Remove extraneous certificate from OCSP response (#20201)
* Remove extraneous certificate from OCSP response Since the issuer that signed the certificate also signs the OCSP response, no additional information is added by sending the issuer again in the certs field of the BasicOCSPResponse structure. Removing it saves bytes and avoids confusing Go-based OCSP verifiers, which cannot handle the cert issuer being duplicated in the certs field. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
parent
dfbd9091b0
commit
4190212bbb
|
@ -499,13 +499,19 @@ func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocsp
|
||||||
revSigAlg = x509.SHA512WithRSA
|
revSigAlg = x509.SHA512WithRSA
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
|
||||||
|
// Certificate any more on the response to help Go based OCSP clients.
|
||||||
|
// This was technically unnecessary, as the Certificate given here
|
||||||
|
// both signed the OCSP response and issued the leaf cert, and so
|
||||||
|
// should already be trusted by the client.
|
||||||
|
//
|
||||||
|
// See also: https://github.com/golang/go/issues/59641
|
||||||
template := ocsp.Response{
|
template := ocsp.Response{
|
||||||
IssuerHash: reqHash,
|
IssuerHash: reqHash,
|
||||||
Status: info.ocspStatus,
|
Status: info.ocspStatus,
|
||||||
SerialNumber: info.serialNumber,
|
SerialNumber: info.serialNumber,
|
||||||
ThisUpdate: curTime,
|
ThisUpdate: curTime,
|
||||||
NextUpdate: curTime.Add(duration),
|
NextUpdate: curTime.Add(duration),
|
||||||
Certificate: caBundle.Certificate,
|
|
||||||
ExtraExtensions: []pkix.Extension{},
|
ExtraExtensions: []pkix.Extension{},
|
||||||
SignatureAlgorithm: revSigAlg,
|
SignatureAlgorithm: revSigAlg,
|
||||||
}
|
}
|
||||||
|
|
|
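Review bot: The new comment above `template := ocsp.Response{` explains why `Certificate` is dropped but not what that costs verifiers: with the certs field empty, a client can only check the response signature if it already holds the issuer — if I read golang.org/x/crypto/ocsp correctly, `ParseResponse(resp, nil)` then returns the parsed response without any signature verification, while `ParseResponseForCert(resp, cert, issuer)` checks it against the supplied issuer. I would add one sentence to the comment, e.g. `// Clients must supply the issuer to verify the response signature; there is no embedded signer certificate to fall back on.`. The first sentence of the comment also reads awkwardly ("we do not provision Certificate any more on the response"); `// we no longer include the signing certificate in the response's certs field, to help Go-based OCSP clients.` says the same more plainly. The test hunks that delete `require.Equal(t, ..., ocspResp.Certificate)` could replace the assertion with `require.Nil(t, ocspResp.Certificate)` so the new response shape is pinned rather than left unchecked. genResponse starts before this hunk and its body continues after it.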
@ -365,7 +365,6 @@ func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
|
||||||
require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
|
require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
|
||||||
require.Equal(t, 0, ocspResp.RevocationReason)
|
require.Equal(t, 0, ocspResp.RevocationReason)
|
||||||
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
||||||
require.Equal(t, rotatedCert, ocspResp.Certificate)
|
|
||||||
|
|
||||||
requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
|
requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
|
||||||
requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
|
requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
|
||||||
|
@ -442,7 +441,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
|
||||||
require.NoError(t, err, "parsing ocsp get response")
|
require.NoError(t, err, "parsing ocsp get response")
|
||||||
|
|
||||||
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
||||||
require.Equal(t, issuerCert, ocspResp.Certificate)
|
|
||||||
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
|
||||||
|
|
||||||
// Test OCSP Get request for ocsp
|
// Test OCSP Get request for ocsp
|
||||||
|
@ -463,7 +461,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
|
||||||
require.NoError(t, err, "parsing ocsp get response")
|
require.NoError(t, err, "parsing ocsp get response")
|
||||||
|
|
||||||
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
||||||
require.Equal(t, issuerCert, ocspResp.Certificate)
|
|
||||||
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -527,7 +524,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
|
||||||
|
|
||||||
require.Equal(t, ocsp.Good, ocspResp.Status)
|
require.Equal(t, ocsp.Good, ocspResp.Status)
|
||||||
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
||||||
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
|
|
||||||
require.Equal(t, 0, ocspResp.RevocationReason)
|
require.Equal(t, 0, ocspResp.RevocationReason)
|
||||||
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
||||||
|
|
||||||
|
@ -552,7 +548,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
|
||||||
|
|
||||||
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
require.Equal(t, ocsp.Revoked, ocspResp.Status)
|
||||||
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
||||||
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
|
|
||||||
require.Equal(t, 0, ocspResp.RevocationReason)
|
require.Equal(t, 0, ocspResp.RevocationReason)
|
||||||
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
|
||||||
|
|
||||||
|
@ -572,7 +567,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
|
||||||
|
|
||||||
require.Equal(t, ocsp.Good, ocspResp.Status)
|
require.Equal(t, ocsp.Good, ocspResp.Status)
|
||||||
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
require.Equal(t, requestHash, ocspResp.IssuerHash)
|
||||||
require.Equal(t, testEnv.issuer2, ocspResp.Certificate)
|
|
||||||
require.Equal(t, 0, ocspResp.RevocationReason)
|
require.Equal(t, 0, ocspResp.RevocationReason)
|
||||||
require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)
|
require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate.
|
||||||
|
```
|