Affects Version/s: EJBCA 6.0.0
Fix Version/s: EJBCA 6.2.0
Issue discovered during: Customer
Previously, for external OCSP responders, trusted OCSP request signers were stored in a directory in the file system, and were read and cached from there.
In 6.0.0, with the move to Key Bindings and trust configured in key bindings, this certificate is looked up among the CA certificates:
- Also check that the signer certificate can be verified by one of the CA-certificates that we answer for
X509Certificate signerca = certificateStoreSession.findLatestX509CertificateBySubject(CertTools.getIssuerDN(certificate));
Perhaps this can be taken from the OCSP signing cache, or cached some other way. If this query is cached it saves one SQL query when OCSP request signatures are required.
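One way the issuer lookup could be cached with a bounded lifetime, as an added example that is not EJBCA code. The class `SignerIssuerCache`, its `lookup` function (standing in for the `findLatestX509CertificateBySubject` query) and the maximum age are assumptions, and the issuer DN is read from the JDK principal rather than through `CertTools.getIssuerDN`.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/** Hypothetical helper: caches the issuer-DN to CA-certificate lookup for a bounded time. */
public final class SignerIssuerCache {
    private record Entry(Optional<X509Certificate> ca, long loadedAtNanos) {}

    private final ConcurrentHashMap<String, Entry> entries = new ConcurrentHashMap<>();
    // Assumption: stands in for the database query; returns null when no CA matches.
    private final Function<String, X509Certificate> lookup;
    private final long maxAgeNanos;

    public SignerIssuerCache(Function<String, X509Certificate> lookup, Duration maxAge) {
        this.lookup = lookup;
        this.maxAgeNanos = maxAge.toNanos();
    }

    /** Returns the CA certificate for issuerDn, querying only when the entry is missing or stale. */
    public Optional<X509Certificate> issuerOf(String issuerDn) {
        long now = System.nanoTime();
        // Misses are cached too, so an unknown issuer costs one query per maxAge, not one per request.
        return entries.compute(issuerDn, (dn, old) ->
                (old != null && now - old.loadedAtNanos() < maxAgeNanos)
                        ? old
                        : new Entry(Optional.ofNullable(lookup.apply(dn)), now)).ca();
    }

    /** True only if the signer certificate's signature verifies under the cached issuer's key. */
    public boolean isIssuedByKnownCa(X509Certificate signer) {
        Optional<X509Certificate> ca = issuerOf(signer.getIssuerX500Principal().getName());
        if (ca.isEmpty()) {
            return false; // unknown issuer: reject the request signer
        }
        try {
            signer.verify(ca.get().getPublicKey());
            return true;
        } catch (GeneralSecurityException ex) {
            return false; // signature does not verify under this CA key
        }
    }

    /** Drops one entry, e.g. after a CA renewal, so the next request reloads the latest certificate. */
    public void invalidate(String issuerDn) {
        entries.remove(issuerDn);
    }
}
```

The maximum age bounds how long a renewed or newly added CA certificate can go unnoticed, so it trades the saved SQL query against freshness of the trust decision.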