In ocsp_match_issuerid() we are passed the CA that signed the responder

certificate so need to match its subject with the certificate IDs in the
response.

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index be399a3a3597abe873da499da1d6bb461391deb1..43b62a8cb8b255d71a1a38947ab511c8f1fd5825 100644 (file)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -305,7 +305,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                if ((cid->issuerNameHash->length != mdlen) ||
                   (cid->issuerKeyHash->length != mdlen))
                        return 0;
-               iname = X509_get_issuer_name(cert);
+               iname = X509_get_subject_name(cert);
                if (!X509_NAME_digest(iname, dgst, md, NULL))
                        return -1;
                if (memcmp(md, cid->issuerNameHash->data, mdlen))