Hi Steve,
Thank you. Let me ask more :^)

I am reading the function

    int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                          X509_STORE *st, unsigned long flags)

in ocsp_vfy.c. I notice that it is possible that the certificate of the signer of the OCSP response is not in bs->certs, i.e. the return value of ocsp_find_signer() is 2. And all the certificates in the local client stack cannot be trusted except the local root certificate. So I think there may be only one root certificate in the certificate STORE while the other certificates are in the local certificate stack of the client. It is even possible that bs->certs is NULL, because attaching the certificates to the OCSP response is optional.

In this case, how can OpenSSL verify the OCSP response? How is the chain to be verified set up, if
1. the OCSP response signer certificate is NOT in bs->certs,
2. bs->certs is NULL, and
3. the local certificates can NOT be trusted EXCEPT the root certificate in the store?

Because I think the function X509_verify_cert() only searches ctx->untrusted and the certificate STORE to set up the untrusted certificate chain to be verified. And ctx->untrusted is set in the function X509_STORE_CTX_init() by ctx->untrusted = chain; and the variable chain is set in OCSP_basic_verify() by

    init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);

I do not find any search of the local stack. So I wonder: why does it NOT search both the local stack and bs->certs when setting up the untrusted certificate chain?

Thanks and regards,
wjw
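The scenario asked about above, reproduced with the openssl(1) command-line tool as an added example (this script is not from the thread and not OpenSSL's own code). It builds a small hierarchy root -> issuing CA -> {leaf, delegated OCSP responder}, produces a response that carries no certificates at all (so bs->certs is absent), puts only the root into the trust store (-CAfile, the X509_STORE argument), and supplies the responder certificate and the intermediate as a local untrusted stack (-verify_other, which the ocsp app passes as the certs argument of OCSP_basic_verify()). Subjects, file names and serial numbers are invented for the script; it assumes an openssl binary from a current release (1.1.1 or 3.x) on PATH and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. It rebuilds the
# situation described in the mail with the openssl(1) tool:
#   - the OCSP response carries NO certificates (bs->certs is absent),
#   - the trust store (X509_STORE, -CAfile) holds only the root,
#   - the intermediate and the delegated responder certificate exist only in a
#     local, untrusted stack (-verify_other -> the `certs` argument of
#     OCSP_basic_verify()).
# All subjects, file names and serials below are made up for this script.
set -u

new_key_and_csr() {   # $1 = base name, $2 = subject
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# Hierarchy: root -> issuing CA -> { leaf, OCSP responder (OCSPSigning EKU) }.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
    new_key_and_csr root  "/CN=Example Root"           || return 1
    new_key_and_csr inter "/CN=Example Issuing CA"     || return 1
    new_key_and_csr leaf  "/CN=leaf.example"           || return 1
    new_key_and_csr ocsp  "/CN=Example OCSP Responder" || return 1
    openssl x509 -req -in root.csr  -signkey root.key -extfile ca.ext   -set_serial 1      -days 2 -out root.pem  >/dev/null 2>&1 || return 1
    openssl x509 -req -in inter.csr -CA root.pem  -CAkey root.key  -extfile ca.ext   -set_serial 2      -days 2 -out inter.pem >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf.csr  -CA inter.pem -CAkey inter.key -extfile leaf.ext -set_serial 0x1001 -days 2 -out leaf.pem  >/dev/null 2>&1 || return 1
    openssl x509 -req -in ocsp.csr  -CA inter.pem -CAkey inter.key -extfile ocsp.ext -set_serial 0x1002 -days 2 -out ocsp.pem  >/dev/null 2>&1 || return 1
    # What the client has on disk but does not trust: responder cert + intermediate.
    cat ocsp.pem inter.pem > local_stack.pem
}

# Produce a response for the leaf with the index-file responder mode of
# `openssl ocsp`; -resp_no_certs leaves the certificate list out of the response.
make_response() {
    # openssl ca/ocsp index format (tab separated):
    # status  expiry  revocation-date  serial(hex)  filename  subject
    printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt
    echo 'unique_subject = yes' > index.txt.attr
    openssl ocsp -issuer inter.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    [ -s req.der ] || return 1
    openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
        -reqin req.der -respout resp.der -resp_no_certs >/dev/null 2>&1
    [ -s resp.der ] || return 1
}

# Verify resp.der with root.pem as the only trusted certificate plus whatever
# extra options are given. Returns 0 only if the ocsp app reports success.
verify_response() {
    out=$(openssl ocsp -respin resp.der -CAfile root.pem "$@" 2>&1 || true)
    case $out in
        *"Response verify OK"*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Returns 0 when the three cases behave as expected:
#  1. nothing local: the signer certificate cannot be found anywhere;
#  2. only the responder cert local: signer found, but its issuer is in
#     neither bs->certs nor the store, so chain building fails;
#  3. responder + intermediate local: the untrusted list handed to
#     X509_STORE_CTX_init() is built from both bs->certs and the local stack
#     (current OpenSSL behaviour, assumed here), so the chain reaches the
#     root in the store and verification passes.
ocsp_demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    build_pki && make_response || return 1
    if verify_response; then
        echo "case 1: unexpectedly verified with no local certs"; return 1
    fi
    if verify_response -verify_other ocsp.pem; then
        echo "case 2: unexpectedly verified without the intermediate"; return 1
    fi
    if ! verify_response -verify_other local_stack.pem; then
        echo "case 3: did not verify with responder+intermediate as the local stack"; return 1
    fi
    echo "all three cases behaved as expected (work dir: $dir)"
}

ocsp_demo
```

Case 1 is the "signer certificate not found" situation: with bs->certs absent and no local stack there is nothing for ocsp_find_signer() to search. Case 2 shows that finding the signer locally is not enough on its own; the issuer still has to come from somewhere, and a store holding only the root cannot supply the intermediate. Case 3 is the configuration the mail asks for, and it is the reason the -verify_other stack has to contain the whole untrusted part of the responder's chain, not just the responder certificate.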