Documentation ¶
Index ¶
- Constants
- Variables
- func NeedsRefresh(resp *ocsp.Response, mtime time.Time, period time.Duration) bool
- func ResponderURL(cert *x509.Certificate) (string, error)
- func Update(cert, issuer *x509.Certificate, responderURL string) ([]byte, error)
- type Event
- type Fetcher
- type Request
- type Response
- func Fetch(req *Request, etag string, lastModified, nextUpdate time.Time) (*Response, error)
- func FetchForCert(cert, issuer *x509.Certificate, responderURL, etag string, ...) (*Response, error)
- func FetchR(req *Request, prev *Response) (*Response, error)
- func NeedsRefreshFile(filename string, issuer *x509.Certificate, period time.Duration) (bool, *Response, error)
- type Updater
Constants ¶
const DefaultTickRound = 5 * time.Minute
Variables ¶
var ErrDuplicateTag = errors.New("ocspd: duplicate tag")
Functions ¶
func NeedsRefresh ¶
func NeedsRefresh(resp *ocsp.Response, mtime time.Time, period time.Duration) bool
NeedsRefresh reports whether the given OCSP response needs to be refreshed.
If the response carries no NextUpdate, it always needs to be refreshed. Otherwise it needs to be refreshed halfway through its validity period (the interval between ThisUpdate and NextUpdate); to avoid refreshing repeatedly within that interval, the time of the last refresh (mtime) and the interval between checks (period) are used as guidance.
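The heuristic described above, written out as an added example (this is not the package's own code). The ocspWindow struct stands in for the ThisUpdate and NextUpdate fields of an ocsp.Response so the block runs with the standard library alone, and `now` is passed explicitly so the decision is deterministic. The rule that a response already re-fetched after the halfway point is retried at most once per check period is my reading of "used as guidance"; the package may weigh mtime and period differently.

```go
package main

import (
	"fmt"
	"time"
)

// ocspWindow stands in for the two ocsp.Response fields the heuristic needs
// (assumption: the package reads the same two fields).
type ocspWindow struct {
	ThisUpdate time.Time
	NextUpdate time.Time // zero when the responder omitted nextUpdate
}

// halfway returns the middle of the response's validity period.
func halfway(w ocspWindow) time.Time {
	return w.ThisUpdate.Add(w.NextUpdate.Sub(w.ThisUpdate) / 2)
}

// needsRefresh decides whether the cached response must be re-fetched at now.
// mtime is when the cached copy was obtained; period is how often the caller
// re-evaluates this question (a daemon tick, a cron interval, ...).
func needsRefresh(w ocspWindow, mtime, now time.Time, period time.Duration) bool {
	// No NextUpdate: the responder makes no freshness promise, so always refresh.
	if w.NextUpdate.IsZero() {
		return true
	}
	// Expired, or expiring before the next check: refresh no matter what.
	if !now.Add(period).Before(w.NextUpdate) {
		return true
	}
	h := halfway(w)
	// First half of the validity period: the cached copy is fine.
	if now.Before(h) {
		return false
	}
	// Second half: refresh if the cached copy predates the halfway point...
	if mtime.Before(h) {
		return true
	}
	// ...otherwise a fetch after halfway already happened (and most likely got
	// the same response back). Retry at most once per check period rather than
	// on every tick, so the responder is not hammered until NextUpdate.
	return !now.Before(mtime.Add(period))
}

func main() {
	// Constructed sample: a one-week response fetched an hour after ThisUpdate.
	this := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	w := ocspWindow{ThisUpdate: this, NextUpdate: this.Add(7 * 24 * time.Hour)}
	fetched := this.Add(time.Hour)
	for _, now := range []time.Time{this.Add(2 * 24 * time.Hour), this.Add(4 * 24 * time.Hour)} {
		fmt.Println(now.Format(time.RFC3339), needsRefresh(w, fetched, now, 5*time.Minute))
	}
}
```

Two days in the response is kept; four days in (past the 3.5-day halfway point) it is refreshed, and a copy fetched after halfway is only retried once the check period has elapsed.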
func ResponderURL ¶
func ResponderURL(cert *x509.Certificate) (string, error)
ResponderURL extracts the OCSP responder URL from the given certificate.
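One way to implement this extraction with the standard library, as an added example that is not this package's code: Go's certificate parser already fills x509.Certificate.OCSPServer from the Authority Information Access extension, so what remains is to refuse certificates that carry no entry and to skip entries with a scheme an OCSP client should not follow. The selfSignedWithOCSP helper and the URLs in main are constructed test input, not real CA data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// responderURL returns the first http(s) OCSP responder URL listed in the
// certificate's AIA extension (x509.Certificate.OCSPServer). Entries with
// another scheme (ldap://, file://, ...) are skipped rather than followed.
func responderURL(cert *x509.Certificate) (string, error) {
	if len(cert.OCSPServer) == 0 {
		return "", errors.New("certificate has no OCSP responder URL (no AIA ocsp entry)")
	}
	for _, raw := range cert.OCSPServer {
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			continue
		}
		if u.Scheme == "http" || u.Scheme == "https" {
			return raw, nil
		}
	}
	return "", fmt.Errorf("no usable http(s) OCSP responder among %q", cert.OCSPServer)
}

// selfSignedWithOCSP builds a throwaway self-signed certificate whose AIA
// extension lists the given OCSP URLs. Constructed test input only: a real
// end-entity certificate is issued by its CA, whose key also signs the OCSP
// responses.
func selfSignedWithOCSP(ocspURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		OCSPServer:   ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedWithOCSP([]string{"ldap://ldap.example.test/cn=ocsp", "http://ocsp.example.test"})
	if err != nil {
		panic(err)
	}
	u, err := responderURL(cert)
	fmt.Println(u, err) // http://ocsp.example.test <nil>
}
```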
Types ¶
type Request ¶
type Request struct {
// contains filtered or unexported fields
}
func CreateRequest ¶
func CreateRequest(cert, issuer *x509.Certificate, responderURL string) (req *Request, err error)
type Response ¶
type Response struct {
	OCSPResponse    *ocsp.Response
	RawOCSPResponse []byte
	MaxAge          time.Time
	Etag            string
	LastModified    time.Time
}
func FetchForCert ¶
func FetchForCert(cert, issuer *x509.Certificate, responderURL, etag string, ...) (*Response, error)
func NeedsRefreshFile ¶
func NeedsRefreshFile(filename string, issuer *x509.Certificate, period time.Duration) (bool, *Response, error)
NeedsRefreshFile applies NeedsRefresh heuristics to an OCSP response stored in a file: it will check if the file exists, parse it, then call NeedsRefresh with parsed OCSP response, the file's last modification time and the given period.
type Updater ¶
type Updater struct {
	OnUpdate  func(Event)
	TickRound time.Duration
	Log       func(format string, v ...interface{})
	Fetcher   *Fetcher
	// contains filtered or unexported fields
}
Updater schedules queries to OCSP responders at appropriate times in order to maintain fresh OCSP responses for a set of certificates.
Queries are scheduled so that the cached OCSP responses are always fresh without hammering the OCSP responders: ideally a single query at the right time, one that returns a new response rather than the one already cached.
Internally, Updater deduplicates certificates, so adding the same certificate twice causes no extra work; a certificate can therefore be associated with several "tags".
Whenever the OCSP response for a certificate is refreshed, the OnUpdate function is called.
func (*Updater) AddOrUpdate ¶
AddOrUpdate adds a certificate to be monitored, with an optional response (generally coming from a cache).
The OCSPResponse and MaxAge fields of resp are used to schedule the next update; Etag and LastModified, if provided, are used to make the next fetch conditional; RawOCSPResponse is never used.
If the certificate is already monitored, its next update will be rescheduled.
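An added example of the bookkeeping described for Updater and AddOrUpdate (not this package's code): certificates are keyed by the SHA-256 of their DER encoding, so the same certificate registered under several tags is monitored once; re-adding a known certificate only reschedules it; a tag already bound to a different certificate is rejected with a duplicate-tag error (my assumption about what ErrDuplicateTag guards); and wake-up times are rounded up to a tick of DefaultTickRound so deadlines that fall within the same tick share one wake-up (my assumption about what TickRound is for). The raw certificate bytes in main are constructed placeholders, not DER.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"time"
)

var errDuplicateTag = errors.New("updater: duplicate tag")

const tickRound = 5 * time.Minute

// monitored is one certificate being watched, whatever the number of tags.
type monitored struct {
	tags   map[string]struct{}
	nextAt time.Time // when the next OCSP query for this certificate is due
}

// updater keeps one entry per distinct certificate plus a tag -> certificate index.
type updater struct {
	byCert map[[sha256.Size]byte]*monitored
	byTag  map[string][sha256.Size]byte
}

func newUpdater() *updater {
	return &updater{byCert: map[[sha256.Size]byte]*monitored{}, byTag: map[string][sha256.Size]byte{}}
}

// addOrUpdate registers the DER certificate rawCert under tag, due at nextAt.
// Re-adding a known certificate (under the same or a new tag) only reschedules
// it; reusing a tag for a different certificate is an error.
func (u *updater) addOrUpdate(tag string, rawCert []byte, nextAt time.Time) error {
	key := sha256.Sum256(rawCert)
	if prev, ok := u.byTag[tag]; ok && prev != key {
		return errDuplicateTag
	}
	m, ok := u.byCert[key]
	if !ok {
		m = &monitored{tags: map[string]struct{}{}}
		u.byCert[key] = m
	}
	m.tags[tag] = struct{}{}
	m.nextAt = nextAt
	u.byTag[tag] = key
	return nil
}

// count is the number of distinct certificates, i.e. the amount of fetch work.
func (u *updater) count() int { return len(u.byCert) }

// due returns, sorted, the tags of every certificate whose query is due at now.
func (u *updater) due(now time.Time) []string {
	var tags []string
	for _, m := range u.byCert {
		if !m.nextAt.After(now) {
			for t := range m.tags {
				tags = append(tags, t)
			}
		}
	}
	sort.Strings(tags)
	return tags
}

// nextTick returns when the scheduler should wake up next: the earliest
// deadline, rounded up to a multiple of tickRound. Zero means nothing is scheduled.
func (u *updater) nextTick() time.Time {
	var earliest time.Time
	for _, m := range u.byCert {
		if earliest.IsZero() || m.nextAt.Before(earliest) {
			earliest = m.nextAt
		}
	}
	if earliest.IsZero() {
		return earliest
	}
	rounded := earliest.Truncate(tickRound)
	if rounded.Before(earliest) {
		rounded = rounded.Add(tickRound)
	}
	return rounded
}

func main() {
	u := newUpdater()
	cert := []byte("placeholder DER for example.test") // constructed, not a real certificate
	due := time.Date(2024, 1, 1, 10, 2, 0, 0, time.UTC)
	_ = u.addOrUpdate("www", cert, due)
	_ = u.addOrUpdate("mail", cert, due) // same certificate, second tag: no extra work
	err := u.addOrUpdate("www", []byte("a different certificate"), due)
	fmt.Println(u.count(), u.nextTick().Format(time.Kitchen), err) // 1 10:05AM updater: duplicate tag
}
```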
func (*Updater) Start ¶
func (u *Updater) Start()
Start begins scheduling OCSP fetches for the monitored certificates.
It schedules calls to UpdateNow at the appropriate times so that the monitored certificates' OCSP responses stay up to date.
Start is a no-op if the Updater is already started; otherwise it blocks, so run it in its own goroutine if the calling code must keep going.
Directories ¶
Path | Synopsis
---|---
cmd/update-ocsp | update-ocsp reads all-in-one bundle files (whose names are passed as command-line arguments) and sends queries to the OCSP responders, storing the responses in *.ocsp files next to the input files.