Responses from OpenCA's OCSPd supported? #1

Open
Codelica opened this issue Aug 6, 2015 · 1 comment


Codelica commented Aug 6, 2015

Hello.. thanks for this module, it's definitely needed.

When testing check() with a good cert against OCSPd (from the OpenCA project), it's throwing "Invalid signature."

OCSPd logs:

Aug  6 13:53:49 watchtower ocspd[9710]: Request for certificate serial 4096
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:684] [DEBUG] CRL::CA [ca-ec-sockets] nameHash OK
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:699] [DEBUG] CRL::CA [ca-ec-sockets] issuerKeyHash OK
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:324] [DEBUG] Using the specific token for the found CA (ca-ec-sockets)
Aug  6 13:53:49 watchtower ocspd[9710]: valid certificate status [serial 4096]
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:84] [DEBUG] Digest Algorithm For Signature: SHA1
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:97] [DEBUG] Signing Certificate:
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:98] [DEBUG] - Serial .....: 4100
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:99] [DEBUG] - Subject ....: C=US, ST=Nevada, L=Las Vegas, O=MyCompany Inc., CN=ocsp-sockets.mycompany.com
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:100] [DEBUG] - Issuer .....: C=US, ST=Nevada, L=Las Vegas, O=MyCompany Inc., CN=MyCompany Sockets Root CA
Aug  6 13:53:49 watchtower ocspd[9710]: [hsm_main.c:648] [DEBUG] Signature Size (512 bytes)
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:119] [DEBUG] Response signed successfully
Aug  6 13:53:49 watchtower ocspd[9710]: [response.c:622] [DEBUG] OCSP Response Bytes = 2333, HTTP Header Bytes = 184

When trying to trace through your verification code I noticed:

// TODO(indutny): support other responders

So I was just curious if there might be a known issue with OCSPd before digging further.

Thanks!


Codelica commented Aug 7, 2015

As a follow-up, the queries to our OpenCA OCSPd server seem to either fail (as above with "invalid signature") or hang (with a malloc() error on the OCSPd end) using this module. So it seems like queries to OCSPd aren't possible currently -- and that OCSPd has a pretty bad bug, as you can eventually kill the daemon by making them. :(

I tried to compare requests (using the same certs) with this module and working clients we've tried (OpenSSL's ocsp command, and a .NET/C# test client). The OpenSSL command and C# code seem to issue the same request, but this module seems to issue a completely different (and notably larger) request. I'm afraid I don't know enough about OCSP request structure to know if that's potentially ok. :)

For reference, this is the OpenSSL command I was using for comparison:

openssl ocsp -noverify -no_nonce -respout ocsp.response.txt -reqout ocsp.request.txt \
-issuer my-ca.cer -cert my-cert.cer -url "http://ocsp.mycompany.com" \
-header "HOST" "ocsp.mycompany.com" -text

Thanks for reading...
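The comparison the reporter was attempting (two OCSP requests for the same certificate, one noticeably larger than the other) is easier once the request is decoded field by field. The following is an added example, not code from the ocsp module or from OpenCA: a stdlib-only Python encoder and decoder for the OCSPRequest structure of RFC 6960 section 4.1.1. It builds two requests for serial 4096 (the serial in the OCSPd log above) from constructed, clearly fake issuer hashes, one with and one without an id-pkix-ocsp-nonce extension, and reports which fields differ. The nonce is only one of several things that can make a request larger (a requestorName or a signature are others); the example does not claim that is what this module does, it just shows how to find out from the `-reqout` file that `openssl ocsp` writes.

```python
"""Encode and decode OCSPRequest (RFC 6960, 4.1.1) with plain DER, no third-party libraries.

OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL }
TBSRequest  ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] EXPLICIT GeneralName OPTIONAL,
                           requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL }
Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                           issuerKeyHash OCTET STRING, serialNumber CertificateSerialNumber }
"""
import hashlib

SHA1_OID = "1.3.14.3.2.26"               # id-sha1, the digest OCSPd reported using above
OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce (RFC 6960 4.4.1)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                      # base-128 arcs, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear when the top bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, nonce=None):
    """Unsigned request for one certificate, SHA-1 CertID, optional nonce (OCTET STRING per RFC 8954)."""
    alg = der(0x30, der_oid(SHA1_OID) + der(0x05, b""))
    cert_id = der(0x30, alg + der(0x04, issuer_name_hash) + der(0x04, issuer_key_hash) + der_int(serial))
    tbs_body = der(0x30, der(0x30, cert_id))  # requestList with a single Request
    if nonce is not None:
        ext = der(0x30, der_oid(OCSP_NONCE_OID) + der(0x04, der(0x04, nonce)))
        tbs_body += der(0xA2, der(0x30, ext))  # [2] EXPLICIT requestExtensions
    return der(0x30, der(0x30, tbs_body))


def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items


def parse_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0  # fine for the 1.x arcs used here
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def parse_ocsp_request(der_bytes):
    """Decode the fields a client comparison cares about: version, CertIDs, nonce, signature presence."""
    _, body, _ = parse_tlv(der_bytes)
    outer = parse_sequence(body)
    info = {"version": 1, "signed": any(t == 0xA0 for t, _ in outer[1:]), "requests": [], "nonce": None}
    for tag, val in parse_sequence(outer[0][1]):
        if tag == 0xA0:                                   # [0] EXPLICIT Version (v1 is encoded as 0)
            info["version"] = int.from_bytes(parse_sequence(val)[0][1], "big") + 1
        elif tag == 0x30:                                 # requestList
            for _, req in parse_sequence(val):
                cert_id = parse_sequence(parse_sequence(req)[0][1])
                info["requests"].append({
                    "hash_algorithm": parse_oid(parse_sequence(cert_id[0][1])[0][1]),
                    "issuer_name_hash": cert_id[1][1].hex(),
                    "issuer_key_hash": cert_id[2][1].hex(),
                    "serial": int.from_bytes(cert_id[3][1], "big"),
                })
        elif tag == 0xA2:                                 # [2] EXPLICIT requestExtensions
            for _, ext in parse_sequence(parse_sequence(val)[0][1]):
                fields = parse_sequence(ext)
                if parse_oid(fields[0][1]) == OCSP_NONCE_OID:
                    info["nonce"] = parse_tlv(fields[-1][1])[1].hex()  # unwrap the inner OCTET STRING
    return info


def diff_requests(a, b):
    """Names of top-level fields on which two decoded requests disagree."""
    return [k for k in a if a[k] != b[k]]


if __name__ == "__main__":
    # Constructed hashes: a real client hashes the issuer's DER Name and subjectPublicKey.
    name_hash = hashlib.sha1(b"constructed issuer Name").digest()
    key_hash = hashlib.sha1(b"constructed issuer key").digest()
    plain = build_ocsp_request(name_hash, key_hash, 4096)
    with_nonce = build_ocsp_request(name_hash, key_hash, 4096, nonce=bytes(16))
    print(len(plain), "bytes vs", len(with_nonce), "bytes")
    print(diff_requests(parse_ocsp_request(plain), parse_ocsp_request(with_nonce)))
```

To compare real captures, read the two `ocsp.request.txt` files written with `-reqout` and feed them to `parse_ocsp_request`; identical CertIDs mean both clients asked about the same certificate and the size difference lies in extensions, requestorName or a signature, which a responder is free to ignore but which can exercise code paths that `openssl ocsp -no_nonce` never does. On the response side, the OCSPd log shows the response signed by a separate certificate (serial 4100, CN=ocsp-sockets.mycompany.com) issued by the CA rather than by the CA key itself; RFC 6960 section 4.2.2.2 calls this a delegated responder, and a verifier must locate that certificate in the response, check that it chains to the issuer and carries the id-kp-OCSPSigning extended key usage, and only then accept its signature. A client that only tries the issuer's key will report an invalid signature on such a response even when the response is perfectly valid.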
