How to get and extract signer's certificate in OCSP Response
I am trying to perform OCSP validation on the remote website certificate. When I receive an OCSP validation response, I need to perform extendedKeyUsage "id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)" validation on the signer's certificate. But I am not able to find the signer's certificate in the OCSP response.
From https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2 Page 18:
The responder MAY include certificates in the certs field of BasicOCSPResponse that help the OCSP client verify the responder's signature.
But the Cert field in the BasicOCSPResponse is coming back empty. Is there some extension that I need to send to force the OCSPResponder to send the signer's certificate? Or am I looking at the wrong place? Can anyone please suggest how I can find the signer's certificate?
My understanding of the OCSP Response was not correct. There are 3 options which could be an original signing certificate.
If the signing certificate is found using the 3rd criterion, it should match 2 criteria:
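An added example, not part of the original post: using Python's `cryptography` package, it locates the signer named by the ResponderID among the issuing CA and the `certs` field, then applies the RFC 6960 section 4.2.2.2 check that a delegated signer was issued by that CA and carries id-kp-OCSPSigning. The CA, responder, leaf certificate and response are constructed sample data, the function names are hypothetical, and ECDSA keys are assumed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
T0 = datetime.datetime(2024, 1, 1)  # constructed timestamp for the sample data

def find_signer(resp, issuer):
    """Return the cert named by ResponderID (byName or byKey): the CA or one from certs."""
    for cand in [issuer, *resp.certificates]:
        key_hash = x509.SubjectKeyIdentifier.from_public_key(cand.public_key()).digest
        if resp.responder_name == cand.subject or resp.responder_key_hash == key_hash:
            return cand  # resp.signature must still be verified with this cert's key
    return None

def is_authorized(signer, issuer):
    """True if signer is the issuing CA, or a delegate it issued with id-kp-OCSPSigning."""
    if signer == issuer:
        return True
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   ec.ECDSA(signer.signature_hash_algorithm))  # ECDSA CA assumed
    except (x509.ExtensionNotFound, InvalidSignature):
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku and signer.issuer == issuer.subject

def _cert(cn, key, ca_cn, ca_key, eku=None):  # builds a constructed sample certificate
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(ca_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(T0).not_valid_after(T0 + datetime.timedelta(days=30)))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def demo(eku):
    """Constructed CA, delegated responder and response; returns (found, authorized)."""
    ca_k, resp_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Example CA", ca_k, "Example CA", ca_k)
    responder = _cert("Example OCSP", resp_k, "Example CA", ca_k, eku)
    leaf = _cert("www.example.test", leaf_k, "Example CA", ca_k)
    resp = (ocsp.OCSPResponseBuilder().responder_id(ocsp.OCSPResponderEncoding.HASH, responder)
            .add_response(leaf, ca, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD, T0, None, None, None)
            .certificates([responder]).sign(resp_k, hashes.SHA256()))
    signer = find_signer(resp, ca)
    return signer == responder, is_authorized(signer, ca)
```

When `certs` is empty, `find_signer` can still return the issuing CA certificate if the ResponderID names it, which is the case where the CA signs its own responses.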