Add the -VAfile option to 'openssl ocsp'. This option will give the

client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.

diff --git a/CHANGES b/CHANGES
index 136dde4884708769cd900c81ea00231a21cd3ded..4c59e64dbfc7029575581f2c2da93a83b66701d4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,11 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+     OCSP client a number of certificate to only verify the response
+     signature against.
+     [Richard Levitte]
+
   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
      Bleichenbacher's DSA attack.
      [Ulf Moeller, Bodo Moeller]

diff --git a/apps/ocsp.c b/apps/ocsp.c
index cec2f2b8090f65a5c837498bbd53614be7b104b0..1ea4f9d2ef09b748b3a0c52f47f40b162ac11c8c 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -94,7 +94,9 @@ int MAIN(int argc, char **argv)
        BIO *out = NULL;
        int req_text = 0, resp_text = 0;
        char *CAfile = NULL, *CApath = NULL;
+        char *VAfile = NULL;
        X509_STORE *store = NULL;
+        STACK_OF(X509) *VAstore = NULL;
        int ret = 1;
        int badarg = 0;
        int i;
@@ -167,6 +169,15 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (!strcmp (*args, "-VAfile"))
+                       {
+                       if (args[1])
+                               {
+                               args++;
+                               VAfile = *args;
+                               }
+                       else badarg = 1;
+                       }
                else if (!strcmp (*args, "-CAfile"))
                        {
                        if (args[1])
@@ -290,6 +301,7 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-path         path to use in OCSP request\n");
                BIO_printf (bio_err, "-CApath dir   trusted certificates directory\n");
                BIO_printf (bio_err, "-CAfile file  trusted certificates file\n");
+               BIO_printf (bio_err, "-VAfile file  validator certificates file\n");
                BIO_printf (bio_err, "-noverify     don't verify response\n");
                goto end;
                }
@@ -438,6 +450,8 @@ int MAIN(int argc, char **argv)
        store = setup_verify(bio_err, CAfile, CApath);
        if(!store) goto end;
 
+        if (VAfile) VAstore = load_certs(bio_err, VAfile, FORMAT_PEM);
+
        bs = OCSP_response_get1_basic(resp);
 
        if (!bs)
@@ -454,7 +468,8 @@ int MAIN(int argc, char **argv)
                        goto end;
                        }
 
-               i = OCSP_basic_verify(bs, NULL, store, 0);
+               i = OCSP_basic_verify(bs, VAstore, store, OCSP_TRUSTOTHER);
+                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
 
                if(i <= 0)
                        {
@@ -475,6 +490,7 @@ end:
        ERR_print_errors(bio_err);
        X509_free(signer);
        X509_STORE_free(store);
+        sk_X509_free(VAstore);
        EVP_PKEY_free(key);
        X509_free(issuer);
        X509_free(cert);