Print OCSP single responses
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_response.c
1 /**
2 * Copyright (C) 2008-2009 Martin Willi
3 * Copyright (C) 2007-2015 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "x509_ocsp_response.h"
20
21 #include <time.h>
22
23 #include <asn1/oid.h>
24 #include <asn1/asn1.h>
25 #include <asn1/asn1_parser.h>
26 #include <utils/identification.h>
27 #include <collections/linked_list.h>
28 #include <utils/debug.h>
29
30 #include <library.h>
31 #include <credentials/certificates/x509.h>
32 #include <credentials/certificates/crl.h>
33
34 /**
35 * how long do we use an OCSP response without a nextUpdate
36 */
37 #define OCSP_DEFAULT_LIFETIME 30
38
39 /* defined in wincrypt.h */
40 #ifdef OCSP_RESPONSE
41 # undef OCSP_RESPONSE
42 #endif
43
44 typedef struct private_x509_ocsp_response_t private_x509_ocsp_response_t;
45
46 /**
47 * Private data of a ocsp_t object.
48 */
49 struct private_x509_ocsp_response_t {
50 /**
51 * Public interface for this ocsp object.
52 */
53 x509_ocsp_response_t public;
54
55 /**
56 * complete encoded OCSP response
57 */
58 chunk_t encoding;
59
60 /**
61 * data for signature verficiation
62 */
63 chunk_t tbsResponseData;
64
65 /**
66 * signature algorithm (OID)
67 */
68 int signatureAlgorithm;
69
70 /**
71 * signature
72 */
73 chunk_t signature;
74
75 /**
76 * name or keyid of the responder
77 */
78 identification_t *responderId;
79
80 /**
81 * time of response production
82 */
83 time_t producedAt;
84
85 /**
86 * latest nextUpdate in this OCSP response
87 */
88 time_t usableUntil;
89
90 /**
91 * list of included certificates
92 */
93 linked_list_t *certs;
94
95 /**
96 * Linked list of OCSP responses, single_response_t
97 */
98 linked_list_t *responses;
99
100 /**
101 * Nonce required for ocsp request and response
102 */
103 chunk_t nonce;
104
105 /**
106 * reference counter
107 */
108 refcount_t ref;
109 };
110
111 /**
112 * single response contained in OCSP response
113 */
114 typedef struct {
115 /** hash algorithm OID to for the two hashes */
116 int hashAlgorithm;
117 /** hash of issuer DN */
118 chunk_t issuerNameHash;
119 /** issuerKeyID */
120 chunk_t issuerKeyHash;
121 /** serial number of certificate */
122 chunk_t serialNumber;
123 /** OCSP certificate status */
124 cert_validation_t status;
125 /** time of revocation, if revoked */
126 time_t revocationTime;
127 /** revocation reason, if revoked */
128 crl_reason_t revocationReason;
129 /** creation of associated CRL */
130 time_t thisUpdate;
131 /** creation of next CRL */
132 time_t nextUpdate;
133 } single_response_t;
134
135 /* our OCSP response version implementation */
136 #define OCSP_BASIC_RESPONSE_VERSION 1
137
138 METHOD(ocsp_response_t, get_status, cert_validation_t,
139 private_x509_ocsp_response_t *this, x509_t *subject, x509_t *issuer,
140 time_t *revocation_time, crl_reason_t *revocation_reason,
141 time_t *this_update, time_t *next_update)
142 {
143 enumerator_t *enumerator;
144 single_response_t *response;
145 cert_validation_t status = VALIDATION_FAILED;
146 certificate_t *issuercert = &issuer->interface;
147
148 enumerator = this->responses->create_enumerator(this->responses);
149 while (enumerator->enumerate(enumerator, &response))
150 {
151 hasher_t *hasher;
152 identification_t *id;
153 cred_encoding_type_t type;
154 chunk_t hash, fingerprint;
155
156 /* check serial first, is cheaper */
157 if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
158 {
159 continue;
160 }
161 /* check issuerKeyHash if available */
162 if (response->issuerKeyHash.ptr)
163 {
164 public_key_t *public;
165
166 public = issuercert->get_public_key(issuercert);
167 if (!public)
168 {
169 continue;
170 }
171 switch (response->hashAlgorithm)
172 {
173 case OID_SHA1:
174 type = KEYID_PUBKEY_SHA1;
175 break;
176 default:
177 public->destroy(public);
178 continue;
179 }
180 if (!public->get_fingerprint(public, type, &fingerprint) ||
181 !chunk_equals(response->issuerKeyHash, fingerprint))
182 {
183 public->destroy(public);
184 continue;
185 }
186 public->destroy(public);
187 }
188 /* check issuerNameHash, if available */
189 else if (response->issuerNameHash.ptr)
190 {
191 id = issuercert->get_subject(issuercert);
192 hasher = lib->crypto->create_hasher(lib->crypto,
193 hasher_algorithm_from_oid(response->hashAlgorithm));
194 if (!hasher ||
195 !hasher->allocate_hash(hasher, id->get_encoding(id), &hash))
196 {
197 DESTROY_IF(hasher);
198 continue;
199 }
200 hasher->destroy(hasher);
201 if (!chunk_equals(hash, response->issuerNameHash))
202 {
203 free(hash.ptr);
204 continue;
205 }
206 free(hash.ptr);
207 }
208 else
209 {
210 continue;
211 }
212 /* got a match */
213 status = response->status;
214 *revocation_time = response->revocationTime;
215 *revocation_reason = response->revocationReason;
216 *this_update = response->thisUpdate;
217 *next_update = response->nextUpdate;
218
219 break;
220 }
221 enumerator->destroy(enumerator);
222 return status;
223 }
224
225 METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
226 private_x509_ocsp_response_t *this)
227 {
228 return this->certs->create_enumerator(this->certs);
229 }
230
231 /**
232 * enumerator filter callback for create_response_enumerator
233 */
234 static bool filter(void *data, single_response_t **response,
235 chunk_t *serialNumber,
236 void *p2, cert_validation_t *status,
237 void *p3, time_t *revocationTime,
238 void *p4, crl_reason_t *revocationReason)
239 {
240 if (serialNumber)
241 {
242 *serialNumber = (*response)->serialNumber;
243 }
244 if (status)
245 {
246 *status = (*response)->status;
247 }
248 if (revocationTime)
249 {
250 *revocationTime = (*response)->revocationTime;
251 }
252 if (revocationReason)
253 {
254 *revocationReason = (*response)->revocationReason;
255 }
256 return TRUE;
257 }
258
259 METHOD(ocsp_response_t, create_response_enumerator, enumerator_t*,
260 private_x509_ocsp_response_t *this)
261 {
262 return enumerator_create_filter(
263 this->responses->create_enumerator(this->responses),
264 (void*)filter, NULL, NULL);
265 }
266
267 /**
268 * ASN.1 definition of singleResponse
269 */
270 static const asn1Object_t singleResponseObjects[] = {
271 { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
272 { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
273 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
274 { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
275 { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
276 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
277 { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
278 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
279 { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
280 { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
281 { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
282 { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
283 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
284 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
285 { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
286 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
287 { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
288 { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
289 { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
290 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
291 { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
292 { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
293 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
294 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
295 { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
296 ASN1_DEF }, /* 24 */
297 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
298 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
299 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
300 { 0, "exit", ASN1_EOC, ASN1_EXIT }
301 };
302 #define SINGLE_RESPONSE_ALGORITHM 2
303 #define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
304 #define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
305 #define SINGLE_RESPONSE_SERIAL_NUMBER 5
306 #define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
307 #define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
308 #define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
309 #define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
310 #define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
311 #define SINGLE_RESPONSE_THIS_UPDATE 16
312 #define SINGLE_RESPONSE_NEXT_UPDATE 18
313 #define SINGLE_RESPONSE_EXT_ID 23
314 #define SINGLE_RESPONSE_CRITICAL 24
315 #define SINGLE_RESPONSE_EXT_VALUE 25
316
317 /**
318 * Parse a single OCSP response
319 */
320 static bool parse_singleResponse(private_x509_ocsp_response_t *this,
321 chunk_t blob, int level0)
322 {
323 asn1_parser_t *parser;
324 chunk_t object;
325 int objectID;
326 bool success = FALSE;
327
328 single_response_t *response;
329
330 response = malloc_thing(single_response_t);
331 response->hashAlgorithm = OID_UNKNOWN;
332 response->issuerNameHash = chunk_empty;
333 response->issuerKeyHash = chunk_empty;
334 response->serialNumber = chunk_empty;
335 response->status = VALIDATION_FAILED;
336 response->revocationTime = 0;
337 response->revocationReason = CRL_REASON_UNSPECIFIED;
338 response->thisUpdate = UNDEFINED_TIME;
339 /* if nextUpdate is missing, we give it a short lifetime */
340 response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
341
342 parser = asn1_parser_create(singleResponseObjects, blob);
343 parser->set_top_level(parser, level0);
344
345 while (parser->iterate(parser, &objectID, &object))
346 {
347 switch (objectID)
348 {
349 case SINGLE_RESPONSE_ALGORITHM:
350 response->hashAlgorithm = asn1_parse_algorithmIdentifier(object,
351 parser->get_level(parser)+1, NULL);
352 break;
353 case SINGLE_RESPONSE_ISSUER_NAME_HASH:
354 response->issuerNameHash = object;
355 break;
356 case SINGLE_RESPONSE_ISSUER_KEY_HASH:
357 response->issuerKeyHash = object;
358 break;
359 case SINGLE_RESPONSE_SERIAL_NUMBER:
360 response->serialNumber = object;
361 break;
362 case SINGLE_RESPONSE_CERT_STATUS_GOOD:
363 response->status = VALIDATION_GOOD;
364 break;
365 case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
366 response->status = VALIDATION_REVOKED;
367 break;
368 case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
369 response->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
370 break;
371 case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
372 if (object.len == 1)
373 {
374 response->revocationReason = *object.ptr;
375 }
376 break;
377 case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
378 response->status = VALIDATION_FAILED;
379 break;
380 case SINGLE_RESPONSE_THIS_UPDATE:
381 response->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
382 break;
383 case SINGLE_RESPONSE_NEXT_UPDATE:
384 response->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
385 if (response->nextUpdate > this->usableUntil)
386 {
387 this->usableUntil = response->nextUpdate;
388 }
389 break;
390 }
391 }
392 success = parser->success(parser);
393 parser->destroy(parser);
394 if (success)
395 {
396 if (this->usableUntil == UNDEFINED_TIME)
397 {
398 this->usableUntil = this->producedAt + OCSP_DEFAULT_LIFETIME;
399 }
400 this->responses->insert_last(this->responses, response);
401 }
402 else
403 {
404 free(response);
405 }
406 return success;
407 }
408
409 /**
410 * ASN.1 definition of responses
411 */
412 static const asn1Object_t responsesObjects[] = {
413 { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
414 { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
415 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
416 { 0, "exit", ASN1_EOC, ASN1_EXIT }
417 };
418 #define RESPONSES_SINGLE_RESPONSE 1
419
420 /**
421 * Parse all responses
422 */
423 static bool parse_responses(private_x509_ocsp_response_t *this,
424 chunk_t blob, int level0)
425 {
426 asn1_parser_t *parser;
427 chunk_t object;
428 int objectID;
429 bool success = FALSE;
430
431 parser = asn1_parser_create(responsesObjects, blob);
432 parser->set_top_level(parser, level0);
433
434 while (parser->iterate(parser, &objectID, &object))
435 {
436 switch (objectID)
437 {
438 case RESPONSES_SINGLE_RESPONSE:
439 if (!parse_singleResponse(this, object,
440 parser->get_level(parser)+1))
441 {
442 goto end;
443 }
444 break;
445 default:
446 break;
447 }
448 }
449 success = parser->success(parser);
450
451 end:
452 parser->destroy(parser);
453 return success;
454 }
455
456 /**
457 * ASN.1 definition of basicResponse
458 */
459 static const asn1Object_t basicResponseObjects[] = {
460 { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
461 { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
462 { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
463 ASN1_DEF }, /* 2 */
464 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
465 { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
466 { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
467 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
468 { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
469 { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
470 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
471 { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
472 { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
473 { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
474 { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
475 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
476 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
477 { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
478 ASN1_DEF }, /* 16 */
479 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
480 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
481 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
482 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
483 { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
484 { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
485 { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
486 { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
487 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
488 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
489 { 0, "exit", ASN1_EOC, ASN1_EXIT }
490 };
491 #define BASIC_RESPONSE_TBS_DATA 1
492 #define BASIC_RESPONSE_VERSION 3
493 #define BASIC_RESPONSE_ID_BY_NAME 5
494 #define BASIC_RESPONSE_ID_BY_KEY 8
495 #define BASIC_RESPONSE_PRODUCED_AT 10
496 #define BASIC_RESPONSE_RESPONSES 11
497 #define BASIC_RESPONSE_EXT_ID 15
498 #define BASIC_RESPONSE_CRITICAL 16
499 #define BASIC_RESPONSE_EXT_VALUE 17
500 #define BASIC_RESPONSE_ALGORITHM 20
501 #define BASIC_RESPONSE_SIGNATURE 21
502 #define BASIC_RESPONSE_CERTIFICATE 24
503
504 /**
505 * Parse a basicOCSPResponse
506 */
507 static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
508 chunk_t blob, int level0)
509 {
510 asn1_parser_t *parser;
511 chunk_t object;
512 chunk_t responses = chunk_empty;
513 int objectID;
514 int extn_oid = OID_UNKNOWN;
515 u_int responses_level = level0;
516 certificate_t *cert;
517 bool success = FALSE;
518 bool critical;
519
520 parser = asn1_parser_create(basicResponseObjects, blob);
521 parser->set_top_level(parser, level0);
522
523 while (parser->iterate(parser, &objectID, &object))
524 {
525 switch (objectID)
526 {
527 case BASIC_RESPONSE_TBS_DATA:
528 this->tbsResponseData = object;
529 break;
530 case BASIC_RESPONSE_VERSION:
531 {
532 u_int version = (object.len)? (1 + (u_int)*object.ptr) : 1;
533
534 if (version != OCSP_BASIC_RESPONSE_VERSION)
535 {
536 DBG1(DBG_ASN, " ocsp ResponseData version %d not "
537 "supported", version);
538 goto end;
539 }
540 break;
541 }
542 case BASIC_RESPONSE_ID_BY_NAME:
543 this->responderId = identification_create_from_encoding(
544 ID_DER_ASN1_DN, object);
545 DBG2(DBG_ASN, " '%Y'", this->responderId);
546 break;
547 case BASIC_RESPONSE_ID_BY_KEY:
548 this->responderId = identification_create_from_encoding(
549 ID_KEY_ID, object);
550 DBG2(DBG_ASN, " '%Y'", this->responderId);
551 break;
552 case BASIC_RESPONSE_PRODUCED_AT:
553 this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
554 break;
555 case BASIC_RESPONSE_RESPONSES:
556 responses = object;
557 responses_level = parser->get_level(parser)+1;
558 break;
559 case BASIC_RESPONSE_EXT_ID:
560 extn_oid = asn1_known_oid(object);
561 break;
562 case BASIC_RESPONSE_CRITICAL:
563 critical = object.len && *object.ptr;
564 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
565 break;
566 case BASIC_RESPONSE_EXT_VALUE:
567 if (extn_oid == OID_NONCE)
568 {
569 this->nonce = object;
570 }
571 break;
572 case BASIC_RESPONSE_ALGORITHM:
573 this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object,
574 parser->get_level(parser)+1, NULL);
575 break;
576 case BASIC_RESPONSE_SIGNATURE:
577 this->signature = chunk_skip(object, 1);
578 break;
579 case BASIC_RESPONSE_CERTIFICATE:
580 {
581 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
582 BUILD_BLOB_ASN1_DER, object,
583 BUILD_END);
584 if (cert)
585 {
586 this->certs->insert_last(this->certs, cert);
587 }
588 break;
589 }
590 }
591 }
592 success = parser->success(parser);
593
594 end:
595 parser->destroy(parser);
596 if (success)
597 {
598 if (!this->responderId)
599 {
600 this->responderId = identification_create_from_encoding(ID_ANY,
601 chunk_empty);
602 }
603 success = parse_responses(this, responses, responses_level);
604 }
605 return success;
606 }
607
608 /**
609 * ASN.1 definition of ocspResponse
610 */
611 static const asn1Object_t ocspResponseObjects[] = {
612 { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
613 { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
614 { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
615 { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
616 { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
617 { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
618 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
619 { 0, "exit", ASN1_EOC, ASN1_EXIT }
620 };
621 #define OCSP_RESPONSE_STATUS 1
622 #define OCSP_RESPONSE_TYPE 4
623 #define OCSP_RESPONSE 5
624
625 /**
626 * Parse OCSPResponse object
627 */
628 static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
629 {
630 asn1_parser_t *parser;
631 chunk_t object;
632 int objectID;
633 int responseType = OID_UNKNOWN;
634 bool success = FALSE;
635 ocsp_status_t status;
636
637 parser = asn1_parser_create(ocspResponseObjects, this->encoding);
638
639 while (parser->iterate(parser, &objectID, &object))
640 {
641 switch (objectID)
642 {
643 case OCSP_RESPONSE_STATUS:
644 status = (ocsp_status_t)*object.ptr;
645 switch (status)
646 {
647 case OCSP_SUCCESSFUL:
648 break;
649 default:
650 DBG1(DBG_LIB, " ocsp response status: %N",
651 ocsp_status_names, status);
652 goto end;
653 }
654 break;
655 case OCSP_RESPONSE_TYPE:
656 responseType = asn1_known_oid(object);
657 break;
658 case OCSP_RESPONSE:
659 switch (responseType)
660 {
661 case OID_BASIC:
662 success = parse_basicOCSPResponse(this, object,
663 parser->get_level(parser)+1);
664 break;
665 default:
666 DBG1(DBG_LIB, " ocsp response type %#B not supported",
667 &object);
668 goto end;
669 }
670 break;
671 }
672 }
673 success &= parser->success(parser);
674
675 end:
676 parser->destroy(parser);
677 return success;
678 }
679
680 METHOD(certificate_t, get_type, certificate_type_t,
681 private_x509_ocsp_response_t *this)
682 {
683 return CERT_X509_OCSP_RESPONSE;
684 }
685
686 METHOD(certificate_t, get_issuer, identification_t*,
687 private_x509_ocsp_response_t *this)
688 {
689 return this->responderId;
690 }
691
692 METHOD(certificate_t, has_issuer, id_match_t,
693 private_x509_ocsp_response_t *this, identification_t *issuer)
694 {
695 return this->responderId->matches(this->responderId, issuer);
696 }
697
698 METHOD(certificate_t, issued_by, bool,
699 private_x509_ocsp_response_t *this, certificate_t *issuer,
700 signature_scheme_t *schemep)
701 {
702 public_key_t *key;
703 signature_scheme_t scheme;
704 bool valid;
705 x509_t *x509 = (x509_t*)issuer;
706
707 if (issuer->get_type(issuer) != CERT_X509)
708 {
709 return FALSE;
710 }
711 if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
712 {
713 chunk_t fingerprint;
714
715 key = issuer->get_public_key(issuer);
716 if (!key ||
717 !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
718 !chunk_equals(fingerprint,
719 this->responderId->get_encoding(this->responderId)))
720 {
721 DESTROY_IF(key);
722 return FALSE;
723 }
724 key->destroy(key);
725 }
726 else
727 {
728 if (!this->responderId->equals(this->responderId,
729 issuer->get_subject(issuer)))
730 {
731 return FALSE;
732 }
733 }
734 if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
735 !(x509->get_flags(x509) & X509_CA))
736 {
737 return FALSE;
738 }
739
740 /* get the public key of the issuer */
741 key = issuer->get_public_key(issuer);
742
743 /* determine signature scheme */
744 scheme = signature_scheme_from_oid(this->signatureAlgorithm);
745
746 if (scheme == SIGN_UNKNOWN || key == NULL)
747 {
748 return FALSE;
749 }
750 valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
751 key->destroy(key);
752 if (valid && schemep)
753 {
754 *schemep = scheme;
755 }
756 return valid;
757 }
758
759 METHOD(certificate_t, get_public_key, public_key_t*,
760 private_x509_ocsp_response_t *this)
761 {
762 return NULL;
763 }
764
765 METHOD(certificate_t, get_validity, bool,
766 private_x509_ocsp_response_t *this, time_t *when,
767 time_t *not_before, time_t *not_after)
768 {
769 time_t t = when ? *when : time(NULL);
770
771 if (not_before)
772 {
773 *not_before = this->producedAt;
774 }
775 if (not_after)
776 {
777 *not_after = this->usableUntil;
778 }
779 return (t < this->usableUntil);
780 }
781
782 METHOD(certificate_t, get_encoding, bool,
783 private_x509_ocsp_response_t *this, cred_encoding_type_t type,
784 chunk_t *encoding)
785 {
786 if (type == CERT_ASN1_DER)
787 {
788 *encoding = chunk_clone(this->encoding);
789 return TRUE;
790 }
791 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
792 CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
793 }
794
795 METHOD(certificate_t, equals, bool,
796 private_x509_ocsp_response_t *this, certificate_t *other)
797 {
798 chunk_t encoding;
799 bool equal;
800
801 if (this == (private_x509_ocsp_response_t*)other)
802 {
803 return TRUE;
804 }
805 if (other->get_type(other) != CERT_X509_OCSP_RESPONSE)
806 {
807 return FALSE;
808 }
809 if (other->equals == (void*)equals)
810 { /* skip allocation if we have the same implementation */
811 return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
812 }
813 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
814 {
815 return FALSE;
816 }
817 equal = chunk_equals(this->encoding, encoding);
818 free(encoding.ptr);
819 return equal;
820 }
821
822 METHOD(certificate_t, get_ref, certificate_t*,
823 private_x509_ocsp_response_t *this)
824 {
825 ref_get(&this->ref);
826 return &this->public.interface.certificate;
827 }
828
829 METHOD(certificate_t, destroy, void,
830 private_x509_ocsp_response_t *this)
831 {
832 if (ref_put(&this->ref))
833 {
834 this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
835 this->responses->destroy_function(this->responses, free);
836 DESTROY_IF(this->responderId);
837 free(this->encoding.ptr);
838 free(this);
839 }
840 }
841
842 /**
843 * load an OCSP response
844 */
845 static x509_ocsp_response_t *load(chunk_t blob)
846 {
847 private_x509_ocsp_response_t *this;
848
849 INIT(this,
850 .public = {
851 .interface = {
852 .certificate = {
853 .get_type = _get_type,
854 .get_subject = _get_issuer,
855 .get_issuer = _get_issuer,
856 .has_subject = _has_issuer,
857 .has_issuer = _has_issuer,
858 .issued_by = _issued_by,
859 .get_public_key = _get_public_key,
860 .get_validity = _get_validity,
861 .get_encoding = _get_encoding,
862 .equals = _equals,
863 .get_ref = _get_ref,
864 .destroy = _destroy,
865 },
866 .get_status = _get_status,
867 .create_cert_enumerator = _create_cert_enumerator,
868 .create_response_enumerator = _create_response_enumerator,
869 },
870 },
871 .ref = 1,
872 .encoding = chunk_clone(blob),
873 .producedAt = UNDEFINED_TIME,
874 .usableUntil = UNDEFINED_TIME,
875 .responses = linked_list_create(),
876 .signatureAlgorithm = OID_UNKNOWN,
877 .certs = linked_list_create(),
878 );
879
880 if (!parse_OCSPResponse(this))
881 {
882 destroy(this);
883 return NULL;
884 }
885 return &this->public;
886 }
887
888 /**
889 * See header.
890 */
891 x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
892 va_list args)
893 {
894 chunk_t blob = chunk_empty;
895
896 while (TRUE)
897 {
898 switch (va_arg(args, builder_part_t))
899 {
900 case BUILD_BLOB_ASN1_DER:
901 blob = va_arg(args, chunk_t);
902 continue;
903 case BUILD_END:
904 break;
905 default:
906 return NULL;
907 }
908 break;
909 }
910 if (blob.ptr)
911 {
912 return load(blob);
913 }
914 return NULL;
915 }