OCSPRequest throws exception when certificate's algorithm is MD5

Aug 13, 2015 at 9:29 AM
Edited Aug 13, 2015 at 9:44 AM

This file's certificate of counter signer has been signed with MD5 algorithm and when I try to call OCSPRequest, the exception occurs with the message "Issuer for the speified certificate not found."

I extracted certificate(X509Certificate2) of counter signer by refering this link.
var signedCms = new SignedCms();

foreach (var signerInfo in signedCms.SignerInfos)
    foreach (var unsignedAttribute in signerInfo.UnsignedAttributes)
        if (unsignedAttribute.Oid.Value != szOID_RSA_counterSign) continue;
        foreach (var counterSignInfo in signerInfo.CounterSignerInfos)
            counterCertificate = counterSignInfo.Certificate;   // Certificate of counter signer
I looked into the source code and found that CertID::m_initialize(X509Certificate2 cert) in PKI.OCSP.CertID.cs regards that the algorithm is always SHA1. I think this made exception but not sure.

I used current version of module (3.1.0) and the version of the source code I looked into is 3.1.0, too.

What should I do?
Aug 13, 2015 at 6:38 PM
The error is raised because issuer certificate for the signer certificate is not found. CertID structure requires some extra information that exists only in the issuer certificate. Internally, the CertID constructor attempts to build certificate chain to find issuer certificate and collect required data.

as a workaround, you need to install issuer certificate to the Intermediate CAs container in certificate store.
Aug 17, 2015 at 5:43 AM
OK, I installed issuer certificate and request instance has successfully created.

But now I'm receiving unsatisfying response. I got following HttpHeaders and ResponseStatus is "Unauthorized". The rest properties are filled with default value like "false" or "null", etc...
-       response    {PKI.OCSP.OCSPResponse} PKI.OCSP.OCSPResponse
 +      HttpHeaders {content-transfer-encoding: binary
Proxy-Connection: keep-alive
Accept-Ranges: none
Content-Length: 5
Content-Type: application/ocsp-response
Date: Mon, 17 Aug 2015 05:34:54 GMT
Server: nginx/1.4.7
}   System.Net.WebHeaderCollection
Did my request delivered with no mistakes? My code was like below.
                    OCSPRequest request = new OCSPRequest(_mainCert, new Uri(url));
                    OCSPResponse response = request.SendRequest();
                    switch (response.Responses[0].CertStatus)
                        case CertificateStatus.Good:
                            return true;
                        case CertificateStatus.Revoked:
                            AddCertNote("Not avaliable.");
                catch (System.Exception ex)

Thank you for your help, @Camelot.
Aug 23, 2015 at 8:32 AM
Unauthorized response status means that this OCSP server is not authoritative for this particular issuer and have no information about revocation status.
Aug 26, 2015 at 5:32 AM
That's strange. I checked its Authority Info Access points "http://ocsp.sign.com" and made new OCSPRequest with X509Certificate2 and URI.
Would you mind if I ask you to make OCSPRequest with counter signer's certificate of the file(MSCOMCTL.OCX)? I think I missed something...
Sep 6, 2015 at 7:37 AM
I checked AIA extension of signing and counter-signer certificates in the MSCOMCTL.OCX file signature. Neither certificate contains OCSP URLs. Where did you get it?