On Tue, Apr 13, 2010, Chris Bare wrote:

> > Additional candidate signer certificates need to be included in the
> > -verify_other option.
> > 
> > If the OCSP signing certificate is self-signed then it needs to be explicitly
> > trusted, which is the -VAfile option; if you use that, it will also be searched
> > as a signer.
> 
> doesn't putting it in the CApath also mean it's explicitly trusted?
> 
> I tracked down this code in crypto/ocsp/ocsp_vfy.c:
> 
> static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
>                             STACK_OF(X509) *certs, X509_STORE *st,
>                             unsigned long flags)
>       {
>       X509 *signer;
>       OCSP_RESPID *rid = bs->tbsResponseData->responderId;
>       /* 1. candidates supplied by the caller (the -verify_other/-VAfile certs) */
>       if ((signer = ocsp_find_signer_sk(certs, rid)))
>               {
>               *psigner = signer;
>               return 2;
>               }
>       /* 2. certificates embedded in the response itself, unless OCSP_NOINTERN */
>       if (!(flags & OCSP_NOINTERN) &&
>           (signer = ocsp_find_signer_sk(bs->certs, rid)))
>               {
>               *psigner = signer;
>               return 1;
>               }
>       /* Maybe lookup from store if by subject name */
> 
>       *psigner = NULL;
>       return 0;
>       }
> 
> It looks like implementing the "Maybe" case would solve my problem. Would it
> be incorrect to look in the store also here? I'd be glad to work on a patch.
> 

The store can only look up by subject name; lookup by key identifier is not
supported, and OCSP can use either.

It doesn't automatically trust certificates in the store because they have to be
authorised to sign OCSP responses. Certificates can be explicitly trusted,
though, by adding an appropriate trust value.

> I understand I can make the command line tool work with -verify_other, but in
> my code I have no handy way to do that. My users are going to dump all trusted
> certs, regardless of purpose, into the trusted store.

Well, that's a bit of a problem, because if you trust all those, a self-signed EE
certificate could be used to sign OCSP responses for anyone.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

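The three rules Steve states above (extra signer candidates go in -verify_other, a self-signed signer has to be trusted explicitly via -VAfile, and a certificate sitting in the store is not an OCSP signer until it carries the OCSPSigning trust value) can be reproduced end to end with the openssl(1) tool. The script below is an added example, not code from this thread, from OpenSSL or from its test suite; the CA, end-entity, delegated responder and "RogueVA" certificates, the file names and the serials are all made up for the demonstration, and the only assumption is an openssl binary in PATH. It builds a throwaway PKI, produces three OCSP responses offline (-reqin/-respout, no network), and verifies each one against differently populated trust stores, including the "dump everything into the trusted store" case Chris describes and the outcome Steve warns about once such a certificate is trusted for OCSP signing.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself: reproduces the
# OCSP signer trust rules discussed above with the openssl(1) tool. Every name
# here (TestCA, test-ee, TestCA-OCSP, RogueVA, the file names, the serials) is
# made up for the demonstration. Assumes an openssl binary in PATH.
set -e
command -v openssl >/dev/null || { echo "openssl not found in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Test PKI ---------------------------------------------------------------
# A CA and an end-entity certificate (serial 0x1001) issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=TestCA -days 1 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
    -subj /CN=test-ee 2>/dev/null
openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out ee.pem 2>/dev/null

# A delegated responder: issued by the CA and authorised through extendedKeyUsage.
printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
openssl req -new -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
    -subj /CN=TestCA-OCSP 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 \
    -days 1 -extfile ocsp.ext -out ocsp.pem 2>/dev/null

# A self-signed certificate with no relationship to the CA at all.
openssl req -x509 -newkey rsa:2048 -nodes -keyout va.key -out va.pem \
    -subj /CN=RogueVA -days 1 2>/dev/null

# Two extra trust stores for the verifier: the rogue cert dumped in "regardless
# of purpose", and the rogue cert carrying the OCSPSigning trust value
# (openssl x509 -addtrust writes a TRUSTED CERTIFICATE block with that aux data).
cat ca.pem va.pem > store-all.pem
openssl x509 -in va.pem -addtrust OCSPSigning -out va-trusted.pem
cat ca.pem va-trusted.pem > store-va-trusted.pem

# --- Responder side (offline) ----------------------------------------------
# openssl-ca index format: status, expiry, revocation date, serial (hex), file
# name, subject. The responder only looks at the status and the serial.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=test-ee\n' > index.txt
openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1

respond() { # $1 signer cert, $2 signer key, $3 output file, rest: extra flags
    signer=$1; key=$2; outfile=$3; shift 3
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$signer" -rkey "$key" \
        -reqin req.der -respout "$outfile" -no_nonce -noverify "$@" >/dev/null 2>&1
}
respond ocsp.pem ocsp.key resp-delegated.der
respond ocsp.pem ocsp.key resp-delegated-nocerts.der -resp_no_certs
respond va.pem   va.key   resp-rogue.der    # RogueVA answering for TestCA's cert

# --- Relying-party side ----------------------------------------------------
# Returns 0 when OpenSSL accepts the response ("Response verify OK"), 1 otherwise.
ocsp_verifies() { # $1 response file, rest: verifier flags (-CAfile, -VAfile, ...)
    resp=$1; shift
    out=$(openssl ocsp -respin "$resp" -issuer ca.pem -cert ee.pem -no_nonce "$@" 2>&1) || true
    case $out in
        *"Response verify OK"*) return 0 ;;
        *)                      return 1 ;;
    esac
}
show() { # $1 label, rest: ocsp_verifies arguments
    label=$1; shift
    if ocsp_verifies "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

show "delegated responder, its cert embedded in the response" \
    resp-delegated.der -CAfile ca.pem
show "same, cert omitted (-resp_no_certs): signer not found" \
    resp-delegated-nocerts.der -CAfile ca.pem
show "same, cert supplied as an extra candidate via -verify_other" \
    resp-delegated-nocerts.der -CAfile ca.pem -verify_other ocsp.pem
show "self-signed RogueVA, store holds the CA only" \
    resp-rogue.der -CAfile ca.pem
show "RogueVA in the store but without an OCSP trust value" \
    resp-rogue.der -CAfile store-all.pem
show "RogueVA in the store with -addtrust OCSPSigning: signs for anyone" \
    resp-rogue.der -CAfile store-va-trusted.pem
show "RogueVA explicitly trusted via -VAfile" \
    resp-rogue.der -CAfile store-ca.pem -VAfile va.pem 2>/dev/null || \
show "RogueVA explicitly trusted via -VAfile" \
    resp-rogue.der -CAfile ca.pem -VAfile va.pem
```

The fifth case is the one that matters for Chris's users: a self-signed certificate merely present in the store chains fine under the OCSP helper purpose, but OCSP_basic_verify() then requires the root of that chain to carry explicit OCSPSigning trust and fails with "root CA not trusted". The sixth and seventh cases show what Steve warns about: once RogueVA is trusted for OCSP signing, whether through the trust value or through -VAfile, its response about a certificate issued by an unrelated CA verifies OK. For library code rather than the CLI, -verify_other and -VAfile correspond to the `certs` argument and the OCSP_TRUSTOTHER flag of OCSP_basic_verify(), and the trust value is what X509_add1_trust_object(x, OBJ_nid2obj(NID_OCSP_sign)) attaches (or what a TRUSTED CERTIFICATE PEM block carries into the store); -no_explicit (OCSP_NOEXPLICIT) disables that explicit-trust path altogether.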