Duplicate of #2206?
On 05/09/14 08:35, Mehner, Carl via RT wrote:
OCSP response handling in /apps/ocsp.c
----------
2014-06-25
The OCSP documentation states:
https://www.openssl.org/docs/apps/ocsp.html
"Otherwise the OCSP responder certificate's CA is checked against the issuing CA
certificate in the request. If there is a match and the OCSPSigning extended key usage is
present in the OCSP responder certificate then the OCSP verify succeeds."
--Assumptions--
The flag '-issuer' in OpenSSL's ocsp application is what the responder's
certificate's CA is checked against.
The 'responder's certificate's CA' means the certificate authority that is
the issuer of the OCSP signing certificate.
--What Happens--
When running the command:
openssl ocsp -no_nonce -issuer <intermediary.cer> -cert <leaf.cer> -CA <root.cer> \
    -url http://<ocsp.url>
Validation of the OCSP responder certificate fails unless the issuer's cert is
also in the file containing the root CA cert. The error messages are:
Response Verify Failure
8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer
certificate
However, if you specify a -CAfile that includes the same cert from the
'-issuer' flag and the root CA cert that is the root of trust for the OCSP
responder cert, you will get back a 'Response verify OK'.
--What Should Happen--
If the certificate provided in the '-issuer' flag matches the CA certificate
referenced in the OCSP responder's issuer field, the OCSP verify should succeed.
There should be no need to chain up to the root in this case as it would be a
waste of time since that evaluation is already done on the issuer certificate
provided with the '-issuer' flag when evaluating the chain of the certificate
provided by the '-cert' flag outside of the OCSP validation process. If the
leaf validation fails, there is no need to validate the OCSP chain; the
connection will fail regardless.
However, if anyone feels that the full chain needs to be validated, the
validation procedure should be able to bridge the cert included on the
'-issuer' flag with a single root specified on the '-CA' flag. (It currently
does not.)
-cem
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
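To reproduce the behaviour the ticket describes without a network responder, the following shell script is an added example; it is not part of the ticket, of this thread, or of OpenSSL's own test suite. It builds a throwaway PKI (root, intermediate, leaf, and a delegated OCSP responder certificate issued by the intermediate with the OCSPSigning EKU), produces a response with `openssl ocsp` in responder mode from a request file, and then verifies that response with different `-CAfile` contents, the way the ticket does. All names, file names and the index entry are constructed for the demonstration; the script assumes an `openssl` binary (1.1.1 or newer) on PATH. Note that in the ticket's command `-CA` is the responder-mode option naming the CA whose index a responder serves, while the client's trust store is `-CAfile`; the script passes the trust store explicitly. The third check goes beyond the ticket and shows `-VAfile`, which marks the responder certificate itself as explicitly trusted so that no chain is built at all.

```shell
#!/bin/sh
# Added demonstration (not part of the ticket or of OpenSSL's own tests):
# build a throwaway PKI  root -> intermediate -> {leaf, delegated OCSP signer},
# answer an OCSP request for the leaf with "openssl ocsp" in responder mode,
# then verify that response with different -CAfile contents. Everything here
# is constructed locally; no network and no real CA is involved.
# Requires an openssl binary (1.1.1 or newer) on PATH.

WORK=$(mktemp -d) || exit 1
cd "$WORK" || exit 1

# Create an RSA key and a CSR named $1 with common name $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Issue certificate $2 from its CSR, signed by CA $1 ("self" = self-signed),
# with the X.509v3 extensions listed in $3 (extfile with an unnamed section).
issue() {
  printf '%s\n' "$3" > "$2.ext"
  if [ "$1" = self ]; then
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 30 \
      -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
      -CAcreateserial -days 30 -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=serverAuth'
# The responder certificate is issued by the intermediate (the CA of the
# certificate being checked) and carries the OCSPSigning EKU: the delegated
# responder case the documentation quoted in the ticket describes.
OCSP_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=OCSPSigning'

new_csr root  "Demo Root CA"        && issue self  root  "$CA_EXT"   || exit 1
new_csr inter "Demo Intermediate"   && issue root  inter "$CA_EXT"   || exit 1
new_csr leaf  "leaf.example.test"   && issue inter leaf  "$LEAF_EXT" || exit 1
new_csr ocsp  "Demo OCSP Responder" && issue inter ocsp  "$OCSP_EXT" || exit 1

# Responder database in "openssl ca" index format: status, expiry, revocation
# date (empty), serial in hex, file name, subject. The expiry is a constructed
# placeholder; the ocsp app only looks up the serial and reads the status.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
printf 'V\t350101000000Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$SERIAL" \
  > index.txt

# Client side: build the request the -url path would send. Some versions exit
# non-zero here because no responder is given, but the request is written.
openssl ocsp -no_nonce -issuer inter.pem -cert leaf.pem -reqout req.der \
  >/dev/null 2>&1 || true
[ -s req.der ] || { echo "could not build OCSP request" >&2; exit 1; }

# Responder side: answer from the index, signing with the delegated responder
# certificate. Here -CA is the responder-mode option naming the CA the index
# belongs to; it is not the client's trust store.
openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
  -reqin req.der -respout resp.der >/dev/null 2>&1
[ -s resp.der ] || { echo "could not build OCSP response" >&2; exit 1; }

# Verify resp.der as the ticket does. $1 is the -CAfile trust store; any
# further arguments are passed through to openssl ocsp. Prints OK or FAIL.
verify_response() {
  cafile=$1; shift
  out=$(openssl ocsp -no_nonce -issuer inter.pem -cert leaf.pem \
          -CAfile "$cafile" -respin resp.der "$@" 2>&1 || true)
  case "$out" in
    *"Response verify OK"*) echo OK ;;
    *) echo FAIL ;;
  esac
}

# Certificate status the response reports for leaf.pem ("good" when the
# serial was found in the index with status V).
leaf_status() {
  openssl ocsp -no_nonce -issuer inter.pem -cert leaf.pem -CAfile chain.pem \
    -respin resp.der 2>/dev/null | sed -n 's/^leaf\.pem: //p'
}

cat root.pem inter.pem > chain.pem

# 1. Only the root in -CAfile: the responder cert is issued by the
#    intermediate, which is neither trusted nor carried in the response.
#    On 1.0.x/1.1.x this is the ticket's "unable to get local issuer
#    certificate"; chain building stops before the issuer/EKU check.
printf 'root only in -CAfile:            %s\n' "$(verify_response root.pem)"
# 2. Root plus the -issuer cert in -CAfile: the chain builds, the responder's
#    CA matches the CA in the request, EKU is OCSPSigning, verify succeeds.
printf 'root + issuer in -CAfile:        %s\n' "$(verify_response chain.pem)"
# 3. Explicitly trusted responder cert (-VAfile): no chain is built at all.
printf 'root only, responder in -VAfile: %s\n' \
  "$(verify_response root.pem -VAfile ocsp.pem)"
printf 'status reported for leaf.pem:    %s\n' "$(leaf_status)"
```

With OpenSSL 1.0.x and 1.1.x the first check fails exactly as the ticket reports, because the `-issuer` certificate is not used as chain-building material for the responder certificate; later releases may chain through it, so the script prints that result rather than relying on it. Putting the intermediate next to the root in `-CAfile` works on every version, as the ticket already found. Pinning the responder certificate with `-VAfile` also works everywhere, but that file has to be updated whenever the responder's certificate is reissued, so it suits a client that talks to a known responder rather than a general-purpose verifier.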