Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Hi,

I have a question about the behavior of OCSP_basic_verify() and the 
meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is 
the only place where this flag has an effect in the whole OpenSSL 
source, and in the "openssl ocsp" application it can be set with the 
"-no_explicit" command line option:

/*
 * Easy case: explicitly trusted. Get root CA and check for explicit
 * trust
 */
if (flags & OCSP_NOEXPLICIT)
    goto end;

x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
    OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
    goto end;
}

Unfortunately the "-no_explicit" command line option is not documented:

https://www.openssl.org/docs/apps/ocsp.html

What is the meaning of setting the OCSP_NOEXPLICIT flag, or of using the 
"-no_explicit" command line option? What exactly is checked by the 
X509_check_trust() call above with respect to the relevant RFCs?

Best regards
Stephan

