On Thu, Jul 17, 2003, Wu Junwei wrote:

> Hi, all
> 
> I have a 4-level certificate tree.
> 
> ca0--ca1--ca2--cert
> 
> And I put ca0, ca1 in the X509_STORE,
> put ca2 in the STACK_OF(X509)
> 
> When I send the ocsp request to ca2, with the cert in question, I can get
> the ocsp response which is signed by the delegated signer D1.
> D1 is signed by ca2.
> And the D1's certificate is attached in the ocsp response.
> 
> I think it is because the store does not contain the whole certificate chain
> needed to verify D1's certificate.
> The function OCSP_basic_verify() will not return 1 in the default case.
> 
> And I would like to know, in what case can I have this situation verified
> by OCSP_basic_verify()?
> Or maybe I should change the original program?
> 

The way this works is that initially the OCSP_basic_verify() has to locate the
response signer's certificate. It will look both in the response and the
passed STACK. 

In your case the signer's certificate is part of the response so that's OK.

It then attempts to verify the signer's certificate chain. It uses the
certificates in the response as untrusted CAs along with the store. It does
not use the supplied STACK for this. Therefore any certificates not in the
response must be in the store. In your example you'd need ca2 in the store or
the response.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
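A worked reproduction of the situation described in the reply, added here as an example and not part of the original exchange: the script below builds the ca0--ca1--ca2--cert chain with a delegated signer D1 issued by ca2, has `openssl ocsp -index` produce a response signed by D1 (the signer's certificate is embedded in the response by default), and then verifies that response against different trust stores with `openssl ocsp -respin -CAfile`, which ends up in OCSP_basic_verify() with the -CAfile contents as the X509_STORE. It needs the openssl command-line tool; the names, serial numbers, extension profiles and the CA index entry are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild ca0--ca1--ca2--cert with a
# delegated OCSP signer D1 issued by ca2, then check the response under three
# trust configurations. Everything below (names, serials, index) is made up.
set -e
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certificates, the delegated signer, the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# newkey NAME: key pair plus CSR for one name (EC keys keep the run short).
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -subj "/CN=$1" -out "$1.csr" >/dev/null 2>&1
}
# issue NAME ISSUER EXTFILE SERIAL: certificate for NAME signed by ISSUER.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$4" \
    -days 1 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

for n in ca0 ca1 ca2 D1 cert; do newkey "$n"; done
openssl x509 -req -in ca0.csr -signkey ca0.key -set_serial 0x01 -days 1 \
  -extfile ca.ext -out ca0.crt >/dev/null 2>&1   # ca0: self-signed root
issue ca1  ca0 ca.ext   0x02     # ca0 -> ca1
issue ca2  ca1 ca.ext   0x03     # ca1 -> ca2
issue D1   ca2 ocsp.ext 0x04     # ca2 -> D1, the delegated responder
issue cert ca2 leaf.ext 0x1000   # ca2 -> cert, the certificate in question

# Minimal CA index so "openssl ocsp -index" can answer "good" for serial 0x1000.
printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=cert\n' > index.txt
: > index.txt.attr

# respond OUTFILE [extra ocsp options]: response for cert, signed by D1.
respond() {
  resp_out=$1; shift
  openssl ocsp -issuer ca2.crt -cert cert.crt -no_nonce -index index.txt -CA ca2.crt \
    -rsigner D1.crt -rkey D1.key -respout "$resp_out" -noverify "$@" >/dev/null 2>&1 || true
  [ -s "$resp_out" ]   # the written file, not the exit status, is what matters here
}
respond resp_d1.der                          # carries only D1's certificate
respond resp_d1_ca2.der -rother ca2.crt      # also carries ca2

cat ca0.crt ca1.crt         > store_partial.pem   # what the question put in the store
cat ca0.crt ca1.crt ca2.crt > store_full.pem      # the same store plus ca2

# outcome RESPONSE STOREFILE: "verified" or "rejected". No -verify_other and no
# -issuer on purpose: the signer must be found in the response and its chain
# built from the response's certificates plus the -CAfile store, nothing else.
outcome() {
  if openssl ocsp -respin "$1" -CAfile "$2" -no_nonce >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

echo "ca2 in neither store nor response: $(outcome resp_d1.der store_partial.pem)"
echo "ca2 in the store:                  $(outcome resp_d1.der store_full.pem)"
echo "ca2 attached to the response:      $(outcome resp_d1_ca2.der store_partial.pem)"
```

The first check is rejected because ca2 is in neither the store nor the response, the second is verified with ca2 in the store, and the third is verified with ca2 attached to the response via -rother, which is the choice the reply gives. The verification commands deliberately pass neither -verify_other nor -issuer: to my knowledge, OpenSSL releases from 1.0.2 onward also merge the certificates passed in the STACK into the untrusted set used for chain building, and the ocsp tool retries verification with the -issuer certificates, so on a current build either option would make ca2 available and hide the failing case.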
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]