Each OCSP response signature is always verified before it is returned. If a signature verification fails, we will respond with a INTERNAL_ERROR.
Since a failure of the signature verification on the client should be very similar to receiving an INTERNAL_ERROR, this seem like a good point to make configurable and save the CPU cycles on the VA.
https://tools.ietf.org/html/rfc6960#section-3.2 bullet 2 clearly specifies that the signature validation is the responsibility of the client.
This option should be documented recommend use in conjunction with regular health-check calls (so a misbehaving HSM is discovered quickly).
A middle ground could be to always check the first signature when an OcspCacheEntry is used after a cache reload. A malfunctioning HSM would be detected fairly quick and most OCSP requests would not waste CPU cycles on the validation. This is probably also acceptable for most setups and there is one less thing to configure.
It would not be a good idea to perform this validation during the cache reload even though it minimizes the work of the path that affect response time, since reload on a system with many signers would put considerable load on the HSM and affect performance of the ongoing responses.
- New boolean flag on OcspCacheEntry to signal if a response using this private key has been verified (default to false / reset during cache reload)
- Avoid response signature check if the flag is set
- First thread that finds it in the false state, sets it to true and then performs signature validation