[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Jakob Bohm jb-openssl at wisemo.com
Tue Oct 31 16:40:08 UTC 2017


On 31/10/2017 17:26, Matt Caswell wrote:
>
> On 31/10/17 16:02, Wouter Verhelst wrote:
>> Hi Matt,
>>
>> On 31-10-17 16:36, Matt Caswell wrote:
>>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>>> "flags" argument? This basically finds the signer certificate and
>>> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
>>> chain validation bit.
>> Just wanted to point out that that is, actually, a confusing name for
>> that flag.
>>
>> "NOVERIFY" seems to imply that there is no verification being done, at
>> all. Intuitively one senses that's not right, and that at least some
>> verification will be done (in casu the signature will still be checked);
>> but figuring out which part of the verification is being dropped and
>> which part isn't requires one to read either the library source or the
>> documentation, both of which are annoying if they can be avoided and do
>> not help for the readability of code that uses the flag in question.
>>
>> Might I suggest that this flag be renamed somehow, to something that
>> makes it more clear what exactly it does?
>>
> I agree it's not a great name for it. Unfortunately we are stuck with it
> for compatibility reasons. If we renamed it we would break any code that
> is currently using it. We could introduce a new flag with a different
> name which does the same thing - but I'm not sure that does anything to
> make things less confusing.
>
> The best way forward is to document it. It isn't documented at all at
> the moment along with a number of other OCSP related functions and
> features. PRs welcome for that.
>
> Matt
You could introduce the new name, but define the old name to it, and
document that the flag is also available under the other name for
backwards compatibility.  Then code that doesn't need compatibility with
1.1.0 or older can just use the new name.

As for the macro that doesn't work, wouldn't it be better to make it
a function (or a wrapper around the call with the badly named flag)?
One could just as easily argue that the API was accidentally broken,
not accidentally kept.  After all, the references to internal structures
are internal to the inline implementation, not part of the interface.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


