backport of commit bae0072 (#28602)

Co-authored-by: Scott Miller <smiller@hashicorp.com>
hashicorp · Oct 4, 2024 · 92ad805 · 92ad805
1 parent 5edfee5
commit 92ad805
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/changelog/28597.txt b/changelog/28597.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded.
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -495,15 +495,19 @@ func validateOCSPParsedResponse(ocspRes *ocsp.Response, subject, issuer *x509.Ce
 			var matchedCA *x509.Certificate
 
 			// Assumption 1 failed, try 2
-			if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
-				// Assumption 2 failed, try 3
-				overallErr = multierror.Append(overallErr, err)
-
-				m, err := verifySignature(ocspRes, extraCas)
-				if err != nil {
-					overallErr = multierror.Append(overallErr, err)
+			if sigFromIssuerErr := ocspRes.Certificate.CheckSignatureFrom(issuer); sigFromIssuerErr != nil {
+				if len(extraCas) > 0 {
+					// Assumption 2 failed, try 3
+					m, err := verifySignature(ocspRes, extraCas)
+					if err != nil {
+						overallErr = multierror.Append(overallErr, sigFromIssuerErr)
+						overallErr = multierror.Append(overallErr, err)
+					} else {
+						overallErr = nil
+						matchedCA = m
+					}
 				} else {
-					matchedCA = m
+					overallErr = multierror.Append(overallErr, sigFromIssuerErr)
 				}
 			} else {
 				matchedCA = ocspRes.Certificate