Hi, all
I am studying the verification of the OCSP response in OpenSSL v0.9.7b.
I find that in ocsp_find_signer() in ocsp_vfy.c, there is no search in the
X509 STORE for the signer certificate of the OCSP response.
(There is a comment that says /* Maybe lookup from store if by subject name */)
Question 1:
If there is a trusted X509 store existing, should I search for the signer
certificate in the X509_STORE?
Because it is possible the response is directly signed by the
certificate which can be trusted.
If I can find the signer certificate of the OCSP response, then I can only
verify the response by the trusted certificate while ignoring verifying the
certificate itself.
Am I right?
Question 2:
And if I search for the signer certificate in the store, which should I
compare?
The EVP_PKEY *pkey; in X509_object or
the X509_PUBKEY *key; in X509 in X509_object?
Thanks in advance.
wjw
