MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response
When calling OCSP_basic_verify to check the validity of the received
OCSP response, we need to provide an untrusted certificate chain as well
as an X509_STORE holding only trusted certificates. Since the
certificate chain and the issuer certificate are all provided by the
user, we assume that they are valid and we add them all to a temporary
store. This enables to focus only on the response's validity.
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index a969565..165c16c 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -728,16 +728,30 @@
goto end;
}
- /* Add ocsp issuer certificate to a store in order verify the ocsp
- * response. */
+ /* Create a temporary store in which we add the certificate's chain
+ * certificates. We assume that all those certificates can be trusted
+ * because they were provided by the user.
+ * The only ssl item that needs to be verified here is the OCSP
+ * response.
+ */
store = X509_STORE_new();
if (!store) {
memprintf(err, "X509_STORE_new() failed");
goto end;
}
- X509_STORE_add_cert(store, issuer);
+
+ if (chain) {
+ int i = 0;
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *cert = sk_X509_value(chain, i);
+ X509_STORE_add_cert(store, cert);
+ }
+ }
+
+ if (issuer)
+ X509_STORE_add_cert(store, issuer);
- if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+ if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
memprintf(err, "OCSP_basic_verify() failed");
goto end;
}