OSCP response handling

yim-lee · yim-lee · commit b1510fa379d6 · 2021-03-11T17:00:33.000-08:00
diff --git a/Sources/PackageCollectionsSigning/Certificate/CertificatePolicy.swift b/Sources/PackageCollectionsSigning/Certificate/CertificatePolicy.swift
@@ -375,14 +375,21 @@ private struct BoringSSLOCSPClient {
 
         group.notify(queue: callbackQueue) {
             // If there's no result then something must have gone wrong
-            guard !results.isEmpty, results.compactMap({ $0.failure }).isEmpty else {
+            guard !results.isEmpty else {
+                return wrappedCallback(.failure(CertificatePolicyError.ocspFailure))
+            }
+
+            let statuses = results.compactMap { $0.success }
+            // We got results but they are all failures
+            guard !statuses.isEmpty else {
                 diagnosticsEngine.emit(error: "OCSP failed. All results: \(results)")
                 return wrappedCallback(.failure(CertificatePolicyError.ocspFailure))
             }
-            // Is there response "bad status" response?
+            // If at least one response is "bad status" then the chain is invalid
             guard results.compactMap({ $0.success }).first(where: { !$0 }) == nil else {
                 return wrappedCallback(.failure(CertificatePolicyError.invalidCertChain))
             }
+            // Good status
             wrappedCallback(.success(()))
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -375,14 +375,21 @@ private struct BoringSSLOCSPClient {`
`375`	`375`
`376`	`376`	`group.notify(queue: callbackQueue) {`
`377`	`377`	`// If there's no result then something must have gone wrong`
`378`		`- guard !results.isEmpty, results.compactMap({ $0.failure }).isEmpty else {`
	`378`	`+ guard !results.isEmpty else {`
	`379`	`+ return wrappedCallback(.failure(CertificatePolicyError.ocspFailure))`
	`380`	`+ }`
	`381`	`+`
	`382`	`+ let statuses = results.compactMap { $0.success }`
	`383`	`+ // We got results but they are all failures`
	`384`	`+ guard !statuses.isEmpty else {`
`379`	`385`	`diagnosticsEngine.emit(error: "OCSP failed. All results: \(results)")`
`380`	`386`	`return wrappedCallback(.failure(CertificatePolicyError.ocspFailure))`
`381`	`387`	`}`
`382`		`- // Is there response "bad status" response?`
	`388`	`+ // If at least one response is "bad status" then the chain is invalid`
`383`	`389`	`guard results.compactMap({ $0.success }).first(where: { !$0 }) == nil else {`
`384`	`390`	`return wrappedCallback(.failure(CertificatePolicyError.invalidCertChain))`
`385`	`391`	`}`
	`392`	`+ // Good status`
`386`	`393`	`wrappedCallback(.success(()))`
`387`	`394`	`}`
`388`	`395`	`}`