// Validate a freshly fetched OCSP response for this context's certificate
// and, when it is acceptable, install it: the temp response file replaces
// the main response file and m_RespTime is refreshed from its mtime.
//
// @param pResponse   the full DER-decoded response (passed on to updateRespData)
// @param pBasicResp  the basic response extracted from pResponse
// @param pXstore     the SSL_CTX certificate store handed to OCSP_basic_verify
// @return 0 when the response was accepted and installed, -1 otherwise
//         (the OpenSSL error text is recorded via setLastErrMsg and, when a
//         fetch object exists, written to its log).
int SslOcspStapling::certVerify(OCSP_RESPONSE *pResponse,
                                OCSP_BASICRESP *pBasicResp,
                                X509_STORE *pXstore)
{
    bool accepted = false;
    STACK_OF(X509) *pChain = m_pCtx->extra_certs;

    // OCSP_NOVERIFY: the response signature is checked, but the responder
    // certificate is NOT chained back to pXstore. NOTE(review): a signer
    // found in the response itself or in pChain is therefore accepted
    // without any trust-path validation; only the status/validity checks
    // below bound what gets stapled.
    if (OCSP_basic_verify(pBasicResp, pChain, pXstore, OCSP_NOVERIFY) == 1
        && m_pCertId != NULL)
    {
        int certStatus;
        ASN1_GENERALIZEDTIME *pThisUpd;
        ASN1_GENERALIZEDTIME *pNextUpd;
        // Only a GOOD status for our own cert id counts; 300 s of clock
        // leeway, and -1 places no upper bound on the age of thisUpdate.
        if (OCSP_resp_find_status(pBasicResp, m_pCertId, &certStatus,
                                  NULL, NULL, &pThisUpd, &pNextUpd) == 1
            && certStatus == V_OCSP_CERTSTATUS_GOOD
            && OCSP_check_validity(pThisUpd, pNextUpd, 300, -1) == 1)
            accepted = true;
    }

    if (!accepted)
    {
        // Capture the OpenSSL error queue before clearing it.
        setLastErrMsg("%s", SSLError().what());
        ERR_clear_error();
        if (m_pHttpFetch)
            m_pHttpFetch->writeLog(s_ErrMsg.c_str());
        return -1;
    }

    updateRespData(pResponse);
    // Move the temp file into place; unlink()/rename() failures are not
    // reported here, the stat() below simply leaves m_RespTime untouched.
    unlink(m_sRespfile.c_str());
    rename(m_sRespfileTmp.c_str(), m_sRespfile.c_str());
    struct stat fileInfo;
    if (::stat(m_sRespfile.c_str(), &fileInfo) == 0)
        m_RespTime = fileInfo.st_mtime;
    return 0;
}
// Load an OCSP response from disk and make it the current stapled response.
//
// @param iNeedVerify  non-zero: read the temp file written by the fetch and
//                     run certVerify() on it (which also moves it into place
//                     on success); zero: read the main response file and
//                     install it directly.
// @return LS_FAIL when the file cannot be opened or decoded; otherwise the
//         result of certVerify(), 0 for a directly installed cached file,
//         or -1 when the response status is not SUCCESSFUL (or, on the
//         verify path, no basic response / cert store was available).
int SslOcspStapling::verifyRespFile(int iNeedVerify)
{
    const char *pPath = iNeedVerify ? m_sRespfileTmp.c_str()
                                    : m_sRespfile.c_str();
    BIO *pIn = BIO_new_file(pPath, "r");
    if (pIn == NULL)
        return LS_FAIL;
    OCSP_RESPONSE *pResp = d2i_OCSP_RESPONSE_bio(pIn, NULL);
    BIO_free(pIn);
    if (pResp == NULL)
        return LS_FAIL;

    int ret = -1;
    if (OCSP_response_status(pResp) == OCSP_RESPONSE_STATUS_SUCCESSFUL)
    {
        if (!iNeedVerify)
        {
            // NOTE(review): the cached main file is installed as-is; no
            // signature, status or validity check is applied on this path,
            // so its integrity rests on the file's on-disk protection.
            updateRespData(pResp);
            ret = 0;
        }
        else if (OCSP_BASICRESP *pBasic = OCSP_response_get1_basic(pResp))
        {
            X509_STORE *pStore = SSL_CTX_get_cert_store(m_pCtx);
            if (pStore)
                ret = certVerify(pResp, pBasic, pStore);
            OCSP_BASICRESP_free(pBasic);
        }
    }
    OCSP_RESPONSE_free(pResp);
    return ret;
}