ocsp

package
v0.0.0-...-53fe175 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2020 License: Apache-2.0, ISC, MIT Imports: 9 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	Good = iota
	Revoked
	Unknown
	ServerFailed
)

The certificate status values that can be expressed in OCSP. See RFC 6960. Good means that the certificate is valid. Revoked means that the certificate has been deliberately revoked. Unknown means that the OCSP responder doesn't know about the certificate. ServerFailed is unused and was never used (see https://go-review.googlesource.com/#/c/18944). ParseResponse will return a ResponseError when an error response is parsed.

Variables

This section is empty.

Functions

func CreateRequest 

func CreateRequest(cert *x509.Certificate, issuerKeyHash []byte, issuerNameHash []byte) ([]byte, error)

CreateRequest returns a DER-encoded, OCSP request for the status of cert keyhash and namehash must be computed with SHA-1, use functions above

func GetKeyHashSHA1 

func GetKeyHashSHA1(cert *x509.Certificate) ([]byte, error)

GetKeyHashSHA1 - compute hash of the certificate's public key, using SHA-1

func GetNameHashSHA1 

func GetNameHashSHA1(cert *x509.Certificate) []byte

GetNameHashSHA1 - compute hash of the certificate's subject field, using SHA-1

func ValidateResponse 

func ValidateResponse(resp *Response, basicResp *BasicOCSPResponse, issuer *x509.Certificate) bool

ValidateResponse - Checks to see that the signature on the OCSP resposne is valid From RFC 6960 Section 4.2.2.2: 

The key that signs a certificate's [OCSP Response] need not be the
same key that signed the certificate.  It is necessary, however, to
ensure that the entity signing this information is authorized to do
so.  Therefore, a certificate's issuer MUST do one of the following:
				- sign the OCSP responses itself, or
				- explicitly designate this authority to another entity [delegation certificate]

If a delegation certificate is used, it must be explicitly provided in the OCSP response. We parse this if provided and assign it to resp.ResponseIssuingCertificate

Types

type BasicOCSPResponse 

type BasicOCSPResponse struct {
	TBSResponseData    ResponseData
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
	Certs              []asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

BasicOCSPResponse - ASN1 struct for OCSP Response corresponding to idPKIXOCSPBasic, see RFC 6960 4.2.1

func ParseResponse 

func ParseResponse(bytes []byte) (*BasicOCSPResponse, error)

ParseResponse - Ensures that OCSP response ASN1 is properly formatted, performs basic error checking, then returns BasicResponse type

type CertID 

type CertID struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	NameHash      []byte
	IssuerKeyHash []byte
	SerialNumber  *big.Int
}

CertID - struct for ocsp data request for single cert. See RFC 6960 4.1.1

type PublicKeyInfo 

type PublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

PublicKeyInfo - struct for public key data when creating hash, see GetKeyHash and RFC 6960

type Request 

type Request struct {
	Cert CertID
}

Request - wrapper for single OCSP Request. See RFC 6960 4.1.1.

type RequestASN1 

type RequestASN1 struct {
	TBSRequest TBSRequest
}

RequestASN1 - corresponds to OCSPRequest struct in 4.1.1 of RFC 6960

type Response 

type Response struct {
	// Status is one of {Good, Revoked, Unknown}
	CertificateStatus                             string
	IsRevoked                                     bool // set to true if CertificateStatus is "revoked"
	SerialNumber                                  string
	ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
	RevocationReason                              crl.RevocationReasonCode
	ResponseIssuingCertificate                    *x509.Certificate
	// TBSResponseData contains the raw bytes of the signed response. If
	// Certificate is nil then this can be used to verify Signature.
	TBSResponseData    []byte
	Signature          []byte
	SignatureAlgorithm x509.SignatureAlgorithm
	IsValidSignature   bool

	// IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash.
	// Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512.
	// If zero, the default is crypto.SHA1.
	IssuerHash crypto.Hash

	// RawResponderName optionally contains the DER-encoded subject of the
	// responder certificate. Exactly one of RawResponderName and
	// ResponderKeyHash is set.
	RawResponderName []byte
	// ResponderKeyHash optionally contains the SHA-1 hash of the
	// responder's public key. Exactly one of RawResponderName and
	// ResponderKeyHash is set.
	ResponderKeyHash []byte

	// Extensions contains raw X.509 extensions from the singleExtensions field
	// of the OCSP response. When parsing certificates, this can be used to
	// extract non-critical extensions that are not parsed by this package. When
	// marshaling OCSP responses, the Extensions field is ignored, see
	// ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
	// OCSP response (in the singleExtensions field). Values override any
	// extensions that would otherwise be produced based on the other fields. The
	// ExtraExtensions field is not populated when parsing certificates, see
	// Extensions.
	ExtraExtensions []pkix.Extension
}

Response represents an OCSP response, flattened for easy manipulation of data. DOES NOT CORRESPOND TO TRUE OCSP RESPONSE STRUCTURE. API functions below parse OCSP responses and fill in this data structure for client use.

func ParseResponseForCert 

func ParseResponseForCert(bytes []byte, cert *x509.Certificate, issuer *x509.Certificate) (*Response, error)

ParseResponseForCert parses an OCSP response in DER form and searches for a Response relating to cert. If such a Response is found and the OCSP response contains a certificate then the signature over the response is checked. If issuer is not nil then it will be used to validate the signature or embedded certificate.

Invalid responses and parse failures will result in a ParseError. Error responses will result in a ResponseError.

func (*Response) CheckSignatureFrom 

func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error

CheckSignatureFrom checks that the signature in resp is a valid signature from issuer. This should only be used if resp.Certificate is nil. Otherwise, the OCSP response contained an intermediate certificate that created the signature. That signature is checked by ParseResponse and only resp.Certificate remains to be validated.

type ResponseASN1 

type ResponseASN1 struct {
	ResponseStatus asn1.Enumerated
	ResponseBytes  ResponseBytes `asn1:"explicit,tag:0,optional"`
}

ResponseASN1 - corresponds to OCSPResponse struct in 4.2.1 of RFC 6960

type ResponseBytes 

type ResponseBytes struct {
	ResponseType asn1.ObjectIdentifier
	Response     []byte
}

ResponseBytes - ASN1 struct for storing response data

type ResponseData 

type ResponseData struct {
	Raw            asn1.RawContent // added for our use
	Version        int             `asn1:"optional,default:0,explicit,tag:0"`
	RawResponderID asn1.RawValue
	ProducedAt     time.Time `asn1:"generalized"`
	Responses      []SingleResponse
}

ResponseData - ASN1 struct defined in RFC 6960 4.2.1

type ResponseError 

type ResponseError struct {
	Status ResponseStatus
}

ResponseError respresents OCSP response status codes

func (ResponseError) Error 

func (r ResponseError) Error() string

type ResponseStatus 

type ResponseStatus int

ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3 

const Success ResponseStatus = 0

Success - OCSP Responder signals that response is successful

func (*ResponseStatus) MarshalJSON 

func (code *ResponseStatus) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshler interface

func (*ResponseStatus) String 

func (code *ResponseStatus) String() string

func (*ResponseStatus) UnmarshalJSON 

func (code *ResponseStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type RevokedInfo 

type RevokedInfo struct {
	RevocationTime   time.Time       `asn1:"generalized"`
	RevocationReason asn1.Enumerated `asn1:"explicit,tag:0,optional"`
}

RevokedInfo - ASN1 struct defined in RFC 6960 4.2.1

type SingleResponse 

type SingleResponse struct {
	CertID           CertID
	Good             asn1.Flag        `asn1:"tag:0,optional"`
	Revoked          RevokedInfo      `asn1:"tag:1,optional"`
	Unknown          asn1.Flag        `asn1:"tag:2,optional"`
	ThisUpdate       time.Time        `asn1:"generalized"`
	NextUpdate       time.Time        `asn1:"generalized,explicit,tag:0,optional"`
	SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"`
}

SingleResponse - ASN1 struct defined in RFC 6960 4.2.1

type TBSRequest 

type TBSRequest struct {
	Version       int              `asn1:"explicit,tag:0,default:0,optional"`
	RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"`
	RequestList   []Request
}

TBSRequest - represents to-be-signed OCSP Request. See RFC 6960 4.1.1.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.