Make OCSP response verification more flexible.

If a set of certificates is supplied to OCSP_basic_verify, use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
Dr. Stephen Henson 2015-03-22 17:34:56 +00:00
parent 117476ba30
commit d635f4bb36


@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{ {
X509 *signer, *x; X509 *signer, *x;
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *untrusted = NULL;
X509_STORE_CTX ctx; X509_STORE_CTX ctx;
int i, ret = 0; int i, ret = 0;
ret = ocsp_find_signer(&signer, bs, certs, st, flags); ret = ocsp_find_signer(&signer, bs, certs, st, flags);
@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
} }
if (!(flags & OCSP_NOVERIFY)) { if (!(flags & OCSP_NOVERIFY)) {
int init_res; int init_res;
if (flags & OCSP_NOCHAIN) if (flags & OCSP_NOCHAIN) {
init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); untrusted = NULL;
else } else if (bs->certs && certs) {
init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); untrusted = sk_X509_dup(bs->certs);
for (i = 0; i < sk_X509_num(certs); i++) {
if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
goto end;
}
}
} else {
untrusted = bs->certs;
}
init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
if (!init_res) { if (!init_res) {
ret = -1; ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
end: end:
if (chain) if (chain)
sk_X509_pop_free(chain, X509_free); sk_X509_pop_free(chain, X509_free);
if (bs->certs && certs)
sk_X509_free(untrusted);
return ret; return ret;
} }
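Review bot: The `goto end` on the sk_X509_push failure in the second hunk leaves `ret` untouched, whereas the neighbouring init_res failure path sets `ret = -1` first; since `ret` holds the result of ocsp_find_signer (and, presumably, the signature check in the lines between the hunks, which are not visible here) it is most likely still positive at that point, so an allocation failure while building the untrusted stack could be reported to the caller as a successful verification. The one-line fix is to mirror the path below it: `ret = -1;` immediately before that `goto end;`. The result of `sk_X509_dup(bs->certs)` is also used without a NULL check; the push would then fail and take the same path, so it deserves an explicit `if (untrusted == NULL) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); goto end; }` rather than relying on the push's handling of a NULL stack. Separately, the final `else { untrusted = bs->certs; }` branch means that when the response carries no certificates but the caller supplied `certs`, the supplied set is not used as untrusted CAs at all, which reads as narrower than the commit message intends; an `else if (certs) untrusted = certs;` branch before it would cover that case without changing the ownership rule that the cleanup at `end:` relies on.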