我正在使用 OCSP 请求编写证书吊销验证以获取实际状态。我发送请求,但收到错误。错误: ocsp: 来自服务器的错误: 格式不正确。我在源代码中发现了错误返回:MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01},但不明白是什么原因导致错误?
func CheckRevocation(cert *x509.Certificate) error {
var (
buffer []byte
output []byte
OCSPResponse *ocsp.Response
OCSPURL string
IssuerURL string
httpRequest *http.Request
httpResponse *http.Response
)
if len(cert.OCSPServer) > 0 {
OCSPURL = cert.OCSPServer[0]
}
if len(cert.IssuingCertificateURL) > 0 {
IssuerURL = cert.IssuingCertificateURL[0]
}
issuer, err := DownloadCert(IssuerURL) // return *x509.Certificate, err
if err != nil {
return err
}
opts := &ocsp.RequestOptions{
Hash: crypto.SHA256,
}
buffer, err = ocsp.CreateRequest(cert, issuer, opts)
if err != nil {
return err
}
httpRequest, err = http.NewRequest("GET", OCSPURL, nil)
if err != nil {
return err
}
httpRequest.Header.Add("Content-Type", "application/ocsp-request")
httpRequest.Header.Add("Accept", "application/ocsp-response")
writer := bytes.NewBuffer(buffer)
httpRequest.Write(writer)
httpClient := &http.Client{}
httpResponse, err = httpClient.Do(httpRequest)
if err != nil {
return err
}
defer httpResponse.Body.Close()
output, err = ioutil.ReadAll(httpResponse.Body)
if err != nil {
return err
}
OCSPResponse, err = ocsp.ParseResponse(output, issuer)
if err != nil {
return err
}
debugPrint("OCSP", "result: %d", OCSPResponse.Status)
return nil
}
证书示例:
...
<ds:X509Certificate>
MIIG9DCCBNygAwIBAgIUTFVCYjrFFRdWjgJW0G8fUs6LLk4wDQYJKoZIhvcNAQELBQAwgc4xCzAJ
BgNVBAYTAktaMRUwEwYDVQQHDAzQkNCh0KLQkNCd0JAxFTATBgNVBAgMDNCQ0KHQotCQ0J3QkDFM
MEoGA1UECgxD0KDQnNCaIMKr0JzQldCc0JvQldCa0JXQotCi0IbQmiDQotCV0KXQndCY0JrQkNCb
0KvSmiDSmtCr0JfQnNCV0KLCuzFDMEEGA1UEAww60rDQm9Ci0KLQq9KaINCa0KPTmNCb0JDQndCU
0KvQoNCj0KjQqyDQntCg0KLQkNCb0KvSmiAoUlNBKTAeFw0xNzA3MjcwMzU1MDZaFw0xODA3Mjcw
MzU1MDZaMIHJMSwwKgYDVQQDDCPQkdCQ0JnQotCj0KDQodCr0J3QntCSINCU0JDQndCY0K/QoDEf
MB0GA1UEBAwW0JHQkNCZ0KLQo9Cg0KHQq9Cd0J7QkjEYMBYGA1UEBRMPSUlOOTIwNzI3MzAwMDQ0
MQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQm9Cc0JDQotCrMRUwEwYDVQQIDAzQkNCb0JzQkNCi
0KsxIzAhBgNVBCoMGtCh0JXQmdCi0JrQkNCh0KvQnNCe0JLQmNCnMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAvW0Lyoex/kkhq5Xb5uCOtEpp4zjc34M5UGftcgmY6FXvlCaPm4415cmk
Kyaz6M+vmsK3T/wH3S2Up5cLKo022BgpBTYg6+lPUQgigYM7PPc20aLySrMg+Gu4HitokrdWgA/H
hjr14HAOFNiEZm7UpeLAhBfuAz/S9TeCct0C/dp75X8K7zOdXX1n/npnMZKMStPVJ94Cbdpprz/O
lNWzk+MGUB5+2yy4k4zBUamyEk8QzsJZID4Hva8ZIwqSXe4gyCe46iPxPZ8EKiwR4Pn6BXj0k7G1
a8A1jYEqc91QMX+L4CCS5M+BeUvbrcdMjNEoy71YG6m9qgNsBGl7WueMawIDAQABo4IByzCCAccw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggqgw4DAwQBATAPBgNVHSMECDAG
gARVtbTiMB0GA1UdDgQWBBQKnKaePX9Y74pplb7yI5ql8zxiJDBeBgNVHSAEVzBVMFMGByqDDgMD
AgQwSDAhBggrBgEFBQcCARYVaHR0cDovL3BraS5nb3Yua3ovY3BzMCMGCCsGAQUFBwICMBcMFWh0
dHA6Ly9wa2kuZ292Lmt6L2NwczBOBgNVHR8ERzBFMEOgQaA/hh1odHRwOi8vY3JsLnBraS5nb3Yu
a3ovcnNhLmNybIYeaHR0cDovL2NybDEucGtpLmdvdi5rei9yc2EuY3JsMFIGA1UdLgRLMEkwR6BF
oEOGH2h0dHA6Ly9jcmwucGtpLmdvdi5rei9kX3JzYS5jcmyGIGh0dHA6Ly9jcmwxLnBraS5nb3Yu
a3ovZF9yc2EuY3JsMGIGCCsGAQUFBwEBBFYwVDAuBggrBgEFBQcwAoYiaHR0cDovL3BraS5nb3Yu
a3ovY2VydC9wa2lfcnNhLmNlcjAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AucGtpLmdvdi5rejAN
BgkqhkiG9w0BAQsFAAOCAgEAColZth/p4wVdcPU1AHTMhNeyLtSJI4K5A7/NoOsqYsH5qpE89gPI
mxB4NAvtmHD49f/lHLvzeIBh+snO+lfJZYXaWcYwU1+dJRyB/bE+W6vcEa5N79eihSyl9fsQTYcz
jBsXzUx0Sv2vAiZH+RIowSsg/m9+UZDt5eNcL7eqkr/JDs0I5VVYXFKwNP1rPam4jfuJKB9w/bEg
6G6RM0/DGaXxLAimVB6gLQzT1hdQzgG8YOERJxjlTeRUICUiEqFz5mZzlJ6zb2+N7lUCzRu385o1
DeWjRJZaTxFKM9JJv8a6zPjcuFA+PIsDy9GSLby1OfZaJJo/7w4iLtJiYDuyMTXisnOknmVr5LC6
fft4AXOq7zOTn7t5r3T9lb5VmorfnqdqSXrep6c/dlkSlyP2mYhUE3JOSQTraJQH/jjcWH5hfewb
/9kPWqDlTpBnok9pcciRSYOgzqkpe0CJ3ZNyj+YNuL58O+TkV9MOwe8wWrWe8rVYV61E597WJZJ/
m6qKBPYUy+zoRVK/XdYYAMsBC2zHrz8n7Z8k6s9FQo4YLgprMQh6Hcq42PgnCZZGxxJ4wU44STUj
HCtohHNYjhz+sZfKg6KEFPzGJN1O7rYd8q0Gl9vQtKMjIsETZ7BRYbXxuzMVA2CMhxiXJS929qH2
ce48JWaAdMkyzyjcF8t3tVY=
</ds:X509Certificate>
此证书有效,但无法调用 OCSP 来检查其状态。可能是我的电话不正确。有人有想法吗?
该标准允许通过GET或POST发出请求。 有关使用 POST 方法的示例,请参阅下面的代码。这个例子适用于我公司的公司PKI,几乎适用于NIST PIV测试卡(https://csrc.nist.gov/projects/piv/nist-personal-identity-verification-test-cards),但绊倒了Go中的一个错误,该错误可能在1.11中已解决(见 https://github.com/golang/go/issues/21527)
请注意,某些 OCSP 响应程序需要主机标头。 此外,我环境中的两个 OSCP 响应程序都希望 SHA1 用于哈希算法,并在使用 SHA256 时失败。
func isCertificateRevokedByOCSP(commonName string, clientCert, issuerCert *x509.Certificate, ocspServer string) bool {
opts := &ocsp.RequestOptions{Hash: crypto.SHA1}
buffer, err := ocsp.CreateRequest(clientCert, issuerCert, opts)
if err != nil {
return false
}
httpRequest, err := http.NewRequest(http.MethodPost, ocspServer, bytes.NewBuffer(buffer))
if err != nil {
return false
}
ocspUrl, err := url.Parse(ocspServer)
if err != nil {
return false
}
httpRequest.Header.Add("Content-Type", "application/ocsp-request")
httpRequest.Header.Add("Accept", "application/ocsp-response")
httpRequest.Header.Add("host", ocspUrl.Host)
httpClient := &http.Client{}
httpResponse, err := httpClient.Do(httpRequest)
if err != nil {
return false
}
defer httpResponse.Body.Close()
output, err := ioutil.ReadAll(httpResponse.Body)
if err != nil {
return false
}
ocspResponse, err := ocsp.ParseResponse(output, issuerCert)
if err != nil {
return false
}
if ocspResponse.Status == ocsp.Revoked {
logger.GetLogger().Warnf("certificate '%s' has been revoked by OCSP server %s, refusing connection", commonName, ocspServer)
return true
} else {
return false
}
}
在寻找 OCSP 请求的 Go 示例时遇到了这个问题。这是我最终为任何寻找完整示例的人提供的函数:
// CheckOCSPStatus will make an OCSP request for the provided certificate.
// If the status of the certificate is not good, then an error is returned.
func CheckOCSPStatus(ctx context.Context, cert *x509.Certificate) error {
var (
ocspURL = cert.OCSPServer[0]
issuerCertURL = cert.IssuingCertificateURL[0]
)
// download the issuer certificate
issuer, err := getCert(ctx, issuerCertURL)
if err != nil {
return fmt.Errorf("getting issuer certificate: %w", err)
}
// Build OCSP request
buffer, err := ocsp.CreateRequest(cert, issuer, &ocsp.RequestOptions{
Hash: crypto.SHA1,
})
if err != nil {
return fmt.Errorf("creating ocsp request body: %w", err)
}
req, err := http.NewRequest(http.MethodPost, ocspURL, bytes.NewBuffer(buffer))
if err != nil {
return fmt.Errorf("creating http request: %w", err)
}
ocspUrl, err := url.Parse(ocspURL)
if err != nil {
return fmt.Errorf("parsing ocsp url: %w", err)
}
req.Header.Add("Content-Type", "application/ocsp-request")
req.Header.Add("Accept", "application/ocsp-response")
req.Header.Add("host", ocspUrl.Host)
req = req.WithContext(ctx)
// Make OCSP request
httpResponse, err := http.DefaultClient.Do(req)
if err != nil {
return fmt.Errorf("making ocsp request: %w", err)
}
defer httpResponse.Body.Close()
output, err := ioutil.ReadAll(httpResponse.Body)
if err != nil {
return fmt.Errorf("reading response body: %w", err)
}
// Parse response
ocspResponse, err := ocsp.ParseResponse(output, issuer)
if err != nil {
return fmt.Errorf("parsing ocsp response: %w", err)
}
// check status
if ocspResponse.Status != ocsp.Good {
return fmt.Errorf("invalid cert status: %v", ocspResponse.Status)
}
return nil
}
func getCert(ctx context.Context, url string) (*x509.Certificate, error) {
req, _ := http.NewRequest(http.MethodGet, url, nil)
req = req.WithContext(ctx)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return nil, fmt.Errorf("getting cert from %s: %w", url, err)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("reading response body: %w", err)
}
cert, err := x509.ParseCertificate(body)
if err != nil {
return nil, fmt.Errorf("parsing certificate: %w", err)
}
return cert, nil
}
这是一个完整且可运行的要点:https://gist.github.com/alexrudd/ca792642c1f7923ee344b3645a420006