Hi Ted,
I can now get the Revoked status to work properly - I simply
wasn't entering
a date in the column for Revoked Date : I was only putting an R in the
first column.
I can't get E(xpired) to work but I can live without that for now. I
always get an error of
some sort when the first column is an E. This does seem like a bug.
Your analysis of
Unknown, Good and Revoked matches my experience with testing it.
I am using the utility to generate OCSP responses which I can then
import into my test
harness to test a DRM agent I am working on. Using OpenSSL / ocsp
(eventually!) looks like
it gives more flexibility for negative testing than trying to persuade
a real server to
reply with the responses which my test cases require.
I am using version 0.9.8b, as you are.
Thanks for your input here.
Nick
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!
Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I
> get a staus of unknown rather than revoked.
>
> Does anyone have any observations on this ?
>
The relevant code goes as this (apps/ocsp.c lines 1063 and following):
inf = lookup_serial(db, serial);
if (!inf)
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL,
thisupd, nextupd);
else if (inf[DB_type][0] == DB_TYPE_VAL)
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_GOOD,
0, NULL,
thisupd, nextupd);
else if (inf[DB_type][0] == DB_TYPE_REV)
{
ASN1_OBJECT *inst = NULL;
ASN1_TIME *revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single;
int reason = -1;
unpack_revinfo(&revtm, &reason, &inst, &invtm,
inf[DB_rev_date]);
single = OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm,
thisupd, nextupd);
if (invtm)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_invalidity_date, invtm, 0, 0);
else if (inst)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
ASN1_TIME_free(revtm);
ASN1_GENERALIZEDTIME_free(invtm);
}
while the status-defines are
#define V_OCSP_CERTSTATUS_GOOD 0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2
So to me this looks like the result is UNKNOWN if the serial is not
found, GOOD if status is 'V' and REVOKED if status is 'R'.
But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (i'm looking into the
source of 0.9.8b)?
BTW, if there is an unexpected status (like 'E') there seems to be no
response. Is this really the way it should work?
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
