From 8bdd0050e2f3419a61721d281b7216c628d10722 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Mon, 9 Jan 2023 12:02:43 +0100
Subject: [PATCH] MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response

When calling OCSP_basic_verify to check the validity of the received OCSP response, we need to provide an untrusted certificate chain as well as an X509_STORE holding only trusted certificates. Since the certificate chain and the issuer certificate are all provided by the user, we assume that they are valid and we add them all to a temporary store. This enables to focus only on the response's validity.
---
 src/ssl_ocsp.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index a969565..165c16c 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -728,16 +728,30 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
 		goto end;
 	}
 
-	/* Add ocsp issuer certificate to a store in order verify the ocsp
-	 * response. */
+	/* Create a temporary store in which we add the certificate's chain
+	 * certificates. We assume that all those certificates can be trusted
+	 * because they were provided by the user.
+	 * The only ssl item that needs to be verified here is the OCSP
+	 * response.
+	 */
 	store = X509_STORE_new();
 	if (!store) {
 		memprintf(err, "X509_STORE_new() failed");
 		goto end;
 	}
 
-	X509_STORE_add_cert(store, issuer);
-	if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+	if (chain) {
+		int i = 0;
+		for (i = 0; i < sk_X509_num(chain); i++) {
+			X509 *cert = sk_X509_value(chain, i);
+			X509_STORE_add_cert(store, cert);
+		}
+	}
+
+	if (issuer)
+		X509_STORE_add_cert(store, issuer);
+
+	if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
 		memprintf(err, "OCSP_basic_verify() failed");
 		goto end;
 	}
-- 
1.7.10.4
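Review bot: The return value of X509_STORE_add_cert() is ignored both in the chain loop and for the issuer, so an allocation failure (or, on OpenSSL builds that still report a duplicate certificate as an error, an issuer that also appears in the chain) leaves the store incomplete or an entry on the error queue, and the failure surfaces later only as the generic "OCSP_basic_verify() failed"; checking it as `if (X509_STORE_add_cert(store, cert) != 1) { memprintf(err, "X509_STORE_add_cert() failed"); goto end; }` (and the same for the issuer) reports the real cause, with the duplicate case handled explicitly if older OpenSSL versions are still supported. The new comment should also spell out the verification consequence of this design rather than only the assumption: with OCSP_TRUSTOTHER and every user-provided certificate in the trusted store, a response signed by any certificate of the configured chain or by the issuer is accepted, and no path validation against a system trust anchor is performed, so the chain and issuer files must be treated as trust anchors for OCSP purposes. Finally, `int i = 0;` followed by `for (i = 0; ...)` initializes twice; `for (int i = 0; ...)` or dropping the initializer is enough. The body of ssl_ocsp_check_response, including the `end:` label where the store is presumably freed, continues outside the hunk.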