From d3bc195f43cc4972bb4ab71b4529d3de0e4c3628 Mon Sep 17 00:00:00 2001
From: Bartlomiej Grzelewski
Date: Thu, 2 Nov 2017 14:40:12 +0100
Subject: [PATCH] OCSP implementation update

Add support for OCSP responses that does not contain issuer certificate.

Change-Id: I7fd5367c4c5f34c1d672fcf8506af6a2e9b9d2f7
---
 src/manager/service/certificate-store.cpp |  8 ++++++--
 src/manager/service/ocsp.cpp              | 10 +++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/manager/service/certificate-store.cpp b/src/manager/service/certificate-store.cpp
index f7ac84e..871b8a9 100644
--- a/src/manager/service/certificate-store.cpp
+++ b/src/manager/service/certificate-store.cpp
@@ -57,8 +57,8 @@ int CertificateStore::verifyCertificate(
 	int ret;
 	LogDebug("Certificate for verfication ptr: " << (void *)cert.getX509());
 	LogDebug("Verfication with " << untrustedVector.size() <<
-			 " untrusted certificates" <<
-			 trustedVector.size() << "trusted certificates" <<
+			 " untrusted certificates " <<
+			 trustedVector.size() << " trusted certificates" <<
 			 " and system certificates set to: " << useTrustedSystemCertificates);
 
 
@@ -108,6 +108,10 @@ int CertificateStore::verifyCertificate(
 	int result = X509_verify_cert(csc.get()); // 1 == ok; 0 == fail; -1 == error
 	LogDebug("Openssl verification result: " << result);
 
+	if (result == 0) {
+		int error = X509_STORE_CTX_get_error(csc.get());
+		LogDebug("Verification error: " << X509_verify_cert_error_string(error));
+	}
 	if (result > 0) {
 		STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc.get());
 
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 25219fc..0b51bf5 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
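Review bot: The new diagnostic in the second certificate-store.cpp hunk fires only for `result == 0`, yet the comment on the X509_verify_cert line itself documents -1 as a distinct internal-error outcome, and X509_STORE_CTX_get_error() is what explains that case too (for example a chain that could not be built at all); the guard should be `if (result <= 0) {` so the error path is not silent. The later `if (result > 0)` branch is unaffected by that widening. verifyCertificate begins before and ends after the hunk, so whether the -1 case is logged elsewhere cannot be seen here.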
@@ -310,7 +310,15 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 		X509_STORE_add_cert(trustedStore, issuer);
 	}
 
-	int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
+	// Additional certificates to search for signer.
+	// OCSP response may not contain issuer certificate in this case
+	// we must pass it by 'other' certificates.
+	X509_STACK_PTR verifyOther = create_x509_stack();
+	sk_X509_push(verifyOther.get(), issuer);
+
+	int response = OCSP_basic_verify(bs, verifyOther.get(), trustedStore, 0);
+
+	verifyOther.reset();
 
 	if (response <= 0) {
 		OCSP_REQUEST_free(req);
-- 
2.7.4
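Review bot: `sk_X509_push(verifyOther.get(), issuer)` stores a borrowed pointer without taking a reference, so whether the explicit `verifyOther.reset()` is safe depends entirely on the deleter behind X509_STACK_PTR and create_x509_stack(), which are not visible here: with sk_X509_free it only releases the stack, but with sk_X509_pop_free it would free the caller's `issuer` and leave a dangling pointer in the caller. Either confirm the deleter in a comment next to the push, or take a reference before pushing (X509_up_ref on OpenSSL 1.1, CRYPTO_add on 1.0.x) so the stack owns what it frees. The push's return value is also unchecked; on allocation failure verification silently proceeds without the issuer, so it should bail out the same way the `response <= 0` branch below does. Keeping the flags argument at 0 is the right choice and worth a comment, since OCSP_TRUSTOTHER would make OpenSSL accept any certificate in `verifyOther` as the responder without validating its chain against trustedStore. ocsp_verify begins before and ends after the hunk.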