github.com/ztalab/ZACA@v0.0.1/pkg/caclient/ocsp_impl.go

github.com/ztalab/ZACA@v0.0.1/pkg/caclient/ocsp_impl.go (about)

     1  package caclient
     2  
     3  import (
     4  	"bytes"
     5  	"crypto"
     6  	"crypto/x509"
     7  	"fmt"
     8  	"io/ioutil"
     9  	"net/http"
    10  	"sync/atomic"
    11  
    12  	"golang.org/x/crypto/ocsp"
    13  	"golang.org/x/sync/singleflight"
    14  
    15  	"github.com/pkg/errors"
    16  	"github.com/ztalab/ZACA/pkg/logger"
    17  )
    18  
    19  var ocspBlockSign int64 = 0
    20  
    21  var sg = new(singleflight.Group)
    22  
    23  var ocspOpts = ocsp.RequestOptions{
    24  	Hash: crypto.SHA1,
    25  }
    26  
    27  func SendOcspRequest(server string, req []byte, leaf, issuer *x509.Certificate) (*ocsp.Response, error) {
    28  	if server == "" {
    29  		server = leaf.OCSPServer[0]
    30  	}
    31  	var resp *http.Response
    32  	var err error
    33  	buf := bytes.NewBuffer(req)
    34  	resp, err = httpClient.Post(server, "application/ocsp-request", buf)
    35  
    36  	if err != nil {
    37  		return nil, err
    38  	}
    39  
    40  	body, err := ioutil.ReadAll(resp.Body)
    41  	if err != nil {
    42  		return nil, err
    43  	}
    44  	defer resp.Body.Close()
    45  
    46  	if resp.StatusCode != http.StatusOK {
    47  		logger.With("url", server, resp.Status, "body", string(body)).
    48  			Warnf("Request error")
    49  		return nil, fmt.Errorf("ocsp response err: %v", resp.Status)
    50  	}
    51  
    52  	switch {
    53  	case bytes.Equal(body, ocsp.UnauthorizedErrorResponse):
    54  		return nil, errors.New("OSCP unauthorized")
    55  	case bytes.Equal(body, ocsp.MalformedRequestErrorResponse):
    56  		return nil, errors.New("OSCP malformed")
    57  	case bytes.Equal(body, ocsp.InternalErrorErrorResponse):
    58  		return nil, errors.New("OSCP internal error")
    59  	case bytes.Equal(body, ocsp.TryLaterErrorResponse):
    60  		return nil, errors.New("OSCP try later")
    61  	case bytes.Equal(body, ocsp.SigRequredErrorResponse):
    62  		return nil, errors.New("OSCP signature required")
    63  	}
    64  
    65  	parsedOcspResp, err := ocsp.ParseResponseForCert(body, leaf, issuer)
    66  	if err != nil {
    67  		logger.With("body", string(body)).Errorf("ocsp Parsing error: %v", err)
    68  		return nil, errors.Wrap(err, "ocsp Parsing error")
    69  	}
    70  
    71  	return parsedOcspResp, nil
    72  }
    73  
    74  // BlockOcspRequests Blocking OCSP requests will cause the MTLs handshake to fail
    75  func BlockOcspRequests() {
    76  	atomic.StoreInt64(&ocspBlockSign, 1)
    77  }
    78  
    79  // AllowOcspRequests
    80  func AllowOcspRequests() {
    81  	atomic.StoreInt64(&ocspBlockSign, 0)
    82  }