It seems that OCSP_basic_verify(bs, certs, st, flags) unfortunately is
not documented, but from its code it becomes clear that the "certs"
parameter is meant to be a set of untrusted certificates, which is first
used (together with bs->certs) to determine the signer cert of the OCSP
response "bs" and then is partly(!) used to construct the chain of certs
towards a trusted (root) cert in the store passed in the "st" parameter.
>> OCSP responses do not seem to include the intermediate certificates so they
>> have to be acquired in other ways. I have been doing this and adding them
>> to the certificate stack handed to OCSP_basic_verify().
> Perhaps adding them to X509_STORE or STORE_CTX directly?
This does not work because OCSP_basic_verify(bs, certs, st, flags)
produces its own internal X509_STORE_CTX:
init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
where the "st" parameter is taken as the trusted store, while the set of
untrusted certs cannot be directly set by the caller.
>> I am relatively new to this so I may be incorrect; however, it seems to me
>> that the certificates in the cert argument should be added to the
> If you need to add certificates to validate a chain, it seems safer to explicitly add them to the store, not implicitly.
As long as the OCSP response pointed to by "bs" includes a non-NULL
bs->certs field, OCSP_basic_verify() takes the union of any certs in the
"certs" parameter and in bs->certs as untrusted certs for chain
construction, but if bs->certs is NULL, i.e. when the OCSP responder did
not include any certs in its response, for some reason OCSP_basic_verify()
does not take "certs" but bs->certs, which corresponds to the empty set.
As long as a fix is not yet available, one can use the following:
X509 *dummy = X509_new();
OCSP_basic_verify(bs, certs, st, flags);
openssl-dev mailing list