New function and options to check OCSP response validity.

1 files changed, 10 insertions, 0 deletions

diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index 18249abc38..bccdf77b4f 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -444,6 +444,9 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 				ASN1_GENERALIZEDTIME **revtime,
 				ASN1_GENERALIZEDTIME **thisupd,
 				ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+			ASN1_GENERALIZEDTIME *nextupd,
+			long sec, long maxsec);
 
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
 
@@ -569,6 +572,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_OCSP_CHECK_DELEGATED			 106
 #define OCSP_F_OCSP_CHECK_IDS				 107
 #define OCSP_F_OCSP_CHECK_ISSUER			 108
+#define OCSP_F_OCSP_CHECK_VALIDITY			 115
 #define OCSP_F_OCSP_MATCH_ISSUERID			 109
 #define OCSP_F_OCSP_PARSE_URL				 114
 #define OCSP_F_OCSP_REQUEST_SIGN			 110
@@ -580,8 +584,11 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_BAD_DATA					 100
 #define OCSP_R_CERTIFICATE_VERIFY_ERROR			 101
 #define OCSP_R_DIGEST_ERR				 102
+#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD		 122
+#define OCSP_R_ERROR_IN_THISUPDATE_FIELD		 123
 #define OCSP_R_ERROR_PARSING_URL			 121
 #define OCSP_R_MISSING_OCSPSIGNING_USAGE		 103
+#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE		 124
 #define OCSP_R_NOT_BASIC_RESPONSE			 104
 #define OCSP_R_NO_CERTIFICATES_IN_CHAIN			 105
 #define OCSP_R_NO_CONTENT				 106
@@ -597,6 +604,9 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_SERVER_WRITE_ERROR			 116
 #define OCSP_R_SIGNATURE_FAILURE			 117
 #define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND		 118
+#define OCSP_R_STATUS_EXPIRED				 125
+#define OCSP_R_STATUS_NOT_YET_VALID			 126
+#define OCSP_R_STATUS_TOO_OLD				 127
 #define OCSP_R_UNKNOWN_MESSAGE_DIGEST			 119
 #define OCSP_R_UNKNOWN_NID				 120