diff --git a/ocsp/ocsp.go b/ocsp/ocsp.go
index d297ac92ea..3bdd9c540c 100644
--- a/ocsp/ocsp.go
+++ b/ocsp/ocsp.go
@@ -345,6 +345,8 @@ func (req *Request) Marshal() ([]byte, error) {
 // Response represents an OCSP response containing a single SingleResponse. See
 // RFC 6960.
 type Response struct {
+	// Raw is the DER encoded ASN.1 response data
+	Raw asn1.RawContent
 	// Status is one of {Good, Revoked, Unknown}
 	Status int
 	SerialNumber *big.Int
@@ -513,6 +515,7 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
 	}
 
 	ret := &Response{
+		Raw: bytes,
 		TBSResponseData: basicResp.TBSResponseData.Raw,
 		Signature: basicResp.Signature.RightAlign(),
 		SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
diff --git a/ocsp/ocsp_test.go b/ocsp/ocsp_test.go
index 70b19764f5..5fb95d6046 100644
--- a/ocsp/ocsp_test.go
+++ b/ocsp/ocsp_test.go
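Review bot: `Raw: bytes` in ParseResponseForCert stores the caller's slice without copying, so Response.Raw aliases whatever buffer was passed in; if the caller reuses or modifies that buffer after parsing (a pooled read buffer, for example), Raw silently stops matching the bytes that were actually parsed, which defeats the point of keeping the original encoding around. Because the parameter named `bytes` shadows the bytes package inside this function, the copy has to be spelled `Raw: append([]byte(nil), bytes...)` rather than with bytes.Clone. The new field comment in the first hunk should then state that contract and end with a period, e.g. `// Raw is a copy of the DER encoded ASN.1 response, as passed to ParseResponse.` The body of ParseResponseForCert starts and ends outside the hunk, so whether trailing data after the DER is rejected before this point is not visible here.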
@@ -71,6 +71,43 @@ func TestOCSPDecode(t *testing.T) {
 	}
 }
 
+func TestOCSPResponseRaw(t *testing.T) {
+	for _, tData := range []struct {
+		name string
+		ocspRespHex string
+		certHex string
+	}{
+		{"Resp", ocspResponseHex, ""},
+		{"RespWithoutCert", ocspResponseWithoutCertHex, ""},
+		{"RespWithExt", ocspResponseWithExtensionHex, ""},
+		{"MultiResp", ocspMultiResponseHex, ocspMultiResponseCertHex},
+	} {
+		t.Run(tData.name, func(t *testing.T) {
+			responseBytes, _ := hex.DecodeString(tData.ocspRespHex)
+			var crt *x509.Certificate
+			if len(tData.certHex) > 0 {
+				crtBytes, _ := hex.DecodeString(tData.certHex)
+				var err error
+				crt, err = x509.ParseCertificate(crtBytes)
+				if err != nil {
+					t.Errorf("error parsing certificate: %s", err)
+					return
+				}
+			}
+			resp, err := ParseResponseForCert(responseBytes, crt, nil)
+			if err != nil {
+				t.Errorf("unexpected parse error: %s", err)
+				return
+			}
+
+			if !bytes.Equal(responseBytes, resp.Raw) {
+				t.Errorf("bytes not equal")
+			}
+		})
+	}
+
+}
+
 func TestOCSPDecodeWithoutCert(t *testing.T) {
 	responseBytes, _ := hex.DecodeString(ocspResponseWithoutCertHex)
 	_, err := ParseResponse(responseBytes, nil)
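Review bot: The final `bytes.Equal(responseBytes, resp.Raw)` check cannot distinguish a copied Raw from one that merely aliases the input, because both sides are the same slice the test passed in; if Raw is meant to be stable after the call, take a clone of responseBytes before parsing, modify responseBytes afterwards, and compare resp.Raw against the clone. The failure message `t.Errorf("bytes not equal")` also says nothing about what differed; `t.Errorf("Raw = %x, want %x", resp.Raw, responseBytes)` would. The `t.Errorf` followed by `return` pairs in the subtest are what `t.Fatalf` exists for, and the blank line before the closing brace of TestOCSPResponseRaw is a leftover worth dropping.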