This change adds a function to select the correct response from a responder
that includes multiple certificates in the case the server uses response
pre-generation.
RFC6960 section 4.2.2 states:
"The response MUST include a SingleResponse for each certificate in
the request. The response SHOULD NOT include any additional
SingleResponse elements, but, for example, OCSP responders that
pre-generate status responses might include additional SingleResponse
elements if necessary to improve response pre-generation performance
or cache efficiency (according to [RFC5019], Section 2.2.1)."
Change-Id: I39eeaa3daf16a7d7eb030e34229f16cf4295f9d7
Reviewed-on: https://go-review.googlesource.com/10611
Reviewed-by: Russ Cox <rsc@golang.org>
Tests that Marshaling a parsed response
returns the same bytes as were parsed.
Use Marshal in CreateRequest;
still passes CreateRequest's golden test.
Change-Id: I427ef8372d7b62c43b7718d7d90631d022377d32
Reviewed-on: https://go-review.googlesource.com/19488
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
ASN.1 specification of `ResponseData` is:
ResponseData ::= SEQUENCE {
    version [0] EXPLICIT Version DEFAULT v1,
    responderID ResponderID,
    producedAt GeneralizedTime,
    responses SEQUENCE OF SingleResponse,
    responseExtensions [1] EXPLICIT Extensions OPTIONAL }
Where `Version` is:
Version ::= INTEGER { v1(0) }
An invalid default value results in the presence of a field that otherwise
should not be present.
See: https://github.com/openssl/openssl/issues/1297
Fixes: golang/#16321
Change-Id: Ibb065a67624e1877cfbe62e0483d781d783f74f0
Reviewed-on: https://go-review.googlesource.com/24841
Reviewed-by: Adam Langley <agl@golang.org>
The typos were found by misspell tool.
Change-Id: I120740f12f7ba48330749ebf84050a7b98e01016
Reviewed-on: https://go-review.googlesource.com/24725
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Previously, OCSP errors (like “malformed request”, not “that certificate
is revoked”) were intended to result in a Response being returned with
Status set to ServerFailed. However, since an “optional” tag was missing
in the ASN.1, a parse error was actually returned.
This CL changes that behaviour so that ParseResponse will now return an
error for these responses. That error will be a ResponseError, allowing
callers to find the exact error code.
Change-Id: I4f8ae5ba39203c2c204fb1d65471d1427bf68b25
Reviewed-on: https://go-review.googlesource.com/18944
Reviewed-by: Adam Langley <agl@golang.org>
Some current uses of OCSP require extensions. In particular, Certificate
Transparency (RFC 6962) can use an OCSP extension to carry a Signed
Certificate Timestamp. This patch adds support for OCSP extensions (in
particular, singleExtensions), by adding Extensions and ExtraExtensions
fields with the same semantics as in x509.Certificate.
As a side-effect, trying to parse a response with a critical extension
will now return an error, just like parsing a certificate.
This change does not enable extensions in OCSP requests, just responses.
Change-Id: I5918f26ea1bb9d1ece96e85a6bb7691c7c017467
Reviewed-on: https://go-review.googlesource.com/18202
Reviewed-by: Adam Langley <agl@golang.org>
In the initial patch enabling generation of OCSP responses, the Reason
field in the revokedInfo struct used for serializing responses was set
to type int. That type maps to the ASN.1 type INTEGER, not ENUMERATED,
as required by RFC 6960. As a result, if you serialize an OCSP
response with the Reason field populated, then it will be rejected as
malformed by compliant OCSP parsers.
This patch changes the type of the Reason field in revokedInfo to
asn1.Enumerated. It leaves the RevocationReason field in the public
Response struct as int, and converts between the two. The patch
also adds constants for the defined revocation reasons.
Change-Id: I97205319503f447cde12d9a0bb0bd1a8db7a66ee
Reviewed-on: https://go-review.googlesource.com/13964
Reviewed-by: Adam Langley <agl@golang.org>
The current implementation is not compliant with the ASN.1 structure
for an OCSP response in RFC 6960. In the RFC, the "revoked" field is
marked "implicit". The "explicit" tag in the current struct causes
the encoder to emit an additional SEQUENCE, which causes some parsers
(notably OpenSSL) to reject OCSP responses as malformed. This patch
simply removes the "explicit" tag, so that the emitted DER is
compliant with the RFC.
Change-Id: Ifa65a73a8d24f08fe3c2794309df772edc8bb114
Reviewed-on: https://go-review.googlesource.com/13572
Reviewed-by: Adam Langley <agl@golang.org>
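The three encoding mismatches described in the commit messages above (a Version default that is not v1(0), a Reason field typed int so it encodes as INTEGER rather than ENUMERATED, and an explicit rather than implicit tag on the revoked field) can be seen directly in the bytes encoding/asn1 emits. This is an added example, not code from x/crypto/ocsp; the struct and field names are constructed stand-ins for the relevant parts of ResponseData, RevokedInfo and CertStatus.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins (not the x/crypto/ocsp structs). Each pair shows a
// struct tag that disagrees with RFC 6960 beside the one the RFC calls for;
// the type and field names are assumptions made for this example.
// version [0] EXPLICIT Version DEFAULT v1, and Version ::= INTEGER { v1(0) }.
type headWrongDefault struct {
	Version    int `asn1:"optional,explicit,default:1,tag:0"` // default is not v1(0)
	ProducedAt int
}
type headRightDefault struct {
	Version    int `asn1:"optional,explicit,default:0,tag:0"` // matches v1(0)
	ProducedAt int
}
// revocationReason [0] EXPLICIT CRLReason OPTIONAL; CRLReason is ENUMERATED.
type revokedInt struct {
	Reason int `asn1:"optional,explicit,tag:0"` // emits INTEGER (tag 0x02)
}
type revokedEnum struct {
	Reason asn1.Enumerated `asn1:"optional,explicit,tag:0"` // ENUMERATED (0x0a)
}
// revoked [1] IMPLICIT RevokedInfo; "explicit" adds a SEQUENCE wrapper.
type statusExplicit struct {
	Revoked revokedEnum `asn1:"optional,explicit,tag:1"`
}
type statusImplicit struct {
	Revoked revokedEnum `asn1:"optional,tag:1"`
}

// derHex marshals v and returns its DER as hex; every input is a fixed sample.
func derHex(v interface{}) string {
	der, err := asn1.Marshal(v)
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(der)
}

func main() {
	fmt.Println(derHex(headWrongDefault{0, 5}), derHex(headRightDefault{0, 5}))
	fmt.Println(derHex(revokedInt{1}), derHex(revokedEnum{1}))
	fmt.Println(derHex(statusExplicit{revokedEnum{1}}), derHex(statusImplicit{revokedEnum{1}}))
}
```

With Version set to 0, only the corrected default omits the [0] element; the int Reason encodes with universal tag 0x02 where a compliant parser expects 0x0a, and the explicit revoked field gains a nested 0x30 SEQUENCE that the implicit form does not have.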
OCSP responders sometimes rely on pre-generated responses to increase
performance. In such cases, RFC 5019 allows responders to respond with
responseStatus unauthorized if they do not have a pre-generated response for
a certificate. This patch provides a pre-serialized unauthorized response.
This change also updates the serialization of OCSP responses so that the
resulting DER encoding is compatible with other parsers.
Note: This change depends on updates to encoding/asn1 to improve handling
of flags and time values.
https://go-review.googlesource.com/#/c/5970/
Change-Id: I77e042de6535a70b0996e058cb38a00076a16dd4
Reviewed-on: https://go-review.googlesource.com/4121
Reviewed-by: Adam Langley <agl@golang.org>
If the system is using UTC, then time.Now().loc != time.UTC().loc,
so it should not use reflect.DeepEqual to compare two times.
While we're here, also fix some copy-paste errors.
Change-Id: I1fef5f22f5b5eb978746d2695a1b43f153e4a408
Reviewed-on: https://go-review.googlesource.com/10335
Reviewed-by: Adam Langley <agl@golang.org>
The current content of the ocsp module is focused on the processing needed to implement an OCSP client: it only implements request generation and response parsing.
This change adds response generation and request parsing.
Change-Id: Idf6f4e69af504520f2b58340734e45cd92bb3d60
Reviewed-on: https://go-review.googlesource.com/3666
Reviewed-by: Adam Langley <agl@golang.org>
Paul van Brouwershaven pointed out that it would be better to pass in
the issuing certificate and have the verification be done in the OCSP
package than to expect the caller to deal with the difference between
responses with and without a responder certificate.
R=golang-dev, dayveday, paul
CC=golang-dev
https://golang.org/cl/11220043
Some OCSP responses (notably COMODO's) don't use an intermediate
certificate to sign OCSP responses so this change allowed that.
Additionally, a CreateRequest function is added for creating OCSP
requests.
This change makes one API change: SerialNumber becomes a *big.Int to
match crypto/x509. The original code dates to before encoding/asn1
could cope with big.Ints and using a []byte was a workaround for that.
R=golang-dev
CC=golang-dev
https://golang.org/cl/10402043
Manual edits to README.
Moved from main Go repository, deleted Makefiles, ran gofix -r go1rename.
Tested with: go test code.google.com/p/go.crypto/...
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5564059