Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks
SignedDataVerifier attempts to perform online revocation checking when enable_online_checks=True, but its OCSP validation logic accepts stale GOOD responses as valid indefinitely. In appstoreserverlibrary/signed_data_verifier.py, _ChainVerifier.check_ocsp_status() verifies the OCSP response signature and CertID match, but never validates the freshness window carried by producedAt, thisUpdate, or nextUpdate. As a result, a previously valid signed OCSP GOOD response can be replayed after it is expired, and the library will still treat the certificate as …