Internal OCSP CA identification using request hash

In case of multiple CAs the correct one was selected using the first certificate. This could provide inconsistent. Now the selection is based on the request issuer name. Additionally, the output has been made consistent with the external OCSP for all the possibilities of subject and issuers.
dogtagpki · Aug 10, 2023 · f719bb7 · f719bb7
1 parent a495d6e
commit f719bb7
Showing 1 changed file with 31 additions and 19 deletions.
diff --git a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
@@ -107,6 +107,7 @@
 import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
 import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.CRLSigningInfoEvent;
@@ -1557,25 +1558,27 @@ public OCSPResponse validate(OCSPRequest request)
          *    Otherwise, we move forward to generate and sign the
          *    aggregate OCSP response.
          */
-        CertificateAuthority ocspCA = this;
-        if (engine.getCAs().size() > 0 && tbsReq.getRequestCount() > 0) {
+        for (CertificateAuthority ocspCA: engine.getCAs()) {
             Request req = tbsReq.getRequestAt(0);
-            BigInteger serialNo = req.getCertID().getSerialNumber();
-
-            try {
-                CertificateRepository certificateRepository = engine.getCertificateRepository();
-                X509CertImpl cert = certificateRepository.getX509Certificate(serialNo);
-
-                X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
-                ocspCA = engine.getCA(certIssuerDN);
-            } catch (EBaseException e) {
-                // If we don't know the issuer allow this CA to validate
-                // and report the CertStatus as Unknown
+            CertID cid = req.getCertID();
+            byte[] nameHash = null;
+            String digestName = cid.getDigestName();
+            if (digestName != null) {
+                try {
+                    MessageDigest md = MessageDigest.getInstance(digestName);
+                    nameHash = md.digest(ocspCA.getSubjectObj().getX500Name().getEncoded());
+                } catch (NoSuchAlgorithmException | IOException e) {
+                    logger.info("CertificateAuthority: OCSP request hash algorithm " + digestName + " not recognised - ");
+                }
+            }
+            if(Arrays.equals(nameHash, cid.getIssuerNameHash().toByteArray())) {
+                if(ocspCA != this) {
+                    return ((IOCSPService) ocspCA).validate(request);
+                }
+                break;
             }
         }
 
-        if (ocspCA != this)
-            return ((IOCSPService) ocspCA).validate(request);
 
         logger.debug("CertificateAuthority: validating OCSP request");
 
@@ -1734,11 +1737,14 @@ private BasicOCSPResponse sign(ResponseData rd) throws EBaseException {
         }
     }
 
-    private SingleResponse processRequest(Request req) {
+    public SingleResponse processRequest(Request req) {
 
         CAEngine engine = CAEngine.getInstance();
         CertificateRepository certificateRepository = engine.getCertificateRepository();
 
+        X509CertImpl caCert = mSigningUnit.getCertImpl();
+        X509Key key = (X509Key) caCert.getPublicKey();
+
         CertID cid = req.getCertID();
         INTEGER serialNo = cid.getSerialNumber();
         logger.debug("CertificateAuthority: processing request for cert 0x" + serialNo.toString(16));
@@ -1747,15 +1753,18 @@ private SingleResponse processRequest(Request req) {
         GeneralizedTime thisUpdate = new GeneralizedTime(new Date());
 
         byte[] nameHash = null;
+        byte[] keyHash = null;
         String digestName = cid.getDigestName();
         if (digestName != null) {
             try {
                 MessageDigest md = MessageDigest.getInstance(digestName);
                 nameHash = md.digest(mName.getEncoded());
+                keyHash = md.digest(key.getKey());
             } catch (NoSuchAlgorithmException | IOException e) {
             }
         }
-        if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash)) {
+        if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash) ||
+                !Arrays.equals(cid.getIssuerKeyHash().toByteArray(), keyHash)) {
             // issuer of cert is not this CA (or we couldn't work
             // out whether it is or not due to unknown hash alg);
             // do not return status information for this cert
@@ -1834,9 +1843,12 @@ private SingleResponse processRequest(Request req) {
             } else {
                 certStatus = new UnknownInfo();
             }
-        } catch (Exception e) {
+        } catch (EDBRecordNotFoundException e) {
             // not found
-            certStatus = new UnknownInfo(); // not issued not all
+            certStatus = new GoodInfo(); // not issued not all
+        } catch (EBaseException e) {
+            // internal error
+            certStatus = new UnknownInfo();
         }
 
         return new SingleResponse(