// ResponseData ::= SEQUENCE { // version [0] EXPLICIT Version DEFAULT v1, // responderID ResponderID, // producedAt GeneralizedTime, // responses SEQUENCE OF SingleResponse, // responseExtensions [1] EXPLICIT Extensions OPTIONAL } static inline der::Result ResponseData(der::Input& input, Context& context, const CERTSignedData& signedResponseData, /*const*/ SECItem* certs, size_t numCerts) { uint8_t version; if (der::OptionalVersion(input, version) != der::Success) { return der::Failure; } if (version != der::v1) { // TODO: more specific error code for bad version? return der::Fail(SEC_ERROR_BAD_DER); } // ResponderID ::= CHOICE { // byName [1] Name, // byKey [2] KeyHash } SECItem responderID; uint16_t responderIDLength; ResponderIDType responderIDType = input.Peek(static_cast<uint8_t>(ResponderIDType::byName)) ? ResponderIDType::byName : ResponderIDType::byKey; if (ExpectTagAndGetLength(input, static_cast<uint8_t>(responderIDType), responderIDLength) != der::Success) { return der::Failure; } // TODO: responderID probably needs to have another level of ASN1 tag/length // checked and stripped. if (input.Skip(responderIDLength, responderID) != der::Success) { return der::Failure; } // This is the soonest we can verify the signature. We verify the signature // right away to follow the principal of minimizing the processing of data // before verifying its signature. if (VerifySignature(context, responderIDType, responderID, certs, numCerts, signedResponseData) != SECSuccess) { return der::Failure; } // TODO: Do we even need to parse this? Should we just skip it? PRTime producedAt; if (der::GeneralizedTime(input, producedAt) != der::Success) { return der::Failure; } // We don't accept an empty sequence of responses. In practice, a legit OCSP // responder will never return an empty response, and handling the case of an // empty response makes things unnecessarily complicated. if (der::NestedOf(input, der::SEQUENCE, der::SEQUENCE, der::MustNotBeEmpty, bind(SingleResponse, _1, ref(context))) != der::Success) { return der::Failure; } if (!input.AtEnd()) { if (CheckExtensionsForCriticality(input) != der::Success) { return der::Failure; } } return der::Success; }
// SingleResponse ::= SEQUENCE { // certID CertID, // certStatus CertStatus, // thisUpdate GeneralizedTime, // nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, // singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | // re-ocsp-archive-cutoff | // CrlEntryExtensions, ...} // } OPTIONAL } static inline der::Result SingleResponse(der::Input& input, Context& context) { bool match = false; if (der::Nested(input, der::SEQUENCE, bind(CertID, _1, cref(context), ref(match))) != der::Success) { return der::Failure; } if (!match) { // This response does not reference the certificate we're interested in. // By consuming the rest of our input and returning successfully, we can // continue processing and examine another response that might have what // we want. input.SkipToEnd(); return der::Success; } // CertStatus ::= CHOICE { // good [0] IMPLICIT NULL, // revoked [1] IMPLICIT RevokedInfo, // unknown [2] IMPLICIT UnknownInfo } // // In the event of multiple SingleResponses for a cert that have conflicting // statuses, we use the following precedence rules: // // * revoked overrides good and unknown // * good overrides unknown if (input.Peek(static_cast<uint8_t>(CertStatus::Good))) { if (ExpectTagAndLength(input, static_cast<uint8_t>(CertStatus::Good), 0) != der::Success) { return der::Failure; } if (context.certStatus != CertStatus::Revoked) { context.certStatus = CertStatus::Good; } } else if (input.Peek(static_cast<uint8_t>(CertStatus::Revoked))) { // We don't need any info from the RevokedInfo structure, so we don't even // parse it. TODO: We should mention issues like this in the explanation of // why we treat invalid OCSP responses equivalently to revoked for OCSP // stapling. if (der::Skip(input, static_cast<uint8_t>(CertStatus::Revoked)) != der::Success) { return der::Failure; } context.certStatus = CertStatus::Revoked; } else if (ExpectTagAndLength(input, static_cast<uint8_t>(CertStatus::Unknown), 0) != der::Success) { return der::Failure; } // http://tools.ietf.org/html/rfc6960#section-3.2 // 5. The time at which the status being indicated is known to be // correct (thisUpdate) is sufficiently recent; // 6. When available, the time at or before which newer information will // be available about the status of the certificate (nextUpdate) is // greater than the current time. // We won't accept any OCSP responses that are more than 10 days old, even if // the nextUpdate time is further in the future. static const PRTime OLDEST_ACCEPTABLE = INT64_C(10) * ONE_DAY; PRTime thisUpdate; if (der::GeneralizedTime(input, thisUpdate) != der::Success) { return der::Failure; } if (thisUpdate > context.time + SLOP) { return der::Fail(SEC_ERROR_OCSP_FUTURE_RESPONSE); } PRTime notAfter; static const uint8_t NEXT_UPDATE_TAG = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0; if (input.Peek(NEXT_UPDATE_TAG)) { PRTime nextUpdate; if (der::Nested(input, NEXT_UPDATE_TAG, bind(der::GeneralizedTime, _1, ref(nextUpdate))) != der::Success) { return der::Failure; } if (nextUpdate < thisUpdate) { return der::Fail(SEC_ERROR_OCSP_MALFORMED_RESPONSE); } if (nextUpdate - thisUpdate <= OLDEST_ACCEPTABLE) { notAfter = nextUpdate; } else { notAfter = thisUpdate + OLDEST_ACCEPTABLE; } } else { // NSS requires all OCSP responses without a nextUpdate to be recent. // Match that stricter behavior. notAfter = thisUpdate + ONE_DAY; } if (context.time < SLOP) { // prevent underflow return der::Fail(SEC_ERROR_INVALID_ARGS); } if (context.time - SLOP > notAfter) { return der::Fail(SEC_ERROR_OCSP_OLD_RESPONSE); } if (!input.AtEnd()) { if (CheckExtensionsForCriticality(input) != der::Success) { return der::Failure; } } if (context.thisUpdate) { *context.thisUpdate = thisUpdate; } if (context.validThrough) { *context.validThrough = notAfter; } return der::Success; }
// BasicOCSPResponse ::= SEQUENCE { // tbsResponseData ResponseData, // signatureAlgorithm AlgorithmIdentifier, // signature BIT STRING, // certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } der::Result BasicResponse(der::Input& input, Context& context) { der::Input::Mark mark(input.GetMark()); uint16_t length; if (der::ExpectTagAndGetLength(input, der::SEQUENCE, length) != der::Success) { return der::Failure; } // The signature covers the entire DER encoding of tbsResponseData, including // the beginning tag and length. However, when we're parsing tbsResponseData, // we want to strip off the tag and length because we don't need it after // we've confirmed it's there and figured out what length it is. der::Input tbsResponseData; if (input.Skip(length, tbsResponseData) != der::Success) { return der::Failure; } CERTSignedData signedData; input.GetSECItem(siBuffer, mark, signedData.data); if (der::Nested(input, der::SEQUENCE, bind(der::AlgorithmIdentifier, _1, ref(signedData.signatureAlgorithm))) != der::Success) { return der::Failure; } if (der::Skip(input, der::BIT_STRING, signedData.signature) != der::Success) { return der::Failure; } if (signedData.signature.len == 0) { return der::Fail(SEC_ERROR_OCSP_BAD_SIGNATURE); } unsigned int unusedBitsAtEnd = signedData.signature.data[0]; // XXX: Really the constraint should be that unusedBitsAtEnd must be less // than 7. But, we suspect there are no valid OCSP response signatures with // non-zero unused bits. It seems like NSS assumes this in various places, so // we enforce it. If we find compatibility issues, we'll know we're wrong. if (unusedBitsAtEnd != 0) { return der::Fail(SEC_ERROR_OCSP_BAD_SIGNATURE); } ++signedData.signature.data; --signedData.signature.len; signedData.signature.len = (signedData.signature.len << 3); // Bytes to bits // Parse certificates, if any SECItem certs[8]; size_t numCerts = 0; if (!input.AtEnd()) { // We ignore the lengths of the wrappers because we'll detect bad lengths // during parsing--too short and we'll run out of input for parsing a cert, // and too long and we'll have leftover data that won't parse as a cert. // [0] wrapper if (der::ExpectTagAndIgnoreLength( input, der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0) != der::Success) { return der::Failure; } // SEQUENCE wrapper if (der::ExpectTagAndIgnoreLength(input, der::SEQUENCE) != der::Success) { return der::Failure; } // sequence of certificates while (!input.AtEnd()) { if (numCerts == PR_ARRAY_SIZE(certs)) { return der::Fail(SEC_ERROR_BAD_DER); } // Unwrap the SEQUENCE that contains the certificate, which is itself a // SEQUENCE. der::Input::Mark mark(input.GetMark()); if (der::Skip(input, der::SEQUENCE) != der::Success) { return der::Failure; } input.GetSECItem(siBuffer, mark, certs[numCerts]); ++numCerts; } } return ResponseData(tbsResponseData, context, signedData, certs, numCerts); }