#
# This file is part of pyasn1-modules software.
#
# Copyright (c) 2005-2017, Ilya Etingof <etingof@gmail.com>
# License: http://pyasn1.sf.net/license.html
#
# OCSP request/response syntax
#
# Derived from a minimal OCSP library (RFC2560) code written by
# Bud P. Bruegger <bud@ancitel.it>
# Copyright: Ancitel, S.p.a, Rome, Italy
# License: BSD
#

#
# current limitations:
# * request and response works only for a single certificate
# * only some values are parsed out of the response
# * the request doesn't set a nonce nor signature
# * there is no signature validation of the response
# * dates are left as strings in GeneralizedTime format -- datetime.datetime
#   would be nicer
#
# This module only declares the ASN.1 syntax (pyasn1 schema objects) of
# OCSP requests and responses. Nothing here verifies a signature, checks a
# nonce, compares thisUpdate/nextUpdate against the current time, or chains
# the certificates carried in a response -- all of that is left to the caller.
#
from pyasn1.type import tag, namedtype, namedval, univ, useful
from pyasn1_modules import rfc2459


# Start of OCSP module definitions

# This should be in directory Authentication Framework (X.509) module

# Reason a certificate was revoked, as an ENUMERATED value.
# Note that no name is bound to value 7 in the list below.
class CRLReason(univ.Enumerated):
    namedValues = namedval.NamedValues(
        ('unspecified', 0),
        ('keyCompromise', 1),
        ('cACompromise', 2),
        ('affiliationChanged', 3),
        ('superseded', 4),
        ('cessationOfOperation', 5),
        ('certificateHold', 6),
        ('removeFromCRL', 8),
        ('privilegeWithdrawn', 9),
        ('aACompromise', 10)
    )


# end of directory Authentication Framework (X.509) module

# This should be in PKIX Certificate Extensions module

# Placeholder: GeneralName is modelled here as a plain OCTET STRING.
# NOTE(review): rfc2459 (imported above) carries its own GeneralName, which
# is a CHOICE; decoding a TBSRequest whose requestorName holds a real
# GeneralName against this OCTET STRING stub may fail -- confirm before
# relying on the requestorName field.
class GeneralName(univ.OctetString):
    pass


# end of PKIX Certificate Extensions module

# Object identifiers used by OCSP.
# id_kp_OCSPSigning lives under the extended-key-usage arc 1.3.6.1.5.5.7.3;
# the remaining identifiers are id-pkix-ocsp (1.3.6.1.5.5.7.48.1) and its
# sub-arcs.
id_kp_OCSPSigning = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 3, 9))
id_pkix_ocsp = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1))
id_pkix_ocsp_basic = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 1))
# Nonce extension OID. Declared only; per the limitations above, requests
# built from this module do not set a nonce.
id_pkix_ocsp_nonce = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 2))
id_pkix_ocsp_crl = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 3))
id_pkix_ocsp_response = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 4))
id_pkix_ocsp_nocheck = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 5))
id_pkix_ocsp_archive_cutoff = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 6))
id_pkix_ocsp_service_locator = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 7))


# SEQUENCE OF OBJECT IDENTIFIER: the response types a requester accepts.
class AcceptableResponses(univ.SequenceOf):
    componentType = univ.ObjectIdentifier()


# GeneralizedTime value of the archive-cutoff extension.
class ArchiveCutoff(useful.GeneralizedTime):
    pass


# NULL payload of the 'unknown' certificate status.
class UnknownInfo(univ.Null):
    pass


# Details of a revoked certificate: the revocation time plus an optional
# reason, the latter EXPLICITly tagged [0].
class RevokedInfo(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('revocationTime', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('revocationReason', CRLReason().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


# Identifies the certificate a request or response refers to: the hash
# algorithm, hashes of the issuer's name and key, and the serial number.
# The two hash fields are opaque OCTET STRINGs here; no length check
# against hashAlgorithm is performed by this schema.
class CertID(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('hashAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('issuerNameHash', univ.OctetString()),
        namedtype.NamedType('issuerKeyHash', univ.OctetString()),
        namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber())
    )


# CHOICE of certificate status. All three alternatives are IMPLICITly
# tagged: [0] good (NULL), [1] revoked (RevokedInfo), [2] unknown (UnknownInfo).
class CertStatus(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('good',
                            univ.Null().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('revoked',
                            RevokedInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('unknown',
                            UnknownInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


# Status of one certificate inside a response. nextUpdate ([0]) and
# singleExtensions ([1]) are OPTIONAL and EXPLICITly tagged. The
# thisUpdate/nextUpdate values stay as GeneralizedTime strings (see the
# limitations above); freshness checks are the caller's job.
class SingleResponse(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('certID', CertID()),
        namedtype.NamedType('certStatus', CertStatus()),
        namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


# OCTET STRING holding a key hash used to identify the responder by key.
class KeyHash(univ.OctetString):
    pass


# Identifies the responder either by name ([1] EXPLICIT Name) or by
# key hash ([2] EXPLICIT KeyHash).
class ResponderID(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('byName',
                            rfc2459.Name().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('byKey',
                            KeyHash().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


# INTEGER version field; only v1 (0) is named.
class Version(univ.Integer):
    namedValues = namedval.NamedValues(('v1', 0))


# The signed portion of a basic OCSP response. version ([0]) DEFAULTs to v1;
# responseExtensions ([1]) is OPTIONAL; both are EXPLICITly tagged.
class ResponseData(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', Version('v1').subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('responderID', ResponderID()),
        namedtype.NamedType('producedAt', useful.GeneralizedTime()),
        namedtype.NamedType('responses', univ.SequenceOf(componentType=SingleResponse())),
        namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


# Basic response: tbsResponseData, the signature algorithm, the signature
# BIT STRING and an OPTIONAL [0] EXPLICIT SEQUENCE OF Certificate. The
# signature is carried only -- per the limitations above it is not
# verified here, and the 'certs' are not validated or chained by this module.
class BasicOCSPResponse(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsResponseData', ResponseData()),
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


# Type-tagged opaque response: an OBJECT IDENTIFIER naming the response
# type and the encoded response as an OCTET STRING. The inner bytes are not
# decoded by this schema; presumably a responseType of id_pkix_ocsp_basic
# means the caller decodes 'response' as BasicOCSPResponse -- verify against
# the caller.
class ResponseBytes(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseType', univ.ObjectIdentifier()),
        namedtype.NamedType('response', univ.OctetString())
    )


# Top-level response status ENUMERATED.
class OCSPResponseStatus(univ.Enumerated):
    namedValues = namedval.NamedValues(
        ('successful', 0),
        ('malformedRequest', 1),
        ('internalError', 2),
        ('tryLater', 3),
        ('undefinedStatus', 4),  # should never occur
        ('sigRequired', 5),
        ('unauthorized', 6)
    )


# Outer OCSP response envelope: a status and, OPTIONALly, the
# [0] EXPLICIT ResponseBytes.
class OCSPResponse(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseStatus', OCSPResponseStatus()),
        namedtype.OptionalNamedType('responseBytes', ResponseBytes().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


# One certificate query: the CertID plus OPTIONAL [0] EXPLICIT extensions.
class Request(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('reqCert', CertID()),
        namedtype.OptionalNamedType('singleRequestExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


# Optional request signature: algorithm, signature BIT STRING and an
# OPTIONAL [0] EXPLICIT SEQUENCE OF Certificate. Same shape as the
# trailing fields of BasicOCSPResponse.
class Signature(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


# The to-be-signed request body. version ([0]) DEFAULTs to v1;
# requestorName ([1]) and requestExtensions ([2]) are OPTIONAL; all
# EXPLICITly tagged. requestList is a SEQUENCE OF Request.
class TBSRequest(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', Version('v1').subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('requestorName', GeneralName().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())),
        namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


# Outer OCSP request envelope: the TBSRequest and an OPTIONAL
# [0] EXPLICIT Signature.
class OCSPRequest(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsRequest', TBSRequest()),
        namedtype.OptionalNamedType('optionalSignature', Signature().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )