[openssl.org #2206] [PATCH] Implicitly support non-delegated OCSP response signing

2014-09-03 Thread Rich Salz via RT
Fixed here, to be merged into post-1.0.2. Thanks:
https://github.com/akamai/openssl/tree/rsalz-monolith/apps

commit 3e3a94bcf03ab5251d95e028dffc14c8a369f2c1
Author: Rob Stradling rob.stradl...@comodo.com
Date: Wed Sep 3 10:42:02 2014 -0400

RT2206: Support issuer in OCSP response signing

The -issuer is trusted to sign OCSP responses.
This is non-delegated, as per RFC 2560.

I also fixed a signed/unsigned cast warning that I
missed when doing the last rebase/merge.

--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #2206] [PATCH] Implicitly support non-delegated OCSP response signing

2010-03-26 Thread Rob Stradling via RT
The attached patches (generated against OpenSSL 0.9.8n and OpenSSL-1.0.0-beta5)
cause openssl ocsp to implicitly trust the Issuing CA Certificate (as denoted by
the -issuer parameter) as a candidate OCSP Response signer.  This non-delegated
model is allowed by RFC 2560.

With this patch, it's possible to do an OCSP check like this:
$ ~/local/openssl-0.9.8n-modified/bin/openssl ocsp -issuer ComodoEVSGCCA.crt -cert secure.comodo.com.crt -no_nonce -url http://ocsp.comodoca.com
Response verify OK
secure.comodo.com.crt: good
This Update: Mar 25 19:03:00 2010 GMT
Next Update: Mar 29 19:03:00 2010 GMT

But without this patch, you have to also specify -VAfile ComodoEVSGCCA.crt 
to achieve the same result.

Here are an example End-entity Certificate and Issuing CA Certificate whose 
OCSP Responder uses the non-delegated model.


On Wednesday 24 March 2010 12:38:07 you wrote:
 On Wednesday 24 March 2010 12:01:51 you wrote:
 snip
 
Well it would typically require giving a public responder access to a
CA key: increasing
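The two signing models this thread distinguishes, exercised end to end with a throwaway CA (added shell demo, not part of the RT2206 patch or of this thread; it assumes an OpenSSL carrying this change, 1.0.2 or later, on PATH, and all file names, subjects and serial numbers are constructed). It answers one OCSP request offline three times, signed by the issuer itself (non-delegated) and by a delegated responder certificate with and without id-kp-OCSPSigning, then verifies each response the way the patched `openssl ocsp` does: `-issuer` alone suffices for the issuer-signed response, while a delegated signer must chain to a trusted CA (`-CAfile` here) and carry the OCSPSigning EKU.

```shell
#!/bin/sh
# Added demo, not part of the RT2206 patch or this thread: build a throwaway CA,
# leaf and responder certificates, answer one OCSP request offline, then verify
# the response under both signing models. Names and serials are constructed.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
ossl() { openssl "$@" 2>/dev/null; }   # quiet wrapper for the setup steps

# Self-signed test CA and an end-entity certificate with a known serial (0x1001)
ossl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=TestCA -days 30
ossl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=leaf
ossl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 4097 -days 30 -out leaf.crt

# One responder key, certified twice: with id-kp-OCSPSigning (RFC 2560 delegation) and without
ossl req -new -newkey rsa:2048 -nodes -keyout resp.key -out resp.csr -subj /CN=Responder
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
ossl x509 -req -in resp.csr -CA ca.crt -CAkey ca.key -set_serial 4098 -days 30 \
     -extfile ocsp.ext -out resp_eku.crt
ossl x509 -req -in resp.csr -CA ca.crt -CAkey ca.key -set_serial 4099 -days 30 -out resp_noeku.crt

# CA index in the format 'openssl ocsp -index' reads: serial 1001 is valid ("V")
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt
ossl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der

# Answer req.der with signer cert $1 and key $2, writing the DER response to $3
sign_response() {
  ossl ocsp -index index.txt -CA ca.crt -rsigner "$1" -rkey "$2" -reqin req.der \
       -no_nonce -noverify -respout "$3"
}
sign_response ca.crt ca.key by_ca.der              # non-delegated: the issuer itself signs
sign_response resp_eku.crt resp.key by_eku.der     # delegated responder, EKU present
sign_response resp_noeku.crt resp.key by_noeku.der # delegated responder, EKU missing

# Client-side check; the exit status is openssl's verdict, extra args are appended
verify_response() {
  r=$1; shift
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin "$r" "$@"
}
# Revocation status word ("good"/"revoked"/"unknown") reported for leaf.crt
cert_status() { verify_response "$@" 2>/dev/null | sed -n 's/^leaf\.crt: //p'; }

verify_response by_ca.der                  # OK with -issuer alone: the patch trusts it as signer
verify_response by_eku.der -CAfile ca.crt  # OK: chains to the trusted CA and carries OCSPSigning
if verify_response by_noeku.der -CAfile ca.crt; then
  echo "unexpected: signer without the OCSPSigning EKU was accepted" >&2; exit 1
fi
```

The last call is expected to print "Response Verify Failure" with the reason "missing ocspsigning usage"; the exit status, not the status line, carries the verdict, since the summary is printed even when verification fails.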