generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility

Browse Source
This commit is contained in:
Dr. Stephen Henson 2012-12-20 18:51:00 +00:00
parent 032b33059e
commit 0028a23b9f
1 changed files with 7 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
crypto/ocsp/ocsp_vfy.c
View File

@ -77,10 +77,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{ {
X509 *signer, *x; X509 *signer, *x;
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *tmpchain = NULL;
X509_STORE *tmpstore = NULL;
X509_STORE_CTX ctx; X509_STORE_CTX ctx;
int i, ret; int i, ret = 0;
ret = ocsp_find_signer(&signer, bs, certs, st, flags); ret = ocsp_find_signer(&signer, bs, certs, st, flags);
if (!ret) if (!ret)
{ {
@ -88,7 +86,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
goto end; goto end;
} }
if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
chain = certs; flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) if (!(flags & OCSP_NOSIGS))
{ {
EVP_PKEY *skey; EVP_PKEY *skey;
@ -104,59 +102,6 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
if (!(flags & OCSP_NOVERIFY)) if (!(flags & OCSP_NOVERIFY))
{ {
int init_res; int init_res;
/* If we trust the signer, we don't need to build a chain.
* (If the signer is a root certificate, X509_verify_cert()
* would fail anyway!)
*/
if (chain && chain == certs) goto verified_chain;
/* If we trust some "other" certificates, allow partial
* chains (because some of them might be
* Intermediate CA Certificates), put them in a store and
* attempt to build a trusted chain.
*/
if ((flags & OCSP_TRUSTOTHER) && (certs != NULL))
{
tmpstore = X509_STORE_new();
if (!tmpstore)
{
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
goto end;
}
for (i = 0; i < sk_X509_num(certs); i++)
{
X509 *xother = sk_X509_value(certs, i);
if (!X509_STORE_add_cert(tmpstore, xother))
{
ret = -1;
goto end;
}
}
init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL);
if (!init_res)
{
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
goto end;
}
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_PARTIAL_CHAIN);
ret = X509_verify_cert(&ctx);
if (ret == 1)
{
chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx);
X509_STORE_CTX_cleanup(&ctx);
goto verified_chain;
}
X509_STORE_CTX_cleanup(&ctx);
}
/* Attempt to build a chain up to a Root Certificate in the
* trust store provided by the caller.
*/
if(flags & OCSP_NOCHAIN) if(flags & OCSP_NOCHAIN)
init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
else else
@ -170,7 +115,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
ret = X509_verify_cert(&ctx); ret = X509_verify_cert(&ctx);
chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); chain = X509_STORE_CTX_get1_chain(&ctx);
X509_STORE_CTX_cleanup(&ctx); X509_STORE_CTX_cleanup(&ctx);
if (ret <= 0) if (ret <= 0)
{ {
@ -180,8 +125,6 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_verify_cert_error_string(i)); X509_verify_cert_error_string(i));
goto end; goto end;
} }
verified_chain:
if(flags & OCSP_NOCHECKS) if(flags & OCSP_NOCHECKS)
{ {
ret = 1; ret = 1;
@ -212,8 +155,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
end: end:
if(tmpchain) sk_X509_pop_free(tmpchain, X509_free); if(chain) sk_X509_pop_free(chain, X509_free);
if(tmpstore) X509_STORE_free(tmpstore);
return ret; return ret;
} }