Fix OCSP verification of requests hashes

OCSP requests have the certificate serial number, the hash of CA DN and the hash of the CA public key. According to the specification, in order to recognise a request both hashes have to match but the current implementation was verifying only the public key hash. This commit add a check on the other hash of the request.
dogtagpki · Aug 10, 2023 · de39759 · de39759
1 parent db966eb
commit de39759
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -388,9 +388,9 @@ public SingleResponse processRequest(Request req) throws Exception {
 
         Enumeration<X509CertImpl> caCerts = mCRLs.keys();
 
+        MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
         while (caCerts.hasMoreElements()) {
             X509CertImpl caCert = caCerts.nextElement();
-            MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
 	    logger.debug("LDAPStore: processRequest: cert digest name=" +
                     cid.getDigestName());
             X509Key key = (X509Key) caCert.getPublicKey();
@@ -400,18 +400,20 @@ public SingleResponse processRequest(Request req) throws Exception {
                 throw new Exception("Missing issuer key");
             }
 
-            byte digest[] = md.digest(key.getKey());
-            byte keyhsh[] = cid.getIssuerKeyHash().toByteArray();
+            byte[] digest = md.digest(key.getKey());
+            byte[] keyhsh = cid.getIssuerKeyHash().toByteArray();
 
-            if (!Arrays.equals(digest, keyhsh)) {
-		logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs...");
-                continue;
-            }
 
-            theCert = caCert;
-            incReqCount(caCert.getSubjectDN().toString());
-            theCRL = mCRLs.get(caCert);
-            break;
+            byte[] name = md.digest(caCert.getSubjectObj().getX500Name().getEncoded());
+            byte[] namehash = cid.getIssuerNameHash().toByteArray();
+
+            if (Arrays.equals(digest, keyhsh) && Arrays.equals(name, namehash)) {
+                theCert = caCert;
+                incReqCount(caCert.getSubjectX500Principal().getName());
+                theCRL = mCRLs.get(caCert);
+                break;
+            }
+            logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs...");
         }
 
         if (theCert == null) {