[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Stephan Mühlstrasser
stm at pdflib.com
Wed Feb 18 12:19:59 UTC 2015
Hi,
I have a question about the behavior of OCSP_basic_verify() and the
meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is
the only place where this flag has an effect in the whole OpenSSL
source, and in the "openssl ocsp" application it can be set with the
"-no_explicit" command line option:
    /*
     * Easy case: explicitly trusted. Get root CA and check for explicit
     * trust
     */
    if (flags & OCSP_NOEXPLICIT)
        goto end;

    x = sk_X509_value(chain, sk_X509_num(chain) - 1);
    if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
        goto end;
    }
Unfortunately the "-no_explicit" command line option is not documented:
https://www.openssl.org/docs/apps/ocsp.html
What is the meaning of setting the OCSP_NOEXPLICIT flag or, respectively, of
using the "-no_explicit" command line option? What exactly is checked by the
X509_check_trust() call above with respect to the relevant RFCs?
Best regards
Stephan