diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java index 988449aec9b..31dc6938087 100644 --- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java +++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.ocsp; +import java.lang.Integer; import java.math.BigInteger; import java.security.MessageDigest; import java.security.cert.X509CRL; @@ -246,12 +247,13 @@ public void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl) if (oldCRL != null) { if (oldCRL.getThisUpdate().getTime() >= crl.getThisUpdate().getTime()) { - logger.info("LDAPStore: no update, received CRL is older than current CRL"); + logger.info("LDAPStore: no update, received CRL is not newer than current CRL"); return; // no update } } - logger.debug("Added '" + caCert.getSubjectName() + "' into CRL hash"); + logger.debug("LDAPStore: updateCRLHash: Added '" + caCert.getSubjectName() + "' into CRL hash"); mCRLs.put(caCert, crl); + logger.debug("LDAPStore: updateCRLHash: mCRLs size= "+ mCRLs.size()); } @Override @@ -418,9 +420,12 @@ public SingleResponse processRequest(Request req) throws Exception { logger.info("LDAPStore: Checking against " + caCert.getSubjectName()); MessageDigest md = MessageDigest.getInstance(cid.getDigestName()); + logger.debug("LDAPStore: processRequest: cert digest name=" + + cid.getDigestName()); X509Key key = (X509Key) caCert.getPublicKey(); if (key == null) { + logger.debug("LDAPStore: processRequest: mCRLs caCert.getPublicKey() returns null"); throw new Exception("Missing issuer key"); } @@ -428,6 +433,7 @@ public SingleResponse processRequest(Request req) throws Exception { byte keyhsh[] = cid.getIssuerKeyHash().toByteArray(); if (!Arrays.equals(digest, keyhsh)) { + logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs..."); continue; } @@ -438,11 +444,12 @@ public SingleResponse processRequest(Request req) throws Exception { } if (theCert == null) { - throw new Exception("Missing issuer certificate"); + throw new Exception("Issuer certificate not found/served"); } if (theCRL == null) { - throw new Exception("Missing CRL data"); + throw new Exception("Missing CRL data for issuing CA:" + + theCert.getSubjectDN()); } GeneralizedTime thisUpdate = new GeneralizedTime( diff --git a/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java index e9cb94d680a..79d046c99a9 100644 --- a/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java +++ b/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java @@ -412,14 +412,14 @@ protected synchronized void process(CMSRequest cmsReq) (pt.getThisUpdate().getTime() >= crl.getThisUpdate().getTime())) { - logger.warn("AddCRLServlet: no update, received CRL is older than current CRL"); + logger.warn("AddCRLServlet: no update, received CRL is not newer than current CRL"); if (noUI) { try { resp.setContentType("application/text"); resp.getOutputStream().write("status=1\n".getBytes()); resp.getOutputStream().write( - "error=Sent CRL is older than the current CRL\n".getBytes()); + "error=Sent CRL is not newer than the current CRL\n".getBytes()); resp.getOutputStream().flush(); cmsReq.setStatus(CMSRequest.SUCCESS); @@ -432,7 +432,7 @@ protected synchronized void process(CMSRequest cmsReq) } catch (Exception e) { } } else { - logger.error("AddCRLServlet: CRL is older"); + logger.error("AddCRLServlet: CRL is not newer"); // NOTE: The signed audit events // LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL and