package certs
import (
	"bytes"
	"crypto"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"net/url"
	"time"

	"golang.org/x/crypto/ocsp"
)
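// ocspMaxResponseBytes bounds how much of a responder's body is read. OCSP
// responses are small; an unbounded read lets a misbehaving or hostile
// responder exhaust memory.
const ocspMaxResponseBytes = 1 << 20

// ocspHTTPTimeout bounds the whole OCSP round-trip. The zero-value
// http.Client has no timeout at all, so a stalled responder would block the
// caller forever.
const ocspHTTPTimeout = 10 * time.Second

// checkOCSPRevocation performs a single OCSP query for clientCert (issued by
// issuerCert) against the responder at ocspServer and reports whether the
// responder answered Revoked. Good and Unknown both report false.
//
// An error is returned whenever the revocation status could not be
// established: bad responder URL, request construction failure, transport
// failure, non-200 HTTP status, oversized, unparsable or expired response.
// The caller decides the policy for that case; this function never maps an
// error to a status.
func checkOCSPRevocation(clientCert, issuerCert *x509.Certificate, ocspServer string) (bool, error) {
	ocspURL, err := url.Parse(ocspServer)
	if err != nil {
		return false, fmt.Errorf("parsing OCSP server URL %q: %w", ocspServer, err)
	}
	if ocspURL.Host == "" {
		return false, fmt.Errorf("OCSP server URL %q has no host", ocspServer)
	}

	// SHA-1 here only hashes the issuer name/key into the CertID; it is the
	// hash most responders accept and is not a signature algorithm.
	opts := &ocsp.RequestOptions{Hash: crypto.SHA1}
	reqDER, err := ocsp.CreateRequest(clientCert, issuerCert, opts)
	if err != nil {
		return false, fmt.Errorf("creating OCSP request: %w", err)
	}

	httpRequest, err := http.NewRequest(http.MethodPost, ocspServer, bytes.NewReader(reqDER))
	if err != nil {
		return false, fmt.Errorf("building OCSP HTTP request: %w", err)
	}
	// net/http derives the Host header from the URL itself; a manually added
	// "host" header is ignored, so none is set here.
	httpRequest.Header.Set("Content-Type", "application/ocsp-request")
	httpRequest.Header.Set("Accept", "application/ocsp-response")

	httpClient := &http.Client{Timeout: ocspHTTPTimeout}
	httpResponse, err := httpClient.Do(httpRequest)
	if err != nil {
		return false, fmt.Errorf("querying OCSP responder %q: %w", ocspServer, err)
	}
	defer httpResponse.Body.Close()

	if httpResponse.StatusCode != http.StatusOK {
		return false, fmt.Errorf("OCSP responder %q returned HTTP status %d", ocspServer, httpResponse.StatusCode)
	}

	// Read one byte past the limit so an oversized body is detected rather
	// than silently truncated into an unparsable blob.
	body, err := ioutil.ReadAll(io.LimitReader(httpResponse.Body, ocspMaxResponseBytes+1))
	if err != nil {
		return false, fmt.Errorf("reading OCSP response: %w", err)
	}
	if len(body) > ocspMaxResponseBytes {
		return false, fmt.Errorf("OCSP response exceeds %d bytes", ocspMaxResponseBytes)
	}

	// ParseResponseForCert additionally verifies that the single response
	// inside actually refers to clientCert's serial number; ParseResponse
	// alone would accept a valid signed answer about some other certificate.
	ocspResponse, err := ocsp.ParseResponseForCert(body, clientCert, issuerCert)
	if err != nil {
		return false, fmt.Errorf("parsing OCSP response: %w", err)
	}

	// A responder may omit NextUpdate (zero value); when present, a response
	// past it is stale and must not be trusted as current status.
	if !ocspResponse.NextUpdate.IsZero() && time.Now().After(ocspResponse.NextUpdate) {
		return false, fmt.Errorf("OCSP response expired at %s", ocspResponse.NextUpdate.UTC().Format(time.RFC3339))
	}

	return ocspResponse.Status == ocsp.Revoked, nil
}

// IsCertRevokedByCA checks whether a certificate was revoked by the CA using OCSP.
//
// It POSTs an OCSP request for clientCert (issued by issuerCert) to ocspServer
// and returns true only when the responder answers Revoked; Good and Unknown
// both return false. Any failure to establish the status is fatal: the error
// is logged and the process exits, so an undecidable status is never reported
// as "not revoked". Callers that need to recover from such failures should
// use a variant that returns the error instead of this bool-only wrapper.
func IsCertRevokedByCA(clientCert, issuerCert *x509.Certificate, ocspServer string) bool {
	revoked, err := checkOCSPRevocation(clientCert, issuerCert, ocspServer)
	if err != nil {
		// Fail closed: exiting is preferable to returning false on error.
		log.Fatal(err)
	}
	if revoked {
		fmt.Println("Certficate has been revoked by CA")
	}
	return revoked
}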
// ParsePEMCert parses a x509 certificate from the given PEM encoded certificate.
//
// Only the first PEM block of pemCert is considered and it must be of type
// "CERTIFICATE"; any trailing data after that block is discarded. A decode
// or parse failure is fatal (logged, then the process exits), so the function
// returns only on success.
func ParsePEMCert(pemCert string) *x509.Certificate {
	// The second result is the remainder after the first block; it is not needed.
	block, _ := pem.Decode([]byte(pemCert))
	if block == nil || block.Type != "CERTIFICATE" {
		log.Fatal("Failed to decode PEM block containing certificate")
	}

	parsed, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		log.Fatal(err)
	}
	return parsed
}