]>
git.ipfire.org Git - thirdparty/hostap.git/blob - src/crypto/tls_openssl_ocsp.c
2 * SSL/TLS interface functions for OpenSSL - BoringSSL OCSP
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/x509v3.h>
14 #ifdef OPENSSL_IS_BORINGSSL
15 #include <openssl/asn1.h>
16 #include <openssl/asn1t.h>
17 #endif /* OPENSSL_IS_BORINGSSL */
20 #include "tls_openssl.h"
23 #ifdef OPENSSL_IS_BORINGSSL
25 static void tls_show_errors(int level
, const char *func
, const char *txt
)
29 wpa_printf(level
, "OpenSSL: %s - %s %s",
30 func
, txt
, ERR_error_string(ERR_get_error(), NULL
));
32 while ((err
= ERR_get_error())) {
33 wpa_printf(MSG_INFO
, "OpenSSL: pending error: %s",
34 ERR_error_string(err
, NULL
));
40 * CertID ::= SEQUENCE {
41 * hashAlgorithm AlgorithmIdentifier,
42 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
43 * issuerKeyHash OCTET STRING, -- Hash of Issuer's public key
44 * serialNumber CertificateSerialNumber }
47 X509_ALGOR
*hashAlgorithm
;
48 ASN1_OCTET_STRING
*issuerNameHash
;
49 ASN1_OCTET_STRING
*issuerKeyHash
;
50 ASN1_INTEGER
*serialNumber
;
54 * ResponseBytes ::= SEQUENCE {
55 * responseType OBJECT IDENTIFIER,
56 * response OCTET STRING }
59 ASN1_OBJECT
*responseType
;
60 ASN1_OCTET_STRING
*response
;
64 * OCSPResponse ::= SEQUENCE {
65 * responseStatus OCSPResponseStatus,
66 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
69 ASN1_ENUMERATED
*responseStatus
;
70 ResponseBytes
*responseBytes
;
73 ASN1_SEQUENCE(ResponseBytes
) = {
74 ASN1_SIMPLE(ResponseBytes
, responseType
, ASN1_OBJECT
),
75 ASN1_SIMPLE(ResponseBytes
, response
, ASN1_OCTET_STRING
)
76 } ASN1_SEQUENCE_END(ResponseBytes
);
78 ASN1_SEQUENCE(OCSPResponse
) = {
79 ASN1_SIMPLE(OCSPResponse
, responseStatus
, ASN1_ENUMERATED
),
80 ASN1_EXP_OPT(OCSPResponse
, responseBytes
, ResponseBytes
, 0)
81 } ASN1_SEQUENCE_END(OCSPResponse
);
83 IMPLEMENT_ASN1_FUNCTIONS(OCSPResponse
);
86 * ResponderID ::= CHOICE {
94 ASN1_OCTET_STRING
*byKey
;
99 * RevokedInfo ::= SEQUENCE {
100 * revocationTime GeneralizedTime,
101 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
104 ASN1_GENERALIZEDTIME
*revocationTime
;
105 ASN1_ENUMERATED
*revocationReason
;
109 * CertStatus ::= CHOICE {
110 * good [0] IMPLICIT NULL,
111 * revoked [1] IMPLICIT RevokedInfo,
112 * unknown [2] IMPLICIT UnknownInfo }
118 RevokedInfo
*revoked
;
124 * SingleResponse ::= SEQUENCE {
126 * certStatus CertStatus,
127 * thisUpdate GeneralizedTime,
128 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
129 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
133 CertStatus
*certStatus
;
134 ASN1_GENERALIZEDTIME
*thisUpdate
;
135 ASN1_GENERALIZEDTIME
*nextUpdate
;
136 STACK_OF(X509_EXTENSION
) *singleExtensions
;
140 * ResponseData ::= SEQUENCE {
141 * version [0] EXPLICIT Version DEFAULT v1,
142 * responderID ResponderID,
143 * producedAt GeneralizedTime,
144 * responses SEQUENCE OF SingleResponse,
145 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
148 ASN1_INTEGER
*version
;
149 ResponderID
*responderID
;
150 ASN1_GENERALIZEDTIME
*producedAt
;
151 STACK_OF(SingleResponse
) *responses
;
152 STACK_OF(X509_EXTENSION
) *responseExtensions
;
156 * BasicOCSPResponse ::= SEQUENCE {
157 * tbsResponseData ResponseData,
158 * signatureAlgorithm AlgorithmIdentifier,
159 * signature BIT STRING,
160 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
163 ResponseData
*tbsResponseData
;
164 X509_ALGOR
*signatureAlgorithm
;
165 ASN1_BIT_STRING
*signature
;
166 STACK_OF(X509
) *certs
;
169 ASN1_SEQUENCE(CertID
) = {
170 ASN1_SIMPLE(CertID
, hashAlgorithm
, X509_ALGOR
),
171 ASN1_SIMPLE(CertID
, issuerNameHash
, ASN1_OCTET_STRING
),
172 ASN1_SIMPLE(CertID
, issuerKeyHash
, ASN1_OCTET_STRING
),
173 ASN1_SIMPLE(CertID
, serialNumber
, ASN1_INTEGER
)
174 } ASN1_SEQUENCE_END(CertID
);
176 ASN1_CHOICE(ResponderID
) = {
177 ASN1_EXP(ResponderID
, value
.byName
, X509_NAME
, 1),
178 ASN1_EXP(ResponderID
, value
.byKey
, ASN1_OCTET_STRING
, 2)
179 } ASN1_CHOICE_END(ResponderID
);
181 ASN1_SEQUENCE(RevokedInfo
) = {
182 ASN1_SIMPLE(RevokedInfo
, revocationTime
, ASN1_GENERALIZEDTIME
),
183 ASN1_EXP_OPT(RevokedInfo
, revocationReason
, ASN1_ENUMERATED
, 0)
184 } ASN1_SEQUENCE_END(RevokedInfo
);
186 ASN1_CHOICE(CertStatus
) = {
187 ASN1_IMP(CertStatus
, value
.good
, ASN1_NULL
, 0),
188 ASN1_IMP(CertStatus
, value
.revoked
, RevokedInfo
, 1),
189 ASN1_IMP(CertStatus
, value
.unknown
, ASN1_NULL
, 2)
190 } ASN1_CHOICE_END(CertStatus
);
192 ASN1_SEQUENCE(SingleResponse
) = {
193 ASN1_SIMPLE(SingleResponse
, certID
, CertID
),
194 ASN1_SIMPLE(SingleResponse
, certStatus
, CertStatus
),
195 ASN1_SIMPLE(SingleResponse
, thisUpdate
, ASN1_GENERALIZEDTIME
),
196 ASN1_EXP_OPT(SingleResponse
, nextUpdate
, ASN1_GENERALIZEDTIME
, 0),
197 ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse
, singleExtensions
,
199 } ASN1_SEQUENCE_END(SingleResponse
);
201 ASN1_SEQUENCE(ResponseData
) = {
202 ASN1_EXP_OPT(ResponseData
, version
, ASN1_INTEGER
, 0),
203 ASN1_SIMPLE(ResponseData
, responderID
, ResponderID
),
204 ASN1_SIMPLE(ResponseData
, producedAt
, ASN1_GENERALIZEDTIME
),
205 ASN1_SEQUENCE_OF(ResponseData
, responses
, SingleResponse
),
206 ASN1_EXP_SEQUENCE_OF_OPT(ResponseData
, responseExtensions
,
208 } ASN1_SEQUENCE_END(ResponseData
);
210 ASN1_SEQUENCE(BasicOCSPResponse
) = {
211 ASN1_SIMPLE(BasicOCSPResponse
, tbsResponseData
, ResponseData
),
212 ASN1_SIMPLE(BasicOCSPResponse
, signatureAlgorithm
, X509_ALGOR
),
213 ASN1_SIMPLE(BasicOCSPResponse
, signature
, ASN1_BIT_STRING
),
214 ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse
, certs
, X509
, 0)
215 } ASN1_SEQUENCE_END(BasicOCSPResponse
);
217 IMPLEMENT_ASN1_FUNCTIONS(BasicOCSPResponse
);
219 #define sk_SingleResponse_num(sk) \
220 sk_num(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk))
222 #define sk_SingleResponse_value(sk, i) \
223 ((SingleResponse *) \
224 sk_value(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk), (i)))
227 static char * mem_bio_to_str(BIO
*out
)
233 rlen
= BIO_ctrl_pending(out
);
234 txt
= os_malloc(rlen
+ 1);
240 res
= BIO_read(out
, txt
, rlen
);
252 static char * generalizedtime_str(ASN1_GENERALIZEDTIME
*t
)
256 out
= BIO_new(BIO_s_mem());
260 if (!ASN1_GENERALIZEDTIME_print(out
, t
)) {
265 return mem_bio_to_str(out
);
269 static char * responderid_str(ResponderID
*rid
)
273 out
= BIO_new(BIO_s_mem());
279 X509_NAME_print_ex(out
, rid
->value
.byName
, 0, XN_FLAG_ONELINE
);
282 i2a_ASN1_STRING(out
, rid
->value
.byKey
, V_ASN1_OCTET_STRING
);
289 return mem_bio_to_str(out
);
293 static char * octet_string_str(ASN1_OCTET_STRING
*o
)
297 out
= BIO_new(BIO_s_mem());
301 i2a_ASN1_STRING(out
, o
, V_ASN1_OCTET_STRING
);
302 return mem_bio_to_str(out
);
306 static char * integer_str(ASN1_INTEGER
*i
)
310 out
= BIO_new(BIO_s_mem());
314 i2a_ASN1_INTEGER(out
, i
);
315 return mem_bio_to_str(out
);
319 static char * algor_str(X509_ALGOR
*alg
)
323 out
= BIO_new(BIO_s_mem());
327 i2a_ASN1_OBJECT(out
, alg
->algorithm
);
328 return mem_bio_to_str(out
);
332 static char * extensions_str(const char *title
, STACK_OF(X509_EXTENSION
) *ext
)
339 out
= BIO_new(BIO_s_mem());
343 if (!X509V3_extensions_print(out
, title
, ext
, 0, 0)) {
347 return mem_bio_to_str(out
);
351 static int ocsp_resp_valid(ASN1_GENERALIZEDTIME
*thisupd
,
352 ASN1_GENERALIZEDTIME
*nextupd
)
356 if (!ASN1_GENERALIZEDTIME_check(thisupd
)) {
357 wpa_printf(MSG_DEBUG
,
358 "OpenSSL: Invalid OCSP response thisUpdate");
363 tmp
= now
+ 5 * 60; /* allow five minute clock difference */
364 if (X509_cmp_time(thisupd
, &tmp
) > 0) {
365 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP response not yet valid");
370 return 1; /* OK - no limit on response age */
372 if (!ASN1_GENERALIZEDTIME_check(nextupd
)) {
373 wpa_printf(MSG_DEBUG
,
374 "OpenSSL: Invalid OCSP response nextUpdate");
378 tmp
= now
- 5 * 60; /* allow five minute clock difference */
379 if (X509_cmp_time(nextupd
, &tmp
) < 0) {
380 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP response expired");
384 if (ASN1_STRING_cmp(nextupd
, thisupd
) < 0) {
385 wpa_printf(MSG_DEBUG
,
386 "OpenSSL: OCSP response nextUpdate before thisUpdate");
390 /* Both thisUpdate and nextUpdate are valid */
395 static int issuer_match(X509
*cert
, X509
*issuer
, CertID
*certid
)
398 ASN1_BIT_STRING
*ikey
;
401 unsigned char md
[EVP_MAX_MD_SIZE
];
402 ASN1_OCTET_STRING
*hash
;
405 dgst
= EVP_get_digestbyobj(certid
->hashAlgorithm
->algorithm
);
407 wpa_printf(MSG_DEBUG
,
408 "OpenSSL: Could not find matching hash algorithm for OCSP");
412 iname
= X509_get_issuer_name(cert
);
413 if (!X509_NAME_digest(iname
, dgst
, md
, &len
))
415 hash
= ASN1_OCTET_STRING_new();
418 if (!ASN1_OCTET_STRING_set(hash
, md
, len
)) {
419 ASN1_OCTET_STRING_free(hash
);
423 txt
= octet_string_str(hash
);
425 wpa_printf(MSG_DEBUG
, "OpenSSL: calculated issuerNameHash: %s",
430 if (ASN1_OCTET_STRING_cmp(certid
->issuerNameHash
, hash
)) {
431 ASN1_OCTET_STRING_free(hash
);
435 ikey
= X509_get0_pubkey_bitstr(issuer
);
437 !EVP_Digest(ikey
->data
, ikey
->length
, md
, &len
, dgst
, NULL
) ||
438 !ASN1_OCTET_STRING_set(hash
, md
, len
)) {
439 ASN1_OCTET_STRING_free(hash
);
443 txt
= octet_string_str(hash
);
445 wpa_printf(MSG_DEBUG
, "OpenSSL: calculated issuerKeyHash: %s",
450 if (ASN1_OCTET_STRING_cmp(certid
->issuerKeyHash
, hash
)) {
451 ASN1_OCTET_STRING_free(hash
);
455 ASN1_OCTET_STRING_free(hash
);
460 static X509
* ocsp_find_signer(STACK_OF(X509
) *certs
, ResponderID
*rid
)
463 unsigned char hash
[SHA_DIGEST_LENGTH
];
465 if (rid
->type
== 0) {
467 return X509_find_by_subject(certs
, rid
->value
.byName
);
471 if (rid
->value
.byKey
->length
!= SHA_DIGEST_LENGTH
)
473 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
474 X509
*x
= sk_X509_value(certs
, i
);
476 X509_pubkey_digest(x
, EVP_sha1(), hash
, NULL
);
477 if (os_memcmp(rid
->value
.byKey
->data
, hash
,
478 SHA_DIGEST_LENGTH
) == 0)
486 enum ocsp_result
check_ocsp_resp(SSL_CTX
*ssl_ctx
, SSL
*ssl
, X509
*cert
,
487 X509
*issuer
, X509
*issuer_issuer
)
489 const uint8_t *resp_data
;
493 ResponseBytes
*bytes
;
494 const u8
*basic_data
;
496 BasicOCSPResponse
*basic
;
500 unsigned int j
, num_resp
;
501 SingleResponse
*matching_resp
= NULL
, *cmp_sresp
;
502 enum ocsp_result result
= OCSP_INVALID
;
504 STACK_OF(X509
) *untrusted
= NULL
, *certs
= NULL
, *chain
= NULL
;
506 X509
*signer
, *tmp_cert
;
507 int signer_trusted
= 0;
512 txt
= integer_str(X509_get_serialNumber(cert
));
514 wpa_printf(MSG_DEBUG
,
515 "OpenSSL: Searching OCSP response for peer certificate serialNumber: %s", txt
);
519 SSL_get0_ocsp_response(ssl
, &resp_data
, &resp_len
);
520 if (resp_data
== NULL
|| resp_len
== 0) {
521 wpa_printf(MSG_DEBUG
, "OpenSSL: No OCSP response received");
522 return OCSP_NO_RESPONSE
;
525 wpa_hexdump(MSG_DEBUG
, "OpenSSL: OCSP response", resp_data
, resp_len
);
527 resp
= d2i_OCSPResponse(NULL
, &resp_data
, resp_len
);
529 wpa_printf(MSG_INFO
, "OpenSSL: Failed to parse OCSPResponse");
533 status
= ASN1_ENUMERATED_get(resp
->responseStatus
);
535 wpa_printf(MSG_INFO
, "OpenSSL: OCSP responder error %d",
540 bytes
= resp
->responseBytes
;
543 OBJ_obj2nid(bytes
->responseType
) != NID_id_pkix_OCSP_basic
) {
545 "OpenSSL: Could not find BasicOCSPResponse");
549 basic_data
= ASN1_STRING_data(bytes
->response
);
550 basic_len
= ASN1_STRING_length(bytes
->response
);
551 wpa_hexdump(MSG_DEBUG
, "OpenSSL: BasicOCSPResponse",
552 basic_data
, basic_len
);
554 basic
= d2i_BasicOCSPResponse(NULL
, &basic_data
, basic_len
);
557 "OpenSSL: Could not parse BasicOCSPResponse");
558 OCSPResponse_free(resp
);
562 rd
= basic
->tbsResponseData
;
565 untrusted
= sk_X509_dup(basic
->certs
);
569 num
= sk_X509_num(basic
->certs
);
570 for (i
= 0; i
< num
; i
++) {
573 extra_cert
= sk_X509_value(basic
->certs
, i
);
574 X509_NAME_oneline(X509_get_subject_name(extra_cert
),
576 wpa_printf(MSG_DEBUG
,
577 "OpenSSL: BasicOCSPResponse cert %s", buf
);
579 if (!sk_X509_push(untrusted
, extra_cert
)) {
580 wpa_printf(MSG_DEBUG
,
581 "OpenSSL: Could not add certificate to the untrusted stack");
586 store
= SSL_CTX_get_cert_store(ssl_ctx
);
588 if (X509_STORE_add_cert(store
, issuer
) != 1) {
589 tls_show_errors(MSG_INFO
, __func__
,
590 "OpenSSL: Could not add issuer to certificate store");
592 certs
= sk_X509_new_null();
594 tmp_cert
= X509_dup(issuer
);
595 if (tmp_cert
&& !sk_X509_push(certs
, tmp_cert
)) {
598 "OpenSSL: Could not add issuer to OCSP responder trust store");
603 if (certs
&& issuer_issuer
) {
604 tmp_cert
= X509_dup(issuer_issuer
);
606 !sk_X509_push(certs
, tmp_cert
)) {
609 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
616 signer
= ocsp_find_signer(certs
, rd
->responderID
);
618 signer
= ocsp_find_signer(untrusted
, rd
->responderID
);
622 wpa_printf(MSG_DEBUG
,
623 "OpenSSL: Could not find OCSP signer certificate");
627 skey
= X509_get_pubkey(signer
);
629 wpa_printf(MSG_DEBUG
,
630 "OpenSSL: Could not get OCSP signer public key");
633 if (ASN1_item_verify(ASN1_ITEM_rptr(ResponseData
),
634 basic
->signatureAlgorithm
, basic
->signature
,
635 basic
->tbsResponseData
, skey
) <= 0) {
636 wpa_printf(MSG_DEBUG
,
637 "OpenSSL: BasicOCSPResponse signature is invalid");
641 X509_NAME_oneline(X509_get_subject_name(signer
), buf
, sizeof(buf
));
642 wpa_printf(MSG_DEBUG
,
643 "OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
646 if (!X509_STORE_CTX_init(&ctx
, store
, signer
, untrusted
))
648 X509_STORE_CTX_set_purpose(&ctx
, X509_PURPOSE_OCSP_HELPER
);
649 ret
= X509_verify_cert(&ctx
);
650 chain
= X509_STORE_CTX_get1_chain(&ctx
);
651 X509_STORE_CTX_cleanup(&ctx
);
653 wpa_printf(MSG_DEBUG
,
654 "OpenSSL: Could not validate OCSP signer certificate");
658 if (!chain
|| sk_X509_num(chain
) <= 0) {
659 wpa_printf(MSG_DEBUG
, "OpenSSL: No OCSP signer chain found");
663 if (!signer_trusted
) {
664 X509_check_purpose(signer
, -1, 0);
665 if ((signer
->ex_flags
& EXFLAG_XKUSAGE
) &&
666 (signer
->ex_xkusage
& XKU_OCSP_SIGN
)) {
667 wpa_printf(MSG_DEBUG
,
668 "OpenSSL: OCSP signer certificate delegation OK");
670 tmp_cert
= sk_X509_value(chain
, sk_X509_num(chain
) - 1);
671 if (X509_check_trust(tmp_cert
, NID_OCSP_sign
, 0) !=
672 X509_TRUST_TRUSTED
) {
673 wpa_printf(MSG_DEBUG
,
674 "OpenSSL: OCSP signer certificate not trusted");
675 result
= OCSP_NO_RESPONSE
;
681 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP version: %lu",
682 ASN1_INTEGER_get(rd
->version
));
684 txt
= responderid_str(rd
->responderID
);
686 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP responderID: %s",
691 txt
= generalizedtime_str(rd
->producedAt
);
693 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP producedAt: %s",
698 num_resp
= sk_SingleResponse_num(rd
->responses
);
700 wpa_printf(MSG_DEBUG
,
701 "OpenSSL: No OCSP SingleResponse within BasicOCSPResponse");
702 result
= OCSP_NO_RESPONSE
;
705 cmp_sresp
= sk_SingleResponse_value(rd
->responses
, 0);
706 for (j
= 0; j
< num_resp
; j
++) {
707 SingleResponse
*sresp
;
710 sresp
= sk_SingleResponse_value(rd
->responses
, j
);
711 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP SingleResponse %u/%u",
714 txt
= algor_str(sresp
->certID
->hashAlgorithm
);
716 wpa_printf(MSG_DEBUG
,
717 "OpenSSL: certID hashAlgorithm: %s", txt
);
721 txt
= octet_string_str(sresp
->certID
->issuerNameHash
);
723 wpa_printf(MSG_DEBUG
,
724 "OpenSSL: certID issuerNameHash: %s", txt
);
728 txt
= octet_string_str(sresp
->certID
->issuerKeyHash
);
730 wpa_printf(MSG_DEBUG
,
731 "OpenSSL: certID issuerKeyHash: %s", txt
);
735 txt
= integer_str(sresp
->certID
->serialNumber
);
737 wpa_printf(MSG_DEBUG
,
738 "OpenSSL: certID serialNumber: %s", txt
);
742 switch (sresp
->certStatus
->type
) {
744 wpa_printf(MSG_DEBUG
, "OpenSSL: certStatus: good");
747 wpa_printf(MSG_DEBUG
, "OpenSSL: certStatus: revoked");
750 wpa_printf(MSG_DEBUG
, "OpenSSL: certStatus: unknown");
754 txt
= generalizedtime_str(sresp
->thisUpdate
);
756 wpa_printf(MSG_DEBUG
, "OpenSSL: thisUpdate: %s", txt
);
760 if (sresp
->nextUpdate
) {
761 txt
= generalizedtime_str(sresp
->nextUpdate
);
763 wpa_printf(MSG_DEBUG
, "OpenSSL: nextUpdate: %s",
769 txt
= extensions_str("singleExtensions",
770 sresp
->singleExtensions
);
772 wpa_printf(MSG_DEBUG
, "OpenSSL: %s", txt
);
776 cid1
= cmp_sresp
->certID
;
777 cid2
= sresp
->certID
;
779 (OBJ_cmp(cid1
->hashAlgorithm
->algorithm
,
780 cid2
->hashAlgorithm
->algorithm
) != 0 ||
781 ASN1_OCTET_STRING_cmp(cid1
->issuerNameHash
,
782 cid2
->issuerNameHash
) != 0 ||
783 ASN1_OCTET_STRING_cmp(cid1
->issuerKeyHash
,
784 cid2
->issuerKeyHash
) != 0)) {
785 wpa_printf(MSG_DEBUG
,
786 "OpenSSL: Different OCSP response issuer information between SingleResponse values within BasicOCSPResponse");
790 if (!matching_resp
&& issuer
&&
791 ASN1_INTEGER_cmp(sresp
->certID
->serialNumber
,
792 X509_get_serialNumber(cert
)) == 0 &&
793 issuer_match(cert
, issuer
, sresp
->certID
) == 0) {
794 wpa_printf(MSG_DEBUG
,
795 "OpenSSL: This response matches peer certificate");
796 matching_resp
= sresp
;
800 txt
= extensions_str("responseExtensions", rd
->responseExtensions
);
802 wpa_printf(MSG_DEBUG
, "OpenSSL: %s", txt
);
806 if (!matching_resp
) {
807 wpa_printf(MSG_DEBUG
,
808 "OpenSSL: Could not find OCSP response that matches the peer certificate");
809 result
= OCSP_NO_RESPONSE
;
813 if (!ocsp_resp_valid(matching_resp
->thisUpdate
,
814 matching_resp
->nextUpdate
)) {
815 wpa_printf(MSG_DEBUG
,
816 "OpenSSL: OCSP response not valid at this time");
820 if (matching_resp
->certStatus
->type
== 1) {
821 wpa_printf(MSG_DEBUG
,
822 "OpenSSL: OCSP response indicated that the peer certificate has been revoked");
823 result
= OCSP_REVOKED
;
827 if (matching_resp
->certStatus
->type
!= 0) {
828 wpa_printf(MSG_DEBUG
,
829 "OpenSSL: OCSP response did not indicate good status");
830 result
= OCSP_NO_RESPONSE
;
834 /* OCSP response indicated the certificate is good. */
837 sk_X509_pop_free(chain
, X509_free
);
838 sk_X509_free(untrusted
);
839 sk_X509_pop_free(certs
, X509_free
);
840 BasicOCSPResponse_free(basic
);
841 OCSPResponse_free(resp
);
846 #endif /* OPENSSL_IS_BORINGSSL */