
Error "Signature is unknown" for signature containers containing an invalid OCSP response

Open · user8547 opened this issue 2 years ago · 1 comment

When a signature container contains an OCSP response that contains the validity status of a different certificate serial number than the signatory's certificate included in the signature, the DigiDoc4 client shows an error "Signature is unknown" and the technical information section wrongly reports that the certificate status is unknown (while the status is "Good"). However, it should show "Signature is not valid" with an appropriate description in the technical information section (e.g., "OCSP response does not match signatory's certificate").

(Attached image: Screenshot from 2022-10-18 17-26-46)

Test .asice file attached. forgery7.zip

user8547 · Oct 18 '22 14:10

This should be in open-eid/libdigidocpp. OCSP can contain 1 to N references to certificates (RFC 6960). If we cannot find a suitable reference to the certificate in the OCSP response, then it is classified as UNKNOWN status.

metsma · Oct 21 '22 07:10
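The classification the report and the reply disagree about, as an added example that is not code from DigiDoc4 or libdigidocpp: CertID matching (RFC 6960) over the 1..N SingleResponses of an OCSP response, separating "no SingleResponse covers the signer certificate" (reported here as not valid, with the description the issue asks for) from a responder's own UNKNOWN status. The issuer name and public-key bytes, serial numbers and status strings are constructed placeholders, not real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertID:
    # RFC 6960 CertID: hash algorithm, hash of the issuer DN, hash of the issuer public key, serial
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass
class SingleResponse:
    cert_id: CertID
    cert_status: str  # "good" | "revoked" | "unknown", as reported by the responder


def make_cert_id(hash_alg: str, issuer_dn_der: bytes, issuer_spk_bits: bytes, serial: int) -> CertID:
    # In a real response issuerNameHash is over the DER issuer Name and issuerKeyHash over the
    # subjectPublicKey BIT STRING value; here the inputs are constructed placeholder bytes.
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, h(issuer_dn_der), h(issuer_spk_bits), serial)


def find_single_response(responses: List[SingleResponse], cert_id: CertID) -> Optional[SingleResponse]:
    # All four CertID fields must match; a response for another serial is not "ours"
    for r in responses:
        if r.cert_id == cert_id:
            return r
    return None


def classify_signature(responses: List[SingleResponse], signer_cert_id: CertID) -> Tuple[str, str]:
    """Return (verdict, technical detail) for a signature whose container carried `responses`."""
    match = find_single_response(responses, signer_cert_id)
    if match is None:
        # Mismatch is a container defect, not a responder verdict: report it as invalid
        return ("NOT_VALID", "OCSP response does not match signatory's certificate")
    if match.cert_status == "good":
        return ("VALID", "certificate status GOOD")
    if match.cert_status == "revoked":
        return ("NOT_VALID", "certificate status REVOKED")
    return ("UNKNOWN", "OCSP responder reports certificate status UNKNOWN")


# Constructed sample data (not real certificates)
ISSUER_DN = b"CN=Example Issuer CA (constructed)"
ISSUER_SPK = b"constructed-subject-public-key-bytes"
signer_id = make_cert_id("sha256", ISSUER_DN, ISSUER_SPK, 0x1234)
# Response covering only a different serial: the case the issue reports
mismatched = [SingleResponse(make_cert_id("sha256", ISSUER_DN, ISSUER_SPK, 0x5678), "good")]
# Response with two SingleResponses, one of them for the signer certificate
matching = mismatched + [SingleResponse(signer_id, "good")]

if __name__ == "__main__":
    print(classify_signature(mismatched, signer_id))
    print(classify_signature(matching, signer_id))
```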