Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: Hi everyone, we are currently trying to verify an ocsp response. The return is Response verify OK but we need to verify the signature algorithm of the response signature. We tried putting the response into an DER and parsing it. But still no information about the signature. There are signature algorithm printed, but those are the ones of the certificates. Or am I wrong? Is there a way to only print the signature of the response? It should print the signature algorithm and signature just before the certificates. See the OCSP_RESPONSE_print() function in ocsp_prn.c. Are you using an old version of OpenSSL? I've added the response for further information. Any help would be appreciated! Would be more useful if you'd attached the DER response i.e. response-2.der, can you send that? S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text [snip] Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: WG: OCSP response signature verification
Sure! Here are the request and response files. Kind regards Michel Pittelkow Hi everyone, we are currently trying to verify an ocsp response. The return is Response verify OK but we need to verify the signature algorithm of the response signature. We tried putting the response into an DER and parsing it. But still no information about the signature. There are signature algorithm printed, but those are the ones of the certificates. Or am I wrong? Is there a way to only print the signature of the response? It should print the signature algorithm and signature just before the certificates. See the OCSP_RESPONSE_print() function in ocsp_prn.c. Are you using an old version of OpenSSL? I've added the response for further information. Any help would be appreciated! Would be more useful if you'd attached the DER response i.e. response-2.der, can you send that? S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text [snip] Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org +--+ | - michael-wessel.de Secure E-Mail Status - | +--+ | - Die Nachricht war weder verschluesselt noch digital unterschrieben | +--+ request-2.der Description: request-2.der response-2.der Description: response-2.der
Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: I forgot to write, which versions are used. For the client we are using 0.9.8L. But we also tested with M. We are not sure about the responders but we are trying to find out. Oops, there was a bug in the print routine which meant the signature and signature algorithm were never printed out. I've just fixed it here: http://cvs.openssl.org/chngview?cn=19434 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: Ah! That's exactly the point, where I tried to edit the code and recompile it. But every time I tried to I became an error in make complaining about [link_app.] and a false call of 'main' in _start... Can I just replace the file and recompile openssl? Or do I have to edit something in any type of data. Sorry. I am not that into C though :-( If you've compiled OpenSSL already you should just make the change and type make and it should rebuild it OK. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org