Skip to content

SSLMate/ocsputil

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

software.sslmate.com/src/ocsputil

software.sslmate.com/src/ocsputil is a Go package that provides convenience functions for OCSP checking. It's mostly a wrapper around golang.org/x/crypto/ocsp.

The ocsputil.Evaluate function evaluates the reliability of a certificate's OCSP responder, and is used by OCSP Watch.

View GoDocs

evalocsp

evalocsp is a command line tool that evaluates the reliability of a certificate's OCSP responder using ocsputil.Evaluate.

Install it with: go install software.sslmate.com/src/ocsputil/cmd/evalocsp@latest

Input (on stdin): Two PEM-encoded certificates - the certificate whose OCSP responder should be evaluated, followed by its issuer. The first certificate may be a precertificate, but if it's signed by a dedicated precert signing CA, then the second certificate must be the issuer of the final certificate rather than the precertificate. Extra certificates and non-certificate data are ignored.

Output (on stdout): A JSON object with the following fields:

Field Name Description
error null if the OCSP check was successful, or the error, as a string.
responder_url The URL of the OCSP responder.
request_bytes The bytes of the OCSP request, as a base64-encoded string.
response_bytes The bytes of the OCSP response, as a base64-encoded string.
response_time The length of time which the OCSP responder took to respond, formatted as a time.Duration string.

If error is null, then the other fields are non-null. If error is non-null, then any of the other fields may be null depending on the nature of the error.

Go 1.18 Bug

Go 1.18 accidentally banned SHA-1-signed OCSP responses, which can still be found in the WebPKI. To avoid this bug, use Go 1.18.1 or higher.