OCSP stapling

2025-06-06 17:44:04 +02:00 · 2025-06-06 17:44:04 +02:00 · b39ee8ede5
commit b39ee8ede5
parent 2949995abc
30 changed files with 1576 additions and 178 deletions
--- a/integration/fixtures/ocsp/gencert.go
+++ b/integration/fixtures/ocsp/gencert.go
@ -0,0 +1,100 @@
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"time"
+)
+
+func main() {
+	// generate CA
+	caKey, caCert := generateCA("Test CA")
+	saveKeyAndCert("integration/fixtures/ocsp/ca.key", "integration/fixtures/ocsp/ca.crt", caKey, caCert)
+
+	// server certificate
+	serverKey, serverCert := generateCert("server.local", caKey, caCert)
+	saveKeyAndCert("integration/fixtures/ocsp/server.key", "integration/fixtures/ocsp/server.crt", serverKey, serverCert)
+
+	// default certificate
+	defaultKey, defaultCert := generateCert("default.local", caKey, caCert)
+	saveKeyAndCert("integration/fixtures/ocsp/default.key", "integration/fixtures/ocsp/default.crt", defaultKey, defaultCert)
+}
+
+func generateCA(commonName string) (*ecdsa.PrivateKey, *x509.Certificate) {
+	// generate a private key for the CA
+	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+
+	// create a self-signed CA certificate
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // 10 ans
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		MaxPathLen:            1,
+		OCSPServer:            []string{"ocsp.example.com"},
+	}
+
+	caCertDER, _ := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	caCert, _ := x509.ParseCertificate(caCertDER)
+
+	return caKey, caCert
+}
+
+func generateCert(commonName string, caKey *ecdsa.PrivateKey, caCert *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate) {
+	// create a private key for the certificate
+	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+
+	// create a certificate signed by the CA
+	certTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(1 * 365 * 24 * time.Hour), // 1 an
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		BasicConstraintsValid: true,
+		OCSPServer:            []string{"ocsp.example.com"},
+	}
+
+	certDER, _ := x509.CreateCertificate(rand.Reader, certTemplate, caCert, &certKey.PublicKey, caKey)
+	cert, _ := x509.ParseCertificate(certDER)
+
+	return certKey, cert
+}
+
+func saveKeyAndCert(keyFile, certFile string, key *ecdsa.PrivateKey, cert *x509.Certificate) {
+	// save the private key
+	keyOut, _ := os.Create(keyFile)
+	defer keyOut.Close()
+
+	// Marshal the private key to ASN.1 DER format
+	privateKey, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		panic(err)
+	}
+
+	err = pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privateKey})
+	if err != nil {
+		panic(err)
+	}
+
+	// save the certificate
+	certOut, _ := os.Create(certFile)
+	defer certOut.Close()
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	if err != nil {
+		panic(err)
+	}
+}