
Comments (4)

MasterJames avatar MasterJames commented on August 23, 2024

Well those ToDos explain what needs to be done, as well as show maybe they are actually optional. So far my variation is not happy so I'll try to complete those parts as well as understand why it doesn't like it.

Also note that I found the getResponses code to be excessive in the form with the dependency of async which in turn includes lodash. Instead of async map I went the route of map async so I would recommend rethinking that entire part of the server.

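// Start one lookup per request; each async callback returns a promise.
let pList = reqList.map( async ( req ) => {
    return ocsp.getResponse( req );
});
// resps holds the results in the same order as reqList.
Promise.all( pList ).then( ( resps ) => { } );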

Yup burned passing the callback around too, as it should respond 'unknown' instead of calling back with an error.
Thanks for the hints and asn1.js-rfc25?0 stuff, that totally blows my mind.

from ocsp.

MasterJames avatar MasterJames commented on August 23, 2024

Well it seems that really those TODOs are much more important and missing. NO Nonce and NO Certs is a pretty important part of the response specification.

Ultimately it would be nice to have the TODOs done on server responses. aka Nonce and Cert added to responses.

[As a side note I had struggled for days with the ASN1 encoder barfing over key case aka certID vs certId and the formulation of certStatus. Next just passing Nonce as it comes triggers a crash asn1_check_tlen:wrong tag?]

[2 Days later: I am starting to think as close as this is I might have to totally rebuild with PKI.js]

from ocsp.

MasterJames avatar MasterJames commented on August 23, 2024

Right, so it's really the missing cert that causes an unsightly error in the openssl ocsp test.
So it appears the cert is not considered optional to omit.

Response Verify Failure
139808917545408:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:../crypto/ocsp/ocsp_vfy.c:41:
139808917545408:error:0D0C50C8:asn1 encoding routines:ASN1_item_verify:wrong public key type:../crypto/asn1/a_verify.c:140:
139808917545408:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:../crypto/ocsp/ocsp_vfy.c:60:

My initial attempts to reintegrate or rebuild with PKI have led me to conclude that library is way too massive for this otherwise almost working simple OCSP response.
The Nonce of course makes even more sense to have even though it's in theory optional.

I've burned too much time to carry on this repair job for the moment, for something Chrome doesn't even bother with anymore.

It would be really great if someone could complete this (Nonce and Cert in OCSP Response) or give some idea of if the pieces are already here somewhere waiting to be integrated or there are entire sections completely missing that would really take more than a few days or weeks even to add here, thanks.

from ocsp.

tshabi8 avatar tshabi8 commented on August 23, 2024

This can be solved by fixing the rfc2560 response extensions index from 0 to 1.
Just submitted a pull request.

from ocsp.
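
One way to check a response for the two things this thread turns on, the echoed nonce and the tag on the response extensions, written as an added example that is not part of the comments above or of the ocsp project's code. It is a small Node.js DER walker; the helpers `tlv`, `ext`, `sampleReq` and `sampleResp` and the bytes they produce are constructed for illustration.

```javascript
// Added example, not code from the ocsp project. The sample messages at the
// end are constructed skeletons, not complete OCSP requests or responses.
const NONCE_OID = Buffer.from('2b0601050507300102', 'hex'); // 1.3.6.1.5.5.7.48.1.2
function readTlv(buf, off) {                 // one DER tag-length-value header
  if (off + 2 > buf.length) throw new Error('truncated DER');
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {                          // long-form length
    const n = len & 0x7f;
    if (n < 1 || n > 4 || off + 2 + n > buf.length) throw new Error('bad length');
    len = buf.readUIntBE(off + 2, n); hdr += n;
  }
  if (off + hdr + len > buf.length) throw new Error('truncated DER');
  return { tag: buf[off], start: off + hdr, end: off + hdr + len };
}

// Returns { value: raw extnValue bytes, ctx: nearest enclosing [n] tag } or null.
function findNonce(buf, start = 0, end = buf.length, ctx = null) {
  let sawOid = false;
  for (let off = start; off < end;) {
    const t = readTlv(buf, off);
    if (t.end > end) throw new Error('child overruns parent');
    const body = buf.subarray(t.start, t.end);
    if (t.tag === 0x06 && body.equals(NONCE_OID)) sawOid = true;
    else if (sawOid && t.tag === 0x04) return { value: Buffer.from(body), ctx };
    else if ((t.tag & 0x20) || t.tag === 0x04) {
      // Also try OCTET STRINGs: the response wraps BasicOCSPResponse in one.
      try {
        const hit = findNonce(buf, t.start, t.end, (t.tag & 0xe0) === 0xa0 ? t.tag : ctx);
        if (hit) return hit;
      } catch (e) { if (t.tag !== 0x04) throw e; } // e.g. hash bytes are not DER
    }
    off = t.end;
  }
  return null;
}

// RFC 6960 ResponseData: version is [0], responseExtensions is [1] (0xa1).
function checkNonce(reqDer, respDer) {
  const want = findNonce(reqDer), got = findNonce(respDer);
  if (!want) return 'not-requested';
  if (!got) return 'missing';
  if (got.ctx !== 0xa1) return 'wrong-tag';
  return got.value.equals(want.value) ? 'ok' : 'mismatch';
}
// Constructed samples (short-form lengths only).
const tlv = (tag, ...parts) => Buffer.concat([Buffer.from([tag, Buffer.concat(parts).length]), ...parts]);
const ext = (n) => tlv(0x30, tlv(0x06, NONCE_OID), tlv(0x04, tlv(0x04, Buffer.from(n, 'hex'))));
const sampleReq = (n) => tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x04, Buffer.alloc(20, 0xab))), tlv(0xa2, tlv(0x30, ext(n)))));
const sampleResp = (n, tag = 0xa1) => tlv(0x30, tlv(0x0a, Buffer.from([0])),
  tlv(0xa0, tlv(0x30, tlv(0x04, tlv(0x30, tlv(0x30, n ? tlv(tag, tlv(0x30, ext(n))) : Buffer.alloc(0)))))));
```

`checkNonce(sampleReq(n), sampleResp(n, 0xa0))` reports `wrong-tag`: the nonce is present but sits under `[0]` instead of `[1]`.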
