From 233105d2c9d1a2c6911342d8249b19310e94c251 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@users.sourceforge.net>
Date: Sun, 16 May 2010 19:42:40 +0200
Subject: OCSP_check.sh: new check logic

contrib/OCSP_check/OCSP_check.sh:
  I discovered that, quite surprisingly, the exit status of "openssl ocsp"
  is 0 even if the certificate status is "revoked". This means that the
  logic of the script needs to be rewritten so that it parses the output
  returned by the query and explicitly looks for a

  "0x<serial number>: good"

  line, and exit if either the command has a non-zero exit status, or the
  above line is not found.

  Doing that portably without bashisms requires some juggling around, so
  perhaps the code is slightly less clean now, but it does have many
  comments.

Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
---
 contrib/OCSP_check/OCSP_check.sh | 42 ++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

(limited to 'contrib')

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 2ffe5d6..847be45 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -63,27 +63,49 @@ fi
 
 # begin
 if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+
   eval serial="\$tls_serial_${cur_depth}"
 
-  # Check that the serial is not empty
+  # To successfully complete, the following must happen:
+  #
+  # - The serial number must not be empty
+  # - The exit status of "openssl ocsp" must be zero
+  # - The output of the above command must contain the line
+  #   "0x${serial}: good"
+  #
+  # Everything else fails with exit status 1.
+
   if [ -n "$serial" ]; then
 
     # This is only an example; you are encouraged to run this command (without
     # redirections) manually against your or your CA's OCSP server to see how
     # it responds, and adapt accordingly.
-    # Sample output:
+    # Sample output that is assumed here:
     #
     # Response verify OK
     # 0x428740A5: good
     #      This Update: Apr 24 19:38:49 2010 GMT
     #      Next Update: May  2 14:23:42 2010 GMT
-
-    openssl ocsp -issuer "$issuer" \
-                 "$nonce" \
-                 -CAfile "$verify" \
-                 -url "$ocsp_url" \
-                 -serial "0x${serial}" >/dev/null 2>&1
-  else
-    exit 1
+    #
+    # NOTE: It is needed to check the exit code of OpenSSL explicitly.  OpenSSL
+    #       can in some circumstances give a "good" result if it could not
+    #       reach the the OSCP server.  In this case, the exit code will indicate
+    #       if OpenSSL itself failed or not.  If OpenSSL's exit code is not 0,
+    #       don't trust the OpenSSL status.
+
+    status=$(openssl ocsp -issuer "$issuer" \
+                    "$nonce" \
+                    -CAfile "$verify" \
+                    -url "$ocsp_url" \
+                    -serial "0x${serial}" 2>/dev/null)
+
+    if [ $? -eq 0 ]; then
+      # check that it's good
+      if echo "$status" | grep -Fq "0x${serial}: good"; then
+        exit 0
+      fi
+    fi
   fi
+  # if we get here, something was wrong
+  exit 1
 fi
-- 
cgit