ocsp

Documentation

Index

• type Client
  • func New(logFactory func() hclog.Logger, cacheSize int) *Client
  • func (c *Client) ClearCache()
  • func (c *Client) GetAllRevocationStatus(ctx context.Context, verifiedChains []*x509.Certificate, conf *VerifyConfig) ([]*ocspStatus, error)
  • func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) (*ocspStatus, error)
  • func (c *Client) Logger() hclog.Logger
  • func (c *Client) NewTransport(conf *VerifyConfig) *http.Transport
  • func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) error
  • func (c *Client) VerifyPeerCertificate(ctx context.Context, verifiedChains [][]*x509.Certificate, conf *VerifyConfig) error
• type FailOpenMode
• type VerifyConfig

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

func New

func New(logFactory func() hclog.Logger, cacheSize int) *Client

func (*Client) ClearCache

func (c *Client) ClearCache()

func (*Client) GetAllRevocationStatus

func (c *Client) GetAllRevocationStatus(ctx context.Context, verifiedChains []*x509.Certificate, conf *VerifyConfig) ([]*ocspStatus, error)

func (*Client) GetRevocationStatus

func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) (*ocspStatus, error)

GetRevocationStatus checks the certificate revocation status for subject using issuer certificate.

func (*Client) Logger

func (c *Client) Logger() hclog.Logger

func (*Client) NewTransport

func (c *Client) NewTransport(conf *VerifyConfig) *http.Transport

NewTransport includes the certificate revocation check with OCSP in sequential.

func (*Client) VerifyLeafCertificate

func (c *Client) VerifyLeafCertificate(ctx context.Context, subject, issuer *x509.Certificate, conf *VerifyConfig) error

VerifyLeafCertificate verifies just the subject against it's direct issuer

func (*Client) VerifyPeerCertificate

func (c *Client) VerifyPeerCertificate(ctx context.Context, verifiedChains [][]*x509.Certificate, conf *VerifyConfig) error

VerifyPeerCertificate verifies all of certificate revocation status

type FailOpenMode

type FailOpenMode uint32

FailOpenMode is OCSP fail open mode. FailOpenTrue by default and may set to ocspModeFailClosed for fail closed mode

const (

	// FailOpenTrue represents OCSP fail open mode.
	FailOpenTrue FailOpenMode
	// FailOpenFalse represents OCSP fail closed mode.
	FailOpenFalse
)

type VerifyConfig

type VerifyConfig struct {
	OcspEnabled         bool
	ExtraCas            []*x509.Certificate
	OcspServersOverride []string
	OcspFailureMode     FailOpenMode
	QueryAllServers     bool
}