|
1 // Copyright (c) 2003-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // requestencoder.cpp |
|
15 // Implementation for OCSP response decoder object. |
|
16 // See RFC2560 S4.2.1 for response specification. |
|
17 // |
|
18 // |
|
19 |
|
20 #include "responsedecoder.h" |
|
21 #include "oids.h" |
|
22 #include <ocsp.h> |
|
23 #include <asn1dec.h> |
|
24 #include <x509cert.h> |
|
25 #include "ocsprequestandresponse.h" |
|
26 |
|
27 // Enum values in DER encoding of response status |
|
28 enum |
|
29 { |
|
30 ESuccessfulEncoding = 0, |
|
31 EMalformedRequestEncoding = 1, |
|
32 EInternalErrorEncoding = 2, |
|
33 ETryLaterEncoding = 3, |
|
34 ESigRequiredEncoding = 5, |
|
35 EUnauthorisedEncoding = 6 |
|
36 }; |
|
37 |
|
38 |
|
39 // Tag values in DER encoded response data |
|
40 const TUint KResponseBytesTag = 0; |
|
41 const TUint KCertificatesTag = 0; |
|
42 |
|
43 /** Version tag number in ResponseData, RFC2560, S4.2.1. */ |
|
44 const TUint KOcspResponseVersionTag = 0; |
|
45 |
|
46 /** |
|
47 Supported OCSP response Version, RFC2560, S4.2.1. |
|
48 This is the integer value in Version, which means response |
|
49 format version 1. |
|
50 */ |
|
51 const TUint KOcspResponseVersion1 = 0; |
|
52 |
|
53 const TUint KResponderIDNameTag = 1; |
|
54 const TUint KResponderIDKeyHashTag = 2; |
|
55 const TUint KResponseExtensionsTag = 1; |
|
56 |
|
57 |
|
58 COCSPResponseDecoder* COCSPResponseDecoder::NewL(const TDesC8& aEncoding) |
|
59 { |
|
60 COCSPResponseDecoder* self = new (ELeave) COCSPResponseDecoder; |
|
61 CleanupStack::PushL(self); |
|
62 self->ConstructL(aEncoding); |
|
63 CleanupStack::Pop(self); |
|
64 return self; |
|
65 } |
|
66 |
|
67 |
|
68 COCSPResponseDecoder::COCSPResponseDecoder() |
|
69 { |
|
70 } |
|
71 |
|
72 |
|
73 COCSPResponseDecoder::~COCSPResponseDecoder() |
|
74 { |
|
75 delete iResponse; |
|
76 } |
|
77 |
|
78 |
|
79 void COCSPResponseDecoder::ConstructL(const TDesC8& aEncoding) |
|
80 { |
|
81 iResponse = new (ELeave) COCSPResponse; |
|
82 |
|
83 // Populate CSignedObject data members |
|
84 iResponse->iKeyFactory = new (ELeave) TX509KeyFactory; // Unconventional class name |
|
85 iResponse->iEncoding = aEncoding.AllocL(); |
|
86 |
|
87 TRAPD(error, DecodeOCSPResponseL(aEncoding)); |
|
88 if (error == KErrArgument || error == KErrNotSupported) |
|
89 { |
|
90 // These arise from problems parsing the data in X509 or ASN1 |
|
91 error = OCSP::EMalformedResponse; |
|
92 } |
|
93 |
|
94 if (error != KErrNone) |
|
95 { |
|
96 // Errors and our status codes go back to the client |
|
97 delete iResponse; |
|
98 iResponse = NULL; |
|
99 User::Leave(error); |
|
100 } |
|
101 } |
|
102 |
|
103 |
|
104 COCSPResponse* COCSPResponseDecoder::TakeResponse() |
|
105 { |
|
106 COCSPResponse* result = iResponse; |
|
107 iResponse = NULL; |
|
108 return result; |
|
109 } |
|
110 |
|
111 |
|
112 CArrayPtr<TASN1DecGeneric>* COCSPResponseDecoder::DecodeSequenceLC(const TDesC8& aEncoding) |
|
113 { |
|
114 CArrayPtr<TASN1DecGeneric>* items = NULL; |
|
115 |
|
116 // Check we've got a sequence |
|
117 TASN1DecGeneric decGen(aEncoding); |
|
118 decGen.InitL(); |
|
119 if (decGen.Tag() != EASN1Sequence) |
|
120 { |
|
121 User::Leave(KErrArgument); |
|
122 } |
|
123 else |
|
124 { |
|
125 // Decode the sequence |
|
126 TASN1DecSequence decSeq; |
|
127 items = decSeq.DecodeDERLC(decGen); |
|
128 } |
|
129 return items; |
|
130 } |
|
131 |
|
132 |
|
133 CArrayPtr<TASN1DecGeneric>* COCSPResponseDecoder::DecodeSequenceLC(const TDesC8& aEncoding, |
|
134 const TInt aMinTerms, |
|
135 const TInt aMaxTerms) |
|
136 { |
|
137 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
138 TInt count = items->Count(); |
|
139 if (count < aMinTerms || count > aMaxTerms) |
|
140 { |
|
141 User::Leave(KErrArgument); |
|
142 } |
|
143 |
|
144 return items; |
|
145 } |
|
146 |
|
147 |
|
148 void COCSPResponseDecoder::DecodeOCSPResponseL(const TDesC8& aEncoding) |
|
149 { |
|
150 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 1, 2); |
|
151 |
|
152 // Use integer decoding for enumerated |
|
153 TASN1DecInteger decInt; |
|
154 TInt status = decInt.DecodeDERShortL(*items->At(0)); |
|
155 if (status == ESuccessfulEncoding) |
|
156 { |
|
157 if (items->Count() != 2) |
|
158 { |
|
159 User::Leave(OCSP::EMalformedResponse); |
|
160 } |
|
161 |
|
162 // Check tag on second part is [0] |
|
163 // We ignore any other parts in the sequence after that |
|
164 TASN1DecGeneric& responseBytesDec = *items->At(1); |
|
165 if (responseBytesDec.Tag() != KResponseBytesTag) |
|
166 { |
|
167 User::Leave(OCSP::EMalformedResponse); |
|
168 } |
|
169 |
|
170 // It's OK, so decode the response bytes object therein |
|
171 DecodeResponseBytesL(responseBytesDec.GetContentDER()); |
|
172 } |
|
173 else |
|
174 { |
|
175 if (items->Count() != 1) |
|
176 { |
|
177 User::Leave(KErrArgument); |
|
178 } |
|
179 |
|
180 switch (status) |
|
181 { |
|
182 case EMalformedRequestEncoding: |
|
183 User::Leave(OCSP::EMalformedRequest); |
|
184 case EInternalErrorEncoding: |
|
185 User::Leave(OCSP::EServerInternalError); |
|
186 break; |
|
187 case ETryLaterEncoding: |
|
188 User::Leave(OCSP::ETryLater); |
|
189 break; |
|
190 case ESigRequiredEncoding: |
|
191 User::Leave(OCSP::ESignatureRequired); |
|
192 break; |
|
193 case EUnauthorisedEncoding: |
|
194 User::Leave(OCSP::EClientUnauthorised); |
|
195 break; |
|
196 default: |
|
197 User::Leave(OCSP::EMalformedResponse); |
|
198 } |
|
199 } |
|
200 CleanupStack::PopAndDestroy(); // items |
|
201 } |
|
202 |
|
203 |
|
204 void COCSPResponseDecoder::DecodeResponseBytesL(const TDesC8& aEncoding) |
|
205 { |
|
206 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 2, 2); |
|
207 |
|
208 TASN1DecObjectIdentifier decOid; |
|
209 HBufC* oid = decOid.DecodeDERL(*items->At(0)); |
|
210 CleanupStack::PushL(oid); |
|
211 if (*oid != KOCSPOidBasic) |
|
212 { |
|
213 User::Leave(OCSP::EUnknownResponseType); |
|
214 } |
|
215 |
|
216 TASN1DecGeneric& response = *items->At(1); |
|
217 if (response.Tag() != EASN1OctetString) |
|
218 { |
|
219 User::Leave(OCSP::EMalformedResponse); |
|
220 } |
|
221 |
|
222 DecodeBasicOCSPResponseL(response.GetContentDER()); |
|
223 |
|
224 CleanupStack::PopAndDestroy(2); // oid, items |
|
225 } |
|
226 |
|
227 |
|
228 void COCSPResponseDecoder::DecodeBasicOCSPResponseL(const TDesC8& aEncoding) |
|
229 { |
|
230 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 4); |
|
231 |
|
232 // First, the ResponseData object |
|
233 DecodeResponseDataL(items->At(0)->Encoding()); |
|
234 |
|
235 // Continue, with the AlgorithmIdentifier |
|
236 iResponse->iSigningAlgorithm = CX509SigningAlgorithmIdentifier::NewL(items->At(1)->Encoding()); |
|
237 |
|
238 // Now move on to the signature |
|
239 TASN1DecBitString encBS; |
|
240 iResponse->iSignature = encBS.ExtractOctetStringL(*items->At(2)); |
|
241 |
|
242 // And finally, the certs (if they're there) |
|
243 if (items->Count() == 4) |
|
244 { |
|
245 // Check explicit tag [0] |
|
246 TASN1DecGeneric& certsDec = *items->At(3); |
|
247 if (certsDec.Tag() != KCertificatesTag) |
|
248 { |
|
249 User::Leave(OCSP::EMalformedResponse); |
|
250 } |
|
251 |
|
252 // It's OK, so decode the response bytes object therein |
|
253 DecodeCertificatesL(certsDec.GetContentDER()); |
|
254 } |
|
255 |
|
256 CleanupStack::PopAndDestroy(); // Cleans up items |
|
257 } |
|
258 |
|
259 |
|
260 void COCSPResponseDecoder::DecodeCertificatesL(const TDesC8& aEncoding) |
|
261 { |
|
262 TASN1DecGeneric dec(aEncoding); |
|
263 dec.InitL(); |
|
264 if (dec.Tag() != EASN1Sequence) |
|
265 { |
|
266 User::Leave(OCSP::EMalformedResponse); |
|
267 } |
|
268 |
|
269 // Just stores a reference to the encoding |
|
270 iResponse->iSigningCerts.Set(dec.GetContentDER()); |
|
271 } |
|
272 |
|
273 |
|
274 void COCSPResponseDecoder::DecodeResponseDataL(const TDesC8& aEncoding) |
|
275 { |
|
276 // This is the signed data |
|
277 iResponse->iSignedData.Set(aEncoding); |
|
278 |
|
279 // version and responseExtensions are optional |
|
280 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 5); |
|
281 |
|
282 TInt seqIndex = 0; // index of currently-parsed item |
|
283 TASN1DecGeneric& item0 = *items->At(0); |
|
284 |
|
285 // If a version number is supplied, it must be the default version, v1, |
|
286 // which is encoded as an integer with value zero. (The version should |
|
287 // not be sent at all if it has the default value - S11.5, ITU-Y X.690 |
|
288 // (07/2002) ASN.1 encoding rules - but some servers can still send it.) |
|
289 if (item0.Class() == EContextSpecific && item0.Tag() == KOcspResponseVersionTag) |
|
290 { |
|
291 TASN1DecGeneric vDecGen(item0.GetContentDER()); |
|
292 vDecGen.InitL(); |
|
293 if (!(vDecGen.Class() == EUniversal && vDecGen.Tag() == EASN1Integer)) |
|
294 { |
|
295 User::Leave(OCSP::EMalformedResponse); |
|
296 } |
|
297 |
|
298 TASN1DecInteger vDecInt; |
|
299 TInt version = vDecInt.DecodeDERShortL(vDecGen); |
|
300 if (version != KOcspResponseVersion1) |
|
301 { |
|
302 User::Leave(OCSP::EMalformedResponse); |
|
303 } |
|
304 ++seqIndex; |
|
305 } |
|
306 |
|
307 TASN1DecGeneric& respIdDecGen = *items->At(seqIndex++); |
|
308 switch (respIdDecGen.Tag()) |
|
309 { |
|
310 case KResponderIDNameTag: |
|
311 // Set to Name DER encoding |
|
312 iResponse->iResponderIDName.Set(respIdDecGen.GetContentDER()); |
|
313 break; |
|
314 case KResponderIDKeyHashTag: |
|
315 { |
|
316 // Set to KeyHash to value within the octet string |
|
317 TASN1DecGeneric keyHashDecGen(respIdDecGen.GetContentDER()); |
|
318 keyHashDecGen.InitL(); |
|
319 iResponse->iResponderIDKeyHash.Set(keyHashDecGen.GetContentDER()); |
|
320 break; |
|
321 } |
|
322 default: |
|
323 User::Leave(OCSP::EMalformedResponse); |
|
324 } |
|
325 |
|
326 |
|
327 // ProducedAt is a GeneralizedTime |
|
328 TASN1DecGeneralizedTime decGT; |
|
329 iResponse->iProducedAt = decGT.DecodeDERL(*items->At(seqIndex++)); |
|
330 |
|
331 // Now the responses themselves |
|
332 DecodeResponsesL(items->At(seqIndex++)->Encoding()); |
|
333 |
|
334 // Continue if extensions exist |
|
335 if (seqIndex < items->Count()) |
|
336 { |
|
337 // Check tag on responseExtensions |
|
338 TASN1DecGeneric& extDecGen = *items->At(seqIndex++); |
|
339 if (extDecGen.Tag() != KResponseExtensionsTag) |
|
340 { |
|
341 User::Leave(OCSP::EMalformedResponse); |
|
342 } |
|
343 |
|
344 DecodeResponseExtensionsL(extDecGen.GetContentDER()); |
|
345 } |
|
346 CleanupStack::PopAndDestroy(items); |
|
347 } |
|
348 |
|
349 |
|
350 void COCSPResponseDecoder::DecodeResponseExtensionsL(const TDesC8& aEncoding) |
|
351 { |
|
352 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
353 TInt count = items->Count(); |
|
354 for (TInt index = 0; index < count; ++index) |
|
355 { |
|
356 DecodeResponseExtensionL(items->At(index)->Encoding()); |
|
357 } |
|
358 |
|
359 CleanupStack::PopAndDestroy(); // items |
|
360 } |
|
361 |
|
362 |
|
363 void COCSPResponseDecoder::DecodeResponseExtensionL(const TDesC8& aEncoding) |
|
364 { |
|
365 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 2, 3); |
|
366 |
|
367 // Get oid |
|
368 TASN1DecGeneric& oid = *items->At(0); |
|
369 if (oid.Tag() != EASN1ObjectIdentifier) |
|
370 { |
|
371 User::Leave(OCSP::EMalformedResponse); |
|
372 } |
|
373 |
|
374 TASN1DecObjectIdentifier oidDec; |
|
375 HBufC* oidVal = oidDec.DecodeDERL(oid); |
|
376 CleanupStack::PushL(oidVal); |
|
377 |
|
378 TBool critical = EFalse; // Default value of critical flag |
|
379 if (items->Count() == 3) |
|
380 { |
|
381 // The critical flag is specified - what does it say? |
|
382 TASN1DecBoolean decBool; |
|
383 critical = decBool.DecodeDERL(*items->At(1)); |
|
384 } |
|
385 |
|
386 TASN1DecGeneric& extnVal = items->Count() == 3 ? *items->At(2) : *items->At(1); |
|
387 if (extnVal.Tag() != EASN1OctetString) |
|
388 { |
|
389 User::Leave(OCSP::EMalformedResponse); |
|
390 } |
|
391 |
|
392 // Check oid to decide what to do |
|
393 if (*oidVal == KOCSPOidNonce) |
|
394 { |
|
395 iResponse->iNonce.Set(extnVal.GetContentDER()); |
|
396 } |
|
397 else if (*oidVal == KOCSPOidArchiveCutoff) |
|
398 { |
|
399 TASN1DecGeneralizedTime decGT; |
|
400 TInt pos = 0; |
|
401 iResponse->iArchiveCutoff = new (ELeave) TTime(decGT.DecodeDERL(extnVal.GetContentDER(), pos)); |
|
402 } |
|
403 else if (critical) |
|
404 { |
|
405 // Didn't understand extension, and it was critical! Erk! |
|
406 User::Leave(OCSP::EUnknownCriticalExtension); |
|
407 } |
|
408 |
|
409 CleanupStack::PopAndDestroy(2); // oidVal, items |
|
410 } |
|
411 |
|
412 |
|
413 void COCSPResponseDecoder::DecodeResponsesL(const TDesC8& aEncoding) |
|
414 { |
|
415 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
416 TInt count = items->Count(); |
|
417 for (TInt index = 0; index < count; ++index) |
|
418 { |
|
419 DecodeSingleResponseL(items->At(index)->Encoding()); |
|
420 } |
|
421 |
|
422 CleanupStack::PopAndDestroy(); // items |
|
423 } |
|
424 |
|
425 |
|
426 void COCSPResponseDecoder::DecodeSingleResponseL(const TDesC8& aEncoding) |
|
427 { |
|
428 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 5); |
|
429 |
|
430 COCSPResponseCertInfo* response = COCSPResponseCertInfo::NewLC(*items); |
|
431 User::LeaveIfError(iResponse->iCertInfos.Append(response)); |
|
432 CleanupStack::Pop(response); // Now owned through iSingleResponses |
|
433 |
|
434 CleanupStack::PopAndDestroy(); // Clean up items |
|
435 } |