From d59ff4a03dac65773b22a85df256ade72fcc179d Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Wed, 23 Jul 2025 21:35:30 -0400
Subject: [PATCH] sunlight: verify that log returns correct issuer data

---
 client.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/client.go b/client.go
index f43db6f..e9d1fa0 100644
--- a/client.go
+++ b/client.go
@@ -253,5 +253,8 @@ func (c *Client) Issuer(ctx context.Context, fp [32]byte) (*x509.Certificate, er
 if err != nil {
 return nil, fmt.Errorf("sunlight: failed to fetch issuer certificate for %x: %w", fp, err)
 }
+ if gotFP := sha256.Sum256(cert); gotFP != fp {
+ return nil, fmt.Errorf("sunlight: log returned wrong issuer %x instead of %x", gotFP, fp)
+ }
 return x509.ParseCertificate(cert)
 }
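Review bot: The new fingerprint check in Issuer reports a mismatch through a plain `fmt.Errorf`, so callers cannot tell a log that served the wrong issuer bytes apart from the fetch failure handled just above it, and retry or alerting logic would presumably treat both the same. Wrapping a package-level sentinel (the name here is only a proposal), e.g. `return nil, fmt.Errorf("sunlight: log returned wrong issuer %x instead of %x: %w", gotFP, fp, ErrIssuerMismatch)`, would let monitors flag the log with `errors.Is`. A short comment above the check would also record the intent: `// fp is the SHA-256 of the DER certificate; recompute it so the log cannot substitute a different issuer.` The start of Issuer lies outside the hunk, so whether the response size is bounded before it is hashed is not visible here.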