Fix OCSP checking #274

Merged: 2 commits merged into master from jwood/fix-ocsp on Jun 28, 2022
Conversation

@jdtw (Contributor) commented Jun 28, 2022

Fixes #272. The root of the problem is that we're asking the wrong OCSP servers. The current code does something like:

```go
leaf, issuers := chain[0], chain[1:]
for _, issuer := range issuers {
  // check for revocation of leaf via issuer.OCSPServer
}
```

The main problem is that `OCSPServer` is the URI of the OCSP server for that certificate, and by asking `issuer.OCSPServer` about `leaf`, we're requesting OCSP responses from the wrong server. We should be checking `leaf.OCSPServer` in this example instead of `issuer.OCSPServer`.

The second problem is that the loop makes no sense. One would not expect any OCSP server in a given chain to be authoritative for a given leaf.

If you do `certigo connect google.com`, you'll see

```
Certificate has OCSP extension, but was unable to check status:
	ocsp: error from server: unauthorized
```

The "unauthorized" means the OCSP server we asked doesn't know anything about the cert we asked about.

@jdtw jdtw requested review from a team, stfinney, john-shieh and violetd12 June 28, 2022 20:04
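The selection logic the description argues for, as an added example that is not certigo's own code: take `chain[0]` as the leaf, confirm `chain[1]` actually signed it before using it as the issuer, and query the responders in `leaf.OCSPServer` rather than any `issuer.OCSPServer`. The pre-fix selection is kept alongside for contrast. The two-certificate chain is constructed in memory (stdlib only) so the example runs offline; the responder URLs and the helper names `ocspTargetForLeaf`, `buggyOCSPServers` and `makeTestChain` are assumptions of this example, and the OCSP request itself (e.g. `ocsp.CreateRequest(leaf, issuer, nil)` from golang.org/x/crypto/ocsp) is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ocspTarget is what a status check for a leaf needs: the leaf, the certificate
// that signed it (its name/key hashes go into the request), and the responder
// URLs from the leaf's own AIA extension.
type ocspTarget struct {
	Leaf    *x509.Certificate
	Issuer  *x509.Certificate
	Servers []string
}

// ocspTargetForLeaf applies the fix described in the PR: use leaf.OCSPServer,
// never issuer.OCSPServer, and accept chain[1] as the issuer only after
// verifying it really signed chain[0]. No network round trip is made here.
func ocspTargetForLeaf(chain []*x509.Certificate) (*ocspTarget, error) {
	if len(chain) < 2 {
		return nil, errors.New("need the leaf and its issuer to build an OCSP request")
	}
	leaf, issuer := chain[0], chain[1]
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("chain[1] is not the issuer of chain[0]: %w", err)
	}
	if len(leaf.OCSPServer) == 0 {
		return nil, errors.New("leaf carries no OCSP responder URL")
	}
	return &ocspTarget{Leaf: leaf, Issuer: issuer, Servers: leaf.OCSPServer}, nil
}

// buggyOCSPServers reproduces the pre-fix selection for contrast: it gathers
// the responder URLs of every issuer, none of which is authoritative for the
// leaf, which is why such a responder answers "unauthorized".
func buggyOCSPServers(chain []*x509.Certificate) []string {
	var servers []string
	for _, issuer := range chain[1:] {
		servers = append(servers, issuer.OCSPServer...)
	}
	return servers
}

// makeTestChain builds a constructed CA + leaf pair in memory so the example
// runs offline. Both responder URLs are placeholders, not real services.
func makeTestChain() ([]*x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		OCSPServer: []string{"http://ocsp.root.example/"}, // placeholder: responder for the CA cert itself
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:  []string{"http://ocsp.issuer.example/"}, // placeholder: responder for the leaf
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

func main() {
	chain, err := makeTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("pre-fix would query:", buggyOCSPServers(chain))
	if tgt, err := ocspTargetForLeaf(chain); err == nil {
		fmt.Println("fixed code queries:", tgt.Servers, "with issuer", tgt.Issuer.Subject.CommonName)
	}
}
```

The signature check is the part worth keeping even outside this example: if the chain is ordered wrongly or padded with an unrelated certificate, building the request from `chain[1]` would produce a responder query for an issuer that never signed the leaf, and the responder would again answer "unauthorized" for a reason unrelated to revocation.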
@@ -32,7 +32,7 @@ import (
)

var (
skippedRevocationCheck = errors.New("skipped revocation check")
errSkippedRevocationCheck = errors.New("skipped revocation check")
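Review bot: the rename to errSkippedRevocationCheck satisfies the Go convention that sentinel error values start with err, but this hunk shows only the declaration; any reference to the old skippedRevocationCheck elsewhere in the file has to be updated in the same change or the package will not build, so a grep for the old name before merging is worthwhile. The OCSP server selection fix that the description explains is not in this hunk, so reviewers should look for it in the remaining hunks of the same file.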
@jdtw (Contributor, Author) commented on this hunk:

fixes the lint about error naming while I'm in the file...

@jdtw jdtw merged commit 4c8f1c5 into master Jun 28, 2022
@jdtw jdtw deleted the jwood/fix-ocsp branch June 28, 2022 21:51
jdtw added a commit to jdtw/certigo that referenced this pull request Jul 25, 2022
* master: (21 commits)
  Update README.md
  Unconditionally add forward slash in OCSP GET requests (square#282)
  Use Go generate instead of a makefile (square#279)
  Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
  Add support for printing SCTs (square#277)
  Update Go version to 1.18 (square#276)
  Update to 1.16 (square#275)
  Fix OCSP checking (square#274)
  Bump github.com/stretchr/testify from 1.7.2 to 1.7.5
  Update go command to install certigo (square#270)
  Bump github.com/stretchr/testify from 1.7.1 to 1.7.2
  Upgrade yaml.v3 version (square#266)
  Allow any ciphersuite in TestConnect (square#268)
  Fix TestConnect on macOS (square#265)
  Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (square#262)
  Bump version string to 1.15.1 (square#263)
  Remove use of the format list in the connect command (square#260)
  Add --leaf flag to view the first cert only, including for json and pem
  Set certs explicitly (square#259)
  Upgrade /x/crypto dependency (square#257)
  ...
Successfully merging this pull request may close these issues: #272 OCSP unauthorized error