#!/bin/bash
depth=$1
env >> /etc/openvpn/server/ocsp_env.log
if [ "$depth" -eq 0 ]; then
    echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
    if [ -n "$tls_serial_0" ]; then
        # é preciso converter o serial para hexadecimal porque o openssl espera em hex
        hex_serial=$(printf '%x' "$tls_serial_0")
        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
        echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
        
        if echo "$status" | grep -q "revoked"; then
            echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log
            exit 1
        fi
        
        if echo "$status" | grep -q "good"; then
            echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log
            exit 0
        fi
        
        echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log
        exit 1
    else
        echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
        exit 1
    fi
fi

exit 0