From ffa5a14a72d5086623290595821b166346ab29e5 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Tue, 29 Mar 2022 19:56:44 +0200 Subject: [PATCH] Hide implementation detail in ocsp package --- pkg/ocsp/ocsp.go | 19 +++++++++++++++++-- pkg/ocspsource/ocspsource.go | 4 +--- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/pkg/ocsp/ocsp.go b/pkg/ocsp/ocsp.go index a2ba199..8afebb9 100644 --- a/pkg/ocsp/ocsp.go +++ b/pkg/ocsp/ocsp.go @@ -44,6 +44,7 @@ import ( ) var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}) +var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9}) // ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3 type ResponseStatus int @@ -356,7 +357,7 @@ type Request struct { func (req *Request) Marshal() ([]byte, error) { hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm) if hashAlg == nil { - return nil, errors.New("Unknown hash algorithm") + return nil, errors.New("unknown hash algorithm") } request, err := asn1.Marshal(ocspRequest{ @@ -426,6 +427,11 @@ type Response struct { // ExtraExtensions field is not populated when parsing certificates, see // Extensions. ExtraExtensions []pkix.Extension + + // SupportExtendedRevoke is used to notify the requester that extended revoke + // is supported as specified in + // https://www.rfc-editor.org/rfc/rfc6960.html#section-4.4.8 + SupportExtendedRevoke bool } // These are pre-serialized error responses for the various non-success codes @@ -752,7 +758,6 @@ func CreateResponse( issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer, - extensions []pkix.Extension, ) ([]byte, error) { var publicKeyInfo struct { Algorithm pkix.AlgorithmIdentifier 
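Review bot: The new package-level `idPKIXOCSPExtendedRevoke` in the first hunk is a bare OID literal with no comment, so its meaning is only recoverable from the RFC link that sits on the Response field several hundred lines away. Add `// idPKIXOCSPExtendedRevoke is id-pkix-ocsp-extended-revoke (RFC 6960 section 4.4.8); CreateResponse appends it to the response extensions when Response.SupportExtendedRevoke is set.` above it, and consider a matching one-liner on `idPKIXOCSPBasic`, or fold both into a single `var ( ... )` block.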
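Review bot: The doc comment on the new `SupportExtendedRevoke` field in the Response struct hunk describes the signal but not the obligation it carries: per RFC 6960 sections 2.2 and 4.4.8 the extension asserts that the responder applies the extended "revoked" definition, i.e. it answers revoked (reason certificateHold, revocationTime 1970-01-01) for serial numbers the CA never issued, so the flag is a promise about the template source, not just an extension toggle. I would extend the comment with `// Setting it makes CreateResponse emit the id-pkix-ocsp-extended-revoke extension; only set it when the backing database really returns revoked for non-issued serials.` The ocspsource hunk sets it unconditionally in buildResponse, and nothing visible in this patch shows that LookupResponseTemplate honours that contract.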
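Review bot: Dropping the `extensions` parameter from `CreateResponse` in the fourth hunk is a breaking API change that also removes the only visible way for a caller to place anything other than id-pkix-ocsp-extended-revoke into responseExtensions, notably the nonce extension of RFC 6960 section 4.4.1 that binds a response to its request and protects against replay of stale responses. If the package deliberately does not support nonces, the function's doc comment should say so; otherwise a variadic tail `extensions ...pkix.Extension` would keep that extensibility while the extended-revoke extension is prepended internally. CreateResponse's body continues outside this hunk, so I cannot see whether the template's ExtraExtensions end up in singleExtensions only, as the "see Extensions" comment suggests.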
@@ -819,6 +824,16 @@ func CreateResponse( IsCompound: true, Bytes: responderCert.RawSubject, } + + var extensions []pkix.Extension + + if template.SupportExtendedRevoke { + extensions = append( + extensions, + pkix.Extension{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes}, + ) + } + tbsResponseData := responseData{ Version: 0, RawResponderID: rawResponderID, diff --git a/pkg/ocspsource/ocspsource.go b/pkg/ocspsource/ocspsource.go index f322986..b5f3f25 100644 --- a/pkg/ocspsource/ocspsource.go +++ b/pkg/ocspsource/ocspsource.go @@ -43,8 +43,6 @@ type CertificateUpdate struct { RevocationReason int } -var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9}) - type CertificateDatabase interface { LookupResponseTemplate(*big.Int) *ocsp.Response UpdateCertificate(*CertificateUpdate) @@ -112,13 +110,13 @@ func (i *CertificateIssuer) buildResponse(template *ocsp.Response) ([]byte, erro template.ThisUpdate = time.Now() template.NextUpdate = time.Now().Add(time.Hour) template.Certificate = i.responderCertificate + template.SupportExtendedRevoke = true response, err := ocsp.CreateResponse( i.caCertificate, i.responderCertificate, *template, i.responderKey, - []pkix.Extension{{Id: idPKIXOCSPExtendedRevoke, Value: nil, Critical: false}}, ) if err != nil { return nil, fmt.Errorf("could not create final OCSP response: %w", err)
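Review bot: The appended extension carries `Value: asn1.NullBytes` and leaves `Critical` false without a comment saying both are mandated, so a later edit may "tidy" either; RFC 6960 section 4.4.8 requires the value to be NULL and the extension to be non-critical, and the replaced ocspsource code shows the `Value: nil` form this commit quietly corrects. Add `// RFC 6960 4.4.8: value SHALL be NULL, MUST NOT be critical, MUST sit in responseExtensions.` above the append so the fix is not undone. The line where `extensions` is written into `tbsResponseData` is below the visible part of the hunk; confirm it lands in responseExtensions rather than a singleResponse extension, which the same section forbids. CreateResponse begins and ends outside this hunk.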