1// Copyright 2013 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses 6// are signed messages attesting to the validity of a certificate for a small 7// period of time. This is used to manage revocation for X.509 certificates. 8package ocsp // import "golang.org/x/crypto/ocsp" 9 10import ( 11 "crypto" 12 "crypto/ecdsa" 13 "crypto/elliptic" 14 "crypto/rand" 15 "crypto/rsa" 16 _ "crypto/sha1" 17 _ "crypto/sha256" 18 _ "crypto/sha512" 19 "crypto/x509" 20 "crypto/x509/pkix" 21 "encoding/asn1" 22 "errors" 23 "fmt" 24 "math/big" 25 "strconv" 26 "time" 27) 28 29var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}) 30 31// ResponseStatus contains the result of an OCSP request. See 32// https://tools.ietf.org/html/rfc6960#section-2.3 33type ResponseStatus int 34 35const ( 36 Success ResponseStatus = 0 37 Malformed ResponseStatus = 1 38 InternalError ResponseStatus = 2 39 TryLater ResponseStatus = 3 40 // Status code four is unused in OCSP. See 41 // https://tools.ietf.org/html/rfc6960#section-4.2.1 42 SignatureRequired ResponseStatus = 5 43 Unauthorized ResponseStatus = 6 44) 45 46func (r ResponseStatus) String() string { 47 switch r { 48 case Success: 49 return "success" 50 case Malformed: 51 return "malformed" 52 case InternalError: 53 return "internal error" 54 case TryLater: 55 return "try later" 56 case SignatureRequired: 57 return "signature required" 58 case Unauthorized: 59 return "unauthorized" 60 default: 61 return "unknown OCSP status: " + strconv.Itoa(int(r)) 62 } 63} 64 65// ResponseError is an error that may be returned by ParseResponse to indicate 66// that the response itself is an error, not just that it's indicating that a 67// certificate is revoked, unknown, etc. 68type ResponseError struct { 69 Status ResponseStatus 70} 71 72func (r ResponseError) Error() string { 73 return "ocsp: error from server: " + r.Status.String() 74} 75 76// These are internal structures that reflect the ASN.1 structure of an OCSP 77// response. See RFC 2560, section 4.2. 78 79type certID struct { 80 HashAlgorithm pkix.AlgorithmIdentifier 81 NameHash []byte 82 IssuerKeyHash []byte 83 SerialNumber *big.Int 84} 85 86// https://tools.ietf.org/html/rfc2560#section-4.1.1 87type ocspRequest struct { 88 TBSRequest tbsRequest 89} 90 91type tbsRequest struct { 92 Version int `asn1:"explicit,tag:0,default:0,optional"` 93 RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"` 94 RequestList []request 95} 96 97type request struct { 98 Cert certID 99} 100 101type responseASN1 struct { 102 Status asn1.Enumerated 103 Response responseBytes `asn1:"explicit,tag:0,optional"` 104} 105 106type responseBytes struct { 107 ResponseType asn1.ObjectIdentifier 108 Response []byte 109} 110 111type basicResponse struct { 112 TBSResponseData responseData 113 SignatureAlgorithm pkix.AlgorithmIdentifier 114 Signature asn1.BitString 115 Certificates []asn1.RawValue `asn1:"explicit,tag:0,optional"` 116} 117 118type responseData struct { 119 Raw asn1.RawContent 120 Version int `asn1:"optional,default:0,explicit,tag:0"` 121 RawResponderID asn1.RawValue 122 ProducedAt time.Time `asn1:"generalized"` 123 Responses []singleResponse 124} 125 126type singleResponse struct { 127 CertID certID 128 Good asn1.Flag `asn1:"tag:0,optional"` 129 Revoked revokedInfo `asn1:"tag:1,optional"` 130 Unknown asn1.Flag `asn1:"tag:2,optional"` 131 ThisUpdate time.Time `asn1:"generalized"` 132 NextUpdate time.Time `asn1:"generalized,explicit,tag:0,optional"` 133 SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` 134} 135 136type revokedInfo struct { 137 RevocationTime time.Time `asn1:"generalized"` 138 Reason asn1.Enumerated `asn1:"explicit,tag:0,optional"` 139} 140 141var ( 142 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} 143 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} 144 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} 145 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} 146 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} 147 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} 148 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} 149 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2} 150 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} 151 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} 152 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} 153 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} 154) 155 156var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{ 157 crypto.SHA1: asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}), 158 crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}), 159 crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}), 160 crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}), 161} 162 163// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below 164var signatureAlgorithmDetails = []struct { 165 algo x509.SignatureAlgorithm 166 oid asn1.ObjectIdentifier 167 pubKeyAlgo x509.PublicKeyAlgorithm 168 hash crypto.Hash 169}{ 170 {x509.MD2WithRSA, oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */}, 171 {x509.MD5WithRSA, oidSignatureMD5WithRSA, x509.RSA, crypto.MD5}, 172 {x509.SHA1WithRSA, oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1}, 173 {x509.SHA256WithRSA, oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256}, 174 {x509.SHA384WithRSA, oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384}, 175 {x509.SHA512WithRSA, oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512}, 176 {x509.DSAWithSHA1, oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1}, 177 {x509.DSAWithSHA256, oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256}, 178 {x509.ECDSAWithSHA1, oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1}, 179 {x509.ECDSAWithSHA256, oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256}, 180 {x509.ECDSAWithSHA384, oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384}, 181 {x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512}, 182} 183 184// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below 185func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) { 186 var pubType x509.PublicKeyAlgorithm 187 188 switch pub := pub.(type) { 189 case *rsa.PublicKey: 190 pubType = x509.RSA 191 hashFunc = crypto.SHA256 192 sigAlgo.Algorithm = oidSignatureSHA256WithRSA 193 sigAlgo.Parameters = asn1.RawValue{ 194 Tag: 5, 195 } 196 197 case *ecdsa.PublicKey: 198 pubType = x509.ECDSA 199 200 switch pub.Curve { 201 case elliptic.P224(), elliptic.P256(): 202 hashFunc = crypto.SHA256 203 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256 204 case elliptic.P384(): 205 hashFunc = crypto.SHA384 206 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 207 case elliptic.P521(): 208 hashFunc = crypto.SHA512 209 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 210 default: 211 err = errors.New("x509: unknown elliptic curve") 212 } 213 214 default: 215 err = errors.New("x509: only RSA and ECDSA keys supported") 216 } 217 218 if err != nil { 219 return 220 } 221 222 if requestedSigAlgo == 0 { 223 return 224 } 225 226 found := false 227 for _, details := range signatureAlgorithmDetails { 228 if details.algo == requestedSigAlgo { 229 if details.pubKeyAlgo != pubType { 230 err = errors.New("x509: requested SignatureAlgorithm does not match private key type") 231 return 232 } 233 sigAlgo.Algorithm, hashFunc = details.oid, details.hash 234 if hashFunc == 0 { 235 err = errors.New("x509: cannot sign with hash function requested") 236 return 237 } 238 found = true 239 break 240 } 241 } 242 243 if !found { 244 err = errors.New("x509: unknown SignatureAlgorithm") 245 } 246 247 return 248} 249 250// TODO(agl): this is taken from crypto/x509 and so should probably be exported 251// from crypto/x509 or crypto/x509/pkix. 252func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm { 253 for _, details := range signatureAlgorithmDetails { 254 if oid.Equal(details.oid) { 255 return details.algo 256 } 257 } 258 return x509.UnknownSignatureAlgorithm 259} 260 261// TODO(rlb): This is not taken from crypto/x509, but it's of the same general form. 262func getHashAlgorithmFromOID(target asn1.ObjectIdentifier) crypto.Hash { 263 for hash, oid := range hashOIDs { 264 if oid.Equal(target) { 265 return hash 266 } 267 } 268 return crypto.Hash(0) 269} 270 271func getOIDFromHashAlgorithm(target crypto.Hash) asn1.ObjectIdentifier { 272 for hash, oid := range hashOIDs { 273 if hash == target { 274 return oid 275 } 276 } 277 return nil 278} 279 280// This is the exposed reflection of the internal OCSP structures. 281 282// The status values that can be expressed in OCSP. See RFC 6960. 283const ( 284 // Good means that the certificate is valid. 285 Good = iota 286 // Revoked means that the certificate has been deliberately revoked. 287 Revoked 288 // Unknown means that the OCSP responder doesn't know about the certificate. 289 Unknown 290 // ServerFailed is unused and was never used (see 291 // https://go-review.googlesource.com/#/c/18944). ParseResponse will 292 // return a ResponseError when an error response is parsed. 293 ServerFailed 294) 295 296// The enumerated reasons for revoking a certificate. See RFC 5280. 297const ( 298 Unspecified = 0 299 KeyCompromise = 1 300 CACompromise = 2 301 AffiliationChanged = 3 302 Superseded = 4 303 CessationOfOperation = 5 304 CertificateHold = 6 305 306 RemoveFromCRL = 8 307 PrivilegeWithdrawn = 9 308 AACompromise = 10 309) 310 311// Request represents an OCSP request. See RFC 6960. 312type Request struct { 313 HashAlgorithm crypto.Hash 314 IssuerNameHash []byte 315 IssuerKeyHash []byte 316 SerialNumber *big.Int 317} 318 319// Marshal marshals the OCSP request to ASN.1 DER encoded form. 320func (req *Request) Marshal() ([]byte, error) { 321 hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm) 322 if hashAlg == nil { 323 return nil, errors.New("Unknown hash algorithm") 324 } 325 return asn1.Marshal(ocspRequest{ 326 tbsRequest{ 327 Version: 0, 328 RequestList: []request{ 329 { 330 Cert: certID{ 331 pkix.AlgorithmIdentifier{ 332 Algorithm: hashAlg, 333 Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */}, 334 }, 335 req.IssuerNameHash, 336 req.IssuerKeyHash, 337 req.SerialNumber, 338 }, 339 }, 340 }, 341 }, 342 }) 343} 344 345// Response represents an OCSP response containing a single SingleResponse. See 346// RFC 6960. 347type Response struct { 348 // Status is one of {Good, Revoked, Unknown} 349 Status int 350 SerialNumber *big.Int 351 ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time 352 RevocationReason int 353 Certificate *x509.Certificate 354 // TBSResponseData contains the raw bytes of the signed response. If 355 // Certificate is nil then this can be used to verify Signature. 356 TBSResponseData []byte 357 Signature []byte 358 SignatureAlgorithm x509.SignatureAlgorithm 359 360 // IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash. 361 // Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512. 362 // If zero, the default is crypto.SHA1. 363 IssuerHash crypto.Hash 364 365 // RawResponderName optionally contains the DER-encoded subject of the 366 // responder certificate. Exactly one of RawResponderName and 367 // ResponderKeyHash is set. 368 RawResponderName []byte 369 // ResponderKeyHash optionally contains the SHA-1 hash of the 370 // responder's public key. Exactly one of RawResponderName and 371 // ResponderKeyHash is set. 372 ResponderKeyHash []byte 373 374 // Extensions contains raw X.509 extensions from the singleExtensions field 375 // of the OCSP response. When parsing certificates, this can be used to 376 // extract non-critical extensions that are not parsed by this package. When 377 // marshaling OCSP responses, the Extensions field is ignored, see 378 // ExtraExtensions. 379 Extensions []pkix.Extension 380 381 // ExtraExtensions contains extensions to be copied, raw, into any marshaled 382 // OCSP response (in the singleExtensions field). Values override any 383 // extensions that would otherwise be produced based on the other fields. The 384 // ExtraExtensions field is not populated when parsing certificates, see 385 // Extensions. 386 ExtraExtensions []pkix.Extension 387} 388 389// These are pre-serialized error responses for the various non-success codes 390// defined by OCSP. The Unauthorized code in particular can be used by an OCSP 391// responder that supports only pre-signed responses as a response to requests 392// for certificates with unknown status. See RFC 5019. 393var ( 394 MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01} 395 InternalErrorErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x02} 396 TryLaterErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x03} 397 SigRequredErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x05} 398 UnauthorizedErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x06} 399) 400 401// CheckSignatureFrom checks that the signature in resp is a valid signature 402// from issuer. This should only be used if resp.Certificate is nil. Otherwise, 403// the OCSP response contained an intermediate certificate that created the 404// signature. That signature is checked by ParseResponse and only 405// resp.Certificate remains to be validated. 406func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error { 407 return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature) 408} 409 410// ParseError results from an invalid OCSP response. 411type ParseError string 412 413func (p ParseError) Error() string { 414 return string(p) 415} 416 417// ParseRequest parses an OCSP request in DER form. It only supports 418// requests for a single certificate. Signed requests are not supported. 419// If a request includes a signature, it will result in a ParseError. 420func ParseRequest(bytes []byte) (*Request, error) { 421 var req ocspRequest 422 rest, err := asn1.Unmarshal(bytes, &req) 423 if err != nil { 424 return nil, err 425 } 426 if len(rest) > 0 { 427 return nil, ParseError("trailing data in OCSP request") 428 } 429 430 if len(req.TBSRequest.RequestList) == 0 { 431 return nil, ParseError("OCSP request contains no request body") 432 } 433 innerRequest := req.TBSRequest.RequestList[0] 434 435 hashFunc := getHashAlgorithmFromOID(innerRequest.Cert.HashAlgorithm.Algorithm) 436 if hashFunc == crypto.Hash(0) { 437 return nil, ParseError("OCSP request uses unknown hash function") 438 } 439 440 return &Request{ 441 HashAlgorithm: hashFunc, 442 IssuerNameHash: innerRequest.Cert.NameHash, 443 IssuerKeyHash: innerRequest.Cert.IssuerKeyHash, 444 SerialNumber: innerRequest.Cert.SerialNumber, 445 }, nil 446} 447 448// ParseResponse parses an OCSP response in DER form. It only supports 449// responses for a single certificate. If the response contains a certificate 450// then the signature over the response is checked. If issuer is not nil then 451// it will be used to validate the signature or embedded certificate. 452// 453// Invalid responses and parse failures will result in a ParseError. 454// Error responses will result in a ResponseError. 455func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) { 456 return ParseResponseForCert(bytes, nil, issuer) 457} 458 459// ParseResponseForCert parses an OCSP response in DER form and searches for a 460// Response relating to cert. If such a Response is found and the OCSP response 461// contains a certificate then the signature over the response is checked. If 462// issuer is not nil then it will be used to validate the signature or embedded 463// certificate. 464// 465// Invalid responses and parse failures will result in a ParseError. 466// Error responses will result in a ResponseError. 467func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) { 468 var resp responseASN1 469 rest, err := asn1.Unmarshal(bytes, &resp) 470 if err != nil { 471 return nil, err 472 } 473 if len(rest) > 0 { 474 return nil, ParseError("trailing data in OCSP response") 475 } 476 477 if status := ResponseStatus(resp.Status); status != Success { 478 return nil, ResponseError{status} 479 } 480 481 if !resp.Response.ResponseType.Equal(idPKIXOCSPBasic) { 482 return nil, ParseError("bad OCSP response type") 483 } 484 485 var basicResp basicResponse 486 rest, err = asn1.Unmarshal(resp.Response.Response, &basicResp) 487 if err != nil { 488 return nil, err 489 } 490 if len(rest) > 0 { 491 return nil, ParseError("trailing data in OCSP response") 492 } 493 494 if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 { 495 return nil, ParseError("OCSP response contains bad number of responses") 496 } 497 498 var singleResp singleResponse 499 if cert == nil { 500 singleResp = basicResp.TBSResponseData.Responses[0] 501 } else { 502 match := false 503 for _, resp := range basicResp.TBSResponseData.Responses { 504 if cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 { 505 singleResp = resp 506 match = true 507 break 508 } 509 } 510 if !match { 511 return nil, ParseError("no response matching the supplied certificate") 512 } 513 } 514 515 ret := &Response{ 516 TBSResponseData: basicResp.TBSResponseData.Raw, 517 Signature: basicResp.Signature.RightAlign(), 518 SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm), 519 Extensions: singleResp.SingleExtensions, 520 SerialNumber: singleResp.CertID.SerialNumber, 521 ProducedAt: basicResp.TBSResponseData.ProducedAt, 522 ThisUpdate: singleResp.ThisUpdate, 523 NextUpdate: singleResp.NextUpdate, 524 } 525 526 // Handle the ResponderID CHOICE tag. ResponderID can be flattened into 527 // TBSResponseData once https://go-review.googlesource.com/34503 has been 528 // released. 529 rawResponderID := basicResp.TBSResponseData.RawResponderID 530 switch rawResponderID.Tag { 531 case 1: // Name 532 var rdn pkix.RDNSequence 533 if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &rdn); err != nil || len(rest) != 0 { 534 return nil, ParseError("invalid responder name") 535 } 536 ret.RawResponderName = rawResponderID.Bytes 537 case 2: // KeyHash 538 if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &ret.ResponderKeyHash); err != nil || len(rest) != 0 { 539 return nil, ParseError("invalid responder key hash") 540 } 541 default: 542 return nil, ParseError("invalid responder id tag") 543 } 544 545 if len(basicResp.Certificates) > 0 { 546 // Responders should only send a single certificate (if they 547 // send any) that connects the responder's certificate to the 548 // original issuer. We accept responses with multiple 549 // certificates due to a number responders sending them[1], but 550 // ignore all but the first. 551 // 552 // [1] https://github.com/golang/go/issues/21527 553 ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes) 554 if err != nil { 555 return nil, err 556 } 557 558 if err := ret.CheckSignatureFrom(ret.Certificate); err != nil { 559 return nil, ParseError("bad signature on embedded certificate: " + err.Error()) 560 } 561 562 if issuer != nil { 563 if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil { 564 return nil, ParseError("bad OCSP signature: " + err.Error()) 565 } 566 } 567 } else if issuer != nil { 568 if err := ret.CheckSignatureFrom(issuer); err != nil { 569 return nil, ParseError("bad OCSP signature: " + err.Error()) 570 } 571 } 572 573 for _, ext := range singleResp.SingleExtensions { 574 if ext.Critical { 575 return nil, ParseError("unsupported critical extension") 576 } 577 } 578 579 for h, oid := range hashOIDs { 580 if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) { 581 ret.IssuerHash = h 582 break 583 } 584 } 585 if ret.IssuerHash == 0 { 586 return nil, ParseError("unsupported issuer hash algorithm") 587 } 588 589 switch { 590 case bool(singleResp.Good): 591 ret.Status = Good 592 case bool(singleResp.Unknown): 593 ret.Status = Unknown 594 default: 595 ret.Status = Revoked 596 ret.RevokedAt = singleResp.Revoked.RevocationTime 597 ret.RevocationReason = int(singleResp.Revoked.Reason) 598 } 599 600 return ret, nil 601} 602 603// RequestOptions contains options for constructing OCSP requests. 604type RequestOptions struct { 605 // Hash contains the hash function that should be used when 606 // constructing the OCSP request. If zero, SHA-1 will be used. 607 Hash crypto.Hash 608} 609 610func (opts *RequestOptions) hash() crypto.Hash { 611 if opts == nil || opts.Hash == 0 { 612 // SHA-1 is nearly universally used in OCSP. 613 return crypto.SHA1 614 } 615 return opts.Hash 616} 617 618// CreateRequest returns a DER-encoded, OCSP request for the status of cert. If 619// opts is nil then sensible defaults are used. 620func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error) { 621 hashFunc := opts.hash() 622 623 // OCSP seems to be the only place where these raw hash identifiers are 624 // used. I took the following from 625 // http://msdn.microsoft.com/en-us/library/ff635603.aspx 626 _, ok := hashOIDs[hashFunc] 627 if !ok { 628 return nil, x509.ErrUnsupportedAlgorithm 629 } 630 631 if !hashFunc.Available() { 632 return nil, x509.ErrUnsupportedAlgorithm 633 } 634 h := opts.hash().New() 635 636 var publicKeyInfo struct { 637 Algorithm pkix.AlgorithmIdentifier 638 PublicKey asn1.BitString 639 } 640 if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil { 641 return nil, err 642 } 643 644 h.Write(publicKeyInfo.PublicKey.RightAlign()) 645 issuerKeyHash := h.Sum(nil) 646 647 h.Reset() 648 h.Write(issuer.RawSubject) 649 issuerNameHash := h.Sum(nil) 650 651 req := &Request{ 652 HashAlgorithm: hashFunc, 653 IssuerNameHash: issuerNameHash, 654 IssuerKeyHash: issuerKeyHash, 655 SerialNumber: cert.SerialNumber, 656 } 657 return req.Marshal() 658} 659 660// CreateResponse returns a DER-encoded OCSP response with the specified contents. 661// The fields in the response are populated as follows: 662// 663// The responder cert is used to populate the responder's name field, and the 664// certificate itself is provided alongside the OCSP response signature. 665// 666// The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields. 667// 668// The template is used to populate the SerialNumber, Status, RevokedAt, 669// RevocationReason, ThisUpdate, and NextUpdate fields. 670// 671// If template.IssuerHash is not set, SHA1 will be used. 672// 673// The ProducedAt date is automatically set to the current date, to the nearest minute. 674func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) { 675 var publicKeyInfo struct { 676 Algorithm pkix.AlgorithmIdentifier 677 PublicKey asn1.BitString 678 } 679 if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil { 680 return nil, err 681 } 682 683 if template.IssuerHash == 0 { 684 template.IssuerHash = crypto.SHA1 685 } 686 hashOID := getOIDFromHashAlgorithm(template.IssuerHash) 687 if hashOID == nil { 688 return nil, errors.New("unsupported issuer hash algorithm") 689 } 690 691 if !template.IssuerHash.Available() { 692 return nil, fmt.Errorf("issuer hash algorithm %v not linked into binary", template.IssuerHash) 693 } 694 h := template.IssuerHash.New() 695 h.Write(publicKeyInfo.PublicKey.RightAlign()) 696 issuerKeyHash := h.Sum(nil) 697 698 h.Reset() 699 h.Write(issuer.RawSubject) 700 issuerNameHash := h.Sum(nil) 701 702 innerResponse := singleResponse{ 703 CertID: certID{ 704 HashAlgorithm: pkix.AlgorithmIdentifier{ 705 Algorithm: hashOID, 706 Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */}, 707 }, 708 NameHash: issuerNameHash, 709 IssuerKeyHash: issuerKeyHash, 710 SerialNumber: template.SerialNumber, 711 }, 712 ThisUpdate: template.ThisUpdate.UTC(), 713 NextUpdate: template.NextUpdate.UTC(), 714 SingleExtensions: template.ExtraExtensions, 715 } 716 717 switch template.Status { 718 case Good: 719 innerResponse.Good = true 720 case Unknown: 721 innerResponse.Unknown = true 722 case Revoked: 723 innerResponse.Revoked = revokedInfo{ 724 RevocationTime: template.RevokedAt.UTC(), 725 Reason: asn1.Enumerated(template.RevocationReason), 726 } 727 } 728 729 rawResponderID := asn1.RawValue{ 730 Class: 2, // context-specific 731 Tag: 1, // Name (explicit tag) 732 IsCompound: true, 733 Bytes: responderCert.RawSubject, 734 } 735 tbsResponseData := responseData{ 736 Version: 0, 737 RawResponderID: rawResponderID, 738 ProducedAt: time.Now().Truncate(time.Minute).UTC(), 739 Responses: []singleResponse{innerResponse}, 740 } 741 742 tbsResponseDataDER, err := asn1.Marshal(tbsResponseData) 743 if err != nil { 744 return nil, err 745 } 746 747 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm) 748 if err != nil { 749 return nil, err 750 } 751 752 responseHash := hashFunc.New() 753 responseHash.Write(tbsResponseDataDER) 754 signature, err := priv.Sign(rand.Reader, responseHash.Sum(nil), hashFunc) 755 if err != nil { 756 return nil, err 757 } 758 759 response := basicResponse{ 760 TBSResponseData: tbsResponseData, 761 SignatureAlgorithm: signatureAlgorithm, 762 Signature: asn1.BitString{ 763 Bytes: signature, 764 BitLength: 8 * len(signature), 765 }, 766 } 767 if template.Certificate != nil { 768 response.Certificates = []asn1.RawValue{ 769 {FullBytes: template.Certificate.Raw}, 770 } 771 } 772 responseDER, err := asn1.Marshal(response) 773 if err != nil { 774 return nil, err 775 } 776 777 return asn1.Marshal(responseASN1{ 778 Status: asn1.Enumerated(Success), 779 Response: responseBytes{ 780 ResponseType: idPKIXOCSPBasic, 781 Response: responseDER, 782 }, 783 }) 784} 785