|
1 /* |
|
2 * Copyright (c) 2002-2008 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: OCSP response decoder for given response |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 #include "responsedecoder.h" |
|
20 #include "oids.h" |
|
21 #include "RoapOcsp.h" |
|
22 #include <asn1dec.h> |
|
23 #include <x509cert.h> |
|
24 |
|
25 // Enum values in DER encoding of response status |
|
26 enum |
|
27 { |
|
28 ESuccessfulEncoding = 0, |
|
29 EMalformedRequestEncoding = 1, |
|
30 EInternalErrorEncoding = 2, |
|
31 ETryLaterEncoding = 3, |
|
32 ESigRequiredEncoding = 5, |
|
33 EUnauthorisedEncoding = 6 |
|
34 }; |
|
35 |
|
36 |
|
37 // Tag values in DER encoded response data |
|
38 const TUint KResponseBytesTag = 0; |
|
39 const TUint KCertificatesTag = 0; |
|
40 const TUint KVersionTag = 0; |
|
41 const TUint KResponderIDNameTag = 1; |
|
42 const TUint KReponsderIDKeyHashTag = 2; |
|
43 const TUint KResponseExtensionsTag = 1; |
|
44 |
|
45 |
|
46 COCSPResponseDecoder* COCSPResponseDecoder::NewL(const TDesC8& aEncoding) |
|
47 { |
|
48 COCSPResponseDecoder* self = new (ELeave) COCSPResponseDecoder; |
|
49 CleanupStack::PushL(self); |
|
50 self->ConstructL(aEncoding); |
|
51 CleanupStack::Pop(self); |
|
52 return self; |
|
53 } |
|
54 |
|
55 |
|
56 COCSPResponseDecoder::COCSPResponseDecoder() |
|
57 { |
|
58 } |
|
59 |
|
60 |
|
61 COCSPResponseDecoder::~COCSPResponseDecoder() |
|
62 { |
|
63 delete iResponse; |
|
64 } |
|
65 |
|
66 |
|
67 void COCSPResponseDecoder::ConstructL(const TDesC8& aEncoding) |
|
68 { |
|
69 iResponse = new (ELeave) COCSPResponse; |
|
70 |
|
71 // Populate CSignedObject data members |
|
72 iResponse->iKeyFactory = new (ELeave) TX509KeyFactory; // Unconventional class name |
|
73 iResponse->iEncoding = aEncoding.AllocL(); |
|
74 |
|
75 TRAPD(error, DecodeOCSPResponseL(*iResponse->iEncoding)); |
|
76 if (error == KErrArgument || error == KErrNotSupported) |
|
77 { |
|
78 // These arise from problems parsing the data in X509 or ASN1 |
|
79 error = OCSP::EMalformedResponse; |
|
80 } |
|
81 |
|
82 if (error != KErrNone) |
|
83 { |
|
84 // Errors and our status codes go back to the client |
|
85 delete iResponse; |
|
86 iResponse = NULL; |
|
87 User::Leave(error); |
|
88 } |
|
89 } |
|
90 |
|
91 |
|
92 COCSPResponse* COCSPResponseDecoder::TakeResponse() |
|
93 { |
|
94 COCSPResponse* result = iResponse; |
|
95 iResponse = NULL; |
|
96 return result; |
|
97 } |
|
98 |
|
99 |
|
100 CArrayPtr<TASN1DecGeneric>* COCSPResponseDecoder::DecodeSequenceLC(const TDesC8& aEncoding) |
|
101 { |
|
102 CArrayPtr<TASN1DecGeneric>* items = NULL; |
|
103 |
|
104 // Check we've got a sequence |
|
105 TASN1DecGeneric decGen(aEncoding); |
|
106 decGen.InitL(); |
|
107 if (decGen.Tag() != EASN1Sequence) |
|
108 { |
|
109 User::Leave(KErrArgument); |
|
110 } |
|
111 else |
|
112 { |
|
113 // Decode the sequence |
|
114 TASN1DecSequence decSeq; |
|
115 items = decSeq.DecodeDERLC(decGen); |
|
116 } |
|
117 return items; |
|
118 } |
|
119 |
|
120 |
|
121 CArrayPtr<TASN1DecGeneric>* COCSPResponseDecoder::DecodeSequenceLC(const TDesC8& aEncoding, |
|
122 const TInt aMinTerms, |
|
123 const TInt aMaxTerms) |
|
124 { |
|
125 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
126 TInt count = items->Count(); |
|
127 if (count < aMinTerms || count > aMaxTerms) |
|
128 { |
|
129 // User::Leave(KErrArgument); |
|
130 } |
|
131 |
|
132 return items; |
|
133 } |
|
134 |
|
135 |
|
136 void COCSPResponseDecoder::DecodeOCSPResponseL(const TDesC8& aEncoding) |
|
137 { |
|
138 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 1, 2); |
|
139 |
|
140 // Use integer decoding for enumerated |
|
141 TASN1DecInteger decInt; |
|
142 TInt status = decInt.DecodeDERShortL(*items->At(0)); |
|
143 if (status == ESuccessfulEncoding) |
|
144 { |
|
145 if (items->Count() != 2) |
|
146 { |
|
147 User::Leave(OCSP::EMalformedResponse); |
|
148 } |
|
149 |
|
150 // Check tag on second part is [0] |
|
151 // We ignore any other parts in the sequence after that |
|
152 TASN1DecGeneric& responseBytesDec = *items->At(1); |
|
153 if (responseBytesDec.Tag() != KResponseBytesTag) |
|
154 { |
|
155 User::Leave(OCSP::EMalformedResponse); |
|
156 } |
|
157 |
|
158 // It's OK, so decode the response bytes object therein |
|
159 DecodeResponseBytesL(responseBytesDec.GetContentDER()); |
|
160 } |
|
161 else |
|
162 { |
|
163 if (items->Count() != 1) |
|
164 { |
|
165 User::Leave(KErrArgument); |
|
166 } |
|
167 |
|
168 switch (status) |
|
169 { |
|
170 case EMalformedRequestEncoding: |
|
171 User::Leave(OCSP::EMalformedRequest); |
|
172 case EInternalErrorEncoding: |
|
173 User::Leave(OCSP::EServerInternalError); |
|
174 break; |
|
175 case ETryLaterEncoding: |
|
176 User::Leave(OCSP::ETryLater); |
|
177 break; |
|
178 case ESigRequiredEncoding: |
|
179 User::Leave(OCSP::ESignatureRequired); |
|
180 break; |
|
181 case EUnauthorisedEncoding: |
|
182 User::Leave(OCSP::EClientUnauthorised); |
|
183 break; |
|
184 default: |
|
185 User::Leave(OCSP::EMalformedResponse); |
|
186 } |
|
187 } |
|
188 CleanupStack::PopAndDestroy(items); |
|
189 } |
|
190 |
|
191 |
|
192 void COCSPResponseDecoder::DecodeResponseBytesL(const TDesC8& aEncoding) |
|
193 { |
|
194 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 2, 2); |
|
195 |
|
196 TASN1DecObjectIdentifier decOid; |
|
197 HBufC* oid = decOid.DecodeDERL(*items->At(0)); |
|
198 CleanupStack::PushL(oid); |
|
199 if (*oid != KOCSPOidBasic) |
|
200 { |
|
201 User::Leave(OCSP::EUnknownResponseType); |
|
202 } |
|
203 |
|
204 TASN1DecGeneric& response = *items->At(1); |
|
205 if (response.Tag() != EASN1OctetString) |
|
206 { |
|
207 User::Leave(OCSP::EMalformedResponse); |
|
208 } |
|
209 |
|
210 DecodeBasicOCSPResponseL(response.GetContentDER()); |
|
211 |
|
212 CleanupStack::PopAndDestroy(2, items); // oid, items |
|
213 } |
|
214 |
|
215 |
|
216 void COCSPResponseDecoder::DecodeBasicOCSPResponseL(const TDesC8& aEncoding) |
|
217 { |
|
218 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 4); |
|
219 |
|
220 // First, the ResponseData object |
|
221 DecodeResponseDataL(items->At(0)->Encoding()); |
|
222 |
|
223 // Continue, with the AlgorithmIdentifier |
|
224 iResponse->iSigningAlgorithm = CX509SigningAlgorithmIdentifier::NewL(items->At(1)->Encoding()); |
|
225 |
|
226 // Now move on to the signature |
|
227 TASN1DecBitString encBS; |
|
228 iResponse->iSignature = encBS.ExtractOctetStringL(*items->At(2)); |
|
229 |
|
230 // And finally, the certs (if they're there) |
|
231 if (items->Count() == 4) |
|
232 { |
|
233 // Check explicit tag [0] |
|
234 TASN1DecGeneric& certsDec = *items->At(3); |
|
235 if (certsDec.Tag() != KCertificatesTag) |
|
236 { |
|
237 User::Leave(OCSP::EMalformedResponse); |
|
238 } |
|
239 |
|
240 // It's OK, so decode the response bytes object therein |
|
241 DecodeCertificatesL(certsDec.GetContentDER()); |
|
242 } |
|
243 |
|
244 CleanupStack::PopAndDestroy(items); |
|
245 } |
|
246 |
|
247 |
|
248 void COCSPResponseDecoder::DecodeCertificatesL(const TDesC8& aEncoding) |
|
249 { |
|
250 TASN1DecGeneric dec(aEncoding); |
|
251 dec.InitL(); |
|
252 if (dec.Tag() != EASN1Sequence) |
|
253 { |
|
254 User::Leave(OCSP::EMalformedResponse); |
|
255 } |
|
256 |
|
257 // Just stores a reference to the encoding |
|
258 iResponse->iSigningCerts.Set(dec.GetContentDER()); |
|
259 } |
|
260 |
|
261 |
|
262 void COCSPResponseDecoder::DecodeResponseDataL(const TDesC8& aEncoding) |
|
263 { |
|
264 TInt index = 0; |
|
265 |
|
266 // This is the signed data |
|
267 iResponse->iSignedData.Set(aEncoding); |
|
268 |
|
269 // Exclude 5 items in sequence - defaulted version v1 shouldn't appear in DER |
|
270 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 4); |
|
271 |
|
272 // First item is responderID choice, or maybe version |
|
273 TASN1DecGeneric& item0 = *items->At(index); // index = 0 |
|
274 |
|
275 ++index; |
|
276 |
|
277 switch (item0.Tag()) |
|
278 { |
|
279 case KResponderIDNameTag: |
|
280 // Set to Name DER encoding |
|
281 iResponse->iResponderIDName.Set(item0.GetContentDER()); |
|
282 break; |
|
283 case KReponsderIDKeyHashTag: |
|
284 { |
|
285 // Set to KeyHash to value within the octet string |
|
286 TASN1DecGeneric decGen(item0.GetContentDER()); |
|
287 decGen.InitL(); |
|
288 iResponse->iResponderIDKeyHash.Set(decGen.GetContentDER()); |
|
289 break; |
|
290 } |
|
291 case KVersionTag: |
|
292 { |
|
293 // skip the version, the next one should be responderID |
|
294 TASN1DecGeneric item1 = *items->At(index); // index = 1 |
|
295 ++index; |
|
296 if (item1.Tag() == KResponderIDNameTag) |
|
297 { |
|
298 iResponse->iResponderIDName.Set(item1.GetContentDER()); |
|
299 break; |
|
300 } |
|
301 else if (item1.Tag() == KReponsderIDKeyHashTag) |
|
302 { |
|
303 TASN1DecGeneric decGen(item1.GetContentDER()); |
|
304 decGen.InitL(); |
|
305 iResponse->iResponderIDKeyHash.Set(decGen.GetContentDER()); |
|
306 break; |
|
307 } |
|
308 else |
|
309 { |
|
310 // falling through... |
|
311 } |
|
312 } |
|
313 default: |
|
314 User::Leave(OCSP::EMalformedResponse); |
|
315 } |
|
316 |
|
317 |
|
318 // ProducedAt is a GeneralizedTime |
|
319 TASN1DecGeneralizedTime decGT; |
|
320 iResponse->iProducedAt = decGT.DecodeDERL(*items->At(index)); // index = 1 | 2 |
|
321 ++index; |
|
322 |
|
323 // Now the responses themselves |
|
324 DecodeResponsesL(items->At(index)->Encoding()); // index = 2 | 3 |
|
325 ++index; |
|
326 |
|
327 // Continue if extensions exist |
|
328 if (items->Count() == index + 1) // index = 3 | 4 |
|
329 { |
|
330 // Check tag on responseExtensions |
|
331 TASN1DecGeneric& item3 = *items->At(index); |
|
332 if (item3.Tag() != KResponseExtensionsTag) |
|
333 { |
|
334 User::Leave(OCSP::EMalformedResponse); |
|
335 } |
|
336 |
|
337 DecodeResponseExtensionsL(item3.GetContentDER()); |
|
338 } |
|
339 CleanupStack::PopAndDestroy(items); |
|
340 } |
|
341 |
|
342 |
|
343 void COCSPResponseDecoder::DecodeResponseExtensionsL(const TDesC8& aEncoding) |
|
344 { |
|
345 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
346 TInt count = items->Count(); |
|
347 for (TInt index = 0; index < count; ++index) |
|
348 { |
|
349 DecodeResponseExtensionL(items->At(index)->Encoding()); |
|
350 } |
|
351 |
|
352 CleanupStack::PopAndDestroy(items); |
|
353 } |
|
354 |
|
355 |
|
356 void COCSPResponseDecoder::DecodeResponseExtensionL(const TDesC8& aEncoding) |
|
357 { |
|
358 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 2, 3); |
|
359 |
|
360 // Get oid |
|
361 TASN1DecGeneric& oid = *items->At(0); |
|
362 if (oid.Tag() != EASN1ObjectIdentifier) |
|
363 { |
|
364 User::Leave(OCSP::EMalformedResponse); |
|
365 } |
|
366 |
|
367 TASN1DecObjectIdentifier oidDec; |
|
368 HBufC* oidVal = oidDec.DecodeDERL(oid); |
|
369 CleanupStack::PushL(oidVal); |
|
370 |
|
371 TBool critical = EFalse; // Default value of critical flag |
|
372 if (items->Count() == 3) |
|
373 { |
|
374 // The critical flag is specified - what does it say? |
|
375 TASN1DecBoolean decBool; |
|
376 critical = decBool.DecodeDERL(*items->At(1)); |
|
377 } |
|
378 |
|
379 TASN1DecGeneric& extnVal = items->Count() == 3 ? *items->At(2) : *items->At(1); |
|
380 if (extnVal.Tag() != EASN1OctetString) |
|
381 { |
|
382 User::Leave(OCSP::EMalformedResponse); |
|
383 } |
|
384 |
|
385 // Check oid to decide what to do |
|
386 if (*oidVal == KOCSPOidNonce) |
|
387 { |
|
388 iResponse->iNonce.Set(extnVal.GetContentDER()); |
|
389 } |
|
390 else if (*oidVal == KOCSPOidArchiveCutoff) |
|
391 { |
|
392 TASN1DecGeneralizedTime decGT; |
|
393 TInt pos = 0; |
|
394 iResponse->iArchiveCutoff = new (ELeave) TTime(decGT.DecodeDERL(extnVal.GetContentDER(), pos)); |
|
395 } |
|
396 else if (critical) |
|
397 { |
|
398 // Didn't understand extension, and it was critical! Erk! |
|
399 User::Leave(OCSP::EUnknownCriticalExtension); |
|
400 } |
|
401 |
|
402 CleanupStack::PopAndDestroy(2, items); // oidVal, items |
|
403 } |
|
404 |
|
405 |
|
406 void COCSPResponseDecoder::DecodeResponsesL(const TDesC8& aEncoding) |
|
407 { |
|
408 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding); |
|
409 TInt count = items->Count(); |
|
410 for (TInt index = 0; index < count; ++index) |
|
411 { |
|
412 DecodeSingleResponseL(items->At(index)->Encoding()); |
|
413 } |
|
414 |
|
415 CleanupStack::PopAndDestroy(items); |
|
416 } |
|
417 |
|
418 |
|
419 void COCSPResponseDecoder::DecodeSingleResponseL(const TDesC8& aEncoding) |
|
420 { |
|
421 CArrayPtr<TASN1DecGeneric>* items = DecodeSequenceLC(aEncoding, 3, 5); |
|
422 |
|
423 COCSPResponseCertInfo* response = COCSPResponseCertInfo::NewLC(*items); |
|
424 User::LeaveIfError(iResponse->iCertInfos.Append(response)); |
|
425 CleanupStack::Pop(response); // Now owned through iSingleResponses |
|
426 |
|
427 CleanupStack::PopAndDestroy(items); |
|
428 } |