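--- a/net/cert/internal/parse_ocsp.h
+++ b/net/cert/internal/parse_ocsp.h
@@ -0,0 +1,282 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_
+#define NET_CERT_INTERNAL_PARSE_OCSP_H_
+
+#include <string>
+#include <vector>
+
+#include "base/memory/scoped_ptr.h"
+#include "net/base/hash_value.h"
+#include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/signature_algorithm.h"
+#include "net/der/input.h"
+#include "net/der/parse_values.h"
+#include "net/der/parser.h"
+#include "net/der/tag.h"
+
+namespace net {
+
+// OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID".
+//
+// CertID ::= SEQUENCE {
+// hashAlgorithm AlgorithmIdentifier,
+// issuerNameHash OCTET STRING, -- Hash of issuer's DN
+// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
+// serialNumber CertificateSerialNumber
+// }
+struct OCSPCertID {
+OCSPCertID();
+~OCSPCertID();
+
+DigestAlgorithm hash_algorithm;
+der::Input issuer_name_hash;
+der::Input issuer_key_hash;
+der::Input serial_number;
+};
+
+// OCSPCertStatus contains a representation of a DER-encoded RFC 6960
+// "CertStatus". |revocation_time| and |has_reason| are only valid when
+// |status| is REVOKED. |revocation_reason| is only valid when |has_reason| is
+// true.
+//
+// CertStatus ::= CHOICE {
+// good [0] IMPLICIT NULL,
+// revoked [1] IMPLICIT RevokedInfo,
+// unknown [2] IMPLICIT UnknownInfo
+// }
+//
+// RevokedInfo ::= SEQUENCE {
+// revocationTime GeneralizedTime,
+// revocationReason [0] EXPLICIT CRLReason OPTIONAL
+// }
+//
+// UnknownInfo ::= NULL
+//
+// CRLReason ::= ENUMERATED {
+// unspecified (0),
+// keyCompromise (1),
+// cACompromise (2),
+// affiliationChanged (3),
+// superseded (4),
+// cessationOfOperation (5),
+// certificateHold (6),
+// -- value 7 is not used
+// removeFromCRL (8),
+// privilegeWithdrawn (9),
+// aACompromise (10)
+// }
+// (from RFC 5280)
+struct OCSPCertStatus {
+enum class Status {
+GOOD,
+REVOKED,
+UNKNOWN,
+};
+
+// Correspond to the values of CRLReason
+enum class RevocationReason {
+UNSPECIFIED = 0,
+KEY_COMPROMISE = 1,
+CA_COMPROMISE = 2,
+AFFILIATION_CHANGED = 3,
+SUPERSEDED = 4,
+CESSATION_OF_OPERATION = 5,
+CERTIFICATE_HOLD = 6,
+UNUSED = 7,
+REMOVE_FROM_CRL = 8,
+PRIVILEGE_WITHDRAWN = 9,
+AA_COMPROMISE = 10,
+
+LAST = AA_COMPROMISE,
+};
+
+Status status;
+der::GeneralizedTime revocation_time;
+bool has_reason;
+RevocationReason revocation_reason;
+};
+
+// OCSPSingleResponse contains a representation of a DER-encoded RFC 6960
+// "SingleResponse". The |cert_id_tlv| and |extensions| fields are pointers to
+// the original object and are only valid as long as it is alive. They also
+// aren't verified until they are parsed. |next_update| is only valid if
+// |has_next_update| is true and |extensions| is only valid if |has_extensions|
+// is true.
+//
+// SingleResponse ::= SEQUENCE {
+// certID CertID,
+// certStatus CertStatus,
+// thisUpdate GeneralizedTime,
+// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+// singleExtensions [1] EXPLICIT Extensions OPTIONAL
+// }
+struct NET_EXPORT OCSPSingleResponse {
+OCSPSingleResponse();
+~OCSPSingleResponse();
+
+der::Input cert_id_tlv;
+OCSPCertStatus cert_status;
+der::GeneralizedTime this_update;
+bool has_next_update;
+der::GeneralizedTime next_update;
+bool has_extensions;
+der::Input extensions;
+};
+
+// OCSPResponseData contains a representation of a DER-encoded RFC 6960
+// "ResponseData". The |responses| and |extensions| fields are pointers to the
+// original object and are only valid as long as it is alive. They also aren't
+// verified until they are parsed into OCSPSingleResponse and ParsedExtensions.
+// |extensions| is only valid if |has_extensions| is true.
+//
+// ResponseData ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// responderID ResponderID,
+// producedAt GeneralizedTime,
+// responses SEQUENCE OF SingleResponse,
+// responseExtensions [1] EXPLICIT Extensions OPTIONAL
+// }
+struct NET_EXPORT OCSPResponseData {
+enum class ResponderType { NAME, KEY_HASH };
+
+struct ResponderID {
+ResponderType type;
+der::Input name;
+HashValue key_hash;
+};
+
+OCSPResponseData();
+~OCSPResponseData();
+
+uint8_t version;
+OCSPResponseData::ResponderID responder_id;
+der::GeneralizedTime produced_at;
+std::vector<der::Input> responses;
+bool has_extensions;
+der::Input extensions;
+};
+
+// OCSPResponse contains a representation of a DER-encoded RFC 6960
+// "OCSPResponse" and the corresponding "BasicOCSPResponse". The |data| field
+// is a pointer to the original object and are only valid as long is it is
+// alive. The |data| field isn't verified until it is parsed into an
+// OCSPResponseData. |data|, |signature_algorithm|, |signature|, and
+// |has_certs| is only valid if |status| is SUCCESSFUL. |certs| is only valid
+// if |has_certs| is true.
+//
+// OCSPResponse ::= SEQUENCE {
+// responseStatus OCSPResponseStatus,
+// responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
+// }
+//
+// ResponseBytes ::= SEQUENCE {
+// responseType OBJECT IDENTIFIER,
+// response OCTET STRING
+// }
+//
+// BasicOCSPResponse ::= SEQUENCE {
+// tbsResponseData ResponseData,
+// signatureAlgorithm AlgorithmIdentifier,
+// signature BIT STRING,
+// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
+// }
+//
+// OCSPResponseStatus ::= ENUMERATED {
+// successful (0), -- Response has valid confirmations
+// malformedRequest (1), -- Illegal confirmation request
+// internalError (2), -- Internal error in issuer
+// tryLater (3), -- Try again later
+// -- (4) is not used
+// sigRequired (5), -- Must sign the request
+// unauthorized (6) -- Request unauthorized
+// }
+struct NET_EXPORT OCSPResponse {
+// Correspond to the values of OCSPResponseStatus
+enum class ResponseStatus {
+SUCCESSFUL = 0,
+MALFORMED_REQUEST = 1,
+INTERNAL_ERROR = 2,
+TRY_LATER = 3,
+UNUSED = 4,
+SIG_REQUIRED = 5,
+UNAUTHORIZED = 6,
+
+LAST = UNAUTHORIZED,
+};
+
+OCSPResponse();
+~OCSPResponse();
+
+ResponseStatus status;
+der::Input data;
+scoped_ptr<SignatureAlgorithm> signature_algorithm;
+der::BitString signature;
+bool has_certs;
+std::vector<der::Input> certs;
+};
+
+// From RFC 6960:
+//
+// id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
+// id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+//
+// In dotted notation: 1.3.6.1.5.5.7.48.1.1
+NET_EXPORT der::Input BasicOCSPResponseOid();
+
+// Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on
+// success and sets the results in |out|.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv,
+OCSPCertID* out);
+
+// Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns
+// true on success and sets the results in |out|. The resulting |out|
+// references data from |raw_tlv| and is only valid for the lifetime of
+// |raw_tlv|.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
+OCSPSingleResponse* out);
+
+// Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns
+// true on success and sets the results in |out|. The resulting |out|
+// references data from |raw_tlv| and is only valid for the lifetime of
+// |raw_tlv|.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv,
+OCSPResponseData* out);
+
+// Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true
+// on success and sets the results in |out|. The resulting |out|
+// references data from |raw_tlv| and is only valid for the lifetime of
+// |raw_tlv|.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
+OCSPResponse* out);
+
+// Checks the certificate status of |cert| based on the OCSPResponseData
+// |response_data| and issuer |issuer| and sets the results in |out|. In the
+// case that there are multiple responses for a given certificate, as a result
+// of caching or performance (RFC 6960, 4.2.2.3), the strictest response is
+// returned (REVOKED > UNKNOWN > GOOD).
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data,
+const ParsedCertificate& issuer,
+const ParsedCertificate& cert,
+OCSPCertStatus* out);
+
+} // namespace net
+
+#endif // NET_CERT_INTERNAL_PARSE_OCSP_H_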
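Review bot: The contract of GetOCSPCertStatus, declared at the end of this file, does not say what happens when |response_data| holds no SingleResponse for |cert|, which is the case a revocation checker is most likely to mishandle: from the header alone a caller cannot tell whether that yields false or an UNKNOWN status, and the distinction decides whether a missing response can be mistaken for GOOD. Please state it on the declaration, e.g. `// Returns false if |response_data| contains no SingleResponse for |cert|.`, adjusted to whatever the implementation actually does. A related gap is the reserved enumerators `UNUSED = 7` in RevocationReason and `UNUSED = 4` in ResponseStatus: the header does not say whether the parsers reject these values or can hand them to callers, so a switch over either enum must handle a value that presumably never appears; a one-line comment on each enumerator would settle it. Minor: the OCSPResponse comment reads "is a pointer to the original object and are only valid as long is it is alive" and should be "is a pointer to the original object and is only valid as long as it is alive".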