fix OCSP

markus621 · markus621 · commit a71eac0e45eb · 2025-10-25T06:26:19.000+03:00
diff --git a/.lic.yaml b/.lic.yaml
@@ -1,3 +1,5 @@
 author: Mikhail Knyazhev <markus621@yandex.ru>
 lic_short: "BSD 3-Clause"
 lic_file: LICENSE
+ignore_files:
+  - pki/internal/xocsp/ocsp.go
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.25.0
 require (
 	go.osspkg.com/casecheck v0.3.0
 	go.osspkg.com/errors v0.4.0
+	go.osspkg.com/ioutils v0.7.3
 	go.osspkg.com/random v0.5.0
 	go.osspkg.com/syncing v0.4.3
 	golang.org/x/crypto v0.43.0
diff --git a/go.sum b/go.sum
@@ -2,6 +2,8 @@ go.osspkg.com/casecheck v0.3.0 h1:x15blEszElbrHrEH5H02JIIhGIg/lGZzIt1kQlD3pwM=
 go.osspkg.com/casecheck v0.3.0/go.mod h1:TRFXDMFJEOtnlp3ET2Hix3osbxwPWhvaiT/HfD3+gBA=
 go.osspkg.com/errors v0.4.0 h1:E17+WyUzTXEHCTxGm8lOMPOOojzHG1lsOuQtTVGoATQ=
 go.osspkg.com/errors v0.4.0/go.mod h1:s75ZovPemYtrCtRPVsbQNq9MgMbmLMK1NEypr+uwjXI=
+go.osspkg.com/ioutils v0.7.3 h1:QF+Ra0bHoU3MGMGH5PGdV2lRLq1rWPdv/OB+v5UTjkI=
+go.osspkg.com/ioutils v0.7.3/go.mod h1:RO/43IM//Wq8RnLvEzivDAuM37mnLW3eWxTCVmkUaY4=
 go.osspkg.com/random v0.5.0 h1:6x2CQ5Vb6PVyuGi6Ao3K6Pr2fzVviBPCEEJC5HQNSmg=
 go.osspkg.com/random v0.5.0/go.mod h1:lsg3FI87PQdjhVWIVo2GXyPBclipljUxjMlWqRl2cck=
 go.osspkg.com/syncing v0.4.3 h1:XioXG9zje1LNCsfQhNHkNPCQqPSJZHWTzM8Xig2zvAU=
diff --git a/pki/internal/xocsp/ocsp.go b/pki/internal/xocsp/ocsp.go
@@ -1,3 +1,5 @@
+//FORK: golang.org/x/crypto/ocsp
+
 // Copyright 2013 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
@@ -293,10 +295,6 @@ const (
 	Revoked = 1
 	// Unknown means that the OCSP responder doesn't know about the certificate.
 	Unknown = 2
-	// ServerFailed is unused and was never used (see
-	// https://go-review.googlesource.com/#/c/18944). ParseResponse will
-	// return a ResponseError when an error response is parsed.
-	ServerFailed = 3
 )
 
 // The enumerated reasons for revoking a certificate. See RFC 5280.
@@ -327,7 +325,7 @@ type Request struct {
 func (req *Request) Marshal() ([]byte, error) {
 	hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
 	if hashAlg == nil {
-		return nil, errors.New("Unknown hash algorithm")
+		return nil, errors.New("unknown hash algorithm")
 	}
 	return asn1.Marshal(ocspRequest{
 		tbsRequest{
@@ -479,6 +477,8 @@ func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
 // multiple statuses and cert is not nil, then ParseResponseForCert will return
 // the first status which contains a matching serial, otherwise it will return an
 // error. If cert is nil, then the first status in the response will be returned.
+//
+//nolint:gocyclo
 func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) {
 	var resp responseASN1
 	rest, err := asn1.Unmarshal(bytes, &resp)
@@ -687,7 +687,9 @@ func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte
 // If template.IssuerHash is not set, SHA1 will be used.
 //
 // The ProducedAt date is automatically set to the current date, to the nearest minute.
-func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) {
+func CreateResponse(
+	status ResponseStatus, issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer,
+) ([]byte, error) {
 	var publicKeyInfo struct {
 		Algorithm pkix.AlgorithmIdentifier
 		PublicKey asn1.BitString
@@ -792,7 +794,7 @@ func CreateResponse(issuer, responderCert *x509.Certificate, template Response,
 	}
 
 	return asn1.Marshal(responseASN1{
-		Status: asn1.Enumerated(Success),
+		Status: asn1.Enumerated(status),
 		Response: responseBytes{
 			ResponseType: idPKIXOCSPBasic,
 			Response:     responseDER,
diff --git a/pki/ocsp.go b/pki/ocsp.go
@@ -7,89 +7,162 @@ package pki
 
 import (
 	"context"
+	"crypto"
 	"crypto/x509/pkix"
-	"io"
+	"fmt"
+	"math/big"
 	"net/http"
 	"time"
 
+	"go.osspkg.com/ioutils"
+
 	"go.osspkg.com/encrypt/pki/internal/xocsp"
-	"golang.org/x/crypto/ocsp"
 )
 
 type OCSPStatusResolver interface {
-	OCSPStatusResolve(ctx context.Context, r *ocsp.Request) (OCSPStatus, error)
+	OCSPStatusResolve(ctx context.Context, r *OCSPRequest) (*OCSPResponse, error)
 }
 
 type OCSPStatus int
 
 const (
-	OCSPStatusUnknown      OCSPStatus = ocsp.Unknown
-	OCSPStatusGood         OCSPStatus = ocsp.Good
-	OCSPStatusRevoked      OCSPStatus = ocsp.Revoked
-	OCSPStatusServerFailed OCSPStatus = ocsp.ServerFailed
+	OCSPStatusGood    OCSPStatus = xocsp.Good
+	OCSPStatusUnknown OCSPStatus = xocsp.Unknown
+	OCSPStatusRevoked OCSPStatus = xocsp.Revoked
 )
 
-type OCSPServer struct {
-	CA             Certificate
-	Resolver       OCSPStatusResolver
-	UpdateInterval time.Duration
-}
+type OCSPRevocationReason int
 
-func (v *OCSPServer) HTTPHandler(w http.ResponseWriter, r *http.Request) {
-	defer r.Body.Close() //nolint:errcheck
-	raw, err := io.ReadAll(r.Body)
-	if err != nil {
-		http.Error(w, "invalid request", http.StatusBadRequest)
-		return
-	}
+const (
+	// OCSPRevocationReasonUnspecified
+	// Unspecified (code 0): A general, default reason when a more specific one isn't applicable.
+	OCSPRevocationReasonUnspecified OCSPRevocationReason = 0
+	// OCSPRevocationReasonKeyCompromise
+	// Key Compromise (code 1): The most critical reason, indicating that the
+	// private key associated with the certificate has been compromised or is suspected of being compromised.
+	OCSPRevocationReasonKeyCompromise OCSPRevocationReason = 1
+	// OCSPRevocationReasonCACompromise
+	// CA Compromise (code 2): The certificate authority that issued the certificate has been compromised.
+	OCSPRevocationReasonCACompromise OCSPRevocationReason = 2
+	// OCSPRevocationReasonAffiliationChanged
+	// Affiliation Changed (code 3): The certificate holder's relationship with the organization has changed,
+	// such as termination of employment.
+	OCSPRevocationReasonAffiliationChanged OCSPRevocationReason = 3
+	// OCSPRevocationReasonSuperseded
+	// Superseded (code 4): The certificate has been replaced by a new one,
+	// often because of a normal lifecycle event like a password change or a legal name change.
+	OCSPRevocationReasonSuperseded OCSPRevocationReason = 4
+	// OCSPRevocationReasonCessationOfOperation
+	// Cessation of Operation (code 5): The system or service for which the certificate was issued is no longer in
+	// operation.
+	OCSPRevocationReasonCessationOfOperation OCSPRevocationReason = 5
+	// OCSPRevocationReasonCertificateHold
+	// Certificate Hold (code 6): Used for temporary invalidation, such as when a certificate's status is under review.
+	OCSPRevocationReasonCertificateHold OCSPRevocationReason = 6
+)
 
-	req, err := xocsp.ParseRequest(raw)
-	if err != nil {
-		http.Error(w, "invalid ocsp data", http.StatusBadRequest)
-		return
+type (
+	OCSPServer struct {
+		CA             Certificate
+		Resolver       OCSPStatusResolver
+		UpdateInterval time.Duration
+		OnError        func(err error)
 	}
-
-	var nonce []byte
-	for _, extension := range req.Extensions {
-		if extension.Id.Equal(xocsp.OIDNonce) {
-			nonce = extension.Value
-		}
+	OCSPRequest struct {
+		HashAlgorithm  crypto.Hash
+		IssuerNameHash []byte
+		IssuerKeyHash  []byte
+		SerialNumber   *big.Int
+		Extensions     []pkix.Extension
 	}
 
-	status, err := v.Resolver.OCSPStatusResolve(r.Context(), &ocsp.Request{
-		HashAlgorithm:  req.HashAlgorithm,
-		IssuerNameHash: req.IssuerNameHash,
-		IssuerKeyHash:  req.IssuerKeyHash,
-		SerialNumber:   req.SerialNumber,
-	})
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
+	OCSPResponse struct {
+		Status           OCSPStatus
+		RevokedAt        time.Time
+		RevocationReason OCSPRevocationReason
 	}
+)
+
+func (v *OCSPServer) HTTPHandler(w http.ResponseWriter, r *http.Request) {
+	reqStatus := xocsp.Success
 
 	template := xocsp.Response{
-		Status:       int(status),
-		SerialNumber: req.SerialNumber,
-		ThisUpdate:   time.Now(),
-		NextUpdate:   time.Now().Add(v.UpdateInterval),
-		ProducedAt:   time.Now(),
-		Certificate:  v.CA.Crt,
+		Status:      int(OCSPStatusUnknown),
+		ThisUpdate:  time.Now().Truncate(time.Minute).UTC(),
+		NextUpdate:  time.Now().Add(v.UpdateInterval).Truncate(time.Minute).UTC(),
+		Certificate: v.CA.Crt,
 	}
 
-	if len(nonce) > 0 {
-		template.Extensions = append(template.Extensions, pkix.Extension{
-			Id:       xocsp.OIDNonce,
-			Critical: false,
-			Value:    nonce,
-		})
+	var (
+		err error
+		raw []byte
+	)
+
+	if raw, err = ioutils.ReadAll(r.Body); err == nil {
+
+		var req *xocsp.Request
+		if req, err = xocsp.ParseRequest(raw); err == nil {
+
+			template.SerialNumber = req.SerialNumber
+
+			for _, extension := range req.Extensions {
+				if extension.Id.Equal(xocsp.OIDNonce) {
+					template.Extensions = append(template.Extensions, pkix.Extension{
+						Id:       xocsp.OIDNonce,
+						Critical: false,
+						Value:    extension.Value,
+					})
+					break
+				}
+			}
+
+			var resp *OCSPResponse
+			if resp, err = v.Resolver.OCSPStatusResolve(r.Context(), &OCSPRequest{
+				HashAlgorithm:  req.HashAlgorithm,
+				IssuerNameHash: req.IssuerNameHash,
+				IssuerKeyHash:  req.IssuerKeyHash,
+				SerialNumber:   req.SerialNumber,
+				Extensions:     req.Extensions,
+			}); err == nil {
+
+				template.Status = int(resp.Status)
+
+				if resp.Status == OCSPStatusRevoked {
+					template.RevokedAt = resp.RevokedAt
+
+					switch resp.RevocationReason {
+					case OCSPRevocationReasonKeyCompromise, OCSPRevocationReasonCACompromise,
+						OCSPRevocationReasonAffiliationChanged, OCSPRevocationReasonSuperseded,
+						OCSPRevocationReasonCessationOfOperation, OCSPRevocationReasonCertificateHold:
+						template.RevocationReason = int(resp.RevocationReason)
+					default:
+						template.RevocationReason = int(OCSPRevocationReasonUnspecified)
+					}
+				}
+			}
+		}
+	}
+
+	if err != nil {
+		if v.OnError != nil {
+			v.OnError(fmt.Errorf("ocsp: request processing: %w", err))
+		}
+		reqStatus = xocsp.InternalError
 	}
 
-	resp, err := xocsp.CreateResponse(v.CA.Crt, v.CA.Crt, template, v.CA.Key)
+	resp, err := xocsp.CreateResponse(reqStatus, v.CA.Crt, v.CA.Crt, template, v.CA.Key)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		if v.OnError != nil {
+			v.OnError(fmt.Errorf("ocsp: create response: %w", err))
+		}
+		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
 	w.Header().Set("Content-Type", "application/ocsp-response")
-	w.Write(resp) //nolint:errcheck
+	if _, err = w.Write(resp); err != nil {
+		if v.OnError != nil {
+			v.OnError(fmt.Errorf("ocsp: write response: %w", err))
+		}
+	}
 }
