1 // Copyright 2013 The Go Authors. All rights reserved. | 1 // Copyright 2013 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 // Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses | 5 // Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses |
6 // are signed messages attesting to the validity of a certificate for a small | 6 // are signed messages attesting to the validity of a certificate for a small |
7 // period of time. This is used to manage revocation for X.509 certificates. | 7 // period of time. This is used to manage revocation for X.509 certificates. |
8 package ocsp | 8 package ocsp |
9 | 9 |
10 import ( | 10 import ( |
164 | 164 |
165 // ParseError results from an invalid OCSP response. | 165 // ParseError results from an invalid OCSP response. |
166 type ParseError string | 166 type ParseError string |
167 | 167 |
168 func (p ParseError) Error() string { | 168 func (p ParseError) Error() string { |
169 return string(p) | 169 return string(p) |
170 } | 170 } |
171 | 171 |
172 // ParseResponse parses an OCSP response in DER form. It only supports | 172 // ParseResponse parses an OCSP response in DER form. It only supports |
173 // responses for a single certificate. If the response contains a certificate | 173 // responses for a single certificate. If the response contains a certificate |
174 // then the signature over the response is checked. Invalid signatures or parse | 174 // then the signature over the response is checked. If issuer is not nil then |
175 // failures will result in a ParseError. | 175 // it will be used to validate the signature or embedded certificate. Invalid |
176 func ParseResponse(bytes []byte) (*Response, error) { | 176 // signatures or parse failures will result in a ParseError. |
| 177 func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) { |
177 var resp responseASN1 | 178 var resp responseASN1 |
178 rest, err := asn1.Unmarshal(bytes, &resp) | 179 rest, err := asn1.Unmarshal(bytes, &resp) |
179 if err != nil { | 180 if err != nil { |
180 return nil, err | 181 return nil, err |
181 } | 182 } |
182 if len(rest) > 0 { | 183 if len(rest) > 0 { |
183 return nil, ParseError("trailing data in OCSP response") | 184 return nil, ParseError("trailing data in OCSP response") |
184 } | 185 } |
185 | 186 |
186 ret := new(Response) | 187 ret := new(Response) |
211 ret.Signature = basicResp.Signature.RightAlign() | 212 ret.Signature = basicResp.Signature.RightAlign() |
212 ret.SignatureAlgorithm = getSignatureAlgorithmFromOID(basicResp.Signatur
eAlgorithm.Algorithm) | 213 ret.SignatureAlgorithm = getSignatureAlgorithmFromOID(basicResp.Signatur
eAlgorithm.Algorithm) |
213 | 214 |
214 if len(basicResp.Certificates) > 0 { | 215 if len(basicResp.Certificates) > 0 { |
215 ret.Certificate, err = x509.ParseCertificate(basicResp.Certifica
tes[0].FullBytes) | 216 ret.Certificate, err = x509.ParseCertificate(basicResp.Certifica
tes[0].FullBytes) |
216 if err != nil { | 217 if err != nil { |
217 return nil, err | 218 return nil, err |
218 } | 219 } |
219 | 220 |
220 if err := ret.CheckSignatureFrom(ret.Certificate); err != nil { | 221 if err := ret.CheckSignatureFrom(ret.Certificate); err != nil { |
| 222 return nil, ParseError("bad OCSP signature") |
| 223 } |
| 224 |
| 225 if issuer != nil { |
| 226 if err := issuer.CheckSignature(ret.Certificate.Signatur
eAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err !
= nil { |
| 227 return nil, ParseError("bad signature on embedde
d certificate") |
| 228 } |
| 229 } |
| 230 } else if issuer != nil { |
| 231 if err := ret.CheckSignatureFrom(issuer); err != nil { |
221 return nil, ParseError("bad OCSP signature") | 232 return nil, ParseError("bad OCSP signature") |
222 } | 233 } |
223 } | 234 } |
224 | 235 |
225 r := basicResp.TBSResponseData.Responses[0] | 236 r := basicResp.TBSResponseData.Responses[0] |
226 | 237 |
227 ret.SerialNumber = r.CertID.SerialNumber | 238 ret.SerialNumber = r.CertID.SerialNumber |
228 | 239 |
229 switch { | 240 switch { |
230 case bool(r.Good): | 241 case bool(r.Good): |
327 }, | 338 }, |
328 issuerNameHash, | 339 issuerNameHash, |
329 issuerKeyHash, | 340 issuerKeyHash, |
330 cert.SerialNumber, | 341 cert.SerialNumber, |
331 }, | 342 }, |
332 }, | 343 }, |
333 }, | 344 }, |
334 }, | 345 }, |
335 }) | 346 }) |
336 } | 347 } |
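Review bot: The new `issuer != nil` branch around right-hand line 226 only verifies that the embedded certificate was signed by issuer; it does not check that the certificate is authorized to act as an OCSP responder, which RFC 2560 §4.2.2.2 expresses as the id-kp-OCSPSigning extended key usage on a delegated responder certificate, so any certificate issued by the same CA would be accepted as a valid signer for responses about other certificates under that CA. The validity window of the embedded certificate is also not examined on the visible lines; whether CheckSignatureFrom covers that cannot be told from this page. A small EKU check after the signature check closes the first gap, using the `x509.ExtKeyUsageOCSPSigning` constant from crypto/x509 (the same `x509` identifier the surrounding code uses). The rest of ParseResponse's body continues outside the visible lines.
```go
		if issuer != nil {
			// … unchanged: issuer.CheckSignature over the embedded certificate …
			// RFC 2560 §4.2.2.2: a delegated responder must carry id-kp-OCSPSigning.
			ocspSigner := false
			for _, eku := range ret.Certificate.ExtKeyUsage {
				if eku == x509.ExtKeyUsageOCSPSigning {
					ocspSigner = true
					break
				}
			}
			if !ocspSigner {
				return nil, ParseError("embedded certificate is not authorized to sign OCSP responses")
			}
		}
		// … unchanged: issuer-only branch, status switch …
```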