gpgsm: Problems with OCSP validation / No CRL known for OCSP Cert id-pkix-ocsp-nocheck?
Open, WishlistPublic

Description

In the wald forum it has been reported that GPGSM can't work with ocsp and or CRL checks enabled with a Spanish Governmental certificate chain.

https://wald.intevation.org/forum/forum.php?thread_id=2009&forum_id=21&group_id=11

I think this might be a missing feature / wishlist item related to T4118 but here the OCSP responder cert should be accepted probably because of id-pkix-ocsp-nocheck ?
This task is more about not forgetting that report and maybe improving gpgsm along the way.

werner added a subscriber: werner.Dec 17 2018, 9:44 AM

Is using

ocsp-signer ./FILE

in dirmngr.conf with FILE being in ~/.gnupg and having a list of valid responder certificates a useful workaround? It is one of the suggested solution from rfc6960.

Good to know. I thought that ocsp-signer was only used if ocsp-responder is explitly set. I've suggested the workaround in the Message Board.

I had to look it up in the code and man page too ;-)

@werner what should the contents of the file look like?

I think they should contain the certificates in PEM format like:

-----BEGIN CERTIFICATE-----
MIIFvjCCA6agAwIBAgIBDTANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJERTEY
MBYGA1UECgwPSW50ZXZhdGlvbiBHbWJIMSEwHwYDVQQDDBhJbnRldmF0aW9uIEVt
YWlsIENBIDIwMTYwHhcNMTgwMTE5MjA1NzMzWhcNMjAwMTE5MjA1NzMzWjBAMQsw
.....
xBhxAKO+klmW0eBtHWwh9BCnlyH0r1YzvHMbH2PmOCqN6L6HelQHRLGgqJdM1/SH
i29VL4yWffYFKfvhsin/S48lqYH3D5oBioT09iXy95qmGFjARs17OtHPBnzfmrti
jHXHpNQHjXLVh34s9G/w8xZl+tQdM/d7taAsDx2j4kQ4Oq7GLU/FHGVMvGTC2Q9K
MyJm04Kci7Sss2G/iJlgZntNqM0ISM3WuyrhAiOkHx2Eug==
-----END CERTIFICATE-----

Is this correct? I was asked this on wald and I have no way ATM to test this.

A list of SHA-1 fingerprints for the valid certificates. With our without colons.

The reporter said that it did not work for him.

As an additional note the OCSP signer selection in Kleopatra needs improvement.

werner,
I'm the spanish user. Are you also setting default ocsp responder option?
Setting only ocsp_signer doesn't worked, there are several CA's with diferent ocsp responders.