ocsp

package
v0.0.0-...-b4c92f9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 17, 2023 License: Apache-2.0, ISC, MIT Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source
const (
	Good = iota
	Revoked
	Unknown
	ServerFailed
)

The certificate status values that can be expressed in OCSP. See RFC 6960. Good means that the certificate is valid. Revoked means that the certificate has been deliberately revoked. Unknown means that the OCSP responder doesn't know about the certificate. ServerFailed is unused and was never used (see https://go-review.googlesource.com/#/c/18944). ParseResponse will return a ResponseError when an error response is parsed.

Variables

This section is empty.

Functions

func CreateRequest

func CreateRequest(cert *x509.Certificate, issuerKeyHash []byte, issuerNameHash []byte) ([]byte, error)

CreateRequest returns a DER-encoded, OCSP request for the status of cert keyhash and namehash must be computed with SHA-1, use functions above

func DeserializeSCTListByte

func DeserializeSCTListByte(serializedSCTList []byte) ([][]byte, error)

DeserializeSCTList deserializes a list of SCTs. copy of DeserializeSCTList

func GetKeyHashSHA1

func GetKeyHashSHA1(cert *x509.Certificate) ([]byte, error)

GetKeyHashSHA1 - compute hash of the certificate's public key, using SHA-1

func GetNameHashSHA1

func GetNameHashSHA1(cert *x509.Certificate) []byte

GetNameHashSHA1 - compute hash of the certificate's subject field, using SHA-1

func ParseSCTListFromOcspResponseByte

func ParseSCTListFromOcspResponseByte(response *Response) ([][]byte, error)

解析传递过来的ocsp response,解析得到sct by ocsp stapling

func SerializeSCTList

func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error)

SerializeSCTList serializes a list of SCTs.

func ValidateResponse

func ValidateResponse(resp *Response, basicResp *BasicOCSPResponse, issuer *x509.Certificate) bool

ValidateResponse - Checks to see that the signature on the OCSP resposne is valid From RFC 6960 Section 4.2.2.2:

The key that signs a certificate's [OCSP Response] need not be the
same key that signed the certificate.  It is necessary, however, to
ensure that the entity signing this information is authorized to do
so.  Therefore, a certificate's issuer MUST do one of the following:
				- sign the OCSP responses itself, or
				- explicitly designate this authority to another entity [delegation certificate]

If a delegation certificate is used, it must be explicitly provided in the OCSP response. We parse this if provided and assign it to resp.ResponseIssuingCertificate

Types

type BasicOCSPResponse

type BasicOCSPResponse struct {
	TBSResponseData    ResponseData
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
	Certs              []asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

BasicOCSPResponse - ASN1 struct for OCSP Response corresponding to idPKIXOCSPBasic, see RFC 6960 4.2.1

func ParseResponse

func ParseResponse(bytes []byte) (*BasicOCSPResponse, error)

ParseResponse - Ensures that OCSP response ASN1 is properly formatted, performs basic error checking, then returns BasicResponse type

type CertID

type CertID struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	NameHash      []byte
	IssuerKeyHash []byte
	SerialNumber  *big.Int
}

CertID - struct for ocsp data request for single cert. See RFC 6960 4.1.1

type NewParsedAndRawSCT

type NewParsedAndRawSCT struct {
	Raw    []byte
	Parsed *ct.SignedCertificateTimestamp
}

func DeserializeSCTList

func DeserializeSCTList(serializedSCTList []byte) (int, int, []NewParsedAndRawSCT, error)

DeserializeSCTList deserializes a list of SCTs.

func ParseSCTListFromOcspResponse

func ParseSCTListFromOcspResponse(response *Response) (int, int, []NewParsedAndRawSCT, error)

解析传递过来的ocsp response,解析得到sct by ocsp stapling

type PublicKeyInfo

type PublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

PublicKeyInfo - struct for public key data when creating hash, see GetKeyHash and RFC 6960

type Request

type Request struct {
	Cert CertID
}

Request - wrapper for single OCSP Request. See RFC 6960 4.1.1.

type RequestASN1

type RequestASN1 struct {
	TBSRequest TBSRequest
}

RequestASN1 - corresponds to OCSPRequest struct in 4.1.1 of RFC 6960

type Response

type Response struct {
	// Status is one of {Good, Revoked, Unknown}
	CertificateStatus                             string
	IsRevoked                                     bool // set to true if CertificateStatus is "revoked"
	SerialNumber                                  string
	ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
	RevocationReason                              crl.RevocationReasonCode
	ResponseIssuingCertificate                    *x509.Certificate
	// TBSResponseData contains the raw bytes of the signed response. If
	// Certificate is nil then this can be used to verify Signature.
	TBSResponseData    []byte
	Signature          []byte
	SignatureAlgorithm x509.SignatureAlgorithm
	IsValidSignature   bool

	// IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash.
	// Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512.
	// If zero, the default is crypto.SHA1.
	IssuerHash crypto.Hash

	// RawResponderName optionally contains the DER-encoded subject of the
	// responder certificate. Exactly one of RawResponderName and
	// ResponderKeyHash is set.
	RawResponderName []byte
	// ResponderKeyHash optionally contains the SHA-1 hash of the
	// responder's public key. Exactly one of RawResponderName and
	// ResponderKeyHash is set.
	ResponderKeyHash []byte

	// Extensions contains raw X.509 extensions from the singleExtensions field
	// of the OCSP response. When parsing certificates, this can be used to
	// extract non-critical extensions that are not parsed by this package. When
	// marshaling OCSP responses, the Extensions field is ignored, see
	// ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
	// OCSP response (in the singleExtensions field). Values override any
	// extensions that would otherwise be produced based on the other fields. The
	// ExtraExtensions field is not populated when parsing certificates, see
	// Extensions.
	ExtraExtensions []pkix.Extension
}

Response represents an OCSP response, flattened for easy manipulation of data. DOES NOT CORRESPOND TO TRUE OCSP RESPONSE STRUCTURE. API functions below parse OCSP responses and fill in this data structure for client use.

func ConvertResponse

func ConvertResponse(stringResponse string) (*Response, error)

将string格式转为 Response结构体

func ParseResponseForCert

func ParseResponseForCert(bytes []byte, cert *x509.Certificate, issuer *x509.Certificate) (*Response, error)

ParseResponseForCert parses an OCSP response in DER form and searches for a Response relating to cert. If such a Response is found and the OCSP response contains a certificate then the signature over the response is checked. If issuer is not nil then it will be used to validate the signature or embedded certificate.

Invalid responses and parse failures will result in a ParseError. Error responses will result in a ResponseError.

func (*Response) CheckSignatureFrom

func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error

CheckSignatureFrom checks that the signature in resp is a valid signature from issuer. This should only be used if resp.Certificate is nil. Otherwise, the OCSP response contained an intermediate certificate that created the signature. That signature is checked by ParseResponse and only resp.Certificate remains to be validated.

type ResponseASN1

type ResponseASN1 struct {
	ResponseStatus asn1.Enumerated
	ResponseBytes  ResponseBytes `asn1:"explicit,tag:0,optional"`
}

ResponseASN1 - corresponds to OCSPResponse struct in 4.2.1 of RFC 6960

type ResponseBytes

type ResponseBytes struct {
	ResponseType asn1.ObjectIdentifier
	Response     []byte
}

ResponseBytes - ASN1 struct for storing response data

type ResponseData

type ResponseData struct {
	Raw            asn1.RawContent // added for our use
	Version        int             `asn1:"optional,default:0,explicit,tag:0"`
	RawResponderID asn1.RawValue
	ProducedAt     time.Time `asn1:"generalized"`
	Responses      []SingleResponse
}

ResponseData - ASN1 struct defined in RFC 6960 4.2.1

type ResponseError

type ResponseError struct {
	Status ResponseStatus
}

ResponseError respresents OCSP response status codes

func (ResponseError) Error

func (r ResponseError) Error() string

type ResponseStatus

type ResponseStatus int

ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3

const Success ResponseStatus = 0

Success - OCSP Responder signals that response is successful

func (*ResponseStatus) MarshalJSON

func (code *ResponseStatus) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshler interface

func (*ResponseStatus) String

func (code *ResponseStatus) String() string

func (*ResponseStatus) UnmarshalJSON

func (code *ResponseStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type RevokedInfo

type RevokedInfo struct {
	RevocationTime   time.Time       `asn1:"generalized"`
	RevocationReason asn1.Enumerated `asn1:"explicit,tag:0,optional"`
}

RevokedInfo - ASN1 struct defined in RFC 6960 4.2.1

type SingleResponse

type SingleResponse struct {
	CertID           CertID
	Good             asn1.Flag        `asn1:"tag:0,optional"`
	Revoked          RevokedInfo      `asn1:"tag:1,optional"`
	Unknown          asn1.Flag        `asn1:"tag:2,optional"`
	ThisUpdate       time.Time        `asn1:"generalized"`
	NextUpdate       time.Time        `asn1:"generalized,explicit,tag:0,optional"`
	SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"`
}

SingleResponse - ASN1 struct defined in RFC 6960 4.2.1

type TBSRequest

type TBSRequest struct {
	Version       int              `asn1:"explicit,tag:0,default:0,optional"`
	RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"`
	RequestList   []Request
}

TBSRequest - represents to-be-signed OCSP Request. See RFC 6960 4.1.1.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL