#
# This file is part of pyasn1-modules software.
#
# Created by Russ Housley.
#
# Copyright (c) 2019, Vigil Security, LLC
# License: http://snmplabs.com/pyasn1/license.html
#
# Online Certificate Status Protocol (OCSP)
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc6960.txt
#
# NOTE(review): this module only describes the *structure* of OCSP messages
# so that pyasn1 can encode and decode them.  Nothing in this file verifies a
# 'signature' field, checks that a responder is authorized for the
# certificates it answers for, compares thisUpdate/nextUpdate/producedAt with
# the current time, or matches a request nonce against a response.  All of
# that is the caller's job; a response that decodes cleanly is still
# untrusted input.
#

from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful

from pyasn1_modules import rfc2560
from pyasn1_modules import rfc5280

# Not referenced in this module; kept so the public namespace is unchanged.
MAX = float('inf')


def _explicit_context(tag_number):
    """Build the EXPLICIT context-specific tag ``[tag_number]``.

    Every tagged component in RFC 6960 is EXPLICIT and context-specific, so
    the only thing that differs between them is the tag number.
    """
    return tag.Tag(tag.tagClassContext, tag.tagFormatSimple, tag_number)


def _tagged(component, tag_number):
    """Return ``component`` wrapped in the EXPLICIT context tag ``[tag_number]``."""
    return component.subtype(explicitTag=_explicit_context(tag_number))


# Imports from RFC 5280 -- re-exported under the names RFC 6960 uses.

AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
AuthorityInfoAccessSyntax = rfc5280.AuthorityInfoAccessSyntax
Certificate = rfc5280.Certificate
CertificateSerialNumber = rfc5280.CertificateSerialNumber
CRLReason = rfc5280.CRLReason
Extensions = rfc5280.Extensions
GeneralName = rfc5280.GeneralName
Name = rfc5280.Name

id_kp = rfc5280.id_kp

id_ad_ocsp = rfc5280.id_ad_ocsp


# Imports from the original OCSP module in RFC 2560 -- these structures are
# unchanged by RFC 6960, so they are re-exported rather than redefined.

AcceptableResponses = rfc2560.AcceptableResponses
ArchiveCutoff = rfc2560.ArchiveCutoff
CertStatus = rfc2560.CertStatus
KeyHash = rfc2560.KeyHash
OCSPResponse = rfc2560.OCSPResponse
OCSPResponseStatus = rfc2560.OCSPResponseStatus
ResponseBytes = rfc2560.ResponseBytes
RevokedInfo = rfc2560.RevokedInfo
UnknownInfo = rfc2560.UnknownInfo
Version = rfc2560.Version

id_kp_OCSPSigning = rfc2560.id_kp_OCSPSigning

id_pkix_ocsp = rfc2560.id_pkix_ocsp
id_pkix_ocsp_archive_cutoff = rfc2560.id_pkix_ocsp_archive_cutoff
id_pkix_ocsp_basic = rfc2560.id_pkix_ocsp_basic
id_pkix_ocsp_crl = rfc2560.id_pkix_ocsp_crl
id_pkix_ocsp_nocheck = rfc2560.id_pkix_ocsp_nocheck
id_pkix_ocsp_nonce = rfc2560.id_pkix_ocsp_nonce
id_pkix_ocsp_response = rfc2560.id_pkix_ocsp_response
id_pkix_ocsp_service_locator = rfc2560.id_pkix_ocsp_service_locator


# Additional object identifiers introduced by RFC 6960 (arcs 8 and 9 under
# id-pkix-ocsp; they do not exist in rfc2560).

id_pkix_ocsp_pref_sig_algs = id_pkix_ocsp + (8,)
id_pkix_ocsp_extended_revoke = id_pkix_ocsp + (9,)


# Updated structures (mostly to improve openTypes support)

class CertID(univ.Sequence):
    """Identifier of the certificate a request asks about / a response covers.

    ``hashAlgorithm`` names the digest used for ``issuerNameHash`` and
    ``issuerKeyHash``; the certificate itself is named only by
    ``serialNumber``.  Nothing here checks that the hashes are the right
    length for ``hashAlgorithm`` -- that is left to the consumer.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('hashAlgorithm', AlgorithmIdentifier()),
        namedtype.NamedType('issuerNameHash', univ.OctetString()),
        namedtype.NamedType('issuerKeyHash', univ.OctetString()),
        namedtype.NamedType('serialNumber', CertificateSerialNumber()),
    )


class SingleResponse(univ.Sequence):
    """Status of one certificate inside a ``ResponseData``.

    ``thisUpdate`` is mandatory; ``nextUpdate`` ([0]) and
    ``singleExtensions`` ([1]) are optional.  NOTE(review): the two times are
    decoded but never compared with "now" here; a relying party must reject a
    SingleResponse whose window does not cover the current time.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('certID', CertID()),
        namedtype.NamedType('certStatus', CertStatus()),
        namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('nextUpdate',
                                    _tagged(useful.GeneralizedTime(), 0)),
        namedtype.OptionalNamedType('singleExtensions',
                                    _tagged(Extensions(), 1)),
    )


class ResponderID(univ.Choice):
    """How the responder identifies itself: by ``Name`` ([1]) or ``KeyHash`` ([2]).

    Tag numbers start at 1 because the original RFC 2560 module reserves [0].
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('byName', _tagged(Name(), 1)),
        namedtype.NamedType('byKey', _tagged(KeyHash(), 2)),
    )


class ResponseData(univ.Sequence):
    """The to-be-signed body of a ``BasicOCSPResponse``.

    ``version`` ([0]) defaults to v1; ``responseExtensions`` ([1]) is optional.
    ``responses`` may legally be an empty SEQUENCE OF -- callers that expect an
    answer for a specific CertID must look for it explicitly.
    """
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', _tagged(Version('v1'), 0)),
        namedtype.NamedType('responderID', ResponderID()),
        namedtype.NamedType('producedAt', useful.GeneralizedTime()),
        namedtype.NamedType('responses',
                            univ.SequenceOf(componentType=SingleResponse())),
        namedtype.OptionalNamedType('responseExtensions',
                                    _tagged(Extensions(), 1)),
    )


class BasicOCSPResponse(univ.Sequence):
    """Signed OCSP response: ``tbsResponseData`` plus signature and optional certs.

    NOTE(review): ``certs`` ([0]) is whatever the responder chose to send.
    Those certificates are untrusted until chained to a trust anchor, and the
    signature is never checked by this module; treat a decoded value as raw
    input, not as a verified status.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsResponseData', ResponseData()),
        namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType(
            'certs',
            _tagged(univ.SequenceOf(componentType=Certificate()), 0)),
    )


class Request(univ.Sequence):
    """One certificate query in a ``TBSRequest``: its ``CertID`` plus optional [0] extensions."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('reqCert', CertID()),
        namedtype.OptionalNamedType('singleRequestExtensions',
                                    _tagged(Extensions(), 0)),
    )


class Signature(univ.Sequence):
    """Optional signature over a request, with the signer's optional certs ([0]).

    Same layout as the trailing fields of ``BasicOCSPResponse``; as there, the
    certificates are responder/requestor-supplied and unverified.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType(
            'certs',
            _tagged(univ.SequenceOf(componentType=Certificate()), 0)),
    )


class TBSRequest(univ.Sequence):
    """The to-be-signed body of an ``OCSPRequest``.

    ``version`` ([0]) defaults to v1; ``requestorName`` ([1]) and
    ``requestExtensions`` ([2]) are optional; ``requestList`` holds one
    ``Request`` per certificate being queried.
    """
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', _tagged(Version('v1'), 0)),
        namedtype.OptionalNamedType('requestorName', _tagged(GeneralName(), 1)),
        namedtype.NamedType('requestList',
                            univ.SequenceOf(componentType=Request())),
        namedtype.OptionalNamedType('requestExtensions',
                                    _tagged(Extensions(), 2)),
    )


class OCSPRequest(univ.Sequence):
    """Top-level OCSP request: ``tbsRequest`` with an optional [0] ``Signature``."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsRequest', TBSRequest()),
        namedtype.OptionalNamedType('optionalSignature', _tagged(Signature(), 0)),
    )


# Previously omitted structure

class ServiceLocator(univ.Sequence):
    """Payload of the id-pkix-ocsp-service-locator request extension.

    Carries the ``issuer`` Name and an ``AuthorityInfoAccessSyntax`` pointing
    at where the request should be forwarded.  NOTE(review): the locator URL
    is requester-controlled; a responder that forwards requests based on it
    should restrict the destinations it is willing to contact.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('issuer', Name()),
        namedtype.NamedType('locator', AuthorityInfoAccessSyntax()),
    )


# Additional structures

class CrlID(univ.Sequence):
    """Payload of the id-pkix-ocsp-crl response extension.

    All three components are optional: ``crlUrl`` ([0], IA5String),
    ``crlNum`` ([1], INTEGER) and ``crlTime`` ([2], GeneralizedTime).
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('crlUrl', _tagged(char.IA5String(), 0)),
        namedtype.OptionalNamedType('crlNum', _tagged(univ.Integer(), 1)),
        namedtype.OptionalNamedType('crlTime',
                                    _tagged(useful.GeneralizedTime(), 2)),
    )


class PreferredSignatureAlgorithm(univ.Sequence):
    """One entry of the id-pkix-ocsp-pref-sig-algs request extension.

    ``sigIdentifier`` is the preferred signature algorithm; ``certIdentifier``
    is optional.  Both are plain (untagged) AlgorithmIdentifiers, which is
    unambiguous because only the second one may be absent.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('sigIdentifier', AlgorithmIdentifier()),
        namedtype.OptionalNamedType('certIdentifier', AlgorithmIdentifier()),
    )


class PreferredSignatureAlgorithms(univ.SequenceOf):
    """SEQUENCE OF ``PreferredSignatureAlgorithm``, in the requester's order of preference."""
    componentType = PreferredSignatureAlgorithm()


# Response Type OID to Response Map
#
# Keyed by response-type OID; the value is the structure the opaque response
# octets decode into.  Only id-pkix-ocsp-basic is registered.  (Presumably
# consumed when decoding ResponseBytes from rfc2560 with openTypes -- confirm
# against that module.)

ocspResponseMap = {
    id_pkix_ocsp_basic: BasicOCSPResponse(),
}


# Map of Extension OIDs to Extensions added to the ones
# that are in rfc5280.py
#
# NOTE(review): id-pkix-ocsp-nonce is registered as an unconstrained OCTET
# STRING, so the nonce length is not bounded at decode time; a responder that
# echoes nonces back should enforce its own limit.

_certificateExtensionsMapUpdate = {
    # Certificate Extension
    id_pkix_ocsp_nocheck: univ.Null(""),
    # OCSP Request Extensions
    id_pkix_ocsp_nonce: univ.OctetString(),
    id_pkix_ocsp_response: AcceptableResponses(),
    id_pkix_ocsp_service_locator: ServiceLocator(),
    id_pkix_ocsp_pref_sig_algs: PreferredSignatureAlgorithms(),
    # OCSP Response Extensions
    id_pkix_ocsp_crl: CrlID(),
    id_pkix_ocsp_archive_cutoff: ArchiveCutoff(),
    id_pkix_ocsp_extended_revoke: univ.Null(""),
}

# Import-time side effect: this mutates the extension map shared through
# rfc5280, so merely importing this module changes how every other module
# that consults rfc5280.certificateExtensionsMap decodes these OIDs.
rfc5280.certificateExtensionsMap.update(_certificateExtensionsMapUpdate)