On 31-10-17 17:47, Matt Caswell wrote:
>
>
> On 31/10/17 16:42, Wouter Verhelst wrote:
>> On 31-10-17 17:26, Matt Caswell wrote:
>>> I agree it's not a great name for it. Unfortunately we are stuck with it
>>> for compatibility reasons. If we renamed it we would break any code that
>>> is currentl
On 11/01/2017 09:52 AM, Dave Coombs wrote:
>>> It would be nice, though, if the API provided a way to get the signer's
>>> certificate. There is OCSP_resp_get0_signature(), but that only returns
>>> the bit string. Comparable functions in other modules (eg:
>>> X509_get0_signature(), X509_REQ_
>> It would be nice, though, if the API provided a way to get the signer's
>> certificate. There is OCSP_resp_get0_signature(), but that only returns the
>> bit string. Comparable functions in other modules (eg:
>> X509_get0_signature(), X509_REQ_get0_signature(), X509_CRL_get0_signature(),
>
On 10/31/2017 01:05 PM, Dave Coombs wrote:
>>> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and
>>> NULL for X509_STORE *st since it won't be used, then I think I should get
>>> the desired result, yes, at the cost of ocsp_find_signer(single-entry
>>> certs) and the in
>> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and
>> NULL for X509_STORE *st since it won't be used, then I think I should get
>> the desired result, yes, at the cost of ocsp_find_signer(single-entry certs)
>> and the internal creation/destruction of an unused X509_S
On 31/10/17 17:30, Dave Coombs wrote:
> Hi Matt, thanks for your response.
>
>>> Is the correct solution to use OCSP_basic_verify(), which feels like
>>> overkill for my needs (the code in question is *part of* our own
>>> path-validation routine), or might there be some other way?
>>
>> Can you
Hi Matt, thanks for your response.
>> Is the correct solution to use OCSP_basic_verify(), which feels like
>> overkill for my needs (the code in question is *part of* our own
>> path-validation routine), or might there be some other way?
>
> Can you use OCSP_basic_verify() passing in OCSP_NOVERIF
On 31/10/17 16:42, Wouter Verhelst wrote:
> On 31-10-17 17:26, Matt Caswell wrote:
>> I agree it's not a great name for it. Unfortunately we are stuck with it
>> for compatibility reasons. If we renamed it we would break any code that
>> is currently using it. We could introduce a new flag with a
On 31-10-17 17:26, Matt Caswell wrote:
> I agree it's not a great name for it. Unfortunately we are stuck with it
> for compatibility reasons. If we renamed it we would break any code that
> is currently using it. We could introduce a new flag with a different
> name which does the same thing - but
On 31/10/2017 17:26, Matt Caswell wrote:
On 31/10/17 16:02, Wouter Verhelst wrote:
Hi Matt,
On 31-10-17 16:36, Matt Caswell wrote:
Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
"flags" argument? This basically finds the signer certificate and
verifies the signature usi
On 31/10/17 16:02, Wouter Verhelst wrote:
> Hi Matt,
>
> On 31-10-17 16:36, Matt Caswell wrote:
>> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
>> "flags" argument? This basically finds the signer certificate and
>> verifies the signature using OCSP_BASICRESP_verify(), b
Hi Matt,
On 31-10-17 16:36, Matt Caswell wrote:
> Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
> "flags" argument? This basically finds the signer certificate and
> verifies the signature using OCSP_BASICRESP_verify(), but skips all the
> chain validation bit.
Just wanted
On 10/31/2017 10:36 AM, Matt Caswell wrote:
>
> On 31/10/17 13:06, Dave Coombs wrote:
>
>> Either way, I hereby report you've got a few macros in a public
>> header that can't possibly work as things stand. :-)
> Yes - a bug. I'm tempted just to remove them.
>
That seems like the best course of ac
On 31/10/17 13:06, Dave Coombs wrote:
> Hello,
>
> I was fiddling around with OpenSSL 1.1.0 this past weekend, because
> One Day We'll Need To Upgrade (tm), and ran into the following.
>
> We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 /
> 1.0.2 to confirm that the signature on
14 matches