leaf, issuers := chain[0], chain[1:]
for _, issuer := range issuers {
// check for revocation of leaf via issuer.OCSPServer
}
The main problem is that OCSPServer is the URI of the OCSP server for that certificate, and by asking issuer.OCSPServer about leaf, we're requesting OCSP responses from the wrong server. We should be checking leaf.OCSPServer in this example instead of issuer.OCSPServer.
The second problem is that the loop makes no sense. One would not expect any OCSP server in a given chain to be authoritative for a given leaf.
If you do certigo connect google.com, you'll see
Certificate has OCSP extension, but was unable to check status:
ocsp: error from server: unauthorized
The "unauthorized" means the OCSP server we asked doesn't know anything about the cert we asked about.
Fixes https://github.com/square/certigo/issues/272. The root of the problem is that we're asking the wrong OCSP servers. The current code does something like:
The main problem is that
OCSPServeris the URI of the OCSP server for that certificate, and by askingissuer.OCSPServeraboutleaf, we're requesting OCSP responses from the wrong server. We should be checkingleaf.OCSPServerin this example instead ofissuer.OCSPServer.The second problem is that the loop makes no sense. One would not expect any OCSP server in a given chain to be authoritative for a given leaf.
If you do certigo connect google.com, you'll see
The "unauthorized" means the OCSP server we asked doesn't know anything about the cert we asked about.