New OCSP response verify option OCSP_TRUSTOTHER
authorDr. Stephen Henson <steve@openssl.org>
Fri, 26 Jan 2001 01:55:52 +0000 (01:55 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 26 Jan 2001 01:55:52 +0000 (01:55 +0000)
CHANGES
crypto/ocsp/ocsp.h
crypto/ocsp/ocsp_vfy.c

diff --git a/CHANGES b/CHANGES
index 31f9a6e..4665120 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,11 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
+     passed by the function are trusted implicitly. If any of them signed the
+     reponse then it is assumed to be valid and is not verified.
+     [Steve Henson]
+
   *) Zero the premaster secret after deriving the master secret in
      DH ciphersuites.
      [Steve Henson]
index 0c643e1..ff81521 100644 (file)
@@ -85,6 +85,7 @@ extern "C" {
 #define OCSP_NOCASIGN                  0x40
 #define OCSP_NODELEGATED               0x80
 #define OCSP_NOCHECKS                  0x100
+#define OCSP_TRUSTOTHER                        0x200
 
 /*   CertID ::= SEQUENCE {
  *       hashAlgorithm            AlgorithmIdentifier,
index 8868c98..7470f1c 100644 (file)
@@ -59,7 +59,7 @@
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                X509_STORE *st, unsigned long flags);
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
@@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
        STACK_OF(X509) *chain = NULL;
        X509_STORE_CTX ctx;
        int i, ret = 0;
-       signer = ocsp_find_signer(bs, certs, st, flags);
-       if (!signer)
+       ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+       if (!ret)
                {
                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                goto end;
                }
+       if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+               flags |= OCSP_NOVERIFY;
        if (!(flags & OCSP_NOSIGS))
                {
                EVP_PKEY *skey;
@@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
        }
 
 
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                X509_STORE *st, unsigned long flags)
        {
        X509 *signer;
        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
        if ((signer = ocsp_find_signer_sk(certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 2;
+               }
        if(!(flags & OCSP_NOINTERN) &&
            (signer = ocsp_find_signer_sk(bs->certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 1;
+               }
        /* Maybe lookup from store if by subject name */
 
-       return NULL;
+       *psigner = NULL;
+       return 0;
        }