[strongSwan-dev] OCSP request malformed, no timestamp or nonce checks?

Jörn Heissler strongswan at wulf.eu.org
Mon Jun 5 19:08:10 CEST 2017

On Sun, Jun 04, 2017 at 09:36:27PM +0300, lauri wrote:
> I am attempting to implement OCSP responder in Python using asn1crypto
> library [1]. I managed to parse OCSP request generated by openssl, but
> when I try to parse OCSP request generated by StrongSwan I bump into
> issue described at asn1crypto issue tracker [2]. They claim that the
> request is malformed, but that can be easily problem on my side. I
> manage to parse and give a response suitable for StrongSwan if I skip
> parsing OCSP request extensions including the nonce.

> Could anyone of you point out what I might be doing wrong or have I
> found bugs in the StrongSwan's OCSP implementation?

I'm convinced that it's a bug in strongswan.
src/libstrongswan/plugins/x509/x509_ocsp_request.c function build_nonce.

    return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
                asn1_simple_object(ASN1_OCTET_STRING, this->nonce));

This creates an ASN1_SEQUENCE which contains the extension OID and an
ASN1_OCTET_STRING with the nonce.

Correct behaviour would be to wrap the OctetString in another

If you look above at ASN1_response_content you'll see an OctetString
(0x04) wrapping a sequence (0x30 and so on). This is correct.

rfc5280 (and others) specifies how those Extensions are to be encoded:

Extension  ::=  SEQUENCE  {
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains the DER encoding of an ASN.1 value
                 -- corresponding to the extension type identified
                 -- by extnID

Correct code may look like this (Better triple check it, I'm mostly guessing

return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
            asn1_wrap(ASN1_OCTET_STRING, "m", asn1_simple_object(
                ASN1_OCTET_STRING, this->nonce)));


More information about the Dev mailing list