Hi, Steve,
 
    On this issue, I'd like to ask more about the OCSP verifying case.
 
If I have to insert all the certificates of the chain (my understanding is from the ROOT CA to the signer of the OCSP response signer) into the STORE in the default case, what is the stack used for?
 
For example, I now have a 4-level certificate tree:
Root--CA1--CA2--End Entity cert
 
And I put the Root into the STORE, and put CA1, CA2 into the Stack. (CA2 is also the signer of the OCSP response.)
 
I suppose that CA1 and CA2 cannot be trusted directly, but they are important for setting up the chain to verify the signer
certificate of the OCSP response. And the two of them will be verified after the chain is set up from the Root to the OCSP response signer in X509_verify_cert().
 
 
When I call OCSP_basic_verify() with the flags set to 0, I find the OCSP response cannot be verified.
Further, I find that the stack is only used to search for the signer of the OCSP response in the function OCSP_basic_verify(), while
X509_STORE_CTX_init() and X509_verify_cert() seem to have nothing to do with the stack.
 
 
Would you please give me some guidance on the usage of the STACK? In what cases will the certificates in the stack be added into the chain and verified together with the chain?
 
Can I put the certificates in the store and the stack independently as above?
 
 
Thank you very much.
wjw
 
 
----- Original Message -----
Sent: Saturday, June 14, 2003 4:02 AM
Subject: Re: about the X509_STORE of OCSP

On Fri, Jun 13, 2003, Wu Junwei wrote:

> Hi,all
> when I use "openssl ocsp -issuer xxx -cert XXXX -url xxx -CAfile xxx..."
> to get the OCSP response, and verify it.
> Do I need to set up the whole chain from the root CA to the entry CA in
> the CAfile or CApath?
>
> I mean, when I set the trusted certificate(s) in the X509_STORE, do I need
> to insert the root CA or upper level CA of the trusted certificate into the
> STORE?
> Can I just input the trusted certificate into the STORE ( this trusted
> certificate is not root CA )?
>
In the default case you need any certificate in the responder chain that is
not part of the response, including the root.

This however can be customised by the various flags depending on whatever
trust model is appropriate to the responder in question.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
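The following script is an added example, not code from this thread or from the OpenSSL project. It builds the 4-level tree the poster describes (Root--CA1--CA2--End Entity, all names, serials and the CA index file invented here), has CA2 sign an OCSP response offline, and then verifies that response three times with the openssl ocsp tool: -CAfile fills the X509_STORE that OCSP_basic_verify() receives as its `st` argument, and -verify_other is the STACK_OF(X509) it receives as `certs`. With only the Root in the store the verification fails, because CA1 is neither in the response nor trusted, which is the default case Steve describes; adding CA1 to the trusted file makes it pass. The third run relies on the behaviour of OpenSSL 1.1.1 and 3.x, where OCSP_basic_verify() also appends the `certs` stack to the untrusted certificates handed to X509_verify_cert(); in the OpenSSL release of this thread's era the stack was consulted only when looking up the signer, as the poster reports, so that run would fail there. No -issuer is passed to the verifying runs, since the tool otherwise retries with OCSP_TRUSTOTHER and would hide the difference (-VAfile / -trust_other are the command-line forms of that flag).

```shell
#!/bin/sh
# Added example (not from the thread): Root -> CA1 -> CA2 -> EE, an OCSP
# response signed by CA2, and three verification runs that show which
# certificates must be in the trusted STORE (-CAfile) versus the untrusted
# STACK (-verify_other). Subjects, serials and the index file are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for every CA certificate. digitalSignature lets CA2 sign the
# OCSP response directly, the case discussed in the thread.
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
    > "$WORK/ca.ext"

# gen_cert <name> <CN> <serial> <issuer name | self> [extfile]
gen_cert() {
    name=$1 cn=$2 serial=$3 issuer=$4 ext=${5:-}
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        set -- -signkey "$WORK/$name.key"
    else
        set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key"
    fi
    if [ -n "$ext" ]; then
        set -- "$@" -extfile "$ext"
    fi
    openssl x509 -req -in "$WORK/$name.csr" -set_serial "$serial" -days 365 \
        "$@" -out "$WORK/$name.pem" 2>/dev/null
}

build_chain() {
    gen_cert root "Root" 0x01 self "$WORK/ca.ext"
    gen_cert ca1  "CA1"  0x02 root "$WORK/ca.ext"
    gen_cert ca2  "CA2"  0x03 ca1  "$WORK/ca.ext"
    gen_cert ee   "End Entity" 0x1001 ca2
    # Trusted-store variant holding both the root and CA1.
    cat "$WORK/root.pem" "$WORK/ca1.pem" > "$WORK/root_and_ca1.pem"
}

# Build a request for EE and answer it offline from a CA index file,
# signing with CA2. The signer certificate is embedded in the response;
# CA1 is not, so the verifier must obtain it from the store or the stack.
make_response() {
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=End Entity\n' > "$WORK/index.txt"
    openssl ocsp -issuer "$WORK/ca2.pem" -cert "$WORK/ee.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca2.pem" \
        -rsigner "$WORK/ca2.pem" -rkey "$WORK/ca2.key" -noverify \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
}

# verify_response <trusted CAfile> [untrusted certs file]
# Exit status is that of openssl ocsp: 0 means "Response verify OK".
# -CAfile is the X509_STORE; -verify_other is the STACK_OF(X509) given to
# OCSP_basic_verify(). No -issuer here, because the tool would otherwise
# retry with OCSP_TRUSTOTHER and mask the chain-building failure.
verify_response() {
    cafile=$1 other=${2:-}
    if [ -n "$other" ]; then
        set -- -verify_other "$other"
    else
        set --
    fi
    openssl ocsp -respin "$WORK/resp.der" -CAfile "$cafile" "$@" >/dev/null 2>&1
}

report() {  # report <label> <CAfile> [untrusted certs file]
    if verify_response "$2" "${3:-}"; then
        echo "$1: Response verify OK"
    else
        echo "$1: Response Verify Failure"
    fi
}

build_chain
make_response
report "store=Root, stack=empty    " "$WORK/root.pem"
report "store=Root+CA1, stack=empty" "$WORK/root_and_ca1.pem"
report "store=Root, stack=CA1      " "$WORK/root.pem" "$WORK/ca1.pem"
```

The same three outcomes apply to the C API: a certificate in the store is trusted outright, a certificate in the stack is only raw material for X509_verify_cert() to build the chain up to something in the store, and the OCSP_TRUSTOTHER flag (or OCSP_NOVERIFY) is what makes a signer found in the stack trusted without any chain at all, which is the "trust model" customisation Steve refers to.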
