issue error message for expired certificates in OCSP trust chain checking

author Andreas Steffen <andreas.steffen@strongswan.org>

Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)
author Andreas Steffen <andreas.steffen@strongswan.org>
Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c

index d1533cc5a89e42fb5ba48f4f639a504bdd3d6cf6..b1f558ebfd1cf3401ee5adf702217ee1ecce99ea 100644 (file)
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -998,6 +998,7 @@ static bool valid_ocsp_response(response_t *res)
                 identification_t *subject = certificate->get_subject(certificate);
                 identification_t *issuer  = certificate->get_issuer(certificate);
                 chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+               time_t not_before, not_after;
  
                 DBG(DBG_CONTROL,
                         DBG_log("subject: '%Y'", subject);
@@ -1008,8 +1009,11 @@ static bool valid_ocsp_response(response_t *res)
                         }
                 )
  
-               if (!certificate->get_validity(certificate, NULL, NULL, NULL))
+               if (!certificate->get_validity(certificate, NULL, &not_before, &not_after))
                 {
+                       plog("certificate is invalid (valid from %T to %T)",
+                                &not_before, FALSE, &not_after, FALSE);
+                       
                         unlock_authcert_list("valid_ocsp_response");
                         return FALSE;
                 }
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Tue, 24 Nov 2009 11:37:38 +0000 (12:37 +0100)