Hide implementation detail in ocsp package

3 years ago · ffa5a14a72
parent 8f3d5e8e7b
commit ffa5a14a72
2 changed files with 18 additions and 5 deletions
--- a/pkg/ocsp/ocsp.go
+++ b/pkg/ocsp/ocsp.go
@ -44,6 +44,7 @@ import (
 )

 var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
+var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})

 // ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3
 type ResponseStatus int
@ -356,7 +357,7 @@ type Request struct {
 func (req *Request) Marshal() ([]byte, error) {
 	hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
 	if hashAlg == nil {
-		return nil, errors.New("Unknown hash algorithm")
+		return nil, errors.New("unknown hash algorithm")
 	}

 	request, err := asn1.Marshal(ocspRequest{
@ -426,6 +427,11 @@ type Response struct {
 	// ExtraExtensions field is not populated when parsing certificates, see
 	// Extensions.
 	ExtraExtensions []pkix.Extension
+
+	// SupportExtendedRevoke is used to notify the requester that extended revoke
+	// is supported as specified in
+	// https://www.rfc-editor.org/rfc/rfc6960.html#section-4.4.8
+	SupportExtendedRevoke bool
 }

 // These are pre-serialized error responses for the various non-success codes
@ -752,7 +758,6 @@ func CreateResponse(
 	issuer, responderCert *x509.Certificate,
 	template Response,
 	priv crypto.Signer,
-	extensions []pkix.Extension,
 ) ([]byte, error) {
 	var publicKeyInfo struct {
 		Algorithm pkix.AlgorithmIdentifier
@ -819,6 +824,16 @@ func CreateResponse(
 		IsCompound: true,
 		Bytes:      responderCert.RawSubject,
 	}
+
+	var extensions []pkix.Extension
+
+	if template.SupportExtendedRevoke {
+		extensions = append(
+			extensions,
+			pkix.Extension{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes},
+		)
+	}
+
 	tbsResponseData := responseData{
 		Version:            0,
 		RawResponderID:     rawResponderID,
--- a/pkg/ocspsource/ocspsource.go
+++ b/pkg/ocspsource/ocspsource.go
@ -43,8 +43,6 @@ type CertificateUpdate struct {
 	RevocationReason int
 }

-var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})
-
 type CertificateDatabase interface {
 	LookupResponseTemplate(*big.Int) *ocsp.Response
 	UpdateCertificate(*CertificateUpdate)
@ -112,13 +110,13 @@ func (i *CertificateIssuer) buildResponse(template *ocsp.Response) ([]byte, erro
 	template.ThisUpdate = time.Now()
 	template.NextUpdate = time.Now().Add(time.Hour)
 	template.Certificate = i.responderCertificate
+	template.SupportExtendedRevoke = true

 	response, err := ocsp.CreateResponse(
 		i.caCertificate,
 		i.responderCertificate,
 		*template,
 		i.responderKey,
-		[]pkix.Extension{{Id: idPKIXOCSPExtendedRevoke, Value: nil, Critical: false}},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("could not create final OCSP response: %w", err)