On Thu, Aug 26, 2004, pijush koley wrote:

> Hi! I am able to validate the response from the OCSP responder, but I am
> not able to find out why it is behaving so. Here is my test environment.
>
> I have installed Netscape CMS v6.2 on Solaris and installed OpenSSL on
> another machine. I have issued one user cert and placed it in a PEM file,
> say user.pem, and the CA cert in another file, say IssuerCA.pem.
>
> I executed the following set of commands:
>
> 1. openssl ocsp -issuer IssuerCA.pem -cert user.pem -reqout req.der
>
> 2. openssl ocsp -issuer IssuerCA.pem -cert user.pem -url http://<IP of CMS server>:<Port>/ocsp -resp_text -respout resp.der
>
> 3. openssl ocsp -issuer IssuerCA.pem -CAfile IssuerCA.pem -respin resp.der -text
>
> In this case I received the error which I mentioned in my earlier mail.
>
> But if I execute the following command in step 3 then I get success:
>
> openssl ocsp -issuer IssuerCA.pem -VAfile OCSPCert.pem -respin resp.der -text
>
> where OCSPCert.pem is the OCSP cert issued during CMS installation (please
> note that this OCSP cert was issued to the OCSP responder when I installed
> CMS; I did not issue this certificate explicitly).
>
> But in the case of iPlanet CMS v4.7, when I executed the commands mentioned
> in 1, 2 and 3, I received a success in response verification.
>
> Can anybody please explain to me why such behaviour occurs in the case of
> Netscape CMS v6.2?
For some reason the signature on the OCSP certificate is invalid. You can see this if you manually extract the certificates from the OCSP response text output and run 'openssl verify' on them. I checked this against another implementation to rule out the possibility of a bug in the OpenSSL signature verification routines.

When you use the -VAfile option the OCSP responder certificate is trusted implicitly without attempting to verify its signature.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
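The difference Steve describes (-CAfile checks that the responder certificate's signature chains to the CA, -VAfile trusts the responder certificate as given) can be reproduced end to end. The script below is an added example, not code from the thread or from the OpenSSL project: it constructs a throw-away CA, a user cert, a responder cert properly issued by that CA ("good") and a self-signed one that does not chain to it ("bad") in a temporary directory, and all file names and the index.txt contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the two verification outcomes
# with a throw-away CA, one user cert and two OCSP responder certs, all
# constructed here with the openssl CLI (needs openssl 1.1.1 or later).
set -e
WORK=$(mktemp -d) && cd "$WORK"
NEW="openssl req -newkey rsa:2048 -nodes -days 30"
# throw-away issuing CA (stands in for IssuerCA.pem) and an end-entity cert
$NEW -x509 -subj /CN=TestCA -keyout ca.key -out ca.pem 2>/dev/null
$NEW -subj /CN=user -keyout user.key -out user.csr 2>/dev/null
openssl x509 -req -days 30 -in user.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out user.pem 2>/dev/null
# responder "good": issued by TestCA with the OCSPSigning EKU, so its
# signature chains to the CA and -CAfile verification can succeed
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
$NEW -subj /CN=GoodResponder -keyout good.key -out good.csr 2>/dev/null
openssl x509 -req -days 30 -in good.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -extfile ocsp.ext -out good.pem 2>/dev/null
# responder "bad": self-signed, i.e. not signed by TestCA at all. This
# models a responder cert whose signature does not verify against the CA.
$NEW -x509 -subj /CN=BadResponder -keyout bad.key -out bad.pem \
  -addext extendedKeyUsage=OCSPSigning 2>/dev/null
# minimal CA index (tab separated) marking the user cert as valid (V)
SERIAL=$(openssl x509 -in user.pem -noout -serial | cut -d= -f2)
printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=user\n' "$SERIAL" > index.txt
# step 1 of the thread: build the request
openssl ocsp -issuer ca.pem -cert user.pem -reqout req.der >/dev/null 2>&1
# stand-in for step 2: answer the request offline with each responder cert
for r in good bad; do
  openssl ocsp -index index.txt -CA ca.pem -rsigner $r.pem -rkey $r.key \
    -reqin req.der -respout $r.der >/dev/null 2>&1 || true
  [ -s $r.der ]   # the responder must have written a response
done
# step 3: verify a stored response; extra arguments (e.g. -VAfile) are
# passed through. Succeeds only if openssl reports "Response verify OK".
verify() {
  resp=$1; shift
  openssl ocsp -issuer ca.pem -CAfile ca.pem -respin "$resp" "$@" 2>&1 |
    grep -q 'Response verify OK'
}
for args in "good.der" "bad.der" "bad.der -VAfile bad.pem"; do
  if verify $args; then echo "verify OK  : $args"; else echo "verify FAIL: $args"; fi
done
```

The "bad" response fails with -CAfile alone and passes once -VAfile names the same self-signed certificate, which is exactly the asymmetry seen in the thread.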
