  1. EJBCA
  2. ECA-1131

Filter what is published to CertificateData on standalone OCSP

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 3.9.0
    • Component/s: Protocols
    • Labels:
      None

      Description

      The actual certificate is not required in a regular OCSP responder setup to answer requests.

      ExternalOCSPPublisher should be modified to only publish the actual certificate if explicitly configured to. This should be done in the GUI together with the rest of the config. Documentation also needs to be updated.

      Looking at what is used on the external OCSP:
      fingerprint: verifyProtection, isRevoked
      issuerDN: verifyProtection, isRevoked, findCertificateByIssuerAndSerno
      subjectDN: verifyProtection
      cAFingerprint: verifyProtection
      status: verifyProtection, isRevoked
      type: verifyProtection
      serialNumber: verifyProtection, isRevoked, findCertificateByIssuerAndSerno
      expireDate: verifyProtection
      revocationDate: verifyProtection, isRevoked
      revocationReason: verifyProtection, isRevoked
      base64Cert: findCertificateByIssuerAndSerno
      username

      {additional fields added in 3.9.0}

      isRevoked is always called on external OCSP
      verifyProtection is called from isRevoked if protection is enabled
      findCertificateByIssuerAndSerno is called if the external OCSP is configured to handle a request extension
      Additional info like subjectDN might be helpful in a test-environment
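
The field usage listed in the description, worked through as an added example (not EJBCA code and not part of the original issue): it derives which CertificateData columns a responder configuration actually reads, so everything else can be left out of what is published. The function names, the blank-to-None policy and the sample row are assumptions made for illustration; the fields added in 3.9.0 are not modelled.

```python
# Field usage on the external OCSP responder, copied from the issue description.
FIELD_USERS = {
    "fingerprint": {"verifyProtection", "isRevoked"},
    "issuerDN": {"verifyProtection", "isRevoked", "findCertificateByIssuerAndSerno"},
    "subjectDN": {"verifyProtection"},
    "cAFingerprint": {"verifyProtection"},
    "status": {"verifyProtection", "isRevoked"},
    "type": {"verifyProtection"},
    "serialNumber": {"verifyProtection", "isRevoked", "findCertificateByIssuerAndSerno"},
    "expireDate": {"verifyProtection"},
    "revocationDate": {"verifyProtection", "isRevoked"},
    "revocationReason": {"verifyProtection", "isRevoked"},
    "base64Cert": {"findCertificateByIssuerAndSerno"},
    "username": set(),  # no caller listed in the issue
}


def active_methods(protection_enabled, handles_request_extension):
    """Methods the responder calls, following the call rules in the issue."""
    methods = {"isRevoked"}  # always called on the external OCSP
    if protection_enabled:
        methods.add("verifyProtection")  # called from isRevoked
    if handles_request_extension:
        methods.add("findCertificateByIssuerAndSerno")
    return methods


def required_fields(protection_enabled=False, handles_request_extension=False):
    """Columns read by at least one active method, in the issue's order."""
    methods = active_methods(protection_enabled, handles_request_extension)
    return [f for f, users in FIELD_USERS.items() if users & methods]


def filter_row(row, **config):
    """Row to publish: columns no active method reads become None (assumed policy)."""
    keep = set(required_fields(**config))
    return {f: (v if f in keep else None) for f, v in row.items()}


# Constructed sample record; the values are placeholders, not real data.
SAMPLE_ROW = {f: f"<{f}>" for f in FIELD_USERS}

if __name__ == "__main__":
    for cfg in ({}, {"protection_enabled": True}, {"handles_request_extension": True}):
        omitted = [f for f, v in filter_row(SAMPLE_ROW, **cfg).items() if v is None]
        print(cfg or "defaults", "-> omitted:", omitted)
```

With protection enabled, every column except base64Cert and username is read by verifyProtection, so filtering only pays off fully when protection is off.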

              People

              Assignee:
              tomas Tomas Gustavsson
              Reporter:
              johan Johan Eklund

                  Time Tracking

                  Estimated: 2d
                  Remaining: 2d
                  Logged: Not Specified