Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checkocsp: verify validity period of signing certificate #4852

Merged
merged 5 commits into from Jun 8, 2020
Merged

checkocsp: verify validity period of signing certificate #4852

merged 5 commits into from Jun 8, 2020

Conversation

jsha
Copy link
Contributor

@jsha jsha commented Jun 8, 2020
edited

No description provided.

@jsha jsha requested a review from a team as a code owner June 8, 2020 19:42
rolandshoemaker
rolandshoemaker reviewed Jun 8, 2020
View reviewed changes
test/ocsp/helper/helper.go
// certificate signed it, and that that certificate is currently valid.
func checkSignature(resp *ocsp.Response, issuer *x509.Certificate) error {
var ocspSigner = issuer
if delegatedSigner := resp.Certificate; delegatedSigner != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

x/crypto/ocsp already does this signature checking for us, I think all we need to do is check that the certificate is still valid.

rolandshoemaker
rolandshoemaker reviewed Jun 8, 2020
View reviewed changes
test/ocsp/helper/helper.go Outdated
@@ -222,5 +266,10 @@ func parseAndPrint(respBytes []byte, cert, issuer *x509.Certificate, expectStatu
fmt.Printf(" RevocationReason %d\n", resp.RevocationReason)
fmt.Printf(" SignatureAlgorithm %s\n", resp.SignatureAlgorithm)
fmt.Printf(" Extensions %#v\n", resp.Extensions)
fmt.Printf(" Certificate:\n")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will panic if we don't get a bundled certificate.

rolandshoemaker
rolandshoemaker reviewed Jun 8, 2020
View reviewed changes
test/ocsp/helper/helper.go Outdated
if resp.Certificate == nil {
fmt.Printf(" Certificate: nil\n")
} else {
fmt.Printf(" Certificate:\n")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extremely nit: Printf with no formatting directive.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

somewhat surprised we don;t get a vet error for this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

go vet actually does spot this, but we don't run go vet in Travis because it's too noisy, and it's explicitly documented as something not recommended for CI.

But thanks for the suggestion on running it- I actually found a bug on another line.

@jsha jsha changed the title Add signature validation for ocspcheck test tool ocspcheck: verify validity period of signing certificate Jun 8, 2020
@jsha jsha merged commit d003ae8 into master Jun 8, 2020
@jsha jsha deleted the ocspcheck-signature branch June 8, 2020 20:56
@jsha jsha changed the title ocspcheck: verify validity period of signing certificate checkocsp: verify validity period of signing certificate Jun 9, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rolandshoemaker rolandshoemaker rolandshoemaker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jsha @rolandshoemaker