MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response

When calling OCSP_basic_verify to check the validity of the received OCSP response, we need to provide an untrusted certificate chain as well as an X509_STORE holding only trusted certificates. Since the certificate chain and the issuer certificate are all provided by the user, we assume that they are valid and we add them all to a temporary store. This enables to focus only on the response's validity.
2023-01-09 12:02:43 +01:00 · 2023-01-09 12:02:43 +01:00 · 8bdd0050e2
commit 8bdd0050e2
parent 57f60c2316
1 changed files with 18 additions and 4 deletions
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@ -728,16 +728,30 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
 		goto end;
 	}

-	/* Add ocsp issuer certificate to a store in order verify the ocsp
-	 * response. */
+	/* Create a temporary store in which we add the certificate's chain
+	 * certificates. We assume that all those certificates can be trusted
+	 * because they were provided by the user.
+	 * The only ssl item that needs to be verified here is the OCSP
+	 * response.
+	 */
 	store = X509_STORE_new();
 	if (!store) {
 		memprintf(err, "X509_STORE_new() failed");
 		goto end;
 	}
-	X509_STORE_add_cert(store, issuer);

-	if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+	if (chain) {
+		int i = 0;
+		for (i = 0; i < sk_X509_num(chain); i++) {
+			X509 *cert = sk_X509_value(chain, i);
+			X509_STORE_add_cert(store, cert);
+		}
+	}
+
+	if (issuer)
+		X509_STORE_add_cert(store, issuer);
+
+	if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
 		memprintf(err, "OCSP_basic_verify() failed");
 		goto end;
 	}