@@ -120,7 +120,7 @@ OCSP_basic_verify() checks that the basic response message B<bs> is correctly
signed and that the signer certificate can be validated. It takes B<st> as
the trusted store and B<certs> as a set of untrusted intermediate certificates.
The function first tries to find the signer certificate of the response
-in <certs>. It also searches the certificates the responder may have included
+in B<certs>. It also searches the certificates the responder may have included
in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>.
It fails if the signer certificate cannot be found.
Next, the function checks the signature of B<bs> and fails on error
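Review bot: the markup fix in `+in B<certs>.` is correct, since a bare `<certs>` has no POD formatting-code letter and would render as literal angle brackets rather than as the bold parameter name used everywhere else in this paragraph (B<st>, B<bs>, B<flags>); it would be worth checking the rest of the file for the same bare `<...>` pattern in one pass so the fix is not repeated piecemeal.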
@@ -128,6 +128,10 @@ unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns
success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate
was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>.
Otherwise the function continues by validating the signer certificate.
+If B<flags> contains B<OCSP_PARTIAL_CHAIN>, intermediate CA certificates
+in B<st> are trust-anchors.
+For more details, see the description of B<X509_V_FLAG_PARTIAL_CHAIN>
+in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
To this end, all certificates in B<cert> and in B<bs> are considered as
untrusted certificates for the construction of the validation path for the
signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path
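Review bot: the placement of the four added lines breaks the antecedent of the following sentence: "To this end, all certificates in B<cert> and in B<bs> are considered as untrusted certificates ..." refers back to "the function continues by validating the signer certificate", but with the B<OCSP_PARTIAL_CHAIN> sentences inserted in between, "To this end" now appears to refer to treating intermediates in B<st> as trust-anchors, which is not what the path-construction sentence describes. Suggest either moving the added lines after "... After successful path" paragraph ends, or rewording the existing sentence to "For this validation, all certificates in ..." so the reference is unambiguous. Separately, the unchanged context line `To this end, all certificates in B<cert> and in B<bs>` names the parameter B<cert> while the function's parameter (and the line fixed in the previous hunk) is B<certs>; since this patch is already touching parameter-name markup, fixing that inconsistency here would be appropriate. The added text itself is accurate to the referenced flag semantics (intermediates in the trusted store become trust-anchors, and only B<st> is affected, not B<certs>), and the cross-reference to L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS> is the right place to send the reader for the security implications of that relaxation.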
@@ -185,7 +189,8 @@ L<OCSP_cert_to_id(3)>,
L<OCSP_request_add1_nonce(3)>,
L<OCSP_REQUEST_new(3)>,
L<OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)>
+L<OCSP_sendreq_new(3)>,
+L<X509_VERIFY_PARAM_set_flags(3)>
=head1 COPYRIGHT