Hi everyone, we are currently trying to verify an ocsp response. The return is "Response verify OK" but we need to verify the signature algorithm of the response signature. We tried putting the response into an DER and parsing it. But still no information about the signature. There are signature algorithm printed, but those are the ones of the certificates. Or am I wrong?
Is there a way to only print the signature of the response? I've added the response for further information. Any help would be appreciated! S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = DE, O = D-Trust GmbH, CN = D-TRUST OCSP-03 2008:PN Produced At: Mar 12 09:58:31 2010 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: A611B199CA6EE1B1B8599953CBF428F8F8C94641 Issuer Key Hash: F9CBC2D42788A9A1B050625E4DD2547D74731EBE Serial Number: 094D36 Cert Status: good This Update: Mar 12 09:58:31 2010 GMT Response Single Extensions: 1.3.36.8.3.12: ..20090715143639Z 1.3.36.8.3.13: 0!0...+...........'.}O.L.....j}..T. Response Extensions: OCSP Nonce: 0410F987B6A59DB4116D1F60F436790C8C73 OCSP Archive Cutoff: Mar 21 00:00:00 1975 GMT Certificate: Data: Version: 3 (0x2) Serial Number: 515214 (0x7dc8e) Signature Algorithm: sha256WithRSAEncryption Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN Validity Not Before: Jul 25 08:25:06 2008 GMT Not After : Jul 24 08:25:06 2013 GMT Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST OCSP-03 2008:PN Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:f9:ee:d4:f3:19:42:22:88:7b:cc:d4:9d:63:5b: 4b:7d:ed:ad:76:18:2d:90:76:d4:d3:46:b1:7a:fc: [...] 47:83:7a:39:40:7c:dd:45:92:a3:d8:3d:e4:4c:62: c3:bd Exponent: 3017650581 (0xb3ddb195) X509v3 extensions: X509v3 Extended Key Usage: OCSP Signing X509v3 Authority Key Identifier: keyid:67:E0:65:56:FC:7D:25:37:C5:BF:ED:78:88:2A:F0:FA:F2:47:C0:3A qcStatements: 0.0......F..0......F..... Authority Information Access: OCSP - URI:http://qual.ocsp.d-trust.net X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.4788.2.31.1 X509v3 CRL Distribution Points: URI:ldap://directory.d-trust.net/CN=D-TRUST%20Qualified%20Root%20CA%201%202008%3APN,O=D-Trust%20GmbH,C=DE?certificaterevocationlist URI:http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2008.crl X509v3 Issuer Alternative Name: email:i...@d-trust.net, URI:http://www.d-trust.net X509v3 Subject Key Identifier: 69:6E:2D:C0:AC:21:5E:52:4F:04:B2:57:B9:A8:93:18:D9:4B:F3:42 X509v3 Key Usage: critical Non Repudiation Signature Algorithm: sha256WithRSAEncryption 08:15:99:7a:60:45:35:c0:48:78:b2:e8:cd:fe:c8:2d:ad:3d: [...] 44:b6:ea:3d:75:cb:40:5a:c4:e3:31:3b:69:14:77:e1:01:59: 3c:a8:56:27 -----BEGIN CERTIFICATE----- MIIFCjCCA/KgAwIBAgIDB9yOMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkRF [...] SycN3OakJ+QSiYCOOlQOY5TC+Ns5r/I9UzgGRzUqSr5Ho1kkI9h3Z0fnCjLlHwC5 +f/EUYHDfsXGTLQT1L1xEcSOUMJqV3c2RLbqPXXLQFrE4zE7aRR34QFZPKhWJw== -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 515120 (0x7dc30) Signature Algorithm: sha256WithRSAEncryption Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN Validity Not Before: Jul 24 16:36:17 2008 GMT Not After : Jul 24 16:36:17 2013 GMT Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a6:87:ed:90:a5:73:91:95:c2:19:37:b5:29:c4: a4:5f:9d:0b:29:90:28:a7:07:7e:3f:62:49:b6:25: 2f:59:db:33:2d:25:d6:d7:a1:ff:87:08:f0:b5:04: dd:45:ca:25:a5:e3:29:8c:48:8d:06:79:a7:26:9f: c8:20:2d:09:de:bc:84:94:6d:23:8a:8a:98:1a:a9: 9e:5e:de:8e:f7:ca:b5:92:dc:0a:59:ef:03:e6:b4: 9c:83:9f:8a:b5:0e:e5:2c:2a:d5:c7:60:fa:00:ae: 41:db:76:e8:8b:bd:b1:16:06:37:85:d3:50:6d:6c: 56:af:42:6d:19:28:25:8a:a7:c5:de:e1:0b:b3:32: 44:e2:81:96:3b:c3:08:f8:c1:a0:d0:02:6a:c6:81: f2:ba:ed:72:9d:4a:b7:c4:cd:78:8b:c8:53:c8:cb: 4d:fe:46:e4:b4:80:43:f4:9f:5f:f3:d5:00:92:1e: 36:4f:b7:02:7c:b9:e0:bc:1b:97:eb:e0:21:42:3b: 14:f0:67:15:7b:bf:8b:74:3a:b2:27:8f:17:4e:7e: af:6e:0c:8d:e3:e0:46:35:32:ff:7f:33:94:18:ce: ec:dd:91:26:76:2e:0c:38:bc:21:80:9d:ee:02:4b: 99:e8:07:15:9a:4d:07:ac:23:e4:cd:2e:27:e9:d1: d4:01 Exponent: 2886463171 (0xac0beec3) X509v3 extensions: qcStatements: 0 0......F.. Authority Information Access: OCSP - URI:http://qual.ocsp.d-trust.net X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.4788.2.31.1 X509v3 Subject Alternative Name: email:i...@d-trust.net, URI:http://www.d-trust.net X509v3 CRL Distribution Points: URI:ldap://directory.d-trust.net/CN=D-TRUST%20Qualified%20Root%20CA%201%202008%3APN,O=D-Trust%20GmbH,C=DE?certificaterevocationlist URI:http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2008.crl X509v3 Subject Key Identifier: 67:E0:65:56:FC:7D:25:37:C5:BF:ED:78:88:2A:F0:FA:F2:47:C0:3A X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 42:61:76:4f:be:62:7b:9f:eb:52:db:ed:d6:d5:9d:66:21:63: [...] e7:64:1f:1d:83:9c:9a:5d:84:f9:4e:f5:99:de:70:bd:f4:2d: e3:62:91:24 -----BEGIN CERTIFICATE----- MIIE5DCCA8ygAwIBAgIDB9wwMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkRF [...] TmL3wXKxYqvAp5ssuCfaWB6xfq0nWu3W2n6C9uk0qTmKu+dkHx2DnJpdhPlO9Zne cL30LeNikSQ= -----END CERTIFICATE----- Response verify OK S999D003:/tmp/ocsp # Kind regards, Michel Pittelkow