char *proxy = NULL, *no_proxy = NULL;
int use_ssl;
STACK_OF(OPENSSL_STRING) *aia = NULL;
- X509 *x = NULL;
+ X509 *x = NULL, *cert;
+ X509_NAME *iname;
+ STACK_OF(X509) *chain = NULL;
+ SSL_CTX *ssl_ctx;
X509_STORE_CTX *inctx = NULL;
X509_OBJECT *obj;
OCSP_REQUEST *req = NULL;
/* Build up OCSP query from server certificate */
x = SSL_get_certificate(s);
+ iname = X509_get_issuer_name(x);
aia = X509_get1_ocsp(x);
if (aia != NULL) {
if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &use_ssl,
proxy = srctx->proxy;
no_proxy = srctx->no_proxy;
- inctx = X509_STORE_CTX_new();
- if (inctx == NULL)
+ ssl_ctx = SSL_get_SSL_CTX(s);
+ if (!SSL_CTX_get0_chain_certs(ssl_ctx, &chain))
goto err;
- if (!X509_STORE_CTX_init(inctx,
- SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
- NULL, NULL))
- goto err;
- obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
- X509_get_issuer_name(x));
- if (obj == NULL) {
- BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
- goto done;
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ /* check the untrusted certificate chain (-cert_chain option) */
+ cert = sk_X509_value(chain, i);
+ if (X509_name_cmp(iname, X509_get_subject_name(cert)) == 0) {
+ /* the issuer certificate is found */
+ id = OCSP_cert_to_id(NULL, x, cert);
+ break;
+ }
+ }
+ if (id == NULL) {
+ inctx = X509_STORE_CTX_new();
+ if (inctx == NULL)
+ goto err;
+ if (!X509_STORE_CTX_init(inctx, SSL_CTX_get_cert_store(ssl_ctx),
+ NULL, NULL))
+ goto err;
+ obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, iname);
+ if (obj == NULL) {
+ BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
+ goto done;
+ }
+ id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
+ X509_OBJECT_free(obj);
}
- id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
- X509_OBJECT_free(obj);
if (id == NULL)
goto err;
req = OCSP_REQUEST_new();
projects / thirdparty / openssl.git / commitdiff
