2 files changed, 63 insertions, 31 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 39f1eb043e..8abe7c268c 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -726,22 +726,49 @@ ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
     return self;
 }
 
+static VALUE
+add_status_convert_time(VALUE obj)
+{
+    ASN1_TIME *time;
+
+    if (RB_INTEGER_TYPE_P(obj))
+	time = X509_gmtime_adj(NULL, NUM2INT(obj));
+    else
+	time = ossl_x509_time_adjust(NULL, obj);
+
+    if (!time)
+	ossl_raise(eOCSPError, NULL);
+
+    return (VALUE)time;
+}
+
 /*
  * call-seq:
  *   basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response
  *
- * Adds a validation +status+ (0 for good, 1 for revoked, 2 for unknown) to this
- * response for +certificate_id+.  +reason+ describes the reason for the
- * revocation, if any.
+ * Adds a certificate status for +certificate_id+. +status+ is the status, and
+ * must be one of these:
+ *
+ * - OpenSSL::OCSP::V_CERTSTATUS_GOOD
+ * - OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+ * - OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+ *
+ * +reason+ and +revocation_time+ can be given only when +status+ is
+ * OpenSSL::OCSP::V_CERTSTATUS_REVOKED. +reason+ describes the reason for the
+ * revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
+ * +revocation_time+ is the time when the certificate is revoked.
+ *
+ * +this_update+ and +next_update+ indicate the time at which ths status is
+ * verified to be correct and the time at or before which newer information
+ * will be available, respectively. +next_update+ is optional.
  *
- * The +revocation_time+, +this_update+ and +next_update+ are times for the
- * certificate's revocation time, the time of this status and the next update
- * time for a new status, respectively.
+ * +extensions+ is an Array of OpenSSL::X509::Extension to be included in the
+ * SingleResponse. This is also optional.
  *
- * +extensions+ may be an Array of OpenSSL::X509::Extension that will
- * be added to this response or nil.
+ * Note that the times, +revocation_time+, +this_update+ and +next_update+
+ * can be specified in either of Integer or Time object. If they are Integer, it
+ * is treated as the relative seconds from the current time.
  */
-
 static VALUE
 ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
 			 VALUE reason, VALUE revtime,
@@ -750,36 +777,37 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
     OCSP_BASICRESP *bs;
     OCSP_SINGLERESP *single;
     OCSP_CERTID *id;
-    ASN1_TIME *ths, *nxt, *rev;
-    int st, rsn, error, rstatus = 0;
+    ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
+    int st, rsn = 0, error = 0, rstatus = 0;
     long i;
     VALUE tmp;
 
+    GetOCSPBasicRes(self, bs);
+    SafeGetOCSPCertId(cid, id);
     st = NUM2INT(status);
-    rsn = NIL_P(status) ? 0 : NUM2INT(reason);
-    if(!NIL_P(ext)){
-	/* All ary's members should be X509Extension */
-	Check_Type(ext, T_ARRAY);
+    if (!NIL_P(ext)) { /* All ext's members must be X509::Extension */
+	ext = rb_check_array_type(ext);
 	for (i = 0; i < RARRAY_LEN(ext); i++)
 	    OSSL_Check_Kind(RARRAY_AREF(ext, i), cX509Ext);
     }
 
-    error = 0;
-    ths = nxt = rev = NULL;
-    if(!NIL_P(revtime)){
-	tmp = rb_protect(rb_Integer, revtime, &rstatus);
-	if(rstatus) goto err;
-	rev = X509_gmtime_adj(NULL, NUM2INT(tmp));
+    if (st == V_OCSP_CERTSTATUS_REVOKED) {
+	rsn = NUM2INT(reason);
+	tmp = rb_protect(add_status_convert_time, revtime, &rstatus);
+	if (rstatus) goto err;
+	rev = (ASN1_TIME *)tmp;
+    }
+
+    tmp = rb_protect(add_status_convert_time, thisupd, &rstatus);
+    if (rstatus) goto err;
+    ths = (ASN1_TIME *)tmp;
+
+    if (!NIL_P(nextupd)) {
+	tmp = rb_protect(add_status_convert_time, nextupd, &rstatus);
+	if (rstatus) goto err;
+	nxt = (ASN1_TIME *)tmp;
     }
-    tmp = rb_protect(rb_Integer, thisupd, &rstatus);
-    if(rstatus) goto err;
-    ths = X509_gmtime_adj(NULL, NUM2INT(tmp));
-    tmp = rb_protect(rb_Integer, nextupd, &rstatus);
-    if(rstatus) goto err;
-    nxt = X509_gmtime_adj(NULL, NUM2INT(tmp));
 
-    GetOCSPBasicRes(self, bs);
-    SafeGetOCSPCertId(cid, id);
     if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))){
 	error = 1;
 	goto err;
@@ -787,8 +815,7 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
 
     if(!NIL_P(ext)){
 	X509_EXTENSION *x509ext;
-	while ((x509ext = OCSP_SINGLERESP_delete_ext(single, 0)))
-	    X509_EXTENSION_free(x509ext);
+
 	for(i = 0; i < RARRAY_LEN(ext); i++){
 	    x509ext = DupX509ExtPtr(RARRAY_AREF(ext, i));
 	    if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
diff --git a/ext/openssl/ruby_missing.h b/ext/openssl/ruby_missing.h
index d7384ec32c..f076b1757d 100644
--- a/ext/openssl/ruby_missing.h
+++ b/ext/openssl/ruby_missing.h
@@ -24,4 +24,9 @@
 #define rb_io_t OpenFile
 #endif
 
+#ifndef RB_INTEGER_TYPE_P
+/* for Ruby 2.3 compatibility */
+#define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
+#endif
+
 #endif /* _OSSL_RUBY_MISSING_H_ */