From 054f5b182afaaadabd976cd99971ca57266a1be6 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Tue, 9 Jul 2024 09:03:34 -0400
Subject: [PATCH] Return the proper serial number in OCSP verification errors (#27696)

* Return the proper serial number in OCSP verification errors
- We returned the issuer's certificate number instead of the serial number of the actual certificate we validated from an OCSP request.
- The problematic serial number within the error are never shown currently in Vault. The only user of this library is cert-auth which swallows errors around revoked certificates and returns a boolean false instead of the actual error message.
* Add cl
* Use previously formatted serial in error msg
---
 builtin/logical/pki/integration_test.go | 1 +
 changelog/27696.txt | 3 +++
 sdk/helper/ocsp/client.go | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 changelog/27696.txt
diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go
index 73d7d113ad88..1c3da7fa3a1b 100644
--- a/builtin/logical/pki/integration_test.go
+++ b/builtin/logical/pki/integration_test.go
@@ -718,6 +718,7 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
 err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf)
 require.Error(t, err)
+ require.Contains(t, err.Error(), serialNumber, "Expected revoked serial number to appear in err")
 }
 }
diff --git a/changelog/27696.txt b/changelog/27696.txt
new file mode 100644
index 000000000000..42956c336015
--- /dev/null
+++ b/changelog/27696.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: Use subject's serial number, not issuer's within error message text in OCSP request errors
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
index 8fba050cb203..cef1f6896b48 100644
--- a/sdk/helper/ocsp/client.go
+++ b/sdk/helper/ocsp/client.go
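Review bot: The new `require.Contains` assertion exercises only the revoked branch of VerifyLeafCertificate, while the same fix also changes the serial reported by the unknown-status / FailOpenFalse return, which this test leaves unverified. A second case that asks the responder about a serial it does not know and asserts the subject's serial in that error would pin both changed branches. The assertion also depends on `serialNumber` (declared outside the hunk) already being in the colon-separated hex form the client formats, which is worth a one-line comment at its declaration so a later change to the test fixture does not silently break the check. TestIntegrationOCSPClientWithPKI begins and ends outside the hunk.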
@@ -702,12 +702,12 @@ func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x50
 if results.code == ocspStatusGood {
 return nil
 } else {
- serial := issuer.SerialNumber
+ serial := subject.SerialNumber
 serialHex := strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":"))
 if results.code == ocspStatusRevoked {
 return fmt.Errorf("certificate with serial number %s has been revoked", serialHex)
 } else if conf.OcspFailureMode == FailOpenFalse {
- return fmt.Errorf("unknown OCSP status for cert with serial number %s", strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":")))
+ return fmt.Errorf("unknown OCSP status for cert with serial number %s", serialHex)
 } else {
 c.Logger().Warn("could not validate OCSP status for cert, but continuing in fail open mode", "serial", serialHex)
 }
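Review bot: Neither the unknown-status error on the new `+` line nor the fail-open warning at the end of the hunk records which OCSP status was actually returned, so an operator reading the log cannot tell an unknown response apart from any other non-good result that reached this branch. Adding the code to the warning, `c.Logger().Warn("could not validate OCSP status for cert, but continuing in fail open mode", "serial", serialHex, "status", results.code)`, keeps the fail-open decision auditable without changing the returned errors. As a style nit, the `} else {` after `return nil` could be flattened into an early return with the remaining chain written as a `switch` on `results.code`. VerifyLeafCertificate begins and ends outside the hunk.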