OpenBanking-Brasil / specs-seguranca

Documentation of the specifications from the Open Banking Brasil Security WG (GT de Segurança). The specifications are still drafts and must not be used for implementation.

[OCSP] Certificate authorities accredited by OpenFinance do not follow RFC6960 #414

Open lucasfurno opened 10 months ago

lucasfurno commented 10 months ago

While implementing OCSP validation to check the status of a signing certificate, we found that some CAs do not follow RFC6960: when a request is sent to the OCSP Responder using the GET method, the response is invalid.

OCSP over HTTP

A.1.  Request

   HTTP-based OCSP requests can use either the GET or the POST method to
   submit their requests.  To enable HTTP caching, small requests (that
   after encoding are less than 255 bytes) MAY be submitted using GET.
   If HTTP caching is not important or if the request is greater than
   255 bytes, the request SHOULD be submitted using POST.  Where privacy
   is a requirement, OCSP transactions exchanged using HTTP MAY be
   protected using either Transport Layer Security/Secure Socket Layer
   (TLS/SSL) or some other lower-layer protocol.

   An OCSP request using the GET method is constructed as follows:

   GET {url}/{url-encoding of base-64 encoding of the DER encoding of
   the OCSPRequest}

   where {url} may be derived from the value of the authority
   information access extension in the certificate being checked for
   revocation, or other local configuration of the OCSP client.

   An OCSP request using the POST method is constructed as follows: The
   Content-Type header has the value "application/ocsp-request", while
   the body of the message is the binary value of the DER encoding of
   the OCSPRequest.

The scenario shown below was observed both with an OpenFinance homologation (Sandbox) certificate and in production. The commands from https://unmitigatedrisk.com/?p=42 are used to keep the steps short:

curl -vsi http://ocsp2.acsoluti.com.br/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBR5X%2FoVZWaxe9Tnoz%2FWlamMNJAclgQUhyboEB5t1CA%2FZX6c%2F%2F1B9%2F%2FJYCMCCBHeIhIpkkQS
*   Trying 187.0.211.29:80...
* Connected to ocsp2.acsoluti.com.br (187.0.211.29) port 80 (#0)
> GET /MEkwRzBFMEMwQTAJBgUrDgMCGgUABBR5X%2FoVZWaxe9Tnoz%2FWlamMNJAclgQUhyboEB5t1CA%2FZX6c%2F%2F1B9%2F%2FJYCMCCBHeIhIpkkQS HTTP/1.1
> Host: ocsp2.acsoluti.com.br
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Date: Tue, 12 Sep 2023 13:54:33 GMT
Date: Tue, 12 Sep 2023 13:54:33 GMT
< Server: Apache
Server: Apache
< Content-Length: 298
Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /MEkwRzBFMEMwQTAJBgUrDgMCGgUABBR5X/oVZWaxe9Tnoz/WlamMNJAclgQUhyboEB5t1CA/ZX6c//1B9//JYCMCCBHeIhIpkkQS was not found on this server.</p>
</body></html>
curl --verbose --data-binary @ocsp.req -H "Content-Type:application/ocsp-request" --url http://ocsp2.acsoluti.com.br -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 187.0.211.29:80...
* Connected to ocsp2.acsoluti.com.br (187.0.211.29) port 80 (#0)
> POST / HTTP/1.1
> Host: ocsp2.acsoluti.com.br
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type:application/ocsp-request
> Content-Length: 75
> 
} [75 bytes data]
< HTTP/1.1 200 OK
< Date: Tue, 12 Sep 2023 13:55:16 GMT
< Server: WildFly/10
< X-Powered-By: Undertow/1
< Content-Type: application/ocsp-response
< Content-Length: 1814
< 
{ [1814 bytes data]
100  1889  100  1814  100    75  14428    596 --:--:-- --:--:-- --:--:-- 15873
* Connection #0 to host ocsp2.acsoluti.com.br left intact

Compliance with RFC6960 is mandatory under OpenFinance. Should the CAs be asked directly about their conformance, or is this really the expected behavior?
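The following is an added example, not code from the OpenBanking-Brasil project or from the issue author. It encodes and decodes an RFC 6960 OCSPRequest for a single certificate and produces both HTTP framings from Appendix A.1: the GET form ({url}/{url-encoding of base64 of the DER}) and the POST form (raw DER with Content-Type application/ocsp-request). It also decodes the GET path the reporter sent, which is copied from the page, to confirm it is a well-formed 75-byte request that matches the POST's Content-Length. The responder URL is taken from the page; the issuer name and key inputs in the demo are constructed, and the choice to measure the 255-byte GET threshold on the percent-encoded path is an assumption.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters, as in the page's request.
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")
SHA1_OID = bytes.fromhex("2b0e03021a")

# GET path from the curl call on the page, percent-encoded exactly as it was sent.
PAGE_GET_PATH = ("MEkwRzBFMEMwQTAJBgUrDgMCGgUABBR5X%2FoVZWaxe9Tnoz%2FWlamMNJAclgQUhyboEB5t1CA"
                 "%2FZX6c%2F%2F1B9%2F%2FJYCMCCBHeIhIpkkQS")


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_integer(value: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (leading 0x00 kept only when needed for sign)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return _tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def cert_id_inputs(issuer_name_der: bytes, issuer_subject_public_key: bytes) -> tuple[bytes, bytes]:
    """issuerNameHash = SHA-1 of the DER issuer Name; issuerKeyHash = SHA-1 of the issuer's
    subjectPublicKey BIT STRING contents (tag, length and unused-bits byte excluded)."""
    return hashlib.sha1(issuer_name_der).digest(), hashlib.sha1(issuer_subject_public_key).digest()


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest }, one Request, version v1 (DEFAULT, omitted), no extensions."""
    cert_id = _tlv(0x30, SHA1_ALG_ID + _tlv(0x04, issuer_name_hash)
                   + _tlv(0x04, issuer_key_hash) + _der_integer(serial))
    request_list = _tlv(0x30, _tlv(0x30, cert_id))   # SEQUENCE OF Request { reqCert CertID }
    return _tlv(0x30, _tlv(0x30, request_list))      # OCSPRequest { TBSRequest { requestList } }


def parse_ocsp_request(der: bytes) -> list[dict]:
    """Extract every CertID; skips [0] version and [1] requestorName if a client sent them."""
    tag, ocsp_body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = _read_tlv(ocsp_body, 0)              # tbsRequest; optionalSignature ignored
    pos, request_list = 0, None
    while pos < len(tbs):
        tag, body, pos = _read_tlv(tbs, pos)
        if tag == 0x30:                              # first untagged SEQUENCE is requestList
            request_list = body
            break
    if request_list is None:
        raise ValueError("requestList missing")
    out, pos = [], 0
    while pos < len(request_list):
        _, req, pos = _read_tlv(request_list, pos)
        _, cert_id, _ = _read_tlv(req, 0)
        _, alg, p = _read_tlv(cert_id, 0)
        _, name_hash, p = _read_tlv(cert_id, p)
        _, key_hash, p = _read_tlv(cert_id, p)
        _, serial, _ = _read_tlv(cert_id, p)
        _, oid, _ = _read_tlv(alg, 0)
        out.append({"hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
                    "issuer_name_hash": name_hash, "issuer_key_hash": key_hash,
                    "serial": int.from_bytes(serial, "big", signed=True)})
    return out


def ocsp_get_url(responder_url: str, der: bytes) -> str:
    """A.1 GET form. safe="" also percent-encodes '/', '+' and '=' from the base64 alphabet."""
    return responder_url.rstrip("/") + "/" + quote(base64.b64encode(der).decode("ascii"), safe="")


def ocsp_request_from_get_path(path: str) -> bytes:
    """What a responder must do with a GET path: percent-decode, then base64-decode to DER."""
    return base64.b64decode(unquote(path.lstrip("/")))


def ocsp_post(responder_url: str, der: bytes) -> tuple[str, dict, bytes]:
    """A.1 POST form: raw DER body, Content-Type application/ocsp-request."""
    return responder_url, {"Content-Type": "application/ocsp-request", "Content-Length": str(len(der))}, der


def preferred_method(der: bytes) -> str:
    """A.1: under 255 bytes after encoding MAY use GET (cacheable), else SHOULD use POST.
    Assumption: the threshold is measured on the percent-encoded base64 path segment."""
    return "GET" if len(quote(base64.b64encode(der).decode("ascii"), safe="")) < 255 else "POST"


def check_page_request(responder_url: str = "http://ocsp2.acsoluti.com.br") -> dict:
    """Decode the reporter's GET path and confirm it round-trips through both framings."""
    der = ocsp_request_from_get_path(PAGE_GET_PATH)
    (cid,) = parse_ocsp_request(der)
    rebuilt = build_ocsp_request(cid["issuer_name_hash"], cid["issuer_key_hash"], cid["serial"])
    return {"der_len": len(der), "hash_alg": cid["hash_alg"], "serial": cid["serial"],
            "rebuilt_matches": rebuilt == der, "get_url": ocsp_get_url(responder_url, der),
            "post_content_length": ocsp_post(responder_url, der)[1]["Content-Length"],
            "method": preferred_method(der)}


if __name__ == "__main__":
    print(check_page_request())
    # Constructed inputs (not a real CA): empty issuer Name SEQUENCE and a one-byte key.
    nh, kh = cert_id_inputs(b"\x30\x00", b"\x00")
    print(ocsp_get_url("http://ocsp.example.test", build_ocsp_request(nh, kh, 0x1234)))
```

Two details matter when comparing this against the page's exchange. First, the base64 alphabet contains '/' and '+', so a compliant GET path must percent-encode them (the page's request does, as %2F); a front end that refuses encoded slashes in the path, which Apache does by default (AllowEncodedSlashes Off answers 404), would reject the request before any OCSP code sees it, and the Server: Apache header on the 404 versus WildFly/Undertow on the POST is consistent with that, although the page does not confirm the cause. Second, decoding the path gives exactly 75 bytes, the same Content-Length the successful POST carried, so the GET and POST on the page are the same OCSPRequest in two framings.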