search

crtsh / certwatch_db

Database schema
https://crt.sh/
GNU General Public License v3.0
194 stars 36 forks source link

OCSP response parser displays error, but there is none #79

Closed RufusJWB closed 2 years ago

RufusJWB commented 2 years ago

When I check https://crt.sh/?id=4995198001&opt=ocsp the web GUI tells: image If I check the OCSP responder with OpenSSL everything looks good:

PS C:\Users\z002m76a\Desktop> openssl.exe ocsp -issuer 2565151295.crt -cert 4995198001.crt -respout ocspResp.der -text -url http://oneocsp.microsoft.com/ocsp
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0F5B4FF6887B4722ADB4859609E6A925212174E0
          Issuer Key Hash: 09CB597F86B2708F1AC339E3C0D9E9BFBB4DB223
          Serial Number: 330000002E99DB07378D0F00B600000000002E
    Request Extensions:
        OCSP Nonce:
            04105518D033770F44D9F3DE5036CE3AEB69
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: D824C828147C214D92E4407B17615961D15D7697
    Produced At: Nov 19 09:46:26 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0F5B4FF6887B4722ADB4859609E6A925212174E0
      Issuer Key Hash: 09CB597F86B2708F1AC339E3C0D9E9BFBB4DB223
      Serial Number: 330000002E99DB07378D0F00B600000000002E
    Cert Status: revoked
    Revocation Time: Jun 24 20:18:00 2021 GMT
    Revocation Reason: superseded (0x4)
    This Update: Nov 13 18:06:01 2021 GMT
    Next Update: Feb 14 06:26:01 2022 GMT
        Response Single Extensions:
            1.3.6.1.4.1.311.21.4:
220213181601Z   .

    Response Extensions:
        OCSP Nonce:
            04105518D033770F44D9F3DE5036CE3AEB69
    Signature Algorithm: sha1WithRSAEncryption
         b0:c4:45:75:78:6e:d9:b7:0b:1d:19:22:a6:1c:20:1f:71:7d:
         b2:7f:41:5b:d8:9d:dd:1a:6c:a2:0f:f7:13:8e:b5:31:6f:9e:

Also decoding manually the OCSP response (see ocspResp.zip) looks good. Any idea what the problem might be?

robstradling commented 2 years ago

I suspect that my Go code is tripping over the invalidly-encoded Key Usage extension when it parses the certificate, just as some of the linters do. See https://crt.sh/?id=4995198001&opt=ocsp,zlint,cablint,x509lint

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1718991

I think I would have to fork the crypto/x509 library if I was going to attempt to implement a workaround. I'm not minded to do that.

RufusJWB commented 2 years ago

I suspect that my Go code is tripping over the invalidly-encoded Key Usage extension when it parses the certificate, just as some of the linters do. See https://crt.sh/?id=4995198001&opt=ocsp,zlint,cablint,x509lint

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1718991

I think I would have to fork the crypto/x509 library if I was going to attempt to implement a workaround. I'm not minded to do that.

I understand that. As a work-around, you could parse the err variable and print a more speaking error message. Currently it looks as if there is a problem with the OCSP responder when the problem comes in fact from parsing the certificate. What do you think?

RufusJWB commented 2 years ago

I prepared a pull request to improve the error messages: https://github.com/crtsh/libocsppq/pull/1