Re: [openssl.org #3516] OCSP Certificate Chain Response Handling

2014-09-09 Thread Rob Stradling

Duplicate of #2206?

On 05/09/14 08:35, Mehner, Carl via RT wrote:

OCSP response handling in /apps/ocsp.c
--
2014-06-25

The OCSP Documentation States
https://www.openssl.org/docs/apps/ocsp.html
Otherwise the OCSP responder certificate's CA is checked against the issuing CA 
certificate in the request. If there is a match and the OCSPSigning extended key usage is 
present in the OCSP responder certificate then the OCSP verify succeeds.

--Assumptions--
The flag '-issuer' in OpenSSL's ocsp application is what the responder's 
certificate's CA is checked against.
The 'responder's certificate's CA' means the certificate authority that is 
the issuer of the ocsp signing certificate.


--What Happens--
When running the command:
openssl ocsp -no_nonce -issuer intermediary.cer -cert leaf.cer -CA root.cer -url http://ocsp.url

Validation of the OCSP responder certificate fails unless the issuer's cert is 
also in the file containing the root CA cert. The error messages are:
Response Verify Failure
8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify 
error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer 
certificate

However, if you specify a -CAfile that includes the same cert from the 
'-issuer' flag and the root CA cert that is the root of trust for the ocsp 
responder cert, you will get back a 'Response verify OK'.

--What Should Happen--
If the certificate provided in the '-issuer' flag matches the CA certificate 
referenced in the OCSP responder's issuer field, the OCSP verify should succeed.

There should be no need to chain up to the root in this case as it would be a 
waste of time since that evaluation is already done on the issuer certificate 
provided with the '-issuer' flag when evaluating the chain of the certificate 
provided by the '-cert' flag outside of the OCSP validation process. If the 
leaf validation fails, there is no need to validate the OCSP chain, the 
connection will fail regardless.

However, if anyone feels that the full chain needs to be validated, the 
validation procedure should be able to bridge the cert included on the 
'-issuer' flag with a single root specified on the '-CA' flag. (It currently 
does not.)

-cem


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #3516] OCSP Certificate Chain Response Handling

2014-09-05 Thread Mehner, Carl via RT
OCSP response handling in /apps/ocsp.c
--
2014-06-25

The OCSP Documentation States
https://www.openssl.org/docs/apps/ocsp.html
Otherwise the OCSP responder certificate's CA is checked against the issuing 
CA certificate in the request. If there is a match and the OCSPSigning extended 
key usage is present in the OCSP responder certificate then the OCSP verify 
succeeds.

--Assumptions--
The flag '-issuer' in OpenSSL's ocsp application is what the responder's 
certificate's CA is checked against.
The 'responder's certificate's CA' means the certificate authority that is 
the issuer of the ocsp signing certificate.


--What Happens--
When running the command:
openssl ocsp -no_nonce -issuer intermediary.cer -cert leaf.cer -CA root.cer -url http://ocsp.url

Validation of the OCSP responder certificate fails unless the issuer's cert is 
also in the file containing the root CA cert. The error messages are:
Response Verify Failure
8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify 
error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer 
certificate

However, if you specify a -CAfile that includes the same cert from the 
'-issuer' flag and the root CA cert that is the root of trust for the ocsp 
responder cert, you will get back a 'Response verify OK'.

--What Should Happen--
If the certificate provided in the '-issuer' flag matches the CA certificate 
referenced in the OCSP responder's issuer field, the OCSP verify should succeed.

There should be no need to chain up to the root in this case as it would be a 
waste of time since that evaluation is already done on the issuer certificate 
provided with the '-issuer' flag when evaluating the chain of the certificate 
provided by the '-cert' flag outside of the OCSP validation process. If the 
leaf validation fails, there is no need to validate the OCSP chain, the 
connection will fail regardless.

However, if anyone feels that the full chain needs to be validated, the 
validation procedure should be able to bridge the cert included on the 
'-issuer' flag with a single root specified on the '-CA' flag. (It currently 
does not.)

-cem
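The report above can be reproduced offline, without a live responder, which makes it easy to see exactly which certificate the chain builder is missing. The script below is an added example written for this archive page; it is not part of Carl's report and not OpenSSL's own test code. It builds a throwaway PKI (root, intermediate, leaf, and a delegated OCSP signer issued by the intermediate; every subject name and serial number is made up), has openssl's built-in responder sign a "good" response for the leaf from an index file, and then runs the client-side verification the way the report does. It assumes an OpenSSL 1.1.1 or 3.x install with its default config file present. One caveat worth knowing when reading the report's command line: in `openssl ocsp`, `-CA` is a responder-mode option (the CA matching the index file), while the client-side trust store is set with `-CAfile`, so the first verification below deliberately repeats that flag to show the result.

```shell
#!/bin/sh
# Added example, not from the original report: reproduce the OCSP response
# verification outcomes discussed in this thread against a throwaway PKI.
# Every name, subject and serial number below is made up.  Assumes openssl
# 1.1.1 or 3.x with its default config file installed.
set -eu

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
subjectAltName=DNS:leaf.example'
OCSP_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=OCSPSigning'

# mkcert <name> <serial> <subject> <issuer name | self> <extensions>
# Generates an EC key and a CSR, then issues a 30-day certificate carrying
# <extensions>, signed by <issuer> (or self-signed when <issuer> is "self").
mkcert() {
    name=$1 serial=$2 subj=$3 issuer=$4 exts=$5
    openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
    openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
    printf '%s\n' "$exts" > "$name.ext"
    if [ "$issuer" = self ]; then
        set -- -signkey "$name.key"
    else
        set -- -CA "$issuer.pem" -CAkey "$issuer.key"
    fi
    openssl x509 -req -in "$name.csr" "$@" -set_serial "$serial" -days 30 \
        -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# Build root -> inter -> {leaf, delegated OCSP signer} in a fresh directory and
# have openssl's responder mode sign a "good" response for the leaf from an
# index file, so no network is needed.  Leaves the shell in that directory.
setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    mkcert root  1      '/CN=Example Root'         self  "$CA_EXT"
    mkcert inter 2      '/CN=Example Intermediate' root  "$CA_EXT"
    mkcert leaf  0x1000 '/CN=leaf.example'         inter "$LEAF_EXT"
    mkcert ocsp  3      '/CN=Example OCSP Signer'  inter "$OCSP_EXT"
    # CA database row: status V, expiry, (no revocation date), serial in hex, file, subject
    printf 'V\t340101000000Z\t\t1000\tunknown\t/CN=leaf.example\n' > index.txt
    # Responder mode: here -CA is the CA that issued the certificates in index.txt.
    openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
        -issuer inter.pem -cert leaf.pem -no_nonce -respout resp.der >/dev/null 2>&1
    cat root.pem inter.pem > bundle.pem
}

# verify_with <trust options...>: client-side check of resp.der with the same
# -issuer/-cert pair as the report; prints "ok" or "fail" from openssl's verdict.
verify_with() {
    out=$(openssl ocsp -respin resp.der -issuer inter.pem -cert leaf.pem \
              -no_nonce "$@" 2>&1) || true
    case $out in
        *'Response verify OK'*) echo ok ;;
        *)                      echo fail ;;
    esac
}

setup_pki
# The report's flag: -CA is ignored by the client side, so the trust store is
# the system default, which does not contain this root.
echo "-CA root (responder option): $(verify_with -CA root.pem)"                 # fail
# The report's working configuration: root and intermediate both in -CAfile.
echo "-CAfile root+inter:          $(verify_with -CAfile bundle.pem)"           # ok
# What the report asks for: root as the only trust anchor, the intermediate
# known only from -issuer.  Whether this passes depends on the OpenSSL release.
echo "-CAfile root only:           $(verify_with -CAfile root.pem)"
# Intermediate handed to the chain builder as untrusted material rather than
# as a trust anchor; also release-dependent, so it is printed, not asserted.
echo "-CAfile root, -verify_other: $(verify_with -CAfile root.pem -verify_other inter.pem)"
```

The script leaves its key material in the temporary directory it prints nothing about (`$WORK`), so delete it afterwards. The first two outcomes are fixed by the documented option semantics and by the report itself; the last two show how a given release resolves the chain when the intermediate is present only as the `-issuer` certificate or as `-verify_other` input, which is the behaviour this ticket is about.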
