authorFraser Tweedale <ftweedal@redhat.com>2016-03-01 22:38:40 -0500
committerFraser Tweedale <ftweedal@redhat.com>2016-03-03 17:19:49 -0500
commitc0c1834465438844ff542514127b80b568c1afd8 (patch)
tree356daefe9f1101caa909b71e1c55de51400b1b4b
parent04214b3d3405750cbbda228554c0d9f087a59170 (diff)
Do not leak status of certs issued by other CAs
If an OCSP request includes CertIDs for certificates issued by multiple CAs, return 'unknown' CertStatus for all certificates not issued by the "signing" CA.
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java19
1 files changed, 18 insertions, 1 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index cbb155a3b..63c7ca4e4 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -33,6 +33,7 @@ import java.security.Signature;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
+import java.util.Arrays;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
@@ -2245,7 +2246,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
return response;
} catch (Exception e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString()));
- throw new EBaseException(e.toString());
+ throw new EBaseException(e.toString(), e);
}
}
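Review bot: With the cause now chained on the `throw`, passing `e.toString()` as the message repeats the wrapped exception's class and text a second time in the resulting stack trace; a fixed message such as `throw new EBaseException("OCSP request processing failed", e);` reads cleaner, provided EBaseException's string constructor does not treat its argument as a message-catalog key, which the hunk does not show. The broad `catch (Exception e)` also converts any runtime failure into an EBaseException, so the log call just above it is the only place the original exception type is visible until a reader inspects the cause; worth a one-line comment stating that is intentional. The enclosing method begins outside the hunk.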
@@ -2301,6 +2302,22 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
GeneralizedTime nextUpdate = null;
+ byte[] nameHash = null;
+ String digestName = cid.getDigestName();
+ if (digestName != null) {
+ try {
+ MessageDigest md = MessageDigest.getInstance(digestName);
+ nameHash = md.digest(mName.getEncoded());
+ } catch (NoSuchAlgorithmException | IOException e) {
+ }
+ }
+ if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash)) {
+ // issuer of cert is not this CA (or we couldn't work
+ // out whether it is or not due to unknown hash alg);
+ // do not return status information for this cert
+ return new SingleResponse(cid, new UnknownInfo(), thisUpdate, null);
+ }
+
boolean ocspUseCache = true;
try {