/* ====================================================================
- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
{ERR_REASON(OCSP_R_NO_PUBLIC_KEY), "no public key"},
{ERR_REASON(OCSP_R_NO_RESPONSE_DATA), "no response data"},
{ERR_REASON(OCSP_R_NO_REVOKED_TIME), "no revoked time"},
+ {ERR_REASON(OCSP_R_NO_SIGNER_KEY), "no signer key"},
{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),
"private key does not match certificate"},
{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED), "request not signed"},
* 2000.
*/
/* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2000-2016 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
if (!ret) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto err;
+ goto end;
}
ctx = X509_STORE_CTX_new();
if (ctx == NULL) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto f_err;
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
skey = X509_get0_pubkey(signer);
- if (skey)
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- if (!skey || ret <= 0) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+ if (skey == NULL) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
goto err;
}
+ ret = OCSP_BASICRESP_verify(bs, skey, 0);
+ if (ret <= 0) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+ goto end;
+ }
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
for (i = 0; i < sk_X509_num(certs); i++) {
if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto f_err;
}
}
} else {
init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
if (!init_res) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
- goto err;
+ goto f_err;
}
X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(i));
- goto err;
+ goto end;
}
if (flags & OCSP_NOCHECKS) {
ret = 1;
}
ret = 1;
}
- goto end;
-
- err:
- ret = 0;
end:
X509_STORE_CTX_free(ctx);
sk_X509_pop_free(chain, X509_free);
if (bs->certs && certs)
sk_X509_free(untrusted);
return ret;
+ goto end;
+
+ err:
+ ret = 0;
+ goto end;
+ f_err:
+ ret = -1;
+ goto end;
}
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
projects / openssl.git / commitdiff