summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorRich Salz <rsalz@akamai.com>2020-08-17 21:31:42 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-27 20:03:39 +0200
commit0495a3ec4ab463d5c08f4a4e85d0e3925e4602e7 (patch)
tree1c3d88d88b9a4d71e98f70d1e01b5f3738086edb /doc
parentapps: -msg flag enhancement 2/2 (diff)
downloadopenssl-0495a3ec4ab463d5c08f4a4e85d0e3925e4602e7.tar.xz
openssl-0495a3ec4ab463d5c08f4a4e85d0e3925e4602e7.zip
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify() function. This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that if any certificate in the OCSP response is in the trust store, then trust it. Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12666)
Diffstat (limited to 'doc')
-rw-r--r--doc/man3/OCSP_resp_find_status.pod9
-rw-r--r--doc/man3/X509_VERIFY_PARAM_set_flags.pod2
2 files changed, 8 insertions, 3 deletions
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index 179f303a77..7dd90837b6 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -120,7 +120,7 @@ OCSP_basic_verify() checks that the basic response message B<bs> is correctly
signed and that the signer certificate can be validated. It takes B<st> as
the trusted store and B<certs> as a set of untrusted intermediate certificates.
The function first tries to find the signer certificate of the response
-in <certs>. It also searches the certificates the responder may have included
+in B<certs>. It also searches the certificates the responder may have included
in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>.
It fails if the signer certificate cannot be found.
Next, the function checks the signature of B<bs> and fails on error
@@ -128,6 +128,10 @@ unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns
success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>.
Otherwise the function continues by validating the signer certificate.
+If B<flags> contains B<OCSP_PARTIAL_CHAIN>, intermediate CA certificates
+in B<st> are trust-anchors.
+For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
+in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
To this end, all certificates in B<cert> and in B<bs> are considered as
untrusted certificates for the construction of the validation path for the
signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
@@ -185,7 +189,8 @@ L<OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)>,
L<OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)>
+L<OCSP_sendreq_new(3)>,
+L<X509_VERIFY_PARAM_set_flags(3)>
=head1 COPYRIGHT
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 4f067c877c..6265915d9c 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -75,7 +75,7 @@ These functions manipulate the B<X509_VERIFY_PARAM> structure associated with
a certificate verification operation.
The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring
-it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete
+it with B<flags>. See L</VERIFICATION FLAGS> for a complete
description of values the B<flags> parameter can take.
X509_VERIFY_PARAM_get_flags() returns the flags in B<param>.