Hide implementation detail in ocsp package
This commit is contained in:
parent
8f3d5e8e7b
commit
ffa5a14a72
2 changed files with 18 additions and 5 deletions
|
@ -44,6 +44,7 @@ import (
|
|||
)
|
||||
|
||||
var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
|
||||
var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})
|
||||
|
||||
// ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3
|
||||
type ResponseStatus int
|
||||
|
@ -356,7 +357,7 @@ type Request struct {
|
|||
func (req *Request) Marshal() ([]byte, error) {
|
||||
hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
|
||||
if hashAlg == nil {
|
||||
return nil, errors.New("Unknown hash algorithm")
|
||||
return nil, errors.New("unknown hash algorithm")
|
||||
}
|
||||
|
||||
request, err := asn1.Marshal(ocspRequest{
|
||||
|
@ -426,6 +427,11 @@ type Response struct {
|
|||
// ExtraExtensions field is not populated when parsing certificates, see
|
||||
// Extensions.
|
||||
ExtraExtensions []pkix.Extension
|
||||
|
||||
// SupportExtendedRevoke is used to notify the requester that extended revoke
|
||||
// is supported as specified in
|
||||
// https://www.rfc-editor.org/rfc/rfc6960.html#section-4.4.8
|
||||
SupportExtendedRevoke bool
|
||||
}
|
||||
|
||||
// These are pre-serialized error responses for the various non-success codes
|
||||
|
@ -752,7 +758,6 @@ func CreateResponse(
|
|||
issuer, responderCert *x509.Certificate,
|
||||
template Response,
|
||||
priv crypto.Signer,
|
||||
extensions []pkix.Extension,
|
||||
) ([]byte, error) {
|
||||
var publicKeyInfo struct {
|
||||
Algorithm pkix.AlgorithmIdentifier
|
||||
|
@ -819,6 +824,16 @@ func CreateResponse(
|
|||
IsCompound: true,
|
||||
Bytes: responderCert.RawSubject,
|
||||
}
|
||||
|
||||
var extensions []pkix.Extension
|
||||
|
||||
if template.SupportExtendedRevoke {
|
||||
extensions = append(
|
||||
extensions,
|
||||
pkix.Extension{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes},
|
||||
)
|
||||
}
|
||||
|
||||
tbsResponseData := responseData{
|
||||
Version: 0,
|
||||
RawResponderID: rawResponderID,
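Review bot: The marker built at `pkix.Extension{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes}` is a response-level extension — RFC 6960 §4.4.8 puts id-pkix-ocsp-extended-revoke in responseExtensions, not in a singleResponse's singleExtensions — and the hunk only shows the local `extensions` slice being filled, not where it is consumed; CreateResponse continues past the hunk, so confirm the slice feeds the responseData extension field rather than the per-certificate one. The same RFC section says the extension MUST NOT be marked critical, which the zero-valued `Critical` satisfies, but nothing tells a reader that is deliberate; I would annotate the literal with `// RFC 6960 §4.4.8: extended-revoke carries a NULL value and MUST NOT be critical.` With exactly one conditional element, the append can also be the plainer `extensions = []pkix.Extension{{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes}}`.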
|
||||
|
|
|
@ -43,8 +43,6 @@ type CertificateUpdate struct {
|
|||
RevocationReason int
|
||||
}
|
||||
|
||||
var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})
|
||||
|
||||
type CertificateDatabase interface {
|
||||
LookupResponseTemplate(*big.Int) *ocsp.Response
|
||||
UpdateCertificate(*CertificateUpdate)
|
||||
|
@ -112,13 +110,13 @@ func (i *CertificateIssuer) buildResponse(template *ocsp.Response) ([]byte, erro
|
|||
template.ThisUpdate = time.Now()
|
||||
template.NextUpdate = time.Now().Add(time.Hour)
|
||||
template.Certificate = i.responderCertificate
|
||||
template.SupportExtendedRevoke = true
|
||||
|
||||
response, err := ocsp.CreateResponse(
|
||||
i.caCertificate,
|
||||
i.responderCertificate,
|
||||
*template,
|
||||
i.responderKey,
|
||||
[]pkix.Extension{{Id: idPKIXOCSPExtendedRevoke, Value: nil, Critical: false}},
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not create final OCSP response: %w", err)
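Review bot: Setting `template.SupportExtendedRevoke = true` unconditionally in buildResponse advertises a behaviour this hunk does not show the issuer honouring: under RFC 6960 §4.4.8 a responder that includes id-pkix-ocsp-extended-revoke is declaring that it answers requests for serial numbers it never issued with a `revoked` status (reason certificateHold, revocationTime 1970-01-01T00:00:00Z) rather than `unknown`. The template comes from `LookupResponseTemplate(*big.Int)`, whose handling of unknown serials is outside this hunk, so confirm that path produces such a response before advertising the extension; otherwise clients that act on the flag will misread this responder's answers. If it already does, a short comment at the assignment, `// Advertise extended revoke: never-issued serials are answered revoked/certificateHold (RFC 6960 §4.4.8).`, would make the contract visible. buildResponse's body continues outside the hunk.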
|
||||
|
|