
Commit abaf71f

fix: Don't log OCSP status if the result cannot be validated. (#1489)
Don't log OCSP status if the result cannot be validated.
1 parent a7ca0ac commit abaf71f


1 file changed

+23
-16
lines changed


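--- a/sdk/src/crypto/cose/ocsp.rs
+++ b/sdk/src/crypto/cose/ocsp.rs
@@ -149,17 +149,16 @@ fn process_ocsp_responses(
 tst_info: Option<&TstInfo>,
 validation_log: &mut StatusTracker,
 ) -> Result<OcspResponse, CoseError> {
-let mut current_validation_log = StatusTracker::default();
 for ocsp_response_der in ocsp_response_ders {
-current_validation_log = StatusTracker::default();
+let mut current_validation_log = StatusTracker::default();
 if let Ok(ocsp_response) = if _sync {
 check_stapled_ocsp_response(
 sign1,
 ocsp_response_der,
 data,
 ctp,
 tst_info,
-validation_log,
+&mut current_validation_log,
 )
 } else {
 check_stapled_ocsp_response_async(
@@ -168,12 +167,12 @@ fn process_ocsp_responses(
 data,
 ctp,
 tst_info,
-validation_log,
+&mut current_validation_log,
 )
 .await
 } {
 // If certificate is revoked, return error immediately
-if validation_log.has_status(validation_status::SIGNING_CREDENTIAL_REVOKED) {
+if current_validation_log.has_status(validation_status::SIGNING_CREDENTIAL_REVOKED) {
 log_item!(
 "",
 format!(
@@ -183,14 +182,15 @@ fn process_ocsp_responses(
 "check_ocsp_status"
 )
 .validation_status(SIGNING_CREDENTIAL_REVOKED)
-.informational(&mut current_validation_log);
+.informational(validation_log);
 
 return Err(CoseError::CertificateTrustError(
 CertificateTrustError::CertificateNotTrusted,
 ));
 }
 // If certificate is confirmed not revoked, return success
-if validation_log.has_status(validation_status::SIGNING_CREDENTIAL_NOT_REVOKED) {
+if current_validation_log.has_status(validation_status::SIGNING_CREDENTIAL_NOT_REVOKED)
+{
 log_item!(
 "",
 format!(
@@ -200,14 +200,12 @@ fn process_ocsp_responses(
 "check_ocsp_status"
 )
 .validation_status(SIGNING_CREDENTIAL_NOT_REVOKED)
-.informational(&mut current_validation_log);
+.informational(validation_log);
 
-validation_log.append(&current_validation_log);
 return Ok(ocsp_response);
 }
 }
 }
-validation_log.append(&current_validation_log);
 Ok(OcspResponse::default())
 }
 
@@ -255,24 +253,33 @@ fn check_stapled_ocsp_response(
 Err(_) => (None, None),
 };
 
-let Ok(ocsp_data) =
-OcspResponse::from_der_checked(ocsp_response_der, signing_time, validation_log)
-else {
+let mut current_validation_log = StatusTracker::default();
+let Ok(ocsp_data) = OcspResponse::from_der_checked(
+ocsp_response_der,
+signing_time,
+&mut current_validation_log,
+) else {
 return Ok(OcspResponse::default());
 };
 
 // If we get a valid response, validate the certs.
 if ocsp_data.revoked_at.is_none() {
 if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
-check_end_entity_certificate_profile(
+// if the OCSP signing cert cannot be validated do not use this response
+if check_end_entity_certificate_profile(
 &ocsp_certs[0],
 ctp,
 validation_log,
 tst_info.as_ref(),
-)?;
+)
+.is_err()
+{
+return Ok(OcspResponse::default());
+}
 }
 }
-
+// only append usable OCSP responses to validation_log
+validation_log.append(&current_validation_log);
 Ok(ocsp_data)
 }
 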
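Review bot: In the last hunk, `check_end_entity_certificate_profile` is still handed the caller's `validation_log` rather than the new scratch `current_validation_log`, so anything it records about a responder certificate that fails the profile is written before the `.is_err()` early return discards the response. When the caller is `process_ocsp_responses` that tracker is itself a per-iteration scratch log and the entries are dropped, but any other caller (none is visible here) would still receive them, which is at odds with the new comment `// only append usable OCSP responses to validation_log`. Passing `&mut current_validation_log,` as the third argument would keep every entry for a response together until the response is accepted. Separately, `&ocsp_certs[0]` would panic if a parsed response ever carried an empty certificate list; unless `from_der_checked` already guarantees a non-empty list, `ocsp_certs.first()` with the same `return Ok(OcspResponse::default());` fallback is the safer form for bytes that arrive as external input. The body of `check_stapled_ocsp_response` starts outside the hunk.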