ocsp_responder: fix UTC time parsing and CERT_UNKNOWN response

Julek · Copilot · Julek · commit c4d0e084832e · 2026-03-03T11:55:06.000+01:00
- ParseIndexFile: replace XMKTIME() with UtcMkTime() to correctly
  interpret the trailing 'Z' (UTC) in the index file's revocation
  timestamps; XMKTIME/mktime uses local time, skewing the result on
  machines not running in UTC.

- wc_OcspResponder_WriteResponse: when a certificate is not found in
  the status list, write a successful OCSPResponse with per-certificate
  status CERT_UNKNOWN instead of returning OCSP_CERT_UNKNOWN. Per
  RFC 6960, 'unknown' belongs in a SingleResponse inside a successful
  response, not as an OCSPResponseStatus error, so OCSP clients can
  distinguish 'unknown cert' from 'not authorized to answer'.

- MapErrorToOcspStatus: remove the now-unreachable OCSP_CERT_UNKNOWN
  case.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c
@@ -258,6 +258,27 @@ static int LoadKeyDer(const char* filename, byte** der, word32* derSz)
     }
 }
 
+/* Compute UTC unix timestamp from broken-down time without timezone conversion.
+ * This avoids XMKTIME()/mktime(), which interprets struct tm as local time and
+ * would skew revocation timestamps on machines not running in UTC. */
+static time_t UtcMkTime(struct tm* t)
+{
+    static const int monthDaysCumulative[12] = {
+        0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
+    };
+    int year = t->tm_year + 1900;
+    int leapDays = year;
+
+    if (t->tm_mon <= 1)
+        --leapDays;
+    leapDays = leapDays / 4 - leapDays / 100 + leapDays / 400
+               - 1969 / 4 + 1969 / 100 - 1969 / 400;
+
+    return (time_t)(((((long long)(year - 1970) * 365 + leapDays +
+               monthDaysCumulative[t->tm_mon] + t->tm_mday - 1) * 24 +
+               t->tm_hour) * 60 + t->tm_min) * 60 + t->tm_sec);
+}
+
 /* Free index entries */
 static void FreeIndexEntries(IndexEntry* head)
 {
@@ -331,7 +352,10 @@ static IndexEntry* ParseIndexFile(const char* filename)
                             tm.tm_hour = (field[6] - '0') * 10 + (field[7] - '0');
                             tm.tm_min = (field[8] - '0') * 10 + (field[9] - '0');
                             tm.tm_sec = (field[10] - '0') * 10 + (field[11] - '0');
-                            entry->revocationTime = XMKTIME(&tm);
+                            /* Use UTC conversion: the 'Z' suffix in the index
+                             * file indicates UTC, but XMKTIME() uses local
+                             * time, which would skew the timestamp. */
+                            entry->revocationTime = UtcMkTime(&tm);
                         }
                     }
                     break;
@@ -686,8 +710,6 @@ static enum Ocsp_Response_Status MapErrorToOcspStatus(int err)
             return OCSP_INTERNAL_ERROR;
         case ASN_NO_SIGNER_E:
             return OCSP_UNAUTHORIZED;
-        case OCSP_CERT_UNKNOWN:
-            return OCSP_UNAUTHORIZED;
         default:
             return OCSP_INTERNAL_ERROR;
     }
diff --git a/src/ocsp.c b/src/ocsp.c
@@ -2753,8 +2753,21 @@ int wc_OcspResponder_WriteResponse(OcspResponder* responder,
     /* Find the certificate status */
     certStatus = FindCertStatus(ca, req.serial, req.serialSz);
     if (certStatus == NULL) {
-        WOLFSSL_MSG("No status configured for requested certificate");
-        ret = OCSP_CERT_UNKNOWN;
+        /* RFC 6960: 'unknown' is a per-certificate status inside a successful
+         * OCSPResponse, not an error response. Generate a successful response
+         * with CERT_UNKNOWN so clients can distinguish it from UNAUTHORIZED. */
+        OcspResponderCertStatus unknownStatus;
+        WOLFSSL_MSG("No status for requested certificate, responding CERT_UNKNOWN");
+        if (req.serialSz > EXTERNAL_SERIAL_SIZE) {
+            ret = BUFFER_E;
+            goto out;
+        }
+        XMEMSET(&unknownStatus, 0, sizeof(unknownStatus));
+        XMEMCPY(unknownStatus.serial, req.serial, req.serialSz);
+        unknownStatus.serialSz = req.serialSz;
+        unknownStatus.status = CERT_UNKNOWN;
+        ret = OcspResponse_WriteResponse(responder, response, responseSz, ca,
+                &unknownStatus, &req);
         goto out;
     }
 
