Fix url encoding for ocsp requests

server/certidp/ocsp_responder.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -55,7 +56,7 @@ func FetchOCSPResponse(link *ChainLink, opts *OCSPPeerConfig, log *Log) ([]byte,
 		return nil, err
 	}
 
-	reqEnc := base64.StdEncoding.EncodeToString(reqDER)
+	reqEnc := encodeOCSPRequest(reqDER)
 
 	responders := *link.OCSPWebEndpoints
 
@@ -68,10 +69,10 @@ func FetchOCSPResponse(link *ChainLink, opts *OCSPPeerConfig, log *Log) ([]byte,
 		Timeout: timeout,
 	}
 	for _, u := range responders {
-		url := u.String()
-		log.Debugf(DbgMakingCARequest, url)
-		url = strings.TrimSuffix(url, "/")
-		raw, err = getRequestBytes(fmt.Sprintf("%s/%s", url, reqEnc), hc)
+		responderURL := u.String()
+		log.Debugf(DbgMakingCARequest, responderURL)
+		responderURL = strings.TrimSuffix(responderURL, "/")
+		raw, err = getRequestBytes(fmt.Sprintf("%s/%s", responderURL, reqEnc), hc)
 		if err == nil {
 			break
 		}
@@ -82,3 +83,10 @@ func FetchOCSPResponse(link *ChainLink, opts *OCSPPeerConfig, log *Log) ([]byte,
 
 	return raw, nil
 }
+
+// encodeOCSPRequest encodes the OCSP request in base64 and URL-encodes it.
+// This is needed to fulfill the OCSP responder's requirements for the request format. (X.690)
+func encodeOCSPRequest(reqDER []byte) string {
+	reqEnc := base64.StdEncoding.EncodeToString(reqDER)
+	return url.QueryEscape(reqEnc)
+}

server/certidp/ocsp_responder_test.go

@@ -0,0 +1,29 @@
+package certidp
+
+import (
+	"encoding/base64"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+func TestEncodeOCSPRequest(t *testing.T) {
+	data := []byte("test data for OCSP request")
+	encoded := encodeOCSPRequest(data)
+
+	if strings.ContainsAny(encoded, "+/=") {
+		t.Errorf("URL contains unescaped characters: %s", encoded)
+	}
+
+	decodedURL, err := url.QueryUnescape(encoded)
+	if err != nil {
+		t.Errorf("failed to url-decode request: %v", err)
+	}
+	decodedData, err := base64.StdEncoding.DecodeString(decodedURL)
+	if err != nil {
+		t.Errorf("failed to base64-decode request: %v", err)
+	}
+	if string(decodedData) != string(data) {
+		t.Errorf("Decoded data does not match original: got %s, want %s", decodedData, data)
+	}
+}