Hi, Steve,
On this issue, I'd like to ask more about the OCSP verifying case.

If I have to insert all the certificates of the chain (my understanding is from the ROOT CA to the signer of the OCSP response signer) into the STORE in the default case, what is the stack used for?

For example, I now have a 4-level certificate tree:

Root--CA1--CA2--End Entity cert

I put the Root into the STORE, and put CA1, CA2 into the stack. (CA2 is also the signer of the OCSP response.)

I suppose that CA1 and CA2 cannot be trusted directly, but they are important to set up the chain to verify the signer certificate of the OCSP response. And the two of them will be verified after the chain is set up from the Root to the OCSP response signer in X509_verify_cert().

When I call OCSP_basic_verify() with flags 0, I find the OCSP response cannot be verified.

Further, I find that the stack is only used to search for the signer of the OCSP response in the function OCSP_basic_verify(), while X509_STORE_CTX_init() and X509_verify_cert() seem to have nothing to do with the stack.

Would you please give me some guidance on the usage of the STACK? In what cases will the certificates in the stack be added to the chain and verified together with the chain?

Can I put the certificates in the store and the stack independently as above?

Thank you very much,
wjw