path: root/crypto/ocsp/ocsp_vfy.c
authorDr. Stephen Henson <steve@openssl.org>2001-01-17 01:31:34 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-01-17 01:31:34 +0000
commit81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch)
tree9c61e9161ee5332e99d091153a4cd242160b9180 /crypto/ocsp/ocsp_vfy.c
parenta068630a2038ff167d29cdaed828161719355531 (diff)
downloadopenssl-81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7.tar.gz
Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
Diffstat (limited to 'crypto/ocsp/ocsp_vfy.c')
-rw-r--r--crypto/ocsp/ocsp_vfy.c63
1 files changed, 59 insertions, 4 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 2ea3f4a923..6110825b19 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -68,13 +68,15 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
- X509 *signer;
- int ret;
+ X509 *signer, *x;
+ STACK_OF(X509) *chain = NULL;
+ X509_STORE_CTX ctx;
+ int i, ret = 0;
signer = ocsp_find_signer(bs, certs, st, flags);
if (!signer)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
+ goto end;
}
if(!(flags & OCSP_NOSIGS))
{
@@ -85,9 +87,62 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
if(ret <= 0)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- return 0;
+ goto end;
}
}
+ if(!(flags & OCSP_NOVERIFY))
+ {
+ if(flags & OCSP_NOCHAIN)
+ X509_STORE_CTX_init(&ctx, st, signer, NULL);
+ else
+ X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+
+ X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+ ret = X509_verify_cert(&ctx);
+ chain = X509_STORE_CTX_get1_chain(&ctx);
+ X509_STORE_CTX_cleanup(&ctx);
+ if (ret <= 0)
+ {
+ i = X509_STORE_CTX_get_error(&ctx);
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+ ERR_add_error_data(2, "Verify error:",
+ X509_verify_cert_error_string(i));
+ goto end;
+ }
+ if(flags & OCSP_NOCHECKS)
+ {
+ ret = 1;
+ goto end;
+ }
+ /* At this point we have a valid certificate chain
+ * need to verify it against the OCSP criteria.
+ */
+#if 0
+ if(ocsp_check_issuer(bs, chain, flags))
+ {
+ ret = 1;
+ goto end;
+ }
+#endif
+
+ /* Easy case: explicitly trusted. Get root CA and
+ * check for explicit trust
+ */
+ if(flags & OCSP_NOEXPLICIT) goto end;
+
+ x = sk_X509_value(chain, sk_X509_num(chain) - 1);
+ if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+ {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+ goto end;
+ }
+ ret = 1;
+ }
+
+
+
+ end:
+ if(chain) sk_X509_pop_free(chain, X509_free);
return 1;
}
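Review bot: The `end:` label returns the constant 1 on every path, so a missing signer, a failed signature check, a chain verification error and an untrusted root all report success to the caller; the cleanup should end with `return ret;`, since `ret` is initialised to 0 and only set to 1 on the successful paths. A second ordering problem in the same hunk: `X509_STORE_CTX_get_error(&ctx)` is read after `X509_STORE_CTX_cleanup(&ctx)`, so the error code should be fetched before the cleanup, e.g. `i = X509_STORE_CTX_get_error(&ctx);` placed directly after the `X509_verify_cert` call. Note also that with OCSP_NOEXPLICIT set the function jumps to `end` with ret still 0, which (once the return is fixed) makes that flag a hard failure rather than a skip — presumably a placeholder until the `#if 0` issuer check is enabled, and worth a comment such as `/* TODO: NOEXPLICIT currently fails verification until ocsp_check_issuer is implemented */`.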