Update to use CERT_REVOKED error, shortcut out of OCSP checking when OCSP reply is a revocation reply.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21800 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-08-03 10:12:09 +00:00
parent 0df9285b48
commit 90b68a672a
1 changed files with 8 additions and 1 deletions
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -618,6 +618,10 @@ hx509_revoke_verify(hx509_context context,
 	    case choice_OCSPCertStatus_good:
 		break;
 	    case choice_OCSPCertStatus_revoked:
+		hx509_set_error_string(context, 0, 
+				       HX509_CERT_REVOKED,
+				       "Certificate revoked by issuer in OCSP");
+		return HX509_CERT_REVOKED;
 	    case choice_OCSPCertStatus_unknown:
 		continue;
 	    }
@@ -705,7 +709,10 @@ hx509_revoke_verify(hx509_context context,
 		    if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical)
 			return HX509_CRL_UNKNOWN_EXTENSION;
 	    
-	    return HX509_CRL_CERT_REVOKED;
+	    hx509_set_error_string(context, 0, 
+				   HX509_CERT_REVOKED,
+				   "Certificate revoked by issuer in CRL");
+	    return HX509_CERT_REVOKED;
 	}

 	return 0;