Address OCSP client caching issue (#25986)

* Address OCSP client caching issue - The OCSP cache built into the client that is used by cert-auth would cache the responses but when pulling out a cached value the response wasn't validating properly and was then thrown away. - The issue was around a confusion of the client's internal status vs the Go SDK OCSP status integer values. - Add a test that validates the cache is now used * Add cl * Fix PKI test failing now due to the OCSP cache working - Remove the previous lookup before revocation as now the OCSP cache works so we don't see the new revocation as we are actually leveraging the cache
hashicorp · Mar 18, 2024 · 94d4223 · 94d4223
1 parent c7bdac4
commit 94d4223
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go
@@ -630,9 +630,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
 			return testLogger
 		}, 10)
 
-		err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf)
-		require.NoError(t, err)
-
 		_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
 			"serial_number": serialNumber,
 		})

diff --git a/changelog/25986.txt b/changelog/25986.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: Address an issue in which OCSP query responses were not cached
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -776,14 +776,29 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s
 		}, nil
 	}
 
+	sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status)
+
 	return validateOCSP(&ocsp.Response{
 		ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
 		ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
 		NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
-		Status:     int(cacheValue.status),
+		Status:     sdkOcspStatus,
 	})
 }
 
+func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int {
+	switch internalStatusCode {
+	case ocspStatusGood:
+		return ocsp.Good
+	case ocspStatusRevoked:
+		return ocsp.Revoked
+	case ocspStatusUnknown:
+		return ocsp.Unknown
+	default:
+		return int(internalStatusCode)
+	}
+}
+
 /*
 // writeOCSPCache writes a OCSP Response cache
 func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {