From 79d2877aae2996ae0aa7a380093d6e430e5fd277 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Wed, 19 Jul 2023 10:54:56 -0700
Subject: [PATCH] Adding useful OCSP debug messages

This patch fixed and added some useful information in the OCSP area. During investigation setup procedure for ticket RHCS-4264, some debug messages can be confusing. In addition, more information should be shared for administrators to understand why things are not working as expected. It is also useful for RHCS-4261 for RHCS-4264 and RHCS-4261

---
 .../java/com/netscape/cms/ocsp/LDAPStore.java | 15 +++++++++++----
 .../netscape/cms/servlet/ocsp/AddCRLServlet.java | 6 +++---
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
index 988449aec9b..31dc6938087 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -17,6 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.ocsp;
+import java.lang.Integer;
 import java.math.BigInteger;
 import java.security.MessageDigest;
 import java.security.cert.X509CRL;
@@ -246,12 +247,13 @@ public void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl)
 if (oldCRL != null) {
 if (oldCRL.getThisUpdate().getTime() >= crl.getThisUpdate().getTime()) {
- logger.info("LDAPStore: no update, received CRL is older than current CRL");
+ logger.info("LDAPStore: no update, received CRL is not newer than current CRL");
 return; // no update
 }
 }
- logger.debug("Added '" + caCert.getSubjectName() + "' into CRL hash");
+ logger.debug("LDAPStore: updateCRLHash: Added '" + caCert.getSubjectName() + "' into CRL hash");
 mCRLs.put(caCert, crl);
+ logger.debug("LDAPStore: updateCRLHash: mCRLs size= "+ mCRLs.size());
 }
 @Override 
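Review bot: The added `import java.lang.Integer;` in the first hunk is redundant: every type in `java.lang` is imported implicitly, and none of the new lines in this patch reference `Integer` anyway (the `mCRLs.size()` concatenation in updateCRLHash needs no explicit boxing). Drop the line; Checkstyle's RedundantImport and Error Prone both flag it, and it is the only non-logging change in the LDAPStore file.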
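Review bot: In the updateCRLHash hunk the `Added '…' into CRL hash` debug line is still emitted before `mCRLs.put(caCert, crl)` executes, so on the one code path where the put could fail the log would claim an insertion that never happened; move the statement after the put, or fold it into the new size line: `logger.debug("LDAPStore: updateCRLHash: added '" + caCert.getSubjectName() + "' into CRL hash, mCRLs size=" + mCRLs.size());`. If `logger` is an SLF4J logger (its declaration is outside the hunk), prefer `{}` placeholders over string concatenation so the subject name is not formatted when debug logging is off. The reworded info message is an improvement: the `>=` guard on thisUpdate also rejects a CRL with an identical thisUpdate, which "not newer" describes and "older" did not. updateCRLHash begins before this hunk.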
@@ -418,9 +420,12 @@ public SingleResponse processRequest(Request req) throws Exception {
 logger.info("LDAPStore: Checking against " + caCert.getSubjectName());
 MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
+ logger.debug("LDAPStore: processRequest: cert digest name=" +
+ cid.getDigestName());
 X509Key key = (X509Key) caCert.getPublicKey();
 if (key == null) {
+ logger.debug("LDAPStore: processRequest: mCRLs caCert.getPublicKey() returns null");
 throw new Exception("Missing issuer key");
 }
@@ -428,6 +433,7 @@ public SingleResponse processRequest(Request req) throws Exception {
 byte keyhsh[] = cid.getIssuerKeyHash().toByteArray();
 if (!Arrays.equals(digest, keyhsh)) {
+ logger.debug("LDAPStore: processRequest: CA key digest and cert issuer key hash do not match; continue to look at next CA in mCRLs...");
 continue;
 }
@@ -438,11 +444,12 @@ public SingleResponse processRequest(Request req) throws Exception {
 }
 if (theCert == null) {
- throw new Exception("Missing issuer certificate");
+ throw new Exception("Issuer certificate not found/served");
 }
 if (theCRL == null) {
- throw new Exception("Missing CRL data");
+ throw new Exception("Missing CRL data for issuing CA:" +
+ theCert.getSubjectDN());
 }
 GeneralizedTime thisUpdate = new GeneralizedTime(
diff --git a/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
index 171f07b014f..1fb0d64cf9b 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/servlet/ocsp/AddCRLServlet.java 
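Review bot: The new `cert digest name=` debug line in the first processRequest hunk sits after `MessageDigest.getInstance(cid.getDigestName())`, so when a request names a digest the JCA provider does not support, getInstance throws before the name is ever logged — precisely the failure an administrator would want this message for. Move the two added lines above the getInstance call so the requested digest is recorded on both the success and failure paths. The debug line added before `throw new Exception("Missing issuer key")` repeats what the exception already says; carrying the CA into the exception instead, `throw new Exception("Missing issuer key for " + caCert.getSubjectName());`, gives the caller the same context without a second log entry. processRequest begins before this hunk and continues past it.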
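Review bot: The third processRequest hunk formats the CA with `theCert.getSubjectDN()` while every other message in this file uses `getSubjectName()`, and the literal lacks a separator after the colon, so the message renders as `...issuing CA:CN=...`. `X509Certificate.getSubjectDN()` is also the legacy accessor (deprecated since Java 16 in favour of `getSubjectX500Principal()`); if `theCert` is an X509CertImpl like `caCert` (its declaration is outside the hunk), `throw new Exception("Missing CRL data for issuing CA: " + theCert.getSubjectName());` keeps the file consistent. The "Issuer certificate not found/served" wording is fine, though "not found" alone reads cleaner since the CA list is what was searched.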
@@ -415,14 +415,14 @@ protected synchronized void process(CMSRequest cmsReq)
 (pt.getThisUpdate().getTime() >= crl.getThisUpdate().getTime())) {
- logger.warn("AddCRLServlet: no update, received CRL is older than current CRL");
+ logger.warn("AddCRLServlet: no update, received CRL is not newer than current CRL");
 if (noUI) {
 try {
 resp.setContentType("application/text");
 resp.getOutputStream().write("status=1\n".getBytes());
 resp.getOutputStream().write(
- "error=Sent CRL is older than the current CRL\n".getBytes());
+ "error=Sent CRL is not newer than the current CRL\n".getBytes());
 resp.getOutputStream().flush();
 cmsReq.setStatus(CMSRequest.SUCCESS);
@@ -435,7 +435,7 @@ protected synchronized void process(CMSRequest cmsReq)
 } catch (Exception e) {
 }
 } else {
- logger.error("AddCRLServlet: CRL is older");
+ logger.error("AddCRLServlet: CRL is not newer");
 // NOTE: The signed audit events
 // LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL and
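Review bot: The rewritten `error=Sent CRL is not newer than the current CRL\n` line keeps a charset-less `.getBytes()`, which encodes with the platform default on JDKs before 18; since the line is being touched anyway, pass an explicit charset, `"error=Sent CRL is not newer than the current CRL\n".getBytes(StandardCharsets.UTF_8)`, and do the same for the `status=1\n` write so the two halves of the response cannot disagree (this needs `java.nio.charset.StandardCharsets` imported if the file does not already). The surrounding `setContentType("application/text")` is not a registered media type; `text/plain` is what clients parsing this status line will expect, though that predates this patch. The new wording matches the `>=` comparison on thisUpdate, which also rejects a re-sent CRL with an identical thisUpdate, so "not newer" is the accurate description. process begins before this hunk and the block continues into the next one.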