[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Dave Coombs dcoombs at carillon.ca
Tue Oct 31 13:06:44 UTC 2017


I was fiddling around with OpenSSL 1.1.0 this past weekend, because One Day We'll Need To Upgrade (tm), and ran into the following.

We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 / 1.0.2 to confirm that the signature on an OCSP response is correct.  This is a macro in ocsp.h, which directly accesses the signature, signatureAlgorithm, and tbsResponseData members of the OCSP_BASICRESP structure.  In 1.1.0, this structure is now opaque, but the macros are still present in the public ocsp.h, so any external code that uses this macro can't compile.

I can get around this by copying the struct definitions from ocsp_lcl.h into the external code, but that both defeats the purpose of opaque structures and will cause me problems if the structure contents ever change.

Is the correct solution to use OCSP_basic_verify(), which feels like overkill for my needs (the code in question is *part of* our own path-validation routine), or might there be some other way?

Either way, I hereby report you've got a few macros in a public header that can't possibly work as things stand. :-)

