author | Mathieu Souchaud <[email protected]> | 2018-02-26 18:46:44 +0100 |
---|---|---|
committer | Mathieu Souchaud <[email protected]> | 2018-03-01 10:57:14 +0100 |
commit | 593af9d4e3d89f6a92cb2b6f4f127be728d10782 (patch) | |
tree | 774874c6dc5c175e50873a934abbf6aee2a8a4ee /src/lib/x509/x509path.cpp | |
parent | 3870a2a59a9940635a133fbe60ab05c9815a4d1c (diff) |
OCSP softfail revocation check
Diffstat (limited to 'src/lib/x509/x509path.cpp')
-rw-r--r-- | src/lib/x509/x509path.cpp | 50 |
1 files changed, 30 insertions, 20 deletions
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index 0914348ee..1a0db5035 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -371,26 +371,34 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
       if(subject->ocsp_responder() == "")
          {
          ocsp_response_futures.emplace_back(std::async(std::launch::deferred, [&]() -> std::shared_ptr<const OCSP::Response> {
-            throw Exception("No OCSP responder URL set for this certificate");
+            return std::make_shared<const OCSP::Response>(Certificate_Status_Code::OSCP_NO_REVOCATION_URL);
             }));
-         }
-      else
-         {
-         ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
-            OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
-
-            auto http = HTTP::POST_sync(subject->ocsp_responder(),
-                                        "application/ocsp-request",
-                                        req.BER_encode(),
-                                        /*redirects*/1,
-                                        timeout);
-
-            http.throw_unless_ok();
-            // Check the MIME type?
-
-            return std::make_shared<const OCSP::Response>(http.body());
-            }));
-         }
+         }
+      else
+         {
+         ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
+            OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
+
+            HTTP::Response http;
+            try
+               {
+               http = HTTP::POST_sync(subject->ocsp_responder(),
+                                      "application/ocsp-request",
+                                      req.BER_encode(),
+                                      /*redirects*/1,
+                                      timeout);
+               }
+            catch(std::exception& e)
+               {
+               // log e.what() ?
+               }
+            if (http.status_code() != 200)
+               return std::make_shared<const OCSP::Response>(Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE);
+            // Check the MIME type?
+
+            return std::make_shared<const OCSP::Response>(http.body());
+            }));
+         }
       }
 
    std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses;
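Review bot: The new `catch(std::exception& e)` block in the async lambda swallows the transport error with only a `// log e.what() ?` placeholder, and the bound `e` is never used, so the intent (soft-fail on any HTTP failure) is neither stated nor acted on. After the catch the code relies on a default-constructed `HTTP::Response` reporting a non-200 `status_code()`; that is not visible in this hunk and should be stated, since it is what turns a thrown error into `OSCP_SERVER_NOT_AVAILABLE`. I would write `catch(const std::exception&)` with a one-line comment inside it, e.g. `// soft-fail: a transport error is reported as OSCP_SERVER_NOT_AVAILABLE via the status check below`, so the fall-through is clearly deliberate rather than an unfinished TODO. Note also that `http.status_code() != 200` replaces the previous `http.throw_unless_ok()`, which may have accepted other 2xx codes. check_ocsp_online starts and ends outside this hunk.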
@@ -774,7 +782,9 @@ void PKIX::merge_revocation_status(CertificatePathStatusCodes& chain_status,
          {
          for(auto&& code : ocsp[i])
             {
-            if(code == Certificate_Status_Code::OCSP_RESPONSE_GOOD)
+            if(code == Certificate_Status_Code::OCSP_RESPONSE_GOOD ||
+               code == Certificate_Status_Code::OSCP_NO_REVOCATION_URL || // softfail
+               code == Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE) // softfail
                {
                had_ocsp = true;
                }
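Review bot: The two new enumerators are spelled `OSCP_NO_REVOCATION_URL` and `OSCP_SERVER_NOT_AVAILABLE` while the existing one on the same line is `OCSP_RESPONSE_GOOD`; the transposition appears in both hunks and becomes part of the public Certificate_Status_Code enum, where it will be hard to rename later. Separately, folding the two soft-fail codes into the same `had_ocsp = true` path as a genuine GOOD response means that, from this flag alone, an unreachable responder is indistinguishable from a successful revocation check; whether a caller can still recover the soft-fail code from chain_status is not visible here. A short comment above the condition, such as `// softfail: no URL or unreachable responder counts as "OCSP consulted", not as revoked`, would record that policy where the next reader will look for it. merge_revocation_status starts and ends outside this hunk.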