ACK -Steffan
On 26-09-14 12:24, Hubert Kario wrote: > in case the reposnses are too old, ocsp tool can return text like this: > > Response verify OK > ca/cert.pem: WARNING: Status times invalid. > 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status > expired:ocsp_cl.c:358: > good > This Update: Sep 21 12:12:48 2014 GMT > Next Update: Sep 22 12:12:48 2014 GMT > > light change in buffering can cause "verify OK" and "ca/cert.pem: good" > to be placed in a way that matching will be valid > --- > contrib/OCSP_check/OCSP_check.sh | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/contrib/OCSP_check/OCSP_check.sh > b/contrib/OCSP_check/OCSP_check.sh > index ce7ec04..6876c6d 100644 > --- a/contrib/OCSP_check/OCSP_check.sh > +++ b/contrib/OCSP_check/OCSP_check.sh > @@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq > $check_depth ]; then > -serial "${serial}" 2>&1) > > if [ $? -eq 0 ]; then > + # check if ocsp didn't report any errors > + if echo "$status" | grep -Eq "(error|fail)"; then > + exit 1 > + fi > # check that the reported status of certificate is ok > if echo "$status" | grep -Fq "^${serial}: good"; then > # check if signature on the OCSP response verified correctly >
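Review bot: the new `grep -Eq "(error|fail)"` check in the hunk is broader than the failure it is meant to catch. `$status` holds the combined stdout and stderr of `openssl ocsp` (`2>&1` on the line just above), so any substring "error" or "fail" anywhere in that text, for example in the responder URL, an issuer or subject name, or a revocation reason string, causes a silent `exit 1` even when the response is fresh and the status is good. Consider anchoring the pattern to the OpenSSL error line format shown in the commit message (`^[0-9]+:error:`) and to the "WARNING: Status times invalid" line, e.g. `grep -Eq '^[0-9]+:error:|WARNING: Status times invalid'`, so that only the stale-response case is rejected. Also, `exit 1` here prints nothing, so an operator cannot tell a stale response from a revoked certificate; echoing `$status` (or at least a one-line reason) before the exit would keep the failure diagnosable, matching how the rest of the script reports the verify result.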