From: <oh...@ya...> - 2019-08-06 14:54:18
Hi,

I just realized that the OCSP responses with:

    Response verify OK
    0x17FF15: good
        This Update: Aug 6 14:18:41 2019 GMT
        Next Update: Aug 6 14:23:41 2019 GMT

are the same as when OCSPD cannot find the serial number?? So it seems like some of the entries that are in the CRL file are NOT in the OCSPD database, i.e., when I do an OCSP request for 17FF15, OCSPD does not have that entry in its database???

Jim

On Tuesday, August 6, 2019, 2:25:33 PM UTC, oh...@ya... <oh...@ya...> wrote:

> Hi,
>
> This is similar to a case I mentioned in my previous post, but this time it is for an entry in the CRL that is "Key Compromise".
>
> I have been testing against one of our CRLs, and in there, we have a cert serial 17FF15. Here's the output from "openssl crl" for that serial number:
>
>     Serial Number: 17FF15
>         Revocation Date: Sep 27 16:41:12 2018 GMT
>         CRL entry extensions:
>             X509v3 CRL Reason Code: Key Compromise
>
> However, when I run an "openssl ocsp" (send a request) test against OpenCA OCSPD with this CRL, I am getting this:
>
>     OCSP Request Data:
>         Version: 1 (0x0)
>         Requestor List:
>             Certificate ID:
>                 Hash Algorithm: sha1
>                 Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
>                 Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
>                 Serial Number: 17FF15
>         Request Extensions:
>             OCSP Nonce: 0410C4C258A539DD8568B18DD47058D02E75
>     Response verify OK
>     0x17FF15: good
>         This Update: Aug 6 14:18:41 2019 GMT
>         Next Update: Aug 6 14:23:41 2019 GMT
>
> So, it looks like, from the CRL, the cert was Revoked, because it was "Key Compromise", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?
>
> Again, I am not that familiar with the RFCs, but is that a "correct" OCSP response for that revoked entry in the CRL file? Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?
>
> For instance, here is the CRL entry vs. OCSP response for another serial number, 17FF16:
>
>     Serial Number: 17FF16
>         Revocation Date: Oct 29 16:55:42 2018 GMT
>         CRL entry extensions:
>             X509v3 CRL Reason Code: Affiliation Changed
>             Invalidity Date: Oct 29 16:49:18 2018 GMT
>
>     OCSP Request Data:
>         Version: 1 (0x0)
>         Requestor List:
>             Certificate ID:
>                 Hash Algorithm: sha1
>                 Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
>                 Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
>                 Serial Number: 17FF16
>         Request Extensions:
>             OCSP Nonce: 041070807FF2981BD8E943724399B93011E7
>     Response verify OK
>     0x17FF16: revoked
>         This Update: Aug 6 14:23:01 2019 GMT
>         Next Update: Aug 6 14:28:01 2019 GMT
>         Reason: affiliationChanged
>         Revocation Time: Oct 29 16:55:42 2018 GMT
>
> Notice the OCSP response for the 17FF16 serial number has:
>
>     0x17FF16: revoked
>
> and:
>
>     Reason: affiliationChanged
>     Revocation Time: Oct 29 16:55:42 2018 GMT
>
> Thanks,
> Jim
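As an added example, not code from this thread, from OpenCA or from Jim, the following POSIX shell script automates the comparison Jim is doing by hand: it reads the text output of `openssl crl -text` and `openssl ocsp`, and flags every serial the CRL marks revoked for which the responder did not answer "revoked". The file names, the responder URL and the CRL header fields in the embedded sample are placeholders or constructed; the two serials and their dates are the ones from the thread.

```shell
#!/bin/sh
# Added example for the thread above; this is not OpenCA's or Jim's code.
# It cross-checks every serial a CRL lists as revoked against the status an
# OCSP responder returned for it, so a "good" answer for a revoked serial
# (the situation reported for 17FF15) is flagged mechanically.
#
# Both parsers consume the text forms produced by the commands used in the
# thread; file names and the responder URL here are placeholders:
#   openssl crl  -in issuing-ca.crl -noout -text > crl.txt
#   openssl ocsp -issuer issuing-ca.pem -serial 0x17FF15 \
#                -url http://ocsp.example.test/ -resp_text > 17FF15.txt

TAB=$(printf '\t')

# crl_revoked_serials: stdin is `openssl crl -text` output. Prints
# "SERIAL<TAB>REASON" for each revoked entry; REASON is "unspecified" when
# the entry carries no CRL Reason Code extension. In openssl's layout the
# reason text is on the line after the "X509v3 CRL Reason Code:" header.
crl_revoked_serials() {
    awk '
        function flush() { if (serial != "") printf "%s\t%s\n", toupper(serial), reason }
        /^ *Serial Number:/       { flush(); serial = $3; reason = "unspecified"; next }
        /X509v3 CRL Reason Code:/ { want = 1; next }
        want == 1                 { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); reason = $0; want = 0 }
        END                       { flush() }
    '
}

# ocsp_status: stdin is one or more `openssl ocsp` outputs. Prints
# "SERIAL<TAB>STATUS" from each summary line such as "0x17FF15: good".
# openssl echoes the serial exactly as typed after -serial, so the "0x"
# prefix is stripped and the hex upper-cased to match the CRL side.
ocsp_status() {
    awk '/^0x[0-9A-Fa-f]+: (good|revoked|unknown)/ {
            s = $1; sub(/^0x/, "", s); sub(/:$/, "", s)
            printf "%s\t%s\n", toupper(s), $2
        }'
}

# check_ocsp_against_crl CRL_TEXT OCSP_TEXT...
# Emits one line per revoked CRL entry: SERIAL, CRL reason, OCSP status,
# verdict. Verdict is OK only when the responder said "revoked"; "good",
# "unknown" or no answer at all ("no-response") is a MISMATCH.
check_ocsp_against_crl() {
    crl=$1; shift
    statuses=$(cat "$@" | ocsp_status)
    crl_revoked_serials < "$crl" | while IFS="$TAB" read -r serial reason; do
        status=$(printf '%s\n' "$statuses" |
                 awk -F '\t' -v s="$serial" '$1 == s { print $2; exit }')
        [ -n "$status" ] || status="no-response"
        if [ "$status" = "revoked" ]; then verdict=OK; else verdict=MISMATCH; fi
        printf '%s\t%s\t%s\t%s\n' "$serial" "$reason" "$status" "$verdict"
    done
}

# demo_report: constructed sample input reproducing the two serials from the
# thread (the CRL header fields are made up), run through the checker.
demo_report() {
    dir=$(mktemp -d)
    cat > "$dir/crl.txt" <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Placeholder Issuing CA
        Last Update: Aug  6 14:00:00 2019 GMT
        Next Update: Aug 13 14:00:00 2019 GMT
Revoked Certificates:
    Serial Number: 17FF15
        Revocation Date: Sep 27 16:41:12 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 17FF16
        Revocation Date: Oct 29 16:55:42 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed
            Invalidity Date:
                Oct 29 16:49:18 2018 GMT
EOF
    cat > "$dir/17FF15.txt" <<'EOF'
Response verify OK
0x17FF15: good
  This Update: Aug  6 14:18:41 2019 GMT
  Next Update: Aug  6 14:23:41 2019 GMT
EOF
    cat > "$dir/17FF16.txt" <<'EOF'
Response verify OK
0x17FF16: revoked
  This Update: Aug  6 14:23:01 2019 GMT
  Next Update: Aug  6 14:28:01 2019 GMT
  Reason: affiliationChanged
  Revocation Time: Oct 29 16:55:42 2018 GMT
EOF
    check_ocsp_against_crl "$dir/crl.txt" "$dir/17FF15.txt" "$dir/17FF16.txt"
    rm -rf "$dir"
}

demo_report
```

Run on the thread's data, the report has one MISMATCH line for 17FF15 (CRL reason Key Compromise, responder says good) and one OK line for 17FF16. From a relying party's point of view a "good" for a serial the responder never loaded is indistinguishable from a genuinely good certificate, which is why comparing the responder against the very CRL it was fed is the useful test; the script also treats "unknown" (the status RFC 6960 defines for serials the responder has no record of) and a missing answer as mismatches, since neither is what a client should see for a key-compromised certificate.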