On Wed, Jun 23, 2004, Christian Weber wrote: > I tried to ask this question to the list before, but seemingly the > attachment blocked itīs way. So the attachment is included as base64-block. > > Requesting information on signtrust (german, Deutsche Post AG) generated > smartcard > certificates leads to a download of a "signed response". > > Examining the respose shows that it is much like an ocsp response (binary > example > appended in base64) though feeding it into openssl with command > > >openssl ocsp -respin QNcLp5XvEIcAAGyqehE.rsp -noverify -text > > leads to the following output: > > >OCSP Response Data: > > OCSP Response Status: successful (0x0) > >Error parsing response > >10240:error:0D084078:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:explicit > >tag not constructed:tasn_dec.c:444: > >10240:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 > >error:tasn_dec.c:272:Field=value.byName, Type=OCSP_RESPID > >10240:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 > >error:tasn_dec.c:566:Field=responderId, Type=OCSP_RESPDATA > >10240:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 > >error:tasn_dec.c:566:Field=tbsResponseData, Type=OCSP_BASICRESP > >10240:error:0D08806E:asn1 encoding routines:ASN1_unpack_string:decode > >error:asn_pack.c:189: > > This output was generated by openssl--0.9.7-stable-SNAP-20040611 on linux > 386. > > Looking at the asn structure itself one notices that the ResponderId is > coded as > Tag 81: "Signtrust" (dunno how to interpret this) instead of the usual x509 > representation. > > RFC2560 tells: > > ResponderID ::= CHOICE { > > byName [1] Name, > > byKey [2] KeyHash } > > but doesnīt specify Name itself. > > So my question is: does the signtrust coding match the rfc rules? > If it does can anybody give me a hint how to fix the asn1 paring > so that it recognizes the coding? >
No it violates the RFC rules and doesn't include a valid Name structure in there. Name BTW is defined in RFC3280 et al. >From the request data it looks like they've treated this as a string type and put "SignTrust" in there: this is just plain wrong. Since the response is broken OpenSSL is quite right to reject it and any decent ASN1 parser would reject it too. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]