letsencrypt / boulder / 13213
66%
master: 66%

LAST BUILD BRANCH: ocsp-fail-stops-issuances
DEFAULT BRANCH: master
Ran
Jobs 1
Files 114
Run time 30s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.375% (+0.02%) from 65.355%
13213

push

travis-pro

web-flow 
ocsp-responder: don't respond for other issuers (#5183)

When making an OCSP request, the client provides three pieces of
information: the URL which it is querying to get OCSP info, the
hash of the issuer public which issued the cert in question, and
the serial number of the cert in question. In Boulder, the first
of these is only provided implicitly, based on which instance of
ocsp-responder is handling the request: we ensure (via configs)
that the ocsp-responder handling a given OCSP AIA URL has the
corresponding issuer cert loaded in memory.

When handling a request, the ocsp-responder checks three things:
that the request is using SHA1 to hash the issuer public key, that
the requested issuer public key matches one of the loaded issuer
certs, and that the requested serial number is one we could have
issued (i.e. has the correct prefix). It relies on the database
query to filter out requests for non-existent serials.

However, this means that a request to an ocsp-responder instance
with issuer cert A loaded could receive and handle a request which
specifies cert A as the issuer, but names a serial which was actually
issued by issuer cert B. The checks all pass and the database lookup
succeeds. But the returned OCSP response is for a certificate that
was issued by a different issuer, and the response itself was
signed by that other issuer.

In order to resolve this potentially confusing situation, this change
adds one additional check to the ocsp-responder: after it has
retrieved the ocsp response, it looks up which issuer produced that
ocsp response, confirms that it has that issuer cert loaded in
memory, and confirms that its issuer key hash matches that in the
original request.

There is still one wrinkle if issuer certs A and B are both loaded
in one ocsp-responder, and that one ocsp-responder is handling OCSP
requests to both of their AIA OCSP URLs. In this case, it is possible
that a request to a.ocsp.com, but ... (continued)

40 of 40 new or added lines in 1 file covered. (100.0%)

13307 of 20355 relevant lines covered (65.37%)

0.73 hits per line

New Missed Lines in Diff

Lines Coverage File
2
52.63
 3.5% cmd/ocsp-responder/main.go

Uncovered Existing Lines

Lines Coverage File
2
52.63
 3.5% cmd/ocsp-responder/main.go
Jobs
ID Job ID Ran Files Coverage
7 13213.7 (TESTFLAGS="--coverage" CONTAINER="netaccess") 114
65.37
 Travis Job 13213.7
Source Files on build 13213