backport of commit 249c472b5b (#20203)

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

builtin/logical/pki/path_ocsp.go

@@ -462,13 +462,19 @@ func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocsp
 		revSigAlg = x509.SHA512WithRSA
 	}
 
+	// Due to a bug in Go's ocsp.ParseResponse(...), we do not provision
+	// Certificate any more on the response to help Go based OCSP clients.
+	// This was technically unnecessary, as the Certificate given here
+	// both signed the OCSP response and issued the leaf cert, and so
+	// should already be trusted by the client.
+	//
+	// See also: https://github.com/golang/go/issues/59641
 	template := ocsp.Response{
 		IssuerHash:         reqHash,
 		Status:             info.ocspStatus,
 		SerialNumber:       info.serialNumber,
 		ThisUpdate:         curTime,
 		NextUpdate:         curTime.Add(duration),
-		Certificate:        caBundle.Certificate,
 		ExtraExtensions:    []pkix.Extension{},
 		SignatureAlgorithm: revSigAlg,
 	}

builtin/logical/pki/path_ocsp_test.go

@@ -359,7 +359,6 @@ func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
 	require.Equal(t, crypto.SHA1, ocspResp.IssuerHash)
 	require.Equal(t, 0, ocspResp.RevocationReason)
 	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
-	require.Equal(t, rotatedCert, ocspResp.Certificate)
 
 	requireOcspSignatureAlgoForKey(t, rotatedCert.SignatureAlgorithm, ocspResp.SignatureAlgorithm)
 	requireOcspResponseSignedBy(t, ocspResp, rotatedCert)
@@ -436,7 +435,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
 	require.NoError(t, err, "parsing ocsp get response")
 
 	require.Equal(t, ocsp.Revoked, ocspResp.Status)
-	require.Equal(t, issuerCert, ocspResp.Certificate)
 	require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
 
 	// Test OCSP Get request for ocsp
@@ -457,7 +455,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
 	require.NoError(t, err, "parsing ocsp get response")
 
 	require.Equal(t, ocsp.Revoked, ocspResp.Status)
-	require.Equal(t, issuerCert, ocspResp.Certificate)
 	require.Equal(t, certToRevoke.SerialNumber, ocspResp.SerialNumber)
 }
 
@@ -521,7 +518,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
 
 	require.Equal(t, ocsp.Good, ocspResp.Status)
 	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
 	require.Equal(t, 0, ocspResp.RevocationReason)
 	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
 
@@ -546,7 +542,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
 
 	require.Equal(t, ocsp.Revoked, ocspResp.Status)
 	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, testEnv.issuer1, ocspResp.Certificate)
 	require.Equal(t, 0, ocspResp.RevocationReason)
 	require.Equal(t, testEnv.leafCertIssuer1.SerialNumber, ocspResp.SerialNumber)
 
@@ -566,7 +561,6 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
 
 	require.Equal(t, ocsp.Good, ocspResp.Status)
 	require.Equal(t, requestHash, ocspResp.IssuerHash)
-	require.Equal(t, testEnv.issuer2, ocspResp.Certificate)
 	require.Equal(t, 0, ocspResp.RevocationReason)
 	require.Equal(t, testEnv.leafCertIssuer2.SerialNumber, ocspResp.SerialNumber)
 

changelog/20201.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate.
+```