kushal agrawal

Reputation: 61

How to get and extract signer's certificate in OCSP Response

I am trying to perform OCSP validation on a remote website's certificate. When I receive an OCSP validation response, I need to perform extendedKeyUsage "id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)" validation on the signer's certificate. But I am not able to find the signer's certificate in the OCSP response.

From https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2 (page 18):

The responder MAY include certificates in the certs field of BasicOCSPResponse that help the OCSP client verify the responder's signature.

But the Cert field in the BasicOCSPResponse is coming back empty. Is there some extension that I need to send to force the OCSPResponder to send the signer's certificate? Or am I looking in the wrong place? Can anyone please suggest how I can find the signer's certificate?

Upvotes: 1

Views: 1426

Answers (1)

kushal agrawal

Reputation: 61

My understanding of the OCSP Response was not correct. There are 3 options for which certificate could be the original signing certificate.

  1. The issuer certificate, which is part of the certificate chain - this is mostly the scenario.
  2. It could be one of the certificates available in the trust store.
  3. It could also come as part of the OCSPResponse, but this is not always required because it could be validated using the certificates from the above 2 options.

If the signing certificate is found using the 3rd criteria, it should match 2 criteria:

  1. It should have the extendedKeyUsage id-kp-OCSPSigning (OID 1.3.6.1.5.5.7.3.9), and
  2. The OCSPResponse signature should match the certificate.
  3. This certificate should be verified with the public key of the issuer certificate.

Upvotes: 0
