[SERVER-60310] OCSP response validation should not consider statuses of irrelevant certificates
Created: 29/Sep/21  Updated: 29/Oct/23  Resolved: 03/Dec/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.2.0, 5.1.2, 5.0.6, 4.4.11

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Erwin Pe
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.1, v5.0, v4.4
Sprint: Security 2021-11-15, Security 2021-11-29, Security 2021-12-13
Participants:
Case:

Description

When an OCSP responder is queried, it may elect to disclose the statuses of more certificates than were initially requested. These certificates may or may not be revoked. If we attempt to validate an OCSP response and observe one or more revoked statuses for unsolicited certificates, we should ignore them if (and only if) they are irrelevant to the chain we are attempting to validate.

Otherwise, we may fail to validate a valid chain.
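A model of the matching logic the fix describes, as an added example that is not MongoDB's code: the CertID fields and statuses are constructed stand-ins for the RFC 6960 CertID (issuer name hash, issuer key hash, serial number), and the two functions contrast the pre-fix behaviour with the corrected one.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class CertID:
    """Constructed stand-in for an RFC 6960 CertID; frozen so it is hashable."""
    issuer_name_hash: str
    issuer_key_hash: str
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: str  # "good", "revoked" or "unknown"


def validate_all_statuses(responses: Iterable[SingleResponse],
                          chain_ids: Set[CertID]) -> bool:
    """Pre-fix behaviour: any revoked entry in the response fails validation,
    even when that entry refers to a certificate outside the chain."""
    return all(r.status != "revoked" for r in responses)


def validate_relevant_statuses(responses: Iterable[SingleResponse],
                               chain_ids: Set[CertID]) -> Optional[bool]:
    """Fixed behaviour: only SingleResponse entries whose CertID matches a
    certificate in the chain are considered; unsolicited entries are ignored.
    Returns None when the response says nothing about the chain at all, so the
    caller can apply its own policy (hard-fail, soft-fail, retry)."""
    relevant = [r for r in responses if r.cert_id in chain_ids]
    if not relevant:
        return None
    return all(r.status == "good" for r in relevant)


# Constructed sample: a response covering our leaf plus an unrelated
# certificate from the same issuer that happens to be revoked.
LEAF = CertID("issuer-name-hash", "issuer-key-hash", 1001)
UNRELATED = CertID("issuer-name-hash", "issuer-key-hash", 2002)
CHAIN = {LEAF}
RESPONSE = [SingleResponse(LEAF, "good"), SingleResponse(UNRELATED, "revoked")]

if __name__ == "__main__":
    print("pre-fix:", validate_all_statuses(RESPONSE, CHAIN))        # False
    print("fixed:  ", validate_relevant_statuses(RESPONSE, CHAIN))   # True
```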



Comments
Comment by Githook User [ 06/Dec/21 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-60310 Skip irrelevant certificates when validating OCSP responses

(cherry picked from commit c56dfd0e1963c76c97a9d9d19ac7cef390f82066)
Branch: v5.1
https://github.com/mongodb/mongo/commit/0d95d87f917ae9bccfa23467fd12f1cf32ab0476

Comment by Githook User [ 06/Dec/21 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-60310 Skip irrelevant certificates when validating OCSP responses

(cherry picked from commit c56dfd0e1963c76c97a9d9d19ac7cef390f82066)
Branch: v5.0
https://github.com/mongodb/mongo/commit/f0ca1be2bc3203a83e7112a0bba8fda4f049eecc

Comment by Githook User [ 06/Dec/21 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-60310 Skip irrelevant certificates when validating OCSP responses

(cherry picked from commit c56dfd0e1963c76c97a9d9d19ac7cef390f82066)
Branch: v4.4
https://github.com/mongodb/mongo/commit/7fe2b3080aa2d9e31e57aa2d556db8c4ec10663d

Comment by Githook User [ 02/Dec/21 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-60310 Skip irrelevant certificates when validating OCSP responses
Branch: master
https://github.com/mongodb/mongo/commit/c56dfd0e1963c76c97a9d9d19ac7cef390f82066
