> Additional candidate signer certificates need to be included in the
> -verify_other option.
>
> If the OCSP signing certificate is self-signed then it needs to be explicitly
> trusted, which is the -VAfile option; if you use that it will also be searched
> as a signer.
Doesn't putting it in the CApath also mean it's explicitly trusted?
I tracked down this code in crypto/ocsp/ocsp_vfy.c:
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
                            STACK_OF(X509) *certs, X509_STORE *st,
                            unsigned long flags)
{
    X509 *signer;
    OCSP_RESPID *rid = bs->tbsResponseData->responderId;

    /* 1. Caller-supplied candidates (what -verify_other / -VAfile hand in) */
    if ((signer = ocsp_find_signer_sk(certs, rid))) {
        *psigner = signer;
        return 2;
    }
    /* 2. Certificates embedded in the response itself, unless OCSP_NOINTERN */
    if (!(flags & OCSP_NOINTERN) &&
        (signer = ocsp_find_signer_sk(bs->certs, rid))) {
        *psigner = signer;
        return 1;
    }
    /* 3. The trusted store (st) is never consulted at this point */
    /* Maybe lookup from store if by subject name */
    *psigner = NULL;
    return 0;
}
It looks like implementing the "Maybe" case would solve my problem. Would it
be incorrect to also look in the store here? I'd be glad to work on a patch.
I understand I can make the command line tool work with -verify_other, but in
my code I have no handy way to do that. My users are going to dump all trusted
certs, regardless of purpose, into the trusted store.
--
Chris Bare
[email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
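The following script is an added illustration of the lookup order in the snippet above; it is not part of this message or of the OpenSSL sources. It assumes the `openssl` command-line tool is installed, builds a throwaway CA, an end-entity certificate and a delegated OCSP signer (all names and serials are constructed), and then verifies a response whose signer certificate is not embedded: the signer is only found when it is handed in with -verify_other or -VAfile, even though the issuing CA is in -CAfile.

```shell
#!/bin/sh
# Constructed demo (not from the thread or the OpenSSL sources): a throwaway
# CA, an end-entity cert and a delegated OCSP signer, then an OCSP response
# that does NOT embed the signer cert. Shows that `openssl ocsp` only finds
# the signer when it is supplied via -verify_other or -VAfile.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# Root must assert CA:TRUE; a delegated responder needs the OCSPSigning EKU,
# otherwise OCSP_basic_verify rejects it even when it is found.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext

mkcsr() { # $1 = file basename, $2 = CN (names are constructed)
  openssl req -new -newkey rsa:2048 -nodes -batch -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
mkcsr ca "Demo Root CA"; mkcsr ee "ee.example"; mkcsr ocsp "Demo OCSP Signer"

# Self-signed root, then two certificates issued by it with fixed serials.
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.crt 2>/dev/null
openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
  -days 1 -out ee.crt 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x1002 \
  -days 1 -extfile ocsp.ext -out ocsp.crt 2>/dev/null

# Minimal `openssl ca`-style index: serial 1001 (ee.crt) is valid ("V").
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=ee.example\n' > index.txt

# Build a request for ee.crt, then answer it offline. -resp_no_certs keeps
# the responder certificate out of the response (so bs->certs is empty).
openssl ocsp -issuer ca.crt -cert ee.crt -no_nonce -reqout req.der >/dev/null 2>&1
openssl ocsp -index index.txt -rsigner ocsp.crt -rkey ocsp.key -CA ca.crt \
  -reqin req.der -respout resp.der -resp_no_certs >/dev/null 2>&1

# Verify resp.der with ca.crt as the only trusted cert; extra arguments are
# passed through. Prints OK or FAIL based on the tool's own verdict.
ocsp_verify() {
  out=$(openssl ocsp -respin resp.der -issuer ca.crt -cert ee.crt \
          -CAfile ca.crt -no_nonce "$@" 2>&1) || true
  case "$out" in
    *"Response verify OK"*) echo OK ;;
    *) echo FAIL ;;
  esac
}

echo "trusted store only:  $(ocsp_verify)"                        # FAIL: signer not found
echo "-verify_other:       $(ocsp_verify -verify_other ocsp.crt)" # OK: found, chain checked
echo "-VAfile:             $(ocsp_verify -VAfile ocsp.crt)"       # OK: found and trusted
```

The first case fails with "signer certificate not found" although the CA that issued the signer is trusted, which is exactly the store lookup the "Maybe" comment leaves unimplemented.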