TRKJ/EdgeAPI
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeAPI.git synced 2025-11-10 12:30:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

OCSP支持过期时间

Browse Source
This commit is contained in:
GoEdgeLab
2022-03-18 20:21:24 +08:00
parent 9638e4d12a
commit 0f80b2571c
6 changed files with 85 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
internal/tasks/ssl_cert_update_ocsp_task.go
View File

@@ -63,8 +63,8 @@ func (this *SSLCertUpdateOCSPTask) Loop(checkLock bool) error {
var tx *dbs.Tx
// TODO 将来可以设置单次任务条数
var size int64 = 60
var maxAge = 7200
certs, err := models.SharedSSLCertDAO.ListCertsToUpdateOCSP(tx, maxAge, size)
var maxTries = 5
certs, err := models.SharedSSLCertDAO.ListCertsToUpdateOCSP(tx, maxTries, size)
if err != nil {
return errors.New("list certs failed: " + err.Error())
}
@@ -82,14 +82,16 @@ func (this *SSLCertUpdateOCSPTask) Loop(checkLock bool) error {
}
for _, cert := range certs {
ocspData, err := this.UpdateCertOCSP(cert)
ocspData, expiresAt, err := this.UpdateCertOCSP(cert)
var errString = ""
var hasErr = false
if err != nil {
errString = err.Error()
hasErr = true
remotelogs.Warn("SSLCertUpdateOCSPTask", "update ocsp failed: "+errString)
}
err = models.SharedSSLCertDAO.UpdateCertOCSP(tx, int64(cert.Id), ocspData, errString)
err = models.SharedSSLCertDAO.UpdateCertOCSP(tx, int64(cert.Id), ocspData, expiresAt, hasErr, errString)
if err != nil {
return errors.New("update ocsp failed: " + err.Error())
}
@@ -99,37 +101,37 @@ func (this *SSLCertUpdateOCSPTask) Loop(checkLock bool) error {
}
// UpdateCertOCSP 更新单个证书OCSP
func (this *SSLCertUpdateOCSPTask) UpdateCertOCSP(certOne *models.SSLCert) (ocspData []byte, err error) {
func (this *SSLCertUpdateOCSPTask) UpdateCertOCSP(certOne *models.SSLCert) (ocspData []byte, expiresAt int64, err error) {
if certOne.IsCA == 1 || len(certOne.CertData) == 0 || len(certOne.KeyData) == 0 {
return
}
keyPair, err := tls.X509KeyPair([]byte(certOne.CertData), []byte(certOne.KeyData))
if err != nil {
return nil, errors.New("parse certificate failed: " + err.Error())
return nil, 0, errors.New("parse certificate failed: " + err.Error())
}
if len(keyPair.Certificate) == 0 {
return nil, nil
return nil, 0, nil
}
var certData = keyPair.Certificate[0]
cert, err := x509.ParseCertificate(certData)
if err != nil {
return nil, errors.New("parse certificate block failed: " + err.Error())
return nil, 0, errors.New("parse certificate block failed: " + err.Error())
}
// 是否已过期
var now = time.Now()
if cert.NotBefore.After(now) || cert.NotAfter.Before(now) {
return nil, nil
return nil, 0, nil
}
if len(cert.IssuingCertificateURL) == 0 || len(cert.OCSPServer) == 0 {
return nil, nil
return nil, 0, nil
}
if len(cert.DNSNames) == 0 {
return nil, nil
return nil, 0, nil
}
var issuerURL = cert.IssuingCertificateURL[0]
@@ -137,12 +139,12 @@ func (this *SSLCertUpdateOCSPTask) UpdateCertOCSP(certOne *models.SSLCert) (ocsp
issuerReq, err := http.NewRequest(http.MethodGet, issuerURL, nil)
if err != nil {
return nil, errors.New("request issuer certificate failed: " + err.Error())
return nil, 0, errors.New("request issuer certificate failed: " + err.Error())
}
issuerReq.Header.Set("User-Agent", teaconst.ProductName+"/"+teaconst.Version)
issuerResp, err := this.httpClient.Do(issuerReq)
if err != nil {
return nil, errors.New("request issuer certificate failed: '" + issuerURL + "': " + err.Error())
return nil, 0, errors.New("request issuer certificate failed: '" + issuerURL + "': " + err.Error())
}
defer func() {
_ = issuerResp.Body.Close()
@@ -150,29 +152,29 @@ func (this *SSLCertUpdateOCSPTask) UpdateCertOCSP(certOne *models.SSLCert) (ocsp
issuerData, err := ioutil.ReadAll(issuerResp.Body)
if err != nil {
return nil, errors.New("read issuer certificate failed: '" + issuerURL + "': " + err.Error())
return nil, 0, errors.New("read issuer certificate failed: '" + issuerURL + "': " + err.Error())
}
issuerCert, err := x509.ParseCertificate(issuerData)
if err != nil {
return nil, errors.New("parse issuer certificate failed: '" + issuerURL + "': " + err.Error())
return nil, 0, errors.New("parse issuer certificate failed: '" + issuerURL + "': " + err.Error())
}
buf, err := ocsp.CreateRequest(cert, issuerCert, &ocsp.RequestOptions{
Hash: crypto.SHA1,
})
if err != nil {
return nil, errors.New("create ocsp request failed: " + err.Error())
return nil, 0, errors.New("create ocsp request failed: " + err.Error())
}
ocspReq, err := http.NewRequest(http.MethodPost, ocspServerURL, bytes.NewBuffer(buf))
if err != nil {
return nil, errors.New("request ocsp failed: " + err.Error())
return nil, 0, errors.New("request ocsp failed: " + err.Error())
}
ocspReq.Header.Set("Content-Type", "application/ocsp-request")
ocspReq.Header.Set("Accept", "application/ocsp-response")
ocspResp, err := this.httpClient.Do(ocspReq)
if err != nil {
return nil, errors.New("request ocsp failed: '" + ocspServerURL + "': " + err.Error())
return nil, 0, errors.New("request ocsp failed: '" + ocspServerURL + "': " + err.Error())
}
defer func() {
@@ -181,17 +183,17 @@ func (this *SSLCertUpdateOCSPTask) UpdateCertOCSP(certOne *models.SSLCert) (ocsp
respData, err := ioutil.ReadAll(ocspResp.Body)
if err != nil {
return nil, errors.New("read ocsp failed: '" + ocspServerURL + "': " + err.Error())
return nil, 0, errors.New("read ocsp failed: '" + ocspServerURL + "': " + err.Error())
}
ocspResult, err := ocsp.ParseResponse(respData, issuerCert)
if err != nil {
return nil, errors.New("decode ocsp failed: " + err.Error())
return nil, 0, errors.New("decode ocsp failed: " + err.Error())
}
// 只返回Good的ocsp
if ocspResult.Status == ocsp.Good {
return respData, nil
return respData, ocspResult.NextUpdate.Unix(), nil
}
return nil, nil
return nil, 0, nil
}