On 01-12-15 14:58, Verhelst Wouter (Consultant) wrote:
Hi folks,
I'm trying to write an application that needs to verify the validity of data on
a smartcard. That data is signed with an RSA key for which a certificate exists
on the card; but if the card is stolen or lost, the certificate will be
revoked, so I want to ensure that the certificate is valid. I'm doing an OCSP
request to take care of that.
Since OpenSSL's own OCSP_sendreq_* functions don't support HTTP proxies, I'm
currently using libcurl to send the request to the OCSP endpoint. This seems to
work; when I get the reply and use d2i_OCSP_RESPONSE(), then with things like
OCSP_response_status() and OCSP_resp_find_status() and friends I can manage to
get the status of the request and a given certificate.
However, that doesn't do signature verification. I believe that I should use
OCSP_basic_verify() for that, but I'm not entirely sure whether that is the
case, and if so whether I would need to do some additional checks beforehand.
Unfortunately, I can't find any documentation on OCSP_basic_verify().
I should note that due to the nature of my needs, I have a rather huge set of
valid intermediate CAs, but a fairly limited set of root CAs that can be used
for valid cards (that is, if the signature validates but it wasn't signed by
any of the CAs under one of my limited set of roots, the card is a forgery and
should be rejected as invalid).
A few questions:
- Am I right in assuming that OCSP_basic_verify will check the signature on the
OCSP request?
- In "OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)", I'm not
entirely certain of what the "st" argument is meant to contain, and can't figure out the "certs" one. Pouring
over the code, I believe the "st" argument should allow me to limit validation to my set of root certificates, but I
could be mistaken. As for the "certs" one, I can't understand that one at all. The only thing I can think of is that
maybe it should contain the issuer certificate that I used for the original request, but then why is it a STACK_OF(X509)* and not
just an X509*? What am I missing?
Thanks for any help,
Ping. Anyone?
If this is documented somewhere, feel free to point me to the
documentation...
--
Wouter Verhelst
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users