httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Date Wed, 05 Feb 2014 07:44:19 GMT
On 05.02.2014 08:25, Brian Smith wrote:
> It would be possible for a server to fetch and staple the OCSP
> response only using the information from the server's end-entity
> certificate.

Actually no - you can't properly fill in the CertID for the request
otherwise. From RFC 6960:

>    Request         ::=     SEQUENCE {
>        reqCert                     CertID,
>        singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }
> 
>    CertID          ::=     SEQUENCE {
>        hashAlgorithm       AlgorithmIdentifier,
>        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
>        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
>        serialNumber        CertificateSerialNumber }
> 

and

>    o  issuerKeyHash is the hash of the issuer's public key.  The hash
>       shall be calculated over the value (excluding tag and length) of
>       the subject public key field in the issuer's certificate.

(relying on the end-entity's AKID extension isn't reliable enough - even
if it is present, it doesn't necessarily have to be a hash over the
issuer's public key, that's only a recommendation in RFC 5280 section
4.2.1.2)

Kaspar
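
An added example (my own code, not anything from this thread, httpd or mod_ssl) that builds an OCSP CertID from DER certificates with a hand-written DER walker: issuerNameHash and serialNumber come from the end-entity certificate, but issuerKeyHash is taken over the subjectPublicKey contents of the issuer's certificate, which is why the issuer cert has to be at hand. The sample certificates are constructed, unsigned placeholders, and the hash skips the BIT STRING's unused-bits octet, as OpenSSL does.

```python
import hashlib
# Minimal DER helpers, constructed for this example (no external X.509 library needed).
def der_len(n):
    if n < 0x80: return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def parse_tlv(buf, pos=0):                        # -> (tag, contents, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln
def children(buf):                                # -> [(tag, contents, raw TLV), ...]
    out, pos = [], 0
    while pos < len(buf):
        start = pos
        tag, val, pos = parse_tlv(buf, pos)
        out.append((tag, val, buf[start:pos]))
    return out
def cert_fields(cert_der):
    """Return (serialNumber, DER of issuer Name, subjectPublicKey bits) from a DER certificate."""
    _, cert, _ = parse_tlv(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, _ = parse_tlv(cert)                   # tbsCertificate is its first element
    f = children(tbs)
    if f[0][0] == 0xA0: f = f[1:]                 # skip EXPLICIT [0] version if present
    serial = int.from_bytes(f[0][1], "big", signed=True)
    issuer_name_der = f[2][2]                     # whole TLV: RFC 6960 hashes the DER Name
    spki = children(f[5][1])                      # SEQUENCE { algorithm, subjectPublicKey }
    key_bits = spki[1][1][1:]                     # BIT STRING contents, unused-bits octet dropped (OpenSSL behaviour)
    return serial, issuer_name_der, key_bits
def ocsp_cert_id(ee_der, issuer_der, hash_name="sha1"):
    """CertID for ee_der; issuerKeyHash can only come from the issuer's own certificate."""
    serial, issuer_name_der, _ = cert_fields(ee_der)
    _, _, issuer_key_bits = cert_fields(issuer_der)
    return {"issuerNameHash": hashlib.new(hash_name, issuer_name_der).hexdigest(),
            "issuerKeyHash": hashlib.new(hash_name, issuer_key_bits).hexdigest(),
            "serialNumber": serial}
# Constructed, unsigned sample certificates: placeholders for the demo, not real trust material.
def cn_name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def fake_cert(serial, issuer_cn, subject_cn, key_bits):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    validity = tlv(0x30, 2 * tlv(0x17, b"240101000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + key_bits))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + alg + cn_name(issuer_cn) + validity + cn_name(subject_cn) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))            # signature left as a placeholder
CA_KEY_BITS, EE_KEY_BITS = b"constructed CA public key bytes", b"constructed end-entity public key bytes"
CA_CERT, EE_CERT = fake_cert(1, "Test CA", "Test CA", CA_KEY_BITS), fake_cert(0x1234, "Test CA", "www.example.test", EE_KEY_BITS)
```

Feeding the end-entity certificate in place of the issuer (`ocsp_cert_id(EE_CERT, EE_CERT)`) yields the same issuerNameHash and serialNumber but a wrong issuerKeyHash, which is exactly the request a responder would not match.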
