
Bug2229930-crlCertValid-leaf-only
This patch addresses the issue where OCSPEngine:crlCertValid attempts to
verify up the chain and fails because, when using a CRL to validate certs,
the CAs up the chain are issued by different CAs.
OCSPEngine:crlCertValid should be limited to leaf certs validation only.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2229930
ladycfu committed Aug 25, 2023
1 parent bef9102 commit e3845d5
Showing 2 changed files with 44 additions and 1 deletion.
Expand Up @@ -44,6 +44,7 @@
import com.netscape.cmscore.apps.CMSEngine;
import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.base.ConfigStorage;
import com.netscape.cmscore.cert.CertUtils;
import com.netscape.ocsp.OCSPAuthority;

@WebListener
Expand Down Expand Up @@ -149,9 +150,13 @@ public boolean isRevoked(X509Certificate[] certificates) {
}

for (X509Certificate cert: certificates) {
// validateConnCertWithCRL only handles leaf certs
if (CertUtils.isCACert(cert))
continue;

if(!crlCertValid(crlStore, cert, null)) {
return true;
}
} else break;
}
return false;

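Review bot: With the CA skip added at the top of the loop, a chain whose every element carries BasicConstraints CA=true is never handed to crlCertValid and isRevoked falls through to `return false`, so a CA-flagged certificate presented as the peer's own certificate is treated as not revoked without any trace. Consider validating certificates[0] regardless of its BasicConstraints, or at least logging at debug level which certificate was skipped, so an all-CA chain is visible in the logs. CertUtils.isCACert answers false when the certificate cannot be decoded, which routes such a certificate into crlCertValid; that is the safe direction but deserves a comment next to the `continue`, e.g. `// isCACert() is false for undecodable certs, so those are still CRL-checked`. Whether the `} else break;` line is the old or the new side is not recoverable from this rendering; if it survives, only the first non-CA certificate is ever validated. isRevoked begins outside the hunk.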
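--- a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
@@ -56,6 +56,7 @@
 import org.mozilla.jss.netscape.security.util.ObjectIdentifier;
 import org.mozilla.jss.netscape.security.util.Utils;
 import org.mozilla.jss.netscape.security.x509.AlgorithmId;
+import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
 import org.mozilla.jss.netscape.security.x509.CertificateExtensions;
 import org.mozilla.jss.netscape.security.x509.Extension;
 import org.mozilla.jss.netscape.security.x509.X500Name;
@@ -1339,6 +1340,43 @@ public static void addCTv1PoisonExt(X509CertInfo certinfo)
 certinfo.set(X509CertInfo.EXTENSIONS, exts);
 }
 
+public static boolean isCACert(X509Certificate cert) {
+String method = "CertUtils.isCACert: ";
+try {
+X509CertImpl impl = new X509CertImpl(cert.getEncoded());
+X509CertInfo certinfo = (X509CertInfo) impl.get(
+X509CertImpl.NAME + "." + X509CertImpl.INFO);
+if (certinfo == null)
+return false;
+else {
+CertificateExtensions exts = (CertificateExtensions) certinfo.get(X509CertInfo.EXTENSIONS);
+
+if (exts == null)
+return false;
+else {
+try {
+BasicConstraintsExtension ext = (BasicConstraintsExtension) exts
+.get(BasicConstraintsExtension.NAME);
+
+if (ext == null)
+return false;
+else {
+Boolean bool = (Boolean) ext.get(BasicConstraintsExtension.IS_CA);
+
+return bool.booleanValue();
+}
+} catch (IOException ee) {
+return false;
+}
+}
+}
+} catch (Exception e) {
+logger.warn(method + CMS.getLogMessage("CMSCORE_SECURITY_IS_CA_CERT", e.toString()), e);
+return false;
+//throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
+}
+}
+
 /*
 * for debugging
 */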
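Review bot: isCACert has no Javadoc, and its contract matters to the caller in the isRevoked hunk of the first file, which sends every certificate for which this returns false into CRL validation: the method answers true only when a decodable BasicConstraints extension is present with CA=true, and false when the extension is absent, the certificate cannot be re-encoded or decoded, or any other exception is thrown. A Javadoc stating exactly that, with `@param cert` and `@return`, belongs above the signature, and the commented-out `throw` line at the end should be deleted rather than left as dead text. The inner `catch (IOException ee)` returns false silently while the outer `catch (Exception e)` logs at warn; if that difference is intended, a one-line comment should say why, otherwise the inner catch can be dropped so every failure path is logged. Stylistically, the nested `if (x == null) return false; else { ... }` chain reads more clearly as a sequence of guard clauses with a single `return bool.booleanValue();` at the end.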

