Documentation ¶
Overview ¶
Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing. It also provies a basic OCSP responder stack for serving pre-signed OCSP responses.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var StatusCode = map[string]int{ "good": ocsp.Good, "revoked": ocsp.Revoked, "unknown": ocsp.Unknown, }
StatusCode is a map between string statuses sent by cli/api to ocsp int statuses
Functions ¶
func ReasonStringToCode ¶
ReasonStringToCode tries to convert a reason string to an integer code
Types ¶
type InMemorySource ¶
An InMemorySource is a map from serialNumber -> der(response)
func (InMemorySource) Response ¶
func (src InMemorySource) Response(request *ocsp.Request) (response []byte, present bool)
Response looks up an OCSP response to provide for a given request. InMemorySource looks up a response purely based on serial number, without regard to what issuer the request is asking for.
type Responder ¶
type Responder struct { Source Source // contains filtered or unexported fields }
A Responder object provides the HTTP logic to expose a Source of OCSP responses.
func NewResponder ¶
NewResponder instantiates a Responder with the give Source.
func (Responder) ServeHTTP ¶
func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)
A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.
type SignRequest ¶
type SignRequest struct { Certificate *x509.Certificate Status string Reason int RevokedAt time.Time Extensions []pkix.Extension }
SignRequest represents the desired contents of a specific OCSP response.
type Signer ¶
type Signer interface {
Sign(req SignRequest) ([]byte, error)
}
Signer represents a general signer of OCSP responses. It is responsible for populating all fields in the OCSP response that are not reflected in the SignRequest.
type Source ¶
Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle.
func NewSourceFromFile ¶
NewSourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.
type StandardSigner ¶
type StandardSigner struct {
// contains filtered or unexported fields
}
StandardSigner is the default concrete type of OCSP signer. It represents a single responder (represented by a key and certificate) speaking for a single issuer (certificate). It is assumed that OCSP responses are issued at a regular interval, which is used to compute the nextUpdate value based on the current time.
func (StandardSigner) Sign ¶
func (s StandardSigner) Sign(req SignRequest) ([]byte, error)
Sign is used with an OCSP signer to request the issuance of an OCSP response.
Directories ¶
Path | Synopsis |
---|---|
Package config in the ocsp directory provides configuration data for an OCSP signer.
|
Package config in the ocsp directory provides configuration data for an OCSP signer. |
Package pkcs11 in the ocsp directory provides a way to construct a PKCS#11-based OCSP signer.
|
Package pkcs11 in the ocsp directory provides a way to construct a PKCS#11-based OCSP signer. |