// OCSPStaple contains an optional OCSP response which will be served // to clients that request it. OCSPStaple byte
I could set the OCSPStaple in the Certificate struct, but how to get the OCSP response in Go and why is this not done by default?
I think any OCSP lookup or other revocation check would need a HTTP request at some point.
Maybe the HTTP request can be done separately. As long the OCSP server can be extracted from the certificate and the OCSP response can be parsed.
This wouldn't be perfect but a working situation.
The attached file, ocsp_request.go contains a function CreateRequest that will return a DER encoded OCSP request for the supplied certificate chain. This file is created as part of your existing OCSP response parser at https://code.google.com/p/go/source/browse/?repo=crypto#hg%2Focsp
While code works for most CA's I'm running into a problem with a few where the keyIdentifier is not composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
Thanks, these changes are quite simple and I have tested the OCSP lookup on every certificate in the chain for all major CA public facing websites without running into any issues.