author: Dr. Stephen Henson <steve@openssl.org> 2001-01-18 01:35:39 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2001-01-18 01:35:39 +0000
commit: e8af92fcb1c3ae1b19e697d58b2dace46ca08aa7
tree: 09857b6fe1ed2eaebe7409eb60b93ee079238006 /CHANGES
parent: 361ef5f4dc0a615b13d02f74e2b00b015b42be58
Implement remaining OCSP verify checks in
accordance with RFC2560.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 10
1 files changed, 10 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 569f8ce79d..dedd7c3287 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,16 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) Add additional OCSP certificate checks. These are those specified
+ in RFC2560. This consists of two separate checks: the CA of the
+ certificate being checked must either be the OCSP signer certificate
+ or the issuer of the OCSP signer certificate. In the latter case the
+ OCSP signer certificate must contain the OCSP signing extended key
+ usage. This check is performed by attempting to match the OCSP
+ signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
+ in the OCSP_CERTID structures of the response.
+ [Steve Henson]
+
*) Initial OCSP certificate verification added to OCSP_basic_verify()
and related routines. This uses the standard OpenSSL certificate
verify routines to perform initial checks (just CA validity) and
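Review bot: The phrase "This consists of two separate checks" in the new entry reads ambiguously, because the text after the colon describes one authorization rule with two accepted cases (the CA of the certificate is the OCSP signer itself, or the CA issued the OCSP signer and the signer carries the OCSP signing extended key usage). Consider "two cases" so readers do not look for a second, independent check. The entry also does not name the routine that performs the issuerNameHash/issuerKeyHash matching, while the entry below it names OCSP_basic_verify(), and it does not say what the outcome is when the OCSP_CERTID structures in one response do not all refer to the same issuer. A sentence on each would make the documented behaviour checkable against the code.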