eef01eca24fa83e7054ad81327df24cf75301776
[strongswan.git] / src / libstrongswan / plugins / x509 / x509_ocsp_response.c
1 /**
2 * Copyright (C) 2008-2009 Martin Willi
3 * Copyright (C) 2007 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "x509_ocsp_response.h"
19
20 #include <time.h>
21
22 #include <asn1/oid.h>
23 #include <asn1/asn1.h>
24 #include <asn1/asn1_parser.h>
25 #include <utils/identification.h>
26 #include <utils/linked_list.h>
27 #include <debug.h>
28
29 #include <library.h>
30 #include <credentials/certificates/x509.h>
31 #include <credentials/certificates/crl.h>
32
33 /**
34 * how long do we use an OCSP response without a nextUpdate
35 */
36 #define OCSP_DEFAULT_LIFETIME 30
37
38 typedef struct private_x509_ocsp_response_t private_x509_ocsp_response_t;
39
40 /**
41 * Private data of a ocsp_t object.
42 */
43 struct private_x509_ocsp_response_t {
44 /**
45 * Public interface for this ocsp object.
46 */
47 x509_ocsp_response_t public;
48
49 /**
50 * complete encoded OCSP response
51 */
52 chunk_t encoding;
53
54 /**
55 * data for signature verficiation
56 */
57 chunk_t tbsResponseData;
58
59 /**
60 * signature algorithm (OID)
61 */
62 int signatureAlgorithm;
63
64 /**
65 * signature
66 */
67 chunk_t signature;
68
69 /**
70 * name or keyid of the responder
71 */
72 identification_t *responderId;
73
74 /**
75 * time of response production
76 */
77 time_t producedAt;
78
79 /**
80 * latest nextUpdate in this OCSP response
81 */
82 time_t usableUntil;
83
84 /**
85 * list of included certificates
86 */
87 linked_list_t *certs;
88
89 /**
90 * Linked list of OCSP responses, single_response_t
91 */
92 linked_list_t *responses;
93
94 /**
95 * Nonce required for ocsp request and response
96 */
97 chunk_t nonce;
98
99 /**
100 * reference counter
101 */
102 refcount_t ref;
103 };
104
105 /**
106 * single response contained in OCSP response
107 */
108 typedef struct {
109 /** hash algorithm OID to for the two hashes */
110 int hashAlgorithm;
111 /** hash of issuer DN */
112 chunk_t issuerNameHash;
113 /** issuerKeyID */
114 chunk_t issuerKeyHash;
115 /** serial number of certificate */
116 chunk_t serialNumber;
117 /** OCSP certificate status */
118 cert_validation_t status;
119 /** time of revocation, if revoked */
120 time_t revocationTime;
121 /** revocation reason, if revoked */
122 crl_reason_t revocationReason;
123 /** creation of associated CRL */
124 time_t thisUpdate;
125 /** creation of next CRL */
126 time_t nextUpdate;
127 } single_response_t;
128
129 /* our OCSP response version implementation */
130 #define OCSP_BASIC_RESPONSE_VERSION 1
131
132 /* some OCSP specific prefabricated ASN.1 constants */
133 static const chunk_t ASN1_nonce_oid = chunk_from_chars(
134 0x06, 0x09,
135 0x2B, 0x06,
136 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
137 );
138 static const chunk_t ASN1_response_oid = chunk_from_chars(
139 0x06, 0x09,
140 0x2B, 0x06,
141 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
142 );
143 static const chunk_t ASN1_response_content = chunk_from_chars(
144 0x04, 0x0D,
145 0x30, 0x0B,
146 0x06, 0x09,
147 0x2B, 0x06,
148 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
149 );
150
151 METHOD(ocsp_response_t, get_status, cert_validation_t,
152 private_x509_ocsp_response_t *this, x509_t *subject, x509_t *issuer,
153 time_t *revocation_time, crl_reason_t *revocation_reason,
154 time_t *this_update, time_t *next_update)
155 {
156 enumerator_t *enumerator;
157 single_response_t *response;
158 cert_validation_t status = VALIDATION_FAILED;
159 certificate_t *issuercert = &issuer->interface;
160
161 enumerator = this->responses->create_enumerator(this->responses);
162 while (enumerator->enumerate(enumerator, &response))
163 {
164 hasher_t *hasher;
165 identification_t *id;
166 cred_encoding_type_t type;
167 chunk_t hash, fingerprint;
168
169 /* check serial first, is cheaper */
170 if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
171 {
172 continue;
173 }
174 /* check issuerKeyHash if available */
175 if (response->issuerKeyHash.ptr)
176 {
177 public_key_t *public;
178
179 public = issuercert->get_public_key(issuercert);
180 if (!public)
181 {
182 continue;
183 }
184 switch (response->hashAlgorithm)
185 {
186 case OID_SHA1:
187 type = KEYID_PUBKEY_SHA1;
188 break;
189 default:
190 public->destroy(public);
191 continue;
192 }
193 if (!public->get_fingerprint(public, type, &fingerprint) ||
194 !chunk_equals(response->issuerKeyHash, fingerprint))
195 {
196 public->destroy(public);
197 continue;
198 }
199 public->destroy(public);
200 }
201 /* check issuerNameHash, if available */
202 else if (response->issuerNameHash.ptr)
203 {
204 hasher = lib->crypto->create_hasher(lib->crypto,
205 hasher_algorithm_from_oid(response->hashAlgorithm));
206 if (!hasher)
207 {
208 continue;
209 }
210 id = issuercert->get_subject(issuercert);
211 hasher->allocate_hash(hasher, id->get_encoding(id), &hash);
212 hasher->destroy(hasher);
213 if (!chunk_equals(hash, response->issuerNameHash))
214 {
215 continue;
216 }
217 }
218 else
219 {
220 continue;
221 }
222 /* got a match */
223 status = response->status;
224 *revocation_time = response->revocationTime;
225 *revocation_reason = response->revocationReason;
226 *this_update = response->thisUpdate;
227 *next_update = response->nextUpdate;
228
229 break;
230 }
231 enumerator->destroy(enumerator);
232 return status;
233 }
234
235 METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
236 private_x509_ocsp_response_t *this)
237 {
238 return this->certs->create_enumerator(this->certs);
239 }
240
241 /**
242 * ASN.1 definition of singleResponse
243 */
244 static const asn1Object_t singleResponseObjects[] = {
245 { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
246 { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
247 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
248 { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
249 { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
250 { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
251 { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
252 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
253 { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
254 { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
255 { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
256 { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
257 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
258 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
259 { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
260 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
261 { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
262 { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
263 { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
264 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
265 { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
266 { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
267 { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
268 { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
269 { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
270 ASN1_DEF }, /* 24 */
271 { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
272 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
273 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
274 { 0, "exit", ASN1_EOC, ASN1_EXIT }
275 };
276 #define SINGLE_RESPONSE_ALGORITHM 2
277 #define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
278 #define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
279 #define SINGLE_RESPONSE_SERIAL_NUMBER 5
280 #define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
281 #define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
282 #define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
283 #define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
284 #define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
285 #define SINGLE_RESPONSE_THIS_UPDATE 16
286 #define SINGLE_RESPONSE_NEXT_UPDATE 18
287 #define SINGLE_RESPONSE_EXT_ID 23
288 #define SINGLE_RESPONSE_CRITICAL 24
289 #define SINGLE_RESPONSE_EXT_VALUE 25
290
291 /**
292 * Parse a single OCSP response
293 */
294 static bool parse_singleResponse(private_x509_ocsp_response_t *this,
295 chunk_t blob, int level0)
296 {
297 asn1_parser_t *parser;
298 chunk_t object;
299 int objectID;
300 bool success = FALSE;
301
302 single_response_t *response;
303
304 response = malloc_thing(single_response_t);
305 response->hashAlgorithm = OID_UNKNOWN;
306 response->issuerNameHash = chunk_empty;
307 response->issuerKeyHash = chunk_empty;
308 response->serialNumber = chunk_empty;
309 response->status = VALIDATION_FAILED;
310 response->revocationTime = 0;
311 response->revocationReason = CRL_REASON_UNSPECIFIED;
312 response->thisUpdate = UNDEFINED_TIME;
313 /* if nextUpdate is missing, we give it a short lifetime */
314 response->nextUpdate = this->producedAt + OCSP_DEFAULT_LIFETIME;
315
316 parser = asn1_parser_create(singleResponseObjects, blob);
317 parser->set_top_level(parser, level0);
318
319 while (parser->iterate(parser, &objectID, &object))
320 {
321 switch (objectID)
322 {
323 case SINGLE_RESPONSE_ALGORITHM:
324 response->hashAlgorithm = asn1_parse_algorithmIdentifier(object,
325 parser->get_level(parser)+1, NULL);
326 break;
327 case SINGLE_RESPONSE_ISSUER_NAME_HASH:
328 response->issuerNameHash = object;
329 break;
330 case SINGLE_RESPONSE_ISSUER_KEY_HASH:
331 response->issuerKeyHash = object;
332 break;
333 case SINGLE_RESPONSE_SERIAL_NUMBER:
334 response->serialNumber = object;
335 break;
336 case SINGLE_RESPONSE_CERT_STATUS_GOOD:
337 response->status = VALIDATION_GOOD;
338 break;
339 case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
340 response->status = VALIDATION_REVOKED;
341 break;
342 case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
343 response->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
344 break;
345 case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
346 if (object.len == 1)
347 {
348 response->revocationReason = *object.ptr;
349 }
350 break;
351 case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
352 response->status = VALIDATION_FAILED;
353 break;
354 case SINGLE_RESPONSE_THIS_UPDATE:
355 response->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
356 break;
357 case SINGLE_RESPONSE_NEXT_UPDATE:
358 response->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
359 if (response->nextUpdate > this->usableUntil)
360 {
361 this->usableUntil = response->nextUpdate;
362 }
363 break;
364 }
365 }
366 success = parser->success(parser);
367 parser->destroy(parser);
368 if (success)
369 {
370 if (this->usableUntil == UNDEFINED_TIME)
371 {
372 this->usableUntil = this->producedAt + OCSP_DEFAULT_LIFETIME;
373 }
374 this->responses->insert_last(this->responses, response);
375 }
376 return success;
377 }
378
379 /**
380 * ASN.1 definition of responses
381 */
382 static const asn1Object_t responsesObjects[] = {
383 { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
384 { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
385 { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
386 { 0, "exit", ASN1_EOC, ASN1_EXIT }
387 };
388 #define RESPONSES_SINGLE_RESPONSE 1
389
390 /**
391 * Parse all responses
392 */
393 static bool parse_responses(private_x509_ocsp_response_t *this,
394 chunk_t blob, int level0)
395 {
396 asn1_parser_t *parser;
397 chunk_t object;
398 int objectID;
399 bool success = FALSE;
400
401 parser = asn1_parser_create(responsesObjects, blob);
402 parser->set_top_level(parser, level0);
403
404 while (parser->iterate(parser, &objectID, &object))
405 {
406 switch (objectID)
407 {
408 case RESPONSES_SINGLE_RESPONSE:
409 if (!parse_singleResponse(this, object,
410 parser->get_level(parser)+1))
411 {
412 goto end;
413 }
414 break;
415 default:
416 break;
417 }
418 }
419 success = parser->success(parser);
420
421 end:
422 parser->destroy(parser);
423 return success;
424 }
425
426 /**
427 * ASN.1 definition of basicResponse
428 */
429 static const asn1Object_t basicResponseObjects[] = {
430 { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
431 { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
432 { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
433 ASN1_DEF }, /* 2 */
434 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
435 { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
436 { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
437 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
438 { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
439 { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
440 { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
441 { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
442 { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
443 { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
444 { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
445 { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
446 { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
447 { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
448 ASN1_DEF }, /* 16 */
449 { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
450 { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
451 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
452 { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
453 { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
454 { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
455 { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
456 { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
457 { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
458 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
459 { 0, "exit", ASN1_EOC, ASN1_EXIT }
460 };
461 #define BASIC_RESPONSE_TBS_DATA 1
462 #define BASIC_RESPONSE_VERSION 3
463 #define BASIC_RESPONSE_ID_BY_NAME 5
464 #define BASIC_RESPONSE_ID_BY_KEY 8
465 #define BASIC_RESPONSE_PRODUCED_AT 10
466 #define BASIC_RESPONSE_RESPONSES 11
467 #define BASIC_RESPONSE_EXT_ID 15
468 #define BASIC_RESPONSE_CRITICAL 16
469 #define BASIC_RESPONSE_EXT_VALUE 17
470 #define BASIC_RESPONSE_ALGORITHM 20
471 #define BASIC_RESPONSE_SIGNATURE 21
472 #define BASIC_RESPONSE_CERTIFICATE 24
473
474 /**
475 * Parse a basicOCSPResponse
476 */
477 static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
478 chunk_t blob, int level0)
479 {
480 asn1_parser_t *parser;
481 chunk_t object;
482 chunk_t responses = chunk_empty;
483 int objectID;
484 int extn_oid = OID_UNKNOWN;
485 u_int responses_level = level0;
486 certificate_t *cert;
487 bool success = FALSE;
488 bool critical;
489
490 parser = asn1_parser_create(basicResponseObjects, blob);
491 parser->set_top_level(parser, level0);
492
493 while (parser->iterate(parser, &objectID, &object))
494 {
495 switch (objectID)
496 {
497 case BASIC_RESPONSE_TBS_DATA:
498 this->tbsResponseData = object;
499 break;
500 case BASIC_RESPONSE_VERSION:
501 {
502 u_int version = (object.len)? (1 + (u_int)*object.ptr) : 1;
503
504 if (version != OCSP_BASIC_RESPONSE_VERSION)
505 {
506 DBG1(DBG_LIB, " ocsp ResponseData version %d not "
507 "supported", version);
508 goto end;
509 }
510 break;
511 }
512 case BASIC_RESPONSE_ID_BY_NAME:
513 this->responderId = identification_create_from_encoding(
514 ID_DER_ASN1_DN, object);
515 DBG2(DBG_LIB, " '%Y'", this->responderId);
516 break;
517 case BASIC_RESPONSE_ID_BY_KEY:
518 this->responderId = identification_create_from_encoding(
519 ID_KEY_ID, object);
520 DBG2(DBG_LIB, " '%Y'", this->responderId);
521 break;
522 case BASIC_RESPONSE_PRODUCED_AT:
523 this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
524 break;
525 case BASIC_RESPONSE_RESPONSES:
526 responses = object;
527 responses_level = parser->get_level(parser)+1;
528 break;
529 case BASIC_RESPONSE_EXT_ID:
530 extn_oid = asn1_known_oid(object);
531 break;
532 case BASIC_RESPONSE_CRITICAL:
533 critical = object.len && *object.ptr;
534 DBG2(DBG_LIB, " %s", critical ? "TRUE" : "FALSE");
535 break;
536 case BASIC_RESPONSE_EXT_VALUE:
537 if (extn_oid == OID_NONCE)
538 {
539 this->nonce = object;
540 }
541 break;
542 case BASIC_RESPONSE_ALGORITHM:
543 this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object,
544 parser->get_level(parser)+1, NULL);
545 break;
546 case BASIC_RESPONSE_SIGNATURE:
547 this->signature = object;
548 break;
549 case BASIC_RESPONSE_CERTIFICATE:
550 {
551 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,CERT_X509,
552 BUILD_BLOB_ASN1_DER, object,
553 BUILD_END);
554 if (cert)
555 {
556 this->certs->insert_last(this->certs, cert);
557 }
558 break;
559 }
560 }
561 }
562 success = parser->success(parser);
563
564 end:
565 parser->destroy(parser);
566 if (success)
567 {
568 if (!this->responderId)
569 {
570 this->responderId = identification_create_from_encoding(ID_ANY,
571 chunk_empty);
572 }
573 success = parse_responses(this, responses, responses_level);
574 }
575 return success;
576 }
577
578 /**
579 * ASN.1 definition of ocspResponse
580 */
581 static const asn1Object_t ocspResponseObjects[] = {
582 { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
583 { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
584 { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
585 { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
586 { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
587 { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
588 { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
589 { 0, "exit", ASN1_EOC, ASN1_EXIT }
590 };
591 #define OCSP_RESPONSE_STATUS 1
592 #define OCSP_RESPONSE_TYPE 4
593 #define OCSP_RESPONSE 5
594
595 /**
596 * Parse OCSPResponse object
597 */
598 static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
599 {
600 asn1_parser_t *parser;
601 chunk_t object;
602 int objectID;
603 int responseType = OID_UNKNOWN;
604 bool success = FALSE;
605 ocsp_status_t status;
606
607 parser = asn1_parser_create(ocspResponseObjects, this->encoding);
608
609 while (parser->iterate(parser, &objectID, &object))
610 {
611 switch (objectID)
612 {
613 case OCSP_RESPONSE_STATUS:
614 status = (ocsp_status_t)*object.ptr;
615 switch (status)
616 {
617 case OCSP_SUCCESSFUL:
618 break;
619 default:
620 DBG1(DBG_LIB, " ocsp response status: %N",
621 ocsp_status_names, status);
622 goto end;
623 }
624 break;
625 case OCSP_RESPONSE_TYPE:
626 responseType = asn1_known_oid(object);
627 break;
628 case OCSP_RESPONSE:
629 switch (responseType)
630 {
631 case OID_BASIC:
632 success = parse_basicOCSPResponse(this, object,
633 parser->get_level(parser)+1);
634 break;
635 default:
636 DBG1(DBG_LIB, " ocsp response type %#B not supported",
637 &object);
638 goto end;
639 }
640 break;
641 }
642 }
643 success &= parser->success(parser);
644
645 end:
646 parser->destroy(parser);
647 return success;
648 }
649
650 METHOD(certificate_t, get_type, certificate_type_t,
651 private_x509_ocsp_response_t *this)
652 {
653 return CERT_X509_OCSP_RESPONSE;
654 }
655
656 METHOD(certificate_t, get_issuer, identification_t*,
657 private_x509_ocsp_response_t *this)
658 {
659 return this->responderId;
660 }
661
662 METHOD(certificate_t, has_issuer, id_match_t,
663 private_x509_ocsp_response_t *this, identification_t *issuer)
664 {
665 return this->responderId->matches(this->responderId, issuer);
666 }
667
668 METHOD(certificate_t, issued_by, bool,
669 private_x509_ocsp_response_t *this, certificate_t *issuer)
670 {
671 public_key_t *key;
672 signature_scheme_t scheme;
673 bool valid;
674 x509_t *x509 = (x509_t*)issuer;
675
676 if (issuer->get_type(issuer) != CERT_X509)
677 {
678 return FALSE;
679 }
680 if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
681 {
682 chunk_t fingerprint;
683
684 key = issuer->get_public_key(issuer);
685 if (!key ||
686 !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
687 !chunk_equals(fingerprint,
688 this->responderId->get_encoding(this->responderId)))
689 {
690 DESTROY_IF(key);
691 return FALSE;
692 }
693 key->destroy(key);
694 }
695 else
696 {
697 if (!this->responderId->equals(this->responderId,
698 issuer->get_subject(issuer)))
699 {
700 return FALSE;
701 }
702 }
703 if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
704 !(x509->get_flags(x509) & X509_CA))
705 {
706 return FALSE;
707 }
708
709 /* get the public key of the issuer */
710 key = issuer->get_public_key(issuer);
711
712 /* determine signature scheme */
713 scheme = signature_scheme_from_oid(this->signatureAlgorithm);
714
715 if (scheme == SIGN_UNKNOWN || key == NULL)
716 {
717 return FALSE;
718 }
719 valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
720 key->destroy(key);
721 return valid;
722 }
723
724 METHOD(certificate_t, get_public_key, public_key_t*,
725 private_x509_ocsp_response_t *this)
726 {
727 return NULL;
728 }
729
730 METHOD(certificate_t, get_validity, bool,
731 private_x509_ocsp_response_t *this, time_t *when,
732 time_t *not_before, time_t *not_after)
733 {
734 time_t t = when ? *when : time(NULL);
735
736 if (not_before)
737 {
738 *not_before = this->producedAt;
739 }
740 if (not_after)
741 {
742 *not_after = this->usableUntil;
743 }
744 return (t < this->usableUntil);
745 }
746
747 METHOD(certificate_t, get_encoding, bool,
748 private_x509_ocsp_response_t *this, cred_encoding_type_t type,
749 chunk_t *encoding)
750 {
751 if (type == CERT_ASN1_DER)
752 {
753 *encoding = chunk_clone(this->encoding);
754 return TRUE;
755 }
756 return lib->encoding->encode(lib->encoding, type, NULL, encoding,
757 CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END);
758 }
759
760 METHOD(certificate_t, equals, bool,
761 private_x509_ocsp_response_t *this, certificate_t *other)
762 {
763 chunk_t encoding;
764 bool equal;
765
766 if (this == (private_x509_ocsp_response_t*)other)
767 {
768 return TRUE;
769 }
770 if (other->get_type(other) != CERT_X509_OCSP_RESPONSE)
771 {
772 return FALSE;
773 }
774 if (other->equals == (void*)equals)
775 { /* skip allocation if we have the same implementation */
776 return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
777 }
778 if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
779 {
780 return FALSE;
781 }
782 equal = chunk_equals(this->encoding, encoding);
783 free(encoding.ptr);
784 return equal;
785 }
786
787 METHOD(certificate_t, get_ref, certificate_t*,
788 private_x509_ocsp_response_t *this)
789 {
790 ref_get(&this->ref);
791 return &this->public.interface.certificate;
792 }
793
794 METHOD(certificate_t, destroy, void,
795 private_x509_ocsp_response_t *this)
796 {
797 if (ref_put(&this->ref))
798 {
799 this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
800 this->responses->destroy_function(this->responses, free);
801 DESTROY_IF(this->responderId);
802 free(this->encoding.ptr);
803 free(this);
804 }
805 }
806
807 /**
808 * load an OCSP response
809 */
810 static x509_ocsp_response_t *load(chunk_t blob)
811 {
812 private_x509_ocsp_response_t *this;
813
814 INIT(this,
815 .public = {
816 .interface = {
817 .certificate = {
818 .get_type = _get_type,
819 .get_subject = _get_issuer,
820 .get_issuer = _get_issuer,
821 .has_subject = _has_issuer,
822 .has_issuer = _has_issuer,
823 .issued_by = _issued_by,
824 .get_public_key = _get_public_key,
825 .get_validity = _get_validity,
826 .get_encoding = _get_encoding,
827 .equals = _equals,
828 .get_ref = _get_ref,
829 .destroy = _destroy,
830 },
831 .get_status = _get_status,
832 .create_cert_enumerator = _create_cert_enumerator,
833 },
834 },
835 .ref = 1,
836 .encoding = chunk_clone(blob),
837 .producedAt = UNDEFINED_TIME,
838 .usableUntil = UNDEFINED_TIME,
839 .responses = linked_list_create(),
840 .signatureAlgorithm = OID_UNKNOWN,
841 .certs = linked_list_create(),
842 );
843
844 if (!parse_OCSPResponse(this))
845 {
846 destroy(this);
847 return NULL;
848 }
849 return &this->public;
850 }
851
852 /**
853 * See header.
854 */
855 x509_ocsp_response_t *x509_ocsp_response_load(certificate_type_t type,
856 va_list args)
857 {
858 chunk_t blob = chunk_empty;
859
860 while (TRUE)
861 {
862 switch (va_arg(args, builder_part_t))
863 {
864 case BUILD_BLOB_ASN1_DER:
865 blob = va_arg(args, chunk_t);
866 continue;
867 case BUILD_END:
868 break;
869 default:
870 return NULL;
871 }
872 break;
873 }
874 if (blob.ptr)
875 {
876 return load(blob);
877 }
878 return NULL;
879 }
880