[strongSwan-dev] OCSP request malformed, no timestamp or nonce checks?

lauri lauri.vosandi at gmail.com
Sun Jun 4 20:36:27 CEST 2017


Hi,

I am attempting to implement an OCSP responder in Python using the asn1crypto
library [1]. I managed to parse an OCSP request generated by openssl, but
when I try to parse an OCSP request generated by StrongSwan I bump into the
issue described at the asn1crypto issue tracker [2]. They claim that the
request is malformed, but that could easily be a problem on my side. I
manage to parse and give a response suitable for StrongSwan if I skip
parsing the OCSP request extensions, including the nonce.

I was digging through the StrongSwan code and I discovered that the OCSP
response signature is checked, but no additional checks for nonce or
timestamps are performed [3].

Could any of you point out what I might be doing wrong, or have I
found bugs in StrongSwan's OCSP implementation?

1. https://github.com/wbond/asn1crypto/
2. https://github.com/wbond/asn1crypto/issues/56
3. https://github.com/strongswan/strongswan/blob/master/src/libstrongswan/plugins/x509/x509_ocsp_response.c#L756

-- 
Lauri Võsandi
tel: +372 53329412
e-mail: lauri.vosandi at gmail.com
blog: http://lauri.vosandi.com/
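The two response-side checks the post says are missing, as an added Python example that is not code from the post, asn1crypto or strongSwan: it compares the nonce extension echoed in the OCSP response against the nonce the client sent, and applies the RFC 6960 freshness rules to thisUpdate/nextUpdate. It assumes the fields have already been decoded from DER (only the nonce extnValue is handled as bytes), and the nonce decoder accepts both the RFC 8954 nested OCTET STRING encoding and a raw extnValue, since implementations have differed on this.

```python
from datetime import datetime, timedelta

OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce


def decode_nonce_extn_value(extn_value: bytes) -> bytes:
    """Return the nonce bytes carried in an extension's extnValue.

    RFC 8954 nests the nonce as a DER OCTET STRING inside extnValue; some
    implementations have put the raw bytes directly in extnValue.
    Assumption: accept both.  A raw nonce that happens to start with
    0x04 and a matching short length would be unwrapped by mistake.
    """
    if len(extn_value) >= 2 and extn_value[0] == 0x04:
        length = extn_value[1]
        if length < 0x80 and len(extn_value) == 2 + length:
            return extn_value[2:]
    return extn_value


def check_ocsp_response(request_nonce, response_extensions, this_update,
                        next_update, now, max_skew=timedelta(minutes=5),
                        max_age=timedelta(days=7)):
    """Return a list of problems (empty means the response is acceptable).

    request_nonce: bytes sent in the request, or None if none was sent.
    response_extensions: iterable of (dotted OID string, extnValue bytes).
    this_update / next_update: timezone-aware datetimes (next_update may
    be None, in which case max_age bounds how old thisUpdate may be).
    """
    problems = []
    response_nonce = None
    for oid, value in response_extensions:
        if oid == OCSP_NONCE_OID:
            response_nonce = decode_nonce_extn_value(value)
    if request_nonce is not None:
        if response_nonce is None:
            problems.append("nonce missing in response")
        elif response_nonce != request_nonce:  # replayed or foreign response
            problems.append("nonce mismatch")
    if this_update > now + max_skew:
        problems.append("thisUpdate is in the future")
    if next_update is not None:
        if next_update + max_skew < now:
            problems.append("nextUpdate has passed")
    elif this_update + max_age < now:
        problems.append("thisUpdate too old")
    return problems
```

A responder that ignores the request's nonce would fail the first check here, which is exactly the case a client that only verifies the signature cannot tell from a replayed old response.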

