From 94d42235cf28f8194aa0a5ccafd4c67afd344c64 Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Mon, 18 Mar 2024 15:11:14 -0400 Subject: [PATCH] Address OCSP client caching issue (#25986) * Address OCSP client caching issue - The OCSP cache built into the client that is used by cert-auth would cache the responses but when pulling out a cached value the response wasn't validating properly and was then thrown away. - The issue was around a confusion of the client's internal status vs the Go SDK OCSP status integer values. - Add a test that validates the cache is now used * Add cl * Fix PKI test failing now due to the OCSP cache working - Remove the previous lookup before revocation as now the OCSP cache works so we don't see the new revocation as we are actually leveraging the cache --- builtin/logical/pki/integration_test.go | 3 --- changelog/25986.txt | 3 +++ sdk/helper/ocsp/client.go | 17 ++++++++++++++++- 3 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 changelog/25986.txt diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index b4550d3f05..a0912dab1c 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -630,9 +630,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) { return testLogger }, 10) - err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf) - require.NoError(t, err) - _, err = client.Logical().Write("pki/revoke", map[string]interface{}{ "serial_number": serialNumber, }) diff --git a/changelog/25986.txt b/changelog/25986.txt new file mode 100644 index 0000000000..3f64fe3c87 --- /dev/null +++ b/changelog/25986.txt @@ -0,0 +1,3 @@ +```release-note:bug +auth/cert: Address an issue in which OCSP query responses were not cached +``` diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go index 8bd9cea4ee..9c1375c4f5 100644 --- a/sdk/helper/ocsp/client.go +++ b/sdk/helper/ocsp/client.go 
@@ -776,14 +776,29 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s
 }, nil
 }
 
+ sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status)
+
 return validateOCSP(&ocsp.Response{
 ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
 ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
 NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
- Status: int(cacheValue.status),
+ Status: sdkOcspStatus,
 })
 }
 
+func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int {
+ switch internalStatusCode {
+ case ocspStatusGood:
+ return ocsp.Good
+ case ocspStatusRevoked:
+ return ocsp.Revoked
+ case ocspStatusUnknown:
+ return ocsp.Unknown
+ default:
+ return int(internalStatusCode)
+ }
+}
+
 /*
 // writeOCSPCache writes a OCSP Response cache
 func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {
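Review bot: The `default` arm of internalStatusCodeToSDK returns `int(internalStatusCode)`, which is the same conversion the hunk removes from the `Status:` line, so any cached status outside the three mapped cases still reaches validateOCSP with an internal code reinterpreted as an SDK status value. Whether such a value can coincide with ocsp.Good depends on how ocspStatusCode is numbered, which is not visible here; a fail-closed fallback removes the question. If the ocsp package is golang.org/x/crypto/ocsp, `default: return ocsp.ServerFailed` makes an unmapped cache entry fail validation and be discarded (the behaviour the commit description says the cache had before) rather than be trusted. The helper also deserves a doc comment, e.g. `// internalStatusCodeToSDK maps the client's cached ocspStatusCode onto the ocsp.Response.Status integer space; the two enumerations are not interchangeable.` The enclosing extractOCSPCacheResponseValue begins before this hunk.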