validateOCSPResponder enforces RFC 6960 §4.2.2.2: "Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing the use of the id-kp-OCSPSigning value." An issuer-signed response (where the embedded Certificate field is nil, meaning the issuer signed directly) is always acceptable.
(ocspResp *ocsp.Response, issuerCert *x509.Certificate)
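// id-kp-OCSPSigning value." A response with no embedded responder certificate, or
// whose embedded certificate is the issuer itself, is accepted as issuer-signed.
//
// For a delegated responder (an embedded certificate that differs from issuerCert)
// two requirements are enforced:
//   - the responder certificate is issued directly by issuerCert, i.e. its signature
//     verifies under the issuer's public key (RFC 6960 §4.2.2.2 requires the delegated
//     responder certificate to be issued directly by the CA identified in the request);
//   - the responder certificate carries id-kp-OCSPSigning in its extended key usage.
//
// This function does not verify the signature on the OCSP response itself, and it
// does not check the responder certificate's validity period against
// ocspResp.ProducedAt. NOTE(review): the "nil Certificate means the issuer signed
// directly" reading only holds if the response was parsed with the issuer supplied
// (ocsp.ParseResponseForCert), which is where the response signature is verified —
// confirm at the call site.
//
// Returns nil when the responder is acceptable, or an error naming the requirement
// that failed. A nil ocspResp, or a nil issuerCert together with a delegated responder
// certificate, is reported as an error rather than accepted.
func validateOCSPResponder(ocspResp *ocsp.Response, issuerCert *x509.Certificate) error {
	if ocspResp == nil {
		return fmt.Errorf("OCSP response is nil")
	}
	respCert := ocspResp.Certificate

	// No responder certificate embedded, or the embedded certificate is the issuer
	// itself: the CA key signed the response directly, so id-kp-OCSPSigning is not
	// required. Certificate.Equal is nil-safe, so a nil issuerCert simply compares false.
	if respCert == nil || respCert.Equal(issuerCert) {
		return nil
	}

	// From here on the responder is delegated. Without an issuer there is nothing to
	// anchor the delegation to, so fail closed instead of trusting the EKU alone.
	if issuerCert == nil {
		return fmt.Errorf("OCSP responder certificate (subject: %s) cannot be validated: issuer certificate is nil", respCert.Subject)
	}

	// RFC 6960 §4.2.2.2: a delegated responder certificate must be issued directly by
	// the CA whose certificates it speaks for. Checking only the EKU would accept a
	// certificate from any CA that happens to carry id-kp-OCSPSigning.
	if err := issuerCert.CheckSignature(respCert.SignatureAlgorithm, respCert.RawTBSCertificate, respCert.Signature); err != nil {
		return fmt.Errorf("OCSP responder certificate (subject: %s) is not issued directly by issuer (subject: %s): %w", respCert.Subject, issuerCert.Subject, err)
	}

	// RFC 6960 §4.2.2.2 requires id-kp-OCSPSigning for delegated responders.
	for _, eku := range respCert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}

	return fmt.Errorf("OCSP responder certificate (subject: %s) is not the issuer and does not carry id-kp-OCSPSigning", respCert.Subject)
}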