Incorrect signature algorithm returned when signing ocsp request with non-rsa key #32
Description
I've been testing ca setup (simple root + intermediary with dedicated ocsp keys) with ocsp certifcate used for signing being based on prime256v1 key. In such scenario, the response still claims it's signed using sha1withrsaencryption.
When comparing with openssl ocsp (server) behaviour, openssl returns correct data (and that's the only difference pretty much) - if you run diff over both responses:
--- good 2018-05-15 13:52:41.837180575 +0200
+++ bad 2018-05-15 13:52:41.837180575 +0200
@@ -22,11 +22,11 @@
This Update: May 15 11:52:41 2018 GMT
Next Update: May 15 11:57:41 2018 GMT
- Signature Algorithm: ecdsa-with-SHA256
- 30:45:02:21:00:87:ee:8f:fc:26:6c:ea:11:47:0b:83:8f:00:
- 3f:58:8a:d0:a3:9e:70:7e:f3:5d:dc:6c:93:44:aa:71:d1:fa:
- 0a:02:20:64:d2:01:08:19:81:c4:d4:90:d5:c5:bb:d9:a8:15:
- d6:f4:7a:d0:c1:ab:83:bf:31:37:9c:82:26:35:55:c2:5e
+ Signature Algorithm: sha1WithRSAEncryption
+ 30:44:02:20:15:fe:1e:90:b4:88:74:e4:2e:2a:73:3f:e9:66:
+ f4:d4:4f:bf:17:c6:8c:41:0a:2e:97:c4:76:9e:e1:eb:e0:b0:
+ 02:20:42:19:7e:78:c6:98:34:1e:37:9e:11:23:69:18:1b:fd:
+ 7a:39:f1:80:10:19:e9:67:5d:2a:a2:37:b9:cd:e7:4d
Certificate:
Data:
Version: 3 (0x2)
openssl ocsp client complains about it this way:
Response Verify Failure
139681479406016:error:0D0C50C8:asn1 encoding routines:ASN1_item_verify:wrong public key type:crypto/asn1/a_verify.c:140:
139681479406016:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:crypto/ocsp/ocsp_vfy.c:60:
139681479406016:error:0D0C50C8:asn1 encoding routines:ASN1_item_verify:wrong public key type:crypto/asn1/a_verify.c:140:
139681479406016:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:crypto/ocsp/ocsp_vfy.c:60:
If I change ocsp key to rsa, everything works fine.