Re: [openssl-dev] [openssl.org #4620] OCSP_basic_verify() question/comment

2017-08-09 Thread David von Oheimb
It seems that OCSP_basic_verify(bs, certs, st, flags) unfortunately is
not documented, but from its code it becomes clear that the "certs"
parameter is meant to be a set of untrusted certificates, which is first
used (together with bs->certs) to determine the signer cert of the OCSP
response "bs" and then is partly(!) used to construct the chain of certs
towards a trusted (root) cert in the store passed in the "st" parameter.

>> OCSP responses do not seem to include the intermediate certificates so they
>> have to be acquired in other ways. I have been doing this and adding them
>> to the certificate stack handed to OCSP_basic_verify().
>
> Perhaps adding them to X509_STORE or STORE_CTX directly?

This does not work because OCSP_basic_verify(bs, certs, st, flags)
produces its own internal X509_STORE_CTX:
  init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
where the "st" parameter is taken as the trusted store, while the set of
untrusted certs cannot be directly set by the caller.

>> I am relatively new to this so I may be incorrect; however, it seems to me
>> that the certificates in the cert argument should be added to the
>> X509_STORE_CTX.
>
> If you need to add certificates to validate a chain, it seems safer to
> explicitly add them to the store, not implicitly.

As long as the OCSP response pointed to by "bs" includes a non-NULL
bs->certs field, OCSP_basic_verify() takes the union of any certs in the
"certs" parameter and in bs->certs as untrusted certs for chain
construction, but if bs->certs is NULL, i.e. when the OCSP responder did
not include any certs in its response, for some reason OCSP_basic_verify()
does not take "certs" but bs->certs, which corresponds to the empty set.

I consider this a bug, for which I've just submitted a pull request:
https://github.com/openssl/openssl/pull/4124
This fix takes "certs" as the set of untrusted certs in case bs->certs
is NULL.

As long as a fix is not yet available, one can use the following
workaround:
{
   X509 *dummy = X509_new();              /* empty placeholder cert, never a valid signer */
   (void)OCSP_basic_add1_cert(bs, dummy); /* allocates bs->certs so it is no longer NULL */
   X509_free(dummy);                      /* add1 took its own reference; drop ours */
}
before calling
OCSP_basic_verify(bs, certs, st, flags);
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4620] OCSP_basic_verify() question/comment

2016-07-21 Thread Salz, Rich via RT

> OCSP responses do not seem to include the intermediate certificates so they
> have to be acquired in other ways. I have been doing this and adding them
> to the certificate stack handed to OCSP_basic_verify().

Perhaps adding them to X509_STORE or STORE_CTX directly?

> I am relatively new to this so I may be incorrect; however, it seems to me
> that the certificates in the cert argument should be added to the
> X509_STORE_CTX.

If you need to add certificates to validate a chain, it seems safer to
explicitly add them to the store, not implicitly.



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4620
Please log in as guest with password guest if prompted



[openssl-dev] [openssl.org #4620] OCSP_basic_verify() question/comment

2016-07-21 Thread Page, Greg via RT
Hello!


I have been using openssl to get OCSP status for a certificate and I ran across 
an interesting case.


OCSP responses do not seem to include the intermediate certificates so they
have to be acquired in other ways. I have been doing this and adding them to
the certificate stack handed to OCSP_basic_verify().


However, I have noticed that these certificates are not used in creating a 
certificate chain back to a root CA because they are not added to the 
X509_STORE_CTX that is sent to X509_verify_cert() and 
X509_STORE_CTX_get1_chain().


I am relatively new to this so I may be incorrect; however, it seems to me that 
the certificates in the cert argument should be added to the X509_STORE_CTX.


What are your thoughts?


Thanks,

Greg

