[Openca-ocspd] Cisco Router + OCSPD-2

[Joachim A. <ac...@as...>]

Hi Massimilio, hi OCSP developers,

I'm a step further with my problems between Cisco router <-> OCSPD-2


1st, I had to comment in this line again at response.c (line 518):

        // PKI_NET_write (connfd, "\r\n", 2); <--- Deleted: Caused issues
        //                                         in Firefox/Thunderbird OCSPs

   What is good for Firefox is bad for Cisco routers:
   Without \r\n , the Cisco router showed an error:
   ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/pki/pkicomm/pki_http.c(303): E_PKI_TRANSPORT : data transport error ()


2nd, a followup-problem, after inserting the PKI_Net_write \r\n again,
was still there with OCSP-2.1.0 + libpki-0.6.4:

  ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(690): E_PKI_TRANSPORT : data transport warning (transport failure)
  ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(3438): E_PKI_TRANSPORT : data transport error (!PKI_STATUS_GRANTED)

  Certificates weren't correct up to that release.

But I think I've mastered two levels in this adventure up to this point. :-)

3rd, after upgrading to OCSP-2.1.1 + libpki-0.6.5, it's looking much better now,
but it still doesn't work yet:

  ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2715): E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported



I have looked a bit more into depth: Cisco seems to use source code from
RSA Security (www.rsa.com) for Cisco router's OCSP functionality.
Cisco routers include exactly the strings for warnings and errors
like the ocsp.c of RSA does. This is my suspicion, because I've
googled the following ocsp.c source file of RSA:

http://www.rsa.com/products/bsafe/documentation/certc272html/ocsp_8c-source.html


So, what does exactly happen, when the Cisco router gets back the
OCSP response from ocspd-2.1.1....

The RSA ocsp.c reads - there are only some hashing standards, it will
support, when decoding the Certificate ID:

   /* since we only support DAI_SHA1_OID and DAI_MD5_OID, and both
      don't come with parameters, so we just decode OID */

In other cases it would put out this "E_DIGEST_ALG_NOT_SUPPORTED" error.

But - when I turn debugging on (writing DER cert into /tmp/ocsp-resp.der)
and look up the OCSP response with
  "openssl ocsp -resp_text -respin /tmp/ocsp-resp.der -no_cert_verify"

I just get a (in my eyes) normal reponse, I don't see there would be
another hashing done then the SHA1 in the protocol standard:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = Astel, OU = TestCA, CN = Test
    Produced At: Jun  3 15:32:11 2011 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      Issuer Key Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      Serial Number: XXXXXXXXXXXXXXXXXXXX
    Cert Status: good
    This Update: Jun  3 15:32:11 2011 GMT
    Next Update: Jun  3 15:37:11 2011 GMT
    [...]


Could you just have a look into
http://www.rsa.com/products/bsafe/documentation/certc272html/ocsp_8c-source.html
to see which hashing format is expected by the RSA code?

Greetings
    -Achim