-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SHA256 as OCSP hash algorithm #190
Comments
@dnadoba may have more of the context here, but I believe this is just something we didn't get around to doing. We're not immediately planning to do this work, but we'd be happy to work with someone to produce a pull request to enable the feature, and would also be happy to accept documentation PRs that call out the limitation. |
Is it just not enabled or it doesn't work? Because after forking and forcefully enabling it I still get malformedRequest |
IIRC the problem is that there is no way of knowing upfront which hash algorithm the server supports. Therefore back then we needed to use SHA1 which is what was the only required hash algorithm by the specification for maximum compatibility. I don’t recall if I have tested SHA256 with a real sever or not. Do you have some code snipped to reproduce the behavior you described? |
`import Foundation enum ImportError: Error { enum CheckError: Error { struct ApplePKCS12 {
}` |
After some additional checks, i can say there may be a bug inside OCSP request generation logic. The hash algorithm is same, output issuer name and key hashes as well, and the certificate serial number is also recognising the same way. But i still get malformedRequest in swift and successful response in python. The generated request is 2 bits longer then the one generated with python, and as i already said, has slightly different content. |
Can you print both as base64 here? |
Python (Cryptography package)Hashing algorithm
Issuer key hash
Issuer name hash
Certificate serial number (encoded to hex with Swift Certificate.SerialNumber)
Request/Response HeadersBase64 Request
Base64 Response
SwiftHashing algorithm
Issuer key hash
Issuer name hash
Certificate serial number
Request/Response HeadersBase64 Request
Base64 Response
All values are copied directly from logs (and hashes are in base64) |
Python request, decoded:
Swift request, decoded:
The following are the differences: Python has used the explicit NULL encoding of the SHA256 hash function We have a trailing context-specific 2 node containing an empty Sequence. Python does not. Glancing at the ASN.1 document that appears to be the extensions field. |
@weekly71 Want to try out which of those two things matters? To fix the first difference, change this line to pass To fix the second difference, rewrite this section of code to pass It would be valuable to know which of these two the responder is unhappy with. |
After changing this |
I'd be happy to have that change, yes. |
After 4 hours of trying to get OCSP check for Apples own(!) certificates to work, I've noticed this comment in sources
As it turned out, this library does not support any other algorithms else then SHA1.
The text was updated successfully, but these errors were encountered: