From c122a4e33d1e00f8e6e9878e19df43da2b78f9c6 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Sat, 18 Apr 2020 02:18:02 -0400
Subject: [PATCH] validate and expose nextUpdate field in OCSP response

---
 src/ngx_http_lua_ssl_ocsp.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
index d1805b23dd..0189a1cd10 100644
--- a/src/ngx_http_lua_ssl_ocsp.c
+++ b/src/ngx_http_lua_ssl_ocsp.c
@@ -262,7 +262,7 @@ ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data,
 int
 ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp, size_t resp_len,
     const char *chain_data, size_t chain_len,
-    u_char *errbuf, size_t *errbuf_size)
+    u_char *errbuf, size_t *errbuf_size, time_t *valid)
 {
 #ifndef NGX_HTTP_LUA_USE_OCSP
 
@@ -383,6 +383,15 @@ ngx_http_lua_ffi_ssl_validate_ocsp_response(const u_char *resp,
         goto error;
     }
 
+    if (nextupdate) {
+        *valid = ngx_ssl_stapling_time(nextupdate);
+        if (valid == (time_t) NGX_ERROR) {
+            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+                          "invalid nextUpdate time in certificate status");
+            goto error;
+        }
+    }
+
     sk_X509_free(chain);
     X509_free(cert);
     X509_free(issuer);
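Review bot: The error check in the second hunk compares the pointer `valid` against `(time_t) NGX_ERROR` instead of the value just stored through it, so a nextUpdate that ngx_ssl_stapling_time() rejects is never caught: the function logs nothing, does not take the `error` path, and hands the caller NGX_ERROR cast to time_t as the response's validity time, which the Lua side may then treat as a real expiry. The line should read `if (*valid == (time_t) NGX_ERROR) {`. Because `*valid` is only written when `nextupdate` is non-NULL, the contract for the case without nextUpdate (caller must pre-initialise `*valid`, or the function should set it to 0) is worth stating in a comment above the new block, e.g. `/* *valid is left untouched when the response carries no nextUpdate */`, whichever the caller in the Lua FFI binding actually relies on. I am assuming ngx_ssl_stapling_time is reachable from this file, since it is a static helper in nginx core; confirm that a local copy exists. The body of ngx_http_lua_ffi_ssl_validate_ocsp_response, including where `nextupdate` and `ctx` are set, lies outside both hunks.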