oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(hx509_ocsp_verify): explain what its useful for and provide sane error message.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20808 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2007-06-03 03:18:12 +00:00
parent 85d84dd15e
commit 4f52c4766a
1 changed files with 45 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
lib/hx509/revoke.c
View File

@@ -281,8 +281,11 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
ret = parse_ocsp_basic(data, length, &basic); ret = parse_ocsp_basic(data, length, &basic);
_hx509_unmap_file(data, length); _hx509_unmap_file(data, length);
if (ret) if (ret) {
hx509_set_error_string(context, ret, 0,
"Failed to parse OCSP response");
return ret; return ret;
}
if (basic.certs) { if (basic.certs) {
int i; int i;
@@ -956,6 +959,12 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
return ret; return ret;
} }
/*
* Verify that the `cert' is part of the OCSP reply and its not
* expired. Doesn't verify signature the OCSP reply or its done by a
* authorized sender, that is assumed to be already done.
*/
int int
hx509_ocsp_verify(hx509_context context, hx509_ocsp_verify(hx509_context context,
time_t now, time_t now,
@@ -968,12 +977,17 @@ hx509_ocsp_verify(hx509_context context,
OCSPBasicOCSPResponse basic; OCSPBasicOCSPResponse basic;
int ret, i; int ret, i;
if (now == 0)
now = time(NULL);
*expiration = 0; *expiration = 0;
ret = parse_ocsp_basic(data, length, &basic); ret = parse_ocsp_basic(data, length, &basic);
if (ret) if (ret) {
hx509_set_error_string(context, ret, 0,
"Failed to parse OCSP response");
return ret; return ret;
}
for (i = 0; i < basic.tbsResponseData.responses.len; i++) { for (i = 0; i < basic.tbsResponseData.responses.len; i++) {
@@ -1004,20 +1018,43 @@ hx509_ocsp_verify(hx509_context context,
now + context->ocsp_time_diff) now + context->ocsp_time_diff)
continue; continue;
/* don't allow the next updte to be in the past */ /* don't allow the next update to be in the past */
if (basic.tbsResponseData.responses.val[i].nextUpdate) { if (basic.tbsResponseData.responses.val[i].nextUpdate) {
if (*basic.tbsResponseData.responses.val[i].nextUpdate < now) if (*basic.tbsResponseData.responses.val[i].nextUpdate < now)
continue; continue;
*expiration = *basic.tbsResponseData.responses.val[i].nextUpdate;
} else } else
continue; *expiration = now;
*expiration = *basic.tbsResponseData.responses.val[i].nextUpdate;
free_OCSPBasicOCSPResponse(&basic);
return 0; return 0;
} }
free_OCSPBasicOCSPResponse(&basic); free_OCSPBasicOCSPResponse(&basic);
return 0; {
hx509_name name;
char *subject;
ret = hx509_cert_get_subject(cert, &name);
if (ret) {
hx509_clear_error_string(context);
goto out;
}
ret = hx509_name_to_string(name, &subject);
hx509_name_free(&name);
if (ret) {
hx509_clear_error_string(context);
goto out;
}
hx509_set_error_string(context, HX509_CERT_NOT_IN_OCSP, 0,
"Certificate %s not in OCSP response "
"or not good",
subject);
free(subject);
}
out:
return HX509_CERT_NOT_IN_OCSP;
} }
struct hx509_crl { struct hx509_crl {