Page, Greg via RT
2016-07-21 07:14:37 UTC
Hello!
I have been using openssl to get OCSP status for a certificate and I ran across an interesting case.
OCSP responses do not seem to include the intermediate certificates so they have to be acquired in other ways. I have been doing this and adding them to the certificate stack handed to OCSP_basic_verify().
However, I have noticed that these certificates are not used in creating a certificate chain back to a root CA because they are not added to the X509_STORE_CTX that is sent to X509_verify_cert() and X509_STORE_CTX_get1_chain().
I am relatively new to this so I may be incorrect; however, it seems to me that the certificates in the cert argument should be added to the X509_STORE_CTX.
What are your thoughts?
Thanks,
Greg
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4620
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev