Add the -VAfile option to 'openssl ocsp'. This option will give the

client code certificates to use to only check response signatures. I'm not entirely sure if the way I just implemented the verification is the right way to do it, and would be happy if someone would like to review this.
2001-02-08 17:59:29 +00:00 · 2001-02-08 17:59:29 +00:00 · 9235adbf47
commit 9235adbf47
parent a71b5abfa4
2 changed files with 22 additions and 1 deletions
--- a/5
+++ b/5
@ -3,6 +3,11 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

+  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+     OCSP client a number of certificate to only verify the response
+     signature against.
+     [Richard Levitte]
+
  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
     Bleichenbacher's DSA attack.
     [Ulf Moeller, Bodo Moeller]
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -94,7 +94,9 @@ int MAIN(int argc, char **argv)
 	BIO *out = NULL;
 	int req_text = 0, resp_text = 0;
 	char *CAfile = NULL, *CApath = NULL;
+        char *VAfile = NULL;
 	X509_STORE *store = NULL;
+        STACK_OF(X509) *VAstore = NULL;
 	int ret = 1;
 	int badarg = 0;
 	int i;
@ -167,6 +169,15 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp (*args, "-VAfile"))
+			{
+			if (args[1])
+				{
+				args++;
+				VAfile = *args;
+				}
+			else badarg = 1;
+			}
 		else if (!strcmp (*args, "-CAfile"))
 			{
 			if (args[1])
@ -290,6 +301,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-path         path to use in OCSP request\n");
 		BIO_printf (bio_err, "-CApath dir   trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file  trusted certificates file\n");
+		BIO_printf (bio_err, "-VAfile file  validator certificates file\n");
 		BIO_printf (bio_err, "-noverify     don't verify response\n");
 		goto end;
 		}
@ -438,6 +450,8 @@ int MAIN(int argc, char **argv)
 	store = setup_verify(bio_err, CAfile, CApath);
 	if(!store) goto end;

+        if (VAfile) VAstore = load_certs(bio_err, VAfile, FORMAT_PEM);
+
 	bs = OCSP_response_get1_basic(resp);

 	if (!bs)
@ -454,7 +468,8 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}

-		i = OCSP_basic_verify(bs, NULL, store, 0);
+		i = OCSP_basic_verify(bs, VAstore, store, OCSP_TRUSTOTHER);
+                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);

 		if(i <= 0)
 			{
@ -475,6 +490,7 @@ end:
 	ERR_print_errors(bio_err);
 	X509_free(signer);
 	X509_STORE_free(store);
+        sk_X509_free(VAstore);
 	EVP_PKEY_free(key);
 	X509_free(issuer);
 	X509_free(cert);