Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove extraneous certificate from OCSP response #20201

Merged
merged 2 commits into from
Apr 17, 2023
Merged

Remove extraneous certificate from OCSP response #20201

merged 2 commits into from
Apr 17, 2023

Conversation

cipherboy
Copy link
Contributor

@cipherboy cipherboy commented Apr 17, 2023
edited
Loading

Since the issuer used to sign the certificate also signs the OCSP response, no additional information is added by sending the issuer again in the certs field of the BasicOCSPResponse structure. Removing it saves bytes and avoids confusing Go-based OCSP verifiers which cannot handle the cert issuer being duplicated in the certs field.

This complements #20181; if anyone uses a different cluster for Vault PKI from Cert Auth and are running Vault 1.12.x, they could update that cluster to a future 1.12 Vault release, instead of (or in addition to) updating the cluster running Cert Auth to a newer 1.13 version. This additionally improves compatibility with any other Go OCSP validation that may be occurring (e.g., Snowflake or others as reported on the upstream Go issue).

As another justification, note that when validating under cross-signed pairs, if we provision this certificate without including both cross-signed pairs, we're essentially gambling as to which one the (OCSP) client is validating under since they're otherwise equivalent.

@cipherboy
Remove extraneous certificate from OCSP response
0562eae 
Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy added this to the 1.14 milestone Apr 17, 2023
@cipherboy cipherboy requested review from kitography, stevendpclark and a team April 17, 2023 16:12
@cipherboy
Add changelog entry
3fbe110 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy enabled auto-merge (squash) April 17, 2023 16:39
@cipherboy cipherboy merged commit 249c472 into main Apr 17, 2023
This was referenced Apr 17, 2023
Merged
Merged
@cipherboy cipherboy deleted the cipherboy-remove-issuers-from-ocsp-response branch April 21, 2023 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

@kitography kitography Awaiting requested review from kitography

Assignees
No one assigned
Labels
enhancement secret/pki
Projects
None yet
Milestone
1.14
Development

Successfully merging this pull request may close these issues.
2 participants
@cipherboy @stevendpclark