On 31/10/17 17:30, Dave Coombs wrote:
> Hi Matt, thanks for your response.
> 
>>> Is the correct solution to use OCSP_basic_verify(), which feels like
>>> overkill for my needs (the code in question is *part of* our own
>>> path-validation routine), or might there be some other way?
>>
>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>> "flags" argument? This basically finds the signer certificate and
>> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
>> chain validation bit.
> 
> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and 
> NULL for X509_STORE *st since it won't be used, then I think I should get the 
> desired result, yes, at the cost of ocsp_find_signer(single-entry certs) and 
> the internal creation/destruction of an unused X509_STORE_CTX.  I'd have a 
> small performance hit but it probably wouldn't be too bad.

Probably the construction of that ctx is in the wrong place. It should
be later in the function. I can't imagine the ocsp_find_signer() hit is
too great.

> 
> The alternative would be to change the OCSP_BASICRESP_verify() macro into an 
> externally available function, and then both it and OCSP_basic_verify() could 
> call the former macro, suitably renamed and internally scoped.  Clearly I'd 
> be happy with that, though I understand if you don't want to go that route.

I did consider it, but I'm not especially keen. I think the intended
application interface here is to use OCSP_basic_verify().
OCSP_BASICRESP_verify() should probably have never been exposed in the
first place.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to