[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Dave Coombs dcoombs at carillon.ca
Tue Oct 31 17:30:03 UTC 2017

Hi Matt, thanks for your response.

>> Is the correct solution to use OCSP_basic_verify(), which feels like
>> overkill for my needs (the code in question is *part of* our own
>> path-validation routine), or might there be some other way?
> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
> "flags" argument? This basically finds the signer certificate and
> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
> chain validation bit.

If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and NULL for X509_STORE *st since it won't be used, then I think I should get the desired result, yes, at the cost of ocsp_find_signer(single-entry certs) and the internal creation/destruction of an unused X509_STORE_CTX.  I'd have a small performance hit but it probably wouldn't be too bad.

The alternative would be to change the OCSP_BASICRESP_verify() macro into an externally available function, and then both it and OCSP_basic_verify() could call the former macro, suitably renamed and internally scoped.  Clearly I'd be happy with that, though I understand if you don't want to go that route.


More information about the openssl-users mailing list