Remove extraneous certificate from OCSP response (#20201)

* Remove extraneous certificate from OCSP response

Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2023-04-17 12:40:26 -04:00 committed by GitHub
parent dfbd9091b0
commit 4190212bbb
3 changed files with 10 additions and 7 deletions


@ -499,13 +499,19 @@ func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocsp
revSigAlg = x509.SHA512WithRSA revSigAlg = x509.SHA512WithRSA
} }
// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
// Certificate any more on the response to help Go based OCSP clients.
// This was technically unnecessary, as the Certificate given here
// both signed the OCSP response and issued the leaf cert, and so
// should already be trusted by the client.
//
// See also: https://github.com/golang/go/issues/59641
template := ocsp.Response{ template := ocsp.Response{
IssuerHash: reqHash, IssuerHash: reqHash,
Status: info.ocspStatus, Status: info.ocspStatus,
SerialNumber: info.serialNumber, SerialNumber: info.serialNumber,
ThisUpdate: curTime, ThisUpdate: curTime,
NextUpdate: curTime.Add(duration), NextUpdate: curTime.Add(duration),
Certificate: caBundle.Certificate,
ExtraExtensions: []pkix.Extension{}, ExtraExtensions: []pkix.Extension{},
SignatureAlgorithm: revSigAlg, SignatureAlgorithm: revSigAlg,
} }
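Review bot: The new comment block above the `template` literal records the Go parser bug but not the invariant the omission depends on: leaving `Certificate` unset is only correct because, per the commit description, genResponse signs the response with the issuing CA's own key (the removed `caBundle.Certificate` line), which the relying party already trusts; RFC 6960 §4.2.2.2 requires a client to be able to locate the responder's certificate, so a delegated OCSP responder cert (id-kp-OCSPSigning) would have to be carried in the response again. I would add after the `See also` line: `// NOTE: this relies on the response being signed by the issuing CA itself.` / `// If a delegated responder certificate is ever used here, Certificate MUST be set again.` It would also help to note which x/crypto release fixes golang/go#59641 so the workaround can be revisited once that is the minimum supported version. genResponse begins outside the hunk.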


@ -365,7 +365,6 @@ func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
require.Equal(t, crypto.SHA1, ocspResp.IssuerHash) require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
require.Equal(t, 0, ocspResp.RevocationReason) require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber) require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
require.Equal(t, rotatedCert, ocspResp.Certificate)
requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm) requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
requireOcspResponseSignedBy(t, ocspResp, rotatedCert) requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
@ -442,7 +441,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
require.NoError(t, err, "parsing ocsp get response") require.NoError(t, err, "parsing ocsp get response")
require.Equal(t, ocsp.Revoked, ocspResp.Status) require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, issuerCert, ocspResp.Certificate)
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber) require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
// Test OCSP Get request for ocsp // Test OCSP Get request for ocsp
@ -463,7 +461,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
require.NoError(t, err, "parsing ocsp get response") require.NoError(t, err, "parsing ocsp get response")
require.Equal(t, ocsp.Revoked, ocspResp.Status) require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, issuerCert, ocspResp.Certificate)
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber) require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
} }
@ -527,7 +524,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
require.Equal(t, ocsp.Good, ocspResp.Status) require.Equal(t, ocsp.Good, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash) require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason) require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber) require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
@ -552,7 +548,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
require.Equal(t, ocsp.Revoked, ocspResp.Status) require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash) require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason) require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber) require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
@ -572,7 +567,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
require.Equal(t, ocsp.Good, ocspResp.Status) require.Equal(t, ocsp.Good, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash) require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer2, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason) require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber) require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)

3
changelog/20201.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate.
```