@@ -134,30 +134,11 @@ private void VerifyOcspResponse(BasicOcspResp basicResponse,
134134 if ( responseCertificates . Length < 1 )
135135 {
136136 throw new UserCertificateOcspCheckFailedException ( "OCSP response must contain the responder certificate, but none was provided" ) ;
137- }
138-
139- // Validate responder certificates. At least one must be valid.
140- Org . BouncyCastle . X509 . X509Certificate responderCert = null ;
141- Exception lastValidationException = null ;
142- foreach ( var cert in responseCertificates )
143- {
144- try
145- {
146- OcspResponseValidator . ValidateResponseSignature ( basicResponse , cert ) ;
147- responderCert = cert ;
148- lastValidationException = null ;
149- break ;
150- }
151- catch ( UserCertificateOcspCheckFailedException ex )
152- {
153- lastValidationException = ex ;
154- }
155- }
156-
157- // If validation of all certificates failed, throw the last validation exception.
158- if ( lastValidationException != null )
159- {
160- throw lastValidationException ;
137+ // The first certificate is the responder certificate. Any subsequent certificates, if provided, represent the
138+ // certificate chain, which we already possess via the configured trusted CA certificates.
139+ // Thus, the chain doesn't require validation, only the responder certificate does.
140+ var responderCert = basicResponse . GetCerts ( ) [ 0 ] ;
141+ OcspResponseValidator . ValidateResponseSignature ( basicResponse , responderCert ) ;
161142 }
162143
163144 // 3. The identity of the signer matches the intended recipient of the
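Review bot: The new `var responderCert = basicResponse.GetCerts()[0];` line re-parses the certificate list instead of using the `responseCertificates` array the emptiness check on the line above was performed on; use `var responderCert = responseCertificates[0];` so the check and the index refer to the same array. More importantly, the new comment asserts that the first certificate is the responder certificate, but RFC 6960 does not prescribe an order for the `certs` field, so a valid response whose signer is not listed first will now fail where the removed loop accepted it; selecting the candidate by matching the response's ResponderID (`basicResponse.ResponderId`, compared against each candidate's subject name or key hash) would be robust where position is only a convention. Also, verifying the signature against a certificate embedded in the response proves only that the response is self-consistent, not that the signer is trusted — the responder certificate still has to chain to the configured trusted CA (or carry id-kp-OCSPSigning issued by the certificate's issuer), and since the numbered step starting at the last context line continues outside the hunk I cannot confirm that check from here. I would at least soften the comment to `// By convention the responder certificate is listed first; the signature check below fails if it is not.` and, if the trust check lives in a later step, say so there rather than stating the chain needs no validation.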