23b206fb12af37c8abe7352d6d8e2a64cd83ba87
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_response.c
1 /**
2 * Copyright (C) 2008-2009 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "x509_ocsp_response.h"
19
20 #include <time.h>
21
22 #include <asn1/oid.h>
23 #include <asn1/asn1.h>
24 #include <asn1/asn1_parser.h>
25 #include <utils/identification.h>
26 #include <utils/linked_list.h>
27 #include <debug.h>
28
29 #include <library.h>
30 #include <credentials/certificates/x509.h>
31 #include <credentials/certificates/crl.h>
32
33 /**
34 * how long do we use an OCSP response without a nextUpdate
35 */
36 #define OCSP_DEFAULT_LIFETIME 30
37
38 typedef struct private_x509_ocsp_response_t private_x509_ocsp_response_t;
39
40 /**
41 * Private data of a ocsp_t object.
42 */
43 struct private_x509_ocsp_response_t {
44 /**
45 * Public interface for this ocsp object.
46 */
47 x509_ocsp_response_t public;
48
49 /**
50 * complete encoded OCSP response
51 */
52 chunk_t encoding;
53
54 /**
55 * data for signature verficiation
56 */
57 chunk_t tbsResponseData;
58
59 /**
60 * signature algorithm (OID)
61 */
62 int signatureAlgorithm;
63
64 /**
65 * signature
66 */
67 chunk_t signature;
68
69 /**
70 * name or keyid of the responder
71 */
72 identification_t *responderId;
73
74 /**
75 * time of response production
76 */
77 time_t producedAt;
78
79 /**
80 * latest nextUpdate in this OCSP response
81 */
82 time_t usableUntil;
83
84 /**
85 * list of included certificates
86 */
87 linked_list_t *certs;
88
89 /**
90 * Linked list of OCSP responses, single_response_t
91 */
92 linked_list_t *responses;
93
94 /**
95 * Nonce required for ocsp request and response
96 */
97 chunk_t nonce;
98
99 /**
100 * reference counter
101 */
102 refcount_t ref;
103 };
104
105 /**
106 * single response contained in OCSP response
107 */
108 typedef struct {
109 /** hash algorithm OID to for the two hashes */
110 int hashAlgorithm;
111 /** hash of issuer DN */
112 chunk_t issuerNameHash;
113 /** issuerKeyID */
114 chunk_t issuerKeyHash;
115 /** serial number of certificate */
116 chunk_t serialNumber;
117 /** OCSP certificate status */
118 cert_validation_t status;
119 /** time of revocation, if revoked */
120 time_t revocationTime;
121 /** revocation reason, if revoked */
122 crl_reason_t revocationReason;
123 /** creation of associated CRL */
124 time_t thisUpdate;
125 /** creation of next CRL */
126 time_t nextUpdate;
127 } single_response_t;
128
129 /* our OCSP response version implementation */
130 #define OCSP_BASIC_RESPONSE_VERSION 1
131
132 /* some OCSP specific prefabricated ASN.1 constants */
133 static const chunk_t ASN1_nonce_oid = chunk_from_chars(
134 0x06, 0x09,
135 0x2B, 0x06,
136 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
137 );
138 static const chunk_t ASN1_response_oid = chunk_from_chars(
139 0x06, 0x09,
140 0x2B, 0x06,
141 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
142 );
143 static const chunk_t ASN1_response_content = chunk_from_chars(
144 0x04, 0x0D,
145 0x30, 0x0B,
146 0x06, 0x09,
147 0x2B, 0x06,
148 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
149 );
150
151 METHOD(ocsp_response_t, get_status, cert_validation_t,
152 private_x509_ocsp_response_t *this, x509_t *subject, x509_t *issuer,
153 time_t *revocation_time, crl_reason_t *revocation_reason,
154 time_t *this_update, time_t *next_update)
155 {
156 enumerator_t *enumerator;
157 single_response_t *response;
158 cert_validation_t status = VALIDATION_FAILED;
159 certificate_t *issuercert = &issuer->interface;
160
161 enumerator = this->responses->create_enumerator(this->responses);
162 while (enumerator->enumerate(enumerator, &response))
163 {
164 hasher_t *hasher;
165 identification_t *id;
166 cred_encoding_type_t type;
167 chunk_t hash, fingerprint;
168
169 /* check serial first, is cheaper */
170 if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
171 {
172 continue;
173 }
174 /* check issuerKeyHash if available */
175 if (response->issuerKeyHash.ptr)
176 {
177 public_key_t *public;
178
179 public = issuercert->get_public_key(issuercert);
180 if (!public)
181 {
182 continue;
183 }
184 switch (response->hashAlgorithm)
185 {
186 case OID_SHA1:
187 type = KEYID_PUBKEY_SHA1;
188 break;
189 default:
190 public->destroy(public);
191 continue;
192 }
193 if (!public->get_fingerprint(public, type, &fingerprint) ||
194 !chunk_equals(response->issuerKeyHash, fingerprint))
195 {
196 public->destroy(public);
197 continue;
198 }
199 public->destroy(public);
200 }
201 /* check issuerNameHash, if available */
202 else if (response->issuerNameHash.ptr)
203 {
204 hasher = lib->crypto->create_hasher(lib->crypto,
205 hasher_algorithm_from_oid(response->hashAlgorithm));
206 if (!hasher)
207 {
208 continue;
209 }
210 id = issuercert->get_subject(issuercert);
211 hasher->allocate_hash(hasher, id->get_encoding(id), &hash);
212 hasher->destroy(hasher);
213 if (!chunk_equals(hash, response->issuerNameHash))
214 {
215 continue;
216 }
217 }
218 else
219 {
220 continue;
221 }
222 /* got a match */
223 status = response->status;
224 *revocation_time = response->revocationTime;
225 *revocation_reason = response->revocationReason;
226 *this_update = response->thisUpdate;
227 *next_update = response->nextUpdate;
228
229 break;
230 }
231 enumerator->destroy(enumerator);
232 return status;
233 }
234
235 METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
236 private_x509_ocsp_response_t *this)
237 {
238 return this->certs->create_enumerator(this->certs);
239 }
240
241 /**
242 * ASN.1 definition of singleResponse
243 */
244 static const asn1Object_t singleResponseObjects[] = {
245 { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
246 { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
247 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
248 { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
249 { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
250 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
251 { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
252 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
253 { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
254 { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
255 { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
256 { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
257 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
258 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
259 { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
260 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
261 { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
262 { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
263 { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
264 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
265 { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
266 { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
267 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
268 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
269 { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
270 ASN1_DEF }, /* 24 */
271 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
272 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
273 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
274 { 0, "exit", ASN1_EOC, ASN1_EXIT }
275 };
276 #define SINGLE_RESPONSE_ALGORITHM 2
277 #define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
278 #define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
279 #define SINGLE_RESPONSE_SERIAL_NUMBER 5
280 #define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
281 #define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
282 #define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
283 #define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
284 #define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
285 #define SINGLE_RESPONSE_THIS_UPDATE 16
286 #define SINGLE_RESPONSE_NEXT_UPDATE 18
287 #define SINGLE_RESPONSE_EXT_ID 23
288 #define SINGLE_RESPONSE_CRITICAL 24
289 #define SINGLE_RESPONSE_EXT_VALUE 25
290
291 /**
292 * Parse a single OCSP response
293 */
294 static bool parse_singleResponse(private_x509_ocsp_response_t *this,
295 chunk_t blob, int level0)
296 {
297 asn1_parser_t *parser;
298 chunk_t object;
299 int objectID;
300 bool success = FALSE;
301
302 single_response_t *response;
303
304 response = malloc_thing(single_response_t);
305 response->hashAlgorithm = OID_UNKNOWN;
306 response->issuerNameHash = chunk_empty;
307 response->issuerKeyHash = chunk_empty;
308 response->serialNumber = chunk_empty;
309 response->status = VALIDATION_FAILED;
310 response->revocationTime = 0;
311 response->revocationReason = CRL_REASON_UNSPECIFIED;
312 response->thisUpdate = UNDEFINED_TIME;
313 /* if nextUpdate is missing, we give it a short lifetime */
314 response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
315
316 parser = asn1_parser_create(singleResponseObjects, blob);
317 parser->set_top_level(parser, level0);
318
319 while (parser->iterate(parser, &objectID, &object))
320 {
321 switch (objectID)
322 {
323 case SINGLE_RESPONSE_ALGORITHM:
324 response->hashAlgorithm = asn1_parse_algorithmIdentifier(object,
325 parser->get_level(parser)+1, NULL);
326 break;
327 case SINGLE_RESPONSE_ISSUER_NAME_HASH:
328 response->issuerNameHash = object;
329 break;
330 case SINGLE_RESPONSE_ISSUER_KEY_HASH:
331 response->issuerKeyHash = object;
332 break;
333 case SINGLE_RESPONSE_SERIAL_NUMBER:
334 response->serialNumber = object;
335 break;
336 case SINGLE_RESPONSE_CERT_STATUS_GOOD:
337 response->status = VALIDATION_GOOD;
338 break;
339 case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
340 response->status = VALIDATION_REVOKED;
341 break;
342 case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
343 response->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
344 break;
345 case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
346 if (object.len == 1)
347 {
348 response->revocationReason = *object.ptr;
349 }
350 break;
351 case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
352 response->status = VALIDATION_FAILED;
353 break;
354 case SINGLE_RESPONSE_THIS_UPDATE:
355 response->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
356 break;
357 case SINGLE_RESPONSE_NEXT_UPDATE:
358 response->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
359 if (response->nextUpdate > this->usableUntil)
360 {
361 this->usableUntil = response->nextUpdate;
362 }
363 break;
364 }
365 }
366 success = parser->success(parser);
367 parser->destroy(parser);
368 if (success)
369 {
370 if (this->usableUntil == UNDEFINED_TIME)
371 {
372 this->usableUntil = this->producedAt + OCSP_DEFAULT_LIFETIME;
373 }
374 this->responses->insert_last(this->responses, response);
375 }
376 else
377 {
378 free(response);
379 }
380 return success;
381 }
382
383 /**
384 * ASN.1 definition of responses
385 */
386 static const asn1Object_t responsesObjects[] = {
387 { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
388 { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
389 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
390 { 0, "exit", ASN1_EOC, ASN1_EXIT }
391 };
392 #define RESPONSES_SINGLE_RESPONSE 1
393
394 /**
395 * Parse all responses
396 */
397 static bool parse_responses(private_x509_ocsp_response_t *this,
398 chunk_t blob, int level0)
399 {
400 asn1_parser_t *parser;
401 chunk_t object;
402 int objectID;
403 bool success = FALSE;
404
405 parser = asn1_parser_create(responsesObjects, blob);
406 parser->set_top_level(parser, level0);
407
408 while (parser->iterate(parser, &objectID, &object))
409 {
410 switch (objectID)
411 {
412 case RESPONSES_SINGLE_RESPONSE:
413 if (!parse_singleResponse(this, object,
414 parser->get_level(parser)+1))
415 {
416 goto end;
417 }
418 break;
419 default:
420 break;
421 }
422 }
423 success = parser->success(parser);
424
425 end:
426 parser->destroy(parser);
427 return success;
428 }
429
430 /**
431 * ASN.1 definition of basicResponse
432 */
433 static const asn1Object_t basicResponseObjects[] = {
434 { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
435 { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
436 { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
437 ASN1_DEF }, /* 2 */
438 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
439 { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
440 { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
441 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
442 { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
443 { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
444 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
445 { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
446 { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
447 { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
448 { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
449 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
450 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
451 { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
452 ASN1_DEF }, /* 16 */
453 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
454 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
455 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
456 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
457 { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
458 { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
459 { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
460 { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
461 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
462 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
463 { 0, "exit", ASN1_EOC, ASN1_EXIT }
464 };
465 #define BASIC_RESPONSE_TBS_DATA 1
466 #define BASIC_RESPONSE_VERSION 3
467 #define BASIC_RESPONSE_ID_BY_NAME 5
468 #define BASIC_RESPONSE_ID_BY_KEY 8
469 #define BASIC_RESPONSE_PRODUCED_AT 10
470 #define BASIC_RESPONSE_RESPONSES 11
471 #define BASIC_RESPONSE_EXT_ID 15
472 #define BASIC_RESPONSE_CRITICAL 16
473 #define BASIC_RESPONSE_EXT_VALUE 17
474 #define BASIC_RESPONSE_ALGORITHM 20
475 #define BASIC_RESPONSE_SIGNATURE 21
476 #define BASIC_RESPONSE_CERTIFICATE 24
477
478 /**
479 * Parse a basicOCSPResponse
480 */
481 static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
482 chunk_t blob, int level0)
483 {
484 asn1_parser_t *parser;
485 chunk_t object;
486 chunk_t responses = chunk_empty;
487 int objectID;
488 int extn_oid = OID_UNKNOWN;
489 u_int responses_level = level0;
490 certificate_t *cert;
491 bool success = FALSE;
492 bool critical;
493
494 parser = asn1_parser_create(basicResponseObjects, blob);
495 parser->set_top_level(parser, level0);
496
497 while (parser->iterate(parser, &objectID, &object))
498 {
499 switch (objectID)
500 {
501 case BASIC_RESPONSE_TBS_DATA:
502 this->tbsResponseData = object;
503 break;
504 case BASIC_RESPONSE_VERSION:
505 {
506 u_int version = (object.len)? (1 + (u_int)*object.ptr) : 1;
507
508 if (version != OCSP_BASIC_RESPONSE_VERSION)
509 {
510 DBG1(DBG_LIB, " ocsp ResponseData version %d not "
511 "supported", version);
512 goto end;
513 }
514 break;
515 }
516 case BASIC_RESPONSE_ID_BY_NAME:
517 this->responderId = identification_create_from_encoding(
518 ID_DER_ASN1_DN, object);
519 DBG2(DBG_LIB, " '%Y'", this->responderId);
520 break;
521 case BASIC_RESPONSE_ID_BY_KEY:
522 this->responderId = identification_create_from_encoding(
523 ID_KEY_ID, object);
524 DBG2(DBG_LIB, " '%Y'", this->responderId);
525 break;
526 case BASIC_RESPONSE_PRODUCED_AT:
527 this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
528 break;
529 case BASIC_RESPONSE_RESPONSES:
530 responses = object;
531 responses_level = parser->get_level(parser)+1;
532 break;
533 case BASIC_RESPONSE_EXT_ID:
534 extn_oid = asn1_known_oid(object);
535 break;
536 case BASIC_RESPONSE_CRITICAL:
537 critical = object.len && *object.ptr;
538 DBG2(DBG_LIB, " %s", critical ? "TRUE" : "FALSE");
539 break;
540 case BASIC_RESPONSE_EXT_VALUE:
541 if (extn_oid == OID_NONCE)
542 {
543 this->nonce = object;
544 }
545 break;
546 case BASIC_RESPONSE_ALGORITHM:
547 this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object,
548 parser->get_level(parser)+1, NULL);
549 break;
550 case BASIC_RESPONSE_SIGNATURE:
551 this->signature = object;
552 break;
553 case BASIC_RESPONSE_CERTIFICATE:
554 {
555 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
556 BUILD_BLOB_ASN1_DER, object,
557 BUILD_END);
558 if (cert)
559 {
560 this->certs->insert_last(this->certs, cert);
561 }
562 break;
563 }
564 }
565 }
566 success = parser->success(parser);
567
568 end:
569 parser->destroy(parser);
570 if (success)
571 {
572 if (!this->responderId)
573 {
574 this->responderId = identification_create_from_encoding(ID_ANY,
575 chunk_empty);
576 }
577 success = parse_responses(this, responses, responses_level);
578 }
579 return success;
580 }
581
582 /**
583 * ASN.1 definition of ocspResponse
584 */
585 static const asn1Object_t ocspResponseObjects[] = {
586 { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
587 { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
588 { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
589 { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
590 { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
591 { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
592 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
593 { 0, "exit", ASN1_EOC, ASN1_EXIT }
594 };
595 #define OCSP_RESPONSE_STATUS 1
596 #define OCSP_RESPONSE_TYPE 4
597 #define OCSP_RESPONSE 5
598
599 /**
600 * Parse OCSPResponse object
601 */
602 static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
603 {
604 asn1_parser_t *parser;
605 chunk_t object;
606 int objectID;
607 int responseType = OID_UNKNOWN;
608 bool success = FALSE;
609 ocsp_status_t status;
610
611 parser = asn1_parser_create(ocspResponseObjects, this->encoding);
612
613 while (parser->iterate(parser, &objectID, &object))
614 {
615 switch (objectID)
616 {
617 case OCSP_RESPONSE_STATUS:
618 status = (ocsp_status_t)*object.ptr;
619 switch (status)
620 {
621 case OCSP_SUCCESSFUL:
622 break;
623 default:
624 DBG1(DBG_LIB, " ocsp response status: %N",
625 ocsp_status_names, status);
626 goto end;
627 }
628 break;
629 case OCSP_RESPONSE_TYPE:
630 responseType = asn1_known_oid(object);
631 break;
632 case OCSP_RESPONSE:
633 switch (responseType)
634 {
635 case OID_BASIC:
636 success = parse_basicOCSPResponse(this, object,
637 parser->get_level(parser)+1);
638 break;
639 default:
640 DBG1(DBG_LIB, " ocsp response type %#B not supported",
641 &object);
642 goto end;
643 }
644 break;
645 }
646 }
647 success &= parser->success(parser);
648
649 end:
650 parser->destroy(parser);
651 return success;
652 }
653
654 METHOD(certificate_t, get_type, certificate_type_t,
655 private_x509_ocsp_response_t *this)
656 {
657 return CERT_X509_OCSP_RESPONSE;
658 }
659
660 METHOD(certificate_t, get_issuer, identification_t*,
661 private_x509_ocsp_response_t *this)
662 {
663 return this->responderId;
664 }
665
666 METHOD(certificate_t, has_issuer, id_match_t,
667 private_x509_ocsp_response_t *this, identification_t *issuer)
668 {
669 return this->responderId->matches(this->responderId, issuer);
670 }
671
672 METHOD(certificate_t, issued_by, bool,
673 private_x509_ocsp_response_t *this, certificate_t *issuer)
674 {
675 public_key_t *key;
676 signature_scheme_t scheme;
677 bool valid;
678 x509_t *x509 = (x509_t*)issuer;
679
680 if (issuer->get_type(issuer) != CERT_X509)
681 {
682 return FALSE;
683 }
684 if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
685 {
686 chunk_t fingerprint;
687
688 key = issuer->get_public_key(issuer);
689 if (!key ||
690 !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
691 !chunk_equals(fingerprint,
692 this->responderId->get_encoding(this->responderId)))
693 {
694 DESTROY_IF(key);
695 return FALSE;
696 }
697 key->destroy(key);
698 }
699 else
700 {
701 if (!this->responderId->equals(this->responderId,
702 issuer->get_subject(issuer)))
703 {
704 return FALSE;
705 }
706 }
707 if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
708 !(x509->get_flags(x509) & X509_CA))
709 {
710 return FALSE;
711 }
712
713 /* get the public key of the issuer */
714 key = issuer->get_public_key(issuer);
715
716 /* determine signature scheme */
717 scheme = signature_scheme_from_oid(this->signatureAlgorithm);
718
719 if (scheme == SIGN_UNKNOWN || key == NULL)
720 {
721 return FALSE;
722 }
723 valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
724 key->destroy(key);
725 return valid;
726 }
727
728 METHOD(certificate_t, get_public_key, public_key_t*,
729 private_x509_ocsp_response_t *this)
730 {
731 return NULL;
732 }
733
734 METHOD(certificate_t, get_validity, bool,
735 private_x509_ocsp_response_t *this, time_t *when,
736 time_t *not_before, time_t *not_after)
737 {
738 time_t t = when ? *when : time(NULL);
739
740 if (not_before)
741 {
742 *not_before = this->producedAt;
743 }
744 if (not_after)
745 {
746 *not_after = this->usableUntil;
747 }
748 return (t < this->usableUntil);
749 }
750
751 METHOD(certificate_t, get_encoding, bool,
752 private_x509_ocsp_response_t *this, cred_encoding_type_t type,
753 chunk_t *encoding)
754 {
755 if (type == CERT_ASN1_DER)
756 {
757 *encoding = chunk_clone(this->encoding);
758 return TRUE;
759 }
760 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
761 CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
762 }
763
764 METHOD(certificate_t, equals, bool,
765 private_x509_ocsp_response_t *this, certificate_t *other)
766 {
767 chunk_t encoding;
768 bool equal;
769
770 if (this == (private_x509_ocsp_response_t*)other)
771 {
772 return TRUE;
773 }
774 if (other->get_type(other) != CERT_X509_OCSP_RESPONSE)
775 {
776 return FALSE;
777 }
778 if (other->equals == (void*)equals)
779 { /* skip allocation if we have the same implementation */
780 return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
781 }
782 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
783 {
784 return FALSE;
785 }
786 equal = chunk_equals(this->encoding, encoding);
787 free(encoding.ptr);
788 return equal;
789 }
790
791 METHOD(certificate_t, get_ref, certificate_t*,
792 private_x509_ocsp_response_t *this)
793 {
794 ref_get(&this->ref);
795 return &this->public.interface.certificate;
796 }
797
798 METHOD(certificate_t, destroy, void,
799 private_x509_ocsp_response_t *this)
800 {
801 if (ref_put(&this->ref))
802 {
803 this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
804 this->responses->destroy_function(this->responses, free);
805 DESTROY_IF(this->responderId);
806 free(this->encoding.ptr);
807 free(this);
808 }
809 }
810
811 /**
812 * load an OCSP response
813 */
814 static x509_ocsp_response_t *load(chunk_t blob)
815 {
816 private_x509_ocsp_response_t *this;
817
818 INIT(this,
819 .public = {
820 .interface = {
821 .certificate = {
822 .get_type = _get_type,
823 .get_subject = _get_issuer,
824 .get_issuer = _get_issuer,
825 .has_subject = _has_issuer,
826 .has_issuer = _has_issuer,
827 .issued_by = _issued_by,
828 .get_public_key = _get_public_key,
829 .get_validity = _get_validity,
830 .get_encoding = _get_encoding,
831 .equals = _equals,
832 .get_ref = _get_ref,
833 .destroy = _destroy,
834 },
835 .get_status = _get_status,
836 .create_cert_enumerator = _create_cert_enumerator,
837 },
838 },
839 .ref = 1,
840 .encoding = chunk_clone(blob),
841 .producedAt = UNDEFINED_TIME,
842 .usableUntil = UNDEFINED_TIME,
843 .responses = linked_list_create(),
844 .signatureAlgorithm = OID_UNKNOWN,
845 .certs = linked_list_create(),
846 );
847
848 if (!parse_OCSPResponse(this))
849 {
850 destroy(this);
851 return NULL;
852 }
853 return &this->public;
854 }
855
856 /**
857 * See header.
858 */
859 x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
860 va_list args)
861 {
862 chunk_t blob = chunk_empty;
863
864 while (TRUE)
865 {
866 switch (va_arg(args, builder_part_t))
867 {
868 case BUILD_BLOB_ASN1_DER:
869 blob = va_arg(args, chunk_t);
870 continue;
871 case BUILD_END:
872 break;
873 default:
874 return NULL;
875 }
876 break;
877 }
878 if (blob.ptr)
879 {
880 return load(blob);
881 }
882 return NULL;
883 }
884