7 package ocsp
8
9 import (
10 "crypto/x509"
11 "errors"
12 "fmt"
13 "net/http"
14
15 "go.mongodb.org/mongo-driver/internal/httputil"
16 "golang.org/x/crypto/ocsp"
17 )
18
// config is the per-verification state derived from a TLS-verified
// certificate chain and the caller's VerifyOptions (see newConfig).
type config struct {
	// serverCert is the leaf certificate whose revocation status is checked
	// (certChain[0] in newConfig).
	serverCert *x509.Certificate
	// issuer is the certificate the OCSP request is built against: the
	// second certificate of the verified chain, or the leaf itself when the
	// chain holds a single certificate.
	issuer *x509.Certificate
	// cache is copied from VerifyOptions.Cache; it is consumed outside this
	// file.
	cache Cache
	// disableEndpointChecking is copied from
	// VerifyOptions.DisableEndpointChecking; it is consumed outside this file.
	disableEndpointChecking bool
	// ocspRequest is the parsed form of ocspRequestBytes.
	ocspRequest *ocsp.Request
	// ocspRequestBytes is the DER-encoded OCSP request for serverCert/issuer.
	ocspRequestBytes []byte
	// httpClient is VerifyOptions.HTTPClient, or httputil.DefaultHTTPClient
	// when none was supplied.
	httpClient *http.Client
}
27
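// newConfig derives the OCSP verification state for a TLS-verified
// certificate chain.
//
// certChain must be the chain as verified by the TLS layer, leaf first:
// certChain[0] is the server certificate and certChain[1], when present, is
// its issuer. opts supplies the cache, the endpoint-checking switch and an
// optional HTTP client; a nil HTTPClient falls back to
// httputil.DefaultHTTPClient.
//
// It returns an error when opts is nil, the chain is empty, the leaf is not
// signed by the issuer taken from the chain, or the OCSP request cannot be
// created or parsed. Underlying errors are wrapped with %w, so callers can
// inspect them with errors.Is / errors.As.
func newConfig(certChain []*x509.Certificate, opts *VerifyOptions) (config, error) {
	var cfg config

	// Guard the dereference below: a nil opts would otherwise panic inside
	// the TLS verification path instead of surfacing as an error.
	if opts == nil {
		return cfg, errors.New("OCSP verify options must not be nil")
	}
	cfg.cache = opts.Cache
	cfg.disableEndpointChecking = opts.DisableEndpointChecking
	cfg.httpClient = opts.HTTPClient
	if cfg.httpClient == nil {
		cfg.httpClient = httputil.DefaultHTTPClient
	}

	if len(certChain) == 0 {
		return cfg, errors.New("verified certificate chain contained no certificates")
	}

	// A single-certificate chain has no separate issuer, so the leaf acts as
	// its own issuer. No signature check is done here in that case; the TLS
	// layer has already verified the chain.
	cfg.serverCert = certChain[0]
	cfg.issuer = certChain[0]
	if len(certChain) > 1 {
		// In a verified chain the certificate after the leaf is its issuer.
		// Re-check the signature so the OCSP request is never built against
		// a certificate that did not actually sign the leaf.
		cfg.issuer = certChain[1]
		if err := cfg.serverCert.CheckSignatureFrom(cfg.issuer); err != nil {
			// %w keeps the signature error inspectable by callers; the
			// rendered message is the same as with %v.
			return cfg, fmt.Errorf("error checking if server certificate is signed by the issuer in the verified chain: %w", err)
		}
	}

	// nil request options: the library's defaults are used. The encoded
	// request is kept alongside its parsed form.
	var err error
	cfg.ocspRequestBytes, err = ocsp.CreateRequest(cfg.serverCert, cfg.issuer, nil)
	if err != nil {
		return cfg, fmt.Errorf("error creating OCSP request: %w", err)
	}
	cfg.ocspRequest, err = ocsp.ParseRequest(cfg.ocspRequestBytes)
	if err != nil {
		return cfg, fmt.Errorf("error parsing OCSP request bytes: %w", err)
	}

	return cfg, nil
}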
69