[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Matt Caswell matt at openssl.org
Tue Oct 31 16:26:24 UTC 2017

On 31/10/17 16:02, Wouter Verhelst wrote:
> Hi Matt,
> On 31-10-17 16:36, Matt Caswell wrote:
>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>> "flags" argument? This basically finds the signer certificate and
>> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
>> chain validation bit.
> Just wanted to point out that that is, actually, a confusing name for
> that flag.
> "NOVERIFY" seems to imply that there is no verification being done, at
> all. Intuitively one senses that's not right, and that at least some
> verification will be done (in casu the signature will still be checked);
> but figuring out which part of the verification is being dropped and
> which part isn't requires one to read either the library source or the
> documentation, both of which are annoying if they can be avoided and do
> not help for the readability of code that uses the flag in question.
> Might I suggest that this flag be renamed somehow, to something that
> makes it more clear what exactly it does?

I agree it's not a great name for it. Unfortunately we are stuck with it
for compatibility reasons. If we renamed it we would break any code that
is currently using it. We could introduce a new flag with a different
name which does the same thing - but I'm not sure that does anything to
make things less confusing.

The best way forward is to document it. It isn't documented at all at
the moment along with a number of other OCSP related functions and
features. PRs welcome for that.
