On 31/10/17 13:06, Dave Coombs wrote:
> Hello,
>
> I was fiddling around with OpenSSL 1.1.0 this past weekend, because
> One Day We'll Need To Upgrade (tm), and ran into the following.
>
> We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 /
> 1.0.2 to confirm that the signature on an OCSP response is correct.
> This is a macro in ocsp.h, which directly accesses the signature,
> signatureAlgorithm, and tbsResponseData members of the OCSP_BASICRESP
> structure. In 1.1.0, this structure is now opaque, but the macros
> are still present in the public ocsp.h, so any external code that
> uses this macro can't compile.
>
> I can get around this by copying the struct definitions from
> ocsp_lcl.h into the external code, but that both defeats the purpose
> of opaque structures and will cause me problems if the structure
> contents ever change.
>
> Is the correct solution to use OCSP_basic_verify(), which feels like
> overkill for my needs (the code in question is *part of* our own
> path-validation routine), or might there be some other way?

Can you use OCSP_basic_verify() passing in OCSP_NOVERIFY in the final
"flags" argument? This basically finds the signer certificate and
verifies the signature using OCSP_BASICRESP_verify(), but skips all the
chain validation bit.

> Either way, I hereby report you've got a few macros in a public
> header that can't possibly work as things stand. :-)

Yes - a bug. I'm tempted just to remove them.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
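To see what the suggested OCSP_NOVERIFY mode does and does not check, here is an added shell example (not from the thread or from OpenSSL's own sources): it builds a throwaway CA and a locally signed OCSP response with the openssl CLI, then verifies that response three ways, where the CLI's `-no_cert_verify` switch sets the same OCSP_NOVERIFY flag that Matt suggests passing to OCSP_basic_verify(). It assumes `openssl` is on PATH and a temp directory is writable; the CA name, serial and index entry are constructed for the example.

```shell
#!/bin/sh
# Added example: contrast full chain validation in OCSP_basic_verify()
# with the OCSP_NOVERIFY (find signer + check signature only) mode.
# Assumes: openssl on PATH. All names, serials and dates are constructed.
set -e
WORK=$(mktemp -d)

make_ocsp_fixture() {
    # Throwaway self-signed CA that also acts as the OCSP responder
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj /CN=ExampleTestCA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Minimal CA index: one valid (V) certificate with serial 0x01
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=leaf\n' > "$WORK/index.txt"
    # Build a request for serial 1 and answer it locally, signed by the CA;
    # -noverify only skips checking our own freshly made response here
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" \
        -issuer "$WORK/ca.pem" -serial 1 \
        -noverify -respout "$WORK/resp.der" >/dev/null 2>&1
}

# Verify the stored response with the given extra flags; prints OK or FAIL.
#   (nothing)        -> signature + chain against the default trust store
#   -no_cert_verify  -> OCSP_NOVERIFY: locate signer, check signature, no chain
#   -CAfile ca.pem   -> signature + chain against the test CA
ocsp_check() {
    if openssl ocsp -respin "$WORK/resp.der" "$@" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ocsp_fixture
echo "default trust store : $(ocsp_check)"                          # FAIL
echo "-no_cert_verify     : $(ocsp_check -no_cert_verify)"          # OK
echo "-CAfile ca.pem      : $(ocsp_check -CAfile "$WORK/ca.pem")"   # OK
```

The middle case is the one Matt describes: the signer is located (here from the certs embedded in the response), the signature over tbsResponseData is checked, and the untrusted test CA no longer matters because no chain is built.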