git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
ocsp_check - double check if ocsp didn't report any errors in execution
author: Hubert Kario <hkario@redhat.com>
Fri, 26 Sep 2014 10:24:01 +0000 (12:24 +0200)
committer: Gert Doering <gert@greenie.muc.de>
Sun, 5 Oct 2014 19:25:16 +0000 (21:25 +0200)
in case the responses are too old, ocsp tool can return text like this:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358:
good
        This Update: Sep 21 12:12:48 2014 GMT
        Next Update: Sep 22 12:12:48 2014 GMT

A light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that the matching will be valid.

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055

Signed-off-by: Gert Doering <gert@greenie.muc.de>
contrib/OCSP_check/OCSP_check.sh

index ce7ec04883043abd179e29e86effa27f96ab0a1e..6876c6d8c40e18c1b9782585fb095db535e9f13a 100644
@@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
                     -serial "${serial}" 2>&1)
 
     if [ $? -eq 0 ]; then
+      # check if ocsp didn't report any errors
+      if echo "$status" | grep -Eq "(error|fail)"; then
+          exit 1
+      fi
       # check that the reported status of certificate is ok
       if echo "$status" | grep -Fq "^${serial}: good"; then
         # check if signature on the OCSP response verified correctly
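Review bot: the new guard `grep -Eq "(error|fail)"` is case-sensitive and unanchored, so an `Error` or `Failure` spelled with capitals would slip past it, while any benign line containing the substrings `error` or `fail` triggers `exit 1`; the false-positive direction is fail-closed, which is the right default for a revocation check, but consider `grep -Eiq "(error|fail)"` so the capitalised variants are rejected as well. Separately, the unchanged line just below, `grep -Fq "^${serial}: good"`, uses `-F` (fixed strings), under which `^` is a literal caret rather than a start-of-line anchor, so that match appears able to succeed only if the ocsp output literally contains `^`; switching it to `grep -Eq`, as the new check already does, would make the anchor behave as intended.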