提交 50d51991 编写于 作者: D Dr. Stephen Henson

New OCSP response verify option OCSP_TRUSTOTHER

上级 9020b862
...@@ -3,6 +3,11 @@ ...@@ -3,6 +3,11 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000] Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
passed by the function are trusted implicitly. If any of them signed the
reponse then it is assumed to be valid and is not verified.
[Steve Henson]
*) Zero the premaster secret after deriving the master secret in *) Zero the premaster secret after deriving the master secret in
DH ciphersuites. DH ciphersuites.
[Steve Henson] [Steve Henson]
......
...@@ -85,6 +85,7 @@ extern "C" { ...@@ -85,6 +85,7 @@ extern "C" {
#define OCSP_NOCASIGN 0x40 #define OCSP_NOCASIGN 0x40
#define OCSP_NODELEGATED 0x80 #define OCSP_NODELEGATED 0x80
#define OCSP_NOCHECKS 0x100 #define OCSP_NOCHECKS 0x100
#define OCSP_TRUSTOTHER 0x200
/* CertID ::= SEQUENCE { /* CertID ::= SEQUENCE {
* hashAlgorithm AlgorithmIdentifier, * hashAlgorithm AlgorithmIdentifier,
......
...@@ -59,7 +59,7 @@ ...@@ -59,7 +59,7 @@
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#include <openssl/err.h> #include <openssl/err.h>
static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags); X509_STORE *st, unsigned long flags);
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
...@@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, ...@@ -76,12 +76,14 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
X509_STORE_CTX ctx; X509_STORE_CTX ctx;
int i, ret = 0; int i, ret = 0;
signer = ocsp_find_signer(bs, certs, st, flags); ret = ocsp_find_signer(&signer, bs, certs, st, flags);
if (!signer) if (!ret)
{ {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
goto end; goto end;
} }
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) if (!(flags & OCSP_NOSIGS))
{ {
EVP_PKEY *skey; EVP_PKEY *skey;
...@@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, ...@@ -148,19 +150,26 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
} }
static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags) X509_STORE *st, unsigned long flags)
{ {
X509 *signer; X509 *signer;
OCSP_RESPID *rid = bs->tbsResponseData->responderId; OCSP_RESPID *rid = bs->tbsResponseData->responderId;
if ((signer = ocsp_find_signer_sk(certs, rid))) if ((signer = ocsp_find_signer_sk(certs, rid)))
return signer; {
*psigner = signer;
return 2;
}
if(!(flags & OCSP_NOINTERN) && if(!(flags & OCSP_NOINTERN) &&
(signer = ocsp_find_signer_sk(bs->certs, rid))) (signer = ocsp_find_signer_sk(bs->certs, rid)))
return signer; {
*psigner = signer;
return 1;
}
/* Maybe lookup from store if by subject name */ /* Maybe lookup from store if by subject name */
return NULL; *psigner = NULL;
return 0;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册