From: Rich Salz
Date: Mon, 17 Aug 2020 19:31:42 +0000 (-0400)
Subject: Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
X-Git-Tag: openssl-3.0.0-alpha7~471
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0495a3ec4ab463d5c08f4a4e85d0e3925e4602e7;p=thirdparty%2Fopenssl.git

Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()

This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify() function. This is equivalent to X509_V_FLAG_PARTIAL_CHAIN, in that if any certificate in the OCSP response is in the trust store, then trust it.

Reviewed-by: David von Oheimb
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12666)
---
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index adf4970d58f..cf7602616f3 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -38,6 +38,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, STACK_OF(X509) *chain = NULL; STACK_OF(X509) *untrusted = NULL; X509_STORE_CTX *ctx = NULL; + X509_VERIFY_PARAM *vp; int i, ret = ocsp_find_signer(&signer, bs, certs, flags); if (!ret) { @@ -85,6 +86,9 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); goto f_err; } + if ((flags & OCSP_PARTIAL_CHAIN) != 0 + && (vp = X509_STORE_CTX_get0_param(ctx)) != NULL) + X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN); X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(ctx); diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod index 179f303a775..7dd90837b66 100644 --- a/doc/man3/OCSP_resp_find_status.pod +++ b/doc/man3/OCSP_resp_find_status.pod 
@@ -120,7 +120,7 @@ OCSP_basic_verify() checks that the basic response message B is correctly signed and that the signer certificate can be validated. It takes B as the trusted store and B as a set of untrusted intermediate certificates. The function first tries to find the signer certificate of the response -in . It also searches the certificates the responder may have included +in B. It also searches the certificates the responder may have included in B unless the B contain B. It fails if the signer certificate cannot be found. Next, the function checks the signature of B and fails on error @@ -128,6 +128,10 @@ unless the B contain B. Then the function already returns success if the B contain B or if the signer certificate was found in B and the B contain B. Otherwise the function continues by validating the signer certificate. +If B contains B, intermediate CA certificates +in B are trust-anchors. +For more details, see the description of B +in L. To this end, all certificates in B and in B are considered as untrusted certificates for the construction of the validation path for the signer certificate unless the B flag is set. After successful path @@ -185,7 +189,8 @@ L, L, L, L, -L +L, +L =head1 COPYRIGHT diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 4f067c877c5..6265915d9c8 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -75,7 +75,7 @@ These functions manipulate the B structure associated with a certificate verification operation. The X509_VERIFY_PARAM_set_flags() function sets the flags in B by oring -it with B. See the B section for a complete +it with B. See L for a complete description of values the B parameter can take. X509_VERIFY_PARAM_get_flags() returns the flags in B. diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 1c514efeee7..939a90877d4 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h 
@@ -102,6 +102,7 @@ extern "C" { # define OCSP_TRUSTOTHER 0x200 # define OCSP_RESPID_KEY 0x400 # define OCSP_NOTIME 0x800 +# define OCSP_PARTIAL_CHAIN 0x1000 typedef struct ocsp_cert_id_st OCSP_CERTID; typedef struct ocsp_one_request_st OCSP_ONEREQ;
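Review bot: in the second crypto/ocsp/ocsp_vfy.c hunk (@@ -85,6 +86,9 @@), the `!= NULL` guard on `X509_STORE_CTX_get0_param(ctx)` silently drops OCSP_PARTIAL_CHAIN instead of reporting it: if the parameter block is missing, verification simply proceeds as a full-chain check. That fails closed, so it is acceptable, but a one-line comment such as "/* no params: fall back to full-chain verification */" would make the intent explicit for the next reader. It is also worth noting at the call site that X509_V_FLAG_PARTIAL_CHAIN is ORed into the per-context parameters, so any partial-chain setting the caller already placed on the X509_STORE is preserved rather than overridden, and that the widened trust means every intermediate CA present in the trust store now terminates path building for the responder certificate; the flag should therefore only be used with a store that holds exactly the CAs the caller intends to accept as OCSP responder anchors.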
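Review bot: in the doc/man3/OCSP_resp_find_status.pod hunk at @@ -128,6 +128,10 @@, the new paragraph ("intermediate CA certificates in B<...> are trust-anchors") should say precisely which store the intermediate must be found in to count as an anchor; per the commit message that is the trusted store, not the untrusted intermediates, and the pod argument name should match. It should also state that OCSP_PARTIAL_CHAIN only has an effect when the function actually reaches path validation, i.e. not when the early returns described in the preceding paragraph (OCSP_NOVERIFY, or signer found in the untrusted set with OCSP_TRUSTOTHER) apply. Style nit: write "trust anchors" without the hyphen, matching the rest of the OpenSSL verification documentation.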
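Review bot: for the include/openssl/ocsp.h hunk (@@ -102,6 +102,7 @@), 0x1000 is the next free bit after OCSP_NOTIME 0x800 in the visible context, assuming no later OCSP_* define in the header already takes that value; please double-check. Since this is a new public flag that changes what the library will accept as a trusted OCSP responder, the patch should also carry a CHANGES.md entry so that applications reviewing an upgrade can see the new option and its trust implications.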