backport of commit 94d4223 (#26013)

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
hashicorp · Mar 18, 2024 · c760d1d · c760d1d
1 parent 4328b1b
commit c760d1d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go
@@ -630,9 +630,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
 			return testLogger
 		}, 10)
 
-		err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf)
-		require.NoError(t, err)
-
 		_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
 			"serial_number": serialNumber,
 		})

diff --git a/changelog/25986.txt b/changelog/25986.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: Address an issue in which OCSP query responses were not cached
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -776,14 +776,29 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s
 		}, nil
 	}
 
+	sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status)
+
 	return validateOCSP(&ocsp.Response{
 		ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
 		ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
 		NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
-		Status:     int(cacheValue.status),
+		Status:     sdkOcspStatus,
 	})
 }
 
+func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int {
+	switch internalStatusCode {
+	case ocspStatusGood:
+		return ocsp.Good
+	case ocspStatusRevoked:
+		return ocsp.Revoked
+	case ocspStatusUnknown:
+		return ocsp.Unknown
+	default:
+		return int(internalStatusCode)
+	}
+}
+
 /*
 // writeOCSPCache writes a OCSP Response cache
 func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {