Use sk_*_new_null() instead of sk_*_new(NULL). That avoids getting
[openssl.git] / crypto / ocsp / ocsp_srv.c
index b83992896fcf75fd2fcc942a9c8b616fc75bee4a..5743f9c7544e1ee96629569e69b1052d99051c75 100644 (file)
@@ -206,14 +206,22 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
        int i;
        OCSP_RESPID *rid;
 
-       if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
+       if (!X509_check_private_key(signer, key))
+               {
+               OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                goto err;
+               }
 
-       for (i = 0; i < sk_X509_num(certs); i++)
+       if(!(flags & OCSP_NOCERTS))
                {
-               X509 *tmpcert = sk_X509_value(certs, i);
-               if(!OCSP_basic_add1_cert(brsp, tmpcert))
+               if(!OCSP_basic_add1_cert(brsp, signer))
+                       goto err;
+               for (i = 0; i < sk_X509_num(certs); i++)
+                       {
+                       X509 *tmpcert = sk_X509_value(certs, i);
+                       if(!OCSP_basic_add1_cert(brsp, tmpcert))
                                goto err;
+                       }
                }
 
        rid = brsp->tbsResponseData->responderId;
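Review bot: The new `X509_check_private_key(signer, key)` guard at the top of the hunk compares only the public material of the certificate and the key, so it catches a mismatched signer/key pair but does not show that `key` can actually sign. A short comment would make the intent explicit, for example `/* sanity check: signer cert must match key; fail before brsp is modified */`. Moving the `certs` loop inside `if(!(flags & OCSP_NOCERTS))` also means the flag now suppresses the extra certificates as well as the signer, which is worth stating in the flag's documentation for callers that relied on the old behaviour. As a style point, the guard is written `if (` with a space while the surrounding lines use `if(`. OCSP_basic_sign continues past the end of the hunk.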