From 65b62b567023d5b52e439195b1598861345f1956 Mon Sep 17 00:00:00 2001
From: xenolf
Date: Tue, 27 Oct 2015 22:31:56 +0100
Subject: [PATCH] Make ocsp validate the signature of a response.

OCSP signatures should get validated if no issuer certificate is returned from the OCSP responder.
---
 acme/crypto.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/acme/crypto.go b/acme/crypto.go
index 0054eb77..0db5b045 100644
--- a/acme/crypto.go
+++ b/acme/crypto.go
@@ -14,7 +14,6 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
-	"log"
 	"math/big"
 	"net/http"
 	"time"
@@ -84,12 +83,18 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
 	}
 
 	ocspResBytes, err := ioutil.ReadAll(req.Body)
-	_, err = ocsp.ParseResponse(ocspResBytes, nil)
+	ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
 	if err != nil {
-		log.Printf("OCSPParse Error: %v", err)
 		return nil, err
 	}
 
+	if ocspRes.Certificate == nil {
+		err = ocspRes.CheckSignatureFrom(issuerCert)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return ocspResBytes, nil
 }
 
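Review bot: The error returned by `ioutil.ReadAll(req.Body)` is still discarded, because the new `ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)` line overwrites `err` before it is checked, so a truncated body is parsed as if it were complete; insert `if err != nil {` / `return nil, err` / `}` between the two lines. The signature handling is also asymmetric: only the `Certificate == nil` branch verifies anything explicitly, and nothing in the hunk checks that an embedded responder certificate chains to `issuerCert` (or that the response's serial number matches the certificate being queried); if the `ocsp` package already performs these checks inside `ParseResponse` when `issuer` is non-nil, the explicit `CheckSignatureFrom` call is redundant and a comment saying so, e.g. `// ParseResponse verifies the signature when issuerCert is non-nil`, would prevent a reader from relying on this branch. Note that `GetOCSPForCert` begins before this hunk, so whether `req.Body` is closed cannot be seen here.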