| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_ | |
| 6 #define NET_CERT_INTERNAL_PARSE_OCSP_H_ | |
| 7 | |
| 8 #include <memory> | |
| 9 #include <string> | |
| 10 #include <vector> | |
| 11 | |
| 12 #include "net/base/hash_value.h" | |
| 13 #include "net/cert/internal/parse_certificate.h" | |
| 14 #include "net/cert/internal/signature_algorithm.h" | |
| 15 #include "net/der/input.h" | |
| 16 #include "net/der/parse_values.h" | |
| 17 #include "net/der/parser.h" | |
| 18 #include "net/der/tag.h" | |
| 19 | |
| 20 namespace net { | |
| 21 | |
| 22 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID". | |
| 23 // | |
| 24 // CertID ::= SEQUENCE { | |
| 25 // hashAlgorithm AlgorithmIdentifier, | |
| 26 // issuerNameHash OCTET STRING, -- Hash of issuer's DN | |
| 27 // issuerKeyHash OCTET STRING, -- Hash of issuer's public key | |
| 28 // serialNumber CertificateSerialNumber | |
| 29 // } | |
| 30 struct OCSPCertID { | |
| 31 OCSPCertID(); | |
| 32 ~OCSPCertID(); | |
| 33 | |
| 34 DigestAlgorithm hash_algorithm; | |
| 35 der::Input issuer_name_hash; | |
| 36 der::Input issuer_key_hash; | |
| 37 der::Input serial_number; | |
| 38 }; | |
| 39 | |
| 40 // OCSPCertStatus contains a representation of a DER-encoded RFC 6960 | |
| 41 // "CertStatus". |revocation_time| and |has_reason| are only valid when | |
| 42 // |status| is REVOKED. |revocation_reason| is only valid when |has_reason| is | |
| 43 // true. | |
| 44 // | |
| 45 // CertStatus ::= CHOICE { | |
| 46 // good [0] IMPLICIT NULL, | |
| 47 // revoked [1] IMPLICIT RevokedInfo, | |
| 48 // unknown [2] IMPLICIT UnknownInfo | |
| 49 // } | |
| 50 // | |
| 51 // RevokedInfo ::= SEQUENCE { | |
| 52 // revocationTime GeneralizedTime, | |
| 53 // revocationReason [0] EXPLICIT CRLReason OPTIONAL | |
| 54 // } | |
| 55 // | |
| 56 // UnknownInfo ::= NULL | |
| 57 // | |
| 58 // CRLReason ::= ENUMERATED { | |
| 59 // unspecified (0), | |
| 60 // keyCompromise (1), | |
| 61 // cACompromise (2), | |
| 62 // affiliationChanged (3), | |
| 63 // superseded (4), | |
| 64 // cessationOfOperation (5), | |
| 65 // certificateHold (6), | |
| 66 // -- value 7 is not used | |
| 67 // removeFromCRL (8), | |
| 68 // privilegeWithdrawn (9), | |
| 69 // aACompromise (10) | |
| 70 // } | |
| 71 // (from RFC 5280) | |
| 72 struct OCSPCertStatus { | |
| 73 enum class Status { | |
| 74 GOOD, | |
| 75 REVOKED, | |
| 76 UNKNOWN, | |
| 77 }; | |
| 78 | |
| 79 // Correspond to the values of CRLReason | |
| 80 enum class RevocationReason { | |
| 81 UNSPECIFIED = 0, | |
| 82 KEY_COMPROMISE = 1, | |
| 83 CA_COMPROMISE = 2, | |
| 84 AFFILIATION_CHANGED = 3, | |
| 85 SUPERSEDED = 4, | |
| 86 CESSATION_OF_OPERATION = 5, | |
| 87 CERTIFICATE_HOLD = 6, | |
| 88 UNUSED = 7, | |
| 89 REMOVE_FROM_CRL = 8, | |
| 90 PRIVILEGE_WITHDRAWN = 9, | |
| 91 AA_COMPROMISE = 10, | |
| 92 | |
| 93 LAST = AA_COMPROMISE, | |
| 94 }; | |
| 95 | |
| 96 Status status; | |
| 97 der::GeneralizedTime revocation_time; | |
| 98 bool has_reason; | |
| 99 RevocationReason revocation_reason; | |
| 100 }; | |
| 101 | |
| 102 // OCSPSingleResponse contains a representation of a DER-encoded RFC 6960 | |
| 103 // "SingleResponse". The |cert_id_tlv| and |extensions| fields are pointers to | |
| 104 // the original object and are only valid as long as it is alive. They also | |
| 105 // aren't verified until they are parsed. |next_update| is only valid if | |
| 106 // |has_next_update| is true and |extensions| is only valid if |has_extensions| | |
| 107 // is true. | |
| 108 // | |
| 109 // SingleResponse ::= SEQUENCE { | |
| 110 // certID CertID, | |
| 111 // certStatus CertStatus, | |
| 112 // thisUpdate GeneralizedTime, | |
| 113 // nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |
| 114 // singleExtensions [1] EXPLICIT Extensions OPTIONAL | |
| 115 // } | |
| 116 struct NET_EXPORT OCSPSingleResponse { | |
| 117 OCSPSingleResponse(); | |
| 118 ~OCSPSingleResponse(); | |
| 119 | |
| 120 der::Input cert_id_tlv; | |
| 121 OCSPCertStatus cert_status; | |
| 122 der::GeneralizedTime this_update; | |
| 123 bool has_next_update; | |
| 124 der::GeneralizedTime next_update; | |
| 125 bool has_extensions; | |
| 126 der::Input extensions; | |
| 127 }; | |
| 128 | |
| 129 // OCSPResponseData contains a representation of a DER-encoded RFC 6960 | |
| 130 // "ResponseData". The |responses| and |extensions| fields are pointers to the | |
| 131 // original object and are only valid as long as it is alive. They also aren't | |
| 132 // verified until they are parsed into OCSPSingleResponse and ParsedExtensions. | |
| 133 // |extensions| is only valid if |has_extensions| is true. | |
| 134 // | |
| 135 // ResponseData ::= SEQUENCE { | |
| 136 // version [0] EXPLICIT Version DEFAULT v1, | |
| 137 // responderID ResponderID, | |
| 138 // producedAt GeneralizedTime, | |
| 139 // responses SEQUENCE OF SingleResponse, | |
| 140 // responseExtensions [1] EXPLICIT Extensions OPTIONAL | |
| 141 // } | |
| 142 struct NET_EXPORT OCSPResponseData { | |
| 143 enum class ResponderType { NAME, KEY_HASH }; | |
| 144 | |
| 145 struct ResponderID { | |
| 146 ResponderType type; | |
| 147 der::Input name; | |
| 148 HashValue key_hash; | |
| 149 }; | |
| 150 | |
| 151 OCSPResponseData(); | |
| 152 ~OCSPResponseData(); | |
| 153 | |
| 154 uint8_t version; | |
| 155 OCSPResponseData::ResponderID responder_id; | |
| 156 der::GeneralizedTime produced_at; | |
| 157 std::vector<der::Input> responses; | |
| 158 bool has_extensions; | |
| 159 der::Input extensions; | |
| 160 }; | |
| 161 | |
| 162 // OCSPResponse contains a representation of a DER-encoded RFC 6960 | |
| 163 // "OCSPResponse" and the corresponding "BasicOCSPResponse". The |data| field | |
| 164 // is a pointer to the original object and are only valid as long is it is | |
| 165 // alive. The |data| field isn't verified until it is parsed into an | |
| 166 // OCSPResponseData. |data|, |signature_algorithm|, |signature|, and | |
| 167 // |has_certs| is only valid if |status| is SUCCESSFUL. |certs| is only valid | |
| 168 // if |has_certs| is true. | |
| 169 // | |
| 170 // OCSPResponse ::= SEQUENCE { | |
| 171 // responseStatus OCSPResponseStatus, | |
| 172 // responseBytes [0] EXPLICIT ResponseBytes OPTIONAL | |
| 173 // } | |
| 174 // | |
| 175 // ResponseBytes ::= SEQUENCE { | |
| 176 // responseType OBJECT IDENTIFIER, | |
| 177 // response OCTET STRING | |
| 178 // } | |
| 179 // | |
| 180 // BasicOCSPResponse ::= SEQUENCE { | |
| 181 // tbsResponseData ResponseData, | |
| 182 // signatureAlgorithm AlgorithmIdentifier, | |
| 183 // signature BIT STRING, | |
| 184 // certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL | |
| 185 // } | |
| 186 // | |
| 187 // OCSPResponseStatus ::= ENUMERATED { | |
| 188 // successful (0), -- Response has valid confirmations | |
| 189 // malformedRequest (1), -- Illegal confirmation request | |
| 190 // internalError (2), -- Internal error in issuer | |
| 191 // tryLater (3), -- Try again later | |
| 192 // -- (4) is not used | |
| 193 // sigRequired (5), -- Must sign the request | |
| 194 // unauthorized (6) -- Request unauthorized | |
| 195 // } | |
| 196 struct NET_EXPORT OCSPResponse { | |
| 197 // Correspond to the values of OCSPResponseStatus | |
| 198 enum class ResponseStatus { | |
| 199 SUCCESSFUL = 0, | |
| 200 MALFORMED_REQUEST = 1, | |
| 201 INTERNAL_ERROR = 2, | |
| 202 TRY_LATER = 3, | |
| 203 UNUSED = 4, | |
| 204 SIG_REQUIRED = 5, | |
| 205 UNAUTHORIZED = 6, | |
| 206 | |
| 207 LAST = UNAUTHORIZED, | |
| 208 }; | |
| 209 | |
| 210 OCSPResponse(); | |
| 211 ~OCSPResponse(); | |
| 212 | |
| 213 ResponseStatus status; | |
| 214 der::Input data; | |
| 215 std::unique_ptr<SignatureAlgorithm> signature_algorithm; | |
| 216 der::BitString signature; | |
| 217 bool has_certs; | |
| 218 std::vector<der::Input> certs; | |
| 219 }; | |
| 220 | |
| 221 // From RFC 6960: | |
| 222 // | |
| 223 // id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | |
| 224 // id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | |
| 225 // | |
| 226 // In dotted notation: 1.3.6.1.5.5.7.48.1.1 | |
| 227 NET_EXPORT der::Input BasicOCSPResponseOid(); | |
| 228 | |
| 229 // Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on | |
| 230 // success and sets the results in |out|. | |
| 231 // | |
| 232 // On failure |out| has an undefined state. Some of its fields may have been | |
| 233 // updated during parsing, whereas others may not have been changed. | |
| 234 NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv, | |
| 235 OCSPCertID* out); | |
| 236 | |
| 237 // Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns | |
| 238 // true on success and sets the results in |out|. The resulting |out| | |
| 239 // references data from |raw_tlv| and is only valid for the lifetime of | |
| 240 // |raw_tlv|. | |
| 241 // | |
| 242 // On failure |out| has an undefined state. Some of its fields may have been | |
| 243 // updated during parsing, whereas others may not have been changed. | |
| 244 NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv, | |
| 245 OCSPSingleResponse* out); | |
| 246 | |
| 247 // Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns | |
| 248 // true on success and sets the results in |out|. The resulting |out| | |
| 249 // references data from |raw_tlv| and is only valid for the lifetime of | |
| 250 // |raw_tlv|. | |
| 251 // | |
| 252 // On failure |out| has an undefined state. Some of its fields may have been | |
| 253 // updated during parsing, whereas others may not have been changed. | |
| 254 NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv, | |
| 255 OCSPResponseData* out); | |
| 256 | |
| 257 // Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true | |
| 258 // on success and sets the results in |out|. The resulting |out| | |
| 259 // references data from |raw_tlv| and is only valid for the lifetime of | |
| 260 // |raw_tlv|. | |
| 261 // | |
| 262 // On failure |out| has an undefined state. Some of its fields may have been | |
| 263 // updated during parsing, whereas others may not have been changed. | |
| 264 NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, | |
| 265 OCSPResponse* out); | |
| 266 | |
| 267 // Checks the certificate status of |cert| based on the OCSPResponseData | |
| 268 // |response_data| and issuer |issuer| and sets the results in |out|. In the | |
| 269 // case that there are multiple responses for a given certificate, as a result | |
| 270 // of caching or performance (RFC 6960, 4.2.2.3), the strictest response is | |
| 271 // returned (REVOKED > UNKNOWN > GOOD). | |
| 272 // | |
| 273 // On failure |out| has an undefined state. Some of its fields may have been | |
| 274 // updated during parsing, whereas others may not have been changed. | |
| 275 NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data, | |
| 276 const ParsedCertificate& issuer, | |
| 277 const ParsedCertificate& cert, | |
| 278 OCSPCertStatus* out); | |
| 279 | |
| 280 } // namespace net | |
| 281 | |
| 282 #endif // NET_CERT_INTERNAL_PARSE_OCSP_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1849773002:
Adding OCSP Verification
Base URL: https://chromium.googlesource.com/chromium/src.git@master