From b44fd58aedc7aa55a0fe16e443c6cfd3d2738982 Mon Sep 17 00:00:00 2001
From: GoEdgeLab
Date: Fri, 18 Mar 2022 20:20:28 +0800
Subject: [PATCH] =?UTF-8?q?OCSP=E6=94=AF=E6=8C=81=E8=BF=87=E6=9C=9F?= =?UTF-8?q?=E6=97=B6=E9=97=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pkg/nodeconfigs/node_config.go | 6 +-
 pkg/rpc/pb/service_ssl_cert.pb.go | 148 ++++++++++--------
 pkg/rpc/protos/service_ssl_cert.proto | 3 +-
 .../sslconfigs/ssl_cert_config.go | 5 +-
 pkg/serverconfigs/sslconfigs/ssl_policy.go | 62 +++++++-
 .../sslconfigs/ssl_policy_test.go | 106 ++++++++++++-
 6 files changed, 247 insertions(+), 83 deletions(-)
diff --git a/pkg/nodeconfigs/node_config.go b/pkg/nodeconfigs/node_config.go
index 79b4ce9..1190cd7 100644
--- a/pkg/nodeconfigs/node_config.go
+++ b/pkg/nodeconfigs/node_config.go
@@ -428,7 +428,7 @@ func (this *NodeConfig) SYNFloodConfig() *firewallconfigs.SYNFloodConfig {
 }
 
 // UpdateCertOCSP 修改证书OCSP
-func (this *NodeConfig) UpdateCertOCSP(certId int64, ocsp []byte) {
+func (this *NodeConfig) UpdateCertOCSP(certId int64, ocsp []byte, expiresAt int64) {
 shared.Locker.Lock()
 defer shared.Locker.Unlock()
 
@@ -438,14 +438,14 @@ func (this *NodeConfig) UpdateCertOCSP(certId int64, ocsp []byte) {
 server.HTTPS.SSLPolicy != nil &&
 server.HTTPS.SSLPolicy.OCSPIsOn &&
 server.HTTPS.SSLPolicy.ContainsCert(certId) {
- server.HTTPS.SSLPolicy.UpdateCertOCSP(certId, ocsp)
+ server.HTTPS.SSLPolicy.UpdateCertOCSP(certId, ocsp, expiresAt)
 }
 
 if server.TLS != nil &&
 server.TLS.SSLPolicy != nil &&
 server.TLS.SSLPolicy.OCSPIsOn &&
 server.TLS.SSLPolicy.ContainsCert(certId) {
- server.TLS.SSLPolicy.UpdateCertOCSP(certId, ocsp)
+ server.TLS.SSLPolicy.UpdateCertOCSP(certId, ocsp, expiresAt)
 }
 }
 }
diff --git a/pkg/rpc/pb/service_ssl_cert.pb.go b/pkg/rpc/pb/service_ssl_cert.pb.go
index 8f3579a..b54dff5 100644
--- a/pkg/rpc/pb/service_ssl_cert.pb.go
+++ b/pkg/rpc/pb/service_ssl_cert.pb.go
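Review bot: The doc comment `// UpdateCertOCSP 修改证书OCSP` above the changed signature is not updated for the new `expiresAt` parameter, and neither hunk states its unit or what a zero value means; the SSLPolicy implementation in ssl_policy.go compares it with `time.Now().Unix()` and removes the staple when it is not in the future, which callers of this method need to know. Suggest `// UpdateCertOCSP replaces the stapled OCSP response of certificate certId on every server that uses it; expiresAt is a Unix timestamp in seconds, and a zero or past value removes the staple instead.` The second hunk repeats the same call for server.TLS, so one comment on the method covers both.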
@@ -1125,8 +1125,9 @@ type ListUpdatedSSLCertOCSPResponse_SSLCertOCSP struct { unknownFields protoimpl.UnknownFields SslCertId int64 `protobuf:"varint,1,opt,name=sslCertId,proto3" json:"sslCertId,omitempty"` - Ocsp []byte `protobuf:"bytes,2,opt,name=ocsp,proto3" json:"ocsp,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` Version int64 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"` + ExpiresAt int64 `protobuf:"varint,4,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"` } func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) Reset() { @@ -1168,9 +1169,9 @@ func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) GetSslCertId() int64 { return 0 } -func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) GetOcsp() []byte { +func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) GetData() []byte { if x != nil { - return x.Ocsp + return x.Data } return nil } @@ -1182,6 +1183,13 @@ func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) GetVersion() int64 { return 0 } +func (x *ListUpdatedSSLCertOCSPResponse_SSLCertOCSP) GetExpiresAt() int64 { + if x != nil { + return x.ExpiresAt + } + return 0 +} + var File_service_ssl_cert_proto protoreflect.FileDescriptor var file_service_ssl_cert_proto_rawDesc = []byte{ 
@@ -1311,83 +1319,85 @@ var file_service_ssl_cert_proto_rawDesc = []byte{ 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, - 0x73, 0x69, 0x7a, 0x65, 0x22, 0xcd, 0x01, 0x0a, 0x1e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, + 0x73, 0x69, 0x7a, 0x65, 0x22, 0xeb, 0x01, 0x0a, 0x1e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x50, 0x0a, 0x0b, 0x73, 0x73, 0x6c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x0b, 0x73, 0x73, - 0x6c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x1a, 0x59, 0x0a, 0x0b, 0x53, 0x53, 0x4c, + 0x6c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x1a, 0x77, 0x0a, 0x0b, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x6c, 0x43, 0x65, 0x72, 0x74, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x73, 0x73, 0x6c, - 0x43, 0x65, 0x72, 0x74, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, + 0x43, 0x65, 0x72, 0x74, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x76, 
0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x32, 0xe9, 0x07, 0x0a, 0x0e, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x44, 0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, - 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x72, - 0x65, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x53, - 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x39, 0x0a, - 0x0d, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, - 0x2e, 0x70, 0x62, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, - 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, - 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x39, 0x0a, 0x0d, 0x64, 0x65, 0x6c, 0x65, - 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x44, - 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x12, 0x65, 0x0a, 0x18, 0x66, 0x69, 0x6e, 0x64, 0x45, 0x6e, 0x61, 0x62, 0x6c, - 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, - 0x23, 0x2e, 0x70, 0x62, 0x2e, 0x46, 0x69, 0x6e, 0x64, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, - 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x62, 0x2e, 0x46, 0x69, 0x6e, 0x64, 0x45, 0x6e, - 0x61, 0x62, 0x6c, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3e, 0x0a, 0x0d, 0x63, 0x6f, - 0x75, 0x6e, 0x74, 0x53, 
0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x17, 0x2e, 0x70, 0x62, - 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x43, 0x6f, 0x75, - 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, - 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x17, 0x2e, 0x70, 0x62, 0x2e, - 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, - 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5f, 0x0a, - 0x1d, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, - 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x28, - 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x53, 0x4c, 0x43, - 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, - 0x43, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x68, - 0x0a, 0x19, 0x6c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, - 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x24, 0x2e, 0x70, 0x62, - 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, - 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, - 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x55, 
0x0a, 0x1b, 0x69, 0x67, 0x6e, 0x6f, - 0x72, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, - 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x26, 0x2e, 0x70, 0x62, 0x2e, 0x49, 0x67, 0x6e, - 0x6f, 0x72, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, + 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, + 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, + 0x41, 0x74, 0x32, 0xe9, 0x07, 0x0a, 0x0e, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x44, 0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, + 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x72, 0x65, 0x61, + 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x19, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, + 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x39, 0x0a, 0x0d, 0x75, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, 0x2e, 0x70, + 0x62, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, + 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x39, 0x0a, 0x0d, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, + 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x12, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x6c, + 0x65, 0x74, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x12, 0x65, 0x0a, 0x18, 0x66, 0x69, 0x6e, 0x64, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, + 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x23, 0x2e, + 
0x70, 0x62, 0x2e, 0x46, 0x69, 0x6e, 0x64, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x53, 0x53, + 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x62, 0x2e, 0x46, 0x69, 0x6e, 0x64, 0x45, 0x6e, 0x61, 0x62, + 0x6c, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3e, 0x0a, 0x0d, 0x63, 0x6f, 0x75, 0x6e, + 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x17, 0x2e, 0x70, 0x62, 0x2e, 0x43, + 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x43, 0x6f, 0x75, 0x6e, 0x74, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, 0x73, 0x74, + 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x17, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, + 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, + 0x72, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5f, 0x0a, 0x1d, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, + 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x28, 0x2e, 0x70, + 0x62, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, + 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x43, + 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x68, 0x0a, 0x19, + 0x6c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, + 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 
0x72, 0x6f, 0x72, 0x12, 0x24, 0x2e, 0x70, 0x62, 0x2e, 0x4c, + 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, - 0x53, 0x0a, 0x1a, 0x72, 0x65, 0x73, 0x65, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, - 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x25, 0x2e, - 0x70, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x65, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, - 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x12, 0x59, 0x0a, 0x1d, 0x72, 0x65, 0x73, 0x65, 0x74, 0x41, 0x6c, 0x6c, + 0x25, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, + 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x55, 0x0a, 0x1b, 0x69, 0x67, 0x6e, 0x6f, 0x72, 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, - 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x28, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x65, 0x74, - 0x41, 0x6c, 0x6c, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, - 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, - 0x5f, 0x0a, 0x16, 0x6c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, - 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x21, 0x2e, 0x70, 0x62, 0x2e, 0x4c, - 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 
0x43, 0x65, 0x72, - 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, - 0x62, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, - 0x43, 0x65, 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x42, 0x06, 0x5a, 0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x26, 0x2e, 0x70, 0x62, 0x2e, 0x49, 0x67, 0x6e, 0x6f, 0x72, + 0x65, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, + 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, + 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x53, 0x0a, + 0x1a, 0x72, 0x65, 0x73, 0x65, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, + 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x25, 0x2e, 0x70, 0x62, + 0x2e, 0x52, 0x65, 0x73, 0x65, 0x74, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, + 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x12, 0x59, 0x0a, 0x1d, 0x72, 0x65, 0x73, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x53, 0x53, + 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, 0x50, 0x45, 0x72, + 0x72, 0x6f, 0x72, 0x12, 0x28, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x65, 0x74, 0x41, 0x6c, + 0x6c, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x73, 0x57, 0x69, 0x74, 0x68, 0x4f, 0x43, 0x53, + 0x50, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, + 0x70, 0x62, 0x2e, 0x52, 0x50, 0x43, 0x53, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x5f, 0x0a, + 0x16, 0x6c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, + 0x65, 0x72, 0x74, 
0x4f, 0x43, 0x53, 0x50, 0x12, 0x21, 0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x69, 0x73,
+ 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65, 0x72, 0x74, 0x4f,
+ 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x62, 0x2e,
+ 0x4c, 0x69, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x4c, 0x43, 0x65,
+ 0x72, 0x74, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x06,
+ 0x5a, 0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
diff --git a/pkg/rpc/protos/service_ssl_cert.proto b/pkg/rpc/protos/service_ssl_cert.proto
index a8cc109..7e825e4 100644
--- a/pkg/rpc/protos/service_ssl_cert.proto
+++ b/pkg/rpc/protos/service_ssl_cert.proto
@@ -161,7 +161,8 @@ message ListUpdatedSSLCertOCSPResponse {
 
 message SSLCertOCSP {
 int64 sslCertId = 1;
- bytes ocsp = 2;
+ bytes data = 2;
 int64 version = 3;
+ int64 expiresAt = 4;
 }
 }
\ No newline at end of file
diff --git a/pkg/serverconfigs/sslconfigs/ssl_cert_config.go b/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
index 6c5bf3e..d63ed91 100644
--- a/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
+++ b/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
@@ -30,8 +30,9 @@ type SSLCertConfig struct {
 CommonNames []string `yaml:"commonNames" json:"commonNames"`
 
 // OCSP
- OCSP []byte `yaml:"ocsp" json:"ocsp"`
- OCSPError string `yaml:"ocspError" json:"ocspError"`
+ OCSP []byte `yaml:"ocsp" json:"ocsp"`
+ OCSPExpiresAt int64 `yaml:"ocspExpiresAt" json:"ocspExpiresAt"`
+ OCSPError string `yaml:"ocspError" json:"ocspError"`
 
 cert *tls.Certificate
 timeBegin time.Time
diff --git a/pkg/serverconfigs/sslconfigs/ssl_policy.go b/pkg/serverconfigs/sslconfigs/ssl_policy.go
index 0057a7a..ac57b9c 100644
--- a/pkg/serverconfigs/sslconfigs/ssl_policy.go
+++ b/pkg/serverconfigs/sslconfigs/ssl_policy.go
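Review bot: Renaming field 2 from `ocsp` to `data` keeps the protobuf wire format (the tag number is unchanged) but changes the JSON name and the generated Go accessor (`GetOcsp` becomes `GetData` in the pb.go hunk), so any consumer reading this message as JSON or built against the old generated code breaks, and the commit subject only mentions expiry support. The new `expiresAt` field also carries no comment about its unit, and proto comments are the only documentation generated clients see. Suggest `int64 expiresAt = 4; // Unix timestamp in seconds after which the response in data must no longer be stapled; the node drops the staple when this is zero or in the past`.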
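Review bot: `OCSPExpiresAt` is added without a comment, and its zero value now changes behaviour for already persisted configs: ssl_policy.go's Init only staples while `cert.OCSPExpiresAt > time.Now().Unix()`, so a config serialized before this field existed (`ocsp` present, `ocspExpiresAt` absent) stops stapling until the next OCSP push arrives. Document that on the field: `OCSPExpiresAt int64 ... // Unix seconds; the response in OCSP is stapled only while this is in the future, so 0 disables stapling`. The struct definition continues outside the hunk.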
@@ -6,6 +6,7 @@ import (
 "crypto/x509"
 "github.com/TeaOSLab/EdgeCommon/pkg/configutils"
 "golang.org/x/net/http2"
+ "time"
 )
 
 // TLSVersion TLS Version
@@ -42,6 +43,8 @@ type SSLPolicy struct {
 
 clientCAPool *x509.CertPool
 tlsConfig *tls.Config
+
+ ocspExpiresAt int64 // OCSP最早过期时间
 }
 
 // Init 校验配置
@@ -55,7 +58,10 @@ func (this *SSLPolicy) Init() error {
 if err != nil {
 return err
 }
- if this.OCSPIsOn && len(cert.OCSP) > 0 {
+ if this.OCSPIsOn && len(cert.OCSP) > 0 && cert.OCSPExpiresAt > time.Now().Unix() {
+ if this.ocspExpiresAt == 0 || cert.OCSPExpiresAt < this.ocspExpiresAt {
+ this.ocspExpiresAt = cert.OCSPExpiresAt
+ }
 cert.CertObject().OCSPStaple = cert.OCSP
 }
 certs = append(certs, *cert.CertObject())
@@ -167,16 +173,28 @@ func (this *SSLPolicy) ContainsCert(certId int64) bool {
 }
 
 // UpdateCertOCSP 修改某个证书的OCSP
-func (this *SSLPolicy) UpdateCertOCSP(certId int64, ocsp []byte) {
+func (this *SSLPolicy) UpdateCertOCSP(certId int64, ocsp []byte, expiresAt int64) {
+ var nowTime = time.Now().Unix()
+
 for _, cert := range this.Certs {
 if cert.Id == certId {
 cert.OCSP = ocsp
+ cert.OCSPExpiresAt = expiresAt
 cert.CertObject().OCSPStaple = cert.OCSP
 
 // 修改tlsConfig中的cert
- for index, cert2 := range this.tlsConfig.Certificates {
- if this.certIsEqual(*cert.CertObject(), cert2) {
- this.tlsConfig.Certificates[index].OCSPStaple = ocsp
+ for index, certObj := range this.tlsConfig.Certificates {
+ if this.certIsEqual(*cert.CertObject(), certObj) {
+ if len(cert.OCSP) > 0 && cert.OCSPExpiresAt > nowTime {
+ this.tlsConfig.Certificates[index].OCSPStaple = ocsp
+
+ // 重置过期时间
+ if this.ocspExpiresAt == 0 || cert.OCSPExpiresAt < this.ocspExpiresAt {
+ this.ocspExpiresAt = cert.OCSPExpiresAt
+ }
+ } else {
+ this.tlsConfig.Certificates[index].OCSPStaple = nil
+ }
 }
 }
 break
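Review bot: The new condition in Init re-reads `time.Now().Unix()` for every certificate in the loop; hoist it as `var nowTime = time.Now().Unix()` ahead of the `for` (the start of Init is outside the hunk) and compare against that, which also keeps one consistent "now" across the loop. The same condition means a certificate with OCSP bytes but `OCSPExpiresAt == 0` is never stapled, so configs persisted before this field existed silently lose stapling until the next push. The node also never inspects the response itself, so the API-reported expiry is the only bound on how long a response is served; a comment stating that expiresAt is expected to be derived from the response's nextUpdate by the API server would document that trust relationship, and parsing it locally with `ocsp.ParseResponse` from golang.org/x/crypto and using its `NextUpdate` would make the node self-sufficient.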
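Review bot: In UpdateCertOCSP, `cert.CertObject().OCSPStaple = cert.OCSP` is still assigned unconditionally above the new expiry check, so when `expiresAt` is zero or in the past the cached `CertObject()` keeps the stale bytes while `this.tlsConfig.Certificates[index].OCSPStaple` is set to nil, and anything that later rebuilds the TLS config from `CertObject()` would serve the expired response. Decide the staple once before the loop, `var staple []byte` / `if len(ocsp) > 0 && expiresAt > nowTime { staple = ocsp }`, assign it to `cert.CertObject().OCSPStaple`, and store the same `staple` in the inner loop, which also removes the duplicated condition. Since a zero `expiresAt` — for instance from an API server that does not populate the new proto field yet — takes the `else` branch, the staple is removed without any trace; a log line at that branch would make the condition visible to operators.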
@@ -184,6 +202,40 @@ func (this *SSLPolicy) UpdateCertOCSP(certId int64, ocsp []byte) {
 }
 }
 
+// CheckOCSP 检查OCSP过期时间
+func (this *SSLPolicy) CheckOCSP() {
+ if !this.OCSPIsOn || this.ocspExpiresAt == 0 {
+ return
+ }
+
+ var nowTime = time.Now().Unix()
+ if this.ocspExpiresAt > nowTime {
+ return
+ }
+ this.ocspExpiresAt = 0
+
+ for _, cert := range this.Certs {
+ if cert.OCSPExpiresAt > 0 && cert.OCSPExpiresAt < nowTime+1 {
+ // 重置OCSP
+ cert.OCSP = nil
+ cert.OCSPExpiresAt = 0
+ for index, certObj := range this.tlsConfig.Certificates {
+ if this.certIsEqual(*cert.CertObject(), certObj) {
+ this.tlsConfig.Certificates[index].OCSPStaple = nil
+ }
+ }
+ } else if len(cert.OCSP) > 0 && cert.OCSPExpiresAt > nowTime && (this.ocspExpiresAt == 0 || cert.OCSPExpiresAt < this.ocspExpiresAt) {
+ // 重置过期时间
+ this.ocspExpiresAt = cert.OCSPExpiresAt
+ }
+ }
+}
+
+// OcspExpiresAt OCSP最近过期时间
+func (this *SSLPolicy) OcspExpiresAt() int64 {
+ return this.ocspExpiresAt
+}
+
 func (this *SSLPolicy) certIsEqual(cert1 tls.Certificate, cert2 tls.Certificate) bool {
 var b1 = cert1.Certificate
 var b2 = cert2.Certificate
diff --git a/pkg/serverconfigs/sslconfigs/ssl_policy_test.go b/pkg/serverconfigs/sslconfigs/ssl_policy_test.go
index 87cb870..ed2dcfc 100644
--- a/pkg/serverconfigs/sslconfigs/ssl_policy_test.go
+++ b/pkg/serverconfigs/sslconfigs/ssl_policy_test.go
@@ -1,17 +1,19 @@
 // Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 
-package sslconfigs
+package sslconfigs_test
 
 import (
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
 "github.com/iwind/TeaGo/assert"
 "testing"
+ "time"
 )
 
 func TestSSLPolicy_MatchDomain(t *testing.T) {
 var a = assert.NewAssertion(t)
 
- var policy = &SSLPolicy{}
- policy.Certs = []*SSLCertConfig{
+ var policy = &sslconfigs.SSLPolicy{}
+ policy.Certs = []*sslconfigs.SSLCertConfig{
 {
 Id: 1,
 DNSNames: []string{"a.com", "b.com"},
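Review bot: `CheckOCSP` writes `this.tlsConfig.Certificates[index].OCSPStaple` in place while crypto/tls reads `Config.Certificates` from handshake goroutines, and no synchronization is visible in the hunk — the caller of `CheckOCSP` is not in the diff, and the `shared.Locker` taken around `UpdateCertOCSP` in node_config.go does not exclude handshakes — so a `-race` run of a server under load would likely flag both methods; serving certificates through a `GetCertificate` callback that reads under a mutex is the usual remedy. Two smaller points: the accessor `OcspExpiresAt` breaks this file's initialism convention (`OCSPIsOn`, `CheckOCSP`) and should be `OCSPExpiresAt`, and `cert.OCSPExpiresAt < nowTime+1` reads more clearly as `cert.OCSPExpiresAt <= nowTime`. The doc comment should also state the calling contract: `// CheckOCSP drops stapled OCSP responses whose expiry has passed and recomputes the earliest remaining expiry; it returns immediately until that expiry is reached and is intended to be called periodically.`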
@@ -31,3 +33,101 @@ func TestSSLPolicy_MatchDomain(t *testing.T) {
 a.IsTrue(ok)
 }
 }
+
+func TestSSLPolicy_CheckOCSP(t *testing.T) {
+ var certData = []byte(`-----BEGIN CERTIFICATE-----
+MIIEcTCCA9qgAwIBAgIDbhMuMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJD
+TjESMBAGA1UECBMJR3Vhbmdkb25nMREwDwYDVQQHEwhTaGVuemhlbjEQMA4GA1UE
+ChMHVGVuY2VudDEMMAoGA1UECxMDV1hHMRMwEQYDVQQDEwpNbXBheW1jaENBMR8w
+HQYJKoZIhvcNAQkBFhBtbXBheW1jaEB0ZW5jZW50MB4XDTE2MTIxMjA5NDAwM1oX
+DTI2MTIxMDA5NDAwM1owgaExCzAJBgNVBAYTAkNOMRIwEAYDVQQIEwlHdWFuZ2Rv
+bmcxETAPBgNVBAcTCFNoZW56aGVuMRAwDgYDVQQKEwdUZW5jZW50MQ4wDAYDVQQL
+EwVNTVBheTE2MDQGA1UEAxQt5YyX5Lqs5LiJ55m+5YWt5Y2B6KGM5LqS6IGU56eR
+5oqA5pyJ6ZmQ5YWs5Y+4MREwDwYDVQQEEwgxNzIyNzc0NDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAN2/1axdFhLKgMAGpkM9kpBfz88IvVYLFLaRrsIO
+aM4RLDup5ye0GrOvQtq8gvPFbn+GuekyBfoVRNHW1OSv/uQfDYd5tcmAy/0BDZSL
+OfPHaYOS2fj2y9KvLZTFTMBszG9kwV/FFlHgK4SJKbikdqTPd9vnt6Yr7FyfTIws
+K9RQ77vetOTduWZttON+RK/Tlz6AepiVfl9LZ/XOVveYI/6TfEbI6uUoeXrlSKCf
+w8/yfo69tcZV0g9yjSnVYDvgp6BFXJ1QK1CnJB4Dnol8XoBgUIrUyJqO+LvPr2Qy
+wsnyONc15AJK/23vebDGGvTvYtu47qRywISD4ioW15YBK1UCAwEAAaOCAUYwggFC
+MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHSJDRVMtQ0EgR2VuZXJhdGUgQ2Vy
+dGlmaWNhdGUiMB0GA1UdDgQWBBQVQCAalLY0TuS+z80biOcWb0QkzjCBvwYDVR0j
+BIG3MIG0gBQ+BSb2ImK0FVuIzWR+sNRip+WGdKGBkKSBjTCBijELMAkGA1UEBhMC
+Q04xEjAQBgNVBAgTCUd1YW5nZG9uZzERMA8GA1UEBxMIU2hlbnpoZW4xEDAOBgNV
+BAoTB1RlbmNlbnQxDDAKBgNVBAsTA1dYRzETMBEGA1UEAxMKTW1wYXltY2hDQTEf
+MB0GCSqGSIb3DQEJARYQbW1wYXltY2hAdGVuY2VudIIJALtUlyu8AOhXMA4GA1Ud
+DwEB/wQEAwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQUF
+AAOBgQA/Zr9PIRE8c3mAnb0lmx/DToFJrUB4Sr51szjiX5XiKymBoC2hnwJvI+7B
+EkRdNv4S7rvu33GS7BcZvjEwyrZdA9ZRIQz1MiaBIXdayIkkUCxaStB1junI8Jfc
+dG6S+JIMJU8y0tG53vEG2JRw8Mmm1qloAxs1Zl92UtlZoiHHCQ==
+-----END CERTIFICATE-----
+`)
+ var keyData = []byte(`-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDdv9WsXRYSyoDA
+BqZDPZKQX8/PCL1WCxS2ka7CDmjOESw7qecntBqzr0LavILzxW5/hrnpMgX6FUTR
+1tTkr/7kHw2HebXJgMv9AQ2Uiznzx2mDktn49svSry2UxUzAbMxvZMFfxRZR4CuE
+iSm4pHakz3fb57emK+xcn0yMLCvUUO+73rTk3blmbbTjfkSv05c+gHqYlX5fS2f1
+zlb3mCP+k3xGyOrlKHl65Uign8PP8n6OvbXGVdIPco0p1WA74KegRVydUCtQpyQe
+A56JfF6AYFCK1Miajvi7z69kMsLJ8jjXNeQCSv9t73mwxhr072LbuO6kcsCEg+Iq
+FteWAStVAgMBAAECggEAVkqTfMqQj2lsJs2vn5TzVulh9cAB5dzUB6OzbOKsmBwI
+qYMZZ9LnXSsDihk3oGMg99FWwU9tEf9602mVWRS/zMfkvOZ4/lv3hZIGVdrEB4B/
+J+talU58zJTM2QraLjtoZqS/t2P7porkhGPX73lYjhQKIXIPfkOza+u1nwqFV84Z
+YowiRTowuBHAAduW7W5uv4MaGG6P9w/JzR4zHCUjc5rnh/3a3+TN6KRxkXDh+1yi
+6wg0S54qtTyAEIeGMjIqhzUgN0fxlhyMgtROi8h3DN/tvBoOCT9jGFeTsBcfk6Ib
+p4sMDo/OcC1NXsENsccVprH297jKmwV0vZFGUebPAQKBgQD9bfrWU0TvLlLILJmT
+52HRy6HCddKV6SdCBF04Rz3a5L32epKREql6l8KewHo05wlty90UL4sltHwZo9h6
+QuukNMMuLvaye2qOAkuFw1x5qD4R2VvbQsPDHoJt0zOzzF77/Faob+3NSHk9Yt3h
+s7/LrU9vDfoPVROMatJR01XzFQKBgQDf/5kofDYQ/qcddosktkgxIyZBFuE4C/s+
+nhiXl/Kd5Q+AP2o6kPsl5o4Jz2s3zBrmyRb733Zhb/rx/gbebTvqLjrTpyxXovmQ
+8ecKeAS+IlrvAEDDT4c6ecAXR4zHZER00g0zbL4sX+fpKzON+jL6poA/el4MQySR
+/DLJUx1nQQKBgQCLNQFG/2BrPXfNaupFWyDZW9CT/6JYJEUjN0B5bHCmr2VFYdjm
+hWjA5WHLUBEQxCPiwsvCjccSRAyzDNQZfG7xuOXJlZR/P9ms/ce8Ry6hyO+nYEzb
+qNXddQHSD+RjjAxUwCxdw3XNgFTQimE03EarO5zZdMT57RKa3AaBWePpbQKBgQCq
+D4fcMNFrfaqqt8FUEgAlLiZw7En5Hz+Ufrr0/Kt6LNnj6EFiTYgfcjcMQ6mHJzKV
+XL5SY4mg2D+RUectH4mJdae74QPNVTJcVQuv6wbOw45+PZbtsYddYenwwqWjDADd
+IExdaoXHctjDMcVmWTozCg38I48biC5Pl0WHi86bAQKBgGBK6XUJPRYOsQFshunq
+edxSbZBiYFDUj6SfOdaTSuU61KOWRTXJyuOBaB77usmZdwOrB4vy1XUT1uuPWKlx
+SKmNoe/mk2xYiGdKvFDRRHh25zCxDWsQ2nMQfUFczTZ9wBwGs40wzm36fSgHZybq
+Z3NIV2eNt6YBwkC69DzdazXT
+-----END PRIVATE KEY-----
+`)
+
+ var policy = &sslconfigs.SSLPolicy{
+ OCSPIsOn: true,
+ }
+
+ var nowTime = time.Now().Unix()
+
+ policy.Certs = append(policy.Certs, &sslconfigs.SSLCertConfig{
+ Id: 1,
+ CertData: certData,
+ KeyData: keyData,
+ OCSP: []byte("ocsp"),
+ OCSPExpiresAt: nowTime + 1,
+ })
+ policy.Certs = append(policy.Certs, &sslconfigs.SSLCertConfig{
+ Id: 1,
+ CertData: certData,
+ KeyData: keyData,
+ OCSP: []byte("ocsp"),
+ OCSPExpiresAt: nowTime + 3,
+ })
+ policy.Certs = append(policy.Certs, &sslconfigs.SSLCertConfig{
+ Id: 1,
+ CertData: certData,
+ KeyData: keyData,
+ OCSP: []byte("ocsp"),
+ OCSPExpiresAt: nowTime + 2,
+ })
+
+ err := policy.Init()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ t.Log(policy.OcspExpiresAt(), policy.OcspExpiresAt() == nowTime+1)
+
+ time.Sleep(1 * time.Second)
+ policy.CheckOCSP()
+ t.Log(policy.OcspExpiresAt(), policy.OcspExpiresAt() == nowTime+2)
+}
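Review bot: The two `t.Log(policy.OcspExpiresAt(), ...)` calls at the end of TestSSLPolicy_CheckOCSP only print, so the test passes even when the expiry bookkeeping is wrong; replace them with failing checks, e.g. `if got := policy.OcspExpiresAt(); got != nowTime+1 { t.Fatalf("after Init: got %d, want %d", got, nowTime+1) }` and the same for `nowTime+2` after `CheckOCSP()`. The expectations are also timing-dependent: `nowTime` is read before `Init`, and Init compares against its own `time.Now().Unix()`, so crossing a second boundary in between makes the `nowTime+1` certificate expire before it is ever stapled, and the 1 s sleep makes the test slow and flaky under load — an injectable clock on SSLPolicy would remove both problems. The fixture additionally embeds a complete RSA private key; secret scanners will flag it even though it is test-only, so prefer generating a throwaway self-signed pair in the test with `rsa.GenerateKey` and `x509.CreateCertificate` from the standard library.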