Hi Matt, thanks for your response. >> Is the correct solution to use OCSP_basic_verify(), which feels like >> overkill for my needs (the code in question is *part of* our own >> path-validation routine), or might there be some other way? > > Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final > "flags" argument? This basically finds the signer certificate and > verifies the signature using OCSP_BASICRESP_verify(), but skips all the > chain validation bit.
If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and NULL for X509_STORE *st since it won't be used, then I think I should get the desired result, yes, at the cost of ocsp_find_signer(single-entry certs) and the internal creation/destruction of an unused X509_STORE_CTX. I'd have a small performance hit but it probably wouldn't be too bad. The alternative would be to change the OCSP_BASICRESP_verify() macro into an externally available function, and then both it and OCSP_basic_verify() could call the former macro, suitably renamed and internally scoped. Clearly I'd be happy with that, though I understand if you don't want to go that route. Cheers, -Dave -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
