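/**
 * Check a freshly fetched OCSP response and, when it is acceptable, make it
 * the current stapling response (in memory and on disk).
 *
 * The response is accepted only if all of the following hold:
 *   - OCSP_basic_verify() succeeds,
 *   - the response contains a status entry for m_pCertId,
 *   - that status is V_OCSP_CERTSTATUS_GOOD,
 *   - thisUpdate/nextUpdate pass OCSP_check_validity() with 300 seconds of
 *     allowed clock skew (the -1 disables the maximum-age check).
 *
 * @param pResponse   full OCSP response, handed to updateRespData() on success
 * @param pBasicResp  basic response extracted from pResponse
 * @param pXstore     certificate store passed to OCSP_basic_verify()
 * @return 0 when the response was accepted, -1 otherwise (the error text is
 *         recorded with setLastErrMsg() and logged through m_pHttpFetch)
 */
int SslOcspStapling::certVerify(OCSP_RESPONSE *pResponse,
                                OCSP_BASICRESP *pBasicResp, X509_STORE *pXstore)
{
    int                 n = -1, iResult = -1;
    STACK_OF(X509)      *pXchain;
    ASN1_GENERALIZEDTIME  *pThisupdate = NULL, *pNextupdate = NULL;
    struct stat         st;

    pXchain = m_pCtx->extra_certs;
    // NOTE(review): OCSP_NOVERIFY makes OCSP_basic_verify() return success as
    // soon as the signature matches the located signer certificate; the signer
    // certificate itself is not validated against pXstore. A response signed
    // by an untrusted key can therefore be cached and stapled. Confirm this is
    // intended; validating the signer (flags 0, or OCSP_TRUSTOTHER with the
    // issuer in pXchain) is the stricter option.
    if (OCSP_basic_verify(pBasicResp, pXchain, pXstore, OCSP_NOVERIFY) == 1)
    {
        if ((m_pCertId != NULL)
            && (OCSP_resp_find_status(pBasicResp, m_pCertId, &n,
                                      NULL, NULL, &pThisupdate, &pNextupdate) == 1)
            && (n == V_OCSP_CERTSTATUS_GOOD)
            && (OCSP_check_validity(pThisupdate, pNextupdate, 300, -1) == 1))
        {
            iResult = 0;
            updateRespData(pResponse);
            // rename() replaces the destination atomically, so the previous
            // response file is not unlinked first: readers never observe a
            // missing file, and a failed rename leaves the old response intact.
            if (rename(m_sRespfileTmp.c_str(), m_sRespfile.c_str()) != 0)
            {
                // Best effort: the in-memory response is already updated, so
                // only report that the on-disk cache could not be refreshed.
                if (m_pHttpFetch)
                    m_pHttpFetch->writeLog(
                        "OCSP stapling: failed to replace cached response file");
            }
            if (::stat(m_sRespfile.c_str(), &st) == 0)
                m_RespTime = st.st_mtime;
        }
    }
    if (iResult)
    {
        // NOTE(review): the message is taken from the OpenSSL error queue,
        // which may be empty when the rejection came from the status or
        // validity checks rather than from a library error.
        setLastErrMsg("%s", SSLError().what());
        ERR_clear_error();
        if (m_pHttpFetch)
            m_pHttpFetch->writeLog(s_ErrMsg.c_str());

    }
    return iResult;
}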
/**
 * Load an OCSP response from disk and install it as the stapling response.
 *
 * @param iNeedVerify  non-zero: read the temporary (just fetched) file and
 *                     pass the response to certVerify();
 *                     zero: read the cached response file and load it as is.
 * @return 0 on success; LS_FAIL when the file cannot be opened or decoded;
 *         -1 when the response status is not successful or verification
 *         fails.
 */
int SslOcspStapling::verifyRespFile(int iNeedVerify)
{
    const char *pPath = iNeedVerify ? m_sRespfileTmp.c_str()
                                    : m_sRespfile.c_str();
    BIO *pBio = BIO_new_file(pPath, "r");
    if (pBio == NULL)
        return LS_FAIL;

    // The BIO is only needed for decoding; release it before any early return.
    OCSP_RESPONSE *pResponse = d2i_OCSP_RESPONSE_bio(pBio, NULL);
    BIO_free(pBio);
    if (pResponse == NULL)
        return LS_FAIL;

    int iResult = -1;
    if (OCSP_response_status(pResponse) == OCSP_RESPONSE_STATUS_SUCCESSFUL)
    {
        if (!iNeedVerify)
        {
            // NOTE(review): the cached file is loaded without re-checking the
            // signature, certificate status or validity window here. This
            // presumably relies on the file having been verified when it was
            // written and on the cache location not being writable by other
            // users; confirm that callers handle staleness separately.
            updateRespData(pResponse);
            iResult = 0;
        }
        else
        {
            OCSP_BASICRESP *pBasicResp = OCSP_response_get1_basic(pResponse);
            if (pBasicResp != NULL)
            {
                X509_STORE *pXstore = SSL_CTX_get_cert_store(m_pCtx);
                if (pXstore != NULL)
                    iResult = certVerify(pResponse, pBasicResp, pXstore);
                // get1 returned an owned object, so it is freed here.
                OCSP_BASICRESP_free(pBasicResp);
            }
        }
    }
    OCSP_RESPONSE_free(pResponse);
    return iResult;
}