Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287
)
This commit is contained in:
parent
06cf4418cf
commit
e35e22e1d9
1 changed files with 17 additions and 4 deletions
|
@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
|
|||
{
|
||||
X509 *signer, *x;
|
||||
STACK_OF(X509) *chain = NULL;
|
||||
STACK_OF(X509) *untrusted = NULL;
|
||||
X509_STORE_CTX ctx;
|
||||
int i, ret = 0;
|
||||
ret = ocsp_find_signer(&signer, bs, certs, st, flags);
|
||||
|
@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
|
|||
}
|
||||
if (!(flags & OCSP_NOVERIFY)) {
|
||||
int init_res;
|
||||
if (flags & OCSP_NOCHAIN)
|
||||
init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
|
||||
else
|
||||
init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
|
||||
if (flags & OCSP_NOCHAIN) {
|
||||
untrusted = NULL;
|
||||
} else if (bs->certs && certs) {
|
||||
untrusted = sk_X509_dup(bs->certs);
|
||||
for (i = 0; i < sk_X509_num(certs); i++) {
|
||||
if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
|
||||
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
untrusted = bs->certs;
|
||||
}
|
||||
init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
|
||||
if (!init_res) {
|
||||
ret = -1;
|
||||
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
|
||||
|
@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
|
|||
end:
|
||||
if (chain)
|
||||
sk_X509_pop_free(chain, X509_free);
|
||||
if (bs->certs && certs)
|
||||
sk_X509_free(untrusted);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue