Moved data structures to new collections subfolder
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_response.c
1 /**
2 * Copyright (C) 2008-2009 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "x509_ocsp_response.h"
19
20 #include <time.h>
21
22 #include <asn1/oid.h>
23 #include <asn1/asn1.h>
24 #include <asn1/asn1_parser.h>
25 #include <utils/identification.h>
26 #include <collections/linked_list.h>
27 #include <debug.h>
28
29 #include <library.h>
30 #include <credentials/certificates/x509.h>
31 #include <credentials/certificates/crl.h>
32
33 /**
34 * how long do we use an OCSP response without a nextUpdate
35 */
36 #define OCSP_DEFAULT_LIFETIME 30
37
38 typedef struct private_x509_ocsp_response_t private_x509_ocsp_response_t;
39
40 /**
41 * Private data of a ocsp_t object.
42 */
43 struct private_x509_ocsp_response_t {
44 /**
45 * Public interface for this ocsp object.
46 */
47 x509_ocsp_response_t public;
48
49 /**
50 * complete encoded OCSP response
51 */
52 chunk_t encoding;
53
54 /**
55 * data for signature verficiation
56 */
57 chunk_t tbsResponseData;
58
59 /**
60 * signature algorithm (OID)
61 */
62 int signatureAlgorithm;
63
64 /**
65 * signature
66 */
67 chunk_t signature;
68
69 /**
70 * name or keyid of the responder
71 */
72 identification_t *responderId;
73
74 /**
75 * time of response production
76 */
77 time_t producedAt;
78
79 /**
80 * latest nextUpdate in this OCSP response
81 */
82 time_t usableUntil;
83
84 /**
85 * list of included certificates
86 */
87 linked_list_t *certs;
88
89 /**
90 * Linked list of OCSP responses, single_response_t
91 */
92 linked_list_t *responses;
93
94 /**
95 * Nonce required for ocsp request and response
96 */
97 chunk_t nonce;
98
99 /**
100 * reference counter
101 */
102 refcount_t ref;
103 };
104
105 /**
106 * single response contained in OCSP response
107 */
108 typedef struct {
109 /** hash algorithm OID to for the two hashes */
110 int hashAlgorithm;
111 /** hash of issuer DN */
112 chunk_t issuerNameHash;
113 /** issuerKeyID */
114 chunk_t issuerKeyHash;
115 /** serial number of certificate */
116 chunk_t serialNumber;
117 /** OCSP certificate status */
118 cert_validation_t status;
119 /** time of revocation, if revoked */
120 time_t revocationTime;
121 /** revocation reason, if revoked */
122 crl_reason_t revocationReason;
123 /** creation of associated CRL */
124 time_t thisUpdate;
125 /** creation of next CRL */
126 time_t nextUpdate;
127 } single_response_t;
128
129 /* our OCSP response version implementation */
130 #define OCSP_BASIC_RESPONSE_VERSION 1
131
132 /* some OCSP specific prefabricated ASN.1 constants */
133 static const chunk_t ASN1_nonce_oid = chunk_from_chars(
134 0x06, 0x09,
135 0x2B, 0x06,
136 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
137 );
138 static const chunk_t ASN1_response_oid = chunk_from_chars(
139 0x06, 0x09,
140 0x2B, 0x06,
141 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
142 );
143 static const chunk_t ASN1_response_content = chunk_from_chars(
144 0x04, 0x0D,
145 0x30, 0x0B,
146 0x06, 0x09,
147 0x2B, 0x06,
148 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
149 );
150
151 METHOD(ocsp_response_t, get_status, cert_validation_t,
152 private_x509_ocsp_response_t *this, x509_t *subject, x509_t *issuer,
153 time_t *revocation_time, crl_reason_t *revocation_reason,
154 time_t *this_update, time_t *next_update)
155 {
156 enumerator_t *enumerator;
157 single_response_t *response;
158 cert_validation_t status = VALIDATION_FAILED;
159 certificate_t *issuercert = &issuer->interface;
160
161 enumerator = this->responses->create_enumerator(this->responses);
162 while (enumerator->enumerate(enumerator, &response))
163 {
164 hasher_t *hasher;
165 identification_t *id;
166 cred_encoding_type_t type;
167 chunk_t hash, fingerprint;
168
169 /* check serial first, is cheaper */
170 if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
171 {
172 continue;
173 }
174 /* check issuerKeyHash if available */
175 if (response->issuerKeyHash.ptr)
176 {
177 public_key_t *public;
178
179 public = issuercert->get_public_key(issuercert);
180 if (!public)
181 {
182 continue;
183 }
184 switch (response->hashAlgorithm)
185 {
186 case OID_SHA1:
187 type = KEYID_PUBKEY_SHA1;
188 break;
189 default:
190 public->destroy(public);
191 continue;
192 }
193 if (!public->get_fingerprint(public, type, &fingerprint) ||
194 !chunk_equals(response->issuerKeyHash, fingerprint))
195 {
196 public->destroy(public);
197 continue;
198 }
199 public->destroy(public);
200 }
201 /* check issuerNameHash, if available */
202 else if (response->issuerNameHash.ptr)
203 {
204 id = issuercert->get_subject(issuercert);
205 hasher = lib->crypto->create_hasher(lib->crypto,
206 hasher_algorithm_from_oid(response->hashAlgorithm));
207 if (!hasher ||
208 !hasher->allocate_hash(hasher, id->get_encoding(id), &hash))
209 {
210 DESTROY_IF(hasher);
211 continue;
212 }
213 hasher->destroy(hasher);
214 if (!chunk_equals(hash, response->issuerNameHash))
215 {
216 free(hash.ptr);
217 continue;
218 }
219 free(hash.ptr);
220 }
221 else
222 {
223 continue;
224 }
225 /* got a match */
226 status = response->status;
227 *revocation_time = response->revocationTime;
228 *revocation_reason = response->revocationReason;
229 *this_update = response->thisUpdate;
230 *next_update = response->nextUpdate;
231
232 break;
233 }
234 enumerator->destroy(enumerator);
235 return status;
236 }
237
238 METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
239 private_x509_ocsp_response_t *this)
240 {
241 return this->certs->create_enumerator(this->certs);
242 }
243
244 /**
245 * ASN.1 definition of singleResponse
246 */
247 static const asn1Object_t singleResponseObjects[] = {
248 { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
249 { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
250 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
251 { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
252 { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
253 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
254 { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
255 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
256 { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
257 { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
258 { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
259 { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
260 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
261 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
262 { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
263 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
264 { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
265 { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
266 { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
267 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
268 { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
269 { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
270 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
271 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
272 { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
273 ASN1_DEF }, /* 24 */
274 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
275 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
276 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
277 { 0, "exit", ASN1_EOC, ASN1_EXIT }
278 };
279 #define SINGLE_RESPONSE_ALGORITHM 2
280 #define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
281 #define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
282 #define SINGLE_RESPONSE_SERIAL_NUMBER 5
283 #define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
284 #define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
285 #define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
286 #define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
287 #define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
288 #define SINGLE_RESPONSE_THIS_UPDATE 16
289 #define SINGLE_RESPONSE_NEXT_UPDATE 18
290 #define SINGLE_RESPONSE_EXT_ID 23
291 #define SINGLE_RESPONSE_CRITICAL 24
292 #define SINGLE_RESPONSE_EXT_VALUE 25
293
294 /**
295 * Parse a single OCSP response
296 */
297 static bool parse_singleResponse(private_x509_ocsp_response_t *this,
298 chunk_t blob, int level0)
299 {
300 asn1_parser_t *parser;
301 chunk_t object;
302 int objectID;
303 bool success = FALSE;
304
305 single_response_t *response;
306
307 response = malloc_thing(single_response_t);
308 response->hashAlgorithm = OID_UNKNOWN;
309 response->issuerNameHash = chunk_empty;
310 response->issuerKeyHash = chunk_empty;
311 response->serialNumber = chunk_empty;
312 response->status = VALIDATION_FAILED;
313 response->revocationTime = 0;
314 response->revocationReason = CRL_REASON_UNSPECIFIED;
315 response->thisUpdate = UNDEFINED_TIME;
316 /* if nextUpdate is missing, we give it a short lifetime */
317 response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
318
319 parser = asn1_parser_create(singleResponseObjects, blob);
320 parser->set_top_level(parser, level0);
321
322 while (parser->iterate(parser, &objectID, &object))
323 {
324 switch (objectID)
325 {
326 case SINGLE_RESPONSE_ALGORITHM:
327 response->hashAlgorithm = asn1_parse_algorithmIdentifier(object,
328 parser->get_level(parser)+1, NULL);
329 break;
330 case SINGLE_RESPONSE_ISSUER_NAME_HASH:
331 response->issuerNameHash = object;
332 break;
333 case SINGLE_RESPONSE_ISSUER_KEY_HASH:
334 response->issuerKeyHash = object;
335 break;
336 case SINGLE_RESPONSE_SERIAL_NUMBER:
337 response->serialNumber = object;
338 break;
339 case SINGLE_RESPONSE_CERT_STATUS_GOOD:
340 response->status = VALIDATION_GOOD;
341 break;
342 case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
343 response->status = VALIDATION_REVOKED;
344 break;
345 case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
346 response->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
347 break;
348 case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
349 if (object.len == 1)
350 {
351 response->revocationReason = *object.ptr;
352 }
353 break;
354 case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
355 response->status = VALIDATION_FAILED;
356 break;
357 case SINGLE_RESPONSE_THIS_UPDATE:
358 response->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
359 break;
360 case SINGLE_RESPONSE_NEXT_UPDATE:
361 response->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
362 if (response->nextUpdate > this->usableUntil)
363 {
364 this->usableUntil = response->nextUpdate;
365 }
366 break;
367 }
368 }
369 success = parser->success(parser);
370 parser->destroy(parser);
371 if (success)
372 {
373 if (this->usableUntil == UNDEFINED_TIME)
374 {
375 this->usableUntil = this->producedAt + OCSP_DEFAULT_LIFETIME;
376 }
377 this->responses->insert_last(this->responses, response);
378 }
379 else
380 {
381 free(response);
382 }
383 return success;
384 }
385
386 /**
387 * ASN.1 definition of responses
388 */
389 static const asn1Object_t responsesObjects[] = {
390 { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
391 { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
392 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
393 { 0, "exit", ASN1_EOC, ASN1_EXIT }
394 };
395 #define RESPONSES_SINGLE_RESPONSE 1
396
397 /**
398 * Parse all responses
399 */
400 static bool parse_responses(private_x509_ocsp_response_t *this,
401 chunk_t blob, int level0)
402 {
403 asn1_parser_t *parser;
404 chunk_t object;
405 int objectID;
406 bool success = FALSE;
407
408 parser = asn1_parser_create(responsesObjects, blob);
409 parser->set_top_level(parser, level0);
410
411 while (parser->iterate(parser, &objectID, &object))
412 {
413 switch (objectID)
414 {
415 case RESPONSES_SINGLE_RESPONSE:
416 if (!parse_singleResponse(this, object,
417 parser->get_level(parser)+1))
418 {
419 goto end;
420 }
421 break;
422 default:
423 break;
424 }
425 }
426 success = parser->success(parser);
427
428 end:
429 parser->destroy(parser);
430 return success;
431 }
432
433 /**
434 * ASN.1 definition of basicResponse
435 */
436 static const asn1Object_t basicResponseObjects[] = {
437 { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
438 { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
439 { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
440 ASN1_DEF }, /* 2 */
441 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
442 { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
443 { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
444 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
445 { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
446 { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
447 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
448 { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
449 { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
450 { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
451 { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
452 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
453 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
454 { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
455 ASN1_DEF }, /* 16 */
456 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
457 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
458 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
459 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
460 { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
461 { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
462 { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
463 { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
464 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
465 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
466 { 0, "exit", ASN1_EOC, ASN1_EXIT }
467 };
468 #define BASIC_RESPONSE_TBS_DATA 1
469 #define BASIC_RESPONSE_VERSION 3
470 #define BASIC_RESPONSE_ID_BY_NAME 5
471 #define BASIC_RESPONSE_ID_BY_KEY 8
472 #define BASIC_RESPONSE_PRODUCED_AT 10
473 #define BASIC_RESPONSE_RESPONSES 11
474 #define BASIC_RESPONSE_EXT_ID 15
475 #define BASIC_RESPONSE_CRITICAL 16
476 #define BASIC_RESPONSE_EXT_VALUE 17
477 #define BASIC_RESPONSE_ALGORITHM 20
478 #define BASIC_RESPONSE_SIGNATURE 21
479 #define BASIC_RESPONSE_CERTIFICATE 24
480
481 /**
482 * Parse a basicOCSPResponse
483 */
484 static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
485 chunk_t blob, int level0)
486 {
487 asn1_parser_t *parser;
488 chunk_t object;
489 chunk_t responses = chunk_empty;
490 int objectID;
491 int extn_oid = OID_UNKNOWN;
492 u_int responses_level = level0;
493 certificate_t *cert;
494 bool success = FALSE;
495 bool critical;
496
497 parser = asn1_parser_create(basicResponseObjects, blob);
498 parser->set_top_level(parser, level0);
499
500 while (parser->iterate(parser, &objectID, &object))
501 {
502 switch (objectID)
503 {
504 case BASIC_RESPONSE_TBS_DATA:
505 this->tbsResponseData = object;
506 break;
507 case BASIC_RESPONSE_VERSION:
508 {
509 u_int version = (object.len)? (1 + (u_int)*object.ptr) : 1;
510
511 if (version != OCSP_BASIC_RESPONSE_VERSION)
512 {
513 DBG1(DBG_ASN, " ocsp ResponseData version %d not "
514 "supported", version);
515 goto end;
516 }
517 break;
518 }
519 case BASIC_RESPONSE_ID_BY_NAME:
520 this->responderId = identification_create_from_encoding(
521 ID_DER_ASN1_DN, object);
522 DBG2(DBG_ASN, " '%Y'", this->responderId);
523 break;
524 case BASIC_RESPONSE_ID_BY_KEY:
525 this->responderId = identification_create_from_encoding(
526 ID_KEY_ID, object);
527 DBG2(DBG_ASN, " '%Y'", this->responderId);
528 break;
529 case BASIC_RESPONSE_PRODUCED_AT:
530 this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
531 break;
532 case BASIC_RESPONSE_RESPONSES:
533 responses = object;
534 responses_level = parser->get_level(parser)+1;
535 break;
536 case BASIC_RESPONSE_EXT_ID:
537 extn_oid = asn1_known_oid(object);
538 break;
539 case BASIC_RESPONSE_CRITICAL:
540 critical = object.len && *object.ptr;
541 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
542 break;
543 case BASIC_RESPONSE_EXT_VALUE:
544 if (extn_oid == OID_NONCE)
545 {
546 this->nonce = object;
547 }
548 break;
549 case BASIC_RESPONSE_ALGORITHM:
550 this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object,
551 parser->get_level(parser)+1, NULL);
552 break;
553 case BASIC_RESPONSE_SIGNATURE:
554 this->signature = object;
555 break;
556 case BASIC_RESPONSE_CERTIFICATE:
557 {
558 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
559 BUILD_BLOB_ASN1_DER, object,
560 BUILD_END);
561 if (cert)
562 {
563 this->certs->insert_last(this->certs, cert);
564 }
565 break;
566 }
567 }
568 }
569 success = parser->success(parser);
570
571 end:
572 parser->destroy(parser);
573 if (success)
574 {
575 if (!this->responderId)
576 {
577 this->responderId = identification_create_from_encoding(ID_ANY,
578 chunk_empty);
579 }
580 success = parse_responses(this, responses, responses_level);
581 }
582 return success;
583 }
584
585 /**
586 * ASN.1 definition of ocspResponse
587 */
588 static const asn1Object_t ocspResponseObjects[] = {
589 { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
590 { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
591 { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
592 { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
593 { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
594 { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
595 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
596 { 0, "exit", ASN1_EOC, ASN1_EXIT }
597 };
598 #define OCSP_RESPONSE_STATUS 1
599 #define OCSP_RESPONSE_TYPE 4
600 #define OCSP_RESPONSE 5
601
602 /**
603 * Parse OCSPResponse object
604 */
605 static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
606 {
607 asn1_parser_t *parser;
608 chunk_t object;
609 int objectID;
610 int responseType = OID_UNKNOWN;
611 bool success = FALSE;
612 ocsp_status_t status;
613
614 parser = asn1_parser_create(ocspResponseObjects, this->encoding);
615
616 while (parser->iterate(parser, &objectID, &object))
617 {
618 switch (objectID)
619 {
620 case OCSP_RESPONSE_STATUS:
621 status = (ocsp_status_t)*object.ptr;
622 switch (status)
623 {
624 case OCSP_SUCCESSFUL:
625 break;
626 default:
627 DBG1(DBG_LIB, " ocsp response status: %N",
628 ocsp_status_names, status);
629 goto end;
630 }
631 break;
632 case OCSP_RESPONSE_TYPE:
633 responseType = asn1_known_oid(object);
634 break;
635 case OCSP_RESPONSE:
636 switch (responseType)
637 {
638 case OID_BASIC:
639 success = parse_basicOCSPResponse(this, object,
640 parser->get_level(parser)+1);
641 break;
642 default:
643 DBG1(DBG_LIB, " ocsp response type %#B not supported",
644 &object);
645 goto end;
646 }
647 break;
648 }
649 }
650 success &= parser->success(parser);
651
652 end:
653 parser->destroy(parser);
654 return success;
655 }
656
657 METHOD(certificate_t, get_type, certificate_type_t,
658 private_x509_ocsp_response_t *this)
659 {
660 return CERT_X509_OCSP_RESPONSE;
661 }
662
663 METHOD(certificate_t, get_issuer, identification_t*,
664 private_x509_ocsp_response_t *this)
665 {
666 return this->responderId;
667 }
668
669 METHOD(certificate_t, has_issuer, id_match_t,
670 private_x509_ocsp_response_t *this, identification_t *issuer)
671 {
672 return this->responderId->matches(this->responderId, issuer);
673 }
674
675 METHOD(certificate_t, issued_by, bool,
676 private_x509_ocsp_response_t *this, certificate_t *issuer,
677 signature_scheme_t *schemep)
678 {
679 public_key_t *key;
680 signature_scheme_t scheme;
681 bool valid;
682 x509_t *x509 = (x509_t*)issuer;
683
684 if (issuer->get_type(issuer) != CERT_X509)
685 {
686 return FALSE;
687 }
688 if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
689 {
690 chunk_t fingerprint;
691
692 key = issuer->get_public_key(issuer);
693 if (!key ||
694 !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
695 !chunk_equals(fingerprint,
696 this->responderId->get_encoding(this->responderId)))
697 {
698 DESTROY_IF(key);
699 return FALSE;
700 }
701 key->destroy(key);
702 }
703 else
704 {
705 if (!this->responderId->equals(this->responderId,
706 issuer->get_subject(issuer)))
707 {
708 return FALSE;
709 }
710 }
711 if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
712 !(x509->get_flags(x509) & X509_CA))
713 {
714 return FALSE;
715 }
716
717 /* get the public key of the issuer */
718 key = issuer->get_public_key(issuer);
719
720 /* determine signature scheme */
721 scheme = signature_scheme_from_oid(this->signatureAlgorithm);
722
723 if (scheme == SIGN_UNKNOWN || key == NULL)
724 {
725 return FALSE;
726 }
727 valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
728 key->destroy(key);
729 if (valid && schemep)
730 {
731 *schemep = scheme;
732 }
733 return valid;
734 }
735
736 METHOD(certificate_t, get_public_key, public_key_t*,
737 private_x509_ocsp_response_t *this)
738 {
739 return NULL;
740 }
741
742 METHOD(certificate_t, get_validity, bool,
743 private_x509_ocsp_response_t *this, time_t *when,
744 time_t *not_before, time_t *not_after)
745 {
746 time_t t = when ? *when : time(NULL);
747
748 if (not_before)
749 {
750 *not_before = this->producedAt;
751 }
752 if (not_after)
753 {
754 *not_after = this->usableUntil;
755 }
756 return (t < this->usableUntil);
757 }
758
759 METHOD(certificate_t, get_encoding, bool,
760 private_x509_ocsp_response_t *this, cred_encoding_type_t type,
761 chunk_t *encoding)
762 {
763 if (type == CERT_ASN1_DER)
764 {
765 *encoding = chunk_clone(this->encoding);
766 return TRUE;
767 }
768 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
769 CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
770 }
771
772 METHOD(certificate_t, equals, bool,
773 private_x509_ocsp_response_t *this, certificate_t *other)
774 {
775 chunk_t encoding;
776 bool equal;
777
778 if (this == (private_x509_ocsp_response_t*)other)
779 {
780 return TRUE;
781 }
782 if (other->get_type(other) != CERT_X509_OCSP_RESPONSE)
783 {
784 return FALSE;
785 }
786 if (other->equals == (void*)equals)
787 { /* skip allocation if we have the same implementation */
788 return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
789 }
790 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
791 {
792 return FALSE;
793 }
794 equal = chunk_equals(this->encoding, encoding);
795 free(encoding.ptr);
796 return equal;
797 }
798
799 METHOD(certificate_t, get_ref, certificate_t*,
800 private_x509_ocsp_response_t *this)
801 {
802 ref_get(&this->ref);
803 return &this->public.interface.certificate;
804 }
805
806 METHOD(certificate_t, destroy, void,
807 private_x509_ocsp_response_t *this)
808 {
809 if (ref_put(&this->ref))
810 {
811 this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
812 this->responses->destroy_function(this->responses, free);
813 DESTROY_IF(this->responderId);
814 free(this->encoding.ptr);
815 free(this);
816 }
817 }
818
819 /**
820 * load an OCSP response
821 */
822 static x509_ocsp_response_t *load(chunk_t blob)
823 {
824 private_x509_ocsp_response_t *this;
825
826 INIT(this,
827 .public = {
828 .interface = {
829 .certificate = {
830 .get_type = _get_type,
831 .get_subject = _get_issuer,
832 .get_issuer = _get_issuer,
833 .has_subject = _has_issuer,
834 .has_issuer = _has_issuer,
835 .issued_by = _issued_by,
836 .get_public_key = _get_public_key,
837 .get_validity = _get_validity,
838 .get_encoding = _get_encoding,
839 .equals = _equals,
840 .get_ref = _get_ref,
841 .destroy = _destroy,
842 },
843 .get_status = _get_status,
844 .create_cert_enumerator = _create_cert_enumerator,
845 },
846 },
847 .ref = 1,
848 .encoding = chunk_clone(blob),
849 .producedAt = UNDEFINED_TIME,
850 .usableUntil = UNDEFINED_TIME,
851 .responses = linked_list_create(),
852 .signatureAlgorithm = OID_UNKNOWN,
853 .certs = linked_list_create(),
854 );
855
856 if (!parse_OCSPResponse(this))
857 {
858 destroy(this);
859 return NULL;
860 }
861 return &this->public;
862 }
863
864 /**
865 * See header.
866 */
867 x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
868 va_list args)
869 {
870 chunk_t blob = chunk_empty;
871
872 while (TRUE)
873 {
874 switch (va_arg(args, builder_part_t))
875 {
876 case BUILD_BLOB_ASN1_DER:
877 blob = va_arg(args, chunk_t);
878 continue;
879 case BUILD_END:
880 break;
881 default:
882 return NULL;
883 }
884 break;
885 }
886 if (blob.ptr)
887 {
888 return load(blob);
889 }
890 return NULL;
891 }
892