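/*
 * OCSP-specific error codes.
 *
 * Each error is declared as a pair of macros: EINFO_xxx passes a base
 * error, a disambiguating value and a description string to
 * __einfo_uniqify(), and xxx wraps that in __einfo_error().  Those two
 * helpers, EUNIQ() and the OCSP_STATUS_* constants are defined
 * elsewhere and are not shown in this listing.
 *
 *   EACCES_*  - the response was parsed but must not be trusted:
 *               non-good status, certID mismatch, signer is not an
 *               OCSP-signing certificate, stale/premature response,
 *               or no responder certificate.
 *   ENOTSUP_* - the response uses a response type or responder ID
 *               form that this code does not handle.
 *   EPROTO_*  - the responder itself reported a failure; the
 *               disambiguator is the corresponding OCSP_STATUS_* value.
 */
#define EACCES_CERT_STATUS						\
	__einfo_error ( EINFO_EACCES_CERT_STATUS )
#define EINFO_EACCES_CERT_STATUS					\
	__einfo_uniqify ( EINFO_EACCES, 0x01,				\
			  "Certificate status not good" )
#define EACCES_CERT_MISMATCH						\
	__einfo_error ( EINFO_EACCES_CERT_MISMATCH )
#define EINFO_EACCES_CERT_MISMATCH					\
	__einfo_uniqify ( EINFO_EACCES, 0x02,				\
			  "Certificate ID mismatch" )
#define EACCES_NON_OCSP_SIGNING						\
	__einfo_error ( EINFO_EACCES_NON_OCSP_SIGNING )
#define EINFO_EACCES_NON_OCSP_SIGNING					\
	__einfo_uniqify ( EINFO_EACCES, 0x03,				\
			  "Not an OCSP signing certificate" )
#define EACCES_STALE							\
	__einfo_error ( EINFO_EACCES_STALE )
/* Description string previously read "repsonse"; spelling corrected. */
#define EINFO_EACCES_STALE						\
	__einfo_uniqify ( EINFO_EACCES, 0x04,				\
			  "Stale (or premature) OCSP response" )
#define EACCES_NO_RESPONDER						\
	__einfo_error ( EINFO_EACCES_NO_RESPONDER )
#define EINFO_EACCES_NO_RESPONDER					\
	__einfo_uniqify ( EINFO_EACCES, 0x05,				\
			  "Missing OCSP responder certificate" )
#define ENOTSUP_RESPONSE_TYPE						\
	__einfo_error ( EINFO_ENOTSUP_RESPONSE_TYPE )
#define EINFO_ENOTSUP_RESPONSE_TYPE					\
	__einfo_uniqify ( EINFO_ENOTSUP, 0x01,				\
			  "Unsupported OCSP response type" )
#define ENOTSUP_RESPONDER_ID						\
	__einfo_error ( EINFO_ENOTSUP_RESPONDER_ID )
#define EINFO_ENOTSUP_RESPONDER_ID					\
	__einfo_uniqify ( EINFO_ENOTSUP, 0x02,				\
			  "Unsupported OCSP responder ID" )
#define EPROTO_MALFORMED_REQUEST					\
	__einfo_error ( EINFO_EPROTO_MALFORMED_REQUEST )
#define EINFO_EPROTO_MALFORMED_REQUEST					\
	__einfo_uniqify ( EINFO_EPROTO, OCSP_STATUS_MALFORMED_REQUEST,	\
			  "Illegal confirmation request" )
#define EPROTO_INTERNAL_ERROR						\
	__einfo_error ( EINFO_EPROTO_INTERNAL_ERROR )
#define EINFO_EPROTO_INTERNAL_ERROR					\
	__einfo_uniqify ( EINFO_EPROTO, OCSP_STATUS_INTERNAL_ERROR,	\
			  "Internal error in issuer" )
#define EPROTO_TRY_LATER						\
	__einfo_error ( EINFO_EPROTO_TRY_LATER )
#define EINFO_EPROTO_TRY_LATER						\
	__einfo_uniqify ( EINFO_EPROTO, OCSP_STATUS_TRY_LATER,		\
/* NOTE(review): listing line 91 (the description string and the closing
 * parenthesis of this definition) is absent from this page, so
 * EINFO_EPROTO_TRY_LATER is incomplete as shown here. */
#define EPROTO_SIG_REQUIRED						\
	__einfo_error ( EINFO_EPROTO_SIG_REQUIRED )
#define EINFO_EPROTO_SIG_REQUIRED					\
	__einfo_uniqify ( EINFO_EPROTO, OCSP_STATUS_SIG_REQUIRED,	\
			  "Must sign the request" )
#define EPROTO_UNAUTHORIZED						\
	__einfo_error ( EINFO_EPROTO_UNAUTHORIZED )
#define EINFO_EPROTO_UNAUTHORIZED					\
	__einfo_uniqify ( EINFO_EPROTO, OCSP_STATUS_UNAUTHORIZED,	\
			  "Request unauthorized" )
/*
 * Select the EPROTO_* error matching a responder-supplied status value.
 *
 * NOTE(review): the result for a status outside the five listed here
 * depends on EUNIQ(), which is not shown; confirm that an unexpected
 * status from the responder still yields a failure rather than success.
 */
#define EPROTO_STATUS( status )						\
	EUNIQ ( EINFO_EPROTO, (status), EPROTO_MALFORMED_REQUEST,	\
		EPROTO_INTERNAL_ERROR, EPROTO_TRY_LATER,		\
		EPROTO_SIG_REQUIRED, EPROTO_UNAUTHORIZED )

/*
 * Digest algorithm used for OCSP, fixed to SHA-1.
 *
 * NOTE(review): the fragments below show it being applied to
 * pubkey_digest and name_digest while building the request, and the
 * certID parser rejects a "wrong algorithm"; presumably SHA-1 is used
 * here only to identify the certificate, with the response signature
 * algorithm parsed separately from the response - confirm before
 * treating this as a weak-hash finding.
 */
#define ocsp_digest_algorithm sha1_algorithm

/* Listing lines 109-168 are not present on this page; from here on only
 * isolated fragments of the function bodies are shown. */
169 pubkey_digest,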
sizeof ( pubkey_digest ) ),
171 name_digest,
sizeof ( name_digest ) ),
180 DBGC ( ocsp,
"OCSP %p \"%s\" could not build request: %s\n",
184 DBGC2 ( ocsp,
"OCSP %p \"%s\" request is:\n",
190 cert_id_tail->
len = builder->
len;
197 DBGC ( ocsp,
"OCSP %p \"%s\" could not locate certID: %s\n",
222 if ( ! responder->
uri.
len ) {
223 DBGC ( ocsp,
"OCSP %p \"%s\" has no OCSP URI\n",
237 goto err_alloc_base64;
247 len = ( responder->
uri.
len + 1 + uri_len );
258 DBGC2 ( ocsp,
"OCSP %p \"%s\" URI is %s\n",
290 *ocsp =
zalloc (
sizeof ( **ocsp ) );
297 (*ocsp)->issuer =
x509_get ( issuer );
331 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
333 DBGC ( ocsp,
"OCSP %p \"%s\" could not locate responseStatus: " 340 DBGC ( ocsp,
"OCSP %p \"%s\" invalid status:\n",
349 DBGC ( ocsp,
"OCSP %p \"%s\" response status %d\n",
369 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
374 DBGC ( ocsp,
"OCSP %p \"%s\" response type not supported:\n",
414 memcpy ( &key_hash, &responder->
id, sizeof ( key_hash ) );
418 difference = (
sizeof ( digest ) - key_hash.
len );
430 return memcmp ( digest, key_hash.
data, sizeof ( digest ) );
447 memcpy ( responder_id,
raw,
sizeof ( *responder_id ) );
454 DBGC2 ( ocsp,
"OCSP %p \"%s\" responder identified by name\n",
459 DBGC2 ( ocsp,
"OCSP %p \"%s\" responder identified by key " 464 DBGC ( ocsp,
"OCSP %p \"%s\" unsupported responder ID type " 488 memcpy ( &cert_id,
raw,
sizeof ( cert_id ) );
492 memcpy ( &cursor, &cert_id,
sizeof ( cursor ) );
496 DBGC ( ocsp,
"OCSP %p \"%s\" certID missing algorithm:\n",
502 DBGC ( ocsp,
"OCSP %p \"%s\" certID wrong algorithm:\n",
511 DBGC ( ocsp,
"OCSP %p \"%s\" certID mismatch:\n",
536 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
549 DBGC ( ocsp,
"OCSP %p \"%s\" non-good certStatus:\n",
559 DBGC ( ocsp,
"OCSP %p \"%s\" could not parse thisUpdate: %s\n",
563 DBGC2 ( ocsp,
"OCSP %p \"%s\" this update was at time %lld\n",
572 DBGC ( ocsp,
"OCSP %p \"%s\" could not parse " 573 "nextUpdate: %s\n", ocsp,
577 DBGC2 ( ocsp,
"OCSP %p \"%s\" next update is at time %lld\n",
587 DBGC ( ocsp,
"OCSP %p \"%s\" responder is a moron\n",
609 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
611 memcpy ( &response->
tbs, &cursor, sizeof ( response->
tbs ) );
649 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
661 while ( cursor.
len ) {
666 DBGC ( ocsp,
"OCSP %p \"%s\" could not parse " 667 "certificate: %s\n", ocsp,
676 DBGC2 ( ocsp,
"OCSP %p \"%s\" response is signed by ",
678 DBGC2 ( ocsp,
"\"%s\"\n",
688 DBGC ( ocsp,
"OCSP %p \"%s\" missing responder certificate\n",
709 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
719 DBGC ( ocsp,
"OCSP %p \"%s\" cannot parse signature " 724 DBGC2 ( ocsp,
"OCSP %p \"%s\" signature algorithm is %s\n",
730 DBGC ( ocsp,
"OCSP %p \"%s\" cannot parse signature: %s\n",
757 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
789 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
822 if ( ! response->
data )
862 DBGC ( ocsp,
"OCSP %p \"%s\" signature verification failed: " 867 DBGC2 ( ocsp,
"OCSP %p \"%s\" signature is correct\n",
896 if ( signer != ocsp->
issuer ) {
906 DBGC ( ocsp,
"OCSP %p \"%s\" could not validate ",
908 DBGC ( ocsp,
"signer \"%s\": %s\n",
918 DBGC ( ocsp,
"OCSP %p \"%s\" ",
920 DBGC ( ocsp,
"signer \"%s\" is not an OCSP-signing " 934 DBGC ( ocsp,
"OCSP %p \"%s\" response is not yet valid (at " 939 DBGC ( ocsp,
"OCSP %p \"%s\" response is stale (at time " 943 DBGC2 ( ocsp,
"OCSP %p \"%s\" response is valid (at time %lld)\n",
952 DBGC ( ocsp,
"OCSP %p \"%s\" could not validate certificate: " 956 DBGC ( ocsp,
"OCSP %p \"%s\" successfully validated ",
struct asn1_cursor id
Responder ID.
struct asn1_bit_string raw_bits
Raw public key bit string.
#define EINVAL
Invalid argument.
An ASN.1 OID-identified algorithm.
struct asn1_cursor raw
Raw public key information.
struct arbelprm_rc_send_wqe rc
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
struct x509_extended_key_usage ext_usage
Extended key usage.
struct asn1_cursor raw
Raw issuer.
static int ocsp_parse_tbs_response_data(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response data.
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const void *signature, size_t signature_len)
#define OCSP_ALGORITHM_IDENTIFIER(...)
OCSP algorithm identifier.
#define ASN1_OID_SHA1
ASN.1 OID for id-sha1 (1.3.14.3.2.26)
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
#define ENOTSUP_RESPONDER_ID
static int ocsp_parse_basic_response(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP basic response.
#define ASN1_IMPLICIT_TAG(number)
ASN.1 implicit tag.
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
int good
OCSP status is good.
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
int asn1_generalized_time(const struct asn1_cursor *cursor, time_t *time)
Parse ASN.1 GeneralizedTime.
unsigned int bits
Usage bits.
#define ENOTSUP_RESPONSE_TYPE
time_t next_update
Time at which newer status information will be available.
struct x509_certificate * signer
Signing certificate.
static int ocsp_compare_responder_key_hash(struct ocsp_check *ocsp, struct x509_certificate *cert)
Compare responder's certificate public key hash.
#define ref_init(refcnt, free)
Initialise a reference counter.
int ocsp_response(struct ocsp_check *ocsp, const void *data, size_t len)
Receive OCSP response.
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
uint32_t type
Operating system type.
struct x509_issuer issuer
Issuer.
struct ocsp_response response
Response.
#define ASN1_ENUMERATED
ASN.1 enumeration.
int asn1_prepend_raw(struct asn1_builder *builder, const void *data, size_t len)
Prepend raw data to ASN.1 builder.
struct x509_certificate * cert
Certificate being checked.
const void * data
Start of data.
struct asn1_algorithm * algorithm
Signature algorithm.
struct asn1_cursor raw
Raw serial number.
int ocsp_validate(struct ocsp_check *ocsp, time_t time)
Validate OCSP response.
#define ASN1_OID_OCSP_BASIC
ASN.1 OID for id-pkix-ocsp-basic ( 1.3.6.1.5.5.7.48.1.1)
static const char base64[64+1]
struct golan_eq_context ctx
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Uniform Resource Identifiers.
static int ocsp_parse_response_bytes(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response bytes.
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
static int ocsp_uri_string(struct ocsp_check *ocsp)
Build OCSP URI string.
static int ocsp_parse_certs(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP certificates.
static int ocsp_parse_response_type(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response type.
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
size_t len
Length of data.
X.509 certificate OCSP responder.
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
struct asn1_bit_string signature
Signature value.
#define ocsp_digest_algorithm
OCSP digest algorithm.
struct asn1_cursor cert_id_tail
Certificate ID (excluding hashAlgorithm)
static size_t base64_encoded_len(size_t raw_len)
Calculate length of base64-encoded data.
#define ENOMEM
Not enough space.
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define EACCES_CERT_MISMATCH
static int ocsp_parse_responder_id(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP responder ID.
size_t uri_encode(unsigned int field, const void *raw, size_t raw_len, char *buf, ssize_t len)
Encode URI field.
static struct asn1_cursor oid_basic_response_type_cursor
OCSP basic response type cursor.
FILE_LICENCE(GPL2_OR_LATER)
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
#define container_of(ptr, type, field)
Get containing structure.
struct x509_root * root
Root against which certificate has been validated (if any)
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
struct asn1_cursor tbs
Raw tbsResponseData.
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
#define EACCES_NON_OCSP_SIGNING
static const uint8_t oid_basic_response_type[]
OCSP basic response type.
struct x509_authority_info_access auth_info
Authority information access.
struct x509_public_key public_key
Public key information.
struct asn1_cursor uri
URI.
static void digest_init(struct digest_algorithm *digest, void *ctx)
int asn1_integral_bit_string(const struct asn1_cursor *cursor, struct asn1_bit_string *bits)
Parse ASN.1 bit string that must be an integral number of bytes.
#define EACCES_CERT_STATUS
char * strerror(int errno)
Retrieve string representation of error number.
static int ocsp_parse_response(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response.
static void(* free)(struct refcnt *refcnt))
struct x509_serial serial
Serial number.
#define OCSP_STATUS_SUCCESSFUL
int(* compare)(struct ocsp_check *ocsp, struct x509_certificate *cert)
Check if certificate is the responder's certificate.
void * zalloc(size_t size)
Allocate cleared memory.
struct x509_certificate * issuer
Issuing certificate.
struct x509_subject subject
Subject.
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
static void ocsp_put(struct ocsp_check *ocsp)
Drop reference to OCSP check.
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
static int ocsp_parse_cert_id(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP certificate ID.
static int ocsp_parse_responses(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP responses.
Online Certificate Status Protocol.
#define EPROTO_STATUS(status)
#define EACCES_NO_RESPONDER
time_t this_update
Time at which status is known to be correct.
int asn1_wrap(struct asn1_builder *builder, unsigned int type)
Wrap ASN.1 builder.
#define ASN1_SEQUENCE
ASN.1 sequence.
struct ocsp_request request
Request.
void * malloc(size_t size)
Allocate memory.
struct asn1_cursor raw
Raw subject.
Cryptographic configuration.
u16 algorithm
Authentication algorithm (Open System or Shared Key)
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
#define ASN1_OID
ASN.1 object identifier.
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
int asn1_skip_if_exists(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object if present.
static const uint8_t ocsp_algorithm_id[]
OCSP digest algorithm identifier.
size_t ctxsize
Context size.
struct digest_algorithm * digest
Digest algorithm (if applicable)
#define ENOTTY
Inappropriate I/O control operation.
static int ocsp_request(struct ocsp_check *ocsp)
Build OCSP request.
size_t digestsize
Digest size.
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
int asn1_skip(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object.
int asn1_prepend(struct asn1_builder *builder, unsigned int type, const void *data, size_t len)
Prepend data to ASN.1 builder.
static int ocsp_parse_response_status(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response status.
#define SHA1_CTX_SIZE
SHA-1 context size.
A message digest algorithm.
uint8_t data[48]
Additional event data.
struct ocsp_responder responder
Responder.
static void ocsp_free(struct refcnt *refcnt)
Free OCSP check.
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
int ocsp_check(struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp)
Create OCSP check.
int64_t time_t
Seconds since the Epoch.
#define ASN1_OCTET_STRING
ASN.1 octet string.
u8 signature
CPU signature.
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
#define NULL
NULL pointer (VOID *)
size_t len
Length of data.
struct x509_ocsp_responder ocsp
OCSP responder.
struct asn1_builder builder
Request builder.
static int ocsp_compare_responder_name(struct ocsp_check *ocsp, struct x509_certificate *cert)
Compare responder's certificate name.
static int ocsp_check_signature(struct ocsp_check *ocsp, struct x509_certificate *signer)
Check OCSP response signature.
size_t base64_encode(const void *raw, size_t raw_len, char *data, size_t len)
Base64-encode data.
struct x509_extensions extensions
Extensions.
char * uri_string
URI string.
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
static void x509_invalidate(struct x509_certificate *cert)
Invalidate X.509 certificate.