Hi everyone,

We are currently trying to verify an OCSP response.
The return is "Response verify OK" but we need to verify the signature 
algorithm of the response signature.
We tried putting the response into a DER and parsing it. But still no 
information about the signature.
There are signature algorithms printed, but those are the ones of the 
certificates. Or am I wrong?

Is there a way to only print the signature of the response?

I've added the response for further information.
Any help would be appreciated!

S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = D-Trust GmbH, CN = D-TRUST OCSP-03 2008:PN
    Produced At: Mar 12 09:58:31 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A611B199CA6EE1B1B8599953CBF428F8F8C94641
      Issuer Key Hash: F9CBC2D42788A9A1B050625E4DD2547D74731EBE
      Serial Number: 094D36
    Cert Status: good
    This Update: Mar 12 09:58:31 2010 GMT
        Response Single Extensions:
            1.3.36.8.3.12:
                ..20090715143639Z
            1.3.36.8.3.13:
                0!0...+...........'.}O.L.....j}..T.

    Response Extensions:
        OCSP Nonce:
            0410F987B6A59DB4116D1F60F436790C8C73
        OCSP Archive Cutoff:
            Mar 21 00:00:00 1975 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 515214 (0x7dc8e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Validity
            Not Before: Jul 25 08:25:06 2008 GMT
            Not After : Jul 24 08:25:06 2013 GMT
        Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST OCSP-03 2008:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:f9:ee:d4:f3:19:42:22:88:7b:cc:d4:9d:63:5b:
                    4b:7d:ed:ad:76:18:2d:90:76:d4:d3:46:b1:7a:fc:
[...]                    47:83:7a:39:40:7c:dd:45:92:a3:d8:3d:e4:4c:62:
                    c3:bd
                Exponent: 3017650581 (0xb3ddb195)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Authority Key Identifier:
                
keyid:67:E0:65:56:FC:7D:25:37:C5:BF:ED:78:88:2A:F0:FA:F2:47:C0:3A

            qcStatements:
                0.0......F..0......F.....
            Authority Information Access:
                OCSP - URI:http://qual.ocsp.d-trust.net

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4788.2.31.1

            X509v3 CRL Distribution Points:
                
URI:ldap://directory.d-trust.net/CN=D-TRUST%20Qualified%20Root%20CA%201%202008%3APN,O=D-Trust%20GmbH,C=DE?certificaterevocationlist
                
URI:http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2008.crl

            X509v3 Issuer Alternative Name:
                email:i...@d-trust.net, URI:http://www.d-trust.net
            X509v3 Subject Key Identifier:
                69:6E:2D:C0:AC:21:5E:52:4F:04:B2:57:B9:A8:93:18:D9:4B:F3:42
            X509v3 Key Usage: critical
                Non Repudiation
    Signature Algorithm: sha256WithRSAEncryption
        08:15:99:7a:60:45:35:c0:48:78:b2:e8:cd:fe:c8:2d:ad:3d:
        [...]
        44:b6:ea:3d:75:cb:40:5a:c4:e3:31:3b:69:14:77:e1:01:59:
        3c:a8:56:27
-----BEGIN CERTIFICATE-----
MIIFCjCCA/KgAwIBAgIDB9yOMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkRF
[...]
SycN3OakJ+QSiYCOOlQOY5TC+Ns5r/I9UzgGRzUqSr5Ho1kkI9h3Z0fnCjLlHwC5
+f/EUYHDfsXGTLQT1L1xEcSOUMJqV3c2RLbqPXXLQFrE4zE7aRR34QFZPKhWJw==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 515120 (0x7dc30)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Validity
            Not Before: Jul 24 16:36:17 2008 GMT
            Not After : Jul 24 16:36:17 2013 GMT
        Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a6:87:ed:90:a5:73:91:95:c2:19:37:b5:29:c4:
                    a4:5f:9d:0b:29:90:28:a7:07:7e:3f:62:49:b6:25:
                    2f:59:db:33:2d:25:d6:d7:a1:ff:87:08:f0:b5:04:
                    dd:45:ca:25:a5:e3:29:8c:48:8d:06:79:a7:26:9f:
                    c8:20:2d:09:de:bc:84:94:6d:23:8a:8a:98:1a:a9:
                    9e:5e:de:8e:f7:ca:b5:92:dc:0a:59:ef:03:e6:b4:
                    9c:83:9f:8a:b5:0e:e5:2c:2a:d5:c7:60:fa:00:ae:
                    41:db:76:e8:8b:bd:b1:16:06:37:85:d3:50:6d:6c:
                    56:af:42:6d:19:28:25:8a:a7:c5:de:e1:0b:b3:32:
                    44:e2:81:96:3b:c3:08:f8:c1:a0:d0:02:6a:c6:81:
                    f2:ba:ed:72:9d:4a:b7:c4:cd:78:8b:c8:53:c8:cb:
                    4d:fe:46:e4:b4:80:43:f4:9f:5f:f3:d5:00:92:1e:
                    36:4f:b7:02:7c:b9:e0:bc:1b:97:eb:e0:21:42:3b:
                    14:f0:67:15:7b:bf:8b:74:3a:b2:27:8f:17:4e:7e:
                    af:6e:0c:8d:e3:e0:46:35:32:ff:7f:33:94:18:ce:
                    ec:dd:91:26:76:2e:0c:38:bc:21:80:9d:ee:02:4b:
                    99:e8:07:15:9a:4d:07:ac:23:e4:cd:2e:27:e9:d1:
                    d4:01
                Exponent: 2886463171 (0xac0beec3)
        X509v3 extensions:
            qcStatements:
                0
0......F..
            Authority Information Access:
                OCSP - URI:http://qual.ocsp.d-trust.net

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4788.2.31.1

            X509v3 Subject Alternative Name:
                email:i...@d-trust.net, URI:http://www.d-trust.net
            X509v3 CRL Distribution Points:
                
URI:ldap://directory.d-trust.net/CN=D-TRUST%20Qualified%20Root%20CA%201%202008%3APN,O=D-Trust%20GmbH,C=DE?certificaterevocationlist
                
URI:http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2008.crl

            X509v3 Subject Key Identifier:
                67:E0:65:56:FC:7D:25:37:C5:BF:ED:78:88:2A:F0:FA:F2:47:C0:3A
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        42:61:76:4f:be:62:7b:9f:eb:52:db:ed:d6:d5:9d:66:21:63:
[...]
        e7:64:1f:1d:83:9c:9a:5d:84:f9:4e:f5:99:de:70:bd:f4:2d:
        e3:62:91:24
-----BEGIN CERTIFICATE-----
MIIE5DCCA8ygAwIBAgIDB9wwMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkRF
[...]
TmL3wXKxYqvAp5ssuCfaWB6xfq0nWu3W2n6C9uk0qTmKu+dkHx2DnJpdhPlO9Zne
cL30LeNikSQ=
-----END CERTIFICATE-----
Response verify OK
S999D003:/tmp/ocsp #


Kind regards,
Michel Pittelkow
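
The response's own signature algorithm is the signatureAlgorithm field of the BasicOCSPResponse (RFC 6960), which is separate from the certificates carried in its certs field. The following is an added example, not part of the original post, that walks the DER to that field; the sample bytes are constructed and the function names are illustrative.

```python
# Added example; SAMPLE is constructed. RFC 6960 nesting: OCSPResponse { status,
# [0] ResponseBytes { responseType, OCTET STRING BasicOCSPResponse {
#     tbsResponseData, signatureAlgorithm, signature, [0] certs OPTIONAL } } }
OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"
NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
         "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SAMPLE = bytes.fromhex(
    "302e 0a0100 a029 3027"                   # OCSPResponse, status 0, [0], ResponseBytes
    "0609 2b0601050507300101 041a 3018 3000"  # basic OID, OCTET STRING, Basic, empty tbs
    "300d 0609 2a864886f70d01010b 0500"       # signatureAlgorithm: sha256WithRSAEncryption
    "0305 00deadbeef")                        # signature BIT STRING (dummy value)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Elements directly inside buf[start:end], as read_tlv triples."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def oid_str(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # assumes first arc is 0 or 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def response_signature_algorithm(der):
    """(OID, name) of BasicOCSPResponse.signatureAlgorithm, not a certificate's."""
    top = children(der, *read_tlv(der, 0)[1:])
    if len(top) < 2 or top[1][0] != 0xA0:
        raise ValueError("no responseBytes: responder returned an error status")
    rtype, octets = children(der, *read_tlv(der, top[1][1])[1:])
    if oid_str(der[rtype[1]:rtype[2]]) != OCSP_BASIC:
        raise ValueError("not a Basic OCSP Response")
    basic = children(der, *read_tlv(der, octets[1])[1:])
    alg = children(der, basic[1][1], basic[1][2])[0]   # AlgorithmIdentifier.algorithm
    oid = oid_str(der[alg[1]:alg[2]])
    return oid, NAMES.get(oid, "unknown")
```

To use it on a real file, pass the bytes of the DER response, for example `response_signature_algorithm(open("response-2.der", "rb").read())`.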

