Topic: Issuer Key Hash not set before OCSP request
I've tried verifying a certificate with the following function:
CyaSSL_CertManagerCheckOCSP
I know that the certificate in question is valid and that the OpenSSL OCSP responder running here uses the correct CA certificate and knows the states of the certificates.
When trying to verify my cert, the responder stated that the certificate status is unknown.
After trying some more, I saw that the "Issuer Key Hash"-value in the OCSP request changed. This was due to this field not being set anywhere and thus pointing to some uninitialized value.
I've now patched the function ParseCertRelative inside ctaocrypt/src/asn.c (CyaSSL embedded SSL v2.9.0) to set the "Issuer Key Hash" field in the certificate whose state is to be checked:
    if (verify && type != CA_TYPE) {
        [...]
    } else if (type != CA_TYPE) {
        Signer* ca = NULL;
    #ifndef NO_SKID
        if (cert->extAuthKeyIdSet)
            ca = GetCA(cm, cert->extAuthKeyId);
        if (ca == NULL)
            ca = GetCAByName(cm, cert->issuerHash);
    #else /* NO_SKID */
        ca = GetCA(cm, cert->issuerHash);
    #endif /* NO_SKID */

        /* Store the issuer's key hash so the later OCSP request carries it.
           Guarded: if the issuing CA is not loaded, ca is NULL and must not
           be dereferenced; the field then stays unset and the request fails
           the same way it did before the patch. */
        if (ca != NULL)
            memcpy(cert->issuerKeyHash, ca->subjectKeyIdHash, SHA_SIZE);
    }
This way, the OCSP request has the correct "Issuer Key Hash" and the OCSP responder correctly responds "good" as certificate status.
Is this a bug or am I using the OCSP API wrong?
- Daniel
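As an added example (not part of the post and not CyaSSL code): the value the OCSP responder compares the request's "Issuer Key Hash" against, computed directly from the issuer's DER SubjectPublicKeyInfo as RFC 6960 defines it, using only the standard library. The DER helpers, the sample RSA key and the `request_matches_issuer` check are constructed for this example.

```python
import hashlib

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only); used to build the sample input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_tlv(data: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, value, position after the TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def issuer_key_hash(spki_der: bytes) -> bytes:
    """RFC 6960 CertID.issuerKeyHash: SHA-1 over the issuer's subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet. This is the same value as an
    RFC 5280 method-1 SubjectKeyIdentifier, which is why a CA's key identifier can stand
    in for it only when the CA derived its SKID that way."""
    tag, spki, _ = der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = der_tlv(spki)     # AlgorithmIdentifier is not part of the hash
    tag, bits, _ = der_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return hashlib.sha1(bits[1:]).digest()

# Constructed sample: rsaEncryption SubjectPublicKeyInfo around a dummy RSAPublicKey.
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def build_spki(pubkey_bits: bytes) -> bytes:
    """Wrap raw subjectPublicKey bytes in a SubjectPublicKeyInfo (rsaEncryption, NULL params)."""
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + pubkey_bits))

SAMPLE_PUBKEY = der(0x30, der(0x02, b"\x00" + bytes(range(1, 129))) + der(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI = build_spki(SAMPLE_PUBKEY)

def request_matches_issuer(request_issuer_key_hash: bytes, issuer_spki_der: bytes) -> bool:
    """What the responder effectively checks: the CertID's issuerKeyHash must equal the
    hash of the CA key it holds; an uninitialised value will not match, hence 'unknown'."""
    return request_issuer_key_hash == issuer_key_hash(issuer_spki_der)
```

Comparing `issuer_key_hash()` of the real CA certificate's SubjectPublicKeyInfo with the bytes in a captured request (e.g. from `openssl ocsp -text`) tells you whether the client filled the field correctly before blaming the responder.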