[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Stephan Mühlstrasser stm at pdflib.com
Wed Feb 18 12:19:59 UTC 2015


I have a question about the behavior of OCSP_basic_verify() and the 
meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is 
the only place where this flag has an effect in the whole OpenSSL 
source, and in the "openssl ocsp" application it can be set with the 
"-no_explicit" command line option:

  * Easy case: explicitly trusted. Get root CA and check for explicit
  * trust
if (flags & OCSP_NOEXPLICIT)
     goto end;

x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
     goto end;

Unfortunately the "-no_explicit" command line option is not documented:


What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the 
"-no_explicit" command line option. What exactly is checked by the 
X509_check_trust() call above with respect to the relevant RFCs?

Best regards

More information about the openssl-users mailing list