rfc2560.py 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225
  1. #
  2. # This file is part of pyasn1-modules software.
  3. #
  4. # Copyright (c) 2005-2020, Ilya Etingof <etingof@gmail.com>
  5. # License: http://snmplabs.com/pyasn1/license.html
  6. #
  7. # OCSP request/response syntax
  8. #
  9. # Derived from a minimal OCSP library (RFC2560) code written by
  10. # Bud P. Bruegger <bud@ancitel.it>
  11. # Copyright: Ancitel, S.p.a, Rome, Italy
  12. # License: BSD
  13. #
  14. #
  15. # current limitations:
  16. # * request and response works only for a single certificate
  17. # * only some values are parsed out of the response
  18. # * the request does't set a nonce nor signature
  19. # * there is no signature validation of the response
  20. # * dates are left as strings in GeneralizedTime format -- datetime.datetime
  21. # would be nicer
  22. #
  23. from pyasn1.type import namedtype
  24. from pyasn1.type import namedval
  25. from pyasn1.type import tag
  26. from pyasn1.type import univ
  27. from pyasn1.type import useful
  28. from pyasn1_modules import rfc2459
  29. # Start of OCSP module definitions
  30. # This should be in directory Authentication Framework (X.509) module
  31. class CRLReason(univ.Enumerated):
  32. namedValues = namedval.NamedValues(
  33. ('unspecified', 0),
  34. ('keyCompromise', 1),
  35. ('cACompromise', 2),
  36. ('affiliationChanged', 3),
  37. ('superseded', 4),
  38. ('cessationOfOperation', 5),
  39. ('certificateHold', 6),
  40. ('removeFromCRL', 8),
  41. ('privilegeWithdrawn', 9),
  42. ('aACompromise', 10)
  43. )
  44. # end of directory Authentication Framework (X.509) module
  45. # This should be in PKIX Certificate Extensions module
  46. class GeneralName(univ.OctetString):
  47. pass
  48. # end of PKIX Certificate Extensions module
  49. id_kp_OCSPSigning = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 3, 9))
  50. id_pkix_ocsp = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1))
  51. id_pkix_ocsp_basic = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 1))
  52. id_pkix_ocsp_nonce = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 2))
  53. id_pkix_ocsp_crl = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 3))
  54. id_pkix_ocsp_response = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 4))
  55. id_pkix_ocsp_nocheck = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 5))
  56. id_pkix_ocsp_archive_cutoff = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 6))
  57. id_pkix_ocsp_service_locator = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 7))
  58. class AcceptableResponses(univ.SequenceOf):
  59. componentType = univ.ObjectIdentifier()
  60. class ArchiveCutoff(useful.GeneralizedTime):
  61. pass
  62. class UnknownInfo(univ.Null):
  63. pass
  64. class RevokedInfo(univ.Sequence):
  65. componentType = namedtype.NamedTypes(
  66. namedtype.NamedType('revocationTime', useful.GeneralizedTime()),
  67. namedtype.OptionalNamedType('revocationReason', CRLReason().subtype(
  68. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  69. )
  70. class CertID(univ.Sequence):
  71. componentType = namedtype.NamedTypes(
  72. namedtype.NamedType('hashAlgorithm', rfc2459.AlgorithmIdentifier()),
  73. namedtype.NamedType('issuerNameHash', univ.OctetString()),
  74. namedtype.NamedType('issuerKeyHash', univ.OctetString()),
  75. namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber())
  76. )
  77. class CertStatus(univ.Choice):
  78. componentType = namedtype.NamedTypes(
  79. namedtype.NamedType('good',
  80. univ.Null().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
  81. namedtype.NamedType('revoked',
  82. RevokedInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
  83. namedtype.NamedType('unknown',
  84. UnknownInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
  85. )
  86. class SingleResponse(univ.Sequence):
  87. componentType = namedtype.NamedTypes(
  88. namedtype.NamedType('certID', CertID()),
  89. namedtype.NamedType('certStatus', CertStatus()),
  90. namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
  91. namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(
  92. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
  93. namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(
  94. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
  95. )
  96. class KeyHash(univ.OctetString):
  97. pass
  98. class ResponderID(univ.Choice):
  99. componentType = namedtype.NamedTypes(
  100. namedtype.NamedType('byName',
  101. rfc2459.Name().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
  102. namedtype.NamedType('byKey',
  103. KeyHash().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
  104. )
  105. class Version(univ.Integer):
  106. namedValues = namedval.NamedValues(('v1', 0))
  107. class ResponseData(univ.Sequence):
  108. componentType = namedtype.NamedTypes(
  109. namedtype.DefaultedNamedType('version', Version('v1').subtype(
  110. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
  111. namedtype.NamedType('responderID', ResponderID()),
  112. namedtype.NamedType('producedAt', useful.GeneralizedTime()),
  113. namedtype.NamedType('responses', univ.SequenceOf(componentType=SingleResponse())),
  114. namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(
  115. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
  116. )
  117. class BasicOCSPResponse(univ.Sequence):
  118. componentType = namedtype.NamedTypes(
  119. namedtype.NamedType('tbsResponseData', ResponseData()),
  120. namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
  121. namedtype.NamedType('signature', univ.BitString()),
  122. namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
  123. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  124. )
  125. class ResponseBytes(univ.Sequence):
  126. componentType = namedtype.NamedTypes(
  127. namedtype.NamedType('responseType', univ.ObjectIdentifier()),
  128. namedtype.NamedType('response', univ.OctetString())
  129. )
  130. class OCSPResponseStatus(univ.Enumerated):
  131. namedValues = namedval.NamedValues(
  132. ('successful', 0),
  133. ('malformedRequest', 1),
  134. ('internalError', 2),
  135. ('tryLater', 3),
  136. ('undefinedStatus', 4), # should never occur
  137. ('sigRequired', 5),
  138. ('unauthorized', 6)
  139. )
  140. class OCSPResponse(univ.Sequence):
  141. componentType = namedtype.NamedTypes(
  142. namedtype.NamedType('responseStatus', OCSPResponseStatus()),
  143. namedtype.OptionalNamedType('responseBytes', ResponseBytes().subtype(
  144. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  145. )
  146. class Request(univ.Sequence):
  147. componentType = namedtype.NamedTypes(
  148. namedtype.NamedType('reqCert', CertID()),
  149. namedtype.OptionalNamedType('singleRequestExtensions', rfc2459.Extensions().subtype(
  150. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  151. )
  152. class Signature(univ.Sequence):
  153. componentType = namedtype.NamedTypes(
  154. namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
  155. namedtype.NamedType('signature', univ.BitString()),
  156. namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
  157. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  158. )
  159. class TBSRequest(univ.Sequence):
  160. componentType = namedtype.NamedTypes(
  161. namedtype.DefaultedNamedType('version', Version('v1').subtype(
  162. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
  163. namedtype.OptionalNamedType('requestorName', GeneralName().subtype(
  164. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
  165. namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())),
  166. namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(
  167. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
  168. )
  169. class OCSPRequest(univ.Sequence):
  170. componentType = namedtype.NamedTypes(
  171. namedtype.NamedType('tbsRequest', TBSRequest()),
  172. namedtype.OptionalNamedType('optionalSignature', Signature().subtype(
  173. explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
  174. )