#
# This file is part of pyasn1-modules software.
#
# Copyright (c) 2005-2019, Ilya Etingof <etingof@gmail.com>
# License: http://snmplabs.com/pyasn1/license.html
#
# OCSP request/response syntax
#
# Derived from a minimal OCSP library (RFC2560) code written by
# Bud P. Bruegger <bud@ancitel.it>
# Copyright: Ancitel, S.p.a, Rome, Italy
# License: BSD
#

#
# current limitations:
# * request and response work only for a single certificate
# * only some values are parsed out of the response
# * the request doesn't set a nonce nor signature
# * there is no signature validation of the response
# * dates are left as strings in GeneralizedTime format -- datetime.datetime
#   would be nicer
#
"""ASN.1 syntax for OCSP requests and responses (RFC 2560), built on pyasn1.

This module only declares the wire structures; it does not build, send,
verify or trust-evaluate anything. In particular (see the limitations
above) no signature over a response is checked here, so a decoded
``BasicOCSPResponse`` tells the caller nothing reliable about a
certificate until ``signature`` has been verified against a responder key
the caller already trusts.
"""
from pyasn1.type import namedtype
from pyasn1.type import namedval
from pyasn1.type import tag
from pyasn1.type import univ
from pyasn1.type import useful

from pyasn1_modules import rfc2459


# Start of OCSP module definitions

# This should be in directory Authentication Framework (X.509) module

class CRLReason(univ.Enumerated):
    """Reason code attached to a revoked entry (X.509 CRLReason).

    Carried in ``RevokedInfo.revocationReason``. There is deliberately no
    value 7, matching the X.509 definition.
    """
    namedValues = namedval.NamedValues(
        ('unspecified', 0),
        ('keyCompromise', 1),
        ('cACompromise', 2),
        ('affiliationChanged', 3),
        ('superseded', 4),
        ('cessationOfOperation', 5),
        ('certificateHold', 6),
        ('removeFromCRL', 8),
        ('privilegeWithdrawn', 9),
        ('aACompromise', 10)
    )


# end of directory Authentication Framework (X.509) module

# This should be in PKIX Certificate Extensions module

class GeneralName(univ.OctetString):
    """Placeholder for the PKIX GeneralName CHOICE.

    NOTE(review): modelled as an opaque OCTET STRING, so
    ``TBSRequest.requestorName`` is neither parsed into its alternatives
    nor validated; consider ``rfc2459.GeneralName`` if that field is ever
    inspected.
    """
    pass


# end of PKIX Certificate Extensions module

# Object identifiers from RFC 2560.
# Extended key usage that marks a certificate as allowed to sign OCSP
# responses (id-kp-OCSPSigning).
id_kp_OCSPSigning = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 3, 9))
# id-pkix-ocsp arc and the OIDs registered beneath it.
id_pkix_ocsp = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1))
# responseType announcing a DER-encoded BasicOCSPResponse in
# ResponseBytes.response.
id_pkix_ocsp_basic = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 1))
# Nonce extension: binds a response to the request that triggered it
# (replay protection). Per the limitations above this module's request
# does not set one.
id_pkix_ocsp_nonce = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 2))
# CRL references extension.
id_pkix_ocsp_crl = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 3))
# Acceptable response types extension (value type: AcceptableResponses).
id_pkix_ocsp_response = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 4))
# Marks a responder certificate as exempt from revocation checking.
id_pkix_ocsp_nocheck = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 5))
# Archive cutoff extension (value type: ArchiveCutoff).
id_pkix_ocsp_archive_cutoff = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 6))
# Service locator extension.
id_pkix_ocsp_service_locator = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 7))


class AcceptableResponses(univ.SequenceOf):
    """Value of the id-pkix-ocsp-response extension: a list of response type OIDs."""
    componentType = univ.ObjectIdentifier()


class ArchiveCutoff(useful.GeneralizedTime):
    """Value of the id-pkix-ocsp-archive-cutoff extension (a GeneralizedTime)."""
    pass


class UnknownInfo(univ.Null):
    """Payload of CertStatus.unknown; carries no data."""
    pass


class RevokedInfo(univ.Sequence):
    """Payload of CertStatus.revoked: when, and optionally why, the certificate was revoked."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('revocationTime', useful.GeneralizedTime()),
        # [0] EXPLICIT CRLReason OPTIONAL
        namedtype.OptionalNamedType('revocationReason', CRLReason().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class CertID(univ.Sequence):
    """Identifies the certificate a request or single response refers to.

    issuerNameHash and issuerKeyHash are digests computed with
    hashAlgorithm (RFC 2560); serialNumber is the certificate's serial.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('hashAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('issuerNameHash', univ.OctetString()),
        namedtype.NamedType('issuerKeyHash', univ.OctetString()),
        namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber())
    )


class CertStatus(univ.Choice):
    """Revocation status of one certificate: good / revoked / unknown.

    The RFC 2560 module uses EXPLICIT tagging by default, but declares
    these three alternatives IMPLICIT; hence implicitTag here while the
    rest of this file uses explicitTag.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('good',
                            univ.Null().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('revoked',
                            RevokedInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('unknown',
                            UnknownInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class SingleResponse(univ.Sequence):
    """Status of a single certificate inside ResponseData.responses.

    thisUpdate/nextUpdate stay GeneralizedTime strings (see limitations
    above); callers comparing them against the current time must parse
    them first.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('certID', CertID()),
        namedtype.NamedType('certStatus', CertStatus()),
        namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
        # [0] EXPLICIT GeneralizedTime OPTIONAL
        namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        # [1] EXPLICIT Extensions OPTIONAL
        namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


class KeyHash(univ.OctetString):
    """Hash of the responder's public key, used by ResponderID.byKey (RFC 2560)."""
    pass


class ResponderID(univ.Choice):
    """Identifies the responder either by distinguished name or by key hash."""
    componentType = namedtype.NamedTypes(
        # [1] EXPLICIT Name
        namedtype.NamedType('byName',
                            rfc2459.Name().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        # [2] EXPLICIT KeyHash
        namedtype.NamedType('byKey',
                            KeyHash().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class Version(univ.Integer):
    """Protocol version; only v1 (0) is defined."""
    namedValues = namedval.NamedValues(('v1', 0))


class ResponseData(univ.Sequence):
    """The to-be-signed part of a BasicOCSPResponse."""
    componentType = namedtype.NamedTypes(
        # [0] EXPLICIT Version DEFAULT v1
        namedtype.DefaultedNamedType('version', Version('v1').subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('responderID', ResponderID()),
        namedtype.NamedType('producedAt', useful.GeneralizedTime()),
        namedtype.NamedType('responses', univ.SequenceOf(componentType=SingleResponse())),
        # [1] EXPLICIT Extensions OPTIONAL
        namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


class BasicOCSPResponse(univ.Sequence):
    """Signed OCSP response body (responseType id-pkix-ocsp-basic).

    Per RFC 2560 ``signature`` is computed over the DER encoding of
    ``tbsResponseData``. Nothing in this module verifies it, and the
    optional ``certs`` are supplied by the responder itself, so they must
    be chained to a trusted anchor (and, for delegated responders, carry
    id_kp_OCSPSigning) before they are used to check the signature.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsResponseData', ResponseData()),
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        # [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
        namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class ResponseBytes(univ.Sequence):
    """Typed envelope inside OCSPResponse.

    ``responseType`` selects the encoding of ``response``; for
    id_pkix_ocsp_basic the OCTET STRING holds a DER-encoded
    BasicOCSPResponse that must be decoded separately.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseType', univ.ObjectIdentifier()),
        namedtype.NamedType('response', univ.OctetString())
    )
class OCSPResponseStatus(univ.Enumerated):
    """Top-level outcome of an OCSP exchange.

    Value 4 is not assigned by RFC 2560; it is listed here only so the
    enumeration has no gap.
    """
    namedValues = namedval.NamedValues(
        ('successful', 0),
        ('malformedRequest', 1),
        ('internalError', 2),
        ('tryLater', 3),
        ('undefinedStatus', 4),  # should never occur
        ('sigRequired', 5),
        ('unauthorized', 6)
    )


class OCSPResponse(univ.Sequence):
    """Outer OCSP response.

    ``responseBytes`` is optional; it is normally present only when
    ``responseStatus`` is 'successful', so callers should check the status
    before trying to decode it.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseStatus', OCSPResponseStatus()),
        # [0] EXPLICIT ResponseBytes OPTIONAL
        namedtype.OptionalNamedType('responseBytes', ResponseBytes().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class Request(univ.Sequence):
    """One certificate query inside TBSRequest.requestList."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('reqCert', CertID()),
        # [0] EXPLICIT Extensions OPTIONAL
        namedtype.OptionalNamedType('singleRequestExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class Signature(univ.Sequence):
    """Optional signature over an OCSP request (OCSPRequest.optionalSignature).

    Per RFC 2560 the signature covers the DER encoding of ``tbsRequest``;
    the limitations above note that this module's request does not set one.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        # [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
        namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class TBSRequest(univ.Sequence):
    """The to-be-signed part of an OCSPRequest.

    ``requestorName`` uses this module's opaque GeneralName placeholder
    (an OCTET STRING), so it is carried but not parsed.
    """
    componentType = namedtype.NamedTypes(
        # [0] EXPLICIT Version DEFAULT v1
        namedtype.DefaultedNamedType('version', Version('v1').subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        # [1] EXPLICIT GeneralName OPTIONAL
        namedtype.OptionalNamedType('requestorName', GeneralName().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())),
        # [2] EXPLICIT Extensions OPTIONAL
        namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class OCSPRequest(univ.Sequence):
    """Outer OCSP request: the to-be-signed body plus an optional signature."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsRequest', TBSRequest()),
        # [0] EXPLICIT Signature OPTIONAL
        namedtype.OptionalNamedType('optionalSignature', Signature().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )