A k6 extension to test OCSP responders.
Feel free to send PRs. Current limitations:
- no support for "exotic" ECC curves (e.g. brainpool) in certificates
- RSASSA-PSS is not supported for OCSP signatures
To work around these limitations, see the documentation in the examples directory.
To build a k6 binary with this extension, first ensure you have the prerequisites:
- Go toolchain
- Git
Then:
- Install xk6:
$ go install go.k6.io/xk6/cmd/xk6@latest
- Build the binary:
$ xk6 build --with github.com/nikosn/xk6-ocsp@latest --output k6-ocsp-check
Check the examples directory for sample k6 scripts.
To import the ocsp module:
import ocspmodule from 'k6/x/ocsp';
ocspmodule.ExtractSerialNumberAndOCSPURIFromCert(certPath string) (string, string, error)
ExtractSerialNumberAndOCSPURIFromCert extracts the serialNumber and OCSP URI from a PEM-encoded certificate. The serialNumber is returned as a hex string. This does not work with "exotic" ECC keys like brainpool.
ocspmodule.CreateRequest(hexSerialNumber string, issuerCertPath string, hashAlgorithm string) ([]byte, string, error)
CreateOCSPRequest creates an OCSP request from the given hex serialNumber and the path to the PEM-encoded issuer certificate. This does not work with "exotic" ECC keys like brainpool. hashAlgorithm can be SHA1 or SHA256.
ocspmodule.CheckResponse(ocspResponseBytes []byte, verifySignature bool) (string, error)
CheckOCSPResponse checks the OCSP response. Signature verification fails if custom ECC curves like brainpool are used. RSA-PSS signatures aren't supported either.
To work around this, set verifySignature to false, which skips signature verification of the response.
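The sketch below is an added example, not code from this extension. It shows what the three inputs documented for CreateRequest (hex serial, issuer certificate, SHA1 or SHA256) become in an RFC 6960 request: a CertID holding hashes of the issuer's name and public key next to the serial. `buildRequest` and `demoIssuer` are hypothetical names, and the issuer is a throwaway certificate constructed in memory.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509" // also links the SHA-1 and SHA-256 implementations used below
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// RFC 6960 CertID: the issuer is named only by two hashes, next to the serial number.
type certID struct{ Alg pkix.AlgorithmIdentifier; NameHash, KeyHash []byte; Serial *big.Int }
type request struct{ Cert certID }
type tbsRequest struct{ RequestList []request }

// buildRequest (hypothetical helper) DER-encodes an unsigned OCSPRequest for one serial.
func buildRequest(hexSerial string, issuer *x509.Certificate, hashAlg string) ([]byte, error) {
	serial, ok := new(big.Int).SetString(hexSerial, 16)
	h, oid := crypto.SHA1, asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
	if hashAlg == "SHA256" {
		h, oid = crypto.SHA256, asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	}
	if !ok || (hashAlg != "SHA1" && hashAlg != "SHA256") {
		return nil, fmt.Errorf("bad serial %q or hash algorithm %q", hexSerial, hashAlg)
	}
	var spki struct{ Alg pkix.AlgorithmIdentifier; Key asn1.BitString }
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return nil, err
	}
	sum := func(b []byte) []byte { w := h.New(); w.Write(b); return w.Sum(nil) }
	id := certID{pkix.AlgorithmIdentifier{Algorithm: oid, Parameters: asn1.NullRawValue},
		sum(issuer.RawSubject), sum(spki.Key.RightAlign()), serial}
	return asn1.Marshal(struct{ TBS tbsRequest }{tbsRequest{[]request{{id}}}})
}

// demoIssuer makes a throwaway self-signed certificate in memory (constructed sample input).
func demoIssuer() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv) // on error der stays nil
	return x509.ParseCertificate(der)
}
func main() {
	ca, _ := demoIssuer()
	der, err := buildRequest("0a1b2c", ca, "SHA256")
	fmt.Printf("%d-byte OCSP request: %x (err=%v)\n", len(der), der, err)
}
```

Because the CertID is derived from the issuer certificate and the chosen hash, a request built against the wrong issuer or with a different hashAlgorithm names a different CertID, even for the same serial.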