[openssl.org #1458] garbage-in garbage-out - was OCSP response nonce extension encoding not DER

2007-01-12 Thread Simon McMahon via RT

Looks like OpenSSL has a problem/feature of garbage-in garbage-out. It's a 
problem because it does not comply with the RFC and a feature because it 
lets OpenSSL work with broken clients.

My OCSP request from some time ago had the encoding error of encoding the 
default values and it looks like OpenSSL just returns the encoding of the 
nonce extension that it got rather than re-encoding it as DER. Actually 
the encoding can be BER but the ... signature SHALL be computed on the 
hash of the DER encoding ... is clear.

This explains why OpenSSL now works for me - because the request (with 
nonce) from my end is now DER encoded.

Regards,

Simon McMahon




Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/10/2007 12:56 PM
To: openssl-users@openssl.org
Subject: OCSP response nonce extension encoding not DER

Hi,

Just saw some weirdness in OCSP response encodings with a nonce extension.

The OCSP response has this for the extensions:
A1 1E
30 1C
30 1A
06 09 2B 06 01 05 05 07 30 01 02
01 01 00 ---
04 0A 04 08 A5 10 18 67 E5 A4 8B 2C 

The second last item is the 'false' (00) for the 'critical' field. 
'false' is the default value (RFC 3280) so should not appear in a DER 
encoding.

Here is another OCSP response extension and this is how it should be for 
DER:

A1 1B
30 19 
30 17 
06 09 2B 06 01 05 05 07 30 01 02 
04 0A 04 08 D4 4C 29 A8 C6 1A 16 56 

The 'false' is not there.

Note that, as far as I know, both were produced by the same version of OpenSSL but at 
different times. I haven't been able to reproduce the one containing the 
'false', and since I can't reproduce a response like this, and the most 
recent one I produced was OK, I'm not 100% sure what is going on.

I only noticed this because my validator used to accept the first 
response; now it rejects it. It re-encodes the response to DER before checking 
the signature. RFC 2560 says the signature SHALL be computed on the hash of the 
DER encoding. The error I get is a bad signature.

The entire ocsp response is attached.

Simon McMahon


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


[openssl.org #1458] garbage-in garbage-out - was OCSP response nonce extension encoding not DER

2007-01-12 Thread Stephen Henson via RT

This is to work around broken encodings and not just for OCSP. OpenSSL
effectively uses the received encoding when computing signatures instead
of converting it to DER. OpenSSL isn't alone in doing this and it is
fairly common practice.

In the past several (rather important) certificates would have been
unusable because they would technically have broken signatures if DER
conversion had taken place.

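As an added illustration of the point made in both messages above (this is example code written for this page, not code from the thread or from OpenSSL), the following parses the two responseExtensions blobs transcribed from Simon's hex dumps, flags the explicitly encoded `critical FALSE` that DER forbids, re-encodes the extension list as canonical DER, and shows that a verifier hashing the re-encoded DER sees different input bytes than one hashing what arrived on the wire, which is exactly the "bad signature" the validator reports while a library that signs and verifies over the received encoding is unaffected. The function names, the minimal TLV codec and the choice of SHA-256 (the thread does not name a hash; any hash would show the same mismatch) are assumptions of this example.

```python
import hashlib

# Constructed from the hex dumps in the thread: the two OCSP responseExtensions
# blobs ([1] EXPLICIT SEQUENCE OF Extension). The first one carries the
# DEFAULT FALSE 'critical' field explicitly (01 01 00), which DER forbids.
RESP1_EXTS = bytes.fromhex(
    "A11E301C301A06092B0601050507300102" "010100" "040A0408A5101867E5A48B2C"
)
RESP2_EXTS = bytes.fromhex(
    "A11B3019301706092B0601050507300102" "040A0408D44C29A8C61A1656"
)

# 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce) as it appears in both dumps.
ID_PKIX_OCSP_NONCE = bytes.fromhex("2B0601050507300102")


def read_tlv(buf, pos=0):
    """Decode one BER/DER TLV at buf[pos]; returns (tag, value, next_pos).
    Single-byte tags and definite lengths only, which covers these blobs."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def read_all(buf):
    """Decode a concatenation of TLVs into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def parse_extension(ext_body):
    """Parse Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.
    Returns (oid, critical, extnValue, explicit_default); explicit_default is True
    when 'critical FALSE' was present on the wire, i.e. the encoding is not DER."""
    fields = read_all(ext_body)
    if fields[0][0] != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid = fields[0][1]
    critical, explicit_default, idx = False, False, 1
    if fields[idx][0] == 0x01:                     # optional BOOLEAN present
        critical = fields[idx][1] != b"\x00"
        explicit_default = not critical            # FALSE is the DEFAULT: DER omits it
        idx += 1
    if fields[idx][0] != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return oid, critical, fields[idx][1], explicit_default


def encode_tlv(tag, value):
    """DER-encode a TLV with a definite, minimal-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_encode_extensions(received):
    """Re-encode [1] EXPLICIT SEQUENCE OF Extension as canonical DER.
    Returns (der_bytes, violations) where violations lists what had to change."""
    tag, seq_of, _ = read_tlv(received)
    if tag != 0xA1:
        raise ValueError("expected [1] EXPLICIT responseExtensions")
    outer = read_all(seq_of)
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected a single SEQUENCE OF Extension")
    violations, der_exts = [], b""
    for ext_tag, ext_body in read_all(outer[0][1]):
        if ext_tag != 0x30:
            raise ValueError("each Extension must be a SEQUENCE")
        oid, critical, value, explicit_default = parse_extension(ext_body)
        if explicit_default:
            violations.append("critical FALSE encoded explicitly for OID " + oid.hex())
        body = encode_tlv(0x06, oid)
        if critical:                                # only non-default values are emitted
            body += encode_tlv(0x01, b"\xff")
        body += encode_tlv(0x04, value)
        der_exts += encode_tlv(0x30, body)
    return encode_tlv(0xA1, encode_tlv(0x30, der_exts)), violations


def signature_inputs_differ(received):
    """True when hashing the canonical DER gives a different digest than hashing the
    bytes as received: a DER-normalising verifier then rejects a signature that a
    verifier working over the wire encoding accepts."""
    der, _ = der_encode_extensions(received)
    return hashlib.sha256(received).digest() != hashlib.sha256(der).digest()


if __name__ == "__main__":
    for name, blob in (("response 1", RESP1_EXTS), ("response 2", RESP2_EXTS)):
        der, problems = der_encode_extensions(blob)
        print(name, "violations:", problems or "none",
              "| signature inputs differ:", signature_inputs_differ(blob))
```

Running it reports one violation for the first dump and none for the second; the re-encoded first blob has the same layout as the second (A1 1B 30 19 30 17 ...), differing only in the nonce bytes. The practical takeaway for anyone writing a verifier is that the two behaviours discussed in the thread, re-encoding to DER before hashing and hashing what arrived, only agree when the producer emitted strict DER, so a validator should either pin one policy and document it or, better, reject non-DER input up front with a clear error rather than a misleading "bad signature".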