mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-19 19:42:30 +02:00

ocsp_check - signature verification and cert status results are separate

when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.

Otherwise results like:

Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT

will be accepted as being trustworthy.

Note that "Response verify OK" is printed on stderr, so it can't
be discarded.

Signed-off-by: Hubert Kario <hkario@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-1-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9054
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Hubert Kario 2014-09-26 12:24:00 +02:00 committed by Gert Doering
parent 8a4566ce4f
commit e0c9e84529

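The two-part acceptance rule from the commit message, as an added example in POSIX sh (not the OpenVPN ocsp_check script and not part of this commit): it runs the check over constructed `openssl ocsp ... 2>&1` output, including the failing output quoted above, and uses whole-line fixed-string matching (`grep -Fx`) instead of a `^` anchor; the serial 1234ABCD and the sample lines are made up.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN ocsp_check script or this commit.
# It applies the rule from the commit message to the text that
# `openssl ocsp ... 2>&1` leaves in $status: accept only when the response
# signature verified AND the queried serial is reported "good".

# ocsp_response_ok SERIAL OUTPUT  ->  exit status 0 (accept) or 1 (reject)
ocsp_response_ok() {
    # grep -Fx matches a whole line as a fixed string, so neither the
    # serial nor the message is interpreted as a regular expression.
    # Assumes the whole-line forms "Response verify OK" and "<serial>: good".
    printf '%s\n' "$2" | grep -Fxq 'Response verify OK' || return 1
    printf '%s\n' "$2" | grep -Fxq "$1: good"          || return 1
    return 0
}

# Constructed sample outputs (not captured from a live responder), modelled
# on the lines quoted in the commit message.  Serial 1234ABCD is made up.
SAMPLE_VERIFY_FAILED='Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
1234ABCD: good
        This Update: Sep 23 12:12:28 2014 GMT'

SAMPLE_GOOD='Response verify OK
1234ABCD: good
        This Update: Sep 23 12:12:28 2014 GMT'

SAMPLE_REVOKED='Response verify OK
1234ABCD: revoked
        This Update: Sep 23 12:12:28 2014 GMT
        Revocation Time: Sep 22 08:00:00 2014 GMT'

# A "good" line for some other serial must not vouch for ours.
SAMPLE_WRONG_SERIAL='Response verify OK
0000FFFF: good
        This Update: Sep 23 12:12:28 2014 GMT'

# verdict SERIAL OUTPUT -> prints "accept" or "reject"
verdict() {
    if ocsp_response_ok "$1" "$2"; then echo accept; else echo reject; fi
}

for name in SAMPLE_VERIFY_FAILED SAMPLE_GOOD SAMPLE_REVOKED SAMPLE_WRONG_SERIAL; do
    eval "out=\$$name"
    printf '%-20s %s\n' "$name" "$(verdict 1234ABCD "$out")"
done
```

Only SAMPLE_GOOD is accepted; the output quoted in the commit message is rejected because the signature line is missing, even though its status line says good.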

@ -97,12 +97,15 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
"$nonce" \
-CAfile "$verify" \
-url "$ocsp_url" \
-serial "${serial}" 2>/dev/null)
-serial "${serial}" 2>&1)
if [ $? -eq 0 ]; then
# check that it's good
# check that the reported status of certificate is ok
if echo "$status" | grep -Fq "^${serial}: good"; then
exit 0
# check if signature on the OCSP response verified correctly
if echo "$status" | grep -Fq "^Response verify OK"; then
exit 0
fi
fi
fi
fi
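Review bot: both grep calls in this hunk combine -F with a ^ anchor, and -F makes the ^ a literal character, so `grep -Fq "^Response verify OK"` only matches if the text `^Response verify OK` appears in `$status`, which openssl never prints; the pre-existing `grep -Fq "^${serial}: good"` has the same problem. As written, the inner `exit 0` cannot be reached. Either drop -F so the anchor works (`grep -q "^Response verify OK"`) or keep the fixed-string match and use -x for a whole-line comparison (`grep -Fxq "Response verify OK"`, `grep -Fxq "${serial}: good"`). The `2>/dev/null` to `2>&1` change is what makes the stderr line visible to the new check, as the message explains, so only the pattern needs fixing.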