Why is it that bouncycastle needs the issuer certificate in order to check the OCSP status of a given certificate?

StackOverflow https://stackoverflow.com/questions/22505753

Question

Please excuse my ignorance, but I'm slowly making my way through the depths of using bouncycastle and cryptography at all.

I'm experimenting with OCSP and I'm trying to check the revocation status of a certificate using bouncycastle. I don't understand why bouncycastle needs the issuer certificate in order to do that. To build an OCSPReq I have to provide a CertificateID object which needs the issuer cert. What is the point? In my understanding all I need for an OCSP check is the certificate I'm checking and the URI of the OCSP responder... Please correct me if I'm wrong.

Thanks!


Solution

I don't know anything about the bouncycastle component, I am purely talking from the RFC point of view.

We need the issuer certificate for building the OCSP request (hash of issuer DN and hash of issuer public key); check RFC 2560, section 4.1.1:

Request         ::=     SEQUENCE {
    reqCert                     CertID,
    singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }

CertID          ::=     SEQUENCE {
    hashAlgorithm       AlgorithmIdentifier,
    issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash       OCTET STRING, -- Hash of Issuer's public key
    serialNumber        CertificateSerialNumber }
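The following is an added example, not code from the post above and not BouncyCastle's implementation: a stdlib-only Python encoder for the CertID structure the answer quotes. It makes the answer's point concrete by showing that two of the three identifying fields are hashes of data that only the issuer certificate carries: issuerNameHash covers the DER of the issuer's Name (the issuer field of the certificate being checked, which equals the issuer certificate's subject), and issuerKeyHash covers the raw bits of the issuer's subjectPublicKey, which the end certificate does not contain at all. The sample issuer name, key bits and serial number are constructed placeholders, not a real CA, and the function names are this example's own.

```python
"""RFC 2560 CertID built from the issuer certificate's data (added example,
not the post's or BouncyCastle's code). Sample data below is constructed."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"        # id-sha1, the digest OCSP responders commonly expect
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption, used only to shape the sample SPKI
CN_OID = "2.5.4.3"                # id-at-commonName


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


# --- minimal DER encoding/decoding, just enough for CertID ----------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with DER short/long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def der_integer(n: int) -> bytes:
    # One spare byte where needed keeps a positive serial from looking negative.
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:  # base-128, high bit set on every byte but the last
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the two issuer-derived fields of CertID ------------------------------

def issuer_public_key_bits(issuer_spki_der: bytes) -> bytes:
    """subjectPublicKey BIT STRING contents from the issuer's SubjectPublicKeyInfo.
    RFC 2560 4.1.1: issuerKeyHash covers only the key bits, not the whole
    SubjectPublicKeyInfo (no AlgorithmIdentifier, no BIT STRING tag/length)."""
    tag, seq, _ = der_read_tlv(issuer_spki_der)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _alg, pos = der_read_tlv(seq)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read_tlv(seq, pos)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]                            # drop the unused-bits count byte


def build_cert_id(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> bytes:
    """DER CertID. issuer_name_der is the DER Name of the issuer (the issuer field
    of the certificate being checked); issuer_spki_der comes only from the issuer
    certificate, which is why the end certificate alone is not enough."""
    return der_sequence(
        der_sequence(der_oid(SHA1_OID), b"\x05\x00"),                   # hashAlgorithm
        der_tlv(0x04, sha1(issuer_name_der)),                            # issuerNameHash
        der_tlv(0x04, sha1(issuer_public_key_bits(issuer_spki_der))),    # issuerKeyHash
        der_integer(serial),                                             # serialNumber
    )


def parse_cert_id(cert_id_der: bytes) -> dict:
    """Decode a CertID back into its fields, to inspect what was built."""
    _, seq, _ = der_read_tlv(cert_id_der)
    _, _alg, pos = der_read_tlv(seq)
    _, name_hash, pos = der_read_tlv(seq, pos)
    _, key_hash, pos = der_read_tlv(seq, pos)
    _, serial, _ = der_read_tlv(seq, pos)
    return {"issuerNameHash": name_hash, "issuerKeyHash": key_hash,
            "serialNumber": int.from_bytes(serial, "big")}


# --- constructed sample issuer data (placeholders, not a real CA) ---------
SAMPLE_ISSUER_NAME = der_sequence(  # Name: CN=Example Test CA
    der_tlv(0x31, der_sequence(der_oid(CN_OID), der_tlv(0x0C, b"Example Test CA"))))
SAMPLE_KEY_BITS = bytes(range(32))  # stand-in for real public key bytes
SAMPLE_ISSUER_SPKI = der_sequence(
    der_sequence(der_oid(RSA_OID), b"\x05\x00"),
    der_tlv(0x03, b"\x00" + SAMPLE_KEY_BITS))  # BIT STRING, 0 unused bits
SAMPLE_SERIAL = 0x1234ABCD

if __name__ == "__main__":
    cert_id = build_cert_id(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPKI, SAMPLE_SERIAL)
    print(cert_id.hex())
    print(parse_cert_id(cert_id))
```

The check worth keeping from this is the one in issuer_public_key_bits: hashing the whole SubjectPublicKeyInfo instead of the BIT STRING contents produces a CertID the responder will not recognise, which is a common cause of "unknown" OCSP answers when a CertID is assembled by hand rather than via a library's CertificateID constructor.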