Return the proper serial number in OCSP verification errors (#27696)

* Return the proper serial number in OCSP verification errors

 - We returned the issuer's certificate number instead of the serial
   number of the actual certificate we validated from an OCSP request.

 - The problematic serial number within the error are never shown
   currently in Vault. The only user of this library is cert-auth
   which swallows errors around revoked certificates and returns
   a boolean false instead of the actual error message.

* Add cl

* Use previously formatted serial in error msg

builtin/logical/pki/integration_test.go

@@ -718,6 +718,7 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
 
 		err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf)
 		require.Error(t, err)
+		require.Contains(t, err.Error(), serialNumber, "Expected revoked serial number to appear in err")
 	}
 }
 

changelog/27696.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: Use subject's serial number, not issuer's within error message text in OCSP request errors
+```

sdk/helper/ocsp/client.go

@@ -702,12 +702,12 @@ func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x50
 	if results.code == ocspStatusGood {
 		return nil
 	} else {
-		serial := issuer.SerialNumber
+		serial := subject.SerialNumber
 		serialHex := strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":"))
 		if results.code == ocspStatusRevoked {
 			return fmt.Errorf("certificate with serial number %s has been revoked", serialHex)
 		} else if conf.OcspFailureMode == FailOpenFalse {
-			return fmt.Errorf("unknown OCSP status for cert with serial number %s", strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":")))
+			return fmt.Errorf("unknown OCSP status for cert with serial number %s", serialHex)
 		} else {
 			c.Logger().Warn("could not validate OCSP status for cert, but continuing in fail open mode", "serial", serialHex)
 		}