Commit 9235adbf authored by Richard Levitte's avatar Richard Levitte

Add the -VAfile option to 'openssl ocsp'. This option will give the

client code certificates that are to be used only for checking response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.
parent a71b5abf
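--- a/<CHANGES-FILE PATH NOT SHOWN ON PAGE>
+++ b/<CHANGES-FILE PATH NOT SHOWN ON PAGE>
@@ -3,6 +3,11 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+     OCSP client a number of certificate to only verify the response
+     signature against.
+     [Richard Levitte]
+
   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
      Bleichenbacher's DSA attack.
      [Ulf Moeller, Bodo Moeller]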
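--- a/<OCSP-APP SOURCE PATH NOT SHOWN ON PAGE>
+++ b/<OCSP-APP SOURCE PATH NOT SHOWN ON PAGE>
@@ -94,7 +94,9 @@ int MAIN(int argc, char **argv)
 	BIO *out = NULL;
 	int req_text = 0, resp_text = 0;
 	char *CAfile = NULL, *CApath = NULL;
+        char *VAfile = NULL;
 	X509_STORE *store = NULL;
+        STACK_OF(X509) *VAstore = NULL;
 	int ret = 1;
 	int badarg = 0;
 	int i;
@@ -167,6 +169,15 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp (*args, "-VAfile"))
+			{
+			if (args[1])
+				{
+				args++;
+				VAfile = *args;
+				}
+			else badarg = 1;
+			}
 		else if (!strcmp (*args, "-CAfile"))
 			{
 			if (args[1])
@@ -290,6 +301,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-path         path to use in OCSP request\n");
 		BIO_printf (bio_err, "-CApath dir   trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file  trusted certificates file\n");
+		BIO_printf (bio_err, "-VAfile file  validator certificates file\n");
 		BIO_printf (bio_err, "-noverify     don't verify response\n");
 		goto end;
 		}
@@ -438,6 +450,8 @@ int MAIN(int argc, char **argv)
 	store = setup_verify(bio_err, CAfile, CApath);
 	if(!store) goto end;
 
+        if (VAfile) VAstore = load_certs(bio_err, VAfile, FORMAT_PEM);
+
 	bs = OCSP_response_get1_basic(resp);
 
 	if (!bs)
@@ -454,7 +468,8 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 
-		i = OCSP_basic_verify(bs, NULL, store, 0);
+		i = OCSP_basic_verify(bs, VAstore, store, OCSP_TRUSTOTHER);
+                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
 
 		if(i <= 0)
 			{
@@ -475,6 +490,7 @@ end:
 	ERR_print_errors(bio_err);
 	X509_free(signer);
 	X509_STORE_free(store);
+        sk_X509_free(VAstore);
 	EVP_PKEY_free(key);
 	X509_free(issuer);
 	X509_free(cert);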
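Review bot: The result of load_certs() in the fourth hunk is never checked, so an unreadable or empty -VAfile presumably leaves VAstore NULL and verification silently proceeds as if the option had not been given, which defeats the point of the user naming specific signer certificates; make the load mandatory once requested, `if (VAfile && !(VAstore = load_certs(bio_err, VAfile, FORMAT_PEM))) goto end;`. The retry in the fifth hunk, `if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);`, needs a comment stating which OCSP_basic_verify return values it is meant to recover from, since the first call's errors stay on the error queue and ERR_print_errors at `end:` will print them even when the retry succeeds (ERR_clear_error() before the retry if it is a normal path). The usage text `-VAfile file  validator certificates file` could state what the certificates are trusted for, e.g. `-VAfile file  certificates trusted to sign responses`. MAIN's body begins and ends outside every hunk.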