x/crypto/ocsp: OCSP responses signed by invalid OCSP responder certificate should return signature verification error #43522
In the case of an OCSP response signed with an embedded OCSP responder cert (not by the CA cert directly), ParseResponse from the ocsp package does not check whether the embedded OCSP responder certificate is expired.
...only signatures are checked. This allows one to use an old, expired OCSP responder certificate and its key to sign an OCSP response, and a Go application using the ocsp.ParseResponse package will accept this response but should not (checked in go1.15.2 linux/amd64, but the master sources seem to contain the same problem).
OpenSSL in such a scenario throws:
Response Verify Failure
error:
Please see OpenSSL's OCSP response verification algo described on...
...and do full responder cert verification, not just signatures.
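As an added example (not code from this issue, from x/crypto/ocsp or from OpenSSL), the caller-side check in Go's standard crypto/x509 that performs the full responder-certificate verification the report asks for: chain to the issuing CA, id-kp-OCSPSigning EKU, and validity period. The CA and responder certificates are constructed inside the block so it runs offline; verifyOCSPResponderCert, issue, responderTmpl and checkResponders are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// verifyOCSPResponderCert does the checks the issue reports ocsp.ParseResponse skips for an embedded
// responder cert: chain to the issuing CA, id-kp-OCSPSigning EKU, and validity at time `at`
// (use the response's ProducedAt or time.Now()).
func verifyOCSPResponderCert(responder, issuer *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	_, err := responder.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}})
	return err // nil only if the cert chains to issuer, carries the EKU and is within its validity period
}

// issue signs a constructed test certificate from tmpl with parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) } // constructed test data; a failure here is a bug in the example
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// responderTmpl is a constructed delegated-responder template valid for the two years ending at notAfter.
func responderTmpl(serial int64, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{CommonName: "Constructed OCSP Responder"},
		NotBefore: notAfter.Add(-2 * 365 * 24 * time.Hour), NotAfter: notAfter,
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}
}

// checkResponders builds a constructed CA with one in-date and one expired responder cert and
// returns the verification result for each at time now (validErr nil, expiredErr non-nil).
func checkResponders(now time.Time) (validErr, expiredErr error) {
	year := 365 * 24 * time.Hour
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Constructed Test CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-3 * year), NotAfter: now.Add(10 * year)}, nil, nil)
	valid, _ := issue(responderTmpl(2, now.Add(year)), ca, caKey)
	expired, _ := issue(responderTmpl(3, now.Add(-24*time.Hour)), ca, caKey)
	return verifyOCSPResponderCert(valid, ca, now), verifyOCSPResponderCert(expired, ca, now)
}
```

In a real client the responder cert comes from the parsed response (its Certificate field) and the issuer cert from the chain being checked; the key signing the response is only trusted once this verification passes.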