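--- a/net/cert/internal/parse_ocsp.h
+++ /dev/null
@@ -1,282 +0,0 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_
-#define NET_CERT_INTERNAL_PARSE_OCSP_H_
-
-#include <memory>
-#include <string>
-#include <vector>
-
-#include "net/base/hash_value.h"
-#include "net/cert/internal/parse_certificate.h"
-#include "net/cert/internal/signature_algorithm.h"
-#include "net/der/input.h"
-#include "net/der/parse_values.h"
-#include "net/der/parser.h"
-#include "net/der/tag.h"
-
-namespace net {
-
-// OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID".
-//
-// CertID ::= SEQUENCE {
-// hashAlgorithm AlgorithmIdentifier,
-// issuerNameHash OCTET STRING, -- Hash of issuer's DN
-// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
-// serialNumber CertificateSerialNumber
-// }
-struct OCSPCertID {
-OCSPCertID();
-~OCSPCertID();
-
-DigestAlgorithm hash_algorithm;
-der::Input issuer_name_hash;
-der::Input issuer_key_hash;
-der::Input serial_number;
-};
-
-// OCSPCertStatus contains a representation of a DER-encoded RFC 6960
-// "CertStatus". |revocation_time| and |has_reason| are only valid when
-// |status| is REVOKED. |revocation_reason| is only valid when |has_reason| is
-// true.
-//
-// CertStatus ::= CHOICE {
-// good [0] IMPLICIT NULL,
-// revoked [1] IMPLICIT RevokedInfo,
-// unknown [2] IMPLICIT UnknownInfo
-// }
-//
-// RevokedInfo ::= SEQUENCE {
-// revocationTime GeneralizedTime,
-// revocationReason [0] EXPLICIT CRLReason OPTIONAL
-// }
-//
-// UnknownInfo ::= NULL
-//
-// CRLReason ::= ENUMERATED {
-// unspecified (0),
-// keyCompromise (1),
-// cACompromise (2),
-// affiliationChanged (3),
-// superseded (4),
-// cessationOfOperation (5),
-// certificateHold (6),
-// -- value 7 is not used
-// removeFromCRL (8),
-// privilegeWithdrawn (9),
-// aACompromise (10)
-// }
-// (from RFC 5280)
-struct OCSPCertStatus {
-enum class Status {
-GOOD,
-REVOKED,
-UNKNOWN,
-};
-
-// Correspond to the values of CRLReason
-enum class RevocationReason {
-UNSPECIFIED = 0,
-KEY_COMPROMISE = 1,
-CA_COMPROMISE = 2,
-AFFILIATION_CHANGED = 3,
-SUPERSEDED = 4,
-CESSATION_OF_OPERATION = 5,
-CERTIFICATE_HOLD = 6,
-UNUSED = 7,
-REMOVE_FROM_CRL = 8,
-PRIVILEGE_WITHDRAWN = 9,
-AA_COMPROMISE = 10,
-
-LAST = AA_COMPROMISE,
-};
-
-Status status;
-der::GeneralizedTime revocation_time;
-bool has_reason;
-RevocationReason revocation_reason;
-};
-
-// OCSPSingleResponse contains a representation of a DER-encoded RFC 6960
-// "SingleResponse". The |cert_id_tlv| and |extensions| fields are pointers to
-// the original object and are only valid as long as it is alive. They also
-// aren't verified until they are parsed. |next_update| is only valid if
-// |has_next_update| is true and |extensions| is only valid if |has_extensions|
-// is true.
-//
-// SingleResponse ::= SEQUENCE {
-// certID CertID,
-// certStatus CertStatus,
-// thisUpdate GeneralizedTime,
-// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
-// singleExtensions [1] EXPLICIT Extensions OPTIONAL
-// }
-struct NET_EXPORT OCSPSingleResponse {
-OCSPSingleResponse();
-~OCSPSingleResponse();
-
-der::Input cert_id_tlv;
-OCSPCertStatus cert_status;
-der::GeneralizedTime this_update;
-bool has_next_update;
-der::GeneralizedTime next_update;
-bool has_extensions;
-der::Input extensions;
-};
-
-// OCSPResponseData contains a representation of a DER-encoded RFC 6960
-// "ResponseData". The |responses| and |extensions| fields are pointers to the
-// original object and are only valid as long as it is alive. They also aren't
-// verified until they are parsed into OCSPSingleResponse and ParsedExtensions.
-// |extensions| is only valid if |has_extensions| is true.
-//
-// ResponseData ::= SEQUENCE {
-// version [0] EXPLICIT Version DEFAULT v1,
-// responderID ResponderID,
-// producedAt GeneralizedTime,
-// responses SEQUENCE OF SingleResponse,
-// responseExtensions [1] EXPLICIT Extensions OPTIONAL
-// }
-struct NET_EXPORT OCSPResponseData {
-enum class ResponderType { NAME, KEY_HASH };
-
-struct ResponderID {
-ResponderType type;
-der::Input name;
-HashValue key_hash;
-};
-
-OCSPResponseData();
-~OCSPResponseData();
-
-uint8_t version;
-OCSPResponseData::ResponderID responder_id;
-der::GeneralizedTime produced_at;
-std::vector<der::Input> responses;
-bool has_extensions;
-der::Input extensions;
-};
-
-// OCSPResponse contains a representation of a DER-encoded RFC 6960
-// "OCSPResponse" and the corresponding "BasicOCSPResponse". The |data| field
-// is a pointer to the original object and are only valid as long is it is
-// alive. The |data| field isn't verified until it is parsed into an
-// OCSPResponseData. |data|, |signature_algorithm|, |signature|, and
-// |has_certs| is only valid if |status| is SUCCESSFUL. |certs| is only valid
-// if |has_certs| is true.
-//
-// OCSPResponse ::= SEQUENCE {
-// responseStatus OCSPResponseStatus,
-// responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
-// }
-//
-// ResponseBytes ::= SEQUENCE {
-// responseType OBJECT IDENTIFIER,
-// response OCTET STRING
-// }
-//
-// BasicOCSPResponse ::= SEQUENCE {
-// tbsResponseData ResponseData,
-// signatureAlgorithm AlgorithmIdentifier,
-// signature BIT STRING,
-// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
-// }
-//
-// OCSPResponseStatus ::= ENUMERATED {
-// successful (0), -- Response has valid confirmations
-// malformedRequest (1), -- Illegal confirmation request
-// internalError (2), -- Internal error in issuer
-// tryLater (3), -- Try again later
-// -- (4) is not used
-// sigRequired (5), -- Must sign the request
-// unauthorized (6) -- Request unauthorized
-// }
-struct NET_EXPORT OCSPResponse {
-// Correspond to the values of OCSPResponseStatus
-enum class ResponseStatus {
-SUCCESSFUL = 0,
-MALFORMED_REQUEST = 1,
-INTERNAL_ERROR = 2,
-TRY_LATER = 3,
-UNUSED = 4,
-SIG_REQUIRED = 5,
-UNAUTHORIZED = 6,
-
-LAST = UNAUTHORIZED,
-};
-
-OCSPResponse();
-~OCSPResponse();
-
-ResponseStatus status;
-der::Input data;
-std::unique_ptr<SignatureAlgorithm> signature_algorithm;
-der::BitString signature;
-bool has_certs;
-std::vector<der::Input> certs;
-};
-
-// From RFC 6960:
-//
-// id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
-// id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-//
-// In dotted notation: 1.3.6.1.5.5.7.48.1.1
-NET_EXPORT der::Input BasicOCSPResponseOid();
-
-// Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on
-// success and sets the results in |out|.
-//
-// On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others may not have been changed.
-NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv,
-OCSPCertID* out);
-
-// Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns
-// true on success and sets the results in |out|. The resulting |out|
-// references data from |raw_tlv| and is only valid for the lifetime of
-// |raw_tlv|.
-//
-// On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others may not have been changed.
-NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
-OCSPSingleResponse* out);
-
-// Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns
-// true on success and sets the results in |out|. The resulting |out|
-// references data from |raw_tlv| and is only valid for the lifetime of
-// |raw_tlv|.
-//
-// On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others may not have been changed.
-NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv,
-OCSPResponseData* out);
-
-// Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true
-// on success and sets the results in |out|. The resulting |out|
-// references data from |raw_tlv| and is only valid for the lifetime of
-// |raw_tlv|.
-//
-// On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others may not have been changed.
-NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
-OCSPResponse* out);
-
-// Checks the certificate status of |cert| based on the OCSPResponseData
-// |response_data| and issuer |issuer| and sets the results in |out|. In the
-// case that there are multiple responses for a given certificate, as a result
-// of caching or performance (RFC 6960, 4.2.2.3), the strictest response is
-// returned (REVOKED > UNKNOWN > GOOD).
-//
-// On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others may not have been changed.
-NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data,
-const ParsedCertificate& issuer,
-const ParsedCertificate& cert,
-OCSPCertStatus* out);
-
-} // namespace net
-
-#endif // NET_CERT_INTERNAL_PARSE_OCSP_H_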