in capi/lib/revocation/ocsp/ocsp.go [176:234]
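// newOCSPResponse builds an OCSP request for certificate (issued by issuer),
// POSTs it to responder and classifies the outcome.
//
// The result always carries Responder. Status/Error describe either a local or
// transport failure (InternalError, BadResponse), a responder-level refusal
// (Unauthorized), a signature problem (CryptoVerifcationError), or the
// certificate status the responder asserted (Good, Revoked, Unknown). The
// function never returns a Go error: every failure is folded into
// response.Status / response.Error so callers can record it as a test result.
//
// Security notes: the responder is a remote, untrusted party. The exchange is
// bounded in time (client timeout) and in size (the body read is capped), and
// only an HTTP 200 body is handed to the OCSP parser — error pages, redirects
// and WAF blocks are reported as BadResponse rather than being misdiagnosed
// by a DER parse failure.
func newOCSPResponse(certificate, issuer *x509.Certificate, responder string) (response OCSP) {
	const (
		// Wall-clock bound on the whole exchange: dial, TLS, send, read.
		requestTimeout = 20 * time.Second
		// Upper bound on the responder body we are willing to buffer. A real
		// OCSP response is a few kilobytes; a misbehaving or hostile responder
		// must not be able to make this tool read an unbounded stream.
		maxResponseBytes = 1 << 20
	)

	response.Responder = responder

	req, err := ocsplib.CreateRequest(certificate, issuer, nil)
	if err != nil {
		response.Status = InternalError
		response.Error = errors.Wrap(err, "failed to create DER encoded OCSP request").Error()
		return
	}

	r, err := http.NewRequest("POST", responder, bytes.NewReader(req))
	if err != nil {
		response.Status = InternalError
		response.Error = errors.Wrap(err, "failed to create HTTP POST for OCSP request").Error()
		return
	}
	// Identify the tool honestly in a dedicated header while presenting a
	// browser-like User-Agent, so responders that filter on UA still answer
	// the way they would for a real client.
	r.Header.Add("X-Automated-Tool", "https://github.com/mozilla/CCADB-Tools/capi CCADB test website verification tool")
	r.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0")
	r.Header.Set("Content-Type", OCSPContentType)

	client := http.Client{Timeout: requestTimeout}
	ret, err := client.Do(r)
	if err != nil {
		response.Status = BadResponse
		response.Error = errors.Wrapf(err, "failed to retrieve HTTP POST response from %v", responder).Error()
		return
	}
	defer ret.Body.Close()

	// Cap the body read. Passing a nil ResponseWriter is fine: MaxBytesReader
	// only consults it to signal oversized *server-side* request bodies.
	httpResp, err := ioutil.ReadAll(http.MaxBytesReader(nil, ret.Body, maxResponseBytes))
	if err != nil {
		response.Status = BadResponse
		response.Error = errors.Wrapf(err, "failed to read HTTP response body from %v (read is capped at %d bytes)", responder, maxResponseBytes).Error()
		return
	}

	// An OCSP responder answers a successful query with HTTP 200 and a DER
	// OCSPResponse body. Anything else (error page, captive portal, WAF block,
	// redirect target) is a transport-level failure; report it as such instead
	// of letting the OCSP parser's error on a non-DER body be the diagnosis.
	if ret.StatusCode != http.StatusOK {
		response.Status = BadResponse
		response.Error = fmt.Sprintf("responder %v returned HTTP %q instead of 200 OK", responder, ret.Status)
		if itLooksLikeHTML(httpResp) {
			response.Error += " (response body appears to be HTML)"
		}
		return
	}

	serverResponse, err := ocsplib.ParseResponse(httpResp, issuer)
	if err != nil {
		// Classification is by error text because the OCSP library does not
		// expose a stable error type here; keep the substrings in sync with it.
		msg := err.Error()
		switch {
		case strings.Contains(msg, `unauthorized`):
			// Responder-level "unauthorized" (RFC 6960 OCSPResponseStatus).
			response.Status = Unauthorized
		case strings.Contains(msg, `verification error`):
			// Response was parsed but its signature did not verify against
			// the issuer (or delegated responder) — a security-relevant result.
			response.Error = msg
			response.Status = CryptoVerifcationError
		case itLooksLikeHTML(httpResp):
			response.Status = BadResponse
			response.Error = fmt.Sprintf("Response appears to be HTML. Error: %s", msg)
		default:
			response.Status = BadResponse
			response.Error = msg
		}
		return
	}

	switch serverResponse.Status {
	case ocsplib.Revoked:
		response.Status = Revoked
	case ocsplib.Good:
		response.Status = Good
	case ocsplib.Unknown:
		response.Status = Unknown
	default:
		// Defensive: the library only yields the three statuses above, but a
		// silent zero-value Status would read as "no result" to callers.
		response.Status = BadResponse
		response.Error = fmt.Sprintf("unrecognized OCSP certificate status %v", serverResponse.Status)
	}
	return
}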