Hi,
    I am studying the verification of OCSP responses.
 
I find that the function OCSP_basic_verify() in ocsp_vfy.c can do this job.
It is mainly divided into 2 parts:
 
1. Use the public key of the response signer to verify the basic response.
2. Verify the certificate of the signer of the basic response.
 
And in step 1, it searches for the certificate of the signer according to the ResponderId in the basic response.
 
My question is: according to RFC2560, the signer of the OCSP response can be
   -- the CA who issued the certificate in question
   -- a Trusted Responder whose public key is trusted by the requester
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA
 
In cases 2 and 3, it seems OK, because the signer of the response is just the responder.
But in case 1, the signer is not the responder.
How can ocsp_find_signer(&signer, bs, certs, st, flags) find the certificate of the signer by the ResponderId alone?
I think this function will find the certificate of the responder, which may not be that of the signer.
 
Can somebody kindly explain to me why it is OK in case 3?
 
Thanks
 
Wjw
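
Added example (not part of the post above, and not OpenSSL project code): the RFC 2560 signer cases exercised end to end with the openssl(1) ocsp subcommand, whose client side calls OCSP_basic_verify(). What it shows is that the ResponderId, whether byName or byKey, identifies the key that actually produced the signature, so in case 1 the CA is the responder and ocsp_find_signer() locates the CA certificate; that a CA-designated responder (case 3) is matched just as well by key hash (-resp_key_id); that a CA-issued certificate without the OCSPSigning EKU is rejected even though its signature checks out; and that a trusted responder (case 2) only verifies once the client names it with -VAfile. It assumes openssl 1.1.1 or later on PATH; the CA, the certificate in question (serial 0x1001), the responder certificates, the index file and all names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSL itself.
# Drives the client-side check, OCSP_basic_verify(), via "openssl ocsp" for the
# RFC 2560 signer cases. Assumes openssl 1.1.1+ on PATH; every key, name,
# serial and file here is constructed for the demo.
set -e

W=${OCSP_DEMO_DIR:-$(mktemp -d)}   # scratch directory for keys, certs, responses

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$W/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
EOF
}

# selfsigned NAME SUBJECT EXTSECTION: key + self-signed cert
selfsigned() {
  openssl req -x509 -config "$W/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$W/$1.key" -out "$W/$1.pem" -subj "$2" -extensions "$3" >/dev/null 2>&1
}

# issued NAME SUBJECT EXTSECTION SERIAL: key + cert issued by the demo CA
issued() {
  openssl req -new -config "$W/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$W/$1.key" -out "$W/$1.csr" -subj "$2" >/dev/null 2>&1
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -set_serial "$4" -days 30 -extfile "$W/demo.cnf" -extensions "$3" \
    -out "$W/$1.pem" >/dev/null 2>&1
}

setup_pki() {
  write_config
  selfsigned ca      "/CN=Example Test CA"        ca_ext
  issued     leaf    "/CN=leaf.example"           leaf_ext 0x1001  # cert in question
  issued     ocsp    "/CN=Example OCSP Responder" ocsp_ext 0x1002  # case 3: designated responder
  selfsigned trusted "/CN=Trusted Responder"      ocsp_ext         # case 2: unrelated to the CA
  # CA index in "openssl ca" format: serial 1001 is valid (V).
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=leaf.example\n' > "$W/index.txt"
}

# sign_response SIGNER OUTFILE [ocsp args]: responder side, answers for leaf.pem.
# The signer cert is embedded in the response, so ocsp_find_signer() can use it.
sign_response() {
  signer=$1; out=$2; shift 2
  openssl ocsp -index "$W/index.txt" -CA "$W/ca.pem" \
    -rsigner "$W/$signer.pem" -rkey "$W/$signer.key" -rmd sha256 \
    -issuer "$W/ca.pem" -cert "$W/leaf.pem" -no_nonce -noverify \
    -respout "$out" "$@" >/dev/null 2>&1
}

# verify_response RESPFILE [ocsp args]: client side; prints OK or FAIL depending
# on whether OCSP_basic_verify() accepted the response against ca.pem.
verify_response() {
  resp=$1; shift
  if openssl ocsp -respin "$resp" -issuer "$W/ca.pem" -cert "$W/leaf.pem" \
       -no_nonce -CAfile "$W/ca.pem" "$@" 2>&1 | grep -q 'Response verify OK'
  then echo OK; else echo FAIL; fi
}

case_ca()               { sign_response ca      "$W/r1.der"; verify_response "$W/r1.der"; }
case_delegated()        { sign_response ocsp    "$W/r3.der" -resp_key_id; verify_response "$W/r3.der"; }
case_trusted_implicit() { sign_response trusted "$W/r2.der"; verify_response "$W/r2.der"; }
case_trusted_explicit() { sign_response trusted "$W/r2.der"; verify_response "$W/r2.der" -VAfile "$W/trusted.pem"; }
case_bad_delegate()     { sign_response leaf    "$W/r4.der"; verify_response "$W/r4.der"; }

setup_pki
printf 'case 1, CA signs directly (ResponderId byName):       %s\n' "$(case_ca)"
printf 'case 3, designated responder (ResponderId byKey):     %s\n' "$(case_delegated)"
printf 'case 2, trusted responder, client not told:           %s\n' "$(case_trusted_implicit)"
printf 'case 2, trusted responder via -VAfile:                %s\n' "$(case_trusted_explicit)"
printf 'CA-issued signer without OCSPSigning EKU (rejected):  %s\n' "$(case_bad_delegate)"
```

Run it with sh; a line reports OK exactly when openssl prints "Response verify OK", i.e. when the signature check, the chain build and the issuer/delegation tests in ocsp_check_issuer() all pass. The -VAfile run passes for a different reason: the app sets OCSP_TRUSTOTHER, ocsp_find_signer() then reports the signer as coming from the explicitly supplied list (return value 2), and OCSP_basic_verify() switches on OCSP_NOVERIFY so no chain is built at all. That is the "trusted by the requester" relationship of case 2 expressed in code, and it is also why a client must be careful about what it puts in that list.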
 
 
