ocsp: remove error for > 1 certificate in response

Some OCSP responders contain more than one certificate, which can be used to "help the OCSP client verify the responders signature" (RFC 6960 section 4.2.1). This client doesn't do verification of the chain to the root, but it's not an error for a responder to send more than one. Fixes golang/go#21527 Change-Id: Ie23cfcb347a4f7cdfb1a0cbad2aa03a1242553af Reviewed-on: https://go-review.googlesource.com/57510 Reviewed-by: Adam Langley <agl@golang.org>
golang · May 1, 2018 · 80f0338 · 80f0338
1 parent ae8bce0
commit 80f0338
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/ocsp/ocsp.go b/ocsp/ocsp.go
@@ -488,10 +488,6 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
 		return nil, err
 	}
 
-	if len(basicResp.Certificates) > 1 {
-		return nil, ParseError("OCSP response contains bad number of certificates")
-	}
-
 	if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 {
 		return nil, ParseError("OCSP response contains bad number of responses")
 	}
@@ -544,6 +540,13 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
 	}
 
 	if len(basicResp.Certificates) > 0 {
+		// Responders should only send a single certificate (if they
+		// send any) that connects the responder's certificate to the
+		// original issuer. We accept responses with multiple
+		// certificates due to a number responders sending them[1], but
+		// ignore all but the first.
+		//
+		// [1] https://github.com/golang/go/issues/21527
 		ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes)
 		if err != nil {
 			return nil, err