
How to get and extract signer's certificate in OCSP Response

I am trying to perform OCSP validation on a remote website's certificate. When I receive an OCSP validation response, I need to perform extendedKeyUsage "id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)" validation on the signer's certificate. But I am not able to find the signer's certificate in the OCSP response.

From https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2, page 18:

The responder MAY include certificates in the certs field of BasicOCSPResponse that help the OCSP client verify the responder's signature.

But the certs field in the BasicOCSPResponse is coming back empty. Is there some extension that I need to send to force the OCSP responder to send the signer's certificate, or am I looking in the wrong place? Can anyone please suggest how I can find the signer's certificate?

My understanding of the OCSP response was not correct. There are 3 options for what the original signing certificate could be:

  1. The issuer certificate, which is part of the certificate chain. This is the scenario in most cases.
  2. It could be one of the certificates available in the truststore.
  3. It could also come as part of the OCSPResponse, but this is not always required, because the response could be validated using the certificates from the above 2 options.

If the signing certificate is found using the 3rd option, it should match 2 criteria:

  1. It should have the extendedKeyUsage id-kp-OCSPSigning (OID 1.3.6.1.5.5.7.3.9), and
  2. the OCSPResponse signature should verify against the certificate.
  3. This certificate should be verified with the public key of the issuer certificate.
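The lookup the answer describes, as an added example that is not part of the question or answer, using the `cryptography` package: the issuer and the truststore are tried first, and a certificate carried in the response is accepted only if it carries id-kp-OCSPSigning, is signed by the issuer and verifies the response signature. The CA, responder and names are a constructed fixture, and the signature check assumes ECDSA keys throughout.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature
NOW = datetime.now(timezone.utc)

def _signed_by(pub, sig, data, halg):
    try:  # ECDSA only in this constructed example; an RSA signer would need padding.PKCS1v15() here
        pub.verify(sig, data, ec.ECDSA(halg))
    except InvalidSignature:
        return False
    return True

def find_ocsp_signer(resp, issuer, truststore=()):
    # Options 1 and 2 from the answer: the issuer itself, then certificates already trusted.
    for cert in [issuer, *truststore]:
        if _signed_by(cert.public_key(), resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm):
            return cert
    # Option 3: a cert carried in the response counts only with id-kp-OCSPSigning, the issuer's signature
    # on it, and a key that actually verifies the response signature (the answer's three criteria).
    for cert in resp.certificates:
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue
        if (ExtendedKeyUsageOID.OCSP_SIGNING in eku
                and _signed_by(issuer.public_key(), cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm)
                and _signed_by(cert.public_key(), resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm)):
            return cert
    return None

def _cert(cn, issuer_cn, pub, signer_key, eku=None):
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])  # fixture helper: CN-only names
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn)).public_key(pub)
         .serial_number(x509.random_serial_number()).not_valid_before(NOW).not_valid_after(NOW + timedelta(days=30)))
    return (b.add_extension(x509.ExtendedKeyUsage(eku), critical=False) if eku else b).sign(signer_key, hashes.SHA256())

def demo(with_eku=True):
    # Constructed fixture: CA, delegated responder (signed by the CA, id-kp-OCSPSigning unless with_eku=False),
    # and a GOOD response (reporting on the responder cert itself) signed by the responder and carrying its cert.
    ca_key, resp_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Example CA", "Example CA", ca_key.public_key(), ca_key)
    responder = _cert("Example OCSP Responder", "Example CA", resp_key.public_key(), ca_key,
                      [ExtendedKeyUsageOID.OCSP_SIGNING] if with_eku else None)
    resp = ocsp.OCSPResponseBuilder().add_response(
        cert=responder, issuer=ca, algorithm=hashes.SHA256(), cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + timedelta(hours=1), revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder).certificates([responder]).sign(resp_key, hashes.SHA256())
    return (s := find_ocsp_signer(resp, ca)) and s.subject.rfc4514_string()
```

With `demo(False)` the carried certificate lacks id-kp-OCSPSigning, so no signer is accepted and the result is `None`, which is the case a client must treat as a failed validation.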
