ocsp

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 3, 2016 License: BSD-3-Clause, Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses are signed messages attesting to the validity of a certificate for a small period of time. This is used to manage revocation for X.509 certificates.

Index

Constants

View Source
const (
	// Good means that the certificate is valid.
	Good = iota
	// Revoked means that the certificate has been deliberately revoked.
	Revoked = iota
	// Unknown means that the OCSP responder doesn't know about the certificate.
	Unknown = iota
	// ServerFailed means that the OCSP responder failed to process the request.
	ServerFailed = iota
)

The status values that can be expressed in OCSP. See RFC 6960.

View Source
const (
	Unspecified          = iota
	KeyCompromise        = iota
	CACompromise         = iota
	AffiliationChanged   = iota
	Superseded           = iota
	CessationOfOperation = iota
	CertificateHold      = iota

	RemoveFromCRL      = iota
	PrivilegeWithdrawn = iota
	AACompromise       = iota
)

The enumerated reasons for revoking a certificate. See RFC 5280.

Variables

View Source
var (
	MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01}
	InternalErrorErrorResponse    = []byte{0x30, 0x03, 0x0A, 0x01, 0x02}
	TryLaterErrorResponse         = []byte{0x30, 0x03, 0x0A, 0x01, 0x03}
	SigRequredErrorResponse       = []byte{0x30, 0x03, 0x0A, 0x01, 0x05}
	UnauthorizedErrorResponse     = []byte{0x30, 0x03, 0x0A, 0x01, 0x06}
)

These are pre-serialized error responses for the various non-success codes defined by OCSP. The Unauthorized code in particular can be used by an OCSP responder that supports only pre-signed responses as a response to requests for certificates with unknown status. See RFC 5019.

Functions

func CreateRequest

func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error)

CreateRequest returns a DER-encoded, OCSP request for the status of cert. If opts is nil then sensible defaults are used.

func CreateResponse

func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error)

CreateResponse returns a DER-encoded OCSP response with the specified contents. The fields in the response are populated as follows:

The responder cert is used to populate the ResponderName field, and the certificate itself is provided alongside the OCSP response signature.

The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields. (SHA-1 is used for the hash function; this is not configurable.)

The template is used to populate the SerialNumber, RevocationStatus, RevokedAt, RevocationReason, ThisUpdate, and NextUpdate fields.

The ProducedAt date is automatically set to the current date, to the nearest minute.

Types

type ParseError

type ParseError string

ParseError results from an invalid OCSP response.

func (ParseError) Error

func (p ParseError) Error() string

type Request

type Request struct {
	HashAlgorithm  crypto.Hash
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

Request represents an OCSP request. See RFC 2560.

func ParseRequest

func ParseRequest(bytes []byte) (*Request, error)

ParseRequest parses an OCSP request in DER form. It only supports requests for a single certificate. Signed requests are not supported. If a request includes a signature, it will result in a ParseError.

type RequestOptions

type RequestOptions struct {
	// Hash contains the hash function that should be used when
	// constructing the OCSP request. If zero, SHA-1 will be used.
	Hash crypto.Hash
}

RequestOptions contains options for constructing OCSP requests.

type Response

type Response struct {
	// Status is one of {Good, Revoked, Unknown, ServerFailed}
	Status                                        int
	SerialNumber                                  *big.Int
	ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
	RevocationReason                              int
	Certificate                                   *x509.Certificate
	// TBSResponseData contains the raw bytes of the signed response. If
	// Certificate is nil then this can be used to verify Signature.
	TBSResponseData    []byte
	Signature          []byte
	SignatureAlgorithm x509.SignatureAlgorithm
}

Response represents an OCSP response. See RFC 2560.

func ParseResponse

func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error)

ParseResponse parses an OCSP response in DER form. It only supports responses for a single certificate. If the response contains a certificate then the signature over the response is checked. If issuer is not nil then it will be used to validate the signature or embedded certificate. Invalid signatures or parse failures will result in a ParseError.

func (*Response) CheckSignatureFrom

func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error

CheckSignatureFrom checks that the signature in resp is a valid signature from issuer. This should only be used if resp.Certificate is nil. Otherwise, the OCSP response contained an intermediate certificate that created the signature. That signature is checked by ParseResponse and only resp.Certificate remains to be validated.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL