wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 1 | # coding: utf-8 |
wbond | ea25fc2 | 2015-06-19 15:07:04 -0400 | [diff] [blame] | 2 | |
| 3 | """ |
| 4 | ASN.1 type classes for the online certificate status protocol (OCSP). Exports |
| 5 | the following items: |
| 6 | |
| 7 | - OCSPRequest() |
| 8 | - OCSPResponse() |
| 9 | |
| 10 | Other type classes are defined that help compose the types listed above. |
| 11 | """ |
| 12 | |
wbond | 6b66ab5 | 2015-06-21 10:26:45 -0400 | [diff] [blame] | 13 | from __future__ import unicode_literals, division, absolute_import, print_function |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 14 | |
| 15 | from .algos import DigestAlgorithm, SignedDigestAlgorithm |
| 16 | from .core import ( |
| 17 | Boolean, |
| 18 | Choice, |
| 19 | Enumerated, |
| 20 | GeneralizedTime, |
| 21 | IA5String, |
| 22 | Integer, |
| 23 | Null, |
| 24 | ObjectIdentifier, |
| 25 | OctetBitString, |
| 26 | OctetString, |
| 27 | Sequence, |
| 28 | SequenceOf, |
| 29 | ) |
| 30 | from .crl import AuthorityInfoAccessSyntax, CRLReason |
| 31 | from .keys import PublicKeyAlgorithm |
| 32 | from .x509 import Certificate, GeneralName, GeneralNames, Name |
| 33 | |
| 34 | |
| 35 | |
| 36 | # The structures in this file are taken from https://tools.ietf.org/html/rfc6960 |
| 37 | |
| 38 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 39 | class Version(Integer): |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 40 | _map = { |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 41 | 0: 'v1' |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 42 | } |
| 43 | |
| 44 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 45 | class CertId(Sequence): |
| 46 | _fields = [ |
| 47 | ('hash_algorithm', DigestAlgorithm), |
| 48 | ('issuer_name_hash', OctetString), |
| 49 | ('issuer_key_hash', OctetString), |
| 50 | ('serial_number', Integer), |
| 51 | ] |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 52 | |
| 53 | |
| 54 | class ServiceLocator(Sequence): |
| 55 | _fields = [ |
| 56 | ('issuer', Name), |
| 57 | ('locator', AuthorityInfoAccessSyntax), |
| 58 | ] |
| 59 | |
| 60 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 61 | class RequestExtensionId(ObjectIdentifier): |
| 62 | _map = { |
| 63 | '1.3.6.1.5.5.7.48.1.7': 'ocsp_service_locator', |
| 64 | } |
| 65 | |
| 66 | |
| 67 | class RequestExtension(Sequence): |
| 68 | _fields = [ |
| 69 | ('extn_id', RequestExtensionId), |
| 70 | ('critical', Boolean, {'default': False}), |
| 71 | ('extn_value', OctetString), |
| 72 | ] |
| 73 | |
| 74 | _oid_pair = ('extn_id', 'extn_value') |
| 75 | _oid_specs = { |
| 76 | 'ocsp_service_locator': ServiceLocator, |
| 77 | } |
| 78 | |
| 79 | |
| 80 | class RequestExtensions(SequenceOf): |
| 81 | _child_spec = RequestExtension |
| 82 | |
| 83 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 84 | class Request(Sequence): |
| 85 | _fields = [ |
| 86 | ('req_cert', CertId), |
| 87 | ('single_request_extensions', RequestExtensions, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 88 | ] |
| 89 | |
| 90 | |
| 91 | class Requests(SequenceOf): |
| 92 | _child_spec = Request |
| 93 | |
| 94 | |
| 95 | class ResponseType(ObjectIdentifier): |
| 96 | _map = { |
| 97 | '1.3.6.1.5.5.7.48.1.1': 'basic_ocsp_response', |
| 98 | } |
| 99 | |
| 100 | |
| 101 | class AcceptableResponses(SequenceOf): |
| 102 | _child_spec = ResponseType |
| 103 | |
| 104 | |
| 105 | class PreferredSignatureAlgorithm(Sequence): |
| 106 | _fields = [ |
| 107 | ('sig_identifier', SignedDigestAlgorithm), |
| 108 | ('cert_identifier', PublicKeyAlgorithm, {'optional': True}), |
| 109 | ] |
| 110 | |
| 111 | |
| 112 | class PreferredSignatureAlgorithms(SequenceOf): |
| 113 | _child_spec = PreferredSignatureAlgorithm |
| 114 | |
| 115 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 116 | class TBSRequestExtensionId(ObjectIdentifier): |
| 117 | _map = { |
wbond | 77b0ccd | 2015-07-17 11:17:02 -0400 | [diff] [blame] | 118 | '1.3.6.1.5.5.7.48.1.2': 'ocsp_nonce', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 119 | '1.3.6.1.5.5.7.48.1.4': 'ocsp_response', |
| 120 | '1.3.6.1.5.5.7.48.1.8': 'ocsp_preferred_signature_algorithms', |
| 121 | } |
| 122 | |
| 123 | |
| 124 | class TBSRequestExtension(Sequence): |
| 125 | _fields = [ |
| 126 | ('extn_id', TBSRequestExtensionId), |
| 127 | ('critical', Boolean, {'default': False}), |
| 128 | ('extn_value', OctetString), |
| 129 | ] |
| 130 | |
| 131 | _oid_pair = ('extn_id', 'extn_value') |
| 132 | _oid_specs = { |
wbond | 77b0ccd | 2015-07-17 11:17:02 -0400 | [diff] [blame] | 133 | 'ocsp_nonce': OctetString, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 134 | 'ocsp_response': AcceptableResponses, |
| 135 | 'ocsp_preferred_signature_algorithms': PreferredSignatureAlgorithms, |
| 136 | } |
| 137 | |
| 138 | |
| 139 | class TBSRequestExtensions(SequenceOf): |
| 140 | _child_spec = TBSRequestExtension |
| 141 | |
| 142 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 143 | class TBSRequest(Sequence): |
| 144 | _fields = [ |
| 145 | ('version', Version, {'tag_type': 'explicit', 'tag': 0, 'default': 'v1'}), |
| 146 | ('requestor_name', GeneralName, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 147 | ('request_list', Requests), |
| 148 | ('request_extensions', TBSRequestExtensions, {'tag_type': 'explicit', 'tag': 2, 'optional': True}), |
| 149 | ] |
| 150 | |
| 151 | |
| 152 | class Certificates(SequenceOf): |
| 153 | _child_spec = Certificate |
| 154 | |
| 155 | |
| 156 | class Signature(Sequence): |
| 157 | _fields = [ |
| 158 | ('signature_algorithm', SignedDigestAlgorithm), |
| 159 | ('signature', OctetBitString), |
| 160 | ('certs', Certificates, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 161 | ] |
| 162 | |
| 163 | |
| 164 | class OCSPRequest(Sequence): |
| 165 | _fields = [ |
| 166 | ('tbs_request', TBSRequest), |
| 167 | ('optional_signature', Signature, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 168 | ] |
| 169 | |
| 170 | |
| 171 | class OCSPResponseStatus(Enumerated): |
| 172 | _map = { |
| 173 | 0: 'successful', |
| 174 | 1: 'malformed_request', |
| 175 | 2: 'internal_error', |
| 176 | 3: 'try_later', |
| 177 | 5: 'sign_required', |
wbond | 77b0ccd | 2015-07-17 11:17:02 -0400 | [diff] [blame] | 178 | 6: 'unauthorized', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 179 | } |
| 180 | |
| 181 | |
| 182 | class ResponderId(Choice): |
| 183 | _alternatives = [ |
| 184 | ('by_name', Name, {'tag_type': 'explicit', 'tag': 1}), |
| 185 | ('by_key', OctetString, {'tag_type': 'explicit', 'tag': 2}), |
| 186 | ] |
| 187 | |
| 188 | |
| 189 | class RevokedInfo(Sequence): |
| 190 | _fields = [ |
| 191 | ('revocation_time', GeneralizedTime), |
| 192 | ('revocation_reason', CRLReason, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 193 | ] |
| 194 | |
| 195 | |
| 196 | class CertStatus(Choice): |
| 197 | _alternatives = [ |
| 198 | ('good', Null, {'tag_type': 'implicit', 'tag': 0}), |
| 199 | ('revoked', RevokedInfo, {'tag_type': 'implicit', 'tag': 1}), |
| 200 | ('unknown', Null, {'tag_type': 'implicit', 'tag': 2}), |
| 201 | ] |
| 202 | |
| 203 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 204 | class CrlId(Sequence): |
| 205 | _fields = [ |
| 206 | ('crl_url', IA5String, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 207 | ('crl_num', Integer, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 208 | ('crl_time', GeneralizedTime, {'tag_type': 'explicit', 'tag': 2, 'optional': True}), |
| 209 | ] |
| 210 | |
| 211 | |
| 212 | class SingleResponseExtensionId(ObjectIdentifier): |
| 213 | _map = { |
| 214 | '1.3.6.1.5.5.7.48.1.3': 'ocsp_crl', |
| 215 | '1.3.6.1.5.5.7.48.1.6': 'ocsp_archive_cutoff', |
| 216 | # These are CRLEntryExtension values from https://tools.ietf.org/html/rfc5280 |
| 217 | '2.5.29.21': 'crl_reason', |
| 218 | '2.5.29.24': 'invalidity_date', |
| 219 | '2.5.29.29': 'certificate_issuer', |
| 220 | } |
| 221 | |
| 222 | |
| 223 | class SingleResponseExtension(Sequence): |
| 224 | _fields = [ |
| 225 | ('extn_id', SingleResponseExtensionId), |
| 226 | ('critical', Boolean, {'default': False}), |
| 227 | ('extn_value', OctetString), |
| 228 | ] |
| 229 | |
| 230 | _oid_pair = ('extn_id', 'extn_value') |
| 231 | _oid_specs = { |
| 232 | 'ocsp_crl': CrlId, |
| 233 | 'ocsp_archive_cutoff': GeneralizedTime, |
| 234 | 'crl_reason': CRLReason, |
| 235 | 'invalidity_date': GeneralizedTime, |
| 236 | 'certificate_issuer': GeneralNames, |
| 237 | } |
| 238 | |
| 239 | |
| 240 | class SingleResponseExtensions(SequenceOf): |
| 241 | _child_spec = SingleResponseExtension |
| 242 | |
| 243 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 244 | class SingleResponse(Sequence): |
| 245 | _fields = [ |
| 246 | ('cert_id', CertId), |
| 247 | ('cert_status', CertStatus), |
| 248 | ('this_update', GeneralizedTime), |
| 249 | ('next_update', GeneralizedTime, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 250 | ('single_extensions', SingleResponseExtensions, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 251 | ] |
| 252 | |
| 253 | |
| 254 | class Responses(SequenceOf): |
| 255 | _child_spec = SingleResponse |
| 256 | |
| 257 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame^] | 258 | class ResponseDataExtensionId(ObjectIdentifier): |
| 259 | _map = { |
| 260 | '1.3.6.1.5.5.7.48.1.2': 'ocsp_nonce', |
| 261 | '1.3.6.1.5.5.7.48.1.9': 'ocsp_extended_revoke', |
| 262 | } |
| 263 | |
| 264 | |
| 265 | class ResponseDataExtension(Sequence): |
| 266 | _fields = [ |
| 267 | ('extn_id', ResponseDataExtensionId), |
| 268 | ('critical', Boolean, {'default': False}), |
| 269 | ('extn_value', OctetString), |
| 270 | ] |
| 271 | |
| 272 | _oid_pair = ('extn_id', 'extn_value') |
| 273 | _oid_specs = { |
| 274 | 'ocsp_nonce': OctetString, |
| 275 | 'ocsp_extended_revoke': Null, |
| 276 | } |
| 277 | |
| 278 | |
| 279 | class ResponseDataExtensions(SequenceOf): |
| 280 | _child_spec = ResponseDataExtension |
| 281 | |
| 282 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 283 | class ResponseData(Sequence): |
| 284 | _fields = [ |
| 285 | ('version', Version, {'tag_type': 'explicit', 'tag': 0, 'default': 'v1'}), |
| 286 | ('responder_id', ResponderId), |
| 287 | ('produced_at', GeneralizedTime), |
| 288 | ('responses', Responses), |
| 289 | ('response_extensions', ResponseDataExtensions, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 290 | ] |
| 291 | |
| 292 | |
| 293 | class BasicOCSPResponse(Sequence): |
| 294 | _fields = [ |
| 295 | ('tbs_response_data', ResponseData), |
| 296 | ('signature_algorithm', SignedDigestAlgorithm), |
| 297 | ('signature', OctetBitString), |
| 298 | ('certs', Certificates, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 299 | ] |
| 300 | |
| 301 | |
| 302 | class ResponseBytes(Sequence): |
| 303 | _fields = [ |
| 304 | ('response_type', ResponseType), |
| 305 | ('response', OctetString), |
| 306 | ] |
| 307 | |
| 308 | _oid_pair = ('response_type', 'response') |
| 309 | _oid_specs = { |
| 310 | 'basic_ocsp_response': BasicOCSPResponse, |
| 311 | } |
| 312 | |
| 313 | |
| 314 | class OCSPResponse(Sequence): |
| 315 | _fields = [ |
| 316 | ('response_status', OCSPResponseStatus), |
| 317 | ('response_bytes', ResponseBytes, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 318 | ] |