{
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
+ STACK_OF(X509) *untrusted = NULL;
X509_STORE_CTX ctx;
int i, ret = 0;
ret = ocsp_find_signer(&signer, bs, certs, st, flags);
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+ if (flags & OCSP_NOCHAIN) {
+ untrusted = NULL;
+ } else if (bs->certs && certs) {
+ untrusted = sk_X509_dup(bs->certs);
+ for (i = 0; i < sk_X509_num(certs); i++) {
+ if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+ }
+ } else {
+ untrusted = bs->certs;
+ }
+ init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
if (!init_res) {
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
end:
if (chain)
sk_X509_pop_free(chain, X509_free);
+ if (bs->certs && certs)
+ sk_X509_free(untrusted);
return ret;
}
projects / openssl.git / commitdiff