EJBCA / ECA-3299

OCSP request signer verification does an additional database lookup

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.0.0
    • Fix Version/s: EJBCA 6.2.0
    • Component/s: None
    • Labels: None
    • Issue discovered during: Customer

      Description

      Previously, for external OCSP responders, trusted OCSP request signers were stored in a directory in the file system and were read, and cached, from there.

      In 6.0.0, with the move to Key Bindings and trust configured in key bindings, this certificate is looked up among CA certificates. OcspresponseGeneratorSessionBean:

          /*
           * Also check that the signer certificate can be verified by one of the CA-certificates that we answer for
           */
          X509Certificate signerca = certificateStoreSession.findLatestX509CertificateBySubject(CertTools.getIssuerDN(certificate));

      Perhaps this can be taken from the OCSP signing cache, or cached some other way. If this query is cached, it saves one SQL query when OCSP request signatures are required.
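The lookup described above, and the cache the ticket asks for, as an added example that is not EJBCA code. It is written in Go rather than Java so that it runs stand-alone on the standard library (crypto/x509 can mint the test certificates; plain JDK cannot). The names certStore, signerVerifier, tmpl, sign and demo are hypothetical; certStore stands in for certificateStoreSession and counts every findLatestX509CertificateBySubject-style lookup as one SQL query; the CA, the genuine request signer, a signer forged under the CA's DN with a rogue key, and a signer from a CA the responder does not answer for are all constructed in the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// certStore stands in for certificateStoreSession: each lookup is one SQL query.
type certStore struct {
	byDN    map[string]*x509.Certificate
	queries int
}

func (s *certStore) findLatestBySubject(dn string) *x509.Certificate {
	s.queries++
	return s.byDN[dn]
}

// signerVerifier does the check quoted from OcspresponseGeneratorSessionBean.
type signerVerifier struct {
	store   *certStore
	caching bool     // false reproduces 6.0.0: one query per signed request
	cache   sync.Map // issuer DN -> *x509.Certificate; shared by all request threads
}

func (v *signerVerifier) issuerCA(issuerDN string) *x509.Certificate {
	if ca, hit := v.cache.Load(issuerDN); hit {
		return ca.(*x509.Certificate)
	}
	ca := v.store.findLatestBySubject(issuerDN)
	if ca != nil && v.caching { // only positive results are cached
		v.cache.Store(issuerDN, ca)
	}
	return ca
}

// The issuer DN must name a CA we answer for, and the signer certificate must
// verify under that CA's key; merely copying a trusted issuer DN is not enough.
func (v *signerVerifier) verifyRequestSigner(signer *x509.Certificate) error {
	ca := v.issuerCA(signer.Issuer.String())
	if ca == nil {
		return fmt.Errorf("issuer %q is not a CA this responder answers for", signer.Issuer)
	}
	if err := signer.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("signer not issued by %q: %w", ca.Subject, err)
	}
	return nil
}

// Constructed test PKI from here on; none of it is EJBCA code or data.
func tmpl(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
}

// sign issues template under parent; a bare parent holding only a Subject yields a trusted issuer DN with a signature the CA never made.
func sign(template, parent *x509.Certificate, pub, parentPriv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentPriv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return c
}

// demo verifies a genuine signer n times without and then with the cache, then feeds the cached verifier a forged signer and one from an unknown CA.
func demo(n int) (uncached, cached int, genuineErr, forgedErr, unknownErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reqKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caT := tmpl("OCSP Issuing CA", 1, x509.KeyUsageCertSign)
	ca := sign(caT, caT, &caKey.PublicKey, caKey)
	genuine := sign(tmpl("requester", 2, x509.KeyUsageDigitalSignature), ca, &reqKey.PublicKey, caKey)
	forged := sign(tmpl("requester", 3, x509.KeyUsageDigitalSignature), &x509.Certificate{Subject: ca.Subject}, &rogueKey.PublicKey, rogueKey)
	unknown := sign(tmpl("requester", 4, x509.KeyUsageDigitalSignature), tmpl("Other CA", 5, x509.KeyUsageCertSign), &rogueKey.PublicKey, rogueKey)
	store := &certStore{byDN: map[string]*x509.Certificate{ca.Subject.String(): ca}}
	plain := &signerVerifier{store: store}
	for i := 0; i < n; i++ {
		genuineErr = plain.verifyRequestSigner(genuine)
	}
	uncached, store.queries = store.queries, 0
	v := &signerVerifier{store: store, caching: true}
	for i := 0; i < n; i++ {
		genuineErr = v.verifyRequestSigner(genuine)
	}
	cached = store.queries
	forgedErr = v.verifyRequestSigner(forged)
	unknownErr = v.verifyRequestSigner(unknown)
	return
}

func main() { fmt.Println(demo(100)) }
```

Two points the example makes deliberately. First, the trust decision is the signature check against the CA key, not the DN match: the forged signer has exactly the issuer DN the cache is keyed on and is still rejected, so caching the CA certificate does not weaken the check. Second, only positive lookups are cached, so a request signed by a certificate with an unknown issuer DN still costs one query each time; whether that is acceptable, and how the cache is invalidated when a CA certificate is renewed (the lookup is "latest by subject"), are the decisions any real cache around this call has to make.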


            People

            Assignee: Mike Agrenius Kushner (mikek)
            Reporter: Tomas Gustavsson (tomas)
            Votes: 0
            Watchers: 1
