/* * Check if the certificate is revoked using OCSP. * Current implementation aren't using OCSP to validate the certificate. * If the OCSP server is set and the cert Key Usage is set as critical, * stop swupd operation. * * TODO: Implement proper check of OCSP. */ static int validate_authority(X509 *cert) { AUTHORITY_INFO_ACCESS *info; int n, i; // Check if Authority Information Access is critical if (!is_x509_ext_critical(cert, NID_info_access)) { return 0; } debug("Authority Information Access is critical. Checking certificate revocation method\n"); // Check if the OCSP URI is set info = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL); if (!info) { goto error; } n = sk_ACCESS_DESCRIPTION_num(info); for (i = 0; i < n; i++) { ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i); if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) { error("OCSP uri found, but method not supported\n"); return -1; } } AUTHORITY_INFO_ACCESS_free(info); error: error("Supported Authority Information Access methods not found in the certificate.\n"); return -1; }
/* Return the responder URI specified in the given certificate, or * NULL if none specified. */ static const char *extract_responder_uri(X509 *cert, apr_pool_t *pool) { STACK_OF(ACCESS_DESCRIPTION) *values; char *result = NULL; int j; values = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL); if (!values) { return NULL; } for (j = 0; j < sk_ACCESS_DESCRIPTION_num(values) && !result; j++) { ACCESS_DESCRIPTION *value = sk_ACCESS_DESCRIPTION_value(values, j); /* Name found in extension, and is a URI: */ if (OBJ_obj2nid(value->method) == NID_ad_OCSP && value->location->type == GEN_URI) { result = apr_pstrdup(pool, (char *)value->location->d.uniformResourceIdentifier->data); } } AUTHORITY_INFO_ACCESS_free(values); return result; }