Re: [openssl-users] View OCSP response in CMS

Thu, 22 Sep 2011 01:15:11 -0700 

Le 21/09/2011 21:20, Gabriel Marques a écrit :
I'm developing a tool for signing digital TV apps, and one of the goals was to embed OCSP responses into the CMS signature file of the application. The idea is that the broadcaster equipment would query the OCSP and update the response with certain frequency, so that the receiver could check the certificate validity without Internet connection. 


Well, using the BouncyCastle lib I've forcedly embedded the response 
in the OtherRevocationInfoFormat field of the CMS file, but OpenSSL 
does not like the way I did it:
-> openssl cms -cmsout -print -inform der -in 
/tmp/sig3/META-INF/BR-ecdsaTest.EC

Error reading S/MIME message

3076389608:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
tag:tasn_dec.c:1319:
3076389608:error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested asn1 
error:tasn_dec.c:381:Type=X509_CRL_INFO
3076389608:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:751:Field=crl, Type=X509_CRL
3076389608:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:
3076389608:error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested asn1 
error:tasn_dec.c:339:Field=d.crl, Type=CMS_RevocationInfoChoice



This could be because I'm doing something wrong (probably) or because 
OpenSSL (1.0e) is alway expecting a CRL set where other kind of 
revocation info could be present.
I couldn't find a clear way to do insert OCSP responses into a CMS 
structure.

The RFCs are the clearer source I could get:

RFC 3852 - CMS structure:


The latest RFC for CMS is 5652. But the phrasing is the same:

-----
  IF ((certificates is present) AND
     (any certificates with a type of other are present)) OR
     ((crls is present) AND
     (any crls with a type of other are present))
  THEN version MUST be 5
  ELSE
  [...]
-----

In your examples, you set version to 3.


Based on your parsed example, it seems you correctly set the tag ([1]) 
for the "crls" element, but you didn't use the good encoding for the 
"other" field (of type "OtherRevocationInfoFormat", as it also must be 
tagged ([1]) and be identified by the correct OID (1.3.6.1.5.5.7.16.2).


--
Erwann ABALEA
-----
Le neuneu est un con qui débute. C'est une espèce rare mais qui fait
beaucoup de bruit.
-+- JCD in : Guide du Neuneu d'Usenet -- Bien configurer son neuneu.-+-























					Reply via email to