Make ocsp validate the signature of a response.
OCSP signatures should be validated when no issuer certificate is returned by the OCSP responder.
This commit is contained in:
parent
f2f5117496
commit
65b62b5670
1 changed files with 8 additions and 3 deletions
|
@ -14,7 +14,6 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"math/big"
|
||||
"net/http"
|
||||
"time"
|
||||
|
@ -84,12 +83,18 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
|
|||
}
|
||||
|
||||
ocspResBytes, err := ioutil.ReadAll(req.Body)
|
||||
_, err = ocsp.ParseResponse(ocspResBytes, nil)
|
||||
ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
|
||||
if err != nil {
|
||||
log.Printf("OCSPParse Error: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if ocspRes.Certificate == nil {
|
||||
err = ocspRes.CheckSignatureFrom(issuerCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return ocspResBytes, nil
|
||||
}
|
||||
|
||||
|
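Review bot: The error from `ioutil.ReadAll(req.Body)` is never inspected: the following line `ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)` overwrites `err`, so a truncated or failed read is only caught indirectly, if at all, by the parser; add `if err != nil { return nil, err }` directly after the ReadAll line. The new `ocspRes.Certificate == nil` branch verifies the response signature only when the responder embeds no certificate; when one is embedded, nothing in this hunk checks that the embedded certificate chains to `issuerCert` and is authorized for OCSP signing, so unless the `ocsp.ParseResponse` version in use performs that verification for a non-nil issuer, a response signed by an arbitrary self-supplied certificate would be accepted — worth confirming against the vendored package and, if it does not, verifying the embedded certificate against `issuerCert` in an `else` branch. The raw bytes are also returned regardless of `ocspRes.Status`; if callers rely on this function for validity, a comment stating that status interpretation is left to the caller would help. The start of GetOCSPForCert, where `req` and `issuerCert` are defined, lies outside the hunk.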
|