validate and expose nextUpdate field in OCSP response

openresty · Apr 18, 2020 · c122a4e · c122a4e
1 parent 8966382
commit c122a4e
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
@@ -262,7 +262,7 @@ ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data,
 int
 ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp,
     size_t resp_len, const char *chain_data, size_t chain_len,
-    u_char *errbuf, size_t *errbuf_size)
+    u_char *errbuf, size_t *errbuf_size, time_t *valid)
 {
 #ifndef NGX_HTTP_LUA_USE_OCSP
 
@@ -383,6 +383,15 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp,
         goto error;
     }
 
+    if (nextupdate) {
+        *valid = ngx_ssl_stapling_time(nextupdate);
+        if (valid == (time_t) NGX_ERROR) {
+            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+                          "invalid nextUpdate time in certificate status");
+            goto error;
+        }
+    }
+
     sk_X509_free(chain);
     X509_free(cert);
     X509_free(issuer);