-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify delegated & CA signed OCSP correctly #736
Conversation
lgtm, but please rebase on top of the master. |
@lziest, done |
@vanbroup I've fixed our tests on master; can you rebase? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If resp.Certificarte is not nil, should it be used to verify the OCSP response as well?
When resp.Certificarte is present it should contain a delegated signing certificate (not the issuer, you should already have that). When it doesn't contain a delegated signing certificate the response should not be delegated and be signed by the issuer directly. I started thinking why ParseResponseForCert in "golang.org/x/crypto/ocsp" would not already verify the signature. After verification I concluded that it does already verify the signature. I think it makes more sense to remove the OCSP signature verification from CFSSL as it has no value to do it twice. https://github.com/golang/crypto/blob/master/ocsp/ocsp.go#L524 |
Both ParseResponse and ParseResponseForCert in "golang.org/x/crypto/ocsp" do already verify the response and embedded certificates when present. Previous OCSP signature validation in this package was done incorrectly and would only be performed when ParseResponse would have verified the signature with no errors. By using ParseResponseForCert instead of ParseResponse also OCSP responses containing multiple awnsers can be handled successfully.
Codecov Report
@@ Coverage Diff @@
## master #736 +/- ##
==========================================
- Coverage 57.77% 57.71% -0.06%
==========================================
Files 76 77 +1
Lines 6643 6769 +126
==========================================
+ Hits 3838 3907 +69
- Misses 2391 2463 +72
+ Partials 414 399 -15
Continue to review full report at Codecov.
|
Much appreciated. |
Only check the OCSP response signature from the issuer when no delegated signing certificate is included in the response. When a delegated OCSP signing certificate is present verify this is issued by the same CA.