Documentation ¶
Overview ¶
Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing. It also provies a basic OCSP responder stack for serving pre-signed OCSP responses.
Package ocsp implements an OCSP responder based on a generic storage backend. It provides a couple of sample implementations. Because OCSP responders handle high query volumes, we have to be careful about how much logging we do. Error-level logs are reserved for problems internal to the server, that can be fixed by an administrator. Any type of incorrect input from a user should be logged and Info or below. For things that are logged on every request, Debug is the appropriate level.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // ErrNotFound indicates the request OCSP response was not found. It is used to // indicate that the responder should reply with unauthorizedErrorResponse. ErrNotFound = errors.New("Request OCSP Response not found") )
var StatusCode = map[string]int{ "good": ocsp.Good, "revoked": ocsp.Revoked, "unknown": ocsp.Unknown, }
StatusCode is a map between string statuses sent by cli/api to ocsp int statuses
Functions ¶
func ReasonStringToCode ¶
ReasonStringToCode tries to convert a reason string to an integer code
Types ¶
type InMemorySource ¶
An InMemorySource is a map from serialNumber -> der(response)
type Responder ¶
type Responder struct { Source Source // contains filtered or unexported fields }
A Responder object provides the HTTP logic to expose a Source of OCSP responses.
func NewResponder ¶
NewResponder instantiates a Responder with the give Source.
func (Responder) ServeHTTP ¶
func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)
A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.
type SignRequest ¶
type SignRequest struct { Certificate *x509.Certificate Status string Reason int RevokedAt time.Time Extensions []pkix.Extension // IssuerHash is the hashing function used to hash the issuer subject and public key // in the OCSP response. Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, // and crypto.SHA512. If zero, the default is crypto.SHA1. IssuerHash crypto.Hash // If provided ThisUpdate will override the default usage of time.Now().Truncate(time.Hour) ThisUpdate *time.Time // If provided NextUpdate will override the default usage of ThisUpdate.Add(signerInterval) NextUpdate *time.Time }
SignRequest represents the desired contents of a specific OCSP response.
type Signer ¶
type Signer interface {
Sign(req SignRequest) ([]byte, error)
}
Signer represents a general signer of OCSP responses. It is responsible for populating all fields in the OCSP response that are not reflected in the SignRequest.
type Source ¶
Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle. By default the Responder will set the headers Cache-Control to "max-age=(response.NextUpdate-now), public, no-transform, must-revalidate", Last-Modified to response.ThisUpdate, Expires to response.NextUpdate, ETag to the SHA256 hash of the response, and Content-Type to application/ocsp-response. If you want to override these headers, or set extra headers, your source should return a http.Header with the headers you wish to set. If you don't want to set any extra headers you may return nil instead.
func NewDBSource ¶
NewDBSource creates a new DBSource type with an associated dbAccessor.
func NewSourceFromDB ¶
NewSourceFromDB reads the given database configuration file and creates a database data source for use with the OCSP responder
func NewSourceFromFile ¶
NewSourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.
type StandardSigner ¶
type StandardSigner struct {
// contains filtered or unexported fields
}
StandardSigner is the default concrete type of OCSP signer. It represents a single responder (represented by a key and certificate) speaking for a single issuer (certificate). It is assumed that OCSP responses are issued at a regular interval, which is used to compute the nextUpdate value based on the current time.
func (StandardSigner) Sign ¶
func (s StandardSigner) Sign(req SignRequest) ([]byte, error)
Sign is used with an OCSP signer to request the issuance of an OCSP response.