MINOR: ssl: resolve ocsp_issuer later
The goal is to use the ckch to store data from PEM files or <payload> and
only for that. This patch adresses the ckch->ocsp_issuer case. It finds
issuers chain if no chain is present in the ckch in ssl_sock_put_ckch_into_ctx(),
filling the ocsp_issuer from the chain must be done after.
It changes the way '.issuer' is managed: it tries to load '.issuer' in
ckch->ocsp_issuer first and then look for the issuer in the chain later
(in ssl_sock_load_ocsp() ). "ssl-load-extra-files" without the "issuer"
parameter can negate extra '.issuer' file check.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 00793b7..14066d7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1404,9 +1404,9 @@
* successfully enabled, or -1 in other error case.
*/
#ifndef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{
- X509 *x = NULL, *issuer = NULL;
+ X509 *x, *issuer;
OCSP_CERTID *cid = NULL;
int i, ret = -1;
struct certificate_ocsp *ocsp = NULL, *iocsp;
@@ -1420,6 +1420,17 @@
goto out;
issuer = ckch->ocsp_issuer;
+ /* take issuer from chain over ocsp_issuer, is what is done historicaly */
+ if (chain) {
+ /* check if one of the certificate of the chain is the issuer */
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *ti = sk_X509_value(chain, i);
+ if (X509_check_issued(ti, x) == X509_V_OK) {
+ issuer = ti;
+ break;
+ }
+ }
+ }
if (!issuer)
goto out;
@@ -1520,7 +1531,7 @@
return ret;
}
#else /* OPENSSL_IS_BORINGSSL */
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
@@ -3291,7 +3302,6 @@
{
BIO *in = NULL;
int ret = 1;
- int i;
X509 *ca;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
@@ -3390,15 +3400,6 @@
SWAP(ckch->cert, cert);
SWAP(ckch->chain, chain);
- /* check if one of the certificate of the chain is the issuer */
- for (i = 0; i < sk_X509_num(ckch->chain); i++) {
- X509 *issuer = sk_X509_value(ckch->chain, i);
- if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
- ckch->ocsp_issuer = issuer;
- X509_up_ref(issuer);
- break;
- }
- }
ret = 0;
end:
@@ -3574,11 +3575,6 @@
ret = 1;
goto end;
}
- } else {
- memprintf(err, "%sNo issuer found, cannot use the OCSP response'.\n",
- err && *err ? *err : "");
- ret = 1;
- goto end;
}
}
}
@@ -3687,7 +3683,7 @@
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
/* Load OCSP Info into context */
if (ckch->ocsp_response) {
- if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
+ if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;