x/crypto/ocsp: Verify ProducedAt, ThisUpdate, and NextUpdate against cert validity window #45244
Comments
cc @agl

It looks like the library ought to check ThisUpdate and NextUpdate against the cert's validity window, too. LMK if you want me to provide a minified test case for you like I did with ProducedAt.

/cc @sleevi

/cc @FiloSottile @rolandshoemaker Note: I think historically, Go has taken a conservative approach, even though specific certificate profiles (e.g. Web PKI) may make more stringent requirements. I know @FiloSottile tries to find the right balance, but I did want to explicitly acknowledge he may decide to WontFix this and leave it to implementations to enforce :) So, enforcing Enforcing For the other bits, I think it may make sense specific to the application? We've not yet profiled these in the Web PKI, and the closest profile I'm aware of is the (mandatory-but-not-mandatory for Web PKI) RFC 5019, Section 2.2.4

Good to know. For For
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Almost certainly. I don't see anything in https://github.com/golang/crypto/blob/master/ocsp/ocsp.go that would change the situation.

What operating system and processor architecture are you using (`go env`)?

What did you do?

https://play.golang.org/p/oV4dSUSHMt9

`ocsp.ParseResponse()` does not validate that the response's `ProducedAt` is within the `NotBefore`/`NotAfter` range of the provided `cert`. `ocsp.ParseResponseForCert()`, if given an OCSP response with multiple SingleResponses, does not necessarily pick the one with the correct `ProducedAt` per the same logic.

What did you expect to see?

What did you see instead?
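As an added example (not code from x/crypto/ocsp or from anyone in this thread), here is the validity-window check the issue and the first comment ask for, written against a stand-in struct that carries the same three timestamps as `ocsp.Response` so it runs without the x/crypto module; `OCSPTimes` and `CheckAgainstCertValidity` are names chosen for this example.

```go
package main

import (
	"fmt"
	"time"
)

// OCSPTimes mirrors the three timestamps x/crypto/ocsp exposes on a parsed
// Response. NextUpdate is optional in OCSP, so a zero time means it was
// omitted. Stand-in struct so the example needs no x/crypto dependency.
type OCSPTimes struct {
	ProducedAt, ThisUpdate, NextUpdate time.Time
}

// CheckAgainstCertValidity is the check the issue asks for: ProducedAt,
// ThisUpdate and (when present) NextUpdate must all fall inside the
// certificate's NotBefore/NotAfter window. The first violation is reported
// by field name; nil means every timestamp is in range.
func CheckAgainstCertValidity(r OCSPTimes, notBefore, notAfter time.Time) error {
	inWindow := func(field string, t time.Time) error {
		if t.Before(notBefore) || t.After(notAfter) {
			return fmt.Errorf("ocsp: %s %s outside certificate validity [%s, %s]",
				field, t.UTC().Format(time.RFC3339),
				notBefore.UTC().Format(time.RFC3339), notAfter.UTC().Format(time.RFC3339))
		}
		return nil
	}
	if err := inWindow("ProducedAt", r.ProducedAt); err != nil {
		return err
	}
	if err := inWindow("ThisUpdate", r.ThisUpdate); err != nil {
		return err
	}
	if !r.NextUpdate.IsZero() {
		return inWindow("NextUpdate", r.NextUpdate)
	}
	return nil
}

func main() {
	// Constructed sample: cert valid through 2021, response produced in 2020.
	notBefore := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2021, 12, 31, 23, 59, 59, 0, time.UTC)
	bad := OCSPTimes{
		ProducedAt: time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC),
		ThisUpdate: time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC),
	}
	fmt.Println(CheckAgainstCertValidity(bad, notBefore, notAfter))
}
```

In real code, pass `resp.ProducedAt`, `resp.ThisUpdate` and `resp.NextUpdate` from the parsed `*ocsp.Response` together with `cert.NotBefore`/`cert.NotAfter` from the `*x509.Certificate` being checked.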