| # |
| # This file is part of pyasn1-modules software. |
| # |
| # Created by Russ Housley. |
| # |
| # Copyright (c) 2019, Vigil Security, LLC |
| # License: http://snmplabs.com/pyasn1/license.html |
| # |
| # Online Certificate Status Protocol (OCSP) |
| # |
| # ASN.1 source from: |
| # https://www.rfc-editor.org/rfc/rfc6960.txt |
| # |
| |
| from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful |
| |
| from pyasn1_modules import rfc2560 |
| from pyasn1_modules import rfc5280 |
| |
| MAX = float('inf') |
| |
| |
| # Imports from RFC 5280 |
| |
| AlgorithmIdentifier = rfc5280.AlgorithmIdentifier |
| AuthorityInfoAccessSyntax = rfc5280.AuthorityInfoAccessSyntax |
| Certificate = rfc5280.Certificate |
| CertificateSerialNumber = rfc5280.CertificateSerialNumber |
| CRLReason = rfc5280.CRLReason |
| Extensions = rfc5280.Extensions |
| GeneralName = rfc5280.GeneralName |
| Name = rfc5280.Name |
| |
| id_kp = rfc5280.id_kp |
| |
| id_ad_ocsp = rfc5280.id_ad_ocsp |
| |
| |
| # Imports from the original OCSP module in RFC 2560 |
| |
| AcceptableResponses = rfc2560.AcceptableResponses |
| ArchiveCutoff = rfc2560.ArchiveCutoff |
| CertStatus = rfc2560.CertStatus |
| KeyHash = rfc2560.KeyHash |
| OCSPResponse = rfc2560.OCSPResponse |
| OCSPResponseStatus = rfc2560.OCSPResponseStatus |
| ResponseBytes = rfc2560.ResponseBytes |
| RevokedInfo = rfc2560.RevokedInfo |
| UnknownInfo = rfc2560.UnknownInfo |
| Version = rfc2560.Version |
| |
| id_kp_OCSPSigning = rfc2560.id_kp_OCSPSigning |
| |
| id_pkix_ocsp = rfc2560.id_pkix_ocsp |
| id_pkix_ocsp_archive_cutoff = rfc2560.id_pkix_ocsp_archive_cutoff |
| id_pkix_ocsp_basic = rfc2560.id_pkix_ocsp_basic |
| id_pkix_ocsp_crl = rfc2560.id_pkix_ocsp_crl |
| id_pkix_ocsp_nocheck = rfc2560.id_pkix_ocsp_nocheck |
| id_pkix_ocsp_nonce = rfc2560.id_pkix_ocsp_nonce |
| id_pkix_ocsp_response = rfc2560.id_pkix_ocsp_response |
| id_pkix_ocsp_service_locator = rfc2560.id_pkix_ocsp_service_locator |
| |
| |
| # Additional object identifiers |
| |
| id_pkix_ocsp_pref_sig_algs = id_pkix_ocsp + (8, ) |
| id_pkix_ocsp_extended_revoke = id_pkix_ocsp + (9, ) |
| |
| |
| # Updated structures (mostly to improve openTypes support) |
| |
| class CertID(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('hashAlgorithm', AlgorithmIdentifier()), |
| namedtype.NamedType('issuerNameHash', univ.OctetString()), |
| namedtype.NamedType('issuerKeyHash', univ.OctetString()), |
| namedtype.NamedType('serialNumber', CertificateSerialNumber()) |
| ) |
| |
| |
| class SingleResponse(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('certID', CertID()), |
| namedtype.NamedType('certStatus', CertStatus()), |
| namedtype.NamedType('thisUpdate', useful.GeneralizedTime()), |
| namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), |
| namedtype.OptionalNamedType('singleExtensions', Extensions().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) |
| ) |
| |
| |
| class ResponderID(univ.Choice): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('byName', Name().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), |
| namedtype.NamedType('byKey', KeyHash().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) |
| ) |
| |
| |
| class ResponseData(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.DefaultedNamedType('version', Version('v1').subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), |
| namedtype.NamedType('responderID', ResponderID()), |
| namedtype.NamedType('producedAt', useful.GeneralizedTime()), |
| namedtype.NamedType('responses', univ.SequenceOf( |
| componentType=SingleResponse())), |
| namedtype.OptionalNamedType('responseExtensions', Extensions().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) |
| ) |
| |
| |
| class BasicOCSPResponse(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('tbsResponseData', ResponseData()), |
| namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()), |
| namedtype.NamedType('signature', univ.BitString()), |
| namedtype.OptionalNamedType('certs', univ.SequenceOf( |
| componentType=Certificate()).subtype(explicitTag=tag.Tag( |
| tag.tagClassContext, tag.tagFormatSimple, 0))) |
| ) |
| |
| |
| class Request(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('reqCert', CertID()), |
| namedtype.OptionalNamedType('singleRequestExtensions', Extensions().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) |
| ) |
| |
| |
| class Signature(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()), |
| namedtype.NamedType('signature', univ.BitString()), |
| namedtype.OptionalNamedType('certs', univ.SequenceOf( |
| componentType=Certificate()).subtype(explicitTag=tag.Tag( |
| tag.tagClassContext, tag.tagFormatSimple, 0))) |
| ) |
| |
| |
| class TBSRequest(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.DefaultedNamedType('version', Version('v1').subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), |
| namedtype.OptionalNamedType('requestorName', GeneralName().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), |
| namedtype.NamedType('requestList', univ.SequenceOf( |
| componentType=Request())), |
| namedtype.OptionalNamedType('requestExtensions', Extensions().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) |
| ) |
| |
| |
| class OCSPRequest(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('tbsRequest', TBSRequest()), |
| namedtype.OptionalNamedType('optionalSignature', Signature().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) |
| ) |
| |
| |
| # Previously omitted structure |
| |
| class ServiceLocator(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('issuer', Name()), |
| namedtype.NamedType('locator', AuthorityInfoAccessSyntax()) |
| ) |
| |
| |
| # Additional structures |
| |
| class CrlID(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.OptionalNamedType('crlUrl', char.IA5String().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), |
| namedtype.OptionalNamedType('crlNum', univ.Integer().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), |
| namedtype.OptionalNamedType('crlTime', useful.GeneralizedTime().subtype( |
| explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) |
| ) |
| |
| |
| class PreferredSignatureAlgorithm(univ.Sequence): |
| componentType = namedtype.NamedTypes( |
| namedtype.NamedType('sigIdentifier', AlgorithmIdentifier()), |
| namedtype.OptionalNamedType('certIdentifier', AlgorithmIdentifier()) |
| ) |
| |
| |
| class PreferredSignatureAlgorithms(univ.SequenceOf): |
| componentType = PreferredSignatureAlgorithm() |
| |
| |
| |
| # Response Type OID to Response Map |
| |
| ocspResponseMap = { |
| id_pkix_ocsp_basic: BasicOCSPResponse(), |
| } |
| |
| |
| # Map of Extension OIDs to Extensions added to the ones |
| # that are in rfc5280.py |
| |
| _certificateExtensionsMapUpdate = { |
| # Certificate Extension |
| id_pkix_ocsp_nocheck: univ.Null(""), |
| # OCSP Request Extensions |
| id_pkix_ocsp_nonce: univ.OctetString(), |
| id_pkix_ocsp_response: AcceptableResponses(), |
| id_pkix_ocsp_service_locator: ServiceLocator(), |
| id_pkix_ocsp_pref_sig_algs: PreferredSignatureAlgorithms(), |
| # OCSP Response Extensions |
| id_pkix_ocsp_crl: CrlID(), |
| id_pkix_ocsp_archive_cutoff: ArchiveCutoff(), |
| id_pkix_ocsp_extended_revoke: univ.Null(""), |
| } |
| |
| rfc5280.certificateExtensionsMap.update(_certificateExtensionsMapUpdate) |