Hi Steve,
 
   Thank you. Let me ask more :^)
 
    I am reading the function:
 
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
    X509_STORE *st, unsigned long flags)  in ocsp_vfy.c.
 
I notice that it is possible that the certificate of the signer of the OCSP response is not in bs->certs,
say, the return value of ocsp_find_signer() is 2.
And all the certificates in the local client stack cannot be trusted except the local root certificate.
So I think there may be only one root certificate in the certificate STORE while the other certificates are in the local certificate stack in the local client.
 
And it is even possible that bs->certs is NULL, because attaching the certificates to the OCSP response is optional.
 
 
In this case, how can OpenSSL verify the OCSP response?
How is the chain to be verified set up, if
1. the OCSP response signer certificate is NOT in bs->certs,
2. bs->certs is NULL,
3. the local certificates can NOT be trusted EXCEPT the root certificate in the store?
 
 
Because I think that in the function X509_verify_cert(), it only searches ctx->untrusted and the certificate STORE to set up the untrusted certificate chain to be verified.
And ctx->untrusted is set in the function X509_STORE_CTX_init() by ctx->untrusted=chain;
And the variable chain is set in OCSP_basic_verify() by init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
 
I do not find any searching of the local stack.
 
So I wonder why it does NOT search both the local stack and bs->certs when setting up the untrusted certificate chain?
 
 
Thanks and regards,
wjw

----- Original Message -----
Sent: Monday, June 02, 2003 8:32 PM
Subject: Re: about certificate verifying

On Mon, Jun 02, 2003, Wu Junwei wrote:

> Hi all,
>
>     I have a question about certificate verifying.
>     I know OpenSSL has provided X509_verify_cert() to do this.
> And I should use X509_STORE_CTX_init() to do the initialization work.
> But I now have only the certificate stack and no store exists.
>
> So can I use X509_STORE_CTX_init(&ctx, NULL, signer, bs->certs) to do the
> initialization work?
> Is there any problem if I use NULL in place of the store?
>

Yes, only one problem: it won't work :-)

The certificate STACK in that function supplies a set of untrusted
certificates which will be used in path building, for example intermediate
CAs.

The X509_STORE contains a set of trusted CAs.

For a verify to work at least one trusted CA must be in the path, so if you
have no trusted CAs it won't verify.

Actually it might crash if X509_STORE is NULL...

> And should I call this function in x509_vfy.c ?
>
> /* Set alternative lookup method: just a STACK of trusted certificates.
>  * This avoids X509_STORE nastiness where it isn't needed.
>  */
> void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
> {
>  ctx->other_ctx = sk;
>  ctx->get_issuer = get_issuer_sk;
> }
>

Yes, that function is probably the best to use.

Alternatively you can add the certificates one at a time to an X509_STORE using
X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
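The trusted-store versus untrusted-stack split discussed above, as an added example that is not part of this thread and not OpenSSL's own code. It drives the openssl command-line tool, whose options map onto the API arguments in question: -CAfile fills the X509_STORE (st), -untrusted fills ctx->untrusted, -verify_other is the `certs` argument of OCSP_basic_verify(), -trust_other sets OCSP_TRUSTOTHER, and -resp_no_certs produces a response with no bs->certs. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the names root, intermediate, leaf and responder, the extension profiles and the one-line index.txt are all constructed here. It also assumes the behaviour of current releases, where the -verify_other certificates are used as untrusted chain certificates alongside anything in the response; the last three runs show the signer being found locally while the response itself carries no certificates.

```sh
#!/bin/sh
# Added example (not from the thread): build a tiny PKI with the openssl CLI and
# show which certificates the verifier takes from the trusted X509_STORE
# (-CAfile) and which from the untrusted stack (-untrusted / -verify_other).
# Assumes an `openssl` binary (1.1.1 or 3.x) on PATH; everything else is
# generated here in a scratch directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles (constructed) for the three kinds of certificate issued below.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
[ocsp]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=OCSPSigning
EOF

q() { "$@" >/dev/null 2>&1; }   # run an openssl command silently

# newkey NAME: fresh RSA key and CSR for NAME.
newkey() {
  q openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key"
  q openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr"
}

# issue NAME ISSUER SECTION: certificate for NAME signed by ISSUER, extensions from SECTION.
issue() {
  newkey "$1"
  q openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions "$3" -out "$1.pem"
}

newkey root
q openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ext.cnf -extensions ca -out root.pem      # the single trusted root
issue intermediate root ca
issue leaf intermediate leaf
issue responder intermediate ocsp   # delegated OCSP signer, issued by the leaf's CA

# verify_leaf [extra args]: X509_verify_cert() via the CLI; prints OK or FAIL.
# -CAfile feeds the X509_STORE, -untrusted feeds the ctx->untrusted stack.
verify_leaf() {
  if q openssl verify -CAfile root.pem "$@" leaf.pem; then echo OK; else echo FAIL; fi
}

# Produce an OCSP response for the leaf that deliberately carries NO certificates
# (-resp_no_certs), i.e. bs->certs is absent. The CA database is a one-line
# index.txt in the ca(1) format: status, expiry, revocation date, serial, file, DN.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
printf 'V\t400101000000Z\t\t%s\tunknown\t/CN=leaf\n' "$SERIAL" > index.txt
q openssl ocsp -index index.txt -CA intermediate.pem -rsigner responder.pem \
  -rkey responder.key -issuer intermediate.pem -cert leaf.pem -no_nonce \
  -resp_no_certs -noverify -respout resp.der

# ocsp_verify [extra args]: OCSP_basic_verify() via the CLI; prints OK or FAIL.
# -CAfile is the X509_STORE argument, -verify_other the `certs` argument.
ocsp_verify() {
  if q openssl ocsp -respin resp.der -issuer intermediate.pem -cert leaf.pem \
       -no_nonce -CAfile root.pem "$@"; then echo OK; else echo FAIL; fi
}
cat responder.pem intermediate.pem > local.pem   # the "local stack": signer plus its issuer

# Demonstration runs; each prints OK or FAIL.
verify_leaf -untrusted intermediate.pem              # OK: intermediate found in the untrusted stack
verify_leaf                                          # FAIL: nobody supplies the intermediate
ocsp_verify -verify_other local.pem                  # OK: signer + intermediate from certs, root from the store
ocsp_verify -verify_other responder.pem              # FAIL: signer found, but no chain to the root
ocsp_verify -verify_other responder.pem -trust_other # OK: local signer trusted as-is, no chain built
```

The second OCSP run is the situation the question describes: the signer is found in the local stack, the response has no certificates, and the store holds only the root, so the chain from signer to root cannot be completed unless the intermediate is supplied somewhere the chain builder looks. The third run is Steve's X509_STORE_CTX_trusted_stack()-style answer in CLI form: the local certificates are treated as trusted, so no chain is built at all.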
