Backport of Add fix for Go x/crypto/ocsp failure case into release/1.13.x

[hc-github-team-secure-vault-core]

Backport

This PR is auto-generated from #20181 to be assessed for backporting due to the inclusion of the label backport/1.13.x.

The below text is copied from the body of the original PR.

---

When calling ocsp.ParseRequest(req, issue) with a non-nil issuer on a ocsp request which unknowingly contains an entry in the BasicOCSPResponse's certs field, Go incorrectly assumes that the issuer is a direct parent of the first certificate in the certs field, discarding the rest.

As documented in the Go issue, this is not a valid assumption and thus causes OCSP verification to fail in Vault with an error like:

bad OCSP signature: crypto/rsa: verification error

which ultimately leads to a cert auth login error of:

no chain matching all constraints could be found for this login certificate

We address this by using the unsafe issuer=nil argument, taking on the task of validating the OCSP response's signature as best we can in the absence of full chain information on either side (both the trusted certificate whose OCSP response we're verifying and the lack of any additional certs the OCSP responder may have sent).

See also: golang/go#59641

---

Overview of commits

• 17a2827