Commits on Apr 17, 2023

1. ocsp: better validate OCSP response's certificates …

   We make three changes here:
   
    1. Allow iterating over all given certificates to find the one that
       signed this OCSP response, as RFC 6960 does not guarantee an order
       and some CAs send multiple certificates, and
    2. Allow the passed issuer to match the certificate that directly
       signed this response, and
    3. Lastly, we document the unsafe behavior of calling these functions
       with issuer=nil, indicating that it performs no trust verification.
   
   Previously, when a CA returned the intermediate CA that signed a leaf
   cert as an additional cert in the response field (without using a
   delegated OCSP certificate), Go would err with a bad signature, as it
   expected the intermediate CA to have signed the wire copy (even though
   it was the exact same certificate).
   
   Also includes a code comment around the "bad signature on embedded
   certificate" error message, indicating that this isn't strictly
   the correct preposition choice.
   
   See also: https://github.com/crtsh/test_websites_monitor/blob/1bd8226b5f963e91d7889ea432a36e3173be8eec/test_websites_monitor.go#L267
   See also: golang/go#59641
   
   Fixes golang/go#59641
   
   Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

   

   cipherboy committed Apr 17, 2023
   Configuration menu

   • View commit details
   • Copy full SHA for 7ee4c84
   • Browse repository at this point

   Copy the full SHA

   7ee4c84 View commit details

   Browse the repository at this point in the history