// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
static inline Result
CertID(Input& input, const Context& context, /*out*/ bool& match)
{
match = false;
DigestAlgorithm hashAlgorithm;
Result rv = der::DigestAlgorithmIdentifier(input, hashAlgorithm);
if (rv != Success) {
if (PR_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
// Skip entries that are hashed with algorithms we don't support.
input.SkipToEnd();
return Success;
}
return rv;
}
SECItem issuerNameHash;
rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
if (rv != Success) {
return rv;
}
SECItem issuerKeyHash;
rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
if (rv != Success) {
return rv;
}
SECItem serialNumber;
rv = der::CertificateSerialNumber(input, serialNumber);
if (rv != Success) {
return rv;
}
if (!SECITEM_ItemsAreEqual(&serialNumber, &context.certID.serialNumber)) {
// This does not reference the certificate we're interested in.
// Consume the rest of the input and return successfully to
// potentially continue processing other responses.
input.SkipToEnd();
return Success;
}
// TODO: support SHA-2 hashes.
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.len != TrustDomain::DIGEST_LENGTH) {
return Fail(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
}
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked."
uint8_t hashBuf[TrustDomain::DIGEST_LENGTH];
if (context.trustDomain.DigestBuf(context.certID.issuer, hashBuf,
sizeof(hashBuf)) != SECSuccess) {
return MapSECStatus(SECFailure);
}
if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
return MatchKeyHash(context.trustDomain, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match);
}
// SingleResponse ::= SEQUENCE {
// certID CertID,
// certStatus CertStatus,
// thisUpdate GeneralizedTime,
// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
// singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl |
// re-ocsp-archive-cutoff |
// CrlEntryExtensions, ...}
// } OPTIONAL }
static inline Result
SingleResponse(Input& input, Context& context)
{
bool match = false;
Result rv = der::Nested(input, der::SEQUENCE,
bind(CertID, _1, cref(context), ref(match)));
if (rv != Success) {
return rv;
}
if (!match) {
// This response does not reference the certificate we're interested in.
// By consuming the rest of our input and returning successfully, we can
// continue processing and examine another response that might have what
// we want.
input.SkipToEnd();
return Success;
}
// CertStatus ::= CHOICE {
// good [0] IMPLICIT NULL,
// revoked [1] IMPLICIT RevokedInfo,
// unknown [2] IMPLICIT UnknownInfo }
//
// In the event of multiple SingleResponses for a cert that have conflicting
// statuses, we use the following precedence rules:
//
// * revoked overrides good and unknown
// * good overrides unknown
if (input.Peek(static_cast<uint8_t>(CertStatus::Good))) {
rv = der::ExpectTagAndLength(input, static_cast<uint8_t>(CertStatus::Good),
0);
if (rv != Success) {
return rv;
}
if (context.certStatus != CertStatus::Revoked) {
context.certStatus = CertStatus::Good;
}
} else if (input.Peek(static_cast<uint8_t>(CertStatus::Revoked))) {
// We don't need any info from the RevokedInfo structure, so we don't even
// parse it. TODO: We should mention issues like this in the explanation of
// why we treat invalid OCSP responses equivalently to revoked for OCSP
// stapling.
rv = der::ExpectTagAndSkipValue(input,
static_cast<uint8_t>(CertStatus::Revoked));
if (rv != Success) {
return rv;
}
context.certStatus = CertStatus::Revoked;
} else {
rv = der::ExpectTagAndLength(input,
static_cast<uint8_t>(CertStatus::Unknown), 0);
if (rv != Success) {
return rv;
}
}
// http://tools.ietf.org/html/rfc6960#section-3.2
// 5. The time at which the status being indicated is known to be
// correct (thisUpdate) is sufficiently recent;
// 6. When available, the time at or before which newer information will
// be available about the status of the certificate (nextUpdate) is
// greater than the current time.
const PRTime maxLifetime =
context.maxLifetimeInDays * ONE_DAY;
PRTime thisUpdate;
rv = der::GeneralizedTime(input, thisUpdate);
if (rv != Success) {
return rv;
}
if (thisUpdate > context.time + SLOP) {
return Fail(SEC_ERROR_OCSP_FUTURE_RESPONSE);
}
PRTime notAfter;
static const uint8_t NEXT_UPDATE_TAG =
der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0;
if (input.Peek(NEXT_UPDATE_TAG)) {
PRTime nextUpdate;
rv = der::Nested(input, NEXT_UPDATE_TAG,
bind(der::GeneralizedTime, _1, ref(nextUpdate)));
if (rv != Success) {
return rv;
}
if (nextUpdate < thisUpdate) {
return Fail(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
}
if (nextUpdate - thisUpdate <= maxLifetime) {
notAfter = nextUpdate;
} else {
notAfter = thisUpdate + maxLifetime;
}
} else {
// NSS requires all OCSP responses without a nextUpdate to be recent.
// Match that stricter behavior.
notAfter = thisUpdate + ONE_DAY;
}
if (context.time < SLOP) { // prevent underflow
return Fail(SEC_ERROR_INVALID_ARGS);
}
if (context.time - SLOP > notAfter) {
context.expired = true;
}
rv = der::OptionalExtensions(input,
der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
ExtensionNotUnderstood);
if (rv != Success) {
return rv;
}
if (context.thisUpdate) {
*context.thisUpdate = thisUpdate;
}
if (context.validThrough) {
*context.validThrough = notAfter;
}
return Success;
}
