Dont add the error from validating via issuer signature if the subseq…

…uent verification from extraCas succeeds (#28597) * Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds * changelog
hashicorp · Oct 4, 2024 · bae0072 · bae0072
1 parent aeca0cd
commit bae0072
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/changelog/28597.txt b/changelog/28597.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded.
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -495,15 +495,19 @@ func validateOCSPParsedResponse(ocspRes *ocsp.Response, subject, issuer *x509.Ce
 			var matchedCA *x509.Certificate
 
 			// Assumption 1 failed, try 2
-			if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
-				// Assumption 2 failed, try 3
-				overallErr = multierror.Append(overallErr, err)
-
-				m, err := verifySignature(ocspRes, extraCas)
-				if err != nil {
-					overallErr = multierror.Append(overallErr, err)
+			if sigFromIssuerErr := ocspRes.Certificate.CheckSignatureFrom(issuer); sigFromIssuerErr != nil {
+				if len(extraCas) > 0 {
+					// Assumption 2 failed, try 3
+					m, err := verifySignature(ocspRes, extraCas)
+					if err != nil {
+						overallErr = multierror.Append(overallErr, sigFromIssuerErr)
+						overallErr = multierror.Append(overallErr, err)
+					} else {
+						overallErr = nil
+						matchedCA = m
+					}
 				} else {
-					matchedCA = m
+					overallErr = multierror.Append(overallErr, sigFromIssuerErr)
 				}
 			} else {
 				matchedCA = ocspRes.Certificate