Gateway server: generate OCSP response. (#274)

If the certificate PEM provided in the request contains more than one cert, use the second one to sign an OCSP response for the first. (This assumes both certs were created with the same key, which is good enough for test.)
ampproject · Apr 3, 2019 · efdc035 · efdc035
1 parent 3097864
commit efdc035
Showing 1 changed file with 34 additions and 2 deletions.
diff --git a/cmd/gateway_server/server.go b/cmd/gateway_server/server.go
@@ -3,6 +3,9 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -12,6 +15,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"strings"
+	"time"
 
 	"github.com/WICG/webpackage/go/signedexchange"
 	"github.com/WICG/webpackage/go/signedexchange/certurl"
@@ -20,6 +24,7 @@ import (
 	"github.com/ampproject/amppackager/packager/signer"
 	"github.com/ampproject/amppackager/packager/util"
 	"github.com/julienschmidt/httprouter"
+	"golang.org/x/crypto/ocsp"
 	"google.golang.org/grpc"
 )
 
@@ -45,6 +50,20 @@ func errorToSXGResponse(err error) *pb.SXGResponse {
 	return response
 }
 
+func createOCSPResponse(cert *x509.Certificate, key crypto.Signer) ([]byte, error) {
+	thisUpdate := time.Now()
+
+	// Construct args to ocsp.CreateResponse.
+	template := ocsp.Response{
+		SerialNumber: cert.SerialNumber,
+		Status: ocsp.Good,
+		ThisUpdate: thisUpdate,
+		NextUpdate: thisUpdate.Add(time.Hour*24*7),
+		IssuerHash: crypto.SHA256,
+	}
+	return ocsp.CreateResponse(cert /*issuer*/, cert /*responderCert*/, template, key)
+}
+
 func (s *gatewayServer) GenerateSXG(ctx context.Context, request *pb.SXGRequest) (*pb.SXGResponse, error) {
 	rtvCache, err := rtv.New()
 	if err != nil {
@@ -128,8 +147,21 @@ func (s *gatewayServer) GenerateSXG(ctx context.Context, request *pb.SXGRequest)
 		}, nil
 	}
 
-	// Creates cbor data.
-	ocspDer := []byte("ocsp")
+	// Create cert-chain+cbor.
+	var ocspDer []byte
+	if len(certs) > 1 {
+		// Attach an OCSP response, signed with the second cert in the
+		// chain (assumed to be the issuer and using the same private
+		// key as the leaf cert).
+		var err error
+		ocspDer, err = createOCSPResponse(certs[1], privateKey.(*ecdsa.PrivateKey))
+		if err != nil {
+			return errorToSXGResponse(err), nil
+		}
+	} else {
+		// Make up an invalid OCSP response.
+		ocspDer = []byte("ocsp")
+	}
 	var sctList []byte
 	certChain, err := certurl.NewCertChain(certs, ocspDer, sctList)
 	if err != nil {