Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Stephan Mühlstrasser

On 18.02.15 at 13:19, Stephan Mühlstrasser wrote:

> Unfortunately the -no_explicit command line option is not documented:
>
> https://www.openssl.org/docs/apps/ocsp.html
>
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the
> -no_explicit command line option. What exactly is checked by the
> X509_check_trust() call above with respect to the relevant RFCs?

As there is no documentation and as no one seems to know the meaning of
the -no_explicit for openssl ocsp, should I file a documentation
defect in RT for that?


If I understand the code in OCSP_basic_verify() that is depending on the 
OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence 
of the OCSPSigning flag in the extended key usage field. I could not 
find anything in RFC 6960 and RFC 2560 that would mandate such a check 
for the root CA certificate. Only the OCSP signing certificate must have 
OCSPSigning in the extended key usage field.


So maybe it is even a bug in the code itself?

--
Stephan

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Salz, Rich

> As there is no documentation and as no one seems to know the meaning of
> the -no_explicit for openssl ocsp, should I file a documentation defect in
> RT for that?

yes, please.


Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Dr. Stephen Henson

On Wed, Feb 18, 2015, Stephan Mühlstrasser wrote:

> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using
> the -no_explicit command line option. What exactly is checked by
> the X509_check_trust() call above with respect to the relevant RFCs?

If the responder root CA is set to be trusted for OCSP signing then it can be
used to sign OCSP responses for any certificate (aka a global responder). This
comes under:

   1. Matches a local configuration of OCSP signing authority for the
   certificate in question

or alternatively:

   Additional acceptance or rejection criteria may apply to either the
   response itself or to the certificate used to validate the signature
   on the response.

from RFC2560 et al.

If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
is disabled.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Dr. Stephen Henson

On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:

> Do I understand it correctly then that a local configuration of
> OCSP signing authority here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?

No, it's a separate thing called a trust setting which is not part of the
certificate itself. This is something which has to be explicitly configured
to trust that root CA for OCSPSigning.

It's OpenSSL's version of the trust settings you see in browsers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
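
The trust setting described in the two replies above, as an added example that is not part of the original thread: it attaches OCSPSigning trust to a throwaway self-signed root with `openssl x509 -addtrust` and shows that the certificate itself, and therefore its fingerprint, is unchanged. The subject name and file names are constructed for the demo, and an `openssl` binary with its default configuration is assumed to be on the PATH.

```shell
#!/bin/sh
# Added demo; the subject name and file names are constructed for this example.
set -eu

make_demo_root() {   # $1 = work dir; writes a throwaway self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Global Responder Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

add_ocsp_trust() {   # $1 = work dir; writes root-trusted.pem
    # -addtrust stores the setting as auxiliary data next to the certificate,
    # so the output is a "TRUSTED CERTIFICATE" PEM block.
    openssl x509 -in "$1/root.pem" -addtrust OCSPSigning \
        -out "$1/root-trusted.pem"
}

fingerprint() {      # digest over the certificate itself
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

trusted_uses() {     # line after "Trusted Uses:" in the text dump, if any
    openssl x509 -in "$1" -noout -text |
        awk '/Trusted Uses:/ { getline; gsub(/^ +/, ""); print }'
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_demo_root "$dir"
add_ocsp_trust "$dir"

echo "plain   : $(fingerprint "$dir/root.pem")"
echo "trusted : $(fingerprint "$dir/root-trusted.pem")"
echo "uses in plain file   : [$(trusted_uses "$dir/root.pem")]"
echo "uses in trusted file : [$(trusted_uses "$dir/root-trusted.pem")]"
head -n 1 "$dir/root-trusted.pem"
```

Per the replies above, a root carrying this setting is what the X509_check_trust(x, NID_OCSP_sign, 0) step looks for, and -no_explicit / OCSP_NOEXPLICIT disables that behaviour.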


Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Stephan Mühlstrasser

On 24.02.2015 at 16:19, Salz, Rich wrote:

>>> As there is no documentation and as no one seems to know the meaning of
>>> the -no_explicit for openssl ocsp, should I file a documentation
>>> defect in RT for that?
>>
>> yes, please.
>
> Never mind, Stephen already fixed the doc in master :)

Sorry, I already sent a message to the RT address.

--
Stephan


Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Salz, Rich

>> As there is no documentation and as no one seems to know the meaning of
>> the -no_explicit for openssl ocsp, should I file a documentation
>> defect in RT for that?
>
> yes, please.

Never mind, Stephen already fixed the doc in master :)



Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Stephan Mühlstrasser

On 24.02.15 at 14:47, Dr. Stephen Henson wrote:

> If the responder root CA is set to be trusted for OCSP signing then it can be
> used to sign OCSP responses for any certificate (aka a global responder). This
> comes under:
>
>    1. Matches a local configuration of OCSP signing authority for the
>    certificate in question
>
> or alternatively:
>
>    Additional acceptance or rejection criteria may apply to either the
>    response itself or to the certificate used to validate the signature
>    on the response.
>
> from RFC2560 et al.
>
> If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
> is disabled.



Do I understand it correctly then that a local configuration of OCSP 
signing authority here means that it is a deliberate choice inside 
OpenSSL itself to look for the OCSPSigning flag in the extended key 
usage of the root CA, although RFC 2560 does not say so?


--
Stephan


[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-18 Thread Stephan Mühlstrasser

Hi,

I have a question about the behavior of OCSP_basic_verify() and the 
meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is 
the only place where this flag has an effect in the whole OpenSSL 
source, and in the openssl ocsp application it can be set with the 
-no_explicit command line option:


    /*
     * Easy case: explicitly trusted. Get root CA and check for explicit
     * trust
     */
    if (flags & OCSP_NOEXPLICIT)
        goto end;

    x = sk_X509_value(chain, sk_X509_num(chain) - 1);
    if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
        goto end;
    }

Unfortunately the -no_explicit command line option is not documented:

https://www.openssl.org/docs/apps/ocsp.html

What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the 
-no_explicit command line option. What exactly is checked by the 
X509_check_trust() call above with respect to the relevant RFCs?


Best regards
Stephan