From ce5886dda80b6f60fb30762381506d5c6f2d995c Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Wed, 18 Oct 2017 15:29:18 -0500
Subject: Add an API to get the signer of an OCSP response

Add a new function OCSP_resp_get0_signer() that looks in the certs bundled with the response as well as in additional certificates provided as a function argument, returning the certificate that signed the given response (if present).

Reviewed-by: Rich Salz
Reviewed-by: Tim Hudson
(Merged from https://github.com/openssl/openssl/pull/4573)
---
 crypto/ocsp/ocsp_vfy.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'crypto/ocsp/ocsp_vfy.c')
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 809f7f41e1..89147d93ae 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 goto end;
 }

+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+ STACK_OF(X509) *extra_certs)
+{
+ int ret;
+
+ ret = ocsp_find_signer(signer, bs, extra_certs, 0);
+ return (ret > 0) ? 1 : 0;
+}
+
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
 STACK_OF(X509) *certs, unsigned long flags)
 {
-- cgit v1.2.1
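Review bot: Nothing on `OCSP_resp_get0_signer()` says that a return of 1 is only a lookup result, so a caller can mistake `*signer` for a verified responder certificate. The wrapper folds every positive result of `ocsp_find_signer()` into 1, which presumably also hides whether the match came from `extra_certs` or from the certificates bundled with the response itself. The body of `ocsp_find_signer()` lies outside the hunk, so its return codes should be confirmed there. I would add a comment above the new function such as `/* Lookup only: no signature or chain check is done here, and *signer is a borrowed pointer the caller must not free; call OCSP_basic_verify() before trusting it. */`.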