fix: check if responder certificate is issued by cacertificate; fail otherwise

Signed-off-by: Florian Bauer <florian@fsrv.xyz>
2025-05-19 19:01:23 +02:00
parent 62886c1d8f
commit e85b77dc14
1 changed files with 4 additions and 0 deletions
--- a/main.go
+++ b/main.go
@@ -119,6 +119,10 @@ func main() {
 		log.Fatalf("failed to parse ca certificate: %v", loadCaCertificateError)
 	}

+	if !bytes.Equal(caCertificate.RawSubject, responderKeyPair.Leaf.RawIssuer) {
+		log.Fatalf("responder certificate issuer does not match ca certificate subject; %+q != %+q", caCertificate.Subject.String(), responderKeyPair.Leaf.Issuer.String())
+	}
+
 	source := ocsp_source.NewCrlSource(caCertificate, responderKeyPair)

 	crl := &x509.RevocationList{}