OCSP Error Return

1. In CheckOcspResponse(), remove the existing check for UNKNOWN
   certificate status. Given the values of ret and ocsp->error, unknown
   won't get checked.
2. Separated checks for UKNOWN and REJECTED for logging purposes. Return
   that as an error.
3. Anything else should be a failure.
This commit is contained in:
John Safranek 2023-12-04 11:31:04 -08:00
parent 195c14ccaf
commit 52658c51a9
No known key found for this signature in database
GPG Key ID: 8CE817DE0D3CCB4A

View File

@ -409,10 +409,14 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
end:
if (ret == 0 && validated == 1) {
WOLFSSL_MSG("New OcspResponse validated");
} else if ((ret == ocsp->error) && (ocspResponse->single->status->status == CERT_UNKNOWN)) {
}
else if (ret == OCSP_CERT_REVOKED) {
WOLFSSL_MSG("OCSP revoked");
}
else if (ret == OCSP_CERT_UNKNOWN) {
WOLFSSL_MSG("OCSP unknown");
ret = OCSP_CERT_UNKNOWN;
} else if (ret != OCSP_CERT_REVOKED) {
}
else {
WOLFSSL_MSG("OCSP lookup failure");
ret = OCSP_LOOKUP_FAIL;
}