// Handle responds to requests for a ocsp signature. It creates and signs
// a ocsp response for the provided certificate and status. If the status
// is revoked then it also adds reason and revoked_at. The response is
// base64 encoded.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
body, err := ioutil.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
// Default the status to good so it matches the cli
req := &jsonSignRequest{
Status: "good",
}
err = json.Unmarshal(body, req)
if err != nil {
return errors.NewBadRequestString("Unable to parse sign request")
}
cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate))
if err != nil {
log.Error("Error from ParseCertificatePEM", err)
return errors.NewBadRequestString("Malformed certificate")
}
signReq := ocsp.SignRequest{
Certificate: cert,
Status: req.Status,
}
// We need to convert the time from being a string to a time.Time
if req.Status == "revoked" {
signReq.Reason = req.Reason
// "now" is accepted and the default on the cli so default that here
if req.RevokedAt == "" || req.RevokedAt == "now" {
signReq.RevokedAt = time.Now()
} else {
signReq.RevokedAt, err = time.Parse("2006-01-02", req.RevokedAt)
if err != nil {
return errors.NewBadRequestString("Malformed revocation time")
}
}
}
resp, err := h.signer.Sign(signReq)
if err != nil {
return err
}
b64Resp := base64.StdEncoding.EncodeToString(resp)
result := map[string]string{"ocspResponse": b64Resp}
return api.SendResponse(w, result)
}
// ocspSignerMain is the main CLI of OCSP signer functionality.
func ocspSignerMain(args []string, c cli.Config) (err error) {
// Read the cert to be revoked from file
certBytes, err := ioutil.ReadFile(c.CertFile)
if err != nil {
log.Critical("Unable to read certificate: ", err)
return
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
log.Critical("Unable to parse certificate: ", err)
return
}
req := ocsp.SignRequest{
Certificate: cert,
Status: c.Status,
}
if c.Status == "revoked" {
req.Reason = c.Reason
req.RevokedAt = time.Now()
if c.RevokedAt != "now" {
req.RevokedAt, err = time.Parse("2006-01-02", c.RevokedAt)
if err != nil {
log.Critical("Malformed revocation time: ", c.RevokedAt)
return
}
}
}
s, err := SignerFromConfig(c)
if err != nil {
log.Critical("Unable to create OCSP signer: ", err)
return
}
resp, err := s.Sign(req)
if err != nil {
log.Critical("Unable to sign OCSP response: ", err)
return
}
cli.PrintOCSPResponse(resp)
return
}