Where to find the OCSP response signer cert if the OCSP response does not contain one?


Where to find the OCSP response signer cert if the OCSP response does not contain one?

M K Saravanan
Hi,

If the OCSP responder does not send the response signer certificate in the OCSP response, then how can we find the signer certificate?

I was doing a simple test to verify google certificate via OCSP like this:

$ openssl ocsp -issuer ./www.google.com.sg-issuer.cer -CAfile ./ca.cer -cert ./www.google.com.sg.cer -url http://clients1.google.com/ocsp -header Host clients1.google.com -no_nonce
Response Verify Failure
2283136:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:91:
./www.google.com.sg.cer: good
        This Update: Oct 27 14:35:13 2015 GMT
        Next Update: Nov  3 14:35:13 2015 GMT

Upon checking the wireshark capture, I found the OCSP response does not send signer cert, but only the responderID (byKey).

In such a scenario, where do I find the OCSP response signer cert?

with regards,
Saravanan


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Where to find the OCSP response signer cert if the OCSP response does not contain one?

M K Saravanan
Hi,

> Upon checking the wireshark capture, I found the OCSP response does not send
> signer cert, but only the responderID (byKey).
>
> In such a scenario, where do I find the OCSP response signer cert?

Clarifying my own question.

https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:

---------------
The purpose of the ResponderID information is to allow clients to
find the certificate used to sign a signed OCSP response.  Therefore,
the information MUST correspond to the certificate that was used to
sign the response.

The responder MAY include certificates in the certs field of
BasicOCSPResponse that help the OCSP client verify the responder's
signature.
-----------------
I understand that it is not mandatory to send the OCSP response signer
certificate in the OCSP response.  So in such cases, where to find the OCSP
response signer certificate?  That is my question.

with regards,
Saravanan

Re: Where to find the OCSP response signer cert if the OCSP response does not contain one?

Jakob Bohm-7
On 28/10/2015 10:24, M K Saravanan wrote:

> Hi,
>
>> Upon checking the wireshark capture, I found the OCSP response does not send
>> signer cert, but only the responderID (byKey).
>>
>> In such a scenario, where do I find the OCSP response signer cert?
> Clarifying my own question.
>
> https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:
>
> ---------------
> The purpose of the ResponderID information is to allow clients to
> find the certificate used to sign a signed OCSP response.  Therefore,
> the information MUST correspond to the certificate that was used to
> sign the response.
>
> The responder MAY include certificates in the certs field of
> BasicOCSPResponse that help the OCSP client verify the responder's
> signature.
> -----------------
> I understand that it is not mandatory to send the OCSP response signer
> certificate in the OCSP response.  So in such cases, where to find the OCSP
> response signer certificate?  That is my question.
Obvious first check is to see if it is the CA certificate
that issued the certificate you are checking.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
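As an added example, not code from this thread, from OpenSSL or from any project: the check Jakob suggests, driven by the ResponderID that Saravanan quotes from RFC 6960. When the ResponderID is byKey, its value is the SHA-1 hash of the responder's public key, i.e. SHA-1 over the value of the subjectPublicKey BIT STRING in the responder's certificate, excluding the tag, the length and the unused-bits octet. A client that did not receive the signer certificate in the response can therefore hash the public key of each certificate it already holds, the issuing CA first, and keep the one whose hash equals the ResponderID. The script below uses only the Python standard library; the certificate and OCSP response it parses are constructed DER skeletons built inside the script (empty names, dummy dates and signatures), not real data, and the tag walking is a hand-written minimal DER reader, not a general ASN.1 library.

```python
import hashlib

# Single-byte DER identifiers used below.
SEQUENCE, OCTET_STRING, BIT_STRING, OID = 0x30, 0x04, 0x03, 0x06
CTX0, CTX2 = 0xA0, 0xA2   # [0] and [2], constructed, context-specific (OCSP uses EXPLICIT tags)


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER TLV at pos; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """List of (tag, value) for the elements inside a constructed type's content octets."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def subject_key_hash(cert_der):
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey bits of an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der)
    fields = children(children(cert)[0][1])  # tbsCertificate elements
    if fields[0][0] == CTX0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, bits = children(fields[5][1])[1]    # subjectPublicKey BIT STRING
    assert tag == BIT_STRING
    return hashlib.sha1(bits[1:]).digest()   # bits[0] is the unused-bits octet and is not hashed


def responder_key_hash(ocsp_response_der):
    """The byKey ResponderID of an OCSPResponse, or None when the responder used byName."""
    _, resp, _ = read_tlv(ocsp_response_der)
    _, response_bytes = children(resp)[1]                       # [0] EXPLICIT ResponseBytes
    _, basic_der = children(children(response_bytes)[0][1])[1]  # response OCTET STRING
    _, basic, _ = read_tlv(basic_der)                           # BasicOCSPResponse
    fields = children(children(basic)[0][1])                    # tbsResponseData elements
    if fields[0][0] == CTX0:                                    # optional [0] EXPLICIT version
        fields = fields[1:]
    rid_tag, rid = fields[0]
    if rid_tag != CTX2:                      # byName [1]: the Name has to be matched instead
        return None
    tag, key_hash, _ = read_tlv(rid)         # byKey [2] EXPLICIT KeyHash (OCTET STRING)
    assert tag == OCTET_STRING and len(key_hash) == 20
    return key_hash


def find_signer(ocsp_response_der, candidates):
    """Label of the first (label, cert_der) candidate whose key hash equals the ResponderID."""
    wanted = responder_key_hash(ocsp_response_der)
    for label, cert_der in candidates:
        if wanted is not None and subject_key_hash(cert_der) == wanted:
            return label
    return None   # no match: a delegated responder whose certificate was not in the response


# --- constructed sample data: DER skeletons, not real certificates or a real response ---

def tlv(tag, content):
    """Minimal DER encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA256_RSA = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
DUMMY_SIG = tlv(BIT_STRING, b"\x00" * 5)                                    # placeholder, never verified


def fake_cert(pubkey_bits):
    """Certificate-shaped DER around pubkey_bits: empty names, dummy dates, dummy signature."""
    spki = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010101")))
                         + tlv(BIT_STRING, b"\x00" + pubkey_bits))
    tbs = tlv(SEQUENCE, tlv(CTX0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SHA256_RSA
              + tlv(SEQUENCE, b"")
              + tlv(SEQUENCE, tlv(0x17, b"151027143513Z") + tlv(0x17, b"151103143513Z"))
              + tlv(SEQUENCE, b"") + spki)
    return tlv(SEQUENCE, tbs + SHA256_RSA + DUMMY_SIG)


def fake_ocsp_response(key_hash):
    """OCSPResponse-shaped DER with a byKey ResponderID and no certs field."""
    tbs = tlv(SEQUENCE, tlv(CTX2, tlv(OCTET_STRING, key_hash))
              + tlv(0x18, b"20151027143513Z") + tlv(SEQUENCE, b""))
    basic = tlv(SEQUENCE, tbs + SHA256_RSA + DUMMY_SIG)
    rb = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2b0601050507300101")) + tlv(OCTET_STRING, basic))
    return tlv(SEQUENCE, tlv(0x0A, b"\x00") + tlv(CTX0, rb))   # responseStatus: successful


CA_CERT = fake_cert(bytes(range(1, 60)))       # the issuing CA (constructed key bits)
LEAF_CERT = fake_cert(bytes(range(100, 160)))  # the certificate being checked
RESPONSE = fake_ocsp_response(subject_key_hash(CA_CERT))   # the CA signs its own responses

if __name__ == "__main__":
    print("responder key hash:", responder_key_hash(RESPONSE).hex())
    print("signer:", find_signer(RESPONSE, [("leaf", LEAF_CERT), ("issuer CA", CA_CERT)]))
```

With real input, feed the functions the DER of the issuer certificate (openssl x509 -in ./www.google.com.sg-issuer.cer -outform DER) and of the response saved with the -respout option of openssl ocsp; openssl ocsp -respin that-file -resp_text prints the same Responder Id (byKey) for comparison. If the hash matches none of the certificates at hand, the response was signed by a delegated responder whose certificate was not sent along, which is the situation behind the "signer certificate not found" error earlier in this thread; if the responder used byName, the function returns None and the Name has to be matched against candidate subjects instead.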
