From: Hubert Kario
Date: Fri, 26 Sep 2014 10:24:01 +0000 (+0200)
Subject: ocsp_check - double check if ocsp didn't report any errors in execution
X-Git-Tag: v2.3.5~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27ab61cec7cefa645a1e02834e032eef12907598;p=thirdparty%2Fopenvpn.git

ocsp_check - double check if ocsp didn't report any errors in execution

in case the responses are too old, ocsp tool can return text like this:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT

light change in buffering can cause "verify OK" and "ca/cert.pem: good" to be placed in a way that matching will be valid

Acked-by: Steffan Karger
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
Signed-off-by: Gert Doering
(cherry picked from commit 51390f4de4f02edf377d55a7ef108798d2d8dc88)
---
diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index ce7ec0488..6876c6d8c 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then -serial "${serial}" 2>&1) if [ $? -eq 0 ]; then + # check if ocsp didn't report any errors + if echo "$status" | grep -Eq "(error|fail)"; then + exit 1 + fi # check that the reported status of certificate is ok if echo "$status" | grep -Fq "^${serial}: good"; then # check if signature on the OCSP response verified correctly
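Review bot: the new guard `if echo "$status" | grep -Eq "(error|fail)"; then` is case-sensitive, so it catches the lowercase `error:2707307D:OCSP routines:...` line quoted in the commit message but not capitalised diagnostics such as OpenSSL's `Response Verify Failure`; since this is meant as a fail-closed catch-all for anything the tool complained about while still exiting 0, make it `grep -Eiq 'error|fail'` (the parentheses add nothing). Consider also writing `$status` to stderr before the `exit 1`, otherwise a refused connection leaves no trace of what the OCSP tool actually reported. Separately, the context line that follows, `grep -Fq "^${serial}: good"`, combines `-F` (fixed strings) with a `^` anchor, which `-F` treats as a literal caret, so that match can never succeed on real ocsp output and needs its own fix (`-Eq` or dropping the caret).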