Add an API to get the signer of an OCSP response

Add a new function OCSP_resp_get0_signer() that looks in the certs bundled with the response as well as in additional certificates provided as a function argument, returning the certificate that signed the given response (if present). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4573)
author: Benjamin Kaduk <bkaduk@akamai.com> 2017-10-18 15:29:18 -0500
committer: Ben Kaduk <kaduk@mit.edu> 2017-11-11 20:03:49 -0600
commit: ce5886dda80b6f60fb30762381506d5c6f2d995c (patch)
tree: edaba1bdce2192f8665da3d2c77bf83acaaca6cf /crypto/ocsp/ocsp_vfy.c
parent: 47c07020b7be6f5f8d8ffc7323b54a4ac259c910 (diff)
download: openssl-new-ce5886dda80b6f60fb30762381506d5c6f2d995c.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 809f7f41e1..89147d93ae 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
     goto end;
 }
 
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                     STACK_OF(X509) *extra_certs)
+{
+    int ret;
+
+    ret = ocsp_find_signer(signer, bs, extra_certs, 0);
+    return (ret > 0) ? 1 : 0;
+}
+
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
                             STACK_OF(X509) *certs, unsigned long flags)
 {
author	Benjamin Kaduk <bkaduk@akamai.com>	2017-10-18 15:29:18 -0500
committer	Ben Kaduk <kaduk@mit.edu>	2017-11-11 20:03:49 -0600
commit	ce5886dda80b6f60fb30762381506d5c6f2d995c (patch)
tree	edaba1bdce2192f8665da3d2c77bf83acaaca6cf /crypto/ocsp/ocsp_vfy.c
parent	47c07020b7be6f5f8d8ffc7323b54a4ac259c910 (diff)
download	openssl-new-ce5886dda80b6f60fb30762381506d5c6f2d995c.tar.gz