Make ocsp validate the signature of a response.
OCSP response signatures should be validated if no issuer certificate is returned by the OCSP responder.
This commit is contained in:
parent
f2f5117496
commit
65b62b5670
1 changed files with 8 additions and 3 deletions
@ -14,7 +14,6 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
|
||||||
"math/big"
|
"math/big"
|
||||||
"net/http"
|
"net/http"
|
||||||
"time"
|
"time"
|
||||||
|
@ -84,12 +83,18 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
ocspResBytes, err := ioutil.ReadAll(req.Body)
|
ocspResBytes, err := ioutil.ReadAll(req.Body)
|
||||||
_, err = ocsp.ParseResponse(ocspResBytes, nil)
|
ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("OCSPParse Error: %v", err)
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ocspRes.Certificate == nil {
|
||||||
|
err = ocspRes.CheckSignatureFrom(issuerCert)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return ocspResBytes, nil
|
return ocspResBytes, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
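Review bot: The `err` returned by `ioutil.ReadAll(req.Body)` two lines above the changed `ocsp.ParseResponse` call is never checked — the new `ocspRes, err :=` simply overwrites it, so a truncated or aborted body surfaces only as an opaque parse error; add `if err != nil { return nil, err }` directly after the read, and if `req` is an HTTP response consider reading through `io.LimitReader` so a misbehaving responder cannot make the client buffer an unbounded body. On the signature check itself: with a non-nil issuer, x/crypto/ocsp's `ParseResponse` documents that it verifies the response signature against the issuer when no certificate is embedded, and chains an embedded responder certificate to the issuer when one is, so the added `if ocspRes.Certificate == nil` block re-checks what the parse already enforced — harmless, but either drop it or mark the intent with `// Defence in depth: ParseResponse already verified the signature against issuerCert when no responder certificate is embedded.` (assuming the vendored ocsp package is a version with that behaviour). In the `ocspRes.Certificate != nil` branch the commit relies entirely on that library check, and as far as I know the library does not enforce the id-kp-OCSPSigning extended key usage on a delegated responder certificate, so if delegated responders matter for this client an explicit EKU check is still needed — not verified against the vendored version. `GetOCSPForCert` begins above the hunk, where `issuerCert` is presumably assigned.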