From afe1d7205ae32c272e15dbf42475da4a79b5c9bc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 1 Oct 2015 08:26:01 -0400
Subject: Lightweight CAs: lookup correct issuer for OCSP responses

---
 .../src/com/netscape/ca/CertificateAuthority.java  | 39 +++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 889e7e3f7..cbb155a3b 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2121,12 +2121,49 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
             return null;
         }
 
+        TBSRequest tbsReq = request.getTBSRequest();
+
+        /* An OCSP request can contain CertIDs for certificates
+         * issued by different CAs, but each SingleResponse is valid
+         * only if the combined response was signed by its issuer or
+         * an authorised OCSP signing delegate.
+         *
+         * Even though it is silly to send an OCSP request
+         * asking about certs issued by different CAs, we must
+         * employ some heuristic to deal with this case. Our
+         * heuristic is:
+         *
+         * 1. Find the issuer of the cert identified by the first
+         *    CertID in the request.
+         *
+         * 2. If this CA is *not* the issuer, look up the issuer
+         *    by its DN in the caMap.  If not found, fail.  If
+         *    found, dispatch to its 'validate' method.  Otherwise
+         *    continue.
+         *
+         * 3. If this CA is NOT the issuing CA, we locate the
+         *    issuing CA and dispatch to its 'validate' method.
+         *    Otherwise, we move forward to generate and sign the
+         *    aggregate OCSP response.
+         */
+        ICertificateAuthority ocspCA = this;
+        if (tbsReq.getRequestCount() > 0) {
+            com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
+            BigInteger serialNo = req.getCertID().getSerialNumber();
+            X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
+            X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
+            ocspCA = getCA(certIssuerDN);
+        }
+        if (ocspCA == null)
+            throw new CANotFoundException("Could not locate issuing CA");
+        if (ocspCA != this)
+            return ((IOCSPService) ocspCA).validate(request);
+
         mNumOCSPRequest++;
         IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
         long startTime = CMS.getCurrentDate().getTime();
         try {
             //log(ILogger.LL_INFO, "start OCSP request");
-            TBSRequest tbsReq = request.getTBSRequest();
 
             // (3) look into database to check the
             //     certificate's status
-- 
cgit