ssl_engine_ocsp.c revision 7b7430e701e9a31ce809da7c220bb8dfcf68c86e
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ssl_private.h"
#ifndef OPENSSL_NO_OCSP
#include "apr_base64.h"
/* Return the responder URI specified in the given certificate, or
* NULL if none specified. */
{
int j;
if (!values) {
return NULL;
}
/* Name found in extension, and is a URI: */
}
}
return result;
}
/* Return the responder URI object which should be used in the given
* configuration for the given certificate, or NULL if none can be
* determined. */
conn_rec *c, apr_pool_t *p)
{
apr_uri_t *u = apr_palloc(p, sizeof *u);
const char *s;
/* Use default responder URL if forced by configuration, else use
* certificate-specified responder, falling back to default if
* necessary and possible. */
}
else {
s = extract_responder_uri(cert, p);
}
}
if (s == NULL) {
"no OCSP responder specified in certificate and "
"no default configured");
return NULL;
}
rv = apr_uri_parse(p, s, u);
"failed to parse OCSP responder URI '%s'", s);
return NULL;
}
"cannot handle OCSP responder URI '%s'", s);
return NULL;
}
if (!u->port) {
}
return u;
}
/* Create an OCSP request for the given certificate; returning the
* certificate ID in *certid and *issuer on success. Returns the
* request object on success, or NULL on error. */
server_rec *s, apr_pool_t *p)
{
"could not retrieve certificate id");
return NULL;
}
return req;
}
/* Verify the OCSP status of given certificate. Returns
* V_OCSP_CERTSTATUS_* result code. */
{
int rc = V_OCSP_CERTSTATUS_GOOD;
if (!ruri) {
return V_OCSP_CERTSTATUS_UNKNOWN;
}
if (request) {
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int r = OCSP_response_status(response);
if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
"OCSP response not successful: %d", rc);
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
if (!basicResponse) {
"could not retrieve OCSP basic response");
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
"Bad OCSP responder answer (bad nonce)");
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
/* TODO: allow flags configuration. */
"failed to verify the OCSP response");
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
if (rc != 1) {
"failed to retrieve OCSP response status");
}
else {
}
/* Check whether the response is inside the defined validity
* period; otherwise fail. */
if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
/* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
* that responses can be of any age as long as nextup is in the
* future. */
if (vrc != 1) {
"OCSP response outside validity period");
}
}
{
int level =
const char *result =
"OCSP validation completed, "
"certificate status: %s (%d, %d)",
}
}
/* certID is freed when the request is freed */
return rc;
}
{
int rv;
if (!cert) {
/* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
* may yield NULL. Return early, but leave the ctx error as is. */
"No cert available to check with OCSP");
return 1;
}
/* don't do OCSP checking for valid self-issued certs */
"Skipping OCSP check for valid self-issued cert");
return 1;
}
/* Create a temporary pool to constrain memory use (the passed-in
* pool may be e.g. a connection pool). */
/* Propagate the verification status back to the passed-in
* context. */
switch (rv) {
case V_OCSP_CERTSTATUS_GOOD:
break;
break;
/* correct error code for application errors? */
break;
}
return rv == V_OCSP_CERTSTATUS_GOOD;
}
#endif /* HAVE_OCSP */