Hi Ted,

I can now get the Revoked status to work properly - I simply wasn't entering a date in the column for Revoked Date: I was only putting an R in the first column.

I can't get E(xpired) to work but I can live without that for now. I always get an error of some sort when the first column is an E. This does seem like a bug. Your analysis of Unknown, Good and Revoked matches my experience with testing it.

I am using the utility to generate OCSP responses which I can then import into my test harness to test a DRM agent I am working on. Using OpenSSL / ocsp (eventually!) looks like it gives more flexibility for negative testing than trying to persuade a real server to reply with the responses which my test cases require.

I am using version 0.9.8b, as you are.

Thanks for your input here.

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!

Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I
> get a status of unknown rather than revoked.
>
> Does anyone have any observations on this ?
>

The relevant code goes as this (apps/ocsp.c lines 1063 and following):

    inf = lookup_serial(db, serial);
    if (!inf)                                   /* serial not in index.txt */
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL, thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_VAL)    /* status column 'V' */
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_GOOD,
                               0, NULL, thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_REV) {  /* status column 'R' */
        ASN1_OBJECT *inst = NULL;
        ASN1_TIME *revtm = NULL;
        ASN1_GENERALIZEDTIME *invtm = NULL;
        OCSP_SINGLERESP *single;
        int reason = -1;

        /* revocation time, reason and extras come from the rev-date column */
        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
        single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED,
                                        reason, revtm, thisupd, nextupd);
        if (invtm)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
                                         invtm, 0, 0);
        else if (inst)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code,
                                         inst, 0, 0);
        ASN1_OBJECT_free(inst);
        ASN1_TIME_free(revtm);
        ASN1_GENERALIZEDTIME_free(invtm);
    }

while the status-defines are

    #define V_OCSP_CERTSTATUS_GOOD    0
    #define V_OCSP_CERTSTATUS_REVOKED 1
    #define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not found, GOOD if status is 'V' and REVOKED if status is 'R'. But I haven't had much experience with OCSP yet...

Which version of openssl are you working with (I'm looking into the source of 0.9.8b)?

BTW, if there is an unexpected status (like 'E') there seems to be no response. Is this really the way it should work?

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
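The lookup Ted quotes, restated as a small Python model so the index.txt cases from this thread (serial absent, 'V', 'R' with and without a revocation date, 'E') can be run offline against constructed entries. This is an added example, not code from OpenSSL or from either poster. The index.txt lines are made up; the six tab-separated columns (status, expiry, revocation date with optional ",reason", serial, filename, subject) and the YYMMDDHHMMSSZ timestamp format are assumptions about the ca database layout; and `unpack_revinfo` is deliberately simplified to time plus optional reason, without the hold-instruction or invalidity-date extras the real function accepts.

```python
"""Model of the index.txt -> OCSP status mapping quoted in the thread.

Added example, not OpenSSL's code.  Assumed index.txt layout (tab separated):
    status  expiry  revocation-date[,reason]  serial  filename  subject
Timestamps are assumed to be YYMMDDHHMMSSZ (UTCTime as written by 'openssl ca').
"""
from datetime import datetime, timezone

# V_OCSP_CERTSTATUS_* values as quoted from the OpenSSL headers
GOOD, REVOKED, UNKNOWN = 0, 1, 2

# Constructed sample database; serials and subjects are invented.
SAMPLE_INDEX = (
    "V\t270801120000Z\t\t01\tunknown\t/CN=good-cert\n"
    "R\t270801120000Z\t060801140000Z,keyCompromise\t02\tunknown\t/CN=revoked-cert\n"
    "R\t270801120000Z\t\t03\tunknown\t/CN=revoked-but-no-date\n"   # Nick's first attempt
    "E\t060701120000Z\t\t04\tunknown\t/CN=expired-cert\n"
)


def parse_index(text):
    """Index the database by upper-case hex serial (lookup_serial equivalent)."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, rev, serial, _filename, subject = fields
        db[serial.upper()] = {
            "status": status, "expiry": expiry, "rev": rev, "subject": subject,
        }
    return db


def parse_utctime(value):
    """YYMMDDHHMMSSZ -> aware datetime (assumed ca database time format)."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def unpack_revinfo(rev_field):
    """Simplified stand-in for apps/ca.c unpack_revinfo: time[,reason] only.

    An empty column is treated as an error here; in the thread, the fix for
    a 'revoked' entry that came back as the wrong status was to fill it in.
    """
    if not rev_field:
        raise ValueError("'R' entry has no revocation date in the rev-date column")
    parts = rev_field.split(",")
    reason = parts[1] if len(parts) > 1 else None
    return parse_utctime(parts[0]), reason


def cert_status(db, serial):
    """Return the single-response the quoted loop would add, or None if it adds none."""
    inf = db.get(serial.upper())
    if inf is None:                       # serial not found -> UNKNOWN
        return {"status": UNKNOWN}
    if inf["status"] == "V":              # DB_TYPE_VAL -> GOOD
        return {"status": GOOD}
    if inf["status"] == "R":              # DB_TYPE_REV -> REVOKED + rev info
        revtm, reason = unpack_revinfo(inf["rev"])
        return {"status": REVOKED, "revoked_at": revtm, "reason": reason}
    # Any other status letter (e.g. 'E') matches no branch of the quoted
    # code, so nothing is added for that serial: the "no response" Ted saw.
    return None


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for serial in ("01", "02", "03", "04", "99"):
        try:
            print(serial, cert_status(db, serial))
        except ValueError as exc:
            print(serial, "error:", exc)
```

Running it shows the four behaviours the thread discusses side by side: serial 01 is GOOD, 02 is REVOKED with its time and reason, 03 ('R' with an empty date column) fails in `unpack_revinfo`, 04 ('E') produces no single response at all, and an unlisted serial is UNKNOWN.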