Hi! We're developing an OCSP Responder. During interop testing it was discovered that openssl verifies the signature on the response nicely when the certificate is reported as revoked, but fails to verify the signature when the certificate is reported as valid.

I've tested the signature in Ascertia OCSP Client and in one home-made OCSP Client and both of these verify the signature OK.

This is how I'm running openssl against a valid certificate:

    openssl ocsp -signer test_rpa_new.pem -url http://localhost:81 -issuer johnserver_issuer.pem -cert johnserver_eu_valid.pem -CAfile johnserver_issuer.pem
    Enter pass phrase for test_rpa_new.pem:
    Response Verify Failure
    3776:error:04077068:rsa routines:RSA_verify:bad signature:.\crypto\rsa\rsa_sign.c:218:
    3776:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:.\crypto\asn1\a_verify.c:162:
    3776:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:.\crypto\ocsp\ocsp_vfy.c:98:
    johnserver_eu_valid.pem: good
            This Update: Feb 14 11:51:46 2005 GMT

This is how I'm running openssl against a revoked (hold) certificate:

    openssl ocsp -signer test_rpa_new.pem -url http://localhost:81 -issuer johnserver_issuer.pem -cert johnserver_eu_revoked.pem -CAfile johnserver_issuer.pem
    Enter pass phrase for test_rpa_new.pem:
    Response verify OK
    johnserver_eu_revoked.pem: revoked
            This Update: Feb 14 11:51:46 2005 GMT
            Reason: certificateHold
            Revocation Time: Feb 3 11:34:14 2005 GMT

Could someone help me check why openssl thinks the first signature is invalid? Could it be that openssl parses the response and then rebuilds it before openssl checks the signature, and that the ASN.1 DER encoding is done differently?

Any ideas are appreciated! Test responses can be found here: http://www.allberg.se/ocsp/openssl.zip

Regards,
John
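The hypothesis raised in the post (that the verifier re-encodes the signed structure and ends up with different bytes than the responder signed) is easy to check mechanically. The example below is an added illustration, not code from the poster or from OpenSSL: a small BER/DER walker that re-encodes a structure in strict DER and reports every place where the received bytes deviate from DER (indefinite lengths, non-minimal length octets). Any such deviation in tbsResponseData means a re-encoding verifier sees different bytes from the ones the responder signed, and the signature check fails even though the signature itself is correct. The sample byte strings are constructed by hand for this example: a "good" CertStatus is `[0] IMPLICIT NULL`, whose only DER encoding is `80 00`, while the revoked sample wraps a `RevokedInfo` carrying the revocation time quoted in the post. Whether the responder in question actually emits one of these BER forms is an assumption to be tested against the real response files, not something the post establishes.

```python
"""Re-encode a BER structure as strict DER and report non-DER constructs.

Added example (not the poster's or OpenSSL's code). Sample inputs below are
constructed by hand; the tag/length handling covers single-byte tags, which is
all an OCSP response uses.
"""


def _read_length(buf, pos):
    """Decode a BER length at buf[pos].

    Returns (length or None for indefinite form, position after the length,
    whether the encoding was the minimal one DER requires).
    """
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: always minimal
        return first, pos, True
    n = first & 0x7F
    if n == 0:                             # 0x80 alone: indefinite form (BER only)
        return None, pos, False
    if pos + n > len(buf):
        raise ValueError("truncated length")
    raw = buf[pos:pos + n]
    length = int.from_bytes(raw, "big")
    # DER: long form only for lengths >= 128, and no leading zero octets
    minimal = length >= 0x80 and raw[0] != 0x00
    return length, pos + n, minimal


def _encode_length(length):
    """Emit the unique DER length encoding."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_one(buf, pos, path, issues):
    """Re-encode the single TLV at buf[pos]; return (der_bytes, next_pos)."""
    if pos >= len(buf):
        raise ValueError(f"{path}: truncated")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"{path}: multi-byte tags not handled in this example")
    length, body, minimal = _read_length(buf, pos + 1)
    constructed = bool(tag & 0x20)
    if length is not None and not minimal:
        issues.append(f"{path} tag=0x{tag:02x}: non-minimal length (BER, not DER)")
    if constructed:
        content, p, i = bytearray(), body, 0
        if length is None:
            issues.append(f"{path} tag=0x{tag:02x}: indefinite length (BER, not DER)")
            while buf[p:p + 2] != b"\x00\x00":        # until end-of-contents octets
                child, p = _der_one(buf, p, f"{path}/{i}", issues)
                content += child
                i += 1
            p += 2                                    # skip the 00 00 marker
        else:
            stop = body + length
            while p < stop:
                child, p = _der_one(buf, p, f"{path}/{i}", issues)
                content += child
                i += 1
            if p != stop:
                raise ValueError(f"{path}: child overruns its parent")
    else:
        if length is None:
            raise ValueError(f"{path}: indefinite length on a primitive element")
        content = buf[body:body + length]
        p = body + length
    return bytes([tag]) + _encode_length(len(content)) + bytes(content), p


def canonicalize(buf):
    """Return (strict DER re-encoding, list of BER deviations found)."""
    issues = []
    der, end = _der_one(bytes(buf), 0, "0", issues)
    if end != len(buf):
        issues.append(f"{len(buf) - end} trailing byte(s) after the structure")
    return der, issues


def is_der(buf):
    """True only if the input is byte-for-byte what a DER re-encoder produces."""
    der, issues = canonicalize(buf)
    return der == bytes(buf) and not issues


# Constructed samples: a SEQUENCE wrapping one CertStatus value.
GOOD_DER = bytes.fromhex("30028000")              # [0] IMPLICIT NULL, strict DER
GOOD_LONG_LEN = bytes.fromhex("3003808100")       # same NULL with a long-form zero length
GOOD_INDEFINITE = bytes.fromhex("308080000000")   # outer SEQUENCE in indefinite form
# [1] IMPLICIT RevokedInfo { GeneralizedTime "20050203113414Z" }, strict DER
REVOKED_DER = bytes.fromhex("3013a111180f32303035303230333131333431345a")

if __name__ == "__main__":
    for name, sample in [("good/DER", GOOD_DER), ("good/long-len", GOOD_LONG_LEN),
                         ("good/indefinite", GOOD_INDEFINITE), ("revoked/DER", REVOKED_DER)]:
        der, issues = canonicalize(sample)
        print(f"{name}: received={sample.hex()} re-encoded={der.hex()} issues={issues}")
```

To apply this to a real response, dump the file with `openssl asn1parse -inform DER -in response.der -i` and look at the length octets of the elements inside tbsResponseData, or feed the raw bytes of that element to `canonicalize` and compare its output with what was signed. If the received encoding and the re-encoded one differ only in the "good" branch, the two symptoms in the post (revoked verifies, good does not) are what you would expect from a verifier that signs and checks over its own DER re-encoding.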