/*
* Check if the certificate is revoked using OCSP.
* Current implementation aren't using OCSP to validate the certificate.
* If the OCSP server is set and the cert Key Usage is set as critical,
* stop swupd operation.
*
* TODO: Implement proper check of OCSP.
*/
static int validate_authority(X509 *cert)
{
AUTHORITY_INFO_ACCESS *info;
int n, i;
// Check if Authority Information Access is critical
if (!is_x509_ext_critical(cert, NID_info_access)) {
return 0;
}
debug("Authority Information Access is critical. Checking certificate revocation method\n");
// Check if the OCSP URI is set
info = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
if (!info) {
goto error;
}
n = sk_ACCESS_DESCRIPTION_num(info);
for (i = 0; i < n; i++) {
ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
error("OCSP uri found, but method not supported\n");
return -1;
}
}
AUTHORITY_INFO_ACCESS_free(info);
error:
error("Supported Authority Information Access methods not found in the certificate.\n");
return -1;
}
/* Return the responder URI specified in the given certificate, or
* NULL if none specified. */
static const char *extract_responder_uri(X509 *cert, apr_pool_t *pool)
{
STACK_OF(ACCESS_DESCRIPTION) *values;
char *result = NULL;
int j;
values = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
if (!values) {
return NULL;
}
for (j = 0; j < sk_ACCESS_DESCRIPTION_num(values) && !result; j++) {
ACCESS_DESCRIPTION *value = sk_ACCESS_DESCRIPTION_value(values, j);
/* Name found in extension, and is a URI: */
if (OBJ_obj2nid(value->method) == NID_ad_OCSP
&& value->location->type == GEN_URI) {
result = apr_pstrdup(pool,
(char *)value->location->d.uniformResourceIdentifier->data);
}
}
AUTHORITY_INFO_ACCESS_free(values);
return result;
}
