From 4aa28a72c7deea46f8c7bc407153fd50030bb311 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 20 Jun 2017 08:18:20 +0200
Subject: Fixed OCSP service error handling.
Some OCSP-related classes have been modified to detect errors and handle exceptions properly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 9 +++++++--
 base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 3 +--
 base/server/cms/src/com/netscape/cms/ocsp/DefStore.java | 15 +++++++--------
 base/server/cms/src/com/netscape/cms/ocsp/LDAPStore.java | 11 ++++++++---
 4 files changed, 23 insertions(+), 15 deletions(-)
(limited to 'base')
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index d4b8d7ecd..31a0c03b6 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2312,6 +2312,11 @@ public class CertificateAuthority
 }
 TBSRequest tbsReq = request.getTBSRequest();
+ if (tbsReq.getRequestCount() == 0) {
+ CMS.debug("CertificateAuthority: No request found");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", "No Request Found"));
+ throw new EBaseException("OCSP request is empty");
+ }
 /* An OCSP request can contain CertIDs for certificates
 * issued by different CAs, but each SingleResponse is valid
@@ -2451,10 +2456,10 @@ public class CertificateAuthority
 mTotalTime += endTime - startTime;
 return response;
- } catch (Exception e) {
+ } catch (EBaseException e) {
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString()));
- throw new EBaseException(e.toString(), e);
+ throw e;
 }
 }
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
index 14dd33813..3f702c317 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
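Review bot: The empty-request guard added at `@@ -2312` in `CertificateAuthority.java` throws a plain `EBaseException("OCSP request is empty")`, which gives the caller no way to tell a malformed client request from an internal fault. If the servlet layer (not visible here) maps exceptions to an OCSP response status, this case presumably belongs with the client-side errors rather than the internal ones. The same five lines are added verbatim to `DefStore.java` and `LDAPStore.java`, so a shared helper would keep the three checks from drifting apart. A comment such as `// reject requests carrying no CertID before any lookup or signing work` would record why the check sits ahead of the loop. The enclosing method starts and ends outside the hunk.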
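Review bot: Narrowing the handler to `catch (EBaseException e)` at `@@ -2451` in `CertificateAuthority.java` means an unchecked exception raised while processing the client-supplied request (a `NullPointerException` or `ClassCastException`, for instance) no longer passes through the `log(ILogger.LL_FAILURE, ...)` call and reaches the caller as a raw runtime exception. The same narrowing is made in the last hunks of `DefStore.java` and `LDAPStore.java`, where the `CMS.debug(...)` line is dropped as well. Unless the caller is known to log and contain unchecked exceptions, consider keeping a second clause, `} catch (RuntimeException e) { log(...); throw new EBaseException(e.toString(), e); }`, so that failures on malformed input stay visible in the system log. The try block starts outside the hunk, so which exceptions it can raise is inferred.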
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
@@ -455,9 +455,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
 return response;
 } catch (Exception e) {
- CMS.debug(e);
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString()));
- return null;
+ throw new EBaseException(e);
 }
 }
diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
index a009cbb91..a0aefa99a 100644
--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
@@ -326,6 +326,11 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
 CMS.debug("DefStore: validating OCSP request");
 TBSRequest tbsReq = request.getTBSRequest();
+ if (tbsReq.getRequestCount() == 0) {
+ CMS.debug("DefStore: No request found");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", "No Request Found"));
+ throw new EBaseException("OCSP request is empty");
+ }
 IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
@@ -358,11 +363,6 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
 statsSub.endTiming("lookup");
 }
- if (singleResponses.size() <= 0) {
- CMS.debug("DefStore: No Request Found");
- log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", "No Request Found"));
- return null;
- }
 if (statsSub != null) {
 statsSub.startTiming("build_response");
 }
@@ -423,10 +423,9 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
 return response;
- } catch (Exception e) {
- CMS.debug(e);
+ } catch (EBaseException e) {
 log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString()));
- return null;
+ throw e;
 }
 }
diff --git a/base/server/cms/src/com/netscape/cms/ocsp/LDAPStore.java b/base/server/cms/src/com/netscape/cms/ocsp/LDAPStore.java
index 4cc9269cd..5017b968e 100644
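Review bot: In `OCSPAuthority.java` the handler still catches `Exception`, so an `EBaseException` raised inside the try block is wrapped in a second `EBaseException` by `throw new EBaseException(e);`, while the handlers changed in `CertificateAuthority.java`, `DefStore.java` and `LDAPStore.java` rethrow it unchanged. A preceding clause `} catch (EBaseException e) { log(...); throw e; }` would keep the original type and message for callers that inspect it. With `CMS.debug(e)` removed, the stack trace is no longer written at this point and only `e.toString()` reaches the log, so the caller has to log the cause. The try block starts outside the hunk.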
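Review bot: The up-front test on `tbsReq.getRequestCount()` added at `@@ -326` in `DefStore.java` is not equivalent to the `singleResponses.size() <= 0` check that the following hunk removes. If the lookup loop between them can finish without adding an entry for a request (the loop is outside the hunk, so this is inferred), a response with an empty list would now be built and signed. Either confirm that every request yields exactly one entry, or keep a post-loop guard that fails closed, `if (singleResponses.size() == 0) throw new EBaseException("OCSP request is empty");`.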
--- a/base/server/cms/src/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/server/cms/src/com/netscape/cms/ocsp/LDAPStore.java
@@ -275,6 +275,11 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
 CMS.debug("LDAPStore: validating OCSP request");
 TBSRequest tbsReq = request.getTBSRequest();
+ if (tbsReq.getRequestCount() == 0) {
+ CMS.debug("LDAPStore: No request found");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", "No Request Found"));
+ throw new EBaseException("OCSP request is empty");
+ }
 IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
@@ -364,10 +369,10 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
 mOCSPAuthority.incTotalTime(endTime - startTime);
 return response;
- } catch (Exception e) {
- CMS.debug("LDAPStore: validation " + e.toString());
+
+ } catch (EBaseException e) {
 log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString()));
- return null;
+ throw e;
 }
 }
-- cgit