Closed RufusJWB closed 2 years ago
I suspect that my Go code is tripping over the invalidly-encoded Key Usage extension when it parses the certificate, just as some of the linters do. See https://crt.sh/?id=4995198001&opt=ocsp,zlint,cablint,x509lint
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1718991
I think I would have to fork the crypto/x509 library if I was going to attempt to implement a workaround. I'm not minded to do that.
I understand that. As a work-around, you could parse the err variable and print a more descriptive error message. Currently it looks as if there is a problem with the OCSP responder, when in fact the problem comes from parsing the certificate. What do you think?
I prepared a pull request to improve the error messages: https://github.com/crtsh/libocsppq/pull/1
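An added example (not code from libocsppq or from either participant) of the split RufusJWB suggests: parse the certificate before anything else and tag decoding failures with their own error type, so the message points at the certificate rather than at the OCSP responder. `checkOCSPStatus` and `CertParseError` are hypothetical names, the responder query is a stand-in callback, and the malformed Key Usage value is constructed here (a BIT STRING declaring 9 unused bits); it is not the encoding of the certificate in the crt.sh link.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CertParseError marks a decoding failure in the certificate itself, raised before any OCSP request is built.
type CertParseError struct{ Err error }

func (e *CertParseError) Error() string { return "certificate could not be parsed (OCSP responder not contacted): " + e.Err.Error() }

// checkOCSPStatus (hypothetical name) parses first and wraps decoding failures; the callback stands in for the OCSP query.
func checkOCSPStatus(certDER []byte, query func(*x509.Certificate) error) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return &CertParseError{Err: err}
	}
	return query(cert)
}

// certWithKeyUsage builds a self-signed certificate (constructed test data) whose raw Key Usage value is kuDER.
func certWithKeyUsage(kuDER []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		// CreateCertificate copies ExtraExtensions in verbatim, so an invalid id-ce-keyUsage (2.5.29.15) gets through.
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: kuDER}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := certWithKeyUsage([]byte{0x03, 0x02, 0x09, 0x80}) // BIT STRING declaring 9 unused bits (DER max is 7)
	fmt.Println(checkOCSPStatus(der, func(*x509.Certificate) error { return nil }))
}
```

With the malformed value the message names the certificate and the responder is never contacted; with a well-formed Key Usage (for example `03 02 05 a0`) the parse succeeds and any responder error is passed through unchanged.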
When I check https://crt.sh/?id=4995198001&opt=ocsp the web GUI says:
If I check the OCSP responder with OpenSSL everything looks good:
Manually decoding the OCSP response (see ocspResp.zip) also looks fine. Any idea what the problem might be?