package ocsp

import "github.com/cloudflare/cfssl/ocsp"

Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing. It also provies a basic OCSP responder stack for serving pre-signed OCSP responses.

Package ocsp implements an OCSP responder based on a generic storage backend. It provides a couple of sample implementations. Because OCSP responders handle high query volumes, we have to be careful about how much logging we do. Error-level logs are reserved for problems internal to the server, that can be fixed by an administrator. Any type of incorrect input from a user should be logged and Info or below. For things that are logged on every request, Debug is the appropriate level.

Index ¶

• Variables
• func ReasonStringToCode(reason string) (reasonCode int, err error)
• type DBSource
• func (src DBSource) Response(req *ocsp.Request) ([]byte, http.Header, error)
• type InMemorySource
• func (src InMemorySource) Response(request *ocsp.Request) ([]byte, http.Header, error)
• type Responder
• func NewResponder(source Source, stats Stats) *Responder
• func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)
• type SignRequest
• type Signer
• func NewSigner(issuer, responder *x509.Certificate, key crypto.Signer, interval time.Duration) (Signer, error)
• func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.Duration) (Signer, error)
• type Source
• func NewDBSource(dbAccessor certdb.Accessor) Source
• func NewSourceFromDB(DBConfigFile string) (Source, error)
• func NewSourceFromFile(responseFile string) (Source, error)
• type StandardSigner
• func (s StandardSigner) Sign(req SignRequest) ([]byte, error)
• type Stats

Variables ¶

var (

	// ErrNotFound indicates the request OCSP response was not found. It is used to
	// indicate that the responder should reply with unauthorizedErrorResponse.
	ErrNotFound = errors.New("Request OCSP Response not found")
)

var StatusCode = map[string]int{
	"good":    ocsp.Good,
	"revoked": ocsp.Revoked,
	"unknown": ocsp.Unknown,
}

StatusCode is a map between string statuses sent by cli/api to ocsp int statuses

Functions ¶

func ReasonStringToCode ¶

func ReasonStringToCode(reason string) (reasonCode int, err error)

ReasonStringToCode tries to convert a reason string to an integer code

Types ¶

type DBSource ¶

type DBSource struct {
	Accessor certdb.Accessor
}

DBSource represnts a source of OCSP responses backed by the certdb package.

func (DBSource) Response ¶

func (src DBSource) Response(req *ocsp.Request) ([]byte, http.Header, error)

Response implements cfssl.ocsp.responder.Source, which returns the OCSP response in the Database for the given request with the expiration date furthest in the future.

type InMemorySource ¶

type InMemorySource map[string][]byte

An InMemorySource is a map from serialNumber -> der(response)

func (InMemorySource) Response ¶

func (src InMemorySource) Response(request *ocsp.Request) ([]byte, http.Header, error)

Response looks up an OCSP response to provide for a given request. InMemorySource looks up a response purely based on serial number, without regard to what issuer the request is asking for.

type Responder ¶

type Responder struct {
	Source Source
	// contains filtered or unexported fields
}

A Responder object provides the HTTP logic to expose a Source of OCSP responses.

func NewResponder ¶

func NewResponder(source Source, stats Stats) *Responder

NewResponder instantiates a Responder with the give Source.

func (Responder) ServeHTTP ¶

func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)

A Responder can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.

type SignRequest ¶

type SignRequest struct {
	Certificate *x509.Certificate
	Status      string
	Reason      int
	RevokedAt   time.Time
	Extensions  []pkix.Extension
	// IssuerHash is the hashing function used to hash the issuer subject and public key
	// in the OCSP response. Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384,
	// and crypto.SHA512. If zero, the default is crypto.SHA1.
	IssuerHash crypto.Hash
	// If provided ThisUpdate will override the default usage of time.Now().Truncate(time.Hour)
	ThisUpdate *time.Time
	// If provided NextUpdate will override the default usage of ThisUpdate.Add(signerInterval)
	NextUpdate *time.Time
}

SignRequest represents the desired contents of a specific OCSP response.

type Signer ¶

type Signer interface {
	Sign(req SignRequest) ([]byte, error)
}

Signer represents a general signer of OCSP responses. It is responsible for populating all fields in the OCSP response that are not reflected in the SignRequest.

func NewSigner ¶

func NewSigner(issuer, responder *x509.Certificate, key crypto.Signer, interval time.Duration) (Signer, error)

NewSigner simply constructs a new StandardSigner object from the inputs, taking the interval in seconds

func NewSignerFromFile ¶

func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.Duration) (Signer, error)

NewSignerFromFile reads the issuer cert, the responder cert and the responder key from PEM files, and takes an interval in seconds

type Source ¶

type Source interface {
	Response(*ocsp.Request) ([]byte, http.Header, error)
}

Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request. In order to create an actual responder, wrap one of these in a Responder object and pass it to http.Handle. By default the Responder will set the headers Cache-Control to "max-age=(response.NextUpdate-now), public, no-transform, must-revalidate", Last-Modified to response.ThisUpdate, Expires to response.NextUpdate, ETag to the SHA256 hash of the response, and Content-Type to application/ocsp-response. If you want to override these headers, or set extra headers, your source should return a http.Header with the headers you wish to set. If you don't want to set any extra headers you may return nil instead.

func NewDBSource ¶

func NewDBSource(dbAccessor certdb.Accessor) Source

NewDBSource creates a new DBSource type with an associated dbAccessor.

func NewSourceFromDB ¶

func NewSourceFromDB(DBConfigFile string) (Source, error)

NewSourceFromDB reads the given database configuration file and creates a database data source for use with the OCSP responder

func NewSourceFromFile ¶

func NewSourceFromFile(responseFile string) (Source, error)

NewSourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.

type StandardSigner ¶

type StandardSigner struct {
	// contains filtered or unexported fields
}

StandardSigner is the default concrete type of OCSP signer. It represents a single responder (represented by a key and certificate) speaking for a single issuer (certificate). It is assumed that OCSP responses are issued at a regular interval, which is used to compute the nextUpdate value based on the current time.

func (StandardSigner) Sign ¶

func (s StandardSigner) Sign(req SignRequest) ([]byte, error)

Sign is used with an OCSP signer to request the issuance of an OCSP response.

type Stats ¶

type Stats interface {
	ResponseStatus(ocsp.ResponseStatus)
}

Stats is a basic interface that allows users to record information about returned responses

Source Files ¶

ocsp.go responder.go

Directories ¶