Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds (#28597)

* Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds

* changelog

Author: sgmiller

changelog/28597.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded.
+```

sdk/helper/ocsp/client.go

@@ -495,15 +495,19 @@ func validateOCSPParsedResponse(ocspRes *ocsp.Response, subject, issuer *x509.Ce
 			var matchedCA *x509.Certificate
 
 			// Assumption 1 failed, try 2
-			if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
-				// Assumption 2 failed, try 3
-				overallErr = multierror.Append(overallErr, err)
-
-				m, err := verifySignature(ocspRes, extraCas)
-				if err != nil {
-					overallErr = multierror.Append(overallErr, err)
+			if sigFromIssuerErr := ocspRes.Certificate.CheckSignatureFrom(issuer); sigFromIssuerErr != nil {
+				if len(extraCas) > 0 {
+					// Assumption 2 failed, try 3
+					m, err := verifySignature(ocspRes, extraCas)
+					if err != nil {
+						overallErr = multierror.Append(overallErr, sigFromIssuerErr)
+						overallErr = multierror.Append(overallErr, err)
+					} else {
+						overallErr = nil
+						matchedCA = m
+					}
 				} else {
-					matchedCA = m
+					overallErr = multierror.Append(overallErr, sigFromIssuerErr)
 				}
 			} else {
 				matchedCA = ocspRes.Certificate