On Mon, Sep 15, 2003, Tanel Kuusk wrote:

> Martin Kouril wrote:
>
> > In the code the "X509_get0_pubkey_bitstr" function is every time called with
> > the issuer's cert as argument when creating an OCSP request. Is it possible to
> > bypass it?
> > I don't think so. But maybe ..... :)
>
> An OCSP responder uses three items to identify the requested
> certificate: its serial number, its issuer's name hash and the issuer's
> public key hash. But at least some CAs include an X.509v3 extension
> "Authority Key Identifier" in the certificate, which contains the
> issuer key hash in a human-readable form (keyid:aa:bb:cc:00:11).
> You can try to convert this into a hex number 0xaabbcc0011.
> Every certificate also includes its issuer's DN; you can look
> into the OpenSSL ocsp client code to find out how to calculate
> its hash. So, with certain limitations, yes, you can create an
> OCSP request without the issuer's cert.
This is not a reliable way to generate the issuer key hash. Although OpenSSL uses the SHA1 hash for SKID, which it copies to AKID, this is not guaranteed by the standards: so other CAs may use a different technique.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
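The point Steve makes above, worked through in code. This is an added example written for this page, not code from the thread or from OpenSSL: it computes the two issuer hashes of an OCSP CertID the way RFC 2560 defines them (issuerNameHash over the full DER of the issuer Name, issuerKeyHash over the subjectPublicKey BIT STRING contents with tag, length and unused-bits octet stripped, which is what `X509_get0_pubkey_bitstr` hands to the hash), and then compares the key hash with the two key-identifier methods RFC 3280/5280 section 4.2.1.2 allow a CA to use for SKID/AKID. Method (1) happens to coincide with the OCSP key hash; method (2) does not, and a CA may also pick any other unique value. The issuer DN and the key bytes are constructed placeholders (not a real CA key), since only the hashing matters here; the DER helpers are minimal and handle just the encodings this example needs.

```python
"""OCSP CertID issuer hashes vs. Authority Key Identifier values.
Added example, stdlib only. The sample DN and key bytes are constructed."""
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder; enough for the lengths used here (< 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Extract the subjectPublicKey BIT STRING contents from a DER
    SubjectPublicKeyInfo, dropping tag, length and the unused-bits octet.
    This is the byte string an OCSP client hashes for issuerKeyHash."""
    tag, spki_body, _ = der_read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg_id, pos = der_read_tlv(spki_body, 0)   # skip AlgorithmIdentifier
    tag, bitstr, _ = der_read_tlv(spki_body, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return bitstr[1:]                                # strip unused-bits octet


def ocsp_cert_id(issuer_name_der: bytes, issuer_spki_der: bytes,
                 serial: int, algo: str = "sha1"):
    """(issuerNameHash, issuerKeyHash, serialNumber) per RFC 2560 CertID."""
    name_hash = hashlib.new(algo, issuer_name_der).digest()
    key_hash = hashlib.new(algo, subject_public_key_bits(issuer_spki_der)).digest()
    return name_hash, key_hash, serial


def keyid_method1(spki_der: bytes) -> bytes:
    """RFC 3280/5280 4.2.1.2 method (1): 160-bit SHA-1 of the key bits."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def keyid_method2(spki_der: bytes) -> bytes:
    """Method (2): four-bit type field 0100 followed by the least significant
    60 bits of that SHA-1, i.e. an 8-byte identifier."""
    h = int.from_bytes(keyid_method1(spki_der), "big")
    return ((0x4 << 60) | (h & ((1 << 60) - 1))).to_bytes(8, "big")


# Constructed sample inputs (not a real CA): issuer DN "CN=Example CA" and an
# rsaEncryption SubjectPublicKeyInfo whose key bits are placeholder bytes.
OID_CN = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))                     # 2.5.4.3
ISSUER_NAME_DER = der_tlv(0x30, der_tlv(0x31, der_tlv(
    0x30, OID_CN + der_tlv(0x13, b"Example CA"))))
OID_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))          # 1.2.840.113549.1.1.1
ALG_ID = der_tlv(0x30, OID_RSA + b"\x05\x00")
KEY_BITS = bytes(range(1, 33))              # placeholder for the RSAPublicKey DER
ISSUER_SPKI_DER = der_tlv(0x30, ALG_ID + der_tlv(0x03, b"\x00" + KEY_BITS))


def compare_akid_candidates(serial: int = 0x1001) -> dict:
    """Show which AKID construction would reproduce the OCSP issuerKeyHash."""
    _, key_hash, _ = ocsp_cert_id(ISSUER_NAME_DER, ISSUER_SPKI_DER, serial)
    return {
        "method1_matches_ocsp_key_hash": keyid_method1(ISSUER_SPKI_DER) == key_hash,
        "method2_matches_ocsp_key_hash": keyid_method2(ISSUER_SPKI_DER) == key_hash,
    }


if __name__ == "__main__":
    name_hash, key_hash, serial = ocsp_cert_id(ISSUER_NAME_DER, ISSUER_SPKI_DER, 0x1001)
    print("issuerNameHash:", name_hash.hex())
    print("issuerKeyHash: ", key_hash.hex())
    print("AKID method 1: ", keyid_method1(ISSUER_SPKI_DER).hex())
    print("AKID method 2: ", keyid_method2(ISSUER_SPKI_DER).hex())
    print(compare_akid_candidates(serial))
```

The practical check: if an AKID `keyid` is 20 bytes long and equals the SHA-1 of the issuer's key bits, it can stand in for issuerKeyHash; an 8-byte value starting with the nibble 0100 is method (2) and cannot, and anything else is CA-specific. Since you need the issuer's subjectPublicKey to verify either case, the safe route is to obtain the issuer certificate and let the OCSP client hash it.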