[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Thu Jun 21 18:39:57 UTC 2018


The branch master has been updated
       via  b8c32081e02b7008a90d878eccce46da256dfe86 (commit)
      from  379f846387348b1090054b56f1d31cdbcbd64196 (commit)


- Log -----------------------------------------------------------------
commit b8c32081e02b7008a90d878eccce46da256dfe86
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Feb 10 15:45:11 2018 +0100

    add documentation for OCSP_basic_verify()
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6227)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/OCSP_resp_find_status.pod | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index af7fb1d..1bbc4e3 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -8,7 +8,8 @@ OCSP_resp_get0_id,
 OCSP_resp_get1_id,
 OCSP_resp_get0_produced_at,
 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
-OCSP_single_get0_status, OCSP_check_validity
+OCSP_single_get0_status, OCSP_check_validity,
+OCSP_basic_verify
 - OCSP response utility functions
 
 =head1 SYNOPSIS
@@ -48,6 +49,9 @@ OCSP_single_get0_status, OCSP_check_validity
                          ASN1_GENERALIZEDTIME *nextupd,
                          long sec, long maxsec);
 
+ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                      X509_STORE *st, unsigned long flags);
+
 =head1 DESCRIPTION
 
 OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is
@@ -100,6 +104,27 @@ OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
 leeway should be allowed in the check. If B<maxsec> is positive it indicates
 the maximum age of B<thisupd> in seconds.
 
+OCSP_basic_verify() checks that the basic response message B<bs> is correctly
+signed and that the signer certificate can be validated. It takes B<st> as
+the trusted store and B<certs> as a set of untrusted intermediate certificates.
+The function first tries to find the signer certificate of the response
+in <certs>. It also searches the certificates the responder may have included
+in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>.
+It fails if the signer certificate cannot be found.
+Next, the function checks the signature of B<bs> and fails on error
+unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns
+success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
+was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>.
+Otherwise the function continues by validating the signer certificate.
+To this end, all certificates in B<cert> and in B<bs> are considered as
+untrusted certificates for the construction of the validation path for the
+signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
+validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
+Otherwise it verifies that the signer certificate meets the OCSP issuer
+criteria including potential delegation. If this does not succeed and the
+B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit
+trust for OCSP signing in the root CA certificate.
+
 =head1 RETURN VALUES
 
 OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise.
@@ -119,6 +144,9 @@ occurred.
 OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
 or 0 on error.
 
+OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such
+as malloc failure.
+
 =head1 NOTES
 
 Applications will typically call OCSP_resp_find_status() using the certificate


More information about the openssl-commits mailing list