Hi,
I am studying the verifying of the OCSP response.
I find that the function OCSP_basic_verify() in ocsp_vfy.c can do this
job.
It is mainly divided into 2 parts:
1. to use the public key of the response signer to verify the basic response
2. to verify the certificate of the signer of the basic response
And in step 1, it searches for the certificate of the signer according to the ResponderId in the basic response.
My question is: according to RFC2560, the signer of the OCSP response can be
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA
In case 2 and case 3, it seems OK, because the signer of the response is just the responder.
But in case 1, the signer is not the responder.
How can ocsp_find_signer(&signer, bs, certs, st, flags) find the certificate of the signer only by the ResponderId?
I think this function will find the certificate of the responder while maybe not of the signer.
Can somebody kindly explain to me why it is OK in case 3?
Thanks
Wjw
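As an added illustration (not code from OpenSSL or from this thread), here is the ResponderID matching rule that the signer lookup in OCSP_basic_verify() applies, written in Python over constructed stand-in certificates. RFC 2560 defines ResponderID as either the signer's subject Name (byName) or the SHA-1 hash of the signer's subjectPublicKey BIT STRING value (byKey), so whichever of the three permitted signers produced the response, the lookup finds that signer's certificate; in case 1 the ResponderID names the CA itself. The Cert class, name_der() helper and all key bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    """Constructed stand-in for an X509 certificate (not OpenSSL's X509)."""
    label: str
    subject_der: bytes   # DER encoding of the subject Name
    public_key: bytes    # contents of subjectPublicKey BIT STRING, unused-bits octet stripped

def name_der(cn: str) -> bytes:
    """DER Name with a single CN attribute (UTF8String); constructed helper, short lengths only."""
    def tlv(tag: int, body: bytes) -> bytes:
        return bytes([tag, len(body)]) + body
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def responder_key_hash(cert: Cert) -> bytes:
    # RFC 2560 4.2.1: byKey is SHA-1 over the BIT STRING value, excluding tag,
    # length and the number-of-unused-bits octet.
    return hashlib.sha1(cert.public_key).digest()

def find_signer(rid_type: str, rid_value: bytes, certs: list) -> Optional[Cert]:
    """Return the first candidate whose subject (byName) or key hash (byKey)
    equals the ResponderID, or None when the signer's cert is not available."""
    for cert in certs:
        if rid_type == "byName" and cert.subject_der == rid_value:
            return cert
        if rid_type == "byKey" and responder_key_hash(cert) == rid_value:
            return cert
    return None

# Constructed candidates: the issuing CA, a trusted responder, a CA-designated responder.
CA = Cert("ca", name_der("Example CA"), bytes.fromhex("00a1b2c3d4"))
TRUSTED = Cert("trusted-responder", name_der("Trusted OCSP"), bytes.fromhex("00e5f60718"))
DESIGNATED = Cert("designated-responder", name_der("CA OCSP Signer"), bytes.fromhex("002938475a"))
CERTS = [CA, TRUSTED, DESIGNATED]

def demo() -> dict:
    """Resolve a ResponderID for each of the three signer cases plus a missing-signer case."""
    return {
        "case1_ca_byName": find_signer("byName", name_der("Example CA"), CERTS),
        "case2_trusted_byKey": find_signer("byKey", responder_key_hash(TRUSTED), CERTS),
        "case3_designated_byKey": find_signer("byKey", responder_key_hash(DESIGNATED), CERTS),
        "signer_not_supplied": find_signer("byName", name_der("Unknown"), CERTS),
    }
```

When the real function returns no match, OCSP_basic_verify() fails before any signature check, which is why the responder's certificate must be present in the response or in the supplied certs list.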