#2230 Lightweight CAs: use correct OCSP signer
Closed: Fixed. Opened 8 years ago by ftweedal.

Because the /ca/ocsp endpoint is now servicing all lightweight CAs,
we must inspect the request and look up the right OCSP issuer to use.
Sort of like "virtual hosts" for OCSP :)

If an OCSP request contains requests for multiple certificates from
different issuers, we should return "unknown" for all certificates
that were NOT issued by the chosen CA.

The heuristic for choosing the CA shall be to use the issuer identified
in the FIRST request in the requestList.
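The dispatch rule described above, as an added example that is not Dogtag's own code: a stand-alone Python model of one OCSP endpoint fronting several lightweight CAs. It matches each CertID's issuerNameHash/issuerKeyHash against the registered CAs under the digest named in that CertID, signs on behalf of the issuer of the first request, and answers "unknown" for every certificate from another issuer so that CA's status is not leaked; the CA names, key bytes and status tables are constructed placeholders, not real DER.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class LightweightCA:
    nickname: str
    issuer_name_der: bytes   # constructed stand-in for the DER-encoded issuer Name
    issuer_key_der: bytes    # constructed stand-in for the issuer's DER subjectPublicKey
    status_db: dict = field(default_factory=dict)  # serial -> "good" | "revoked"

    def cert_id_hashes(self, digest):
        # issuerNameHash / issuerKeyHash as they appear in a CertID under this digest
        return (hashlib.new(digest, self.issuer_name_der).digest(),
                hashlib.new(digest, self.issuer_key_der).digest())

@dataclass(frozen=True)
class CertID:
    digest: str              # hashAlgorithm carried inside the CertID, e.g. "sha1"
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def make_cert_id(ca, serial, digest="sha1"):
    return CertID(digest, *ca.cert_id_hashes(digest), serial)

def find_issuer(cas, cert_id):
    """Match a CertID against every registered CA using the CertID's own digest."""
    for ca in cas:
        if ca.cert_id_hashes(cert_id.digest) == (cert_id.issuer_name_hash, cert_id.issuer_key_hash):
            return ca
    return None

def respond(cas, request_list):
    """Pick the OCSP signer from the FIRST CertID; answer 'unknown' for other issuers."""
    if not request_list:
        raise ValueError("empty requestList")
    signer = find_issuer(cas, request_list[0])
    if signer is None:
        raise LookupError("no lightweight CA matches the first CertID")
    responses = []
    for cert_id in request_list:
        if find_issuer(cas, cert_id) is signer:
            status = signer.status_db.get(cert_id.serial, "unknown")
        else:
            status = "unknown"  # never reveal status of certs issued by another CA
        responses.append((cert_id.serial, status))
    return signer.nickname, responses

def sample_cas():  # two constructed CAs; note serial 1 exists under both issuers
    root = LightweightCA("root", b"CN=Root CA", b"root-key", {1: "good", 2: "revoked"})
    sub = LightweightCA("sub", b"CN=Sub CA", b"sub-key", {1: "revoked"})
    return [root, sub]
```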


Pushed to master:

  • afe1d7205ae32c272e15dbf42475da4a79b5c9bc Lightweight CAs: lookup correct issuer for OCSP responses
  • 04214b3d3405750cbbda228554c0d9f087a59170 Move OCSP digest name lookup to CertID class
  • c0c1834465438844ff542514127b80b568c1afd8 Do not leak status of certs issued by other CAs

Metadata Update from @ftweedal:
- Issue set to the milestone: 10.3.0.a2

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2350

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
