scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds (#28597)

Browse Source 
* Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds

* changelog
This commit is contained in:
Scott Miller
2024-10-04 13:59:40 -05:00
committed by GitHub
parent aeca0cdee6
commit bae00721d2
2 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/28597.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded.
```

10
sdk/helper/ocsp/client.go
View File

@@ -495,16 +495,20 @@ func validateOCSPParsedResponse(ocspRes *ocsp.Response, subject, issuer *x509.Ce
var matchedCA *x509.Certificate
// Assumption 1 failed, try 2
if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
if sigFromIssuerErr := ocspRes.Certificate.CheckSignatureFrom(issuer); sigFromIssuerErr != nil {
if len(extraCas) > 0 {
// Assumption 2 failed, try 3
overallErr = multierror.Append(overallErr, err)
m, err := verifySignature(ocspRes, extraCas)
if err != nil {
overallErr = multierror.Append(overallErr, sigFromIssuerErr)
overallErr = multierror.Append(overallErr, err)
} else {
overallErr = nil
matchedCA = m
}
} else {
overallErr = multierror.Append(overallErr, sigFromIssuerErr)
}
} else {
matchedCA = ocspRes.Certificate
}