From c8edfcfb27a457a675d8e194acb59891a6e839ed Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 1 Mar 2016 22:38:40 -0500
Subject: [PATCH 75/75] Do not leak status of certs issued by other CAs

If an OCSP request includes CertIDs for certificates issued by multiple CAs, return 'unknown' CertStatus for all certificates not issued by the "signing" CA.
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index cbb155a3bedd1517256b89ab8d2803d6ccbbb8c5..63c7ca4e4a8083dc58b54196af89cc7629e9fd97 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -33,6 +33,7 @@ import java.security.Signature;
 import java.security.cert.CRLException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
+import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -2245,7 +2246,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
             return response;
         } catch (Exception e) {
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString()));
-            throw new EBaseException(e.toString());
+            throw new EBaseException(e.toString(), e);
         }
     }
 
@@ -2301,6 +2302,22 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
         GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
         GeneralizedTime nextUpdate = null;
 
+        byte[] nameHash = null;
+        String digestName = cid.getDigestName();
+        if (digestName != null) {
+            try {
+                MessageDigest md = MessageDigest.getInstance(digestName);
+                nameHash = md.digest(mName.getEncoded());
+            } catch (NoSuchAlgorithmException | IOException e) {
+            }
+        }
+        if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash)) {
+            // issuer of cert is not this CA (or we couldn't work
+            // out whether it is or not due to unknown hash alg);
+            // do not return status information for this cert
+            return new SingleResponse(cid, new UnknownInfo(), thisUpdate, null);
+        }
+
         boolean ocspUseCache = true;
         try {
-- 
2.5.0
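Review bot: The guard on the `if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash))` line identifies the issuer by name hash alone, so a CertID whose issuerNameHash matches this CA's subject name but whose issuerKeyHash belongs to a different key (a re-keyed or same-named CA) is still answered with real status instead of Unknown; RFC 6960 defines CertID by both hashes, so the same digest should also be run over this CA's subject public key bits and compared against the CertID's issuer key hash before the certificate is treated as ours. The empty `catch (NoSuchAlgorithmException | IOException e) {}` hides why a request fell into the Unknown path; a line in the style of the existing `log(ILogger.LL_FAILURE, ...)` call naming digestName would give operators a trace of unsupported-algorithm requests and of mName encoding failures. If getIssuerNameHash() can be null for a malformed request, the `.toByteArray()` call throws and the request is reported as failed by the enclosing catch rather than answered Unknown, which is worth confirming against CertID's decoder. The enclosing method starts and ends outside the hunk.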