
ocsp: better validate OCSP response's certificates

Open cipherboy opened this issue 2 years ago • 4 comments

We make three changes here:

  1. Allow iterating over all given certificates to find the one that signed this OCSP response, as RFC 6960 does not guarantee an order and some CAs send multiple certificates, and
  2. Allow the passed issuer to match the certificate that directly signed this response, and
  3. Lastly, we document the unsafe behavior of calling these functions with issuer=nil, indicating that it performs no trust verification.

Previously, when a CA returned the intermediate CA that signed a leaf cert as an additional cert in the response field (without using a delegated OCSP certificate), Go would err with a bad signature, as it expected the intermediate CA to have signed the wire copy (even though it was the exact same certificate).

Also includes a code comment around the "bad signature on embedded certificate" error message, indicating that this isn't strictly the correct preposition choice.

See also: https://github.com/crtsh/test_websites_monitor/blob/1bd8226b5f963e91d7889ea432a36e3173be8eec/test_websites_monitor.go#L267

See also: https://github.com/golang/go/issues/59641

Fixes golang/go#59641

cipherboy, Apr 17 '23 13:04

This PR (HEAD: 4da111cfcc3932f2ffd43f200312a8fb79ed407e) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/crypto/+/485055 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off). See the Wiki page for more info.

gopherbot, Apr 17 '23 13:04

Message from Alex Scheel:

Patch Set 1:

(1 comment)
Please don’t reply on this GitHub thread. Visit golang.org/cl/485055. After addressing review feedback, remember to publish your drafts!

gopherbot, Apr 17 '23 14:04

This PR (HEAD: 7ee4c84b54f11b7125a796724103b8372c86e827) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/crypto/+/485055 to see it.

gopherbot, Apr 17 '23 14:04

Message from Alex Scheel:

Patch Set 1:

(1 comment)
Please don’t reply on this GitHub thread. Visit golang.org/cl/485055. After addressing review feedback, remember to publish your drafts!

gopherbot, Sep 25 '23 15:09