mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-29 13:03:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use new partial chain flag instead of modifying input parameters.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2012-12-13 18:20:47 +00:00
parent 51e7a4378a
commit 2a21cdbe6b
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
crypto/ocsp/ocsp_vfy.c
View File

@ -111,14 +111,13 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
*/
if (chain == certs) goto verified_chain;
/* If we trust some "other" certificates, mark them as
* explicitly trusted (because some of them might be
/* If we trust some "other" certificates, allow partial
* chains (because some of them might be
* Intermediate CA Certificates), put them in a store and
* attempt to build a trusted chain.
*/
if ((flags & OCSP_TRUSTOTHER) && (certs != NULL))
{
ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign);
tmpstore = X509_STORE_new();
if (!tmpstore)
{
@ -129,7 +128,6 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
for (i = 0; i < sk_X509_num(certs); i++)
{
X509 *xother = sk_X509_value(certs, i);
X509_add1_trust_object(xother, objtmp);
if (!X509_STORE_add_cert(tmpstore, xother))
{
ret = -1;
@ -145,6 +143,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
goto end;
}
X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_PARTIAL_CHAIN);
ret = X509_verify_cert(&ctx);
if (ret == 1)
{