Documentation ¶
Index ¶
- Constants
- func CreateRequest(cert *x509.Certificate, issuerKeyHash []byte, issuerNameHash []byte) ([]byte, error)
- func DeserializeSCTListByte(serializedSCTList []byte) ([][]byte, error)
- func GetKeyHashSHA1(cert *x509.Certificate) ([]byte, error)
- func GetNameHashSHA1(cert *x509.Certificate) []byte
- func ParseSCTListFromOcspResponseByte(response *Response) ([][]byte, error)
- func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error)
- func ValidateResponse(resp *Response, basicResp *BasicOCSPResponse, issuer *x509.Certificate) bool
- type BasicOCSPResponse
- type CertID
- type NewParsedAndRawSCT
- type PublicKeyInfo
- type Request
- type RequestASN1
- type Response
- type ResponseASN1
- type ResponseBytes
- type ResponseData
- type ResponseError
- type ResponseStatus
- type RevokedInfo
- type SingleResponse
- type TBSRequest
Constants ¶
const ( Good = iota Revoked Unknown ServerFailed )
The certificate status values that can be expressed in OCSP. See RFC 6960. Good means that the certificate is valid. Revoked means that the certificate has been deliberately revoked. Unknown means that the OCSP responder doesn't know about the certificate. ServerFailed is unused and was never used (see https://go-review.googlesource.com/#/c/18944). ParseResponse will return a ResponseError when an error response is parsed.
Variables ¶
This section is empty.
Functions ¶
func CreateRequest ¶
func CreateRequest(cert *x509.Certificate, issuerKeyHash []byte, issuerNameHash []byte) ([]byte, error)
CreateRequest returns a DER-encoded, OCSP request for the status of cert keyhash and namehash must be computed with SHA-1, use functions above
func DeserializeSCTListByte ¶
DeserializeSCTList deserializes a list of SCTs. copy of DeserializeSCTList
func GetKeyHashSHA1 ¶
func GetKeyHashSHA1(cert *x509.Certificate) ([]byte, error)
GetKeyHashSHA1 - compute hash of the certificate's public key, using SHA-1
func GetNameHashSHA1 ¶
func GetNameHashSHA1(cert *x509.Certificate) []byte
GetNameHashSHA1 - compute hash of the certificate's subject field, using SHA-1
func ParseSCTListFromOcspResponseByte ¶
解析传递过来的ocsp response,解析得到sct by ocsp stapling
func SerializeSCTList ¶
func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error)
SerializeSCTList serializes a list of SCTs.
func ValidateResponse ¶
func ValidateResponse(resp *Response, basicResp *BasicOCSPResponse, issuer *x509.Certificate) bool
ValidateResponse - Checks to see that the signature on the OCSP resposne is valid From RFC 6960 Section 4.2.2.2:
The key that signs a certificate's [OCSP Response] need not be the same key that signed the certificate. It is necessary, however, to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MUST do one of the following: - sign the OCSP responses itself, or - explicitly designate this authority to another entity [delegation certificate]
If a delegation certificate is used, it must be explicitly provided in the OCSP response. We parse this if provided and assign it to resp.ResponseIssuingCertificate
Types ¶
type BasicOCSPResponse ¶
type BasicOCSPResponse struct { TBSResponseData ResponseData SignatureAlgorithm pkix.AlgorithmIdentifier Signature asn1.BitString Certs []asn1.RawValue `asn1:"explicit,tag:0,optional"` }
BasicOCSPResponse - ASN1 struct for OCSP Response corresponding to idPKIXOCSPBasic, see RFC 6960 4.2.1
func ParseResponse ¶
func ParseResponse(bytes []byte) (*BasicOCSPResponse, error)
ParseResponse - Ensures that OCSP response ASN1 is properly formatted, performs basic error checking, then returns BasicResponse type
type CertID ¶
type CertID struct { HashAlgorithm pkix.AlgorithmIdentifier NameHash []byte IssuerKeyHash []byte SerialNumber *big.Int }
CertID - struct for ocsp data request for single cert. See RFC 6960 4.1.1
type NewParsedAndRawSCT ¶
type NewParsedAndRawSCT struct { Raw []byte Parsed *ct.SignedCertificateTimestamp }
func DeserializeSCTList ¶
func DeserializeSCTList(serializedSCTList []byte) (int, int, []NewParsedAndRawSCT, error)
DeserializeSCTList deserializes a list of SCTs.
func ParseSCTListFromOcspResponse ¶
func ParseSCTListFromOcspResponse(response *Response) (int, int, []NewParsedAndRawSCT, error)
解析传递过来的ocsp response,解析得到sct by ocsp stapling
type PublicKeyInfo ¶
type PublicKeyInfo struct { Algorithm pkix.AlgorithmIdentifier PublicKey asn1.BitString }
PublicKeyInfo - struct for public key data when creating hash, see GetKeyHash and RFC 6960
type Request ¶
type Request struct {
Cert CertID
}
Request - wrapper for single OCSP Request. See RFC 6960 4.1.1.
type RequestASN1 ¶
type RequestASN1 struct {
TBSRequest TBSRequest
}
RequestASN1 - corresponds to OCSPRequest struct in 4.1.1 of RFC 6960
type Response ¶
type Response struct { // Status is one of {Good, Revoked, Unknown} CertificateStatus string IsRevoked bool // set to true if CertificateStatus is "revoked" SerialNumber string ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time RevocationReason crl.RevocationReasonCode ResponseIssuingCertificate *x509.Certificate // TBSResponseData contains the raw bytes of the signed response. If // Certificate is nil then this can be used to verify Signature. TBSResponseData []byte Signature []byte SignatureAlgorithm x509.SignatureAlgorithm IsValidSignature bool // IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash. // Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512. // If zero, the default is crypto.SHA1. IssuerHash crypto.Hash // RawResponderName optionally contains the DER-encoded subject of the // responder certificate. Exactly one of RawResponderName and // ResponderKeyHash is set. RawResponderName []byte // ResponderKeyHash optionally contains the SHA-1 hash of the // responder's public key. Exactly one of RawResponderName and // ResponderKeyHash is set. ResponderKeyHash []byte // Extensions contains raw X.509 extensions from the singleExtensions field // of the OCSP response. When parsing certificates, this can be used to // extract non-critical extensions that are not parsed by this package. When // marshaling OCSP responses, the Extensions field is ignored, see // ExtraExtensions. Extensions []pkix.Extension // ExtraExtensions contains extensions to be copied, raw, into any marshaled // OCSP response (in the singleExtensions field). Values override any // extensions that would otherwise be produced based on the other fields. The // ExtraExtensions field is not populated when parsing certificates, see // Extensions. ExtraExtensions []pkix.Extension }
Response represents an OCSP response, flattened for easy manipulation of data. DOES NOT CORRESPOND TO TRUE OCSP RESPONSE STRUCTURE. API functions below parse OCSP responses and fill in this data structure for client use.
func ConvertResponse ¶
将string格式转为 Response结构体
func ParseResponseForCert ¶
func ParseResponseForCert(bytes []byte, cert *x509.Certificate, issuer *x509.Certificate) (*Response, error)
ParseResponseForCert parses an OCSP response in DER form and searches for a Response relating to cert. If such a Response is found and the OCSP response contains a certificate then the signature over the response is checked. If issuer is not nil then it will be used to validate the signature or embedded certificate.
Invalid responses and parse failures will result in a ParseError. Error responses will result in a ResponseError.
func (*Response) CheckSignatureFrom ¶
func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error
CheckSignatureFrom checks that the signature in resp is a valid signature from issuer. This should only be used if resp.Certificate is nil. Otherwise, the OCSP response contained an intermediate certificate that created the signature. That signature is checked by ParseResponse and only resp.Certificate remains to be validated.
type ResponseASN1 ¶
type ResponseASN1 struct { ResponseStatus asn1.Enumerated ResponseBytes ResponseBytes `asn1:"explicit,tag:0,optional"` }
ResponseASN1 - corresponds to OCSPResponse struct in 4.2.1 of RFC 6960
type ResponseBytes ¶
type ResponseBytes struct { ResponseType asn1.ObjectIdentifier Response []byte }
ResponseBytes - ASN1 struct for storing response data
type ResponseData ¶
type ResponseData struct { Raw asn1.RawContent // added for our use Version int `asn1:"optional,default:0,explicit,tag:0"` RawResponderID asn1.RawValue ProducedAt time.Time `asn1:"generalized"` Responses []SingleResponse }
ResponseData - ASN1 struct defined in RFC 6960 4.2.1
type ResponseError ¶
type ResponseError struct {
Status ResponseStatus
}
ResponseError respresents OCSP response status codes
func (ResponseError) Error ¶
func (r ResponseError) Error() string
type ResponseStatus ¶
type ResponseStatus int
ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3
const Success ResponseStatus = 0
Success - OCSP Responder signals that response is successful
func (*ResponseStatus) MarshalJSON ¶
func (code *ResponseStatus) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshler interface
func (*ResponseStatus) String ¶
func (code *ResponseStatus) String() string
func (*ResponseStatus) UnmarshalJSON ¶
func (code *ResponseStatus) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type RevokedInfo ¶
type RevokedInfo struct { RevocationTime time.Time `asn1:"generalized"` RevocationReason asn1.Enumerated `asn1:"explicit,tag:0,optional"` }
RevokedInfo - ASN1 struct defined in RFC 6960 4.2.1
type SingleResponse ¶
type SingleResponse struct { CertID CertID Good asn1.Flag `asn1:"tag:0,optional"` Revoked RevokedInfo `asn1:"tag:1,optional"` Unknown asn1.Flag `asn1:"tag:2,optional"` ThisUpdate time.Time `asn1:"generalized"` NextUpdate time.Time `asn1:"generalized,explicit,tag:0,optional"` SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` }
SingleResponse - ASN1 struct defined in RFC 6960 4.2.1
type TBSRequest ¶
type TBSRequest struct { Version int `asn1:"explicit,tag:0,default:0,optional"` RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"` RequestList []Request }
TBSRequest - represents to-be-signed OCSP Request. See RFC 6960 4.1.1.