(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client)
| 378 | } |
| 379 | |
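// VerifyOCSPEndpoint asks the OCSP responder at endpoint for the revocation
// status of cert, which must have been issued by issuer.
//
// The boolean reports whether a usable OCSP response for cert was obtained at
// all; the error carries the outcome. The function returns (true, nil) for a
// Good status, (true, err) for Revoked or any other status, and (false, err)
// when the request could not be built, sent, read or parsed. httpClient must
// be non-nil; its timeout settings govern the network call.
//
// The response is parsed with ocsp.ParseResponseForCert rather than
// ocsp.ParseResponse, so a response that answers for a different serial
// number than cert's is rejected instead of being trusted. The HTTP status is
// checked before parsing and the body read is bounded, so a misbehaving
// responder cannot make the caller buffer an arbitrary amount of data.
//
// NOTE(review): ThisUpdate/NextUpdate freshness is not checked here, so a
// replayed, still-signature-valid stale response would be accepted; callers
// that need freshness should check the response timestamps.
func VerifyOCSPEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client) (bool, error) {
	// Cap on the response body read into memory. Real OCSP responses are a
	// few kilobytes; this 1 MiB cap is a constructed defensive limit, not a
	// protocol constant.
	const maxResponseBytes = 1 << 20

	if httpClient == nil {
		return false, errors.Errorf("error contacting OCSP server: %s: nil HTTP client", endpoint)
	}

	req, err := ocsp.CreateRequest(cert, issuer, nil)
	if err != nil {
		// Keep the underlying error: the original message discarded it, which
		// made hash/encoding problems with the certificates undiagnosable.
		return false, errors.Errorf("error creating OCSP request: %v", err)
	}

	httpReq, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(req))
	if err != nil {
		return false, errors.Errorf("error contacting OCSP server: %s: %v", endpoint, err)
	}
	httpReq.Header.Add("Content-Type", "application/ocsp-request")
	httpReq.Header.Add("Accept", "application/ocsp-response")
	httpResp, err := httpClient.Do(httpReq) // #nosec G704 -- request relies on values from certificate or intentionally provided by user
	if err != nil {
		return false, errors.Errorf("error contacting OCSP server: %s: %v", endpoint, err)
	}
	defer httpResp.Body.Close()

	// A non-200 reply carries no OCSP response worth parsing; report it
	// instead of handing an error page to the DER parser.
	if httpResp.StatusCode != http.StatusOK {
		return false, errors.Errorf("error contacting OCSP server: %s: unexpected HTTP status %d", endpoint, httpResp.StatusCode)
	}

	// Read one byte past the cap so an oversized body is detected explicitly
	// rather than being silently truncated into a parse error.
	respBytes, err := io.ReadAll(io.LimitReader(httpResp.Body, maxResponseBytes+1))
	if err != nil {
		return false, errors.Errorf("error reading response from OCSP server: %s: %v", endpoint, err)
	}
	if len(respBytes) > maxResponseBytes {
		return false, errors.Errorf("error reading response from OCSP server: %s: response exceeds %d bytes", endpoint, maxResponseBytes)
	}

	// ParseResponseForCert additionally checks that the single response
	// inside the OCSP reply is for cert's serial number.
	resp, err := ocsp.ParseResponseForCert(respBytes, cert, issuer)
	if err != nil {
		return false, errors.Errorf("error parsing response from OCSP server: %s: %v", endpoint, err)
	}

	switch resp.Status {
	case ocsp.Revoked:
		return true, errors.Errorf("certificate has been revoked according to OCSP %s", endpoint)
	case ocsp.Good:
		return true, nil
	default:
		// Unknown and any server-failure status are reported, not treated as Good.
		return true, errors.Errorf("certificate status is unknown according to OCSP %s", endpoint)
	}
}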
| 415 | |
| 416 | func VerifyCRLEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client, insecure bool) (bool, error) { |
| 417 | resp, err := httpClient.Get(endpoint) |