Make SMIME revocation check with OSCP work with OpenSSL 3
At least with OpenSSL 3.1.2, ocsp's -cert argument doesn't support
STDIN("-") :/
sunnavy committed Sep 6, 2023
1 parent e5ec254 commit e0dc247
Showing 1 changed file with 8 additions and 4 deletions.
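--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -1264,18 +1264,22 @@ sub CheckRevocationUsingOCSP {
 $out = '';
 $err = '';
 
-safe_run_child { run3( [$self->OpenSSLPath(), 'ocsp', '-issuer', $issuer, '-cert', '-', @ca_verify, '-url', $ocsp_url],
-\$PEM, \$out, \$err) };
+my $cert_fh = File::Temp->new;
+print $cert_fh $PEM;
+close $cert_fh;
+my $cert_file = $cert_fh->filename;
+safe_run_child { run3( [$self->OpenSSLPath(), 'ocsp', '-issuer', $issuer, '-cert', $cert_file, @ca_verify, '-url', $ocsp_url],
+undef, \$out, \$err) };
 return undef unless $? == 0;
 
-if ($out =~ /^-: revoked/) {
+if ($out =~ /^\Q$cert_file\E: revoked/) {
 $res->{info}[0]{Trust} = "REVOKED certificate checked against OCSP URI $ocsp_url";
 $res->{info}[0]{TrustTerse} = "none (revoked certificate)";
 $res->{info}[0]{TrustLevel} = -1;
 $res->{exit_code} = 0;
 return 1;
 }
-if ($out =~ /^-: good/) {
+if ($out =~ /^\Q$cert_file\E: good/) {
 # Definitely NOT revoked. Return 0, but not undef
 return 0;
 }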
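Review bot: The writes to the temporary certificate file are unchecked: `print $cert_fh $PEM;` and `close $cert_fh;` ignore failure, so a short write (full or unwritable temp directory) hands `openssl ocsp` a truncated or empty file. The command would then most likely exit non-zero and the sub returns undef with nothing recorded, which looks the same as an unreachable responder; how callers treat undef is not visible in this hunk, so a revocation check that quietly degrades to "unknown" is worth ruling out. I would check both calls and log `$!` before bailing out, e.g. `print {$cert_fh} $PEM or return undef;` and `close $cert_fh or return undef;`. CheckRevocationUsingOCSP starts and ends outside the hunk.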