in native/src/sslutils.c [1038:1080]
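/*
 * Look up the Authority Information Access extension of @cert and, when
 * it yields an OCSP responder URL, ask that responder for the revocation
 * status of @cert.
 *
 * @param cert   certificate being verified
 * @param issuer issuer certificate, handed to get_ocsp_response() and
 *               process_ocsp_response()
 * @param ctx    verification context; receives
 *               X509_V_ERR_APPLICATION_VERIFICATION when no response could
 *               be obtained from the responder
 * @return the value of process_ocsp_response() when a response was
 *         obtained, otherwise OCSP_STATUS_UNKNOWN (no usable extension,
 *         no response, or the scratch pool could not be created).
 *
 * Only the first URL returned by decode_OCSP_url() is contacted; the
 * remaining responders are not tried.
 */
static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
{
    char **ocsp_urls = NULL;
    int rv = OCSP_STATUS_UNKNOWN;
    int nid;
    apr_pool_t *p = NULL;

    /* Scratch pool for the URL list and the response; destroyed on every
       exit path below.  The original code never checked this call and
       would have used an unset pool pointer on failure. */
    if (apr_pool_create(&p, NULL) != APR_SUCCESS) {
        return OCSP_STATUS_UNKNOWN;
    }

    /* Locate the Authority Information Access extension. */
    nid = X509_get_ext_by_NID(cert, NID_info_access, -1);
    if (nid >= 0) {
        X509_EXTENSION *ext = X509_get_ext(cert, nid);
        /* A valid index should always resolve, but a NULL here would
           otherwise be dereferenced by X509_EXTENSION_get_data(). */
        if (ext != NULL) {
            ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
            ocsp_urls = decode_OCSP_url(os, p);
        }
    }

    /* If the extension is absent or unparseable there is nobody to ask
       and the status stays unknown; the caller decides what that means. */
    if (ocsp_urls != NULL) {
        /* for the time being just check for the fist response .. a better
           approach is to iterate for all the possible ocsp urls
           NOTE(review): assumes decode_OCSP_url() returns at least one
           entry when it returns non-NULL - confirm against its contract. */
        OCSP_RESPONSE *resp = get_ocsp_response(p, cert, issuer, ocsp_urls[0]);
        if (resp != NULL) {
            rv = process_ocsp_response(resp, cert, issuer);
            OCSP_RESPONSE_free(resp);
        } else {
            /* No response from the responder: record it on the
               verification context so the caller can decide whether an
               unanswered OCSP query is fatal.  Whether
               X509_V_ERR_APPLICATION_VERIFICATION is the right code for
               this was left open by the original author. */
            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
        }
    }

    apr_pool_destroy(p);
    return rv;
}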