Verify delegated & CA signed OCSP correctly (#736)

Both ParseResponse and ParseResponseForCert in "golang.org/x/crypto/ocsp" do already verify the response and embedded certificates when present. Previous OCSP signature validation in this package was done incorrectly and would only be performed when ParseResponse would have verified the signature with no errors. By using ParseResponseForCert instead of ParseResponse also OCSP responses containing multiple answers can be handled successfully.
cloudflare · Mar 16, 2017 · 418d970 · 418d970
1 parent f27ab50
commit 418d970
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/revoke/revoke.go b/revoke/revoke.go
@@ -239,16 +239,13 @@ func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool) {
 	}
 
 	for _, server := range ocspURLs {
-		resp, err := sendOCSPRequest(server, ocspRequest, issuer)
+		resp, err := sendOCSPRequest(server, ocspRequest, leaf, issuer)
 		if err != nil {
 			if strict {
 				return
 			}
 			continue
 		}
-		if err = resp.CheckSignatureFrom(issuer); err != nil {
-			return false, false
-		}
 
 		// There wasn't an error fetching the OCSP status.
 		ok = true
@@ -266,7 +263,7 @@ func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool) {
 // sendOCSPRequest attempts to request an OCSP response from the
 // server. The error only indicates a failure to *fetch* the
 // certificate, and *does not* mean the certificate is valid.
-func sendOCSPRequest(server string, req []byte, issuer *x509.Certificate) (*ocsp.Response, error) {
+func sendOCSPRequest(server string, req []byte, leaf, issuer *x509.Certificate) (*ocsp.Response, error) {
 	var resp *http.Response
 	var err error
 	if len(req) > 256 {
@@ -304,5 +301,5 @@ func sendOCSPRequest(server string, req []byte, issuer *x509.Certificate) (*ocsp
 		return nil, errors.New("OSCP signature required")
 	}
 
-	return ocsp.ParseResponse(body, issuer)
+	return ocsp.ParseResponseForCert(body, leaf, issuer)
 }