|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223 |
- #
- # This file is part of pyasn1-modules software.
- #
- # Created by Russ Housley.
- #
- # Copyright (c) 2019, Vigil Security, LLC
- # License: http://snmplabs.com/pyasn1/license.html
- #
- # Online Certificate Status Protocol (OCSP)
- #
- # ASN.1 source from:
- # https://www.rfc-editor.org/rfc/rfc6960.txt
- #
-
- from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful
-
- from pyasn1_modules import rfc2560
- from pyasn1_modules import rfc5280
-
- MAX = float('inf')
-
-
- # Imports from RFC 5280
-
- AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
- AuthorityInfoAccessSyntax = rfc5280.AuthorityInfoAccessSyntax
- Certificate = rfc5280.Certificate
- CertificateSerialNumber = rfc5280.CertificateSerialNumber
- CRLReason = rfc5280.CRLReason
- Extensions = rfc5280.Extensions
- GeneralName = rfc5280.GeneralName
- Name = rfc5280.Name
-
- id_kp = rfc5280.id_kp
-
- id_ad_ocsp = rfc5280.id_ad_ocsp
-
-
- # Imports from the original OCSP module in RFC 2560
-
- AcceptableResponses = rfc2560.AcceptableResponses
- ArchiveCutoff = rfc2560.ArchiveCutoff
- CertStatus = rfc2560.CertStatus
- KeyHash = rfc2560.KeyHash
- OCSPResponse = rfc2560.OCSPResponse
- OCSPResponseStatus = rfc2560.OCSPResponseStatus
- ResponseBytes = rfc2560.ResponseBytes
- RevokedInfo = rfc2560.RevokedInfo
- UnknownInfo = rfc2560.UnknownInfo
- Version = rfc2560.Version
-
- id_kp_OCSPSigning = rfc2560.id_kp_OCSPSigning
-
- id_pkix_ocsp = rfc2560.id_pkix_ocsp
- id_pkix_ocsp_archive_cutoff = rfc2560.id_pkix_ocsp_archive_cutoff
- id_pkix_ocsp_basic = rfc2560.id_pkix_ocsp_basic
- id_pkix_ocsp_crl = rfc2560.id_pkix_ocsp_crl
- id_pkix_ocsp_nocheck = rfc2560.id_pkix_ocsp_nocheck
- id_pkix_ocsp_nonce = rfc2560.id_pkix_ocsp_nonce
- id_pkix_ocsp_response = rfc2560.id_pkix_ocsp_response
- id_pkix_ocsp_service_locator = rfc2560.id_pkix_ocsp_service_locator
-
-
- # Additional object identifiers
-
- id_pkix_ocsp_pref_sig_algs = id_pkix_ocsp + (8, )
- id_pkix_ocsp_extended_revoke = id_pkix_ocsp + (9, )
-
-
- # Updated structures (mostly to improve openTypes support)
-
- class CertID(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('hashAlgorithm', AlgorithmIdentifier()),
- namedtype.NamedType('issuerNameHash', univ.OctetString()),
- namedtype.NamedType('issuerKeyHash', univ.OctetString()),
- namedtype.NamedType('serialNumber', CertificateSerialNumber())
- )
-
-
- class SingleResponse(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('certID', CertID()),
- namedtype.NamedType('certStatus', CertStatus()),
- namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
- namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
- namedtype.OptionalNamedType('singleExtensions', Extensions().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
- )
-
-
- class ResponderID(univ.Choice):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('byName', Name().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
- namedtype.NamedType('byKey', KeyHash().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
- )
-
-
- class ResponseData(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.DefaultedNamedType('version', Version('v1').subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
- namedtype.NamedType('responderID', ResponderID()),
- namedtype.NamedType('producedAt', useful.GeneralizedTime()),
- namedtype.NamedType('responses', univ.SequenceOf(
- componentType=SingleResponse())),
- namedtype.OptionalNamedType('responseExtensions', Extensions().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
- )
-
-
- class BasicOCSPResponse(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('tbsResponseData', ResponseData()),
- namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
- namedtype.NamedType('signature', univ.BitString()),
- namedtype.OptionalNamedType('certs', univ.SequenceOf(
- componentType=Certificate()).subtype(explicitTag=tag.Tag(
- tag.tagClassContext, tag.tagFormatSimple, 0)))
- )
-
-
- class Request(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('reqCert', CertID()),
- namedtype.OptionalNamedType('singleRequestExtensions', Extensions().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
- )
-
-
- class Signature(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
- namedtype.NamedType('signature', univ.BitString()),
- namedtype.OptionalNamedType('certs', univ.SequenceOf(
- componentType=Certificate()).subtype(explicitTag=tag.Tag(
- tag.tagClassContext, tag.tagFormatSimple, 0)))
- )
-
-
- class TBSRequest(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.DefaultedNamedType('version', Version('v1').subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
- namedtype.OptionalNamedType('requestorName', GeneralName().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
- namedtype.NamedType('requestList', univ.SequenceOf(
- componentType=Request())),
- namedtype.OptionalNamedType('requestExtensions', Extensions().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
- )
-
-
- class OCSPRequest(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('tbsRequest', TBSRequest()),
- namedtype.OptionalNamedType('optionalSignature', Signature().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
- )
-
-
- # Previously omitted structure
-
- class ServiceLocator(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('issuer', Name()),
- namedtype.NamedType('locator', AuthorityInfoAccessSyntax())
- )
-
-
- # Additional structures
-
- class CrlID(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.OptionalNamedType('crlUrl', char.IA5String().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
- namedtype.OptionalNamedType('crlNum', univ.Integer().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
- namedtype.OptionalNamedType('crlTime', useful.GeneralizedTime().subtype(
- explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
- )
-
-
- class PreferredSignatureAlgorithm(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('sigIdentifier', AlgorithmIdentifier()),
- namedtype.OptionalNamedType('certIdentifier', AlgorithmIdentifier())
- )
-
-
- class PreferredSignatureAlgorithms(univ.SequenceOf):
- componentType = PreferredSignatureAlgorithm()
-
-
-
- # Response Type OID to Response Map
-
- ocspResponseMap = {
- id_pkix_ocsp_basic: BasicOCSPResponse(),
- }
-
-
- # Map of Extension OIDs to Extensions added to the ones
- # that are in rfc5280.py
-
- _certificateExtensionsMapUpdate = {
- # Certificate Extension
- id_pkix_ocsp_nocheck: univ.Null(""),
- # OCSP Request Extensions
- id_pkix_ocsp_nonce: univ.OctetString(),
- id_pkix_ocsp_response: AcceptableResponses(),
- id_pkix_ocsp_service_locator: ServiceLocator(),
- id_pkix_ocsp_pref_sig_algs: PreferredSignatureAlgorithms(),
- # OCSP Response Extensions
- id_pkix_ocsp_crl: CrlID(),
- id_pkix_ocsp_archive_cutoff: ArchiveCutoff(),
- id_pkix_ocsp_extended_revoke: univ.Null(""),
- }
-
- rfc5280.certificateExtensionsMap.update(_certificateExtensionsMapUpdate)
|