Skip to content

Commit

Permalink
Improve exception handling for OCSP validation
Browse files Browse the repository at this point in the history
  • Loading branch information
fmarco76 committed Aug 16, 2023
1 parent 62ca334 commit f3f6e51
Show file tree
Hide file tree
Showing 4 changed files with 10 additions and 9 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ocsp-crl-ldap-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -332,7 +332,7 @@ jobs:
-c ca_signing \
--serial $CERT_ID | tee output
# the responder does not provide valid answer
# the responder should return "Unknown"
sed -n "s/^CertStatus=\(.*\)$/\1/p" output > actual
echo "Unknown" > expected
diff expected actual
Expand All @@ -347,7 +347,7 @@ jobs:
# remove file names and line numbers so it can be compared
sed -n "s/^$CERT_ID:\s*\(\S*\)$/\1/p" output > actual
# the responder does not provide valid answer
# the responder should return "unknown"
echo "unknown" > expected
diff expected actual
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1389,7 +1389,7 @@ public OCSPResponse validate(OCSPRequest request)
MessageDigest md = MessageDigest.getInstance(digestName);
nameHash = md.digest(ocspCA.getSubjectObj().getX500Name().getEncoded());
} catch (NoSuchAlgorithmException | IOException e) {
logger.info("CertificateAuthority: OCSP request hash algorithm " + digestName + " not recognised - ");
logger.warn("CertificateAuthority: OCSP request hash algorithm " + digestName + " not recognised: " + e.getMessage(), e);
}
}
if(Arrays.equals(nameHash, cid.getIssuerNameHash().toByteArray())) {
Expand Down Expand Up @@ -1583,6 +1583,7 @@ public SingleResponse processRequest(Request req) {
nameHash = md.digest(mName.getEncoded());
keyHash = md.digest(key.getKey());
} catch (NoSuchAlgorithmException | IOException e) {
logger.warn("CertificateAuthority: OCSP request hash algorithm " + digestName + " not recognised: " + e.getMessage(), e);
}
}
if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash) ||
Expand Down Expand Up @@ -1666,11 +1667,11 @@ public SingleResponse processRequest(Request req) {
certStatus = new UnknownInfo();
}
} catch (EDBRecordNotFoundException e) {
logger.debug(name + "cert record not found");
logger.debug("{} cert record not found", name);
certStatus = new UnknownInfo(); // not issued by this CA
} catch (Exception e) {
// internal error
logger.debug(name + "failed on certificateRepository.readCertificateRecord " + e.toString());
logger.error(name + " Unable to retrieve certificate record: " + e.getMessage(), e);
certStatus = new UnknownInfo();
}

Expand Down
6 changes: 3 additions & 3 deletions base/ocsp/src/main/java/com/netscape/cms/ocsp/DefStore.java
Original file line number Diff line number Diff line change
Expand Up @@ -346,7 +346,7 @@ public SingleResponse processRequest(Request req) throws Exception {
X509Key key = (X509Key) cert.getPublicKey();

byte[] digest = md.digest(key.getKey());
logger.info("DefStore: Digest: " + new String(Hex.encodeHex(digest)));
logger.info("DefStore: Digest: {}", new String(Hex.encodeHex(digest)));
byte[] name = md.digest(cert.getSubjectObj().getX500Name().getEncoded());

if (!Arrays.equals(digest, keyhsh) && Arrays.equals(name, namehash)) {
Expand Down Expand Up @@ -379,7 +379,7 @@ public SingleResponse processRequest(Request req) throws Exception {
logger.debug("DefStore: using crl cache");
}

logger.info("DefStore: Adding CRL issuing point container for " + new String(Hex.encodeHex(digest)));
logger.info("DefStore: Adding CRL issuing point container for {}", new String(Hex.encodeHex(digest)));
mCacheCRLIssuingPoints.put(new String(digest), new CRLIPContainer(theRec, theCert, theCRL));
break;
}
Expand All @@ -394,7 +394,7 @@ public SingleResponse processRequest(Request req) throws Exception {
logger.info("DefStore: Issuer: " + theCert);

if (theCert == null) {
logger.info("Missing issuer certificate");
logger.warn("Missing issuer certificate");
// Unknown cert so respond with unknown state
return new SingleResponse(cid, new UnknownInfo(), new GeneralizedTime(new Date()), null);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -443,7 +443,7 @@ public SingleResponse processRequest(Request req) throws Exception {
}

if (theCert == null) {
logger.info("Missing issuer certificate");
logger.warn("Missing issuer certificate");
// Unknown cert so respond with unknown state
return new SingleResponse(cid, new UnknownInfo(), new GeneralizedTime(new Date()), null);
}
Expand Down

0 comments on commit f3f6e51

Please sign in to comment.