Primary language: Go. License: MIT.

xk6-ocsp

A k6 extension to test OCSP responders.

Feel free to send PRs. Current limitations:

  • no support for "exotic" ECC curves (e.g. brainpool) in certificates
  • RSASSA-PSS is not supported for OCSP signatures

To work around these limitations, see the documentation in the examples directory.

Build

To build a k6 binary with this extension, first ensure you have the prerequisites:

Then:

  1. Install xk6:
     $ go install go.k6.io/xk6/cmd/xk6@latest
  2. Build the binary:
     $ xk6 build --with github.com/nikosn/xk6-ocsp@latest --output k6-ocsp-check

Usage

Check the examples directory for sample k6 scripts.

To import the ocsp module:

import ocspmodule from 'k6/x/ocsp';

ExtractSerialNumberAndOCSPURIFromCert

ocspmodule.ExtractSerialNumberAndOCSPURIFromCert(certPath string) (string, string, error)

ExtractSerialNumberAndOCSPURIFromCert extracts the serialNumber and the OCSP URI from a PEM-encoded certificate. The serialNumber is returned as a hex string. This does not work with "exotic" ECC keys like brainpool.

CreateRequest

ocspmodule.CreateRequest(hexSerialNumber string, issuerCertPath string, hashAlgorithm string) ([]byte, string, error)

CreateRequest creates an OCSP request from the given hex serialNumber and the path to the PEM-encoded issuer certificate. This does not work with "exotic" ECC keys like brainpool. hashAlgorithm can be SHA1 or SHA256.

CheckResponse

ocspmodule.CheckResponse(ocspResponseBytes []byte, verifySignature bool) (string, error)

CheckResponse checks the OCSP response. Signature verification fails when custom ECC curves like brainpool are used, and RSASSA-PSS signatures are not supported either.
To work around this, set verifySignature to false; the response signature is then not verified.