Commit 4ca5efc2 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Make OCSP response verification more flexible. 



If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 86d20cb6

crypto/ocsp/ocsp_vfy.c

+17 −4
Original line number Diff line number Diff line
@@ -84,6 +84,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 
{

    X509 *signer, *x;

    STACK_OF(X509) *chain = NULL;

    STACK_OF(X509) *untrusted = NULL;

    X509_STORE_CTX ctx;

    int i, ret = 0;

    ret = ocsp_find_signer(&signer, bs, certs, st, flags);
@@ -108,10 +109,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 
    }

    if (!(flags & OCSP_NOVERIFY)) {

        int init_res;

        if (flags & OCSP_NOCHAIN)

            init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);

        else

            init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);

        if (flags & OCSP_NOCHAIN) {

            untrusted = NULL;

        } else if (bs->certs && certs) {

            untrusted = sk_X509_dup(bs->certs);

            for (i = 0; i < sk_X509_num(certs); i++) {

                if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {

                    OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);

                    goto end;

                }

            }

        } else {

            untrusted = bs->certs;

        }

        init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);

        if (!init_res) {

            ret = -1;

            OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
@@ -162,6 +173,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 
 end:

    if (chain)

        sk_X509_pop_free(chain, X509_free);

    if (bs->certs && certs)

        sk_X509_free(untrusted);

    return ret;

}