moxie0 / sslsniff

A tool for automated MITM attacks on SSL connections.

OCSP Denier: invalid ASN.1 syntax for OCSPResponse #18

Open droe opened 12 years ago

droe commented 12 years ago

OCSPDenier::ocspResponse in http/OCSPDenier.cpp contains a syntactically invalid OCSP response. OCSPResponse according to RFC 2560:

4.2.1  ASN.1 Specification of the OCSP Response

   An OCSP response at a minimum consists of a responseStatus field
   indicating the processing status of the prior request. If the value
   of responseStatus is one of the error conditions, responseBytes are
   not set.

   OCSPResponse ::= SEQUENCE {
      responseStatus         OCSPResponseStatus,
      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

   OCSPResponseStatus ::= ENUMERATED {
       successful            (0),  --Response has valid confirmations
       malformedRequest      (1),  --Illegal confirmation request
       internalError         (2),  --Internal error in issuer
       tryLater              (3),  --Try again later
                                   --(4) is not used
       sigRequired           (5),  --Must sign the request
       unauthorized          (6)   --Request unauthorized
   }
[...]

So instead of the string "3", the HTTP response body should contain an ASN.1 SEQUENCE, containing an ENUMERATED with the value 0x03 to be a valid OCSP response, which is a total of 5 bytes in the case of tryLater (responseBytes is not needed).

Incidentally, clients seem to ignore ASN.1 syntax errors in OCSP responses, so fixing this might not actually change client behaviour for many OCSP client implementations.
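The 5-byte encoding described above, as an added example that is not part of sslsniff or of this issue: a DER encoder for the responseBytes-less OCSPResponse form and a strict decoder that rejects a body such as the ASCII string "3". The names encodeErrorResponse, decodeResponseStatus and isWellFormedErrorResponse are assumptions introduced here, not sslsniff's API; the decoder deliberately handles only the short, error-only form (a response carrying responseBytes would need long-form length handling that is out of scope for this issue).

```cpp
// Added example, not sslsniff's code.  Builds and checks the minimal
// OCSPResponse that RFC 2560 section 4.2.1 requires for an error status.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// DER universal tags used by a minimal OCSPResponse.
constexpr uint8_t kTagSequence   = 0x30;  // SEQUENCE, constructed
constexpr uint8_t kTagEnumerated = 0x0A;  // ENUMERATED

// OCSPResponseStatus from RFC 2560 section 4.2.1; value 4 is unassigned.
enum class OcspStatus : uint8_t {
    successful = 0,
    malformedRequest = 1,
    internalError = 2,
    tryLater = 3,
    sigRequired = 5,
    unauthorized = 6,
};

// Encode OCSPResponse { responseStatus } with responseBytes absent, which is
// the only legal shape for an error status.  Every assigned status fits in
// one ENUMERATED content byte, so the whole response is exactly 5 bytes:
//   30 03        SEQUENCE, length 3
//      0A 01 xx  ENUMERATED, length 1, value xx
std::vector<uint8_t> encodeErrorResponse(OcspStatus status) {
    return {kTagSequence, 0x03, kTagEnumerated, 0x01,
            static_cast<uint8_t>(status)};
}

// Strict decoder for the error-only form.  Throws on any DER syntax error,
// which is what a conforming client should do with a body such as "3"
// (a single ASCII byte 0x33 that is not even a valid tag/length/value).
OcspStatus decodeResponseStatus(const std::vector<uint8_t>& der) {
    if (der.size() < 5)
        throw std::runtime_error("too short to be an OCSPResponse");
    if (der[0] != kTagSequence)
        throw std::runtime_error("outer element is not a SEQUENCE");
    if (der[1] & 0x80)
        throw std::runtime_error("long-form length: not the error-only form");
    if (der[1] != der.size() - 2)
        throw std::runtime_error("SEQUENCE length does not match body");
    if (der[2] != kTagEnumerated || der[3] != 0x01)
        throw std::runtime_error("responseStatus is not a one-byte ENUMERATED");
    if (der.size() != 5)
        throw std::runtime_error("trailing data after responseStatus");
    switch (der[4]) {
        case 0: case 1: case 2: case 3: case 5: case 6:
            return static_cast<OcspStatus>(der[4]);
        default:
            throw std::runtime_error("unassigned OCSPResponseStatus value");
    }
}

// Does the body parse as an error-only OCSPResponse at all?
bool isWellFormedErrorResponse(const std::vector<uint8_t>& body) {
    try {
        (void)decodeResponseStatus(body);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // What the HTTP body should carry for tryLater: 30 03 0a 01 03
    const std::vector<uint8_t> good = encodeErrorResponse(OcspStatus::tryLater);
    for (uint8_t b : good) std::printf("%02x ", b);
    std::printf("(%zu bytes)\n", good.size());

    // What the current OCSPDenier sends: the ASCII string "3".
    const std::vector<uint8_t> bad{'3'};
    std::printf("\"3\" well-formed: %s\n",
                isWellFormedErrorResponse(bad) ? "yes" : "no");
    std::printf("tryLater well-formed: %s\n",
                isWellFormedErrorResponse(good) ? "yes" : "no");
    return 0;
}
```

The decoder is intentionally stricter than most real clients, which (as noted above) tend to tolerate syntax errors here; its value is in showing exactly which byte of the 5-byte form each check corresponds to.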

droe commented 12 years ago

This can be tested using OpenSSL as follows, where sslsniff is listening on port 10080:

% openssl ocsp -issuer ca.crt -serial 1234 -url http://127.0.0.1:10080/ocsp
Error querying OCSP responder

Which is a client-local error. It should show Responder Error: trylater (3) if it received a tryLater from the OCSP server.