Hi!
I am able to validate the response from the OCSP responder, but I am not able to find out why it is behaving this way. Here is my test environment.
 
I have installed Netscape CMS v6.2 on Solaris and installed OpenSSL on another machine. I have issued one user cert and placed it in a PEM file, say user.pem, and the CA cert in another file, say IssuerCA.pem.
 
I executed the following set of commands:
 
1.  openssl ocsp -issuer IssuerCA.pem -cert user.pem -reqout req.der
 
2. openssl ocsp -issuer IssuerCA.pem -cert user.pem -url http://<IP of CMS server>:<Port>/ocsp -resp_text -respout resp.der
 
3. openssl ocsp -issuer IssuerCA.pem -CAfile IssuerCA.pem -respin resp.der -text
 
In this case I received the error which I mentioned in my earlier mail.
 
But if I execute the following command in step 3, then I get success.
openssl ocsp -issuer IssuerCA.pem -VAfile OCSPCert.pem -respin resp.der -text
 
where OCSPCert.pem is the OCSP cert issued during CMS installation (please note that this OCSP cert was issued to the OCSP responder when I installed CMS; I did not issue this certificate explicitly).
 
But in the case of IPlanet CMS v4.7, when I executed the commands mentioned in 1, 2 and 3, I received a success in response verification.
 
Can anybody please explain to me why such behaviour occurs in the case of Netscape CMS v6.2?
 
Thanks in advance.
-Pijush

pijush koley <[EMAIL PROTECTED]> wrote:
Hi!
I am trying to use the ocsp client utility of openssl. I have installed CMS software on a Solaris box and installed openssl on another box. After that I want to check the status of a user certificate. To do that, I generate one response file using the ocsp utility. The status returned by the OCSP responder is ok, but when verifying the response openssl generates the following error.
 
------------------------------------------------------------------------------------------------------------------------------
Response Verify Failure
2720:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:.\crypto\rsa\rsa_pk1.c:100:
2720:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:580:
2720:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:.\crypto\asn1\a_verify.c:162:
2720:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:.\crypto\ocsp\ocsp_vfy.c:122:Verify error:certificate signature failure
------------------------------------------------------------------------------------------------------------------------------
 
Can anyone please help me to resolve the problem?
I am also attaching the CA certificate, the user certificate and the response that I received from CMS.
 
Thanks in advance.
Regards
-Pijush
