[Pki-devel] [PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses
Fraser Tweedale
ftweedal at redhat.com
Thu Oct 1 12:51:34 UTC 2015
Well, it would help to attach the patch :)
On Thu, Oct 01, 2015 at 10:43:51PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> The attached patch makes sure that the right authority is used to
> create OCSP responses. Note that OCSP requests may ask about certs
> from more than one issuer - even though this is crazy, the heuristic
> used is to simply use the issuer of the first CertID in the request.
>
> Note that OCSP response validation of certificates issued by sub-CAs
> currently fails due to a separate issue[1].
>
> [1] https://fedorahosted.org/pki/ticket/1632
>
-------------- next part --------------
From 35e46bdf2eb2139eb0772a0e6abbe8f3a40173bf Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 1 Oct 2015 08:26:01 -0400
Subject: [PATCH] Lightweight CAs: lookup correct issuer for OCSP responses
---
.../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 5440a380ab8c5627f6305ad882159a7bcf3ef88e..2ee745a3988dceed926cd0279276922c766eb8c0 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2106,12 +2106,49 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
return null;
}
+ TBSRequest tbsReq = request.getTBSRequest();
+
+ /* An OCSP request can contain CertIDs for certificates
+ * issued by different CAs, but each SingleResponse is valid
+ * only if the combined response was signed by its issuer or
+ * an authorised OCSP signing delegate.
+ *
+ * Even though it is silly to send an OCSP request
+ * asking about certs issued by different CAs, we must
+ * employ some heuristic to deal with this case. Our
+ * heuristic is:
+ *
+ * 1. Find the issuer of the cert identified by the first
+ * CertID in the request.
+ *
+ * 2. If this CA is *not* the issuer, look up the issuer
+ * by its DN in the caMap. If not found, fail. If
+ * found, dispatch to its 'validate' method. Otherwise
+ * continue.
+ *
+ * 3. Either we were not the issuing CA, or we
+ * re-dispatched the 'validate' call to the issuing CA.
+ * Therefore, move past the check to generate and sign
+ * the aggregate OCSP response.
+ */
+ ICertificateAuthority ocspCA = this;
+ if (tbsReq.getRequestCount() > 0) {
+ com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
+ BigInteger serialNo = req.getCertID().getSerialNumber();
+ X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
+ X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
+ ocspCA = getCA(certIssuerDN);
+ }
+ if (ocspCA == null)
+ throw new CANotFoundException("Could not locate issuing CA");
+ if (ocspCA != this)
+ return ((IOCSPService) ocspCA).validate(request);
+
mNumOCSPRequest++;
IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
long startTime = CMS.getCurrentDate().getTime();
try {
//log(ILogger.LL_INFO, "start OCSP request");
- TBSRequest tbsReq = request.getTBSRequest();
// (3) look into database to check the
// certificate's status
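Review bot: the new issuer lookup has no handling for a serial that is not in the repository: if `mCertRepot.getX509Certificate(serialNo)` returns null for an unknown serial, the next line `X500Name certIssuerDN = (X500Name) cert.getIssuerDN();` throws a NullPointerException out of `validate` instead of the clean `CANotFoundException` path below it, so guard the null case (for example set `ocspCA = null` when `cert == null`, or let this CA answer). The lookup also keys on the serial number alone and ignores the issuerNameHash/issuerKeyHash carried in the CertID, which is only sound while every authority reachable through `getCA` shares one serial space; that assumption deserves a sentence in the block comment. Step 3 of that comment, "Either we were not the issuing CA, or we re-dispatched the 'validate' call", contradicts the code, since `if (ocspCA != this) return ((IOCSPService) ocspCA).validate(request);` means only the issuing CA reaches the code below; it should read "Either we were the issuing CA". Finally, the `(IOCSPService) ocspCA` cast is unchecked, so an authority that does not implement `IOCSPService` would surface as a ClassCastException rather than a meaningful error.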
--
2.4.3
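As an added illustration of the routing problem the message describes (not code from the patch or from Dogtag), the following Python models a responder that selects the signing authority from the RFC 6960 CertID issuer hashes rather than from the serial number alone, and refuses a request whose CertIDs span more than one issuer instead of silently answering for the first one. The `Authority` registry, the DER byte strings and the serial numbers are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CertID:
    """The RFC 6960 CertID fields that matter for choosing a responder."""
    hash_alg: str           # hashAlgorithm, e.g. "sha1"
    issuer_name_hash: bytes  # hash of the DER-encoded issuer Name
    issuer_key_hash: bytes   # hash of the issuer subjectPublicKey value octets
    serial: int


@dataclass(frozen=True)
class Authority:
    """A CA this responder may sign for (hypothetical model, not Dogtag's)."""
    nickname: str
    subject_der: bytes    # DER encoding of the CA's subject Name
    spki_key_bits: bytes  # subjectPublicKey BIT STRING value (no tag/len/unused-bits)

    def issued(self, cid: CertID) -> bool:
        digest = lambda data: hashlib.new(cid.hash_alg, data).digest()
        return (digest(self.subject_der) == cid.issuer_name_hash
                and digest(self.spki_key_bits) == cid.issuer_key_hash)


def select_responder(cert_ids: Iterable[CertID],
                     authorities: List[Authority]) -> Optional[Authority]:
    """Return the one authority that issued every CertID, else None.

    None means the request cannot be answered by a single signer (empty
    request, unknown issuer, unsupported hash, or mixed issuers); the
    caller should then return an OCSP 'unauthorized' status rather than
    sign SingleResponses for certificates it did not issue.
    """
    chosen: Optional[Authority] = None
    for cid in cert_ids:
        try:
            hashlib.new(cid.hash_alg)   # reject hash algorithms we cannot compute
        except ValueError:
            return None
        found = next((ca for ca in authorities if ca.issued(cid)), None)
        if found is None or (chosen is not None and found is not chosen):
            return None
        chosen = found
    return chosen


def make_cert_id(ca: Authority, serial: int, alg: str = "sha1") -> CertID:
    """Build the CertID a client would send for a cert issued by `ca`."""
    return CertID(alg, hashlib.new(alg, ca.subject_der).digest(),
                  hashlib.new(alg, ca.spki_key_bits).digest(), serial)


# Constructed sample authorities; the DER and key bytes are placeholders.
ROOT = Authority("root-ca", b"\x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05root1", b"\x00\xa1\xb2\xc3")
SUB = Authority("sub-ca", b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04sub1", b"\x00\xd4\xe5\xf6")
AUTHORITIES = [ROOT, SUB]
```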