
OCSP.verify_response() does not validate certificate status #13

@lnagel

Description

Summary

The OCSP.verify_response() method in pyasice/ocsp.py has critical validation gaps that can allow invalid, revoked, or unrelated certificates to pass OCSP verification.

Current Behavior

The method currently validates:

  1. ✅ response_status == "successful" (OCSP server processed the request)
  2. ✅ Signature algorithm is sha256_rsa or sha1_rsa
  3. ✅ OCSP response signature is cryptographically valid (using embedded responder certificate)

Missing Validations

The following critical checks are not performed:

Certificate Status (cert_status) - CRITICAL

The code checks response_status (whether the OCSP server processed the request successfully), but does not check cert_status (the actual revocation status of the certificate).

# Current code (line 124-126):
ocsp_status = ocsp_response["response_status"].native
if ocsp_status != "successful":
    raise OCSPError("OCSP validation failed: certificate is %s" % ocsp_status)

The response_status can be successful while cert_status is:

  • good - Certificate is valid ✅
  • revoked - Certificate has been revoked ❌
  • unknown - OCSP responder has no information about this certificate ❌

Impact: A revoked certificate or a certificate unknown to the OCSP responder will pass validation.

Environment

  • pyasice version: 1.2.0
  • Python: 3.12
  • asn1crypto: latest

References

  • RFC 6960 - OCSP - Section 3.2 describes response validation requirements
  • The existing comment in code (line 117-119) acknowledging incomplete verification
