SSLMate/ocsputil
software.sslmate.com/src/ocsputil

software.sslmate.com/src/ocsputil is a Go package that provides convenience functions for OCSP checking. It's mostly a wrapper around golang.org/x/crypto/ocsp.

The ocsputil.Evaluate function evaluates the reliability of a certificate's OCSP responder, and is used by OCSP Watch.

View GoDocs

evalocsp

evalocsp is a command line tool that evaluates the reliability of a certificate's OCSP responder using ocsputil.Evaluate.

Install it with: go install software.sslmate.com/src/ocsputil/cmd/evalocsp@latest

Input (on stdin): Two PEM-encoded certificates: the certificate whose OCSP responder should be evaluated, followed by its issuer. The first certificate may be a precertificate, but if it is signed by a dedicated precert signing CA, then the second certificate must be the issuer of the final certificate, not the precert signing CA. Extra certificates and non-certificate data are ignored.

Output (on stdout): A JSON object with the following fields:

| Field Name | Description |
|---|---|
| error | null if the OCSP check was successful, or the error, as a string. |
| responder_url | The URL of the OCSP responder. |
| request_bytes | The bytes of the OCSP request, as a base64-encoded string. |
| response_bytes | The bytes of the OCSP response, as a base64-encoded string. |
| response_time | The length of time the OCSP responder took to respond, formatted as a time.Duration string. |

If error is null, then the other fields are non-null. If error is non-null, then any of the other fields may be null depending on the nature of the error.

Go 1.18 Bug

Go 1.18 accidentally banned SHA-1-signed OCSP responses, which can still be found in the WebPKI. To avoid this bug, use Go 1.18.1 or higher.

About

Go utilities for checking OCSP