Hide implementation detail in ocsp package
This commit is contained in:
parent
8f3d5e8e7b
commit
ffa5a14a72
2 changed files with 18 additions and 5 deletions
@ -44,6 +44,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
|
var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
|
||||||
|
var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})
|
||||||
|
|
||||||
// ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3
|
// ResponseStatus contains the result of an OCSP request. See https://tools.ietf.org/html/rfc6960#section-2.3
|
||||||
type ResponseStatus int
|
type ResponseStatus int
|
||||||
|
@ -356,7 +357,7 @@ type Request struct {
|
||||||
func (req *Request) Marshal() ([]byte, error) {
|
func (req *Request) Marshal() ([]byte, error) {
|
||||||
hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
|
hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
|
||||||
if hashAlg == nil {
|
if hashAlg == nil {
|
||||||
return nil, errors.New("Unknown hash algorithm")
|
return nil, errors.New("unknown hash algorithm")
|
||||||
}
|
}
|
||||||
|
|
||||||
request, err := asn1.Marshal(ocspRequest{
|
request, err := asn1.Marshal(ocspRequest{
|
||||||
|
@ -426,6 +427,11 @@ type Response struct {
|
||||||
// ExtraExtensions field is not populated when parsing certificates, see
|
// ExtraExtensions field is not populated when parsing certificates, see
|
||||||
// Extensions.
|
// Extensions.
|
||||||
ExtraExtensions []pkix.Extension
|
ExtraExtensions []pkix.Extension
|
||||||
|
|
||||||
|
// SupportExtendedRevoke is used to notify the requester that extended revoke
|
||||||
|
// is supported as specified in
|
||||||
|
// https://www.rfc-editor.org/rfc/rfc6960.html#section-4.4.8
|
||||||
|
SupportExtendedRevoke bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// These are pre-serialized error responses for the various non-success codes
|
// These are pre-serialized error responses for the various non-success codes
|
||||||
|
@ -752,7 +758,6 @@ func CreateResponse(
|
||||||
issuer, responderCert *x509.Certificate,
|
issuer, responderCert *x509.Certificate,
|
||||||
template Response,
|
template Response,
|
||||||
priv crypto.Signer,
|
priv crypto.Signer,
|
||||||
extensions []pkix.Extension,
|
|
||||||
) ([]byte, error) {
|
) ([]byte, error) {
|
||||||
var publicKeyInfo struct {
|
var publicKeyInfo struct {
|
||||||
Algorithm pkix.AlgorithmIdentifier
|
Algorithm pkix.AlgorithmIdentifier
|
||||||
|
@ -819,6 +824,16 @@ func CreateResponse(
|
||||||
IsCompound: true,
|
IsCompound: true,
|
||||||
Bytes: responderCert.RawSubject,
|
Bytes: responderCert.RawSubject,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var extensions []pkix.Extension
|
||||||
|
|
||||||
|
if template.SupportExtendedRevoke {
|
||||||
|
extensions = append(
|
||||||
|
extensions,
|
||||||
|
pkix.Extension{Id: idPKIXOCSPExtendedRevoke, Value: asn1.NullBytes},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
tbsResponseData := responseData{
|
tbsResponseData := responseData{
|
||||||
Version: 0,
|
Version: 0,
|
||||||
RawResponderID: rawResponderID,
|
RawResponderID: rawResponderID,
|
||||||
|
|
|
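Review bot: With the `extensions` parameter dropped from `CreateResponse` (`@ -752` hunk), the `extensions` slice built in the `@ -819` hunk is the only remaining path into the response-level extensions, so callers that used to pass their own lose that ability; if that is intended, the new `SupportExtendedRevoke` field (`@ -426` hunk) should say so, e.g. `// SupportExtendedRevoke, when set, makes CreateResponse add the id-pkix-ocsp-extended-revoke response extension (RFC 6960 §4.4.8).` Whether ParseResponse populates the field when the extension is present is not visible here; the neighbouring ExtraExtensions comment documents exactly that asymmetry, so the new comment should state it one way or the other once confirmed. The encoded extension also changes on the wire from the `Value: nil` the visible caller used to pass to `asn1.NullBytes`, which is the NULL value the RFC prescribes but is a silent encoding change the commit message does not mention; a unit test that parses a created response and checks the extension is present, non-critical and equal to `asn1.NullBytes` would pin it. The `tbsResponseData` literal and the rest of CreateResponse continue outside the hunk, so I could not confirm that the local `extensions` is actually consumed there.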
@ -43,8 +43,6 @@ type CertificateUpdate struct {
|
||||||
RevocationReason int
|
RevocationReason int
|
||||||
}
|
}
|
||||||
|
|
||||||
var idPKIXOCSPExtendedRevoke = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 9})
|
|
||||||
|
|
||||||
type CertificateDatabase interface {
|
type CertificateDatabase interface {
|
||||||
LookupResponseTemplate(*big.Int) *ocsp.Response
|
LookupResponseTemplate(*big.Int) *ocsp.Response
|
||||||
UpdateCertificate(*CertificateUpdate)
|
UpdateCertificate(*CertificateUpdate)
|
||||||
|
@ -112,13 +110,13 @@ func (i *CertificateIssuer) buildResponse(template *ocsp.Response) ([]byte, erro
|
||||||
template.ThisUpdate = time.Now()
|
template.ThisUpdate = time.Now()
|
||||||
template.NextUpdate = time.Now().Add(time.Hour)
|
template.NextUpdate = time.Now().Add(time.Hour)
|
||||||
template.Certificate = i.responderCertificate
|
template.Certificate = i.responderCertificate
|
||||||
|
template.SupportExtendedRevoke = true
|
||||||
|
|
||||||
response, err := ocsp.CreateResponse(
|
response, err := ocsp.CreateResponse(
|
||||||
i.caCertificate,
|
i.caCertificate,
|
||||||
i.responderCertificate,
|
i.responderCertificate,
|
||||||
*template,
|
*template,
|
||||||
i.responderKey,
|
i.responderKey,
|
||||||
[]pkix.Extension{{Id: idPKIXOCSPExtendedRevoke, Value: nil, Critical: false}},
|
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not create final OCSP response: %w", err)
|
return nil, fmt.Errorf("could not create final OCSP response: %w", err)
|
||||||
|
|
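Review bot: `template.SupportExtendedRevoke = true` in the `@ -112` hunk is set unconditionally for every response, which as I read RFC 6960 §4.4.8 advertises that this responder reports serials it never issued as `revoked` with the reserved revocation time rather than `unknown`; whether `LookupResponseTemplate` actually does that is outside the hunk, so confirm it, otherwise the advertised semantics and the returned statuses diverge. A comment above the assignment would record that contract: `// Advertise RFC 6960 §4.4.8 extended revoke: unissued serials must be reported as revoked, not unknown.` The `@ -43` hunk removes the only visible use of `asn1` and this hunk the only visible use of `pkix`, yet no import hunk appears for this file, so either both packages are still used elsewhere in it or the build now fails on unused imports; worth a `go build` check. buildResponse starts before the hunk.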