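#
# OCSP request/response syntax
#
# Derived from a minimal OCSP library (RFC2560) code written by
# Bud P. Bruegger <bud@ancitel.it>
# Copyright: Ancitel, S.p.a, Rome, Italy
# License: BSD
#
"""ASN.1 syntax for OCSP (RFC 2560) requests and responses, built on pyasn1.

These are wire-format definitions only.  Decoding an ``OCSPResponse`` with
them proves nothing about the certificate it describes; before acting on a
``certStatus`` the caller still has to

* verify ``BasicOCSPResponse.signature`` over the DER of ``tbsResponseData``
  against the issuing CA's key, or a certificate the CA delegated to
  (extendedKeyUsage ``id_kp_OCSPSigning``) that is itself validated;
* check ``thisUpdate`` / ``nextUpdate`` for freshness.  Requests built with
  this module carry no ``id_pkix_ocsp_nonce``, so a captured response can be
  replayed within that window unless the caller adds and checks the nonce;
* treat any ``responseStatus`` other than ``successful`` as "no information",
  never as "good".

Current limitations:

* request and response work only for a single certificate
* only some values are parsed out of the response
* the request doesn't set a nonce nor signature
* there is no signature validation of the response
* dates are left as strings in GeneralizedTime format -- datetime.datetime
  would be nicer
"""
from pyasn1.type import tag, namedtype, namedval, univ, constraint, useful
from pyasn1_modules import rfc2459

# Start of OCSP module definitions

# This should be in directory Authentication Framework (X.509) module


class CRLReason(univ.Enumerated):
    """CRLReason ENUMERATED as used by RevokedInfo.revocationReason.

    Value 7 is deliberately absent: it is unassigned in X.509 / RFC 5280.
    """
    namedValues = namedval.NamedValues(
        ('unspecified', 0),
        ('keyCompromise', 1),
        ('cACompromise', 2),
        ('affiliationChanged', 3),
        ('superseded', 4),
        ('cessationOfOperation', 5),
        ('certificateHold', 6),
        ('removeFromCRL', 8),
        ('privilegeWithdrawn', 9),
        ('aACompromise', 10)
    )

# end of directory Authentication Framework (X.509) module

# This should be in PKIX Certificate Extensions module


class GeneralName(univ.OctetString):
    """Stand-in for the PKIX GeneralName CHOICE.

    NOTE(review): this is a bare OCTET STRING, not the rfc2459 GeneralName
    CHOICE.  A requestorName encoded per RFC 2459 (a context-tagged CHOICE)
    is not expected to decode against this type -- confirm before relying on
    TBSRequest.requestorName.
    """
    pass

# end of PKIX Certificate Extensions module

# Object identifiers from RFC 2560.
# id_kp_OCSPSigning: extendedKeyUsage value a CA puts in a certificate it
# delegates OCSP signing to.  id_pkix_ocsp_nocheck: a responder certificate
# carrying this extension is not itself revocation-checked by clients, so
# trust in it rests entirely on its (ideally short) validity period.
id_kp_OCSPSigning = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 3, 9))
id_pkix_ocsp = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1))
id_pkix_ocsp_basic = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 1))
id_pkix_ocsp_nonce = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 2))
id_pkix_ocsp_crl = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 3))
id_pkix_ocsp_response = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 4))
id_pkix_ocsp_nocheck = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 5))
id_pkix_ocsp_archive_cutoff = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 6))
id_pkix_ocsp_service_locator = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, 48, 1, 7))


class AcceptableResponses(univ.SequenceOf):
    """AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER (the id_pkix_ocsp_response extension value)."""
    componentType = univ.ObjectIdentifier()


class ArchiveCutoff(useful.GeneralizedTime):
    """ArchiveCutoff ::= GeneralizedTime (the id_pkix_ocsp_archive_cutoff extension value)."""
    pass


class UnknownInfo(univ.Null):
    """UnknownInfo ::= NULL -- payload of CertStatus.unknown."""
    pass


class RevokedInfo(univ.Sequence):
    """RevokedInfo: revocationTime plus an optional [0] EXPLICIT CRLReason."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('revocationTime', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('revocationReason', CRLReason().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class CertID(univ.Sequence):
    """CertID: identifies the certificate a request/response is about.

    issuerNameHash and issuerKeyHash are digests (algorithm given by
    hashAlgorithm) of the issuer's name and public key; serialNumber is the
    subject certificate's serial.  A response's certID must be compared
    field by field with the one that was sent before its status is used.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('hashAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('issuerNameHash', univ.OctetString()),
        namedtype.NamedType('issuerKeyHash', univ.OctetString()),
        namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber())
    )


class CertStatus(univ.Choice):
    """CertStatus CHOICE: good [0] IMPLICIT NULL | revoked [1] IMPLICIT RevokedInfo | unknown [2] IMPLICIT UnknownInfo.

    These three are the only alternatives RFC 2560 marks IMPLICIT; 'unknown'
    means the responder has no knowledge of the certificate and must not be
    treated as 'good'.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('good', univ.Null().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('revoked', RevokedInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('unknown', UnknownInfo().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class SingleResponse(univ.Sequence):
    """SingleResponse: status of one CertID.

    thisUpdate / nextUpdate bound the period for which the status is
    asserted; a response with nextUpdate in the past, or thisUpdate far in
    the future, should not be trusted.  Both are left as GeneralizedTime
    strings here.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('certID', CertID()),
        namedtype.NamedType('certStatus', CertStatus()),
        namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


class KeyHash(univ.OctetString):
    """KeyHash ::= OCTET STRING -- per RFC 2560, SHA-1 of the responder's public key (BIT STRING value, tag and length excluded)."""
    pass


class ResponderID(univ.Choice):
    """ResponderID CHOICE: byName [1] Name | byKey [2] KeyHash.

    RFC 2560's OCSP module is declared ``DEFINITIONS EXPLICIT TAGS`` and
    neither alternative is marked IMPLICIT, so both context tags wrap the
    inner type (explicit tagging).  The previous implicit tags here did not
    match what conforming responders emit, so real responder IDs failed to
    decode.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('byName', rfc2459.Name().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.NamedType('byKey', KeyHash().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class Version(univ.Integer):
    """Version ::= INTEGER { v1(0) } -- the only OCSP version defined."""
    namedValues = namedval.NamedValues(('v1', 0))


class ResponseData(univ.Sequence):
    """ResponseData: the to-be-signed part of a BasicOCSPResponse.

    producedAt is when the responder signed this response; each entry of
    'responses' is a SingleResponse.  A nonce, when used, is carried in
    responseExtensions under id_pkix_ocsp_nonce.
    """
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('responderID', ResponderID()),
        namedtype.NamedType('producedAt', useful.GeneralizedTime()),
        namedtype.NamedType('responses', univ.SequenceOf(SingleResponse())),
        namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )


class BasicOCSPResponse(univ.Sequence):
    """BasicOCSPResponse: signed ResponseData.

    'signature' is computed over the DER encoding of tbsResponseData with
    signatureAlgorithm.  'certs' may carry the (delegated) responder
    certificate; it is supplied by the responder and must be chained to the
    issuing CA by the verifier -- its mere presence authorizes nothing.
    Nothing in this module performs that verification.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsResponseData', ResponseData()),
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType('certs', univ.SequenceOf(rfc2459.Certificate()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class ResponseBytes(univ.Sequence):
    """ResponseBytes: responseType OID plus the DER of that response type as an OCTET STRING.

    Check responseType == id_pkix_ocsp_basic before decoding 'response' as a
    BasicOCSPResponse.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseType', univ.ObjectIdentifier()),
        namedtype.NamedType('response', univ.OctetString())
    )


class OCSPResponseStatus(univ.Enumerated):
    """OCSPResponseStatus ENUMERATED.

    Only 'successful' carries responseBytes.  The other values are error
    reports and say nothing about the certificate's status; value 4 is not
    used by RFC 2560 and is kept only so that it decodes instead of failing.
    """
    namedValues = namedval.NamedValues(
        ('successful', 0),
        ('malformedRequest', 1),
        ('internalError', 2),
        ('tryLater', 3),
        ('undefinedStatus', 4),  # should never occur
        ('sigRequired', 5),
        ('unauthorized', 6)
    )


class OCSPResponse(univ.Sequence):
    """OCSPResponse: top-level response -- responseStatus plus optional [0] EXPLICIT ResponseBytes."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('responseStatus', OCSPResponseStatus()),
        namedtype.OptionalNamedType('responseBytes', ResponseBytes().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class Request(univ.Sequence):
    """Request: one CertID to query, plus optional [0] EXPLICIT extensions."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('reqCert', CertID()),
        namedtype.OptionalNamedType('singleRequestExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class Signature(univ.Sequence):
    """Signature: optional requestor signature over the DER of TBSRequest, with optional [0] EXPLICIT certs."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
        namedtype.NamedType('signature', univ.BitString()),
        namedtype.OptionalNamedType('certs', univ.SequenceOf(rfc2459.Certificate()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )


class TBSRequest(univ.Sequence):
    """TBSRequest: the to-be-signed request body.

    requestList holds one Request per certificate queried.  A nonce, when
    used, goes in requestExtensions under id_pkix_ocsp_nonce; this module
    does not add one.  requestorName uses the OCTET STRING placeholder
    GeneralName above.
    """
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('requestorName', GeneralName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('requestList', univ.SequenceOf(Request())),
        namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
    )


class OCSPRequest(univ.Sequence):
    """OCSPRequest: top-level request -- TBSRequest plus optional [0] EXPLICIT Signature."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('tbsRequest', TBSRequest()),
        namedtype.OptionalNamedType('optionalSignature', Signature().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )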