os/security/cryptoservices/certificateandkeymgmt/testcertificates/openssl/readme.txt
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/security/cryptoservices/certificateandkeymgmt/testcertificates/openssl/readme.txt Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,24 @@
1.4 +The oscpResponder.pl script requires the ocsp responder to support DSA
1.5 +
1.6 +the following patch can be applied to openssl 0.9.7b or 0.9.7c:
1.7 +
1.8 +--- openssl-0.9.7b.ORIG/apps/ocsp.c 2003-03-26 02:47:06.000000000 +0200
1.9 ++++ openssl-0.9.7b/apps/ocsp.c 2004-02-22 16:11:18.000000000 +0200
1.10 +@@ -1115,7 +1115,16 @@
1.11 +
1.12 + OCSP_copy_nonce(bs, req);
1.13 +
1.14 +- OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1.15 ++ {
1.16 ++ /*in case of DSA keys we should use EVP_dss1()*/
1.17 ++ const EVP_MD *evp_md;
1.18 ++ /*
1.19 ++ * - EVP_dss1 only or can be EVP_dss for some DSA keys ?
1.20 ++ * - should we use method EVP_PKEY_type() ?
1.21 ++ */
1.22 ++ evp_md = (rkey->type == EVP_PKEY_DSA) ? EVP_dss1() : EVP_sha1();
1.23 ++ OCSP_basic_sign(bs, rcert, rkey, evp_md, rother, flags);
1.24 ++ }
1.25 +
1.26 + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1.27 +