It seems that OCSP_basic_verify(bs, certs, st, flags) unfortunately is not documented, but from its code it becomes clear that the "certs" parameter is meant to be a set of untrusted certificates, which is first used (together with bs->certs) to determine the signer cert of the OCSP response "bs" and then is partly(!) used to construct the chain of certs towards a trusted (root) cert in the store passed in the "st" parameter.
>> OCSP responses do not seem to include the intermediate certificates so they
>> have to be acquired in other ways. I have been doing this and adding them
>> to the certificate stack handed to OCSP_basic_verify().
>
> Perhaps adding them to X509_STORE or STORE_CTX directly?

This does not work because OCSP_basic_verify(bs, certs, st, flags) produces its own internal X509_STORE_CTX:

    init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);

where the "st" parameter is taken as the trusted store, while the set of untrusted certs cannot be directly set by the caller.

>> I am relatively new to this so I may be incorrect; however, it seems to me
>> that the certificates in the cert argument should be added to the
>> X509_STORE_CTX.
>
> If you need to add certificates to validate a chain, it seems safer to
> explicitly add them to the store, not implicitly.

As long as the OCSP response pointed to by "bs" includes a non-NULL bs->certs field, OCSP_basic_verify() takes the union of any certs in the "certs" parameter and in bs->certs as untrusted certs for chain construction, but if bs->certs is NULL, i.e. when the OCSP responder did not include any certs in its response, for some reason OCSP_basic_verify() does not take "certs" but bs->certs, which corresponds to the empty set.

I consider this a bug, for which I've just submitted a pull request:
https://github.com/openssl/openssl/pull/4124

This fix takes "certs" as the set of untrusted certs in case bs->certs is NULL.

As long as a fix is not yet available, one can use the following workaround:

    {
        X509 *dummy = X509_new();
        (void)OCSP_basic_add1_cert(bs, dummy);
        X509_free(dummy);
    }

before calling OCSP_basic_verify(bs, certs, st, flags);

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev