
update-ocsp: refactor validation, check cert life

Authored by BBlack.

Description

update-ocsp: refactor validation, check cert life

The functional highlights here are:

  1. We now ask openssl for the text output in the same command that
     stores the binary response to disk.
  2. Command executions split stderr and stdout for easier parsing.
  3. OpenSSL stderr is parsed for an explicit "Response verify OK"
     rather than relying solely on an exit status of zero.
  4. OCSP Windows are checked from the initial text output, rather
     than as a second command reading from the stored binary response.
  5. The signing cert's validity is checked, causing failure if:
     • "Not Before" > 60s in the future
     • "Not After" < 1h in the future
     • "Not After" earlier than any OCSP Window end time (which is usually 12h in the future)

certs_fetch_ocsp() is now an overlong function that's not ideally
factored, but we'll deal with this in the rewrite as a daemon in
ticket T93927, as many details about the handling of date windows
will change in that model anyways.

Bug: T109737
Bug: T109738
Change-Id: Ide511688caa9ea3d0dd0bf18687d98237a3c4949
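As an added illustration, not code from the update-ocsp change itself: a Python sketch of the checks the message lists (stderr scanned for "Response verify OK", the signing cert's validity compared against the 60s / 1h / window-end limits), run over constructed openssl-style text. The field labels, treating the first Certificate block as the OCSP signer, and reading the window as This Update..Next Update are my assumptions, not details taken from the script.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `openssl ocsp -text` output; not real
# output from update-ocsp, and all dates are made up.
SAMPLE_STDOUT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Aug 20 12:00:00 2015 GMT
    Next Update: Aug 21 00:00:00 2015 GMT
Certificate:
    Data:
        Validity
            Not Before: Aug  1 00:00:00 2015 GMT
            Not After : Sep  1 00:00:00 2015 GMT
"""
SAMPLE_STDERR = "Response verify OK\n"  # constructed; stderr kept separate


def parse_openssl_time(s):
    """Parse 'Aug  1 00:00:00 2015 GMT' (day is space-padded) as UTC."""
    s = " ".join(s.replace(" GMT", "").split())
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def extract_times(text):
    """Pull the OCSP window and the first cert's validity from the text output.
    Assumption: the first Certificate block is the response signer."""
    def grab(label):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+)$", text, re.M)
        if not m:
            raise ValueError("missing field: " + label)
        return parse_openssl_time(m.group(1))
    return {"this_update": grab("This Update"), "next_update": grab("Next Update"),
            "not_before": grab("Not Before"), "not_after": grab("Not After")}


def validate_ocsp(stdout_text, stderr_text, now):
    """Return a list of problems; an empty list means the response is acceptable."""
    problems = []
    if "Response verify OK" not in stderr_text:  # exit status 0 alone is not trusted
        problems.append("no 'Response verify OK' on stderr")
    t = extract_times(stdout_text)
    if t["not_before"] > now + timedelta(seconds=60):
        problems.append("signing cert Not Before is more than 60s in the future")
    if t["not_after"] < now + timedelta(hours=1):
        problems.append("signing cert Not After is less than 1h in the future")
    if t["not_after"] < t["next_update"]:
        problems.append("signing cert expires before the OCSP window ends")
    if not (t["this_update"] <= now <= t["next_update"]):  # assumed window check
        problems.append("now is outside the OCSP window")
    return problems
```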

Details