in native/src/sslutils.c [495:535]
/*
 * OCSP check for the certificate currently under inspection in ctx.
 *
 * Only reached after OpenSSL has already accepted the certificate (the
 * "ok" parameter of SSL_callback_SSL_verify() is true), so the
 * certificate's own validity is not re-examined here.
 *
 * Returns OCSP_STATUS_OK, OCSP_STATUS_REVOKED or OCSP_STATUS_UNKNOWN.
 * The X509_STORE_CTX error is handled per case:
 *   - no current cert:      left untouched, returns OCSP_STATUS_UNKNOWN
 *   - self-issued cert:     set to X509_V_OK, returns OCSP_STATUS_UNKNOWN
 *                           (no OCSP lookup is made)
 *   - no issuer available:  left untouched, returns OCSP_STATUS_UNKNOWN
 *                           (no OCSP lookup is made)
 *   - OCSP_STATUS_OK:       set to X509_V_OK
 *   - OCSP_STATUS_REVOKED:  set to X509_V_ERR_CERT_REVOKED
 *   - OCSP_STATUS_UNKNOWN:  left as set by ssl_ocsp_request()
 */
static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
{
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    X509 *issuer;
    int status;

    /* Since OpenSSL 1.0 the current cert may be NULL; bail out without
     * touching the ctx error. */
    if (cert == NULL) {
        return OCSP_STATUS_UNKNOWN;
    }

    /* Valid self-issued certificates are never OCSP-checked. */
    if (X509_check_issued(cert, cert) == X509_V_OK) {
        X509_STORE_CTX_set_error(ctx, X509_V_OK);
        return OCSP_STATUS_UNKNOWN;
    }

    /* Without the issuer there is nothing to build an OCSP request from;
     * the ctx error stays as OpenSSL left it, so the outcome then rests on
     * how the caller treats OCSP_STATUS_UNKNOWN. */
    issuer = X509_STORE_CTX_get0_current_issuer(ctx);
    if (issuer == NULL) {
        return OCSP_STATUS_UNKNOWN;
    }

    status = ssl_ocsp_request(cert, issuer, ctx);
    switch (status) {
    case OCSP_STATUS_OK:
        X509_STORE_CTX_set_error(ctx, X509_V_OK);
        break;
    case OCSP_STATUS_REVOKED:
        /* Only a definite "revoked" answer becomes a ctx error here. */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
        break;
    case OCSP_STATUS_UNKNOWN:
        /* ssl_ocsp_request() has already set the ctx error. */
        break;
    default:
        /* Any other value is handed back to the caller unchanged. */
        break;
    }
    return status;
}