Skip to content

Commit

Permalink
backport of commit 249c472 (#20202)
Browse files Browse the repository at this point in the history
Co-authored-by: Alexander Scheel <[email protected]>
  • Loading branch information
1 parent 3f19f6c commit c9e7034
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 7 deletions.
8 changes: 7 additions & 1 deletion builtin/logical/pki/path_ocsp.go
Original file line number Diff line number Diff line change
Expand Up @@ -417,13 +417,19 @@ func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocsp
revSigAlg = x509.SHA512WithRSA
}

// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
// Certificate any more on the response to help Go based OCSP clients.
// This was technically unnecessary, as the Certificate given here
// both signed the OCSP response and issued the leaf cert, and so
// should already be trusted by the client.
//
// See also: https://github.com/golang/go/issues/59641
template := ocsp.Response{
IssuerHash: reqHash,
Status: info.ocspStatus,
SerialNumber: info.serialNumber,
ThisUpdate: curTime,
NextUpdate: curTime.Add(duration),
Certificate: caBundle.Certificate,
ExtraExtensions: []pkix.Extension{},
SignatureAlgorithm: revSigAlg,
}
Expand Down
6 changes: 0 additions & 6 deletions builtin/logical/pki/path_ocsp_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -359,7 +359,6 @@ func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
require.Equal(t, rotatedCert, ocspResp.Certificate)

requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
Expand Down Expand Up @@ -436,7 +435,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
require.NoError(t, err, "parsing ocsp get response")

require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, issuerCert, ocspResp.Certificate)
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)

// Test OCSP Get request for ocsp
Expand All @@ -457,7 +455,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
require.NoError(t, err, "parsing ocsp get response")

require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, issuerCert, ocspResp.Certificate)
require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
}

Expand Down Expand Up @@ -521,7 +518,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe

require.Equal(t, ocsp.Good, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)

Expand All @@ -546,7 +542,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe

require.Equal(t, ocsp.Revoked, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)

Expand All @@ -566,7 +561,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe

require.Equal(t, ocsp.Good, ocspResp.Status)
require.Equal(t, requestHash, ocspResp.IssuerHash)
require.Equal(t, testEnv.issuer2, ocspResp.Certificate)
require.Equal(t, 0, ocspResp.RevocationReason)
require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)

Expand Down
3 changes: 3 additions & 0 deletions changelog/20201.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate.
```

0 comments on commit c9e7034

Please sign in to comment.