Possibly ignored OCSP response signature validation result #2254

@recombinationgroup

Description

While using BouncyCastle Java 1.83, we encountered an issue where the OCSP revocation checker seems to ignore the signature validation status of the OCSP response. Specifically, this happens if a revocation checker is used which already has an OCSP response provided (as opposed to fetching the response via OcspCache).

Note: this might be a misuse of the BouncyCastle API on our end, but from reading the source code, it seemed more like a bug than a feature to us.

We created a minimal reproducer here:
https://github.com/recombinationgroup/bouncycastle-ocsp-sig-reproducer

We noticed that:

  • ProvRevocationChecker calls ocspChecker.check(certificate) (line 147) on ProvOcspRevocationChecker, seemingly expecting an Exception in case the revocation checking process fails
  • ProvOcspRevocationChecker calls validatedOcspResponse(basicResp, parameters, nonce, parent.getOcspResponderCert(), helper) (line 264), since preValidated is false.
  • This call to validatedOcspResponse returns false in case the OCSP response signature is invalid (at least if it was signed using a wrong/malicious private key). It does not throw an Exception in this case. This is expected, because this method is also called when OcspCache validates a response it just received from an OCSP responder.
  • OcspCache throws an exception in case validatedOcspResponse returns false.
  • ProvOcspRevocationChecker does not throw an Exception in case validatedOcspResponse returns false. Since this does not result in an Exception, a bad validation state is silently ignored by ProvRevocationChecker.

It might be that the implicit contract here is that if an OCSP response is handed in "manually", ProvRevocationChecker assumes that the signature has already been verified. However, that seems surprising to us, since validatedOcspResponse is explicitly called, even in this case.

Please let us know if there is any further info you would like us to supply.
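Whatever the outcome of this report, a caller that supplies OCSP responses by hand can make the signature check its own responsibility, so that a bad signature raises an exception at the call site instead of becoming a flag the checker may or may not act on. The following is an added example for this page; it is not code from the reporter's reproducer or from BouncyCastle itself. It uses BouncyCastle's public OCSP API (OCSPResp, BasicOCSPResp, RespID, CertificateID) and assumes the BC provider is registered under the name "BC" and that the PKIX CertPathValidator from that provider returns a PKIXRevocationChecker subclass (as the report describes for ProvRevocationChecker). The class and method names VerifiedOcspResponses, requireValidSignature, findAcceptableSigner and checkerWithVerifiedResponse are hypothetical.

```java
// Added example, not BouncyCastle's own code: verify an OCSP response before handing
// it to PKIXRevocationChecker.setOcspResponses(). Assumes BouncyCastle is registered
// as provider "BC" (Security.addProvider(new BouncyCastleProvider())).
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RespID;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public final class VerifiedOcspResponses {

    /** Hypothetical exception type: any failure below is an exception, never a boolean. */
    public static final class OcspVerificationException extends Exception {
        public OcspVerificationException(String msg) { super(msg); }
        public OcspVerificationException(String msg, Throwable cause) { super(msg, cause); }
    }

    /**
     * Returns derResponse unchanged only if it is a successful OCSP response whose signature
     * verifies under an acceptable signer: the issuing CA itself, or a delegated responder
     * certificate carried in the response that is issued and signed by that CA and has the
     * id-kp-OCSPSigning extended key usage. Every other case throws.
     */
    public static byte[] requireValidSignature(byte[] derResponse, X509Certificate issuerCert)
            throws OcspVerificationException {
        try {
            OCSPResp resp = new OCSPResp(derResponse);
            if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
                throw new OcspVerificationException("OCSP response status " + resp.getStatus());
            }
            Object body = resp.getResponseObject();
            if (!(body instanceof BasicOCSPResp)) {
                throw new OcspVerificationException("unsupported OCSP response type");
            }
            BasicOCSPResp basic = (BasicOCSPResp) body;
            X509CertificateHolder issuer = new JcaX509CertificateHolder(issuerCert);
            DigestCalculatorProvider digests =
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();

            X509CertificateHolder signer = findAcceptableSigner(basic, issuer, digests);
            if (!basic.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(signer))) {
                throw new OcspVerificationException("OCSP response signature does not verify");
            }
            // Each single response must refer to a certificate of this issuer; otherwise a
            // correctly signed response about some other CA's certificate could be replayed here.
            for (SingleResp single : basic.getResponses()) {
                if (!single.getCertID().matchesIssuer(issuer, digests)) {
                    throw new OcspVerificationException("OCSP response is for a different issuer");
                }
            }
            return derResponse;
        } catch (OcspVerificationException e) {
            throw e;
        } catch (Exception e) {
            throw new OcspVerificationException("cannot parse or verify OCSP response", e);
        }
    }

    /** Selects the candidate whose ResponderID (by name or SHA-1 key hash) matches; delegated responders are vetted. */
    private static X509CertificateHolder findAcceptableSigner(BasicOCSPResp basic,
            X509CertificateHolder issuer, DigestCalculatorProvider digests) throws Exception {
        RespID responderId = basic.getResponderId();
        DigestCalculator sha1 = digests.get(CertificateID.HASH_SHA1);
        List<X509CertificateHolder> candidates = new ArrayList<>();
        candidates.add(issuer);
        Collections.addAll(candidates, basic.getCerts());
        for (X509CertificateHolder c : candidates) {
            boolean matches = responderId.equals(new RespID(c.getSubject()))
                || responderId.equals(new RespID(c.getSubjectPublicKeyInfo(), sha1));
            if (!matches) continue;
            if (c == issuer) return c;
            // Delegated responder: must be issued and signed by the CA and carry id-kp-OCSPSigning.
            if (!c.getIssuer().equals(issuer.getSubject())) continue;
            if (!c.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) continue;
            Extension eku = c.getExtension(Extension.extendedKeyUsage);
            if (eku == null || !ExtendedKeyUsage.getInstance(eku.getParsedValue())
                    .hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) continue;
            return c;
        }
        throw new OcspVerificationException("no acceptable signer for the OCSP responder ID");
    }

    /** Builds the BC PKIX revocation checker with a response that has already been verified above. */
    public static PKIXRevocationChecker checkerWithVerifiedResponse(X509Certificate subject,
            X509Certificate issuer, byte[] derResponse) throws Exception {
        byte[] verified = requireValidSignature(derResponse, issuer);
        // Assumption: BC's PKIX validator returns a PKIXRevocationChecker subclass here.
        PKIXRevocationChecker rc = (PKIXRevocationChecker)
            CertPathValidator.getInstance("PKIX", "BC").getRevocationChecker();
        rc.setOcspResponses(Collections.singletonMap(subject, verified));
        return rc;
    }
}
```

The point of the wrapper is that the response only reaches setOcspResponses after the signature, the responder identity and the issuer binding have been checked in code the caller controls, so the behaviour of the checker's internal validatedOcspResponse flag no longer decides whether a forged response is accepted. It does not replace the freshness and nonce checks the revocation checker performs itself.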
