From: Riccardo B. <ric...@er...> - 2017-09-20 19:22:44
Hi all,

Using the git clone https://git.code.sf.net/p/cmpforopenssl/git cmpforopenssl-git I downloaded and installed your last version of cmpforopenssl in an Ubuntu 14.04.5 LTS VM (I made this on September 14th).

Trying to evaluate cmpforopenssl, I saw that your application isn't managing the revocation reason correctly. The CMP revocation request was tested using both cmpforopenssl and cmpclient (both have been run in clear test ... no TLS used). In both cases the certificates were revoked, but an unexpected wrong revocation code (different from all values tried) was observed when invoking the OCSP protocol with the serial number of the certificate previously revoked via cmpforopenssl. Independently of the value of the revocation reason used in the cmpforopenssl syntax, the certificates are always revoked with the reason cessationOfOperation.

Response verify OK
trazas5.pem: revoked
This Update: Sep 15 13:24:15 2017 GMT
Reason: cessationOfOperation
Revocation Time: Sep 15 13:23:02 2017 GMT
root@security:/opt/cmp/bin

Analysing the RR answer in both cases, the first one sent from cmpclient and the second one from cmpforopenssl, I'm seeing that:

* In the Wireshark trace generated during the cmpclient test, the CRLReason value (keyCompromise 1) associated to the id-ce-reasonCode is correctly decoded.
[attachment: image005.jpg]
* In the Wireshark trace generated during the cmpforopenssl test, the RR packet has been declared as malformed .... this after the id-ce-reasonCode row.
[attachment: image006.jpg]

Can I help you to analyse this behaviour? Do you have a patch available on this part to be tested?

Br
Riccardo
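An added example, not code from the message above or from cmpforopenssl: it DER-encodes the id-ce-reasonCode extension that a CMP revocation request carries in its crlEntryDetails and parses it back, rejecting malformed encodings such as the truncated one a capture might show. It assumes the CRLReason values from RFC 5280 and a minimal pure-Python DER encoder (short-form lengths only).

```python
# id-ce-reasonCode is OID 2.5.29.21; these are its DER content octets.
ID_CE_REASON_CODE = bytes.fromhex("551d15")

# CRLReason ENUMERATED values (RFC 5280, section 5.3.1); 7 is unused.
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}

def _tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one tag/length/value; all lengths here fit the short form."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def encode_reason_code_extension(reason: int) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING },
    with extnValue wrapping the CRLReason ENUMERATED (critical is DEFAULT FALSE
    and therefore omitted in DER)."""
    if reason not in CRL_REASONS:
        raise ValueError(f"not a valid CRLReason: {reason}")
    enumerated = _tlv(0x0A, bytes([reason]))             # ENUMERATED
    return _tlv(0x30, _tlv(0x06, ID_CE_REASON_CODE)      # SEQUENCE { OID,
                + _tlv(0x04, enumerated))                #   OCTET STRING }

def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Return (content, next_pos) for the TLV at pos, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length >= 128 or pos + 2 + length > len(buf):
        raise ValueError(f"bad or truncated length at offset {pos + 1}")
    return buf[pos + 2 : pos + 2 + length], pos + 2 + length

def decode_reason_code_extension(der: bytes) -> str:
    """Parse the extension and return the reason name; raise on malformed input."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after Extension")
    oid, pos = _read_tlv(seq, 0, 0x06)
    if oid != ID_CE_REASON_CODE:
        raise ValueError("extnID is not id-ce-reasonCode")
    octets, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("unexpected data after extnValue")
    enum, pos = _read_tlv(octets, 0, 0x0A)
    if pos != len(octets) or len(enum) != 1 or enum[0] not in CRL_REASONS:
        raise ValueError("extnValue is not a valid CRLReason ENUMERATED")
    return CRL_REASONS[enum[0]]
```

Comparing the hex that `encode_reason_code_extension(1)` produces with the bytes following id-ce-reasonCode in a Wireshark capture shows whether the client emitted a well-formed keyCompromise value or something the CA could not parse.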