From e85b77dc1480752cec28ea5672bf3f2a7686af87 Mon Sep 17 00:00:00 2001
From: Florian Bauer
Date: Mon, 19 May 2025 19:01:23 +0200
Subject: [PATCH] fix: check if responder certificate is issued by cacertificate; fail otherwise

Signed-off-by: Florian Bauer
---
 main.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/main.go b/main.go
index 92e82e3..71fda29 100644
--- a/main.go
+++ b/main.go
@@ -119,6 +119,10 @@ func main() {
 log.Fatalf("failed to parse ca certificate: %v", loadCaCertificateError)
 }

+ if !bytes.Equal(caCertificate.RawSubject, responderKeyPair.Leaf.RawIssuer) {
+ log.Fatalf("responder certificate issuer does not match ca certificate subject; %+q != %+q", caCertificate.Subject.String(), responderKeyPair.Leaf.Issuer.String())
+ }
+
 source := ocsp_source.NewCrlSource(caCertificate, responderKeyPair)

 crl := &x509.RevocationList{}
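Review bot: The added `bytes.Equal(caCertificate.RawSubject, responderKeyPair.Leaf.RawIssuer)` check compares only the encoded names, so a responder certificate that carries the same issuer DN but was signed by a different key still passes and would be handed to `NewCrlSource`. Follow the name comparison with a signature check, `if err := responderKeyPair.Leaf.CheckSignatureFrom(caCertificate); err != nil { log.Fatalf("responder certificate is not signed by ca certificate: %v", err) }`, and consider also requiring `x509.ExtKeyUsageOCSPSigning` in `Leaf.ExtKeyUsage` if the responder is meant to be a delegated one. `responderKeyPair.Leaf` is dereferenced without a nil check; how the key pair is loaded is outside the hunk, and if it comes from `tls.X509KeyPair` on a Go version before 1.23 `Leaf` is left nil, so confirm it is populated before this line. main's body starts and continues outside the hunk.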