Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Better validate OCSP response's optional certs
We make three changes here: 1. Allow iterating over all given certificates to find the one that signed this OCSP response, as RFC 6960 does not guarantee an order and some CAs send multiple certificates, and 2. Allow the passed issuer to match the certificate that directly signed this response, and 3. Lastly, we document the unsafe behavior of calling these functions with issuer=nil, indicating that it performs no trust verification. Previously, when a CA returned the intermediate CA that signed a leaf cert as an additional cert in the response field (without using a delegated OCSP certificate), Go would err with a bad signature, as it expected the intermediate CA to have signed the wire copy. Also includes a code comment around the "bad signature on embedded certificate" error message, indicating that this isn't strictly the correct preposition choice. See also: https://github.com/crtsh/test_websites_monitor/blob/1bd8226b5f963e91d7889ea432a36e3173be8eec/test_websites_monitor.go#L267 See also: golang/go#59641 Signed-off-by: Alexander Scheel <[email protected]>
- Loading branch information