bseddon / ocsp-responder

PHP implementation of RFC 6960 to respond to certificate checking
MIT License

Help: for OCSP Certificate #1

Open shyamrsoni opened 9 months ago

shyamrsoni commented 9 months ago

Thanks Bill for sharing such wonderful code. As we went through OCSPServer.php we noticed that it works directly with the CA certificate to sign the OCSP response, but we have to provide the CA's private key. What modifications would we require if we want to use an OCSP Signing Certificate to sign the response? We tried to provide the OCSP Certificate along with its private key instead of the CA's for the $caCertificate and $caKey identifiers, but the code fails because it doesn't have the hash of the issuer's public key to compare with the OCSP request's issuerPubKeyHash. Thanks in advance.

bseddon commented 8 months ago

Hi. The presumption of the OCSP model is that you are returning a signed response to document the validity of a certificate you have generated and provided to another party. That other party has used the certificate to sign something. In the example case mentioned in the readme.md, the certificate you have generated and provided is used by a financial institution to sign XML documents.

Any consumer of that XML document, say an EU member state government, may want to ask about the validity of the certificate used for signing. The consumer of the XML document will ask you, as the creator of the certificate used to sign the XML document, whether the certificate was valid at the time of signing (it may have expired when the user asks, possibly many years later). In this case they will ask for validation information using an OCSP request.

The consumer of the XML document knows they can ask you for an OCSP response because your OCSP site is named in the public information available in the certificate used to sign the XML. The OCSP response must be signed by a certificate that was used to create the certificate used to sign the XML document. The user will be expecting this to happen because this is a requirement of OCSP.

Implicit in all of this is that you created the certificate. To have created the certificate, you need to have your own CA certificate and it is this certificate which is used to sign the OCSP response. That is, if you generated the certificate for another party, you must have the necessary keys. If you did not create the certificate used to sign the XML document then you cannot verify its status because you don't know. This is the purpose of OCSP - to make sure only the entity which generates a key is able to attest to its validity.
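The mismatch shyamrsoni describes comes from how RFC 6960 (section 4.1.1) defines the CertID in a request: issuerNameHash is the hash of the issuer's DER-encoded Name, and issuerKeyHash is the hash of the issuer's public key, taken over the value of the subjectPublicKey BIT STRING with its tag, length and unused-bits byte excluded. The Python below is an added example, not code from this repository; it uses only the standard library and constructed SubjectPublicKeyInfo and Name encodings (no real certificates or keys), builds a CertID the way a client does from the CA certificate it trusts, checks it on the responder side, and shows why the same request does not match when the responder holds only a separate OCSP signing certificate's key. All function names and sample values are assumptions of this example.

```python
import hashlib

# Minimal DER helpers, written for this example (not from the project).

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_read_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, data[start:start + length], start + length


SEQUENCE, SET, OID, NULL, INTEGER, BIT_STRING, UTF8 = 0x30, 0x31, 0x06, 0x05, 0x02, 0x03, 0x0C
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
COMMON_NAME_OID = bytes.fromhex("550403")                  # 2.5.4.3


def build_spki(modulus: bytes, exponent: bytes = b"\x01\x00\x01") -> bytes:
    """Constructed SubjectPublicKeyInfo for an RSA key (sample bytes, not a real key)."""
    rsa_public_key = der_tlv(SEQUENCE, der_tlv(INTEGER, modulus) + der_tlv(INTEGER, exponent))
    alg = der_tlv(SEQUENCE, der_tlv(OID, RSA_ENCRYPTION_OID) + der_tlv(NULL, b""))
    # BIT STRING content = unused-bits byte (0) followed by the key encoding
    return der_tlv(SEQUENCE, alg + der_tlv(BIT_STRING, b"\x00" + rsa_public_key))


def build_name(common_name: str) -> bytes:
    """Constructed X.501 Name holding a single CN attribute."""
    atv = der_tlv(SEQUENCE, der_tlv(OID, COMMON_NAME_OID) + der_tlv(UTF8, common_name.encode()))
    return der_tlv(SEQUENCE, der_tlv(SET, atv))


def issuer_key_hash(spki_der: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 6960 4.1.1: hash over the value of subjectPublicKey, i.e. the BIT STRING
    content with tag, length and the unused-bits byte stripped."""
    tag, spki_body, _ = der_read_tlv(spki_der)
    if tag != SEQUENCE:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _alg, pos = der_read_tlv(spki_body)              # skip AlgorithmIdentifier
    bit_tag, bit_content, _ = der_read_tlv(spki_body, pos)
    if bit_tag != BIT_STRING or bit_content[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return hashlib.new(hash_name, bit_content[1:]).digest()


def issuer_name_hash(issuer_name_der: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 6960 4.1.1: hash over the DER encoding of the issuer's Name."""
    return hashlib.new(hash_name, issuer_name_der).digest()


def naive_key_hash(spki_der: bytes, hash_name: str = "sha1") -> bytes:
    """Common mistake: hashing the whole BIT STRING TLV instead of its value."""
    _, spki_body, _ = der_read_tlv(spki_der)
    _, _alg, pos = der_read_tlv(spki_body)
    _, _, end = der_read_tlv(spki_body, pos)
    return hashlib.new(hash_name, spki_body[pos:end]).digest()


def make_cert_id(issuer_name_der: bytes, issuer_spki_der: bytes, hash_name: str = "sha1") -> dict:
    """CertID as a client builds it from the issuer certificate it trusts."""
    return {"hashAlgorithm": hash_name,
            "issuerNameHash": issuer_name_hash(issuer_name_der, hash_name),
            "issuerKeyHash": issuer_key_hash(issuer_spki_der, hash_name)}


def cert_id_matches(cert_id: dict, name_der: bytes, spki_der: bytes) -> bool:
    """Responder-side check: does the request's CertID name the certificate we hold?"""
    h = cert_id["hashAlgorithm"]
    return (cert_id["issuerNameHash"] == issuer_name_hash(name_der, h)
            and cert_id["issuerKeyHash"] == issuer_key_hash(spki_der, h))


# Constructed sample data: a CA and a separate OCSP signing certificate (assumed names/keys).
CA_NAME = build_name("Example CA")
CA_SPKI = build_spki(bytes(range(1, 65)))
OCSP_SIGNER_NAME = build_name("Example OCSP Responder")
OCSP_SIGNER_SPKI = build_spki(bytes(range(101, 165)))


def demo() -> dict:
    request_cert_id = make_cert_id(CA_NAME, CA_SPKI)    # what the client sends
    return {
        "matches_ca": cert_id_matches(request_cert_id, CA_NAME, CA_SPKI),
        "matches_ocsp_signer": cert_id_matches(request_cert_id, OCSP_SIGNER_NAME, OCSP_SIGNER_SPKI),
        "naive_hash_equals_rfc_hash": naive_key_hash(CA_SPKI) == issuer_key_hash(CA_SPKI),
    }


if __name__ == "__main__":
    print(demo())
```

The third result in `demo()` is the pitfall to watch for when implementing the comparison yourself: hashing the whole BIT STRING TLV rather than its value gives a digest that never matches a conforming client's issuerKeyHash, which looks identical from the outside to the "wrong certificate" mismatch in the second result.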