
Validate OCSP response ProducedAt. #515

Status: Merged (3 commits, Mar 29, 2021)

Conversation

twifkak (Member) commented Mar 26, 2021

Don't accept an OCSP response if its ProducedAt is outside the leaf cert's
NotBefore/NotAfter validity window.

Fixes #514.
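The check described in this PR, written out as an added example in Go; it is not amppackager's own code and does not use the project's types. The function name `checkProducedAt`, the helper `newTestLeaf` and the subject name `example.test` are assumptions made for the example. It treats the validity bounds as inclusive (RFC 5280 defines the validity interval that way) and rejects a zero ProducedAt, which is what a missing or unparsed field would look like after decoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkProducedAt rejects an OCSP response whose ProducedAt timestamp lies
// outside the leaf certificate's NotBefore/NotAfter validity window.
// Bounds are inclusive, matching the inclusive validity interval of RFC 5280.
// A zero ProducedAt (field missing or not parsed) is treated as invalid.
func checkProducedAt(producedAt time.Time, leaf *x509.Certificate) error {
	if producedAt.IsZero() {
		return errors.New("ocsp: ProducedAt is missing")
	}
	if producedAt.Before(leaf.NotBefore) {
		return fmt.Errorf("ocsp: ProducedAt %s precedes cert NotBefore %s",
			producedAt.UTC().Format(time.RFC3339), leaf.NotBefore.UTC().Format(time.RFC3339))
	}
	if producedAt.After(leaf.NotAfter) {
		return fmt.Errorf("ocsp: ProducedAt %s is after cert NotAfter %s",
			producedAt.UTC().Format(time.RFC3339), leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	return nil
}

// newTestLeaf builds a self-signed certificate with the given validity window.
// This is constructed test data for the example, not a CA-issued certificate.
func newTestLeaf(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // placeholder subject
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Round-trip through DER so NotBefore/NotAfter carry the second precision
	// a real parsed certificate would have.
	return x509.ParseCertificate(der)
}

func main() {
	notBefore := time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)
	leaf, err := newTestLeaf(notBefore, notBefore.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, producedAt := range []time.Time{
		notBefore.Add(24 * time.Hour),      // inside the window: accepted
		notBefore.Add(-time.Minute),        // before NotBefore: rejected
		notBefore.Add(91 * 24 * time.Hour), // after NotAfter: rejected
	} {
		fmt.Printf("%s -> %v\n", producedAt.Format(time.RFC3339), checkProducedAt(producedAt, leaf))
	}
}
```

In a real responder client this check sits alongside, not instead of, signature verification of the response and the ThisUpdate/NextUpdate freshness check; a ProducedAt inside the certificate's lifetime says nothing about whether the response is still current.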

@twifkak twifkak requested a review from banaag March 26, 2021 02:14
twifkak (Member, Author) commented Mar 26, 2021

To make it easier to review, you may want to look at this commit separately from the vendor update.

@@ -429,9 +429,9 @@ func (this *CertCache) readOCSP(allowRetries bool) ([]byte, time.Time, error) {

// Print # of retries, wait for specified time and returned updated wait time.
func waitForSpecifiedTime(waitTimeInMinutes int, numRetries int) int {
log.Printf("Retrying OCSP server: retry #%d\n", numRetries)
log.Printf("Retrying OCSP server: retry #%d", numRetries)
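Review bot: the function comment `// Print # of retries, wait for specified time and returned updated wait time.` has a typo, `returned` should read `return`, and is worth fixing while this line is being touched. Dropping the trailing `\n` from `log.Printf("Retrying OCSP server: retry #%d", numRetries)` is a harmless cleanup rather than a behaviour change: the standard library's log package only appends a newline when the message does not already end in one, so the old and new lines emit identical output.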
Collaborator commented:

Did you remove the \n on purpose? Did you mean to change it to Println then?

twifkak (Member, Author) commented:

Yeah, the \n is redundant. I saw this done on webpkg. It's a difference between fmt and log: https://golang.org/pkg/log/#pkg-overview:~:text=Every%20log%20message%20is%20output%20on,newline%2C%20the%20logger%20will%20add%20one.

var err error
this.fakeOCSP, err = FakeOCSPResponse(this.fakeClock.Now())
this.fakeOCSP, err = FakeOCSPResponse(now, now.Add(1*time.Minute))
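Review bot: `now.Add(1*time.Minute)` is an unexplained magic value in the test setup; the one-minute offset should be documented where the interval is defined, and the author's follow-up (moving that comment into `FakeOCSPResponse`) is the right single place for it. The hunk also does not show where `now` is declared; the replaced line took the time from `this.fakeClock.Now()`, so it is worth confirming that `now` still comes from the fake clock rather than `time.Now()`, otherwise the test's clock and the response timestamps would drift apart.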
Collaborator commented:

Could you add a comment here as to why a minute was added?

twifkak (Member, Author) commented:

Good idea. Decided to extract it into the FakeOCSPResponse function so there was only one place to document it.

@twifkak twifkak merged commit 8da047b into ampproject:master Mar 29, 2021
@twifkak twifkak deleted the produced_at branch March 29, 2021 19:44