ErrNotFound indicates the requested OCSP response was not found. It is used to indicate that the responder should reply with unauthorizedErrorResponse.
var ErrNotFound = errors.New("request OCSP Response not found")
func NewFilterSource(issuerCerts []*issuance.Certificate, serialPrefixes []string, wrapped Source, stats prometheus.Registerer, log blog.Logger, clk clock.Clock) (*filterSource, error)
NewFilterSource returns a filterSource which performs various checks on the OCSP requests sent to the wrapped Source, and the OCSP responses returned by it.
func NewMemorySource(responses map[string]*Response, logger blog.Logger) (*inMemorySource, error)
NewMemorySource returns an initialized InMemorySource which simply looks up responses from an in-memory map based on the serial number in the request.
func NewMemorySourceFromFile(responseFile string, logger blog.Logger) (*inMemorySource, error)
NewMemorySourceFromFile reads the named file into an InMemorySource. The file read by this function must contain whitespace-separated OCSP responses. Each OCSP response must be in base64-encoded DER form (i.e., PEM without headers or whitespace). Invalid responses are ignored. This function pulls the entire file into an InMemorySource.
func SampledError(log blog.Logger, sampleRate int, format string, a ...interface{})
A Responder object provides an HTTP wrapper around a Source.
type Responder struct {
	Source Source
	// contains filtered or unexported fields
}
func NewResponder(source Source, timeout time.Duration, stats prometheus.Registerer, logger blog.Logger, sampleRate int) *Responder
NewResponder instantiates a Responder with the given Source.
func (rs Responder) ServeHTTP(response http.ResponseWriter, request *http.Request)
ServeHTTP is a Responder that can process both GET and POST requests. The mapping from an OCSP request to an OCSP response is done by the Source; the Responder simply decodes the request, and passes back whatever response is provided by the source. The Responder will set these headers:
    Cache-Control: "max-age=(response.NextUpdate-now), public, no-transform, must-revalidate",
    Last-Modified: response.ThisUpdate,
    Expires: response.NextUpdate,
    ETag: the SHA256 hash of the response, and
    Content-Type: application/ocsp-response.
Note: The caller must use http.StripPrefix to strip any path components (including '/') on GET requests. Do not use this responder in conjunction with http.NewServeMux, because the default handler will try to canonicalize path components by changing any strings of repeated '/' into a single '/', which will break the base64 encoding.
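The effect described in the note above, as an added example that is not part of this package: the same handler is mounted once with http.StripPrefix alone and once behind http.NewServeMux, then sent a GET path whose base64 contains repeated '/'. The standIn handler, the /ocsp/ prefix and the sample bytes are assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed bytes (not a real OCSP request) whose base64 form is "MAP///8A".
var sample = []byte{0x30, 0x03, 0xff, 0xff, 0xff, 0x00}

// standIn is a hypothetical substitute for Responder: it base64-decodes the
// remaining path and answers 200 only if the decoded bytes match sample.
var standIn = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	got, err := base64.StdEncoding.DecodeString(r.URL.Path)
	if err != nil || !bytes.Equal(got, sample) {
		http.Error(w, "malformed request", http.StatusBadRequest)
	}
})

// get sends GET path to h and returns the status code and Location header.
func get(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Header().Get("Location")
}

// direct mounts the handler as the note advises: StripPrefix, no ServeMux.
func direct() http.Handler { return http.StripPrefix("/ocsp/", standIn) }

// viaMux mounts the same handler behind http.NewServeMux.
func viaMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/ocsp/", direct())
	return mux
}

func main() {
	path := "/ocsp/" + base64.StdEncoding.EncodeToString(sample)
	code, _ := get(direct(), path)
	fmt.Println("direct:", code) // request reaches the handler intact
	code, loc := get(viaMux(), path)
	fmt.Println("mux:", code, "->", loc) // redirected to a cleaned path
	code, _ = get(viaMux(), loc) // what a redirect-following client sends next
	fmt.Println("after redirect:", code)
}
```

The mux never passes the original path to the handler; a client that follows the redirect sends a path that no longer decodes to the original request.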
Response is a wrapper around the standard library's *ocsp.Response, but it also carries with it the raw bytes of the encoded response.
type Response struct {
	*ocsp.Response
	Raw []byte
}
Source represents the logical source of OCSP responses, i.e., the logic that actually chooses a response based on a request.
type Source interface {
	Response(context.Context, *ocsp.Request) (*Response, error)
}