
Return the proper serial number in OCSP verification errors#27696

Merged
stevendpclark merged 3 commits into main from stevendpclark/fix-ocsp-error-msg
Jul 9, 2024

Conversation

@stevendpclark
Contributor

@stevendpclark stevendpclark commented Jul 4, 2024

Description

  • We returned the issuer's certificate number instead of the serial number of the actual certificate we validated from an OCSP request that confirmed the certificate was revoked

Fixes #27126

VAULT-28667

TODO only if you're a HashiCorp employee

  • Labels: If this PR is the CE portion of an ENT change, and that ENT change is
    getting backported to N-2, use the new style backport/ent/x.x.x+ent labels
    instead of the old style backport/x.x.x labels.
  • Labels: If this PR is a CE only change, it can only be backported to N, so use
    the normal backport/x.x.x label (there should be only 1).
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

 - We returned the issuer's certificate number instead of the serial
   number of the actual certificate we validated from an OCSP request.

 - The problematic serial number within the error is never shown
   currently in Vault. The only user of this library is cert-auth,
   which swallows errors around revoked certificates and returns
   a boolean false instead of the actual error message.
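The defect described above is a mix-up between two certificates that both carry a serial number: the leaf that was checked against the OCSP responder and the issuer used to validate the response. The following is an added example, not Vault's own code, that builds a two-certificate chain with the Go standard library, shows the buggy and the corrected way of composing the "revoked" error side by side, and includes the kind of regression check that would have caught the wrong serial. The function names (`buggyRevokedError`, `fixedRevokedError`, `ReportsLeafSerial`, `newTestChain`) and the sentinel `ErrCertificateRevoked` are hypothetical; the serial numbers are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrCertificateRevoked is a hypothetical sentinel that a verifier would wrap
// so callers can use errors.Is while still reading the detailed message.
var ErrCertificateRevoked = errors.New("certificate is revoked")

// buggyRevokedError reproduces the reported defect: the leaf was the subject
// of the OCSP query, but the issuer's serial ends up in the message.
func buggyRevokedError(leaf, issuer *x509.Certificate) error {
	_ = leaf // the checked certificate is ignored, which is the bug
	return fmt.Errorf("%w: serial number %s", ErrCertificateRevoked, issuer.SerialNumber.Text(16))
}

// fixedRevokedError reports the serial of the certificate that was actually
// validated, and names the issuer separately so the two cannot be confused.
func fixedRevokedError(leaf, issuer *x509.Certificate) error {
	return fmt.Errorf("%w: serial number %s (issuer %q)",
		ErrCertificateRevoked, leaf.SerialNumber.Text(16), issuer.Subject.CommonName)
}

// ReportsLeafSerial is the regression check: the message must contain the
// leaf's serial and must not contain the issuer's.
func ReportsLeafSerial(err error, leaf, issuer *x509.Certificate) bool {
	msg := err.Error()
	return strings.Contains(msg, leaf.SerialNumber.Text(16)) &&
		!strings.Contains(msg, issuer.SerialNumber.Text(16))
}

// newTestChain builds a self-signed issuer and a leaf it signs. The serials
// are constructed so that a mix-up is visible in the error text.
func newTestChain() (leaf, issuer *x509.Certificate, err error) {
	issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	issuerTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(0x1001), // constructed issuer serial
		Subject:               pkix.Name{CommonName: "Test Issuer CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	issuerDER, err := x509.CreateCertificate(rand.Reader, issuerTmpl, issuerTmpl, &issuerKey.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	if issuer, err = x509.ParseCertificate(issuerDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x2002), // constructed leaf serial
		Subject:      pkix.Name{CommonName: "leaf.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return leaf, issuer, nil
}

func main() {
	leaf, issuer, err := newTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("buggy:", buggyRevokedError(leaf, issuer))
	fmt.Println("fixed:", fixedRevokedError(leaf, issuer))
}
```

The second bullet above explains why the bug went unnoticed: the only caller collapses the error into a boolean. A check like `ReportsLeafSerial` only has value if the test suite inspects the error text rather than the boolean that wraps it.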
@stevendpclark stevendpclark added this to the 1.15.12 milestone Jul 4, 2024
@stevendpclark stevendpclark self-assigned this Jul 4, 2024
@stevendpclark stevendpclark requested a review from a team as a code owner July 4, 2024 17:50
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 4, 2024
@github-actions

github-actions bot commented Jul 4, 2024

CI Results:
All Go tests succeeded! ✅

@github-actions

github-actions bot commented Jul 4, 2024

Build Results:
All builds succeeded! ✅

@stevendpclark stevendpclark force-pushed the stevendpclark/fix-ocsp-error-msg branch from 49d32cc to d714a98 Compare July 4, 2024 18:06
@stevendpclark stevendpclark modified the milestones: 1.15.12, 1.15.13 Jul 5, 2024

Development

Successfully merging this pull request may close these issues.

OCSPClient.VerifyLeafCertificate() returns incorrect error messages
