
openca-ocspd's Introduction

=============================================================================
                             OpenCA's OCSP Responder
               (c) 2001-2018 by Massimiliano Pala and OpenCA Labs
                             OpenCA Licensed Software
=============================================================================

1. General Description
======================

OCSP (the Online Certificate Status Protocol) is increasingly supported by
current clients, as it provides an easy way to get a reliable and fast online
check of the status of the required certificate(s).

The provided responder is capable of answering complex OCSP requests. An
example configuration file, together with a way to start the responder and
send requests to it, can be found in the etc/ directory.

To get a full list of the supported command-line options simply call the
openca-ocspd program with '-h' as an argument:

	$ openca-ocspd -h


2. INSTALL
==========

Since v2.0.0, the OCSPD server requires the LibPKI package to be installed.
You can download the latest package from any of our servers; more information
about the LibPKI software can be found here:

   https://www.openca.org/projects/libpki/

Please read the online installation documentation on the wiki pages for both
the LibPKI and the OCSPD packages at:

   https://www.openca.org/wiki/index.php/LibPKI
   https://www.openca.org/wiki/index.php/OCSP_Daemon

NOTE: v3.1.2+ requires LibPKI v0.8.9+

3. Provided files
=================

In the $prefix/etc/ocspd directory you'll find some example files for a simple
configuration of the responder. All options should be self-explanatory and
easy to understand.

In particular, since the OCSP server (v2.0.0+) is based on LibPKI, you will
find:

o $prefix/etc/ocspd/pki - the directory where all the configurations for the
  OCSPD token(s) are kept. You can add/configure new tokens in the token.d
  directory. Keep in mind that tokens are identified by name (not file name).

o $prefix/etc/ocspd/ca.d - the directory which carries all the configuration
  files for the supported CAs. Each file carries the information about a
  CA the responder will provide responses for.

o $prefix/etc/ocspd/private - the directory with the private key of the OCSP
  server. You can change this by editing the token configuration in token.d.

o $prefix/etc/ocspd/certs - the directory with the certificates related to the
  OCSP server's tokens. You can change this by editing the token configuration
  in the token.d/ directory.


4. OCSP Responder certificate
=============================

The OCSP Responder must have its own certificate/key pair to be able to build
and sign the responses. To achieve this you can simply generate a PKCS#10
request and upload it to your CA by using the appropriate command. Remember
that the certificate MUST carry the OCSPSigning purpose (id-kp-OCSPSigning,
OID 1.3.6.1.5.5.7.3.9) in its extendedKeyUsage extension, and that clients
accept a delegated responder only when its certificate was issued by the same
CA that issued the certificate being checked (RFC 6960, section 4.2.2.2). If
needed, you'll have to define a new extension file on the CA
(conf/openssl/extfiles) for the OCSP certificate profile.

We provide a script in the bin/ directory which generates a new keypair and
request. Please use the provided script and send the generated request file
to your CA in order to get the OCSP certificate. To do so, use:

   $ cd PREFIX
   $ sudo bin/ocspd-genreq.sh

This will generate the key in the etc/ocspd/private/ directory and the
request in etc/ocspd/. Once the certificate is installed properly (follow
the instructions provided by the script), you can start and stop the server
with the etc/init.d/ocspd script:

   $ PREFIX/etc/init.d/ocspd start

and

   $ PREFIX/etc/init.d/ocspd stop

You can also activate extra debugging information by using the start-debug
startup option, as follows:

   $ PREFIX/etc/init.d/ocspd start-debug

This will activate a lot of debugging messages that might help you when more
info is required (e.g., an unknown error).

In order to force CRL reloading for the configured CAs, use the following:

   $ PREFIX/etc/init.d/ocspd reload-crl

5. Reverse Proxy Installation
=============================

It is possible to run the server behind a full-fledged HTTP server such as
Apache. A typical configuration has the OCSP server listening on the loopback
interface only (e.g., 127.0.0.1, port 2560) and the Apache web server
listening on port 80 on the external interface, acting as a reverse proxy to
the OCSP server. Keep the responder bound to 127.0.0.1 so that only Apache is
reachable from outside.

To do that, here's an example configuration of the Apache Web Server:

  <VirtualHost _default_:80>

    ServerName ocsp.example.com
    DocumentRoot /dev/null

    CustomLog /var/log/httpd/ocsp.example.com-access.log combined
    ErrorLog /var/log/httpd/ocsp.example.com-error.log

    # Never act as a forward proxy; only the reverse-proxy mapping below
    # applies (Off is the default, stated here so it cannot be inherited)
    ProxyRequests Off

    # Just use the ProxyPass option from Apache to forward the requests
    # to OpenCA's OCSP server (trailing slash on both sides)
    ProxyPass / http://127.0.0.1:2560/
    ProxyPassReverse / http://127.0.0.1:2560/

    # Using the RewriteEngine configuration instead of ProxyPass is
    # another possibility. Note that only POSTed OCSP requests carry a
    # Content-Type; GET-encoded requests (RFC 6960, Appendix A) do not
    # and would not match this condition.
    #
    # RewriteEngine on
    # RewriteCond %{CONTENT_TYPE} ^application/ocsp-request$
    # RewriteRule ^/(.*) http://127.0.0.1:2560/$1 [P]

  </VirtualHost>

More information can be found at http://wiki.cacert.org/OcspResponder. Note
that on a host with SELinux enforcing, Apache may fail to connect to localhost
on port 2560 (a "Permission denied" error in the Apache error log), because
httpd is not allowed to open outbound network connections by default. To allow
it, set the following boolean (-P makes the change persistent across reboots):

  [root@ocsp]# setsebool -P httpd_can_network_connect 1

This boolean lets httpd connect to any TCP port. A narrower alternative is to
label the responder's port as an HTTP port (semanage port -a -t http_port_t
-p tcp 2560) and enable httpd_can_network_relay instead. More on this SELinux
issue can be found here:

  https://wiki.apache.org/httpd/13PermissionDenied


6. Known Bugs
=============

Since we re-engineered the server, no extensive testing has been performed.
Therefore, we encourage you to report any issue or wrong behavior.

Currently the responder has been tested with Mozilla clients and has been
reported to work correctly.


7. Contacts
===========

If you have further questions, please contact the OpenCA team. More information
on OpenCA Labs and the OpenCA team can be found at http://www.openca.org


Enjoy the Open Source Community!


                                                Dr. Massimiliano Pala
                                                OpenCA Labs Director
                                                [email protected]


openca-ocspd's People

Contributors

a157634, axxname, brohee, enigiker, mattbodholdt, mrbaseman, offr0ad, opencrypto


openca-ocspd's Issues

[ERROR] CRL Validity Check FAILED (Missing lastUpdate)

OCSPD v3.1.2

I am trying to integrate my own PKI with the OCSP responder.

When I start the daemon I receive errors that the lastUpdate field is missing:

Sep 10 12:59:15 2019 GMT [82155] INFO: CRL signature is verified [Code: 1, CA Subject: O=emfytech, OU=engineering, CN=gerard.home_IssuingCA, L=kuantan, ST=pahang, C=MY]
Sep 10 12:59:15 2019 GMT [82155] INFO: [config.c:854] [DEBUG] CRL Signature verified successfully [URL: /bxs/pki/ca/crl/crl_gerard.home_IssuingCA.pem]
Sep 10 12:59:15 2019 GMT [82155] ERROR: [crl.c:286] [ERROR] CRL Validity Check FAILED (Missing lastUpdate) [CA: gerard.home_ocsp_ica, Error: no lastUpdate Field, Code: 5]
Sep 10 12:59:15 2019 GMT [82155] ERROR: [config.c:873] [ERROR] CRL Validity check FAILED [CA: gerard.home_ocsp_ica, Code: 5]

However when I check the CRL with openssl the lastUpdate field seems to be there.

openssl crl -inform PEM -lastupdate -noout -in /bxs/pki/ca/crl/crl_gerard.home_IssuingCA.pem
lastUpdate=Sep 10 14:59:12 2019 GMT

What could be the issue here?
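Added example, not code from the openca-ocspd project: a POSIX shell script that uses the openssl CLI to build a throwaway CA, issue a responder certificate with the OCSPSigning extendedKeyUsage that section 4 of the README above requires, publish a CRL, and then run the checks a practitioner wants before pointing ocspd at either file: does the certificate actually carry the OCSP Signing purpose, does the CRL parse with openssl crl -lastupdate as in the post above, and does its lastUpdate/nextUpdate window cover the current time. That last check is worth running against the CRL in this post: the responder's log lines are stamped 12:59 GMT while openssl reports lastUpdate=14:59 GMT on the same day, so the CRL was two hours in the future when it was loaded; ocspd's message blames a missing field, but a future lastUpdate is the first thing to rule out. Every subject, file name and the $WORK directory are made up for the demo; it assumes openssl (1.1.1 or 3.x) and GNU date are on PATH.

```shell
#!/bin/sh
# Added example, not part of openca-ocspd: throwaway CA + responder cert + CRL
# built with the openssl CLI, then the checks to run before giving them to
# ocspd. Assumes openssl (1.1.1 or 3.x) and GNU date on PATH; all subjects,
# file names and the $WORK directory are invented for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"
mkdir -p "$CA/newcerts"; : > "$CA/index.txt"
echo 1000 > "$CA/serial"; echo 01 > "$CA/crlnumber"
# Minimal config for 'openssl ca'. ocsp_ext is the "OCSP certificate profile"
# the README asks the CA to have; plain_ext is an ordinary end-entity profile.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[ plain_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF
CNF="$CA/openssl.cnf"
# Self-signed demo CA.
openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout "$CA/ca.key" -out "$CA/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
# PKCS#10 request for the responder (what bin/ocspd-genreq.sh would produce),
# issued with the OCSP profile; plus a plain end-entity cert for contrast.
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/ocsp.key" \
  -out "$WORK/ocsp.csr" -subj "/CN=Demo OCSP Responder" 2>/dev/null
openssl ca -batch -notext -config "$CNF" -extensions ocsp_ext \
  -in "$WORK/ocsp.csr" -out "$WORK/ocsp.crt" 2>/dev/null
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/plain.key" \
  -out "$WORK/plain.csr" -subj "/CN=plain.example.test" 2>/dev/null
openssl ca -batch -notext -config "$CNF" -extensions plain_ext \
  -in "$WORK/plain.csr" -out "$WORK/plain.crt" 2>/dev/null
# Revoke the plain cert and publish a CRL, as the CA behind a ca.d entry would.
openssl ca -batch -config "$CNF" -revoke "$WORK/plain.crt" 2>/dev/null
openssl ca -batch -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null

# Check 1: 0 only if extendedKeyUsage lists OCSP Signing (id-kp-OCSPSigning).
has_ocsp_signing_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q 'OCSP Signing'
}
# Check 2: 0 if the CRL parses and lastUpdate <= now <= nextUpdate. A CRL
# whose lastUpdate lies in the future (CA clock skew) fails here.
crl_window_ok() {
  now="$(date -u +%s)"
  last="$(openssl crl -in "$1" -noout -lastupdate | sed 's/^lastUpdate=//')"
  next="$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')"
  [ -n "$last" ] && [ -n "$next" ] || return 1
  last_s="$(date -u -d "$last" +%s)"
  next_s="$(date -u -d "$next" +%s)"
  [ "$last_s" -le "$now" ] && [ "$now" -le "$next_s" ]
}
# Check 3: 0 if the CRL lists the serial number of the given certificate.
crl_lists_cert() {
  serial="$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')"
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

for c in ocsp plain; do
  if has_ocsp_signing_eku "$WORK/$c.crt"; then
    echo "$c.crt: OCSPSigning EKU present"
  else
    echo "$c.crt: no OCSPSigning EKU, unusable as responder certificate"
  fi
done
crl_window_ok "$WORK/ca.crl" && echo "ca.crl: validity window covers now"
crl_lists_cert "$WORK/ca.crl" "$WORK/plain.crt" && echo "ca.crl: plain.crt is revoked"
# Against a live responder behind the section 5 proxy (hypothetical host):
#   openssl ocsp -issuer ca.crt -cert plain.crt -CAfile ca.crt -url http://ocsp.example.com/ -resp_text
```

The three check functions take file paths and return a shell status, so they drop unchanged into a deployment script or a monitoring probe; the only non-portable piece is date -d, which BSD and macOS date spell differently.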

openca-ocspd make warning issue

Hi,

I am trying to build ocspd but see warnings:

# make
Making all in src
make[1]: Entering directory `/opt/openca-ocspd/src'
Making all in ocspd
make[2]: Entering directory `/opt/openca-ocspd/src/ocspd'
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-ocspd.o -MD -MP -MF .deps/ocspd-ocspd.Tpo -c -o ocspd-ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c
mv -f .deps/ocspd-ocspd.Tpo .deps/ocspd-ocspd.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-core.o -MD -MP -MF .deps/ocspd-core.Tpo -c -o ocspd-core.o `test -f 'core.c' || echo './'`core.c
mv -f .deps/ocspd-core.Tpo .deps/ocspd-core.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-threads.o -MD -MP -MF .deps/ocspd-threads.Tpo -c -o ocspd-threads.o `test -f 'threads.c' || echo './'`threads.c
mv -f .deps/ocspd-threads.Tpo .deps/ocspd-threads.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-request.o -MD -MP -MF .deps/ocspd-request.Tpo -c -o ocspd-request.o `test -f 'request.c' || echo './'`request.c
mv -f .deps/ocspd-request.Tpo .deps/ocspd-request.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-response.o -MD -MP -MF .deps/ocspd-response.Tpo -c -o ocspd-response.o `test -f 'response.c' || echo './'`response.c
response.c: In function ‘sign_ocsp_response’:
response.c:135:13: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
   signature = PKI_X509_OCSP_RESP_get_data(resp, PKI_X509_DATA_SIGNATURE);
             ^
mv -f .deps/ocspd-response.Tpo .deps/ocspd-response.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-config.o -MD -MP -MF .deps/ocspd-config.Tpo -c -o ocspd-config.o `test -f 'config.c' || echo './'`config.c
config.c: In function ‘CA_ENTRY_CERTID_new’:
config.c:871:13: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
  if ((iName = PKI_X509_CERT_get_data(cert, PKI_X509_DATA_SUBJECT)) == NULL)
             ^
config.c:891:18: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
  if (( keyString = PKI_X509_CERT_get_data( cert,
                  ^
mv -f .deps/ocspd-config.Tpo .deps/ocspd-config.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes  -I.  -I/usr/include -DENABLE_ECDSA=1 -I/usr/include/libxml2   -g -O2 -fstack-check -maccumulate-outgoing-args -MT ocspd-crl.o -MD -MP -MF .deps/ocspd-crl.Tpo -c -o ocspd-crl.o `test -f 'crl.c' || echo './'`crl.c
crl.c: In function ‘check_crl’:
crl.c:151:11: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
  if((pkey = PKI_X509_CERT_get_data( x_cacert,
           ^
mv -f .deps/ocspd-crl.Tpo .deps/ocspd-crl.Po
/bin/sh ../../libtool  --tag=CC   --mode=link gcc  -g -O2 -fstack-check -maccumulate-outgoing-args   -o ocspd ocspd-ocspd.o ocspd-core.o ocspd-threads.o ocspd-request.o ocspd-response.o ocspd-config.o ocspd-crl.o  -L/usr/lib64 -lcrypto -lssl -L/usr/lib64 -lpthread -Wl,-rpath -Wl,/usr/lib64 -lpki -lnsl
libtool: link: gcc -g -O2 -fstack-check -maccumulate-outgoing-args -o ocspd ocspd-ocspd.o ocspd-core.o ocspd-threads.o ocspd-request.o ocspd-response.o ocspd-config.o ocspd-crl.o -Wl,-rpath -Wl,/usr/lib64  -L/usr/lib64 /usr/lib64/libpki.so -lpthread -lrt -lcrypto -lssl -lxml2 -lz -lm -ldl -lresolv -lnsl
make[2]: Leaving directory `/opt/openca-ocspd/src/ocspd'
make[2]: Entering directory `/opt/openca-ocspd/src'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/opt/openca-ocspd/src'
make[1]: Leaving directory `/opt/openca-ocspd/src'
Making all in docs
make[1]: Entering directory `/opt/openca-ocspd/docs'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/opt/openca-ocspd/docs'
Making all in etc
make[1]: Entering directory `/opt/openca-ocspd/etc'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/opt/openca-ocspd/etc'
make[1]: Entering directory `/opt/openca-ocspd'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/opt/openca-ocspd'

Host info:

CentOS Linux release 7.2.1511 (Core)

openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

Thank you.

'make install' error using OCSPd v3.1.1

Hi,

'make install' OCSPd v3.1.1 gives the following error (building on Ubuntu 14.04.3 LTS) :

/bin/bash ../build/mkinstalldirs /usr/etc;
/bin/bash ../build/mkinstalldirs /usr/etc/init.d;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/certs;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/crls;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/private;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/ca.d
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/pki;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/pki/token.d;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/pki/hsm.d;
/bin/bash ../build/mkinstalldirs /usr/etc/ocspd/pki/profile.d
mkdir -p -- /bin/bash ../build/mkinstalldirs /usr/etc/ocspd/pki
mkdir: cannot create directory «/bin/bash»: File exists
mkdir: cannot create directory «../build/mkinstalldirs»: File exists

Any help will be appreciated.

Best regards,

openca-ocspd-3.1.2-1.el7.x86_64 Requires: libpki.so.89()(64bit) error

If I install libpki.so.89, openca tells me I need 0.9.0. If I install 0.9.0 it tells me I need libpki.so.89().

[root@ip-172-31-27-241 /]# yum localinstall /home/ec2-user/openca-ocspd-3.1.2-1.el7.x86_64.rpm
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Examining /home/ec2-user/openca-ocspd-3.1.2-1.el7.x86_64.rpm: openca-ocspd-3.1.2-1.el7.x86_64
Marking /home/ec2-user/openca-ocspd-3.1.2-1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package openca-ocspd.x86_64 0:3.1.2-1.el7 will be installed
--> Processing Dependency: libpki.so.89()(64bit) for package: openca-ocspd-3.1.2-1.el7.x86_64
--> Finished Dependency Resolution
Error: Package: openca-ocspd-3.1.2-1.el7.x86_64 (/openca-ocspd-3.1.2-1.el7.x86_64)
Requires: libpki.so.89()(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

[root@ip-172-31-27-241 /]# yum list libpki
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Installed Packages
libpki.x86_64 0.9.0-1.el7 installed

OpenCA OCSPD v3.1.0 XML error

When I want to start the OCSPD responder with this command line:

ocspd -c /usr/etc/ocspd/ocspd.conf -v &

and check whether everything is working:

cat /var/log/syslog | grep ocspd

I get these errors:

Nov 13 16:50:56 kali ocspd[6194]: OpenCA OCSPD v3.1.0 - starting.
Nov 13 16:50:56 kali ocspd[6194]: [pki_config.c:35] [ERROR] XML I/O Error: Start tag expected, '<' not found
Nov 13 16:50:56 kali ocspd[6194]: [config.c:90] [ERROR] Missing pkiConfigDir in configuration!
Nov 13 16:50:56 kali ocspd[6194]: ocspd - ERROR::can not load config file!#12 (exit with 1)#12

What should I do? Are there any missing dependencies in my installation? I have already checked the ocspd.xml file and the pkiConfigDir is the right one, but I don't understand why it can't load the config file ocspd.conf ...

Please help me with this issue, I don't have any leads ...

OCSP request result in malloc() memory corruption using Node OCSP module

I've been running some test queries to our OpenCA OCSPd server using several clients. Queries from OpenSSL's ocsp command and our test .NET/C# client work fine.

However when making queries from a Node OCSP module (https://github.com/indutny/ocsp) the calls randomly result in malloc() memory corruption errors which, after several attempts, kill OCSPd:

*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56f4000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56fc000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f5700000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56f8000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56ec000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56f0000ae0 ***
*** glibc detected *** /usr/sbin/ocspd: malloc(): memory corruption: 0x00007f56e4000ae0 ***

I haven't debugged things enough to tell if it's a malformed query by that module (as I never get success), but in any event I figured I'd post this since it seemed pretty severe and could take ocspd offline.

If you're interested in checking it out further I can supply some simple test code or set things up to loop against some server & cert.

Thanks!

Segfault at startup

Hi,

I am trying to install and use OCSPD responder.
I compiled the latest stable version of openssl. I also have the version from the Debian package installed:
root@openxkpi:/usr/etc/ocspd/certs# /usr/local/bin/openssl version
OpenSSL 1.1.0i 14 Aug 2018
root@openxkpi:/usr/etc/ocspd/certs# /usr/bin/openssl version
OpenSSL 1.0.1t 3 May 2016
I compiled libpki and ocspd on a debian 8.11 server.

I downloaded the latest versions of libpki and ocspd from GitHub (as I had compilation errors with the versions from the OpenCA web site).

XML2 library Configuration:

XML2 prefix ..........: /usr
XML2 Compiler Flags ..: -I/usr/include/libxml2
XML2 Linker ..........: -L/usr/lib64
XML2 Libs ............: -lxml2

LDAP Configuration:

LDAP support .........: yes
LDAP Vendor ..........: OPENLDAP
LDAP prefix ..........:
LDAP Compiler Flags ..:
LDAP libs prefix .....:
LDAP Linker ..........:
LDAP libs ............: -lldap_r

OpenSSL Configuration:

Library ..............: OpenSSL
Prefix ...............: /usr
Compiler Flags .......: -I/usr/local/include -DENABLE_ECDSA=1
Linker Flags .........:
libs .................: -L/usr/local/lib -lssl -lcrypto
Support for ECDSA ....: yes

Configuration for libpki 0.8.9 :

Architecture .........: linux (64 bits)
Host System Type .....: x86_64-pc-linux-gnu
Supported URLs .......: file http https ldap dns
Library Version ......: v = 89, r = 89, a = 1
Install lib path .....: /usr/lib64
Install path .........: /usr
Compiler Flags .......: -I/usr/include -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -Wunused-variable -I/usr/local/include -DENABLE_ECDSA=1 -I/usr/include/libxml2
Linker Flags .........: -L/usr/lib64 -L/usr/lib64 -Wl,-rpath -Wl,"/usr/lib64"
Libs .................: -lpthread -ldl -lrt -lldap_r -L/usr/local/lib -lssl -lcrypto -lxml2 -lresolv

Package configured for: Debian 8 (x86_64)

Now type 'make' to build libpki 0.8.9,
and then 'make install' for installation.

Configuration for openca-ocspd 3.1.2 :

Install Prefix .......: /usr
Host System Type .....: x86_64-unknown-linux-gnu
Install path .........: /usr
Preprocessor .........: gcc
Compiler .............: gcc -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -I/usr/include -I/usr/local/include -DENABLE_ECDSA=1 -I/usr/include/libxml2
Linker ...............: gcc -lnsl -L/usr/lib64 -L/usr/local/lib -lssl -lcrypto -L/usr/lib64 -lpthread -Wl,-rpath -Wl,/usr/lib64 -lpki

/usr/etc/init.d/ocspd start-debug

Aug 21 16:13:08 openxkpi ocspd[22059]: OpenCA OCSPD v3.1.2 (Tue Aug 21 16:09:55 CEST 2018)- starting.
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:876] [DEBUG] Loading file /usr/etc/ocspd/ca.d/collegeca.xml
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:892] [DEBUG] Loaded /usr/etc/ocspd/ca.d/collegeca.xml file
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:866] [DEBUG] Skipping file mt.xml.bak
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:866] [DEBUG] Skipping file .
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:866] [DEBUG] Skipping file ca-mt-lan.crt
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:866] [DEBUG] Skipping file ca-prod-lan.crt
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:876] [DEBUG] Loading file /usr/etc/ocspd/ca.d/prod.xml
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:892] [DEBUG] Loaded /usr/etc/ocspd/ca.d/prod.xml file
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:866] [DEBUG] Skipping file ..
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:876] [DEBUG] Loading file /usr/etc/ocspd/ca.d/self-certs.xml
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:892] [DEBUG] Loaded /usr/etc/ocspd/ca.d/self-certs.xml file
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Aug 21 16:13:08 openxkpi ocspd[22059]: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Aug 21 16:13:08 openxkpi ocspd[22059]: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Aug 21 16:13:08 openxkpi ocspd[22059]: [config.c:394] [DEBUG] Building CA List
Aug 21 16:13:08 openxkpi ocspd[22059]: Processing Configuration for [CA: Dartmouth]
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Aug 21 16:13:08 openxkpi ocspd[22059]: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)

I configured a minimal install following : https://wiki.lacavernedemanu.fr/doku.php?id=wiki:systeme:openssl:install_ca
(the ocspd part).

Then when I start the ocspd server I get a segfault:
/usr/etc/init.d/ocspd start-debug
Starting OCSP Responder (Debug Mode): /usr/etc/init.d/ocspd : line 34 : 28061 Segmentation fault ${ocspd} -c "${conf}" -d -v -debug
Error, check logs!
Done.
/usr/etc/init.d/ocspd status
OCSP Responder is stopped.

and in the logs I get:
Aug 21 16:34:56 openxkpi ocspd[28061]: OpenCA OCSPD v3.1.2 (Tue Aug 21 16:09:55 CEST 2018)- starting.
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:866] [DEBUG] Skipping file .
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:876] [DEBUG] Loading file /usr/etc/ocspd/ca.d/prod.xml
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:892] [DEBUG] Loaded /usr/etc/ocspd/ca.d/prod.xml file
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:866] [DEBUG] Skipping file ..
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Aug 21 16:34:56 openxkpi ocspd[28061]: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Aug 21 16:34:56 openxkpi ocspd[28061]: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Aug 21 16:34:56 openxkpi ocspd[28061]: [config.c:394] [DEBUG] Building CA List
Aug 21 16:34:56 openxkpi ocspd[28061]: Processing Configuration for [CA: ProductionMT]
Aug 21 16:34:56 openxkpi ocspd[28061]: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Aug 21 16:34:56 openxkpi ocspd[28061]: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: ProductionMT, URL: /var/www/html/caprod.crt]
Aug 21 16:34:56 openxkpi ocspd[28061]: [config.c:837] [DEBUG] CRL loaded successfully [URL: /var/www/html/caprod.crt]
Aug 21 16:34:56 openxkpi ocspd[28061]: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Aug 21 16:34:56 openxkpi kernel: [1636827.712629] ocspd[28061]: segfault at 81 ip 00007f2bab342fb0 sp 00007ffd2b80edf0 error 4 in libcrypto.so.1.1[7f2bab2ae000+266000]

If I use start I also get another segfault:
root@openxkpi:/usr/etc/ocspd/ca.d# /usr/etc/init.d/ocspd start
Starting OCSP Responder: /usr/etc/init.d/ocspd : line 34 : 28069 Segmentation fault ${ocspd} -c "${conf}" -d
Error, check logs!

Aug 21 16:50:44 openxkpi ocspd[28079]: OpenCA OCSPD v3.1.2 (Tue Aug 21 16:09:55 CEST 2018)- starting.
Aug 21 16:50:44 openxkpi ocspd[28079]: Processing Configuration for [CA: ProductionMT]
Aug 21 16:50:44 openxkpi kernel: [1637776.371495] ocspd[28079]: segfault at 21 ip 00007fab7c483fb0 sp 00007ffd8bd8dc10 error 4 in libcrypto.so.1.1[7fab7c3ef000+266000]

I made the configuration, build and install again but still the same error.

Thanks

Raphaël

XML parsing error, issue clear and debugged

Hello again, I am having some difficulties with the XML bug..

My XML file (ocspd) seems to be correct; I uploaded it to some XML parsers / validators and no errors were thrown.

But the program says that something is wrong with it, so I debugged the whole thing a bit:

root@kali:/usr/etc/ocspd# ocspd -c ocspd.conf -v
OpenCA's OCSP Responder - v3.1.0
(c) 2002-2014 by Massimiliano Pala and OpenCA Project
OpenCA licensed software

Calling PKI_CONFIG_load on file config.c line 45
PKI_CONFIG_load(char *urlPath) func (file pki.config line 94): url->addr = /usr/etc/ocspd/ocspd.conf
Call of xmlCtxtReadFile(parserCtxt, url->addr [...]) line 138 in pki_config.c
Trying to read member of struct doc ...
Doc->name is not available, trying to access it gives a segmentation fault
Exiting PKI_CONFIG_load function and returning malformed struct doc
OCSPD_load_config func, calling PKI_CONFIG_get_value on line 93 of file config.c (token initialisation)

Function PKI_CONFIG_get_value on line 410 (pki_config.c)... receiving parameters : (PKI _config *doc = (null), char *search = /serverConfig/general/pkiConfigDir)
Call of PKI_CONFIG_get_element_stack ( doc, search )) line 524 in file pki.config.c : the function receives a null parameter from above; null returns and errors are then generated

root@kali:~/OCSPD# cat /var/log/syslog | grep ocspd
Nov 20 11:37:41 kali ocspd[11632]: OpenCA OCSPD v3.1.0 - starting.
Nov 20 11:37:41 kali ocspd[11632]: [pki_config.c:35] [ERROR] XML I/O Error: Start tag expected, '<' not found
Nov 20 11:37:41 kali ocspd[11632]: [config.c:96] [ERROR] Missing pkiConfigDir in configuration!
Nov 20 11:37:41 kali ocspd[11632]: ocspd - ERROR::can not load config file!#12 (exit with 1)#12
root@kali:/usr/etc/ocspd#

I would also like to ask about the namespace in the XML:
<pki:serverConfig xmlns:pki="http://www.openca.org/pki/1/0/0">

This URL seems invalid (404); is that the reason for the malfunction?

Newbie on OpenCA's OCSP Responder setup

hi all,

I am a newbie with OpenCA's OCSP Responder. I was just assigned to develop an OpenCA OCSP Responder project to test the verification of a certificate's status. Referring to the official website, I downloaded libpki-0.8.9.tar.gz and openca-ocspd-3.1.2.tar.gz and copied the files with PuTTY to a new Linux server (CentOS 7). After I run ./configure in the libpki folder, it returns the following message:

checking checking for ldap vendor... LDAP VENDOR () ===> searching for Sun
checking checking for OpenLDAP vendor () ... LDAP VENDOR:
*** ERROR: No supported LDAP vendor found.
configure: error: *** ERROR: Do you have the devel package installed ?

I really don't know what to do. It looks like there is very limited setup documentation for this.
Can anyone share more up-to-date documentation about the setup?

Thanks.

3.1.2-1 - Failed dependencies libpki 0.9.0

Trying to install openca-ocspd-3.1.2-1.el7.x86_64.rpm and ending up with:

error: Failed dependencies:
libpki >= 0.9.0 is needed by openca-ocspd-3.1.2-1.el7.x86_64

Yet there is no libpki 0.9.0 available on SF for download...? Posted it JUL 06 to the openca-ocspd mailing list but never got a response.

Minor POD issue (no trailing =back tag, specific to RHEL7 / perl 5.16+ / podlators 2.5+)

RHEL7.4
kernel 3.10.0-693.11.6.el7.x86_64
perl perl-5.16.3-292.el7.x86_64
perl-podlators-2.5.1-3.el7.noarch
openca-ocspd-3.1.1.tar.gz

On the latest RHEL7, pod2man requires a closing =back before the final =cut in a POD document, which {base}/docs/ocspd.3.pod is missing. RHEL6 and perl 5.10 don't split pod2man off from the main perl bundle and apparently allow an implicit closing =back (in this case, for closure of the last =over before the final =cut). By the time you get to RHEL7 and perl 5.16, pod2man has been peeled off into perl-podlators 2.5 as the "stock" setup, and podlators chokes on the implicit/missing =back.

==== stock build ====
...
/usr/bin/pod2man --section=3 --c "OpenCA Contributed Manual" --r "openca-ocspd 3.1.1" ocspd.3.pod > ocspd.3
ocspd.3.pod around line 111: =over without closing =back
POD document had syntax errors at /usr/bin/pod2man line 69.
make[1]: *** [ocspd.3] Error 255
make[1]: Leaving directory '/home/olagarde/20171103-hpcmp-kerberos/BUILD_20180105.175215/openca-ocspd-3.1.1/docs'
...
==== diff-c thingy ====
$ diff -c ./openca-ocspd-3.1.1/docs/ocspd.3.pod.1 ./openca-ocspd-3.1.1/docs/ocspd.3.pod
*** ./openca-ocspd-3.1.1/docs/ocspd.3.pod.1 2018-01-05 18:33:23.382446909 -0600
--- ./openca-ocspd-3.1.1/docs/ocspd.3.pod 2018-01-05 18:33:52.735721320 -0600


*** 112,117 ****
--- 112,119 ----

L<openca(3)>,L<openssl(1)>, L<ocsp(1)>

+ =back
+
=cut
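Review bot: the added =back closes only the =over that pod2man reports at line 111 of ocspd.3.pod; if the file has any other list left open, the patched build would fail again at a different line, so it is worth running podchecker over both docs/ocspd.3.pod and docs/ocspd.conf.3.pod before committing rather than relying on pod2man alone. The blank line inserted between =back and =cut is correct, since POD command paragraphs must be separated by blank lines.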

===== patched build =====
...
/usr/bin/pod2man --section=3 --c "OpenCA Contributed Manual" --r "openca-ocspd 3.1.1" ocspd.3.pod > ocspd.3
/usr/bin/pod2man --section=3 --c "OpenCA Contributed Manual" --r "openca-ocspd 3.1.1" ocspd.conf.3.pod > ocspd.conf.3
make[1]: Leaving directory `/home/olagarde/20171103-hpcmp-kerberos/BUILD_20180105.175215/openca-ocspd-3.1.1/docs'
...

Segmentation fault at PKI_X509_verify in crl.c

Hi,
I am hitting a segmentation fault at PKI_X509_verify in crl.c
This is my execution output.

sudo ./ocspd -c ~/workspace/ocspd/newconf/ocspd.xml -debug -v -stdout

OpenCA's OCSP Responder - v3.1.2 (Build: Wed Jul  8 17:35:19 IST 2020)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

Jul  8 12:05:38 2020 GMT [14547] GENERAL: OpenCA OCSPD v3.1.2 (Wed Jul  8 17:35:19 IST 2020)- starting.
Jul  8 12:05:38 2020 GMT [14547] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /root/.libpki/profile.d!
Jul  8 12:05:38 2020 GMT [14547] INFO: [token.c:831] [DEBUG] Can not load profiles (/root/.libpki/profile.d)

Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:876] [DEBUG] Loading file /home/dharani/workspace/ocspd/newconf/ca.d/self-certs.xml
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:892] [DEBUG] Loaded /home/dharani/workspace/ocspd/newconf/ca.d/self-certs.xml file
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:866] [DEBUG] Skipping file .
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Jul  8 12:05:38 2020 GMT [14547] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Jul  8 12:05:38 2020 GMT [14547] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Jul  8 12:05:38 2020 GMT [14547] INFO: [config.c:394] [DEBUG] Building CA List
Jul  8 12:05:38 2020 GMT [14547] GENERAL: Processing Configuration for [CA: IntermediateCA]
Jul  8 12:05:38 2020 GMT [14547] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Jul  8 12:05:38 2020 GMT [14547] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: IntermediateCA, URL: /home/dharani/workspace/ocspd/newconf/crls/test.crl]
Jul  8 12:05:38 2020 GMT [14547] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: /home/dharani/workspace/ocspd/newconf/crls/test.crl]
Jul  8 12:05:38 2020 GMT [14547] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: ECDSA, Key Size: 256]
Segmentation fault

The attached zip contains the ocspd configuration files and the folder structure.
My CA uses an ECDSA 256-bit key. Does ocspd support this?

ocspd_conf.zip

Segmentation fault with libpki 0.99.2-rc2 and openssl 3.0.11

Hi,

I've been trying to build the current openca-ocspd version with the newest libpki library (0.9.9-rc2) and openssl 3.0.11 (Debian 12) and was able to compile it, but ran into trouble when starting ocspd with a configuration file that was working with the older openssl 1.1 and libpki 0.9.2.

After starting with "ocspd -c .xml" it exits with a segmentation fault. The last two messages in the debug log are the following:

[pki_keypair.c:185] [PKI_X509_KEYPAIR_VALUE_get_scheme()] [DEBUG]: ERROR, can not get the type of the keypair to get the scheme!
[crl.c:217] [check_crl()] [DEBUG] Got the public key from the CA cert [Scheme: Unknown, Key Size: 0]

I also checked the last function pointer on the stack, which seems to point to ENGINE_get_pkey_meth() from libcrypto.so.3

Are there any plans to support the new libpki version and add support for openssl 3?

If you need any more information or logs in order to solve this, I have no problem in helping out.

Incorrect signature algorithm returned when signing ocsp request with non-rsa key

I've been testing a CA setup (simple root + intermediary with dedicated ocsp keys) with the ocsp certificate used for signing being based on a prime256v1 key. In such a scenario, the response still claims it's signed using sha1withrsaencryption.

When comparing with openssl ocsp (server) behaviour, openssl returns correct data (and that's pretty much the only difference) - if you run diff over both responses:

--- good        2018-05-15 13:52:41.837180575 +0200
+++ bad 2018-05-15 13:52:41.837180575 +0200
@@ -22,11 +22,11 @@
     This Update: May 15 11:52:41 2018 GMT
     Next Update: May 15 11:57:41 2018 GMT
 
-    Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:21:00:87:ee:8f:fc:26:6c:ea:11:47:0b:83:8f:00:
-         3f:58:8a:d0:a3:9e:70:7e:f3:5d:dc:6c:93:44:aa:71:d1:fa:
-         0a:02:20:64:d2:01:08:19:81:c4:d4:90:d5:c5:bb:d9:a8:15:
-         d6:f4:7a:d0:c1:ab:83:bf:31:37:9c:82:26:35:55:c2:5e
+    Signature Algorithm: sha1WithRSAEncryption
+         30:44:02:20:15:fe:1e:90:b4:88:74:e4:2e:2a:73:3f:e9:66:
+         f4:d4:4f:bf:17:c6:8c:41:0a:2e:97:c4:76:9e:e1:eb:e0:b0:
+         02:20:42:19:7e:78:c6:98:34:1e:37:9e:11:23:69:18:1b:fd:
+         7a:39:f1:80:10:19:e9:67:5d:2a:a2:37:b9:cd:e7:4d
 Certificate:
     Data:
         Version: 3 (0x2)
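Review bot: the signature bytes on the `+` lines are still a DER ECDSA-Sig-Value (`30:44` is a SEQUENCE of 68 bytes holding two 32-byte INTEGERs, `02:20 ...`, the P-256 size), so the response was produced with the EC key and only the AlgorithmIdentifier says `sha1WithRSAEncryption`; that mismatch is exactly what the `wrong public key type` error from ASN1_item_verify in the client output below reports. The fix is to set the response's signatureAlgorithm from the signing key's type rather than labelling it as RSA regardless of key type.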

openssl ocsp client complains about it this way:

Response Verify Failure
139681479406016:error:0D0C50C8:asn1 encoding routines:ASN1_item_verify:wrong public key type:crypto/asn1/a_verify.c:140:
139681479406016:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:crypto/ocsp/ocsp_vfy.c:60:
139681479406016:error:0D0C50C8:asn1 encoding routines:ASN1_item_verify:wrong public key type:crypto/asn1/a_verify.c:140:
139681479406016:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:crypto/ocsp/ocsp_vfy.c:60:

If I change ocsp key to rsa, everything works fine.

request for non recognized CA

Hi,

I received a message from the ocspd server that the server can't recognize my CA.

OCSPD server starts OK:

OpenCA OCSPD v3.1.2 - starting.
CRL matching CA cert ok [ 1 ]
INFO::CRL::1 Entries [ COMP ]
Configuration loaded and parsed
New Thread Started [4]
New Thread Started [9]
New Thread Started [7]
New Thread Started [5]
New Thread Started [3]
New Thread Started [1]
New Thread Started [8]
New Thread Started [6]
New Thread Started [2]
New Thread Started [0]

Trying to run an ocsp request locally:
openssl ocsp -CAfile ca-chain.pem -url http://ocsp_domain:545 -resp_text -issuer comp-ca.crt -cert s-k.crt
[ocspd server bind 127.0.0.1;2560, and nginx redirect from ocsp_domain:545 to 127.0.0.1:2560 by proxypass]

Received:

Response verify OK
s-k.crt: unknown
        This Update: Oct  6 13:45:09 2017 GMT
        Next Update: Oct  6 13:50:09 2017 GMT

OCSPD debug log:

  Connection from [127.0.0.1]
  Request for certificate serial 26658
  request for non recognized CA [serial 26658]

Could you please help me?

Thanks

Valid certificates list

Is it possible to import a list of valid certificates (serial numbers or so) to provide a better response than "unknown" for issued certificates?

systemd service

Maybe someone will find this useful.

systemd ocspd.service

[Unit]
Description=OpenCA OCSP Responder (OCSPD)
Documentation=man:ocspd(3) man:ocspd.conf(3)
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/usr/sbin/ocspd -c /usr/etc/ocspd/ocspd.xml -d
ExecReload=/bin/kill -s HUP ${MAINPID}
ExecStop=/bin/kill -s TERM ${MAINPID}
PIDFile=/usr/var/run/ocspd.pid
Restart=always
RestartSec=2

[Install]
WantedBy=multi-user.target

Tested on CentOS 7.

OCSPD Revoked Certificate Response Error

Hi,

I am using OpenCA's OCSP Responder - v3.1.2 on Debian 10.8.0.
I am having an issue where a request for a revoked certificate gives "Responder Error: internalerror (2)".
When I dug into the logs of the OCSPD, I found that in case of a revoked certificate, only the following log is sent:

Jun 2 13:28:43 ocsp1 ocspd[1692]: Connection from [127.0.0.1]
Jun 2 13:28:43 ocsp1 ocspd[1692]: Request for certificate serial 160552354204550473679962
Jun 2 13:28:43 ocsp1 ocspd[1692]: [response.c:761] [OCSPD_CA_ENTRY_find()] [DEBUG] CRL::CA [MySelf] nameHash OK
Jun 2 13:28:43 ocsp1 ocspd[1692]: [response.c:777] [OCSPD_CA_ENTRY_find()] [DEBUG] CRL::CA [MySelf] issuerKeyHash OK
Jun 2 13:28:43 ocsp1 ocspd[1692]: [response.c:701] [ocspd_resp_send_socket()] [DEBUG] OCSP Response Bytes = 5, HTTP Header Bytes = 181

Responder Error: internalerror (2)

Hello.

Right now I'm unable to retrieve a valid ocspd response using a sha2 digest algorithm and the latest available version of openca-ocspd (v3.1.2).

Request was performed using openssl ocsp command. Every time I'm receiving such error:
Responder Error: internalerror (2)

In the ocspd logs I see this error:

Feb 15 07:40:23 2017 GMT [12503] INFO: Connection from [192.168.99.1]
Feb 15 07:40:23 2017 GMT [12503] INFO: [http_s.c:404] [DEBUG] HTTP Content-Length: 148 bytes
Feb 15 07:40:23 2017 GMT [12503] INFO: Request for certificate serial <censored>
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:692] [DEBUG] CRL::CA [emtrust] nameHash OK
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:707] [DEBUG] CRL::CA [emtrust] issuerKeyHash OK
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:329] [DEBUG] Using the specific token for the found CA (ocspServerToken2)
Feb 15 07:40:23 2017 GMT [12503] INFO: valid certificate status [serial <censored>]
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:85] [DEBUG] Digest Algorithm For Signature: SHA256
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:98] [DEBUG] Signing Certificate:
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:99] [DEBUG] - Serial .....: <censored>
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:100] [DEBUG] - Subject ....: <censored>
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:101] [DEBUG] - Issuer .....: <censored>
Feb 15 07:40:23 2017 GMT [12503] ERROR: [pki_ocsp_resp.c:293] Can not sign OCSP response => error:00000000:lib(0):func(0):reason(0)
Feb 15 07:40:23 2017 GMT [12503] ERROR: [response.c:117] [ERROR] Failed while signing [error:00000000:lib(0):func(0):reason(0)]
Feb 15 07:40:23 2017 GMT [12503] INFO: [response.c:630] [DEBUG] OCSP Response Bytes = 5, HTTP Header Bytes = 181

But for some reasons it works for version v2.4.2 using the same config and same certificates.

I've tried to compile and build it on CentOS 7 and Ubuntu 16.04.
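Two things in the reports above can be checked at the DER level on the client side: the "OCSP Response Bytes = 5" lines that accompany "Responder Error: internalerror (2)" in both of the preceding issues (a response that carries only a responseStatus and no responseBytes), and the signature algorithm mismatch shown in the "Incorrect signature algorithm returned" issue further up, where the printed signature bytes are still an ECDSA signature although the response labels them sha1WithRSAEncryption. The following Python is an added example, not code from openca-ocspd or LibPKI: the helper names are invented here, the two signature values are copied from the openssl output in that issue, and the 5-byte error response is reconstructed from the standard encoding rather than taken from a capture.

```python
"""Added example (not openca-ocspd or LibPKI code): two DER-level checks on an
OCSP response.  Function names are invented here; sample signature bytes come
from the openssl output quoted in the signature-algorithm issue above, and the
5-byte error response is reconstructed from RFC 6960, not captured."""
from typing import Tuple

# RFC 6960 section 4.2.1, OCSPResponseStatus (value 4 is not used)
OCSP_RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}


def der_read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER element at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def ocsp_response_status(der: bytes) -> str:
    """Name of responseStatus in OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, ... }."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    stag, status, _ = der_read_tlv(body)
    if stag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(status, "big")
    return OCSP_RESPONSE_STATUS.get(code, "unknown(%d)" % code)


def parse_ecdsa_sig_value(sig: bytes) -> Tuple[int, int]:
    """Decode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (RFC 5480) into (r, s)."""
    tag, body, end = der_read_tlv(sig)
    if tag != 0x30 or end != len(sig):
        raise ValueError("not a single SEQUENCE spanning the signature")
    rtag, r, pos = der_read_tlv(body)
    stag, s, end = der_read_tlv(body, pos)
    if rtag != 0x02 or stag != 0x02 or end != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(r, "big", signed=True), int.from_bytes(s, "big", signed=True)


def looks_like_ecdsa(sig: bytes) -> bool:
    """True if the signature value is a well-formed ECDSA-Sig-Value with positive r and s."""
    try:
        r, s = parse_ecdsa_sig_value(sig)
    except ValueError:
        return False
    return r > 0 and s > 0


def signature_algorithm_consistent(alg_name: str, sig: bytes) -> bool:
    """Does the algorithm label agree with the signature's shape?  An RSA PKCS#1 v1.5
    signature is a raw modulus-sized integer and does not (barring a freak collision)
    decode as a SEQUENCE of two INTEGERs covering the whole value; an ECDSA one always does."""
    return alg_name.lower().startswith("ecdsa") == looks_like_ecdsa(sig)


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


# Signature values exactly as 'openssl ocsp -resp_text' printed them in the issue above.
GOOD_SIG = _hex("30:45:02:21:00:87:ee:8f:fc:26:6c:ea:11:47:0b:83:8f:00:"
                "3f:58:8a:d0:a3:9e:70:7e:f3:5d:dc:6c:93:44:aa:71:d1:fa:"
                "0a:02:20:64:d2:01:08:19:81:c4:d4:90:d5:c5:bb:d9:a8:15:"
                "d6:f4:7a:d0:c1:ab:83:bf:31:37:9c:82:26:35:55:c2:5e")
BAD_SIG = _hex("30:44:02:20:15:fe:1e:90:b4:88:74:e4:2e:2a:73:3f:e9:66:"
               "f4:d4:4f:bf:17:c6:8c:41:0a:2e:97:c4:76:9e:e1:eb:e0:b0:"
               "02:20:42:19:7e:78:c6:98:34:1e:37:9e:11:23:69:18:1b:fd:"
               "7a:39:f1:80:10:19:e9:67:5d:2a:a2:37:b9:cd:e7:4d")
# Reconstructed, not captured: an OCSPResponse carrying only responseStatus
# internalError(2) is SEQUENCE { ENUMERATED 2 } = 30 03 0a 01 02, i.e. five bytes,
# which is the size the "OCSP Response Bytes = 5" log lines report.
BARE_INTERNAL_ERROR = bytes.fromhex("30030a0102")

if __name__ == "__main__":
    print(ocsp_response_status(BARE_INTERNAL_ERROR))                          # internalError
    print(signature_algorithm_consistent("sha1WithRSAEncryption", BAD_SIG))  # False
```

When `openssl ocsp` prints only "Responder Error", the daemon sent the five-byte status-only response: the signing step failed after the certificate lookup succeeded, so the place to look is the responder's own log around the "Failed while signing" line rather than the request. The consistency check is a heuristic for test harnesses: a verifier rejects the mislabelled response anyway, but flagging the label/shape mismatch points straight at the responder's signatureAlgorithm selection instead of at the key material.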

Database storage

Is it possible to use a database (MySQL, MariaDB, PostgreSQL) as storage for (revoked) certificates?

OCSPD v3.1.2 - Can not parse cert

OCSPD fails to load any CA I provide by any method. I have verified that the CAs are completely valid and "openssl x509" reads them perfectly. All that OCSPD mentions is that it "could not parse cert" or "Can not get CA cert". See below for both log entries and my root CA file.

Using caCertUrl

OpenCA's OCSP Responder - v3.1.2 (Build: Mon Jan 20 13:42:35 CST 2020)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

Jan 27 14:58:53 2020 GMT [23174] GENERAL: OpenCA OCSPD v3.1.2 (Mon Jan 20 13:42:35 CST 2020)- starting.
Jan 27 14:58:53 2020 GMT [23174] INFO: [token.c:2585] [PKI_TOKEN_load_profiles()] [DEBUG] ERROR, can not load directory /home/ubuntu/.libpki/profile.d!
Jan 27 14:58:53 2020 GMT [23174] INFO: [token.c:838] [PKI_TOKEN_init()] [DEBUG] Can not load profiles (/home/ubuntu/.libpki/profile.d)

Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml file
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/000-ibRootCA.xml
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/000-ibRootCA.xml file
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file ..
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file .
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:277] [OCSPD_load_config()] [DEBUG] Selected response digest algorithm: SHA1
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:298] [OCSPD_load_config()] [DEBUG] Selected signature digest algorithm: SHA256
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [config.c:414] [OCSPD_build_ca_list()] [DEBUG] Building CA List
Jan 27 14:58:53 2020 GMT [23174] GENERAL: Processing Configuration for [CA: XXXXX Global CA-1]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] ERROR: [config.c:495] [OCSPD_build_ca_list()] [ERROR] Can not get CA cert [CA: file:///var/www/cacerts/globalca1.crt, URL: XXXXX Global CA-1]
Jan 27 14:58:53 2020 GMT [23174] GENERAL: Processing Configuration for [CA: XXXXX Root CA]
Jan 27 14:58:53 2020 GMT [23174] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Jan 27 14:58:53 2020 GMT [23174] ERROR: [config.c:495] [OCSPD_build_ca_list()] [ERROR] Can not get CA cert [CA: file:///var/www/cacerts/rootca.crt, URL: XXXXX Root CA]
Jan 27 14:58:53 2020 GMT [23174] INFO: Configuration loaded and parsed

Using caCertValue

OpenCA's OCSP Responder - v3.1.2 (Build: Mon Jan 20 13:42:35 CST 2020)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

Jan 27 15:13:45 2020 GMT [23409] GENERAL: OpenCA OCSPD v3.1.2 (Mon Jan 20 13:42:35 CST 2020)- starting.
Jan 27 15:13:45 2020 GMT [23409] INFO: [token.c:2585] [PKI_TOKEN_load_profiles()] [DEBUG] ERROR, can not load directory /home/ubuntu/.libpki/profile.d!
Jan 27 15:13:45 2020 GMT [23409] INFO: [token.c:838] [PKI_TOKEN_init()] [DEBUG] Can not load profiles (/home/ubuntu/.libpki/profile.d)

Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/001-ibGlobalCA01.xml file
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:876] [PKI_CONFIG_load_dir()] [DEBUG]: Loading file /usr/etc/ocspd/ca.d/000-ibRootCA.xml
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:892] [PKI_CONFIG_load_dir()] [DEBUG]: Loaded /usr/etc/ocspd/ca.d/000-ibRootCA.xml file
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file ..
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:866] [PKI_CONFIG_load_dir()] [DEBUG]: Skipping file .
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:277] [OCSPD_load_config()] [DEBUG] Selected response digest algorithm: SHA1
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:298] [OCSPD_load_config()] [DEBUG] Selected signature digest algorithm: SHA256
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [pki_config.c:412] [PKI_CONFIG_get_element()] [DEBUG]: Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Jan 27 15:13:45 2020 GMT [23409] INFO: [config.c:414] [OCSPD_build_ca_list()] [DEBUG] Building CA List
Jan 27 15:13:45 2020 GMT [23409] GENERAL: Processing Configuration for [CA: XXXXX Global CA-1]
Jan 27 15:13:45 2020 GMT [23409] ERROR: [config.c:531] [OCSPD_build_ca_list()] [ERROR] Can not parse cert from /caConfig/caCertValue [CA: XXXXX Global CA-1]
Jan 27 15:13:45 2020 GMT [23409] GENERAL: Processing Configuration for [CA: XXXXX Root CA]
Jan 27 15:13:45 2020 GMT [23409] ERROR: [config.c:531] [OCSPD_build_ca_list()] [ERROR] Can not parse cert from /caConfig/caCertValue [CA: XXXXX Root CA]
Jan 27 15:13:45 2020 GMT [23409] INFO: Configuration loaded and parsed

Current 000-ibRootCA.xml config (Certificate removed)

<?xml version="1.0" ?>
<!-- OCSP Daemon configuration -->
<pki:caConfig xmlns:pki="http://www.openca.org/openca/pki/1/0/0">
   <!-- Give a meaningful name to this CA - This name will be used in the
        logfiles -->
   <pki:name>intelli-building Root CA</pki:name>
   <!-- You can embed the CA certificate in the configuration file by
        using the caCert option and putting the PEM formatted version of
        the certificate here -->
   <pki:caCertValue>
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
   </pki:caCertValue>
   <!-- You can specify the URL where to download the CA certificate from.
        The URL is any URL supported by LibPKI (file://, id://, http://,
        https://, ldap://) -->
   <!--<pki:caCertUrl>file:///usr/etc/ocspd/certs/rootca.crt</pki:caCertUrl>-->
   <!-- <pki:caCertUrl>file:///usr/etc/ocspd/certs/cacert.pem</pki:caCertUrl> -->
   <pki:crlUrl>file:///var/www/cacrls/rootca.crl</pki:crlUrl>
   <!-- Use serverCertUrl if your OCSP server has only one private
        keypair (configured in the ocsp.xml -> token ) but different
        certificates issued by different CAs. This is the cert that
        will be used to generate responses for this CA -->
   <!-- <pki:serverCertUrl></pki:serverCertUrl> -->
   <!-- Use serverToken if your OCSP server has a full token configured
        (private key + certificate) to be used with this CA. The serverCertUrl
        and serverToken options are mutually exclusive, use only one! If
        the serverToken is used, it has the precedence over the serverCertUrl
        one -->
   <pki:serverToken>rootCertAuthToken</pki:serverToken>
   <!-- This allows for setting the responderIdType for the responder. The allowed
        values are:
        - 'name' for using the hash of the signer's certificate name
        - 'keyid' for using the hash of the signer's public key
        The default value (if not set) is to use the name identifier -->
   <pki:responderIdType>name</pki:responderIdType>
   <!-- In case a CA is compromised, set this option to yes. All the
        responses for this CA will carry the caCompromised flag. -->
   <pki:caCompromised>no</pki:caCompromised>
</pki:caConfig>

Feature request: define digest algorithm at the Virtual Host level

Hello.

At the moment it is possible to configure the digest algorithm in ocspd.xml, but this value is applied globally.
If I want to have a mixture of sha1 and sha2 ocsp servers, I would need 2 separate instances.

My proposal is to configure the digest algorithm per virtual host.

Best regards.

Does openca-ocspd support CA with multiple subCAs?

I wonder if someone could help me?

I'm trying to set up an ocsp responder with a root CA and several sub CAs for signing deployed certificates, using openca-ocspd on Fedora Core 22.

However, I have not been successful, and it either seems to me that the responder can use only a single certificate for signing all the ocsp responses, or I do not know how to configure the software properly. As far as I have understood, each CA (and subCA) should have its own certificate with the EKU for OCSP signing, as stated in RFC2560:

"All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:

-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating <----o
that the responder may issue OCSP responses for that CA"

The responder stubbornly sends the first configured ocsp certificate no matter which CA CRL is being used for verification. With failing deployed certificates (certificates signed by the subCAs) I get (because the OCSP signing certificate in the response is the root CA's instead of the subCA's OCSP signing certificate):

Response Verify Failure
140689577682800:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:152:

My question is: does the openca-ocspd software support multiple CAs, or am I trying to do something that is not possible with the responder? If it does, how do I configure it properly?

I have followed the configuration file at: http://svn.cacert.org/CAcert/SystemAdministration/ocsp/usr/local/etc/ocspd/ocspd.conf

The ocspd version is: ocspd.x86_64 1.9.0-5.fc22

Thanks a lot!

HTTPS

Hi,
Is there any way to test ocspd over HTTPS? Any example?

Sha256 request causes crash

The OCSP server crashes on receiving a request with SHA-256; using openssl ocsp with -sha256 will crash it with this error:
*** Error in '/usr/sbin/ocspd': double free or corruption (!prev): 0xb45025f8 ***
Here is a crash file I got from Apport:
ocsp_crash.txt
