Golang，发送OCSP请求返回

I'm writing certificate revocation validation using OCSP request to get actual status. I send request, but getting error. ERROR: ocsp: error from server: malformed. I found error return in source: MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01}, but don't understand what causes error??

func CheckRevocation(cert *x509.Certificate) error {
    var (
        buffer       []byte
        output       []byte
        OCSPResponse *ocsp.Response
        OCSPURL      string
        IssuerURL    string
        httpRequest  *http.Request
        httpResponse *http.Response
    )
    if len(cert.OCSPServer) > 0 {
        OCSPURL = cert.OCSPServer[0]
    }
    if len(cert.IssuingCertificateURL) > 0 {
        IssuerURL = cert.IssuingCertificateURL[0]
    }
    issuer, err := DownloadCert(IssuerURL) // return *x509.Certificate, err
    if err != nil {
        return err
    }
    opts := &ocsp.RequestOptions{
        Hash: crypto.SHA256,
    }
    buffer, err = ocsp.CreateRequest(cert, issuer, opts)
    if err != nil {
        return err
    }
    httpRequest, err = http.NewRequest("GET", OCSPURL, nil)
    if err != nil {
        return err
    }
    httpRequest.Header.Add("Content-Type", "application/ocsp-request")
    httpRequest.Header.Add("Accept", "application/ocsp-response")
    writer := bytes.NewBuffer(buffer)
    httpRequest.Write(writer)
    httpClient := &http.Client{}
    httpResponse, err = httpClient.Do(httpRequest)
    if err != nil {
        return err
    }
    defer httpResponse.Body.Close()
    output, err = ioutil.ReadAll(httpResponse.Body)
    if err != nil {
        return err
    }
    OCSPResponse, err = ocsp.ParseResponse(output, issuer)
    if err != nil {
        return err
    }
    debugPrint("OCSP", "result: %d", OCSPResponse.Status)
    return nil
}

EXAMPLE OF CERTIFICATE:

...
<ds:X509Certificate>
MIIG9DCCBNygAwIBAgIUTFVCYjrFFRdWjgJW0G8fUs6LLk4wDQYJKoZIhvcNAQELBQAwgc4xCzAJ
BgNVBAYTAktaMRUwEwYDVQQHDAzQkNCh0KLQkNCd0JAxFTATBgNVBAgMDNCQ0KHQotCQ0J3QkDFM
MEoGA1UECgxD0KDQnNCaIMKr0JzQldCc0JvQldCa0JXQotCi0IbQmiDQotCV0KXQndCY0JrQkNCb
0KvSmiDSmtCr0JfQnNCV0KLCuzFDMEEGA1UEAww60rDQm9Ci0KLQq9KaINCa0KPTmNCb0JDQndCU
0KvQoNCj0KjQqyDQntCg0KLQkNCb0KvSmiAoUlNBKTAeFw0xNzA3MjcwMzU1MDZaFw0xODA3Mjcw
MzU1MDZaMIHJMSwwKgYDVQQDDCPQkdCQ0JnQotCj0KDQodCr0J3QntCSINCU0JDQndCY0K/QoDEf
MB0GA1UEBAwW0JHQkNCZ0KLQo9Cg0KHQq9Cd0J7QkjEYMBYGA1UEBRMPSUlOOTIwNzI3MzAwMDQ0
MQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQm9Cc0JDQotCrMRUwEwYDVQQIDAzQkNCb0JzQkNCi
0KsxIzAhBgNVBCoMGtCh0JXQmdCi0JrQkNCh0KvQnNCe0JLQmNCnMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAvW0Lyoex/kkhq5Xb5uCOtEpp4zjc34M5UGftcgmY6FXvlCaPm4415cmk
Kyaz6M+vmsK3T/wH3S2Up5cLKo022BgpBTYg6+lPUQgigYM7PPc20aLySrMg+Gu4HitokrdWgA/H
hjr14HAOFNiEZm7UpeLAhBfuAz/S9TeCct0C/dp75X8K7zOdXX1n/npnMZKMStPVJ94Cbdpprz/O
lNWzk+MGUB5+2yy4k4zBUamyEk8QzsJZID4Hva8ZIwqSXe4gyCe46iPxPZ8EKiwR4Pn6BXj0k7G1
a8A1jYEqc91QMX+L4CCS5M+BeUvbrcdMjNEoy71YG6m9qgNsBGl7WueMawIDAQABo4IByzCCAccw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggqgw4DAwQBATAPBgNVHSMECDAG
gARVtbTiMB0GA1UdDgQWBBQKnKaePX9Y74pplb7yI5ql8zxiJDBeBgNVHSAEVzBVMFMGByqDDgMD
AgQwSDAhBggrBgEFBQcCARYVaHR0cDovL3BraS5nb3Yua3ovY3BzMCMGCCsGAQUFBwICMBcMFWh0
dHA6Ly9wa2kuZ292Lmt6L2NwczBOBgNVHR8ERzBFMEOgQaA/hh1odHRwOi8vY3JsLnBraS5nb3Yu
a3ovcnNhLmNybIYeaHR0cDovL2NybDEucGtpLmdvdi5rei9yc2EuY3JsMFIGA1UdLgRLMEkwR6BF
oEOGH2h0dHA6Ly9jcmwucGtpLmdvdi5rei9kX3JzYS5jcmyGIGh0dHA6Ly9jcmwxLnBraS5nb3Yu
a3ovZF9yc2EuY3JsMGIGCCsGAQUFBwEBBFYwVDAuBggrBgEFBQcwAoYiaHR0cDovL3BraS5nb3Yu
a3ovY2VydC9wa2lfcnNhLmNlcjAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AucGtpLmdvdi5rejAN
BgkqhkiG9w0BAQsFAAOCAgEAColZth/p4wVdcPU1AHTMhNeyLtSJI4K5A7/NoOsqYsH5qpE89gPI
mxB4NAvtmHD49f/lHLvzeIBh+snO+lfJZYXaWcYwU1+dJRyB/bE+W6vcEa5N79eihSyl9fsQTYcz
jBsXzUx0Sv2vAiZH+RIowSsg/m9+UZDt5eNcL7eqkr/JDs0I5VVYXFKwNP1rPam4jfuJKB9w/bEg
6G6RM0/DGaXxLAimVB6gLQzT1hdQzgG8YOERJxjlTeRUICUiEqFz5mZzlJ6zb2+N7lUCzRu385o1
DeWjRJZaTxFKM9JJv8a6zPjcuFA+PIsDy9GSLby1OfZaJJo/7w4iLtJiYDuyMTXisnOknmVr5LC6
fft4AXOq7zOTn7t5r3T9lb5VmorfnqdqSXrep6c/dlkSlyP2mYhUE3JOSQTraJQH/jjcWH5hfewb
/9kPWqDlTpBnok9pcciRSYOgzqkpe0CJ3ZNyj+YNuL58O+TkV9MOwe8wWrWe8rVYV61E597WJZJ/
m6qKBPYUy+zoRVK/XdYYAMsBC2zHrz8n7Z8k6s9FQo4YLgprMQh6Hcq42PgnCZZGxxJ4wU44STUj
HCtohHNYjhz+sZfKg6KEFPzGJN1O7rYd8q0Gl9vQtKMjIsETZ7BRYbXxuzMVA2CMhxiXJS929qH2
ce48JWaAdMkyzyjcF8t3tVY=
</ds:X509Certificate>

This certificate is valid, but cannot call OCSP to check it's status. May be my call is incorrect. Does anyone have ideas?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

duanqiao1947 2018-07-18 14:55

关注

The standard allows for requests to made via GET or POST. See the code below for an example that works with the POST method. This example works in my company's corporate PKI and almost works with the NIST PIV test cards (https://csrc.nist.gov/projects/piv/nist-personal-identity-verification-test-cards), but trips over a bug in Go that may have been resolved in 1.11 (see https://github.com/golang/go/issues/21527)

Note that some OCSP responders require the host header. Also, both of the OSCP responders in my environment want SHA1 for the hash algorithm and fail when SHA256 is used.

func isCertificateRevokedByOCSP(commonName string, clientCert, issuerCert *x509.Certificate, ocspServer string) bool {
    opts := &ocsp.RequestOptions{Hash: crypto.SHA1}
    buffer, err := ocsp.CreateRequest(clientCert, issuerCert, opts)
    if err != nil {
        return false
    }
    httpRequest, err := http.NewRequest(http.MethodPost, ocspServer, bytes.NewBuffer(buffer))
    if err != nil {
        return false
    }
    ocspUrl, err := url.Parse(ocspServer)
    if err != nil {
        return false
    }
    httpRequest.Header.Add("Content-Type", "application/ocsp-request")
    httpRequest.Header.Add("Accept", "application/ocsp-response")
    httpRequest.Header.Add("host", ocspUrl.Host)
    httpClient := &http.Client{}
    httpResponse, err := httpClient.Do(httpRequest)
    if err != nil {
        return false
    }
    defer httpResponse.Body.Close()
    output, err := ioutil.ReadAll(httpResponse.Body)
    if err != nil {
        return false
    }
    ocspResponse, err := ocsp.ParseResponse(output, issuerCert)
    if err != nil {
        return false
    }
    if ocspResponse.Status == ocsp.Revoked {
        logger.GetLogger().Warnf("certificate '%s' has been revoked by OCSP server %s, refusing connection", commonName, ocspServer)
        return true
    } else {
        return false
    }
}

报告相同问题？

关注问题

如何使用证书golang发送https请求 ssl
2016-08-08 06:45

回答 2 已采纳 You need to add CA of your certificate to your transport like: package main import ( "crypto
Golang发送http请求发送两次而不是一次 http
2017-04-13 13:19

回答 1 已采纳 As in my edit, the cause was AVG anti virus. There was nothing in the console log indicating any p
GoLang通过POST请求发送文件
2017-08-07 07:40

回答 2 已采纳 os.Open will open a file, since the file doesn't exist you will get an error. Use os.Create instea
golang知识图谱
2021-09-06 17:01

csy2005csy的博客 csv 可读和写由逗号分割的数值（ csv）文件 gob 管理gob流——在编码器（发送者）和解码器（接收者）之间进行二进制值交换 hex 实现了十六进制的编码和解码 json 实现了定义于RFC 4627中的JSON对象的编码和解码 pem ...
Golang HTTP请求返回200响应，但主体为空 http
2018-10-12 07:09

回答 1 已采纳 I have confirmed locally that your code, as shown, should work. Here is the code I used: packag
Golang HTTP GET请求返回404
2013-04-17 15:09

回答 2 已采纳 The issue was unicode-related. There was a %2F in my command (not displayed in my original questi
golang http.Post请求返回响应404 http
2018-12-01 10:52

回答 2 已采纳 1) Access to https://github.com/settings/tokens 2) Click "Generate new token" 3) Copy the token. 4
【k8s admission 学习】使用 go 语言创建自签证书及签发证书
2022-10-07 12:11

oceanweave的博客这样我们就配置好了三级证书的签名请求了，这里都是分开写的，大部分代码都是一样的，可以写成一个方法，这里就不扩展了。如上，我们完成了证书的生成、存储和读取等能力，证书相关的处理就结束了。，用来区分这是一...
如何为Golang HTTP请求发送嵌套标头 http https
2018-06-26 19:49

回答 1 已采纳 I just ran your Ruby code and found out that it doesn't actually send any headers, instead it adds
使用标头在Golang中发送POST请求 http
2016-10-12 19:15

回答 1 已采纳 You need to add a content type to your request. You said http.PostForm worked so let's look at th
http PUT请求以golang上传zip文件 http
2018-12-11 07:25

回答 1 已采纳 This is a working example. Most likely, it comes down to the fact that the server is a bit simple
Socket，TCP，HTTP三者之间的区别和原理?
2023-03-21 13:26

兔兔丫.的博客确认了客户端想要释放连接，随后服务器端结束ESTABLISHED阶段，进入CLOSE-WAIT阶段（半关闭状态）并返回一段TCP报文，其中：标记位为ACK，表示“接收到客户端发送的释放连接的请求”；序号为Seq=V；确认号为Ack=U...
向Golang API发送请求以发送JSON和严格认证的JSON json
2017-12-20 08:40

回答 1 已采纳 When sending JSON to any http server you always have to use JSON.stringify(). Not doing so will r
Go --- gRPC学习笔记
2022-06-24 16:57

吕元龙的小屋的博客是一种通过网络从远程计算机上请求服务，而不需要了解底层网络技术的协议。RPC它假定某些协议的存在，例如TCP/UDP等，为通信程序之间携带信息数据。在OSI网络七层模型中，RPC跨越了传输层和应用层，RPC使得开发包括...
HTTPS 握手会影响性能吗？废话，肯定会
2022-12-13 21:28

AI研习社的博客 OCSP 因此，现在基本都是使用 OCSP ，名为在线证书状态协议（Online Certificate Status Protocol）来查询证书的有效性，它的工作方式是向 CA 发送查询请求，让 CA 返回证书的有效状态。不必像 CRL 方式客户端需要...
没有解决我的问题, 去提问

悬赏问题

¥15 各位请问平行检验趋势图这样要怎么调整？说标准差差异太大了
¥15 delphi webbrowser组件网页下拉菜单自动选择问题
¥15 wpf界面一直接收PLC给过来的信号，导致UI界面操作起来会卡顿
¥15 init i2c:2 freq:100000[MAIXPY]: find ov2640[MAIXPY]: find ov sensor是main文件哪里有问题吗
¥15 运动想象脑电信号数据集.vhdr
¥15 三因素重复测量数据R语句编写，不存在交互作用
¥15 微信会员卡等级和折扣规则
¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
¥15 随身WiFi网络灯亮但是没有网络，如何解决？
¥15 gdf格式的脑电数据如何处理matlab

码龄粉丝数原力等级 --

Golang，发送OCSP请求返回

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

Golang，发送OCSP请求返回

1条回答 默认 最新

悬赏问题

1条回答默认最新