git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
ocsp_check - signature verification and cert status results are separate
author Hubert Kario <hkario@redhat.com>
Fri, 26 Sep 2014 10:24:00 +0000 (12:24 +0200)
committer Gert Doering <gert@greenie.muc.de>
Sun, 5 Oct 2014 19:25:04 +0000 (21:25 +0200)
When openssl returns the result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status; as such it's necessary to check both of them.

Otherwise results like:

Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT

will be accepted as being trustworthy.

Note that "Response verify OK" is printed on stderr, so it can't
be discarded.

Signed-off-by: Hubert Kario <hkario@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-1-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9054
Signed-off-by: Gert Doering <gert@greenie.muc.de>
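The check the commit message describes, as an added example that is not code from the OpenVPN commit or the contrib script: a POSIX sh function that accepts an `openssl ocsp` transcript (stdout and stderr merged) only when both the response signature verified and the status for the queried serial is "good", run over transcripts constructed after the output quoted above with an assumed serial `0x0A1B2C`.

```sh
#!/bin/sh
# Added example, not code from the OpenVPN commit: accept an `openssl ocsp`
# transcript (stdout and stderr merged with 2>&1, as the patched script does)
# only when BOTH the responder signature verified AND the status for our
# serial is "good". Plain grep is used because `grep -F` would treat the '^'
# anchor as a literal caret and never match.

# ocsp_response_ok OUTPUT SERIAL -> returns 0 only if both checks pass
ocsp_response_ok() {
    output=$1
    # escape basic-regex metacharacters so the serial is matched literally
    serial_re=$(printf '%s\n' "$2" | sed 's|[][\\.*^$/]|\\&|g')
    # 1. signature on the OCSP response verified (openssl prints this on stderr)
    printf '%s\n' "$output" | grep -q '^Response verify OK' || return 1
    # 2. the status line for this serial reads "good" (not revoked/unknown)
    printf '%s\n' "$output" | grep -q "^${serial_re}: good" || return 1
    return 0
}

SERIAL=0x0A1B2C  # constructed serial, assumed for the samples below

# Constructed transcripts modelled on the commit message's failure case.
# Signature verification failed but the status line still says "good":
BAD='Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
0x0A1B2C: good
        This Update: Sep 23 12:12:28 2014 GMT'
# Signature verified and the status is good:
GOOD='Response verify OK
0x0A1B2C: good
        This Update: Sep 23 12:12:28 2014 GMT'
# Signature verified but the certificate is revoked:
REVOKED='Response verify OK
0x0A1B2C: revoked
        This Update: Sep 23 12:12:28 2014 GMT
        Revocation Time: Sep 22 09:00:00 2014 GMT'

# run_checks -> 0 when only the GOOD transcript is accepted
run_checks() {
    ocsp_response_ok "$GOOD" "$SERIAL" || return 1
    if ocsp_response_ok "$BAD" "$SERIAL"; then return 1; fi
    if ocsp_response_ok "$REVOKED" "$SERIAL"; then return 1; fi
    # a different serial must not be accepted even if the transcript is clean
    if ocsp_response_ok "$GOOD" 0x0A1B2D; then return 1; fi
    return 0
}

run_checks && echo "only the good transcript was accepted"
```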
contrib/OCSP_check/OCSP_check.sh

index 553c3dcec97068ea9f27b4e44a617187e6ce8f7b..ce7ec04883043abd179e29e86effa27f96ab0a1e 100644 (file)
@@ -97,12 +97,15 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
                     "$nonce" \
                     -CAfile "$verify" \
                     -url "$ocsp_url" \
-                    -serial "${serial}" 2>/dev/null)
+                    -serial "${serial}" 2>&1)
 
     if [ $? -eq 0 ]; then
-      # check that it's good
+      # check that the reported status of certificate is ok
       if echo "$status" | grep -Fq "^${serial}: good"; then
-        exit 0
+        # check if signature on the OCSP response verified correctly
+        if echo "$status" | grep -Fq "^Response verify OK"; then
+            exit 0
+        fi
       fi
     fi
   fi
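Review bot: the new `grep -Fq "^Response verify OK"` test can never succeed, because `-F` matches fixed strings and treats the `^` as a literal caret rather than a line anchor; the enclosing `grep -Fq "^${serial}: good"` context line has the same defect, so with this hunk applied the `exit 0` path is unreachable. Either drop `-F` so that `^` anchors (`grep -q "^Response verify OK"`, escaping `${serial}` if it may contain regex metacharacters) or drop the anchor and keep `-F` (`grep -Fq "Response verify OK"`). Failing closed is the safe direction, but it makes the check useless, and running the script once against a real `openssl ocsp` transcript would show it; the comment on the status check should also read "of the certificate".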