Repository: github.com/caddyserver/certmagic

Function validateOCSPResponder

ocsp.go:265–282

validateOCSPResponder enforces RFC 6960 §4.2.2.2: "Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing the use of the id-kp-OCSPSigning value." An issuer-signed response (where the embedded Certificate field is nil, meaning the issuer signed directly) is always acceptable. Any other responder certificate must carry the id-kp-OCSPSigning extended key usage, otherwise the response is rejected.

func validateOCSPResponder(ocspResp *ocsp.Response, issuerCert *x509.Certificate) error


// id-kp-OCSPSigning value." An issuer-signed response (where the embedded Certificate
// field is nil, meaning the issuer signed directly) is always acceptable.
func validateOCSPResponder(ocspResp *ocsp.Response, issuerCert *x509.Certificate) error {
	respCert := ocspResp.Certificate

	// if response was signed directly by the issuer, or embedded responder cert IS the issuer, accept
	if respCert == nil || respCert.Equal(issuerCert) {
		// Response was signed directly by the issuer — always valid.
		return nil
	}

	// RFC 6960 §4.2.2.2 requires id-kp-OCSPSigning for delegated responders
	for _, eku := range respCert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}

	return fmt.Errorf("OCSP responder certificate (subject: %s) is not the issuer and does not carry id-kp-OCSPSigning", respCert.Subject)
}
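The following is an added, stand-alone example (not certmagic's code) that exercises the same decision against certificates generated on the fly with the Go standard library. It takes the responder certificate directly instead of an *ocsp.Response, so it runs without golang.org/x/crypto; in the real flow that certificate is ocsp.Response.Certificate, which is nil when the response embeds no responder certificate, and the "issuer signed directly" interpretation holds because ocsp.ParseResponseForCert has already verified the signature against the issuer it was given. The example adds one step certmagic leaves to the parser: RFC 6960 §4.2.2.2 also requires a delegated responder to hold a certificate issued directly by the CA, so the responder certificate is checked against the issuer before its EKU is inspected. The names validateResponder, issue and buildFixtures and the "Test CA" hierarchy are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validateResponder applies the RFC 6960 §4.2.2.2 rule to the certificate a
// client extracted from an OCSP response (nil when no responder certificate
// was embedded and the issuer signed directly). Accepted: no responder cert,
// the issuer itself, or a delegated responder that was issued directly by the
// issuer AND carries id-kp-OCSPSigning. The issuance check is an addition in
// this example; certmagic relies on the response parser for that step.
func validateResponder(respCert, issuerCert *x509.Certificate) error {
	if respCert == nil || respCert.Equal(issuerCert) {
		return nil
	}
	if err := respCert.CheckSignatureFrom(issuerCert); err != nil {
		return fmt.Errorf("OCSP responder certificate (subject: %s) was not issued by %s: %w",
			respCert.Subject, issuerCert.Subject, err)
	}
	for _, eku := range respCert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return fmt.Errorf("OCSP responder certificate (subject: %s) is not the issuer and does not carry id-kp-OCSPSigning",
		respCert.Subject)
}

// issue mints a P-256 test certificate; parent == nil makes it self-signed.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fixtures holds the responder situations the check must tell apart.
type fixtures struct {
	issuer, delegated, leaf, foreign *x509.Certificate
}

// buildFixtures constructs a CA (the certificate issuer), a compliant delegated
// OCSP responder, an ordinary TLS leaf from the same CA without
// id-kp-OCSPSigning, and an OCSP-signing certificate from an unrelated CA.
func buildFixtures() fixtures {
	issuer, issuerKey := issue("Test CA", true, nil, nil, nil)
	delegated, _ := issue("Test CA OCSP Responder", false, []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, issuer, issuerKey)
	leaf, _ := issue("www.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, issuer, issuerKey)
	other, otherKey := issue("Unrelated CA", true, nil, nil, nil)
	foreign, _ := issue("Unrelated CA OCSP Responder", false, []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, other, otherKey)
	return fixtures{issuer: issuer, delegated: delegated, leaf: leaf, foreign: foreign}
}

func main() {
	f := buildFixtures()
	cases := []struct {
		name string
		cert *x509.Certificate
	}{
		{"no responder cert (issuer signed directly)", nil},
		{"responder cert is the issuer", f.issuer},
		{"delegated responder with id-kp-OCSPSigning", f.delegated},
		{"TLS leaf from the same CA, no id-kp-OCSPSigning", f.leaf},
		{"OCSP-signing cert from an unrelated CA", f.foreign},
	}
	for _, c := range cases {
		if err := validateResponder(c.cert, f.issuer); err != nil {
			fmt.Printf("REJECT %s: %v\n", c.name, err)
		} else {
			fmt.Printf("ACCEPT %s\n", c.name)
		}
	}
}
```

The last two cases are the ones worth remembering: a certificate the CA legitimately issued for TLS must not be able to sign OCSP responses for its siblings, and a responder certificate that carries id-kp-OCSPSigning but was minted by some other CA is worthless no matter what its EKU says. The EKU check alone catches the first; only the issuance check catches the second.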

Callers: 2 (listed: getOCSPForCert)
Calls: no outgoing calls
Tested by: 1
