7
66%
master: 66%

Ran 08 Jul 2020 01:51AM UTC

Files 111

Run time 7s

Badge

Embed ▾

Committed 08 Jul 2020 01:40AM UTC coverage: 66.177% (+0.009%) from 66.168%

Job # RUN="coverage" CONTAINER="netaccess"

Build Type

push

travis-pro

Committed by

web-flow

Commit Message

ca: remove SerialExists check in GenerateOCSP (#4942)

When StoreIssuerInfo is enabled the CA loses its ability to verify that the certificate we are requesting an OCSP response for is real directly (previously we sent the cert DER and checked the signature on it). In order to prevent the ocsp-updater from sending a request for a serial that doesn't exist we added a check that the serial we were being asked to generate a response for did actually exist. This introduced a significant amount of database pressure as it requires a DB query for every single OCSP response we generate. It also provides a minimal level of security, we already trust the ocsp-updater and creating a response for a certificate that doesn't exist doesn't actually accomplish much (if the ocsp-updater was compromised the more realistic attack would be asking to generate a good response for a revoked certificate).

This change removes the check that the serial exists from the CA.

Fixes #4935.

Run Details

13052 of 19723 relevant lines covered (66.18%)

0.74 hits per line

letsencrypt / boulder / 12516 / 7
66%
master: 66%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 12516.7 (RUN="coverage" CONTAINER="netaccess")

letsencrypt / boulder / 12516 / 7 66% master: 66%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 12516.7 (RUN="coverage" CONTAINER="netaccess")

letsencrypt / boulder / 12516 / 7
66%
master: 66%

README BADGES
x