Delta Between Two Patch Sets: ocsp/ocsp.go

Issue 11220043: code review 11220043: go.crypto/ocsp: pass in the issuing certificate. (Closed)
Left Patch Set: Created 10 years, 8 months ago
Right Patch Set: diff -r 96563f6f87f6 https://code.google.com/p/go.crypto/ Created 10 years, 8 months ago
1 // Copyright 2013 The Go Authors. All rights reserved. 1 // Copyright 2013 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style 2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file. 3 // license that can be found in the LICENSE file.
4 4
5 // Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses 5 // Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses
6 // are signed messages attesting to the validity of a certificate for a small 6 // are signed messages attesting to the validity of a certificate for a small
7 // period of time. This is used to manage revocation for X.509 certificates. 7 // period of time. This is used to manage revocation for X.509 certificates.
8 package ocsp 8 package ocsp
9 9
10 import ( 10 import (
164 164
165 // ParseError results from an invalid OCSP response. 165 // ParseError results from an invalid OCSP response.
166 type ParseError string 166 type ParseError string
167 167
168 func (p ParseError) Error() string { 168 func (p ParseError) Error() string {
169 return string(p) 169 return string(p)
170 } 170 }
171 171
172 // ParseResponse parses an OCSP response in DER form. It only supports 172 // ParseResponse parses an OCSP response in DER form. It only supports
173 // responses for a single certificate. If the response contains a certificate 173 // responses for a single certificate. If the response contains a certificate
174 // then the signature over the response is checked. Invalid signatures or parse 174 // then the signature over the response is checked. If issuer is not nil then
175 // failures will result in a ParseError. 175 // it will be used to validate the signature or embedded certificate. Invalid
176 func ParseResponse(bytes []byte) (*Response, error) { 176 // signatures or parse failures will result in a ParseError.
177 func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
177 var resp responseASN1 178 var resp responseASN1
178 rest, err := asn1.Unmarshal(bytes, &resp) 179 rest, err := asn1.Unmarshal(bytes, &resp)
179 if err != nil { 180 if err != nil {
180 return nil, err 181 return nil, err
181 } 182 }
182 if len(rest) > 0 { 183 if len(rest) > 0 {
183 return nil, ParseError("trailing data in OCSP response") 184 return nil, ParseError("trailing data in OCSP response")
184 } 185 }
185 186
186 ret := new(Response) 187 ret := new(Response)
211 ret.Signature = basicResp.Signature.RightAlign() 212 ret.Signature = basicResp.Signature.RightAlign()
212 ret.SignatureAlgorithm = getSignatureAlgorithmFromOID(basicResp.Signatur eAlgorithm.Algorithm) 213 ret.SignatureAlgorithm = getSignatureAlgorithmFromOID(basicResp.Signatur eAlgorithm.Algorithm)
213 214
214 if len(basicResp.Certificates) > 0 { 215 if len(basicResp.Certificates) > 0 {
215 ret.Certificate, err = x509.ParseCertificate(basicResp.Certifica tes[0].FullBytes) 216 ret.Certificate, err = x509.ParseCertificate(basicResp.Certifica tes[0].FullBytes)
216 if err != nil { 217 if err != nil {
217 return nil, err 218 return nil, err
218 } 219 }
219 220
220 if err := ret.CheckSignatureFrom(ret.Certificate); err != nil { 221 if err := ret.CheckSignatureFrom(ret.Certificate); err != nil {
222 return nil, ParseError("bad OCSP signature")
223 }
224
225 if issuer != nil {
226 if err := issuer.CheckSignature(ret.Certificate.Signatur eAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err ! = nil {
227 return nil, ParseError("bad signature on embedde d certificate")
228 }
229 }
230 } else if issuer != nil {
231 if err := ret.CheckSignatureFrom(issuer); err != nil {
221 return nil, ParseError("bad OCSP signature") 232 return nil, ParseError("bad OCSP signature")
222 } 233 }
223 } 234 }
224 235
225 r := basicResp.TBSResponseData.Responses[0] 236 r := basicResp.TBSResponseData.Responses[0]
226 237
227 ret.SerialNumber = r.CertID.SerialNumber 238 ret.SerialNumber = r.CertID.SerialNumber
228 239
229 switch { 240 switch {
230 case bool(r.Good): 241 case bool(r.Good):
327 }, 338 },
328 issuerNameHash, 339 issuerNameHash,
329 issuerKeyHash, 340 issuerKeyHash,
330 cert.SerialNumber, 341 cert.SerialNumber,
331 }, 342 },
332 }, 343 },
333 }, 344 },
334 }, 345 },
335 }) 346 })
336 } 347 }
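Review bot: The new `if issuer != nil` branch (right side 225–229) only proves that the embedded certificate was signed by the issuer, not that it is authorized to sign OCSP responses; any end-entity certificate issued by the same CA would pass this check, so its holder could sign a "good" response for a different certificate. RFC 2560 requires a delegated responder certificate to carry the id-kp-OCSPSigning extended key usage, which crypto/x509 exposes as `x509.ExtKeyUsageOCSPSigning` in `Certificate.ExtKeyUsage`, so the branch should reject an embedded certificate that lacks it (a CA signing responses with its own key takes the `else if issuer != nil` path and is unaffected). The response's CertID issuer hashes are also never compared against issuer, which is presumably out of scope for this change. ParseResponse's body continues into the collapsed region after right side 241, so the remainder of the function is not visible here.
```go
		if issuer != nil {
			if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil {
				return nil, ParseError("bad signature on embedded certificate")
			}
			// A delegated responder must be explicitly authorized by the
			// issuer (RFC 2560, 4.2.2.2); being issued by it is not enough.
			hasOCSPSigning := false
			for _, eku := range ret.Certificate.ExtKeyUsage {
				if eku == x509.ExtKeyUsageOCSPSigning {
					hasOCSPSigning = true
					break
				}
			}
			if !hasOCSPSigning {
				return nil, ParseError("embedded certificate is not authorized for OCSP signing")
			}
		}
		// … unchanged: else-if branch checking the response signature against issuer …
```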