int ret;
LogDebug("Certificate for verfication ptr: " << (void *)cert.getX509());
LogDebug("Verfication with " << untrustedVector.size() <<
- " untrusted certificates" <<
- trustedVector.size() << "trusted certificates" <<
+ " untrusted certificates " <<
+ trustedVector.size() << " trusted certificates" <<
" and system certificates set to: "
<< useTrustedSystemCertificates);
int result = X509_verify_cert(csc.get()); // 1 == ok; 0 == fail; -1 == error
LogDebug("Openssl verification result: " << result);
+ if (result == 0) {
+ int error = X509_STORE_CTX_get_error(csc.get());
+ LogDebug("Verification error: " << X509_verify_cert_error_string(error));
+ }
if (result > 0) {
STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc.get());
X509_STORE_add_cert(trustedStore, issuer);
}
- int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
+ // Additional certificates to search for signer.
+ // OCSP response may not contain issuer certificate in this case
+ // we must pass it by 'other' certificates.
+ X509_STACK_PTR verifyOther = create_x509_stack();
+ sk_X509_push(verifyOther.get(), issuer);
+
+ int response = OCSP_basic_verify(bs, verifyOther.get(), trustedStore, 0);
+
+ verifyOther.reset();
if (response <= 0) {
OCSP_REQUEST_free(req);