[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Matt Caswell matt at openssl.org
Tue Oct 31 17:34:29 UTC 2017

On 31/10/17 17:30, Dave Coombs wrote:
> Hi Matt, thanks for your response.
>>> Is the correct solution to use OCSP_basic_verify(), which feels like
>>> overkill for my needs (the code in question is *part of* our own
>>> path-validation routine), or might there be some other way?
>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>> "flags" argument? This basically finds the signer certificate and
>> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
>> chain validation bit.
> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and NULL for X509_STORE *st since it won't be used, then I think I should get the desired result, yes, at the cost of ocsp_find_signer(single-entry certs) and the internal creation/destruction of an unused X509_STORE_CTX.  I'd have a small performance hit but it probably wouldn't be too bad.

Probably the construction of that ctx is in the wrong place. It should
be later in the function. I can't imagine the ocsp_find_signer() hit is
too great.

> The alternative would be to change the OCSP_BASICRESP_verify() macro into an externally available function, and then both it and OCSP_basic_verify() could call the former macro, suitably renamed and internally scoped.  Clearly I'd be happy with that, though I understand if you don't want to go that route.

I did consider it, but I'm not especially keen. I think the intended
application interface here is to use OCSP_basic_verify().
OCSP_BASICRESP_verify() should probably have never been exposed in the
first place.


More information about the openssl-users mailing list