ocsp: remove error for > 1 certificate in response

Some OCSP responders contain more than one certificate, which can be
used to "help the OCSP client verify the responder's signature" (RFC
6960 section 4.2.1).  This client doesn't do verification of the chain
to the root, but it's not an error for a responder to send more than
one.

Fixes golang/go#21527

Change-Id: Ie23cfcb347a4f7cdfb1a0cbad2aa03a1242553af
Reviewed-on: https://go-review.googlesource.com/57510
Reviewed-by: Adam Langley <agl@golang.org>
diff --git a/ocsp/ocsp.go b/ocsp/ocsp.go
index 589dfd3..5edc9c9 100644
--- a/ocsp/ocsp.go
+++ b/ocsp/ocsp.go
@@ -488,10 +488,6 @@
 		return nil, err
 	}
 
-	if len(basicResp.Certificates) > 1 {
-		return nil, ParseError("OCSP response contains bad number of certificates")
-	}
-
 	if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 {
 		return nil, ParseError("OCSP response contains bad number of responses")
 	}
@@ -544,6 +540,13 @@
 	}
 
 	if len(basicResp.Certificates) > 0 {
+		// Responders should only send a single certificate (if they
+		// send any) that connects the responder's certificate to the
+		// original issuer. We accept responses with multiple
+		// certificates due to a number responders sending them[1], but
+		// ignore all but the first.
+		//
+		// [1] https://github.com/golang/go/issues/21527
 		ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes)
 		if err != nil {
 			return nil, err
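Review bot: the added comment and the unchanged `basicResp.Certificates[0].FullBytes` line both assume the responder's own certificate is the first element of certs, but RFC 6960 places no ordering requirement on that field, so a responder that lists its chain issuer-first will have the wrong certificate stored in ret.Certificate and any verification done with it will fail for a conforming response. Consider selecting the certificate that matches the ResponderID carried in the response rather than position 0, or at minimum wording the comment so the first-element assumption is described as a heuristic rather than as what responders "should" send. Also a typo in the new comment: "due to a number responders sending them" should read "due to a number of responders sending them".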