
Commit af04b17

added check that original OCSP response was actually for CertID requested - relates to github #1789
1 parent a227d55 commit af04b17


1 file changed

+36
-32
lines changed


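--- a/prov/src/main/java/org/bouncycastle/jce/provider/OcspCache.java
+++ b/prov/src/main/java/org/bouncycastle/jce/provider/OcspCache.java
@@ -13,6 +13,7 @@
 import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import java.util.Collections;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -70,36 +71,7 @@ static OCSPResponse getOcspResponse(
 BasicOCSPResponse basicResp = BasicOCSPResponse.getInstance(
 ASN1OctetString.getInstance(response.getResponseBytes().getResponse()).getOctets());
 
-ResponseData responseData = ResponseData.getInstance(basicResp.getTbsResponseData());
-
-ASN1Sequence s = responseData.getResponses();
-boolean matchFound = false;
-
-for (int i = 0; i != s.size(); i++)
-{
-SingleResponse resp = SingleResponse.getInstance(s.getObjectAt(i));
-
-if (certID.equals(resp.getCertID()))
-{
-matchFound = true;
-ASN1GeneralizedTime nextUp = resp.getNextUpdate();
-try
-{
-if (nextUp != null && parameters.getValidDate().after(nextUp.getDate()))
-{
-responseMap.remove(certID);
-response = null;
-}
-}
-catch (ParseException e)
-{
-// this should never happen, but...
-responseMap.remove(certID);
-response = null;
-}
-}
-}
-
+boolean matchFound = isCertIDFoundAndCurrent(basicResp, parameters.getValidDate(), certID);
 if (matchFound)
 {
 if (response != null)
@@ -109,7 +81,6 @@ static OCSPResponse getOcspResponse(
 }
 else
 {
-// this should also never happen, however...
 responseMap.remove(certID);
 }
 }
@@ -201,7 +172,8 @@ static OCSPResponse getOcspResponse(
 {
 BasicOCSPResponse basicResp = BasicOCSPResponse.getInstance(respBytes.getResponse().getOctets());
 
-validated = ProvOcspRevocationChecker.validatedOcspResponse(basicResp, parameters, nonce, responderCert, helper);
+validated = ProvOcspRevocationChecker.validatedOcspResponse(basicResp, parameters, nonce, responderCert, helper)
+&& isCertIDFoundAndCurrent(basicResp, parameters.getValidDate(), certID);
 }
 
 if (!validated)
@@ -242,4 +214,36 @@ static OCSPResponse getOcspResponse(
 e, parameters.getCertPath(), parameters.getIndex());
 }
 }
+
+private static boolean isCertIDFoundAndCurrent(BasicOCSPResponse basicResp, Date validDate, CertID certID)
+{
+ResponseData responseData = ResponseData.getInstance(basicResp.getTbsResponseData());
+ASN1Sequence s = responseData.getResponses();
+
+for (int i = 0; i != s.size(); i++)
+{
+SingleResponse resp = SingleResponse.getInstance(s.getObjectAt(i));
+
+if (certID.equals(resp.getCertID()))
+{
+ASN1GeneralizedTime nextUp = resp.getNextUpdate();
+try
+{
+if (nextUp != null && validDate.after(nextUp.getDate()))
+{
+return false;
+}
+}
+catch (ParseException e)
+{
+// this should never happen, but...
+return false;
+}
+
+return true;
+}
+}
+
+return false;
+}
 }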
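Review bot: In the cached-response path at new line 74, an expired cached entry now leaves the local `response` non-null: the removed code nulled it together with `responseMap.remove(certID)`, whereas a `false` from `isCertIDFoundAndCurrent` now reaches only the `else` at lines 82-85 (which appears to be the else of `if (matchFound)`) and that branch merely removes the map entry. getOcspResponse starts and ends outside the hunks, so whether the stale object can still be returned or reused cannot be confirmed here; if anything below gates the fresh fetch on `response == null`, add `response = null;` beside the remove at line 84. The new helper also folds a nextUpdate ParseException and a stale response into the same `false`, which is fail-closed and reasonable, but it deserves a comment saying so, e.g. `// true only if a SingleResponse for certID exists and its nextUpdate (when present) is not before validDate; a malformed nextUpdate is treated as stale`. Note that only nextUpdate is checked; thisUpdate handling is presumably left to validatedOcspResponse, which is not visible here.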
