author: Rich Salz <rsalz@akamai.com> (2020-08-17 15:31:42 -0400)
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> (2020-08-27 20:03:39 +0200)
commit: 0495a3ec4ab463d5c08f4a4e85d0e3925e4602e7 (patch)
tree: 1c3d88d88b9a4d71e98f70d1e01b5f3738086edb /crypto/ocsp
parent: fcc3a5204c6daa0f0bbc1679ce1ce82fb767190d (diff)
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function. This is equivalent to X509_V_FLAG_PARTIAL_CHAIN, in that
if any certificate in the OCSP response is in the trust store, then
trust it.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12666)
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- crypto/ocsp/ocsp_vfy.c | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index adf4970d58..cf7602616f 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -38,6 +38,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, STACK_OF(X509) *chain = NULL; STACK_OF(X509) *untrusted = NULL; X509_STORE_CTX *ctx = NULL; + X509_VERIFY_PARAM *vp; int i, ret = ocsp_find_signer(&signer, bs, certs, flags); if (!ret) { @@ -85,6 +86,9 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); goto f_err; } + if ((flags & OCSP_PARTIAL_CHAIN) != 0 + && (vp = X509_STORE_CTX_get0_param(ctx)) != NULL) + X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN); X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(ctx); |
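Review bot: in the first hunk (@@ -38,6 +38,7 @@) `vp` is declared uninitialized at function scope but is only ever assigned inside the `&&` condition of the later hunk, so the read is correctly sequenced after the assignment; initializing it to NULL at the declaration (`X509_VERIFY_PARAM *vp = NULL;`) would make that intent explicit and guard against a future refactor that moves the use out of the condition. Since this view is limited to crypto/ocsp, the definition of OCSP_PARTIAL_CHAIN in the public OCSP header is not visible here; the reviewer should confirm it lands in the same change and that its bit value does not collide with the existing OCSP_* verify flags (OCSP_NOCHAIN, OCSP_TRUSTOTHER, OCSP_NOVERIFY and the others).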
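Review bot: in the second hunk (@@ -85,6 +86,9 @@) the flag is set on the store context's verify parameters after X509_STORE_CTX_init() and before X509_STORE_CTX_set_purpose() and X509_verify_cert(), which is the right place for it to take effect. The NULL check on X509_STORE_CTX_get0_param() is harmless because the fall-through is the stricter full-chain verification, so a failure there fails closed rather than open. What needs to be made clear to callers is the trust implication: with OCSP_PARTIAL_CHAIN, X509_V_FLAG_PARTIAL_CHAIN makes chain building stop at the first certificate found in the trust store, so a responder whose signing certificate, or any intermediate above it, is present in the store is accepted without reaching a self-signed root; every certificate placed in that store therefore acts as a full trust anchor for OCSP responses. The manual page for OCSP_basic_verify() should gain an entry for the new flag saying exactly that, and this change should be paired with a test that exercises the flag both set and unset against a responder certificate that is in the store but has no root.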