
package ocsp

import ""

Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing. It also provides a basic OCSP responder stack for serving pre-signed OCSP responses.

Package ocsp implements an OCSP responder based on a generic storage backend. It provides a couple of sample implementations. Because OCSP responders handle high query volumes, we have to be careful about how much logging we do. Error-level logs are reserved for problems internal to the server that can be fixed by an administrator. Any type of incorrect input from a user should be logged at Info or below. For things that are logged on every request, Debug is the appropriate level.


Package Files

ocsp.go responder.go


var (
    // ErrNotFound indicates the requested OCSP response was not found. It is used to
    // indicate that the responder should reply with unauthorizedErrorResponse.
    ErrNotFound = errors.New("Request OCSP Response not found")
)

var StatusCode = map[string]int{
    "good":    ocsp.Good,
    "revoked": ocsp.Revoked,
    "unknown": ocsp.Unknown,
}

StatusCode maps the string statuses sent by the CLI/API to the ocsp package's integer statuses.

func ReasonStringToCode

func ReasonStringToCode(reason string) (reasonCode int, err error)

ReasonStringToCode tries to convert a reason string to an integer code

type DBSource

type DBSource struct {
    Accessor certdb.Accessor
}

DBSource represents a source of OCSP responses backed by the certdb package.

func (DBSource) Response

func (src DBSource) Response(req *ocsp.Request) ([]byte, http.Header, error)

Response implements cfssl.ocsp.responder.Source, which returns the OCSP response in the Database for the given request with the expiration date furthest in the future.

type InMemorySource

type InMemorySource map[string][]byte

An InMemorySource is a map from serialNumber -> der(response)

func (InMemorySource) Response

func (src InMemorySource) Response(request *ocsp.Request) ([]byte, http.Header, error)

Response looks up an OCSP response to provide for a given request. InMemorySource looks up a response purely based on serial number, without regard to what issuer the request is asking for.

type Responder

type Responder struct {
    Source Source
    // contains filtered or unexported fields
}

A Responder object provides the HTTP logic to expose a Source of OCSP responses.

func NewResponder

func NewResponder(source Source, stats Stats) *Responder

NewResponder instantiates a Responder with the given Source.

func (Responder) ServeHTTP

func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)

A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.
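The warning above is easy to misread until it bites, so here is an added, self-contained Go example (not cfssl's code) that reproduces the GET path handling and shows what http.ServeMux does to it. It parses the request with encoding/asn1 using the RFC 6960 request structure, so it needs only the standard library; its Source interface is therefore an assumption that takes the parsed serial number instead of an *ocsp.Request, and the issuer hashes in the constructed request are filler bytes (the all-ones key hash guarantees a run of '/' characters in the base64 form). The same request is served once through http.StripPrefix directly and once through a ServeMux; the mux collapses the repeated '/' and redirects instead of answering.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
)

// ASN.1 shapes for the parts of an OCSP request (RFC 6960, 4.1.1) used here.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}
type singleRequest struct{ ReqCert certID }
type tbsRequest struct {
	Version     int `asn1:"explicit,tag:0,default:0,optional"`
	RequestList []singleRequest
}
type ocspRequest struct{ TBSRequest tbsRequest }

// Source stands in for cfssl's ocsp.Source but takes the parsed serial number, not an *ocsp.Request.
type Source interface{ Response(serial *big.Int) ([]byte, http.Header, error) }

var unauthorizedResponse = []byte{0x30, 0x03, 0x0a, 0x01, 0x06} // DER OCSPResponse, responseStatus unauthorized(6)

// InMemorySource maps serialNumber (decimal string) -> der(response), ignoring the issuer.
type InMemorySource map[string][]byte

func (s InMemorySource) Response(serial *big.Int) ([]byte, http.Header, error) {
	if resp, ok := s[serial.String()]; ok {
		return resp, nil, nil
	}
	return nil, nil, errors.New("Request OCSP Response not found")
}

// Responder decodes GET (base64 DER in the path) and POST (DER body) requests.
type Responder struct{ Source Source }

func (rs Responder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var body []byte
	var err error
	switch r.Method {
	case http.MethodGet:
		// After http.StripPrefix the rest of the path is the base64 request; '/' and '+' are
		// base64 alphabet characters, so the path must reach this code unmodified.
		body, err = base64.StdEncoding.DecodeString(r.URL.Path)
	case http.MethodPost:
		body, err = io.ReadAll(r.Body)
	} // any other method leaves body empty and fails the decode below
	var req ocspRequest
	rest, uerr := asn1.Unmarshal(body, &req)
	if err != nil || uerr != nil || len(rest) != 0 || len(req.TBSRequest.RequestList) != 1 {
		w.WriteHeader(http.StatusBadRequest) // malformed client input: Info/Debug-level at most, never Error
		return
	}
	resp, _, err := rs.Source.Response(req.TBSRequest.RequestList[0].ReqCert.SerialNumber)
	if err != nil {
		resp = unauthorizedResponse // unknown serial: answer "unauthorized", as the ErrNotFound doc says
	}
	w.Header().Set("Content-Type", "application/ocsp-response")
	w.Write(resp)
}

// encodeRequest builds a minimal DER request for serial. The issuer hashes are constructed
// filler; the all-ones key hash guarantees runs of '/' in the base64 form.
func encodeRequest(serial *big.Int) ([]byte, error) {
	return asn1.Marshal(ocspRequest{TBSRequest: tbsRequest{RequestList: []singleRequest{{ReqCert: certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}, Parameters: asn1.NullRawValue},
		IssuerNameHash: bytes.Repeat([]byte{0x01}, 20),
		IssuerKeyHash:  bytes.Repeat([]byte{0xff}, 20),
		SerialNumber:   serial,
	}}}}})
}

// status serves one GET for target through h and returns the HTTP status code.
func status(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

// responderDemo sends the same GET to the StripPrefix-wrapped Responder directly (200) and
// through an http.ServeMux, which collapses the repeated '/' and answers with a 301 redirect.
func responderDemo() (direct, viaMux int, err error) {
	serial := big.NewInt(0x12345678)
	der, err := encodeRequest(serial)
	if err != nil {
		return 0, 0, err
	}
	src := InMemorySource{serial.String(): []byte("constructed placeholder, not a real signed response")}
	handler := http.StripPrefix("/ocsp/", Responder{Source: src})
	target := "/ocsp/" + base64.StdEncoding.EncodeToString(der)
	mux := http.NewServeMux()
	mux.Handle("/ocsp/", handler)
	return status(handler, target), status(mux, target), nil
}

func main() { fmt.Println(responderDemo()) }
```

A client that follows the 301 lands on the cleaned path, where the base64 no longer decodes to the original DER, so the request ends as a 400 rather than a response; mounting the responder with http.Handle plus http.StripPrefix, as the documentation says, avoids the mux's path canonicalization entirely. The same reasoning applies to any reverse proxy in front of the responder that normalizes paths.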

type SignRequest

type SignRequest struct {
    Certificate *x509.Certificate
    Status      string
    Reason      int
    RevokedAt   time.Time
    Extensions  []pkix.Extension
    // IssuerHash is the hashing function used to hash the issuer subject and public key
    // in the OCSP response. Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384,
    // and crypto.SHA512. If zero, the default is crypto.SHA1.
    IssuerHash crypto.Hash
    // If provided ThisUpdate will override the default usage of time.Now().Truncate(time.Hour)
    ThisUpdate *time.Time
    // If provided NextUpdate will override the default usage of ThisUpdate.Add(signerInterval)
    NextUpdate *time.Time
}

SignRequest represents the desired contents of a specific OCSP response.

type Signer

type Signer interface {
    Sign(req SignRequest) ([]byte, error)
}

Signer represents a general signer of OCSP responses. It is responsible for populating all fields in the OCSP response that are not reflected in the SignRequest.

func NewSigner

func NewSigner(issuer, responder *x509.Certificate, key crypto.Signer, interval time.Duration) (Signer, error)

NewSigner simply constructs a new StandardSigner object from the inputs, taking the interval in seconds

func NewSignerFromFile

func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.Duration) (Signer, error)

NewSignerFromFile reads the issuer cert, the responder cert and the responder key from PEM files, and takes an interval in seconds

type Source

type Source interface {
    Response(*ocsp.Request) ([]byte, http.Header, error)
}

Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle. By default the Responder will set the headers Cache-Control to "max-age=(response.NextUpdate-now), public, no-transform, must-revalidate", Last-Modified to response.ThisUpdate, Expires to response.NextUpdate, ETag to the SHA256 hash of the response, and Content-Type to application/ocsp-response. If you want to override these headers, or set extra headers, your source should return a http.Header with the headers you wish to set. If you don't want to set any extra headers you may return nil instead.
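The validity window defaults on SignRequest (ThisUpdate = time.Now().Truncate(time.Hour), NextUpdate = ThisUpdate.Add(interval)) and the cache headers listed above are two halves of the same policy: a cache may serve the response until NextUpdate and no longer. The following added Go example, which is not cfssl's code, computes the window with those documented defaults and derives the documented headers from it, letting a Source's own http.Header override or extend them. The "now" instant, the four-hour interval and the response bytes are constructed; quoting the ETag as lower-case hex is this example's choice, not something the page specifies.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// updateWindow applies the defaults documented on SignRequest: ThisUpdate is
// now.Truncate(time.Hour) unless overridden, and NextUpdate is ThisUpdate.Add(interval)
// unless overridden. now is a parameter here (cfssl uses time.Now()) so the result is testable.
func updateWindow(now time.Time, interval time.Duration, thisOverride, nextOverride *time.Time) (thisUpdate, nextUpdate time.Time) {
	thisUpdate = now.Truncate(time.Hour)
	if thisOverride != nil {
		thisUpdate = *thisOverride
	}
	nextUpdate = thisUpdate.Add(interval)
	if nextOverride != nil {
		nextUpdate = *nextOverride
	}
	return thisUpdate, nextUpdate
}

// cacheHeaders derives the headers the Source documentation lists from a response's
// bytes and validity window, then lets a Source's own http.Header override or extend them.
// Header names and values follow the documentation; the ETag quoting/hex case is this example's choice.
func cacheHeaders(response []byte, thisUpdate, nextUpdate, now time.Time, fromSource http.Header) http.Header {
	maxAge := int(nextUpdate.Sub(now) / time.Second)
	if maxAge < 0 {
		maxAge = 0 // past NextUpdate: do not let caches hold the response any longer
	}
	sum := sha256.Sum256(response)
	h := http.Header{}
	h.Set("Cache-Control", fmt.Sprintf("max-age=%d, public, no-transform, must-revalidate", maxAge))
	h.Set("Last-Modified", thisUpdate.UTC().Format(http.TimeFormat))
	h.Set("Expires", nextUpdate.UTC().Format(http.TimeFormat))
	h.Set("ETag", `"`+hex.EncodeToString(sum[:])+`"`)
	h.Set("Content-Type", "application/ocsp-response")
	for name, values := range fromSource { // a nil map means the Source set nothing extra
		h[http.CanonicalHeaderKey(name)] = values
	}
	return h
}

// headerDemo fixes "now" at a constructed instant, computes the window for a four-hour
// signing interval and returns the headers a Responder would send with the response.
func headerDemo() http.Header {
	now := time.Date(2019, time.November, 2, 10, 30, 0, 0, time.UTC) // constructed instant
	thisUpdate, nextUpdate := updateWindow(now, 4*time.Hour, nil, nil)
	response := []byte("constructed placeholder, not a real DER OCSP response")
	return cacheHeaders(response, thisUpdate, nextUpdate, now, http.Header{"X-Source-Note": {"set by the Source"}})
}

func main() {
	for name, values := range headerDemo() {
		fmt.Println(name+":", values[0])
	}
}
```

Because ThisUpdate is truncated to the hour, max-age is the remaining part of the interval as seen at serving time, not the whole interval; a response signed at 10:30 with a four-hour interval carries Expires 14:00 and max-age 12600, and once NextUpdate has passed the clamp to max-age=0 with must-revalidate forces caches back to the responder.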

func NewDBSource

func NewDBSource(dbAccessor certdb.Accessor) Source

NewDBSource creates a new DBSource type with an associated dbAccessor.

func NewSourceFromDB

func NewSourceFromDB(DBConfigFile string) (Source, error)

NewSourceFromDB reads the given database configuration file and creates a database data source for use with the OCSP responder

func NewSourceFromFile

func NewSourceFromFile(responseFile string) (Source, error)

NewSourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.

type StandardSigner

type StandardSigner struct {
    // contains filtered or unexported fields
}

StandardSigner is the default concrete type of OCSP signer. It represents a single responder (represented by a key and certificate) speaking for a single issuer (certificate). It is assumed that OCSP responses are issued at a regular interval, which is used to compute the nextUpdate value based on the current time.

func (StandardSigner) Sign

func (s StandardSigner) Sign(req SignRequest) ([]byte, error)

Sign is used with an OCSP signer to request the issuance of an OCSP response.

type Stats

type Stats interface {
    ResponseStatus(string)
}

Stats is a basic interface that allows users to record information about returned responses


Directories

config    Package config in the ocsp directory provides configuration data for an OCSP signer.

Package ocsp imports 25 packages and is imported by 532 packages. Updated 2019-11-02.