Commit Graph

3 Commits

Author SHA1 Message Date
Jacob Hoffman-Andrews 797f3c7217
responder: return InternalError for expired responses (#6377)
This was masking a bug, because the integration test for OCSP responses
for expired certificates was looking for the "unauthorized" OCSP
response status. Which we were returning, even though our HTTP-level
response code was 533.
2022-09-14 11:24:46 -07:00
Nina b8b3605404
ocsp-responder: handle expired ocsp responses (#6183)
Return 533 if we would otherwise serve an expired response.

Closes #6175
2022-06-29 17:58:33 -07:00
Aaron Gable 0a22f83c0b
Major OCSP refactor (#5863)
Completely refactor the way we organize our code related to OCSP.

- Move it all into one `//ocsp/` package, rather than having multiple
  top-level packages.
- Merge the OCSP updater's config sub-package with its parent
  (since it isn't necessary to break it out to avoid cyclic imports).
- Remove all `Source` logic from ocsp-responder's `main.go`, because
  it was difficult to mentally trace the control flow there.
- Replace that logic with a set of composable `Source`s in the
  `//ocsp/responder/` package, each of which is good at just one thing.
- Update the way the filters work to make sure that the request's
  `IssuerKeyHash` and the response's `ResponderName` can both
  be derived from the same issuer certificate, ensuring that the req and
  resp are correctly matched.
- Split the metrics into a separate metric for each `Source`, so we can
  tell what all of them are doing, not just aggregate behavior.
- Split the tests into individual files for each `Source`, and update them
  for the new public interfaces.
2022-02-04 12:01:34 -08:00