[PATCH] Add RFC 2560 "non-delegated" model where issuer is OCSP signee

Frederik Schwan gooogle.liest.mit at googlemail.com
Mon May 5 12:21:15 UTC 2014


# HG changeset patch
# User Frederik Schwan <frederik.schwan at linux.com>
# Date 1399288827 -7200
#      Mon May 05 13:20:27 2014 +0200
# Node ID a1f71e35b4a851e1a2c8756f885683518665c528
# Parent  48c97d83ab7f0a3f641987fb32ace8af7720aefc
Add RFC 2560 "non-delegated" model where issuer is OCSP signee

diff -r 48c97d83ab7f -r a1f71e35b4a8 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Tue Apr 29 22:22:38 2014 +0200
+++ b/src/event/ngx_event_openssl_stapling.c	Mon May 05 13:20:27 2014 +0200
@@ -529,11 +529,11 @@
     const
 #endif
     u_char                *p;
-    int                    n;
+    int                    n, i;
     size_t                 len;
     ngx_str_t              response;
     X509_STORE            *store;
-    STACK_OF(X509)        *chain;
+    STACK_OF(X509)        *chain, *issuer_st;
     OCSP_CERTID           *id;
     OCSP_RESPONSE         *ocsp;
     OCSP_BASICRESP        *basic;
@@ -589,13 +589,19 @@
 #else
     chain = staple->ssl_ctx->extra_certs;
 #endif
+    issuer_st = sk_X509_new_null();
+    sk_X509_push(issuer_st, staple->issuer);
+    i = OCSP_basic_verify(basic, chain, store,
+        staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
+
+    if (i <= 0 && issuer_st){
+        i = OCSP_basic_verify(basic, issuer_st, store,OCSP_TRUSTOTHER);
+        if (i > 0) ERR_clear_error();
+    }

-    if (OCSP_basic_verify(basic, chain, store,
-        staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
-        != 1)
-    {
+    if(i <= 0){
         ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
-                      "OCSP_basic_verify() failed");
+                  "OCSP_basic_verify() failed");
         goto error;
     }

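Review bot: The stack created by `sk_X509_new_null()` is never released: `issuer_st` is freed neither on the success path nor at the function's `error:` cleanup (both outside this hunk), so every stapling refresh leaks it, and the NULL check in `if (i <= 0 && issuer_st)` only comes after `sk_X509_push()` has already been called on the stack with its return value ignored. Allocate and check the stack before the first verify, initialise it to NULL in the declaration hunk above (`STACK_OF(X509) *chain, *issuer_st = NULL;`), and add `sk_X509_free(issuer_st);` — not `sk_X509_pop_free`, since `staple->issuer` is not owned by the stack — to the shared cleanup. The fallback deliberately passes `OCSP_TRUSTOTHER` for the bare issuer, so its correctness rests on `staple->issuer` having been validated as the real issuer of the server certificate elsewhere in this file; a one-line comment stating that assumption would help the next reader. Nginx style also wants `if (i <= 0) {` and a space after the comma in `store,OCSP_TRUSTOTHER`, and the re-indented `"OCSP_basic_verify() failed"` continuation line is an unrelated whitespace change.
```c
    issuer_st = sk_X509_new_null();
    if (issuer_st == NULL || sk_X509_push(issuer_st, staple->issuer) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, "sk_X509_push() failed");
        goto error;
    }

    i = OCSP_basic_verify(basic, chain, store,
                          staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);

    /* RFC 2560 2.2: the CA that issued the certificate may sign the response
     * itself; retry trusting only the issuer, which is validated elsewhere */
    if (i <= 0) {
        i = OCSP_basic_verify(basic, issuer_st, store, OCSP_TRUSTOTHER);
        if (i > 0) {
            ERR_clear_error();
        }
    }

    if (i <= 0) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_basic_verify() failed");
        goto error;
    }

    /* … unchanged: rest of the function; sk_X509_free(issuer_st) belongs at
     * the success exit and at the error: label, both outside this hunk … */
```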











