From 8c4fb02746e178633d6b05f08fb51cc35dd098ce Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Mon, 18 Mar 2024 19:11:14 +0000 Subject: [PATCH] backport of commit 94d42235cf28f8194aa0a5ccafd4c67afd344c64 --- builtin/logical/pki/integration_test.go | 3 --- changelog/25986.txt | 3 +++ sdk/helper/ocsp/client.go | 17 ++++++++++++++++- 3 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 changelog/25986.txt diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index 81720fa2fe5f..657352e50a0b 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -630,9 +630,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) { return testLogger }, 10) - err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf) - require.NoError(t, err) - _, err = client.Logical().Write("pki/revoke", map[string]interface{}{ "serial_number": serialNumber, }) diff --git a/changelog/25986.txt b/changelog/25986.txt new file mode 100644 index 000000000000..3f64fe3c871a --- /dev/null +++ b/changelog/25986.txt @@ -0,0 +1,3 @@ +```release-note:bug +auth/cert: Address an issue in which OCSP query responses were not cached +``` diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go index 8bd9cea4ee8f..9c1375c4f5b9 100644 --- a/sdk/helper/ocsp/client.go +++ b/sdk/helper/ocsp/client.go @@ -776,14 +776,29 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s }, nil } + sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status) + return validateOCSP(&ocsp.Response{ ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(), ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(), NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(), - Status: int(cacheValue.status), + Status: sdkOcspStatus, }) } +func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int { + switch internalStatusCode { + case ocspStatusGood: + return ocsp.Good + case ocspStatusRevoked: + return ocsp.Revoked + case ocspStatusUnknown: + return ocsp.Unknown + default: + return int(internalStatusCode) + } +} + /* // writeOCSPCache writes a OCSP Response cache func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {