[PATCH] Add RFC 2560 "non-delegated" model where issuer is OCSP signee
Frederik Schwan
gooogle.liest.mit at googlemail.com
Mon May 5 12:21:15 UTC 2014
# HG changeset patch
# User Frederik Schwan <frederik.schwan at linux.com>
# Date 1399288827 -7200
# Mon May 05 13:20:27 2014 +0200
# Node ID a1f71e35b4a851e1a2c8756f885683518665c528
# Parent 48c97d83ab7f0a3f641987fb32ace8af7720aefc
Add RFC 2560 "non-delegated" model where issuer is OCSP signee
diff -r 48c97d83ab7f -r a1f71e35b4a8 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Tue Apr 29 22:22:38 2014 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Mon May 05 13:20:27 2014 +0200
@@ -529,11 +529,11 @@
const
#endif
u_char *p;
- int n;
+ int n, i;
size_t len;
ngx_str_t response;
X509_STORE *store;
- STACK_OF(X509) *chain;
+ STACK_OF(X509) *chain, *issuer_st;
OCSP_CERTID *id;
OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic;
@@ -589,13 +589,19 @@
#else
chain = staple->ssl_ctx->extra_certs;
#endif
+ issuer_st = sk_X509_new_null();
+ sk_X509_push(issuer_st, staple->issuer);
+ i = OCSP_basic_verify(basic, chain, store,
+ staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
+
+ if (i <= 0 && issuer_st){
+ i = OCSP_basic_verify(basic, issuer_st, store,OCSP_TRUSTOTHER);
+ if (i > 0) ERR_clear_error();
+ }
- if (OCSP_basic_verify(basic, chain, store,
- staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
- != 1)
- {
+ if(i <= 0){
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
- "OCSP_basic_verify() failed");
+ "OCSP_basic_verify() failed");
goto error;
}
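Review bot: The `issuer_st` created by `sk_X509_new_null()` at the top of the hunk is never released, so every processed OCSP response leaks a STACK_OF(X509) on both the success path and the `goto error` path, and the `sk_X509_push()` result is unchecked while the `issuer_st` NULL test only comes after the push has already dereferenced it. Because the stack is needed only for the fallback verify, allocate it with a checked push and free it with `sk_X509_free()` — not `sk_X509_pop_free()`, since `staple->issuer` stays owned by `staple` — right after the second `OCSP_basic_verify()` call, before the `i <= 0` check. The fallback with OCSP_TRUSTOTHER also runs when `staple->verify` is off; that looks intended (the issuer is explicitly trusted as responder signer in both modes) but deserves a comment such as `/* RFC 2560 non-delegated model: the issuer itself signs the response */`. The `if(i <= 0){` and `store,OCSP_TRUSTOTHER` spacing and the re-indented log string on the last lines do not follow the surrounding nginx style. The enclosing function starts and ends outside the hunk.
```c
    /* … unchanged: chain selection above … */
    issuer_st = sk_X509_new_null();
    if (issuer_st == NULL || sk_X509_push(issuer_st, staple->issuer) == 0) {
        sk_X509_free(issuer_st);
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, "sk_X509_push() failed");
        goto error;
    }

    i = OCSP_basic_verify(basic, chain, store,
                          staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);

    if (i <= 0) {
        /* RFC 2560 non-delegated model: the issuer itself signs the response */
        i = OCSP_basic_verify(basic, issuer_st, store, OCSP_TRUSTOTHER);
        if (i > 0) {
            ERR_clear_error();
        }
    }

    /* staple->issuer is still owned by staple; release only the stack */
    sk_X509_free(issuer_st);

    if (i <= 0) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, "OCSP_basic_verify() failed");
        goto error;
    }
```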