AW: WG: OCSP response signature verification

I forgot to write which versions are used. For the client we are using 0.9.8L, but we also tested with M. We are not sure about the responders, but we are trying to find out.

Kind regards
Michel Pittelkow

> > Hi everyone,
> >
> > we are currently trying to verify an OCSP response. The return is "Response verify OK", but we need to verify the signature algorithm of the response signature. We tried putting the response into a DER and parsing it, but still no information about the signature. There are signature algorithms printed, but those are the ones of the certificates. Or am I wrong? Is there a way to only print the signature of the response?
>
> It should print the signature algorithm and signature just before the certificates. See the OCSP_RESPONSE_print() function in ocsp_prn.c. Are you using an old version of OpenSSL?
>
> > I've added the response for further information. Any help would be appreciated!
>
> Would be more useful if you'd attached the DER response, i.e. response-2.der, can you send that?
>
> > S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text
> [snip]
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> __
> OpenSSL Project                          http://www.openssl.org
> User Support Mailing List                openssl-users@openssl.org
> Automated List Manager                   majord...@openssl.org

+--+
| - michael-wessel.de Secure E-Mail Status - |
+--+
| - The message was neither encrypted nor digitally signed |
+--+
AW: WG: OCSP response signature verification

Ah! That's exactly the point where I tried to edit the code and recompile it. But every time I tried to, I got an error in make complaining about [link_app.] and a false call of 'main' in _start... Can I just replace the file and recompile OpenSSL? Or do I have to edit something in any type of data? Sorry, I am not that into C though :-(

Kind regards
Michel Pittelkow

> > I forgot to write which versions are used. For the client we are using 0.9.8L, but we also tested with M. We are not sure about the responders, but we are trying to find out.
>
> Oops, there was a bug in the print routine which meant the signature and signature algorithm were never printed out. I've just fixed it here:
>
> http://cvs.openssl.org/chngview?cn=19434
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
AW: WG: OCSP response signature verification

Done that. It now seems to work! Thank you :)

S999D003:/home/ah/test # ./openssl ocsp -respin response-2.der -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = D-Trust GmbH, CN = D-TRUST OCSP-03 2008:PN
    Produced At: Mar 12 09:58:31 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A611B199CA6EE1B1B8599953CBF428F8F8C94641
      Issuer Key Hash: F9CBC2D42788A9A1B050625E4DD2547D74731EBE
      Serial Number: 094D36
    Cert Status: good
    This Update: Mar 12 09:58:31 2010 GMT
    Response Single Extensions:
        1.3.36.8.3.12:
            ..20090715143639Z
        1.3.36.8.3.13:
            0!0...+...'.}O.L.j}..T.

    Response Extensions:
        OCSP Nonce:
            0410F987B6A59DB4116D1F60F436790C8C73
        OCSP Archive Cutoff:
            Mar 21 00:00:00 1975 GMT
    Signature Algorithm: sha256WithRSAEncryption
        c0:71:91:0c:47:da:92:47:4a:03:a7:4f:2b:1f:fb:96:aa:a3:
        ce:e0:c1:23:bb:e1:39:48:4e:68:28:db:99:79:83:12:bf:48:
        66:63:4b:fc:c3:39:c0:87:ef:26:2c:53:6b:54:dd:f9:1e:17:
        66:ff:d9:9f:6e:7d:31:65:90:7c:5c:b5:fa:31:42:44:96:4b:
        1d:c7:4d:4f:6a:57:93:2e:c6:72:6f:da:47:f7:33:58:f4:ed:
        51:fc:e7:24:19:dc:23:2e:12:b4:b2:1d:76:14:7c:56:ac:0e:
        81:b8:b8:ef:a2:5f:5d:11:a9:cd:a8:19:31:2e:35:5a:b4:bc:
        87:4b:66:c8:7a:a1:1f:6e:6b:1b:2b:85:5c:3a:34:cb:e4:c2:
        68:58:27:70:d5:99:fd:92:3c:0d:08:2d:05:93:80:ef:be:42:
        0a:d1:81:82:8f:06:51:ef:15:9c:19:38:63:d9:73:0f:c3:c5:
        13:26:ca:eb:b2:76:7b:32:20:df:99:c1:50:13:f5:76:5c:44:
        f2:91:0d:42:4f:46:57:8a:f7:f1:6f:a2:21:dd:b5:8b:84:96:
        d2:de:25:df:d2:4b:f4:e1:dd:9e:31:48:21:95:08:0e:67:6f:
        49:e1:ab:77:11:cf:61:dc:ae:d3:38:a3:fb:54:36:70:bc:1a:
        56:47:22:fe
Certificate:
    Data:

Kind regards
Michel Pittelkow

> > Ah! That's exactly the point where I tried to edit the code and recompile it. But every time I tried to, I got an error in make complaining about [link_app.] and a false call of 'main' in _start... Can I just replace the file and recompile OpenSSL? Or do I have to edit something in any type of data? Sorry, I am not that into C though :-(
>
> If you've compiled OpenSSL already you should just make the change and type make and it should rebuild it OK.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
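The thread's underlying point is that a BasicOCSPResponse carries its own signatureAlgorithm and signature right after tbsResponseData and before the optional certs field, separate from the algorithms of the embedded certificates, and that "Response verify OK" says nothing about which algorithm that was. The following stand-alone walker is an added example, not code from the thread or from OpenSSL: it parses the RFC 2560 DER layout down to those two fields with only the Python standard library, and applies an assumed client policy (SHA-1 signatures rejected). The sample input is constructed inline with placeholder ResponseData, a placeholder responder key hash, a fake signature and an empty placeholder "certificate"; only the outer structure mirrors a real response. SIG_ALG_NAMES and ACCEPTABLE_SIG_ALGS are this example's own tables.

```python
"""Locate an OCSP response's own signature algorithm in its DER (RFC 2560 layout).
Added example, not OpenSSL code: BasicOCSPResponse = SEQUENCE { tbsResponseData,
signatureAlgorithm, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }."""

ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"

# Signature algorithm OIDs commonly met in OCSP responses (this example's own table).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Assumed client policy: the response itself must not be signed with SHA-1.
ACCEPTABLE_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}


def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos] (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        yield tag, val


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first arc 0/1/2 with second arc < 40)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_response(der_bytes):
    """Return status, response type, the response's own signature algorithm/signature, cert count."""
    _, body, _ = der_read_tlv(der_bytes)                  # OCSPResponse ::= SEQUENCE
    fields = list(der_children(body))
    info = {"status": fields[0][1][0], "response_type": None, "signature_algorithm_oid": None,
            "signature_algorithm": None, "signature": None, "certs": 0}
    if info["status"] != 0 or len(fields) < 2:            # only 'successful' carries responseBytes
        return info
    _, response_bytes, _ = der_read_tlv(fields[1][1])     # [0] EXPLICIT ResponseBytes
    (_, rtype), (_, octets) = der_children(response_bytes)
    info["response_type"] = decode_oid(rtype)
    if info["response_type"] != ID_PKIX_OCSP_BASIC:
        return info
    _, basic, _ = der_read_tlv(octets)                    # BasicOCSPResponse ::= SEQUENCE
    parts = list(der_children(basic))
    # parts[0] is tbsResponseData; the response signature follows it, before any certs.
    _, alg_oid = next(der_children(parts[1][1]))          # AlgorithmIdentifier.algorithm
    info["signature_algorithm_oid"] = decode_oid(alg_oid)
    info["signature_algorithm"] = SIG_ALG_NAMES.get(info["signature_algorithm_oid"], "unknown")
    info["signature"] = parts[2][1][1:]                   # BIT STRING: drop the unused-bits octet
    if len(parts) > 3 and parts[3][0] == 0xA0:            # certs [0] EXPLICIT SEQUENCE OF Certificate
        _, cert_seq, _ = der_read_tlv(parts[3][1])
        info["certs"] = sum(1 for _ in der_children(cert_seq))
    return info


def response_signature_acceptable(info):
    """True only for a successful basic response whose own signature algorithm passes policy."""
    return info["status"] == 0 and info["signature_algorithm"] in ACCEPTABLE_SIG_ALGS


# --- constructed sample input: real outer structure, placeholder contents ---

def der(tag, payload):
    """Encode one TLV with a DER definite length."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    nb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_response(sig_alg_oid="1.2.840.113549.1.1.11"):
    """Constructed OCSPResponse: dummy ResponseData, fake signature bytes, one placeholder cert."""
    tbs = der(0x30, der(0xA2, der(0x04, b"\x11" * 20))    # responderID byKey, placeholder hash
              + der(0x18, b"20100312095831Z")              # producedAt
              + der(0x30, b""))                            # responses: empty in this sample
    sig_alg = der(0x30, der(0x06, encode_oid(sig_alg_oid)) + der(0x05, b""))
    signature = der(0x03, b"\x00" + bytes(range(256)))     # 0 unused bits + 256 placeholder bytes
    certs = der(0xA0, der(0x30, der(0x30, b"")))           # [0] SEQUENCE OF one placeholder "cert"
    basic = der(0x30, tbs + sig_alg + signature + certs)
    response_bytes = der(0x30, der(0x06, encode_oid(ID_PKIX_OCSP_BASIC)) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, response_bytes))   # status: successful


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        r = parse_ocsp_response(build_sample_response(oid))
        print(r["signature_algorithm"], len(r["signature"]), "signature bytes, certs:",
              r["certs"], "acceptable:", response_signature_acceptable(r))
```

The walker deliberately stops at the response's own signature block and only counts the certs that follow it, which is exactly the field OpenSSL's fixed OCSP_RESPONSE_print() now shows; on a real response-2.der you would feed the file's bytes to parse_ocsp_response() and then verify the signature with the responder's key separately.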