Thanks for the report.  We'll look into this and get back to you.

Best Regards,
Chris

if (verify && type != CA_TYPE) {

but rather inside the changed if-statement

if (type != CA_TYPE) {
    [...]
    if (ca) {
        [...]
        if (verify) {
            /* try to confirm/verify signature */
            [...]
        }
    }
}

This way, the ca's public key hash is set for any cert which is not a CA itself, but verification itself is only done if the verify-flag is also set.

So, does this change to set the ca's public key hash every time, not only if verify=1, seem ok?

- Daniel

CyaSSL_CertManagerCheckOCSP

I know that the certificate in question is valid and that the OpenSSL OCSP responder running here uses the correct CA certificate and knows the states of the certificates.

When trying to verify my cert, the responder stated that the certificate status is unknown.
After trying some more, I saw that the "Issuer Key Hash"-value in the OCSP request changed. This was due to this field not being set anywhere and thus pointing to some uninitialized value.

I've now patched the function ParseCertRelative inside ctaocrypt/src/asn.c (CyaSSL embedded SSL v2.9.0) to set the "Issuer Key Hash"-field in the certificate which state is to be checked:

    if (verify && type != CA_TYPE) {
        [...]
    } else if (type != CA_TYPE) {
        Signer* ca = NULL;
#ifndef NO_SKID
        if (cert->extAuthKeyIdSet)
            ca = GetCA(cm, cert->extAuthKeyId);
        if (ca == NULL)
            ca = GetCAByName(cm, cert->issuerHash);
#else /* NO_SKID */
        ca = GetCA(cm, cert->issuerHash);
#endif /* NO SKID */

        // Store Issuer Key Hash for later OCSP request
        memcpy(cert->issuerKeyHash, ca->subjectKeyIdHash, SHA_SIZE);
    }

This way, the OCSP request has the correct "Issuer Key Hash" and the OCSP responder correctly responds "good" as certificate status.

Is this a bug or am I using the OCSP api wrong?

- Daniel