I was checking the OCSP status of certain endpoints using the answer posted at the following question: How to check OCSP client certificate revocation using Python Requests library?

I ran into an issue trying to validate the OCSP status for certs issued by ZeroSSL, in that the status returned unauthorised; however, checking it via some online web service returned the status as Good.

Changed the algorithm from SHA256 to SHA1 in the OCSP request builder, and it worked. Where is this hash algorithm defined? It is the algorithm that the OCSP server uses to sign the request, I presume?

How do I find the algorithm used by the OCSP server beforehand, or is it possible to predetermine the hash algorithm the OCSP server uses?

import base64
from urllib.parse import quote
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.hashes import SHA1, SHA256
from cryptography.x509.ocsp import OCSPRequestBuilder

def Get_OCSP_ReqBuilder(clientcert, issuercert, ocsp_location):
    builder = OCSPRequestBuilder()
    # Hash for the CertID (issuer name and key hashes). SHA256() gave "unauthorized"; SHA1() worked.
    req = builder.add_certificate(clientcert, issuercert, SHA256())  # Replaced with SHA1() here.
    req2 = req.build()
    req_path = base64.b64encode(req2.public_bytes(serialization.Encoding.DER)).decode('ascii')
    # RFC 6960 Appendix A: URL-encode the base64 (urljoin() would collapse any '//' inside it).
    return ocsp_location.rstrip('/') + '/' + quote(req_path, safe='')

1 Answer

From what I've seen, SHA1 is a good place to start for making OCSP requests. Early revs of the OCSP RFC required that OCSP responders support it, so it became a default. The x509 docs say that the only supported algos are SHA1, SHA224, SHA256, SHA384, and SHA512, so if you wanted to be robust, you could implement a little fallback routine to check others. Even trying them all wouldn't be too terrible if you had to.

I have run into the same problem you did: response status of unauthorized for requests hashed with SHA256 but successful when I used SHA1. It's frustrating, because there isn't really anything in the protocol defining a way to query for supported algos, and the narrow range of responses is limited and not very descriptive, so systems end up with unhelpful error messages. I'd probably have chased it down more quickly if the response had been "malformedRequest," compared to "Unauthorized."
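The fallback routine the answer suggests, as an added example that is not code from the question or the answer. Two points it makes concrete: the hash passed to add_certificate() is the CertID hash (per RFC 6960 it hashes the issuer's name and public key so the responder can identify the certificate), not the algorithm the responder signs with, and the responder's own signing hash is only visible afterwards in the response. The CA, leaf certificate, fake responder and the URL http://ocsp.example.test are all constructed inline so the code runs offline; against a real responder, send() would be requests.get(url) followed by load_der_ocsp_response(r.content).

```python
# Added example (not from the question or answer): a fake responder that, like
# the behaviour described above, answers UNAUTHORIZED for every CertID hash but
# one, and a routine that retries with each hash cryptography supports.
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.ocsp import (
    OCSPCertStatus, OCSPRequestBuilder, OCSPResponderEncoding,
    OCSPResponseBuilder, OCSPResponseStatus, load_der_ocsp_request,
)
from cryptography.x509.oid import NameOID

# Order suggested by the answer: SHA1 first (historically mandatory), then the rest.
CANDIDATE_HASHES = (hashes.SHA1, hashes.SHA256, hashes.SHA224, hashes.SHA384, hashes.SHA512)


def build_ocsp_get_url(cert, issuer, ocsp_location, hash_cls):
    """Build the GET URL for one OCSP request; hash_cls selects the CertID hash."""
    req = OCSPRequestBuilder().add_certificate(cert, issuer, hash_cls()).build()
    encoded = base64.b64encode(req.public_bytes(serialization.Encoding.DER)).decode("ascii")
    # RFC 6960 Appendix A: base64, then URL-encode ('/' and '+' must not stay raw).
    return ocsp_location.rstrip("/") + "/" + quote(encoded, safe="")


def query_with_fallback(cert, issuer, ocsp_location, send, candidates=CANDIDATE_HASHES):
    """Retry with each CertID hash until the responder returns SUCCESSFUL.

    send(url) performs the HTTP GET and returns an OCSPResponse (injected so the
    routine can run offline). Returns (hash_name, response, attempts); the first
    two are None when every candidate was refused.
    """
    attempts = []
    for hash_cls in candidates:
        resp = send(build_ocsp_get_url(cert, issuer, ocsp_location, hash_cls))
        attempts.append((hash_cls.name, resp.response_status.name))
        if resp.response_status == OCSPResponseStatus.SUCCESSFUL:
            return hash_cls.name, resp, attempts
    return None, None, attempts


def make_test_pki():
    """Constructed throwaway CA and leaf certificate (test data, not a real PKI)."""
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC works on all cryptography versions
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def make_fake_responder(accepted_hash_name, ca_key, ca_cert, leaf_cert):
    """Stand-in for the HTTP GET: decodes the request from the URL and answers
    UNAUTHORIZED unless the CertID hash is the one this responder handles."""
    def send(url):
        req = load_der_ocsp_request(base64.b64decode(unquote(url.rsplit("/", 1)[1])))
        if req.hash_algorithm.name != accepted_hash_name:
            return OCSPResponseBuilder.build_unsuccessful(OCSPResponseStatus.UNAUTHORIZED)
        now = datetime.now(timezone.utc).replace(tzinfo=None)
        builder = OCSPResponseBuilder().add_response(
            cert=leaf_cert, issuer=ca_cert, algorithm=req.hash_algorithm,
            cert_status=OCSPCertStatus.GOOD, this_update=now,
            next_update=now + timedelta(hours=1),
            revocation_time=None, revocation_reason=None,
        ).responder_id(OCSPResponderEncoding.HASH, ca_cert)
        return builder.sign(ca_key, hashes.SHA256())  # the responder's own signing hash
    return send


if __name__ == "__main__":
    ca_key, ca_cert, leaf_cert = make_test_pki()
    send = make_fake_responder("sha256", ca_key, ca_cert, leaf_cert)
    name, resp, attempts = query_with_fallback(leaf_cert, ca_cert, "http://ocsp.example.test", send)
    print(attempts)  # [('sha1', 'UNAUTHORIZED'), ('sha256', 'SUCCESSFUL')]
    print(name, resp.certificate_status.name, resp.signature_hash_algorithm.name)
```

The attempts list is the diagnostic the answer says the protocol itself never gives you: it records which CertID hash each UNAUTHORIZED came back for, so a deployment can log it and pin the working hash for that responder instead of retrying on every check.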