Documentation
Overview
Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing. It also provides a basic OCSP responder stack for serving pre-signed OCSP responses.
Package ocsp implements an OCSP responder based on a generic storage backend. It provides a couple of sample implementations. Because OCSP responders handle high query volumes, we have to be careful about how much logging we do. Error-level logs are reserved for problems internal to the server that can be fixed by an administrator. Any type of incorrect input from a user should be logged at Info or below. For things that are logged on every request, Debug is the appropriate level.
Index
Constants
This section is empty.
Variables
var StatusCode = map[string]int{
	"good":    ocsp.Good,
	"revoked": ocsp.Revoked,
	"unknown": ocsp.Unknown,
}
StatusCode is a map between string statuses sent by cli/api to ocsp int statuses
Functions
func ReasonStringToCode
ReasonStringToCode tries to convert a reason string to an integer code
Types
type DBSource
DBSource represents a source of OCSP responses backed by the certdb package.
func (DBSource) Response
Response implements cfssl.ocsp.responder.Source, which returns the OCSP response in the Database for the given request with the expiration date furthest in the future. Response also returns a bool that is false if there were any errors obtaining the OCSP response and/or no OCSP response is present in the DB for the given request. Response will return a true bool if the byte array returned is a valid OCSP response.
type InMemorySource
An InMemorySource is a map from serialNumber -> der(response)
func (InMemorySource) Response
func (src InMemorySource) Response(request *ocsp.Request) (response []byte, present bool)
Response looks up an OCSP response to provide for a given request. InMemorySource looks up a response purely based on serial number, without regard to what issuer the request is asking for.
type Responder
type Responder struct {
	Source Source
	// contains filtered or unexported fields
}
A Responder object provides the HTTP logic to expose a Source of OCSP responses.
func NewResponder
NewResponder instantiates a Responder with the given Source.
func (Responder) ServeHTTP
func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)
A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.
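The path-canonicalization problem described in the note above can be reproduced with the standard library alone. The following is an added example, not code from the cfssl ocsp package: decodeGET is a hypothetical stand-in for the Responder's GET decoding step (it base64-decodes the remaining URL path and echoes the bytes, with no OCSP parsing), constructedRequest is a constructed byte string chosen so that its base64 form contains a run of '/' characters, and "/ocsp/" is an assumed base path. WithStripPrefix wires the handler the documented way; WithServeMux mounts it behind http.NewServeMux, which collapses the repeated '/' and redirects, so the original base64 never reaches the handler.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// constructedRequest stands in for a DER-encoded OCSP request. It is
// constructed for this example (not a real request) so that its base64 form,
// "MP///wIBAQ==", contains a run of '/' characters.
var constructedRequest = []byte{0x30, 0xff, 0xff, 0xff, 0x02, 0x01, 0x01}

// getPath builds the URL path a client uses for an OCSP GET: the base64 DER
// request appended to the responder's base URL (assumed here to be "/ocsp/").
func getPath(der []byte) string {
	return "/ocsp/" + base64.StdEncoding.EncodeToString(der)
}

// decodeGET is a hypothetical stand-in for the Responder's GET decoding step:
// after http.StripPrefix has removed the base path, what remains of the URL
// path is the base64 request. It echoes the decoded DER so callers can verify
// that it survived the trip. No OCSP parsing is done here.
func decodeGET(w http.ResponseWriter, r *http.Request) {
	der, err := base64.StdEncoding.DecodeString(r.URL.Path)
	if err != nil {
		// Bad client input: per the package's logging guidance this is an
		// Info/Debug-level event, not an Error-level one.
		http.Error(w, "malformed OCSP GET request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	w.Write(der)
}

// serve sends one GET for path through handler and returns status and body.
func serve(handler http.Handler, path string) (int, []byte) {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.Bytes()
}

// WithStripPrefix is the documented wiring: StripPrefix only, no ServeMux.
// The '/' characters inside the base64 reach decodeGET untouched.
func WithStripPrefix() (int, []byte) {
	h := http.StripPrefix("/ocsp/", http.HandlerFunc(decodeGET))
	return serve(h, getPath(constructedRequest))
}

// WithServeMux is the anti-pattern the doc warns about: ServeMux cleans the
// path first, collapsing "///" to "/", and answers with a 301 redirect to the
// cleaned path, so the handler never sees the original base64.
func WithServeMux() (int, []byte) {
	mux := http.NewServeMux()
	mux.Handle("/ocsp/", http.StripPrefix("/ocsp/", http.HandlerFunc(decodeGET)))
	return serve(mux, getPath(constructedRequest))
}

func main() {
	code, body := WithStripPrefix()
	fmt.Printf("StripPrefix only: status %d, decoded %x\n", code, body)
	code, _ = WithServeMux()
	fmt.Printf("behind ServeMux:  status %d (redirect to a canonicalized path)\n", code)
}
```

A client following the redirect would resubmit a request whose base64 no longer decodes to the original DER, so the responder would answer with an error (or, worse, an unrelated lookup) for a perfectly valid query; mounting the Responder directly on the server, or behind a mux that does not clean paths, avoids this.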
type SignRequest
type SignRequest struct {
	Certificate *x509.Certificate
	Status      string
	Reason      int
	RevokedAt   time.Time
	Extensions  []pkix.Extension
	// IssuerHash is the hashing function used to hash the issuer subject and public key
	// in the OCSP response. Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384,
	// and crypto.SHA512. If zero, the default is crypto.SHA1.
	IssuerHash crypto.Hash
}
SignRequest represents the desired contents of a specific OCSP response.
type Signer
type Signer interface {
	Sign(req SignRequest) ([]byte, error)
}
Signer represents a general signer of OCSP responses. It is responsible for populating all fields in the OCSP response that are not reflected in the SignRequest.
type Source
Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle.
func NewDBSource
NewDBSource creates a new DBSource type with an associated dbAccessor.
func NewSourceFromFile
NewSourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.
type StandardSigner
type StandardSigner struct {
	// contains filtered or unexported fields
}
StandardSigner is the default concrete type of OCSP signer. It represents a single responder (represented by a key and certificate) speaking for a single issuer (certificate). It is assumed that OCSP responses are issued at a regular interval, which is used to compute the nextUpdate value based on the current time.
func (StandardSigner) Sign
func (s StandardSigner) Sign(req SignRequest) ([]byte, error)
Sign is used with an OCSP signer to request the issuance of an OCSP response.