dogtagpki · ladycfu · Aug 25, 2023 · Aug 25, 2023 · edewata · Aug 25, 2023
diff --git a/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java b/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
@@ -44,6 +44,7 @@
 import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.base.ConfigStorage;
+import com.netscape.cmscore.cert.CertUtils;
 import com.netscape.ocsp.OCSPAuthority;
 
 @WebListener
@@ -149,9 +150,13 @@ public boolean isRevoked(X509Certificate[] certificates) {
         }
 
         for (X509Certificate cert: certificates) {
+            // validateConnCertWithCRL only handles leaf certs
+            if (CertUtils.isCACert(cert))
+                continue;
+
             if(!crlCertValid(crlStore, cert, null)) {
                 return true;
-            }
+            } else break;
         }
         return false;
 

diff --git a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
@@ -56,6 +56,7 @@
 import org.mozilla.jss.netscape.security.util.ObjectIdentifier;
 import org.mozilla.jss.netscape.security.util.Utils;
 import org.mozilla.jss.netscape.security.x509.AlgorithmId;
+import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
 import org.mozilla.jss.netscape.security.x509.CertificateExtensions;
 import org.mozilla.jss.netscape.security.x509.Extension;
 import org.mozilla.jss.netscape.security.x509.X500Name;
@@ -1339,6 +1340,43 @@ public static void addCTv1PoisonExt(X509CertInfo certinfo)
         certinfo.set(X509CertInfo.EXTENSIONS, exts);
     }
 
+    public static boolean isCACert(X509Certificate cert) {
+        String method = "CertUtils.isCACert: ";
+        try {
+            X509CertImpl impl = new X509CertImpl(cert.getEncoded());
+            X509CertInfo certinfo = (X509CertInfo) impl.get(
+                    X509CertImpl.NAME + "." + X509CertImpl.INFO);
+            if (certinfo == null)
+                return false;
+            else {
+                CertificateExtensions exts = (CertificateExtensions) certinfo.get(X509CertInfo.EXTENSIONS);
+
+                if (exts == null)
+                    return false;
+                else {
+                    try {
+                        BasicConstraintsExtension ext = (BasicConstraintsExtension) exts
+                                .get(BasicConstraintsExtension.NAME);
+
+                        if (ext == null)
+                            return false;
+                        else {
+                            Boolean bool = (Boolean) ext.get(BasicConstraintsExtension.IS_CA);
+
+                            return bool.booleanValue();
+                        }
+                    } catch (IOException ee) {
+                        return false;
+                    }
+                }
+            }
+        } catch (Exception e) {
+            logger.warn(method + CMS.getLogMessage("CMSCORE_SECURITY_IS_CA_CERT", e.toString()), e);
+            return false;
+            //throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
+        }
+    }
+
     /*
      * for debugging
      */