boulder: github.com/letsencrypt/boulder/ocsp

package ocsp

import "github.com/letsencrypt/boulder/ocsp"

Package ocsp implements an OCSP responder based on a generic storage backend.

Index

Package Files

responder.go

Variables

var (

    // ErrNotFound indicates that the requested OCSP response was not found. A
    // Source returns it to tell the Responder to reply with
    // unauthorizedErrorResponse.
    ErrNotFound = errors.New("Request OCSP Response not found")
)

type InMemorySource

type InMemorySource struct {
    // contains filtered or unexported fields
}

An InMemorySource is a map from serial number to the DER-encoded OCSP response for that serial.

func (InMemorySource) Response

func (src InMemorySource) Response(request *ocsp.Request) ([]byte, http.Header, error)

Response looks up an OCSP response to provide for a given request. InMemorySource looks up a response purely based on serial number, without regard to what issuer the request is asking for, so a request whose CertID names a different issuer but carries the same serial number receives the stored response.

type Responder

type Responder struct {
    Source Source
    // contains filtered or unexported fields
}

A Responder object provides the HTTP logic to expose a Source of OCSP responses.

func NewResponder

func NewResponder(source Source, responseTypes *prometheus.CounterVec) *Responder

NewResponder instantiates a Responder with the given Source. The responseTypes counter vector receives a count of the responses served, labelled by response type.

func (Responder) ServeHTTP

func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)

A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request and passes back whatever response the Source provides. Note: on GET requests the OCSP request arrives as a base64-encoded DER blob in the URL path (RFC 6960, Appendix A), so the caller must use http.StripPrefix to strip any path components, including the leading '/', before the Responder sees the path. Do not mount this Responder under http.NewServeMux: the mux canonicalizes request paths, collapsing any run of repeated '/' into a single '/' and redirecting to the cleaned path, and since '/' is a character of the base64 alphabet that rewrite corrupts the encoded request.

type Source

type Source interface {
    Response(*ocsp.Request) ([]byte, http.Header, error)
}

Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle. By default the Responder will set the headers Cache-Control to "max-age=(response.NextUpdate-now), public, no-transform, must-revalidate", Last-Modified to response.ThisUpdate, Expires to response.NextUpdate, ETag to the SHA256 hash of the response, and Content-Type to application/ocsp-response. If you want to override these headers, or set extra headers, your source should return a http.Header with the headers you wish to set. If you don't want to set any extra headers you may return nil instead.
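As an added, self-contained illustration of the Source/Responder split and of the http.StripPrefix versus http.NewServeMux caveat above (example code written for this page, not Boulder's own responder.go): it parses only enough of an OCSP request, with the standard library's encoding/asn1 and the RFC 6960 CertID layout, to read the serial number, looks that up in a map-backed Source in the manner of InMemorySource, and then serves one constructed request through the same handler mounted both ways. The constructed request and its 0xff filler issuer hashes, the lower-case hex serial used as map key, GET-only handling, tolerating a stray leading '/', and a 404 in place of Boulder's unauthorized response are all assumptions of this example, not behaviour of the package.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Minimal RFC 6960 OCSPRequest: just enough to read the CertID out of it.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}
type singleRequest struct{ ReqCert certID }
type tbsRequest struct {
	Version     int `asn1:"explicit,tag:0,default:0,optional"`
	RequestList []singleRequest
}
type ocspRequest struct{ TBSRequest tbsRequest }

// serialFromRequest returns the serial of the one CertID in a DER request, as hex.
func serialFromRequest(der []byte) (string, error) {
	var req ocspRequest
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil || len(rest) != 0 || len(req.TBSRequest.RequestList) != 1 {
		return "", fmt.Errorf("malformed OCSP request (%v)", err)
	}
	return req.TBSRequest.RequestList[0].ReqCert.SerialNumber.Text(16), nil
}

// memorySource stands in for the page's InMemorySource: serial (hex) -> DER
// response, chosen without regard to the issuer named in the request.
type memorySource map[string][]byte

func (s memorySource) Response(serial string) ([]byte, error) {
	if resp, ok := s[serial]; ok {
		return resp, nil
	}
	return nil, fmt.Errorf("request OCSP response not found")
}

// responder implements the GET side of the contract the page describes: the
// URL path, after http.StripPrefix, is the base64-encoded DER request.
type responder struct{ src memorySource }

func (rs responder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Assumption of this example: a stray leading '/' is tolerated, not rejected.
	der, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(r.URL.Path, "/"))
	var serial string
	if err == nil {
		serial, err = serialFromRequest(der)
	}
	if err != nil {
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	resp, err := rs.src.Response(serial)
	if err != nil { // Boulder answers this with an OCSP "unauthorized" response
		http.Error(w, "unknown serial", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/ocsp-response")
	w.Write(resp)
}

// sampleRequest builds a constructed (not captured) request for serial; the
// 0xff filler hashes guarantee that its base64 form contains runs of '/'.
func sampleRequest(serial int64) []byte {
	sha1 := pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26},
		Parameters: asn1.RawValue{Tag: 5}} // id-sha1 with NULL parameters
	der, err := asn1.Marshal(ocspRequest{tbsRequest{RequestList: []singleRequest{{certID{
		sha1, bytes.Repeat([]byte{0xff}, 20), bytes.Repeat([]byte{0xff}, 20), big.NewInt(serial)}}}}})
	if err != nil {
		panic(err)
	}
	return der
}

// statusFor issues one GET for der through h and reports the HTTP status.
func statusFor(h http.Handler, der []byte) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/"+base64.StdEncoding.EncodeToString(der), nil))
	return rec.Code
}

func main() {
	h := responder{src: memorySource{"1234": []byte("constructed DER placeholder")}}
	mux := http.NewServeMux()
	mux.Handle("/", h)
	fmt.Println("StripPrefix:", statusFor(http.StripPrefix("/", h), sampleRequest(0x1234)), "ServeMux:", statusFor(mux, sampleRequest(0x1234)))
}
```

Run it and the handler behind http.StripPrefix answers 200 while the same handler under http.NewServeMux answers 301: the mux has collapsed the '//' runs inside the base64 and redirected to a path that no longer decodes. Real requests only sometimes contain repeated slashes, which is why this breakage is intermittent and easy to miss in testing.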

func NewMemorySource

func NewMemorySource(responses map[string][]byte, logger blog.Logger) Source

NewMemorySource returns an initialized InMemorySource built from the given map of serial number to DER-encoded response.

func NewMemorySourceFromFile

func NewMemorySourceFromFile(responseFile string, logger blog.Logger) (Source, error)

NewMemorySourceFromFile reads the named file into an InMemorySource. The file must contain whitespace-separated OCSP responses, each in base64-encoded DER form (i.e., PEM without headers or whitespace). Entries that fail to decode or parse are ignored rather than causing an error. The entire file is loaded into memory.

Package ocsp imports 16 packages and is imported by 2 packages. Updated 2019-10-17.