authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2017-11-02 14:40:12 +0100
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>2017-11-02 19:33:38 +0100
commitdbe42bca6a6c4b1c7a144ae01542c6a0d712131f (patch)
tree16e49196a57d5a7a66d8378dab95b5de4c294575
parent6740dc3e28a85b06f9fffa4f0c9eb3e4b1d6e66d (diff)
Add support for OCSP responses that do not contain the issuer certificate. Change-Id: I7fd5367c4c5f34c1d672fcf8506af6a2e9b9d2f7
-rw-r--r--src/manager/service/certificate-store.cpp8
-rw-r--r--src/manager/service/ocsp.cpp10
2 files changed, 15 insertions, 3 deletions
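--- a/src/manager/service/certificate-store.cpp
+++ b/src/manager/service/certificate-store.cpp
@@ -57,8 +57,8 @@ int CertificateStore::verifyCertificate(
 int ret;
 LogDebug("Certificate for verfication ptr: " << (void *)cert.getX509());
 LogDebug("Verfication with " << untrustedVector.size() <<
-" untrusted certificates" <<
-trustedVector.size() << "trusted certificates" <<
+" untrusted certificates " <<
+trustedVector.size() << " trusted certificates" <<
 " and system certificates set to: "
 << useTrustedSystemCertificates);
@@ -108,6 +108,10 @@ int CertificateStore::verifyCertificate(
 int result = X509_verify_cert(csc.get()); // 1 == ok; 0 == fail; -1 == error
 LogDebug("Openssl verification result: " << result);
+if (result == 0) {
+int error = X509_STORE_CTX_get_error(csc.get());
+LogDebug("Verification error: " << X509_verify_cert_error_string(error));
+}
 if (result > 0) {
 STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc.get());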
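Review bot: The diagnostic added after the `X509_verify_cert` call fires only for `result == 0`, so the `-1` internal-error case that the comment on that same line documents still leaves no record of why verification did not succeed; `X509_STORE_CTX_get_error` is meaningful in that case as well, so the guard should be `if (result <= 0) {`. It is also worth recording which element of the chain failed, e.g. `LogDebug("Verification error: " << X509_verify_cert_error_string(error) << " at depth " << X509_STORE_CTX_get_error_depth(csc.get()));`, because a rejected leaf and a rejected anchor point at different causes when an operator reads the log. The enclosing verifyCertificate body starts and ends outside this hunk.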
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 8c430f56..dcccf2ac 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -319,7 +319,15 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
X509_STORE_add_cert(trustedStore, issuer);
}
- int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
+ // Additional certificates to search for signer.
+ // OCSP response may not contain issuer certificate in this case
+ // we must pass it by 'other' certificates.
+ X509_STACK_PTR verifyOther = create_x509_stack();
+ sk_X509_push(verifyOther.get(), issuer);
+
+ int response = OCSP_basic_verify(bs, verifyOther.get(), trustedStore, 0);
+
+ verifyOther.reset();
if (response <= 0) {
OCSP_REQUEST_free(req);