MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response

When calling OCSP_basic_verify to check the validity of the received
OCSP response, we need to provide an untrusted certificate chain as well
as an X509_STORE holding only trusted certificates. Since the
certificate chain and the issuer certificate are all provided by the
user, we assume that they are valid and we add them all to a temporary
store. This enables to focus only on the response's validity.

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index a969565f9b3db112ada30895e902c9107341c5fc..165c16ca93387f6451e289edfe6cda7d0f27801d 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -728,16 +728,30 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
                goto end;
        }
 
-       /* Add ocsp issuer certificate to a store in order verify the ocsp
-        * response. */
+       /* Create a temporary store in which we add the certificate's chain
+        * certificates. We assume that all those certificates can be trusted
+        * because they were provided by the user.
+        * The only ssl item that needs to be verified here is the OCSP
+        * response.
+        */
        store = X509_STORE_new();
        if (!store) {
                memprintf(err, "X509_STORE_new() failed");
                goto end;
        }
-       X509_STORE_add_cert(store, issuer);
 
-       if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+       if (chain) {
+               int i = 0;
+               for (i = 0; i < sk_X509_num(chain); i++) {
+                       X509 *cert = sk_X509_value(chain, i);
+                       X509_STORE_add_cert(store, cert);
+               }
+       }
+
+       if (issuer)
+               X509_STORE_add_cert(store, issuer);
+
+       if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
                memprintf(err, "OCSP_basic_verify() failed");
                goto end;
        }