From: Andreas Steffen Date: Tue, 24 Nov 2009 11:37:38 +0000 (+0100) Subject: issue error message for expired certificates in OCSP trust chain checking X-Git-Tag: 4.3.6~183 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c4570d188e55f2fd27319c98ef52a34c678b8bf4;p=thirdparty%2Fstrongswan.git issue error message for expired certificates in OCSP trust chain checking --- diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index d1533cc5a8..b1f558ebfd 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -998,6 +998,7 @@ static bool valid_ocsp_response(response_t *res) identification_t *subject = certificate->get_subject(certificate); identification_t *issuer = certificate->get_issuer(certificate); chunk_t authKeyID = x509->get_authKeyIdentifier(x509); + time_t not_before, not_after; DBG(DBG_CONTROL, DBG_log("subject: '%Y'", subject); @@ -1008,8 +1009,11 @@ static bool valid_ocsp_response(response_t *res) } ) - if (!certificate->get_validity(certificate, NULL, NULL, NULL)) + if (!certificate->get_validity(certificate, NULL, ¬_before, ¬_after)) { + plog("certificate is invalid (valid from %T to %T)", + ¬_before, FALSE, ¬_after, FALSE); + unlock_authcert_list("valid_ocsp_response"); return FALSE; }
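Review bot: The new `plog()` in the second hunk reports the validity window but not which certificate in the OCSP trust chain failed; the subject is only printed inside `DBG(DBG_CONTROL, ...)`, so without control debugging an operator cannot tell which certificate to renew. `subject` is already in scope (first hunk's context), so the call could read `plog("certificate '%Y' is invalid (valid from %T to %T)", subject, &not_before, FALSE, &not_after, FALSE);` (the page shows `&not_before` as `¬_before`, which looks like an entity mis-decoding). The message also relies on `get_validity()` filling both out-parameters when it returns false, which is not visible here; declaring `time_t not_before = 0, not_after = 0;` in the first hunk would keep the log from printing indeterminate values if it does not. `valid_ocsp_response()` starts and ends outside both hunks, so the lock handling around this early return cannot be checked from this page.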