More verification of OCSP responses - timestamps

markt-asf · markt-asf · commit e8f60b95e502 · 2025-12-11T09:06:31.000Z
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
@@ -218,6 +218,8 @@ extern ENGINE *tcn_ssl_engine;
 #define OCSP_STATUS_OK        0
 #define OCSP_STATUS_REVOKED   1
 #define OCSP_STATUS_UNKNOWN   2
+/* 15 minutes - aligns with JSSE */
+#define OCSP_MAX_SKEW       900
 #endif
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
@@ -1016,14 +1016,16 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
     OCSP_BASICRESP *bs;
     OCSP_SINGLERESP *ss;
     OCSP_CERTID *certid;
+    ASN1_GENERALIZEDTIME *thisupd;
+    ASN1_GENERALIZEDTIME *nextupd;
     STACK_OF(X509) *certStack;
 
     r = OCSP_response_status(ocsp_resp);
 
     if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
         return OCSP_STATUS_UNKNOWN;
     }
-    
+
     bs = OCSP_response_get1_basic(ocsp_resp);
     if (OCSP_check_nonce(ocsp_req, bs) == 0) {
         X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
@@ -1046,15 +1048,26 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
     }
 
     ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
-    i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
+    i = OCSP_single_get0_status(ss, NULL, NULL, &thisupd, &nextupd);
+    if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, -1) <= 0) {
+        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_NOT_YET_VALID);
+        o = OCSP_STATUS_UNKNOWN;
+        goto clean_certid;
+    }
+    if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, OCSP_MAX_SKEW) <= 0) {
+        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_HAS_EXPIRED);
+        o = OCSP_STATUS_UNKNOWN;
+        goto clean_certid;
+    }
+
     if (i == V_OCSP_CERTSTATUS_GOOD)
         o =  OCSP_STATUS_OK;
     else if (i == V_OCSP_CERTSTATUS_REVOKED)
         o = OCSP_STATUS_REVOKED;
     else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
         o = OCSP_STATUS_UNKNOWN;
 
-    /* we clean up */
+clean_certid:
     OCSP_CERTID_free(certid);
 clean_bs:
     OCSP_BASICRESP_free(bs);
