Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

For unknown certificates OCSP should have unknown CertStatus (part 2) #4534

Merged
merged 2 commits into from
Aug 10, 2023
Merged

For unknown certificates OCSP should have unknown CertStatus (part 2) #4534

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
941e64a
For unknown certificates OCSP should have unknown CertStatus (part 2)
ckelleyRH Aug 8, 2023
d6adf7b
Internal OCSP CA identification using request hash
fmarco76 Aug 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 11 additions & 13 deletions base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,6 @@
import com.netscape.certsrv.ca.CAEnabledException;
import com.netscape.certsrv.ca.CAMissingCertException;
import com.netscape.certsrv.ca.CAMissingKeyException;
import com.netscape.certsrv.ca.CANotFoundException;
import com.netscape.certsrv.ca.CANotLeafException;
import com.netscape.certsrv.ca.CATypeException;
import com.netscape.certsrv.ca.ECAException;
Expand Down Expand Up @@ -1550,9 +1549,8 @@ public OCSPResponse validate(OCSPRequest request)
* CertID in the request.
*
* 2. If this CA is *not* the issuer, look up the issuer
* by its DN in CAEngine. If not found, fail. If
* found, dispatch to its 'validate' method. Otherwise
* continue.
* by its DN in CAEngine. If found, dispatch to its 'validate'
* method. Otherwise continue.
*
* 3. If this CA is NOT the issuing CA, we locate the
* issuing CA and dispatch to its 'validate' method.
Expand All @@ -1564,16 +1562,16 @@ public OCSPResponse validate(OCSPRequest request)
Request req = tbsReq.getRequestAt(0);
BigInteger serialNo = req.getCertID().getSerialNumber();

CertificateRepository certificateRepository = engine.getCertificateRepository();
X509CertImpl cert = certificateRepository.getX509Certificate(serialNo);

X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
ocspCA = engine.getCA(certIssuerDN);
}
try {
CertificateRepository certificateRepository = engine.getCertificateRepository();
X509CertImpl cert = certificateRepository.getX509Certificate(serialNo);

if (ocspCA == null) {
logger.error("CertificateAuthority: Could not locate issuing CA");
throw new CANotFoundException("Could not locate issuing CA");
X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
ocspCA = engine.getCA(certIssuerDN);
} catch (EBaseException e) {
// If we don't know the issuer allow this CA to validate
// and report the CertStatus as Unknown
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think here we should catch EDBRecordNotFoundException specifically (see LDAPSession.read()) which indicates that the cert doesn't exist in CA's cert repository. Other exceptions might indicate there's a real issue in CA so we should let it bubble up like before so it can be handled properly by the caller.

}

if (ocspCA != this)
Expand Down