12516
66%
master: 66%

Ran 08 Jul 2020 01:51AM UTC

Jobs 1

Files 111

Run time 8s

Badge

Embed ▾

Committed 08 Jul 2020 01:40AM UTC coverage: 66.177% (+0.009%) from 66.168%

Build # 12516

Build Type

push

travis-pro

Committed by

web-flow

Commit Message

ca: remove SerialExists check in GenerateOCSP (#4942)

When StoreIssuerInfo is enabled the CA loses its ability to verify that the certificate we are requesting an OCSP response for is real directly (previously we sent the cert DER and checked the signature on it). In order to prevent the ocsp-updater from sending a request for a serial that doesn't exist we added a check that the serial we were being asked to generate a response for did actually exist. This introduced a significant amount of database pressure as it requires a DB query for every single OCSP response we generate. It also provides a minimal level of security, we already trust the ocsp-updater and creating a response for a certificate that doesn't exist doesn't actually accomplish much (if the ocsp-updater was compromised the more realistic attack would be asking to generate a good response for a revoked certificate).

This change removes the check that the serial exists from the CA.

Fixes #4935.

Run Details

13052 of 19723 relevant lines covered (66.18%)

0.74 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
7	12516.7 (RUN="coverage" CONTAINER="netaccess")	08 Jul 2020 01:51AM UTC	0	66.18	Travis Job 12516.7

letsencrypt / boulder / 12516
66%
master: 66%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 12516

letsencrypt / boulder / 12516 66% master: 66%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 12516

letsencrypt / boulder / 12516
66%
master: 66%

README BADGES
x