OCSP Gurus,

I am attempting to implement an app which attempts to verify PKCS7 signatures on data. It does all the local verification one would expect.

Now I want to add OCSP into the mix. Given a locally verified certificate chain, I want to perform OCSP on any and all certs involved in the cert chains for the signer(s) of the PKCS7 signature.

So, on to my questions:

1. If I have a chain of X certificates, with only the last one being "trusted" (the rest coming from the signature itself), is it appropriate to perform OCSP on those certs that were delivered as part of the message? My intuition says yes, since otherwise the certs would be trusted.

2. Does anyone have any example code that can access the AuthorityInfoAccess data from an X509 Certificate? That is, given an X509 *, how do I go from there and get the URL that points at the OCSP Responder for that cert. I couldn't find any routines like
   AUTHORITY_INFO_ACCESS *X509_get_AUTHORITY_INFO_ACCESS(X509 *);

3. Once I get the URL, what happens if it starts with HTTPS://? Should I perform OCSP with the chain required to initiate the SSL connection? What about the possibility of a circular, never-ending OCSP session?

4. Should I perform OCSP on the certs involved in the signed OCSP response? Couldn't this also lead to a circular reference?

5. Each OCSP request/response takes a non-trivial amount of time to perform. Are there any optimizations (such as response caching, or some way to feed multiple requests to the same responder at one time) that I might be overlooking? If I have a chain of 10 certs, each with a valid OCSP Responder description, and I do OCSP 10 times (possibly more for any additional certs I may encounter), it will take forever.

Any help is greatly appreciated.

cj
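An added example, not part of the original message or of OpenSSL: for question 2, OpenSSL does provide `X509_get1_ocsp(X509 *)`, which returns a `STACK_OF(OPENSSL_STRING)` of the OCSP URIs found in a certificate's AuthorityInfoAccess extension, and the generic `X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)`, which returns an `AUTHORITY_INFO_ACCESS` structure whose `ACCESS_DESCRIPTION` entries carry an `accessMethod` OID and an `accessLocation` GeneralName. The pure-standard-library Python below shows what those calls decode. It parses a DER AuthorityInfoAccess value (the contents of the extension's OCTET STRING) and keeps only id-ad-ocsp entries whose location is a URI. The sample value, the `example.test` hostnames and the helper names are constructed for this example. The scheme of each returned URI is deliberately left to the caller, which is where the HTTPS question (question 3) has to be decided.

```python
"""Decode a DER-encoded AuthorityInfoAccess extension value and return the
OCSP responder URIs. Standard library only; SAMPLE_AIA is constructed here,
not taken from a real certificate."""

# RFC 5280 section 4.2.2.1:
#   AuthorityInfoAccess ::= SEQUENCE OF AccessDescription
#   AccessDescription  ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
#                                     accessLocation GeneralName }
#   GeneralName.uniformResourceIdentifier is context tag [6], an IA5String.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # context-specific [6], primitive


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Decode OID contents bytes into dotted-decimal form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(x) for x in lead + arcs[1:])


def parse_aia(der):
    """Return [(access_method_oid, uri), ...] for every URI-typed entry.
    Entries with other GeneralName types (directory names, etc.) are skipped."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA value must be a single SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_raw, p = _read_tlv(desc, 0)
        if t != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        t, loc, p = _read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        if t == TAG_URI:
            entries.append((_decode_oid(oid_raw), loc.decode("ascii")))
    return entries


def ocsp_responder_urls(der):
    """The OCSP URIs named by the certificate, in the order they appear."""
    return [uri for method, uri in parse_aia(der) if method == ID_AD_OCSP]


# --- constructed sample input (encoder used only to build it) ---------------
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _access_description(method, uri):
    return _der(TAG_SEQUENCE,
                _der(TAG_OID, _encode_oid(method)) + _der(TAG_URI, uri.encode("ascii")))


# One caIssuers entry and two OCSP entries, the second over HTTPS (made-up hosts).
SAMPLE_AIA = _der(TAG_SEQUENCE,
                  _access_description(ID_AD_CA_ISSUERS, "http://ca.example.test/issuer.crt")
                  + _access_description(ID_AD_OCSP, "http://ocsp.example.test/")
                  + _access_description(ID_AD_OCSP, "https://ocsp.example.test/"))

if __name__ == "__main__":
    for method, uri in parse_aia(SAMPLE_AIA):
        print(method, uri)
    print("OCSP responders:", ocsp_responder_urls(SAMPLE_AIA))
```

Running the file prints all three access descriptions and then only the two OCSP URIs. Note that the URI comes from the certificate being checked, so a verifier should treat it as untrusted input: reject schemes it is not prepared to handle and bound the work done per certificate, which is also the practical answer to the circular-dependency worry in questions 3 and 4.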