Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP2
erlang.30244
feature-upstream-ocsp-2.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File feature-upstream-ocsp-2.patch of Package erlang.30244
From ccb20d8a61165ddfc0edf584c9cbc3c2e7197f70 Mon Sep 17 00:00:00 2001 From: Ao Song <andy@erlang.org> Date: Mon, 6 Jul 2020 15:20:06 +0200 Subject: [PATCH] public_key: Add initial support for OCSP --- lib/public_key/asn1/OCSP-2013-88.asn1 | 148 +++++++++ lib/public_key/asn1/OTP-PUB-KEY.set.asn | 1 + lib/public_key/src/Makefile | 3 +- lib/public_key/src/pubkey_ocsp.erl | 356 ++++++++++++++++++++ lib/public_key/src/public_key.app.src | 1 + lib/public_key/src/public_key.erl | 57 +++- lib/public_key/test/pubkey_ocsp_SUITE.erl | 376 ++++++++++++++++++++++ 7 files changed, 940 insertions(+), 2 deletions(-) create mode 100644 lib/public_key/asn1/OCSP-2013-88.asn1 create mode 100644 lib/public_key/src/pubkey_ocsp.erl create mode 100644 lib/public_key/test/pubkey_ocsp_SUITE.erl diff --git a/lib/public_key/asn1/OCSP-2013-88.asn1 b/lib/public_key/asn1/OCSP-2013-88.asn1 new file mode 100644 index 000000000000..6e937f617448 --- /dev/null +++ b/lib/public_key/asn1/OCSP-2013-88.asn1 @@ -0,0 +1,148 @@ +-- OCSP definition from RFC6960, 1998 Syntax + +OCSP-2013-88 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-ocsp-2013-88(81) +} + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +IMPORTS + + -- PKIX Certificate Extensions + AuthorityInfoAccessSyntax, CRLReason, GeneralName + FROM PKIX1Implicit88 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-implicit(19) } + + Name, CertificateSerialNumber, Extensions, + id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier + FROM PKIX1Explicit88 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit(18) }; + +OCSPRequest ::= SEQUENCE { + tbsRequest TBSRequest, + optionalSignature [0] EXPLICIT Signature OPTIONAL } + +TBSRequest ::= SEQUENCE { + version [0] EXPLICIT Version DEFAULT v1, + requestorName [1] EXPLICIT GeneralName OPTIONAL, + requestList SEQUENCE OF Request, + requestExtensions [2] EXPLICIT Extensions OPTIONAL } + +Signature ::= SEQUENCE { + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING, + certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + +Version ::= INTEGER { v1(0) } + +Request ::= SEQUENCE { + reqCert CertID, + singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } + +CertID ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + issuerNameHash OCTET STRING, -- Hash of issuer's DN + issuerKeyHash OCTET STRING, -- Hash of issuer's public key + serialNumber CertificateSerialNumber } + +OCSPResponse ::= SEQUENCE { + responseStatus OCSPResponseStatus, + responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } + +OCSPResponseStatus ::= ENUMERATED { + successful (0), -- Response has valid confirmations + malformedRequest (1), -- Illegal confirmation request + internalError (2), -- Internal error in issuer + tryLater (3), -- Try again later + -- (4) is not used + sigRequired (5), -- Must sign the request + unauthorized (6) -- Request unauthorized +} + +ResponseBytes ::= SEQUENCE { + responseType OBJECT IDENTIFIER, + response OCTET STRING } + +BasicOCSPResponse ::= SEQUENCE { + tbsResponseData ResponseData, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING, + certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + +ResponseData ::= SEQUENCE { + version [0] EXPLICIT Version DEFAULT v1, + responderID ResponderID, + producedAt GeneralizedTime, + responses SEQUENCE OF SingleResponse, + responseExtensions [1] EXPLICIT Extensions OPTIONAL } + +ResponderID ::= CHOICE { + byName [1] Name, + byKey [2] KeyHash } + +KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key + -- (i.e., the SHA-1 hash of the value of the + -- BIT STRING subjectPublicKey [excluding + -- the tag, length, and number of unused + -- bits] in the responder's certificate) + +SingleResponse ::= SEQUENCE { + certID CertID, + certStatus CertStatus, + thisUpdate GeneralizedTime, + nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, + singleExtensions [1] EXPLICIT Extensions OPTIONAL } + +CertStatus ::= CHOICE { + good [0] IMPLICIT NULL, + revoked [1] IMPLICIT RevokedInfo, + unknown [2] IMPLICIT UnknownInfo } + +RevokedInfo ::= SEQUENCE { + revocationTime GeneralizedTime, + revocationReason [0] EXPLICIT CRLReason OPTIONAL } + +UnknownInfo ::= NULL + +ArchiveCutoff ::= GeneralizedTime + +AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER + +ServiceLocator ::= SEQUENCE { + issuer Name, + locator AuthorityInfoAccessSyntax } + +CrlID ::= SEQUENCE { + crlUrl [0] EXPLICIT IA5String OPTIONAL, + crlNum [1] EXPLICIT INTEGER OPTIONAL, + crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } + +PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm + +PreferredSignatureAlgorithm ::= SEQUENCE { + sigIdentifier AlgorithmIdentifier, + certIdentifier AlgorithmIdentifier OPTIONAL } + +Nonce ::= OCTET STRING + +-- Object Identifiers + +id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } +id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } +id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } +id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } +id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } +id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } +id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } +id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } +id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } +id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } +id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } + +END diff --git a/lib/public_key/asn1/OTP-PUB-KEY.set.asn b/lib/public_key/asn1/OTP-PUB-KEY.set.asn index 7ab1684ff332..74964a1c8fe1 100644 --- a/lib/public_key/asn1/OTP-PUB-KEY.set.asn +++ b/lib/public_key/asn1/OTP-PUB-KEY.set.asn @@ -11,4 +11,5 @@ PKCS-7.asn1 PKCS-10.asn1 RFC5639.asn1 CMSAesRsaesOaep.asn1 +OCSP-2013-88.asn1 diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile index e61390bce37f..76bdffe0893d 100644 --- a/lib/public_key/src/Makefile +++ b/lib/public_key/src/Makefile @@ -46,7 +46,8 @@ MODULES = \ pubkey_pbe \ pubkey_cert \ pubkey_cert_records \ - pubkey_crl + pubkey_crl\ + pubkey_ocsp HRL_FILES = $(INCLUDE)/public_key.hrl diff --git a/lib/public_key/src/pubkey_ocsp.erl b/lib/public_key/src/pubkey_ocsp.erl new file mode 100644 index 000000000000..2d9367dcdbef --- /dev/null +++ b/lib/public_key/src/pubkey_ocsp.erl @@ -0,0 +1,356 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2008-2020. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +-module(pubkey_ocsp). + +-include("public_key.hrl"). + +-export([otp_cert/1, get_ocsp_responder_id/1, get_nonce/0, get_nonce_extn/1, + decode_ocsp_response/1, verify_ocsp_response/3, + get_acceptable_response_types_extn/0, find_single_response/3]). + +%%-------------------------------------------------------------------- +-spec verify_ocsp_response(binary(), list(), undefined | binary()) -> + {ok, term()} | {error, term()}. +%% +%% Description: Verify the OCSP response to get the certificate status +%%-------------------------------------------------------------------- +verify_ocsp_response(OCSPResponseDer, ResponderCerts, Nonce) -> + do_verify_ocsp_response( + decode_ocsp_response(OCSPResponseDer), ResponderCerts, Nonce + ). + +%%-------------------------------------------------------------------- +-spec do_verify_ocsp_response({ok, #'BasicOCSPResponse'{}} | {error, term()}, + list(), undefined | binary()) -> + {ok, term()} | {error, term()}. +%% +%% Description: Verify the OCSP response to get the certificate status +%%-------------------------------------------------------------------- +do_verify_ocsp_response( + {ok, #'BasicOCSPResponse'{ + tbsResponseData = ResponseData, + signatureAlgorithm = SignatureAlgo, + signature = Signature, + certs = Certs + }}, ResponderCerts, Nonce) -> + + #'ResponseData'{ + responderID = ResponderID + } = ResponseData, + + case verify_ocsp_signature( + public_key:der_encode('ResponseData', ResponseData), + SignatureAlgo#'AlgorithmIdentifier'.algorithm, + Signature, Certs ++ ResponderCerts, + ResponderID) of + ok -> + verify_ocsp_nonce(ResponseData, Nonce); + {error, Reason} -> + {error, Reason} + end; +do_verify_ocsp_response({error, Reason}, _ResponderCerts, _Nonce) -> + {error, Reason}. + +%%-------------------------------------------------------------------- +-spec verify_ocsp_nonce(#'ResponseData'{}, undefined | binary()) -> + {ok, term()} | {error, nonce_mismatch}. +%% +%% Description: Check if the nonces matches in OCSP response +%%-------------------------------------------------------------------- +verify_ocsp_nonce(ResponseData, Nonce) -> + #'ResponseData'{ + responses = Responses, + responseExtensions = ResponseExtns + } = ResponseData, + + case get_nonce_value(ResponseExtns) of + Nonce -> + {ok, Responses}; + _Other -> + {error, nonce_mismatch} + end. + +%%-------------------------------------------------------------------- +-spec get_nonce_value(asn1_NOVALUE | list()) -> + undefined | binary(). +%% +%% Description: Get the nonce value from extensions +%%-------------------------------------------------------------------- +%% no extensions present in response +get_nonce_value(asn1_NOVALUE) -> + undefined; +%% extensions exist, but no oscp nonce +get_nonce_value([]) -> + undefined; +get_nonce_value([#'Extension'{ + extnID = ?'id-pkix-ocsp-nonce', + extnValue = Value} | _Extns]) -> + Value; +get_nonce_value([_Extn | Rest]) -> + get_nonce_value(Rest). + +%%-------------------------------------------------------------------- +-spec decode_ocsp_response(binary()) -> + {ok, #'BasicOCSPResponse'{}} | {error, term()}. +%% +%% Description: Decode the OCSP response der +%%-------------------------------------------------------------------- +decode_ocsp_response(Response) -> + Resp = public_key:der_decode('OCSPResponse', Response), + case Resp#'OCSPResponse'.responseStatus of + successful -> + decode_response_bytes( + Resp#'OCSPResponse'.responseBytes + ); + Error -> + {error, Error} + end. + +%%-------------------------------------------------------------------- +-spec decode_response_bytes(#'ResponseBytes'{}) -> + {ok, #'BasicOCSPResponse'{}} | {error, term()}. +%% +%% Description: Get basic ocsp response field +%%-------------------------------------------------------------------- +decode_response_bytes(#'ResponseBytes'{ + responseType = ?'id-pkix-ocsp-basic', + response = Data}) -> + {ok, public_key:der_decode('BasicOCSPResponse', Data)}; +decode_response_bytes(#'ResponseBytes'{responseType = RespType}) -> + {error, {ocsp_response_type_not_supported, RespType}}. + +%%-------------------------------------------------------------------- +-spec verify_ocsp_signature(binary(), term(), term(), list(), term()) -> + ok | {error, term()}. +%% +%% Description: Verify the signature of OCSP response +%%-------------------------------------------------------------------- +verify_ocsp_signature( + ResponseDataDer, SignatureAlgo, Signature, Certs, ResponderID) -> + case find_responder_cert(ResponderID, Certs) of + {ok, Cert} -> + do_verify_ocsp_signature( + ResponseDataDer, Signature, SignatureAlgo, Cert); + {error, Reason} -> + {error, Reason} + end. + +%%-------------------------------------------------------------------- +-spec find_responder_cert(term(), list()) -> + {ok, #'Certificate'{} | #'OTPCertificate'{}} | {error, term()}. +%% +%% Description: Find the OCSP responder's cert in input list +%%-------------------------------------------------------------------- +find_responder_cert(_ResponderID, []) -> + {error, ocsp_responder_cert_not_found}; +find_responder_cert(ResponderID, [Cert | TCerts]) -> + case is_responder(ResponderID, Cert) of + true -> + {ok, Cert}; + false -> + find_responder_cert(ResponderID, TCerts) + end. + +%%-------------------------------------------------------------------- +-spec do_verify_ocsp_signature( + binary(), term(), term(), #'Certificate'{} | #'OTPCertificate'{}) -> + ok | {error, term()}. +%% +%% Description: Verify the signature of OCSP response +%%-------------------------------------------------------------------- +do_verify_ocsp_signature(ResponseDataDer, Signature, AlgorithmID, Cert) -> + {DigestType, _SignatureType} = public_key:pkix_sign_types(AlgorithmID), + case public_key:verify( + ResponseDataDer, DigestType, Signature, + get_public_key_rec(Cert)) of + true -> + ok; + false -> + {error, ocsp_response_bad_signature} + end. + +%%-------------------------------------------------------------------- +-spec get_public_key_rec(#'Certificate'{} | #'OTPCertificate'{}) -> + term(). +%% +%% Description: Get the subject public key field +%%-------------------------------------------------------------------- +get_public_key_rec(#'Certificate'{} = Cert) -> + get_public_key_rec(otp_cert(Cert)); +get_public_key_rec(#'OTPCertificate'{tbsCertificate = TbsCert}) -> + PKInfo = TbsCert#'OTPTBSCertificate'.subjectPublicKeyInfo, + PKInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey. + +%%-------------------------------------------------------------------- +-spec is_responder(tuple(), #'Certificate'{} | #'OTPCertificate'{}) -> + boolean(). +%% +%% Description: Check if is OCSP responder's cert +%%-------------------------------------------------------------------- +is_responder({byName, Name}, Cert) -> + public_key:der_encode('Name', Name) == get_subject_name(Cert); +is_responder({byKey, Key}, Cert) -> + Key == crypto:hash(sha, get_public_key(Cert)). + +%%-------------------------------------------------------------------- +-spec otp_cert(#'Certificate'{} | #'OTPCertificate'{} | binary()) -> + #'OTPCertificate'{}. +%% +%% Description: Convert to #'OTPCertificate'{} +%%-------------------------------------------------------------------- +otp_cert(#'OTPCertificate'{} = Cert) -> + Cert; +otp_cert(#'Certificate'{} = Cert) -> + public_key:pkix_decode_cert( + public_key:der_encode('Certificate', Cert), otp); +otp_cert(CertDer) when is_binary(CertDer) -> + public_key:pkix_decode_cert(CertDer, otp). + +%%-------------------------------------------------------------------- +-spec get_ocsp_responder_id(#'Certificate'{}) -> binary(). +%% +%% Description: Get the OCSP responder ID der +%%-------------------------------------------------------------------- +get_ocsp_responder_id(#'Certificate'{tbsCertificate = TbsCert}) -> + public_key:der_encode( + 'ResponderID', {byName, TbsCert#'TBSCertificate'.subject}). + +%%-------------------------------------------------------------------- +-spec get_subject_name(#'Certificate'{} | #'OTPCertificate'{}) -> binary(). +%% +%% Description: Get the subject der from cert +%%-------------------------------------------------------------------- +get_subject_name(#'Certificate'{} = Cert) -> + get_subject_name(otp_cert(Cert)); +get_subject_name(#'OTPCertificate'{tbsCertificate = TbsCert}) -> + public_key:pkix_encode('Name', TbsCert#'OTPTBSCertificate'.subject, otp). + +%%-------------------------------------------------------------------- +-spec get_public_key(#'Certificate'{} | #'OTPCertificate'{}) -> binary(). +%% +%% Description: Get the public key from cert +%%-------------------------------------------------------------------- +get_public_key(#'Certificate'{} = Cert) -> + get_public_key(otp_cert(Cert)); +get_public_key(#'OTPCertificate'{tbsCertificate = TbsCert}) -> + PKInfo = TbsCert#'OTPTBSCertificate'.subjectPublicKeyInfo, + enc_pub_key(PKInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey). + +enc_pub_key(Key = #'RSAPublicKey'{}) -> + public_key:der_encode('RSAPublicKey', Key); +enc_pub_key({DsaInt, #'Dss-Parms'{}}) when is_integer(DsaInt) -> + public_key:der_encode('DSAPublicKey', DsaInt); +enc_pub_key({#'ECPoint'{point = Key}, _ECParam}) -> + Key. + +%%-------------------------------------------------------------------- +-spec get_nonce() -> binary(). +%% +%% Description: Get an OCSP nonce +%%-------------------------------------------------------------------- +get_nonce() -> + public_key:der_encode('Nonce', crypto:strong_rand_bytes(8)). + +%%-------------------------------------------------------------------- +-spec get_nonce_extn(undefined | binary()) -> undefined | #'Extension'{}. +%% +%% Description: Get an OCSP nonce der +%%-------------------------------------------------------------------- +get_nonce_extn(undefined) -> + undefined; +get_nonce_extn(Nonce) when is_binary(Nonce) -> + #'Extension'{ + extnID = ?'id-pkix-ocsp-nonce', + extnValue = Nonce + }. + +%%-------------------------------------------------------------------- +-spec get_acceptable_response_types_extn() -> #'Extension'{}. +%% +%% Description: Get an acceptable response types der +%%-------------------------------------------------------------------- +get_acceptable_response_types_extn() -> + #'Extension'{ + extnID = ?'id-pkix-ocsp-response', + extnValue = public_key:der_encode( + 'AcceptableResponses', [?'id-pkix-ocsp-basic']) + }. + +%%-------------------------------------------------------------------- +-spec get_serial_num(binary | #'Certificate'{} | #'OTPCertificate'{}) -> + term(). +%% +%% Description: Get the serial number of a certificate +%%-------------------------------------------------------------------- +get_serial_num(Cert) -> + #'OTPCertificate'{tbsCertificate = TbsCert} = otp_cert(Cert), + TbsCert#'OTPTBSCertificate'.serialNumber. + + +%%-------------------------------------------------------------------- +-spec find_single_response( + binary | #'Certificate'{} | #'OTPCertificate'{}, list(), list()) -> + #'SingleResponse'{} | {error, no_matched_response}. +%% +%% Description: Find the matched single response. +%%-------------------------------------------------------------------- +find_single_response(Cert, CertPath, SingleResponseList) -> + case find_issuer(Cert, CertPath) of + {ok, Issuer} -> + OtpCert = otp_cert(Cert), + IssuerName = get_subject_name(Issuer), + IssuerKey = get_public_key(Issuer), + SerialNum = get_serial_num(OtpCert), + match_single_response( + IssuerName, IssuerKey, SerialNum, SingleResponseList); + {error, issuer_not_found} -> + {error, no_matched_response} + end. + +match_single_response(_IssuerName, _IssuerKey, _SerialNum, []) -> + {error, no_matched_response}; +match_single_response( + IssuerName, IssuerKey, SerialNum, + [#'SingleResponse'{ + certID = #'CertID'{hashAlgorithm = Algo} = CertID + } = Response | Reponses]) -> + HashType = public_key:pkix_hash_type( + Algo#'AlgorithmIdentifier'.algorithm), + case (SerialNum == CertID#'CertID'.serialNumber) andalso + (crypto:hash( + HashType, IssuerName) == CertID#'CertID'.issuerNameHash) andalso + (crypto:hash( + HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) of + true -> + {ok, Response}; + false -> + match_single_response(IssuerName, IssuerKey, SerialNum, Reponses) + end. + +find_issuer(_Cert, []) -> + {error, issuer_not_found}; +find_issuer(Cert, [Issuer | CertPath]) -> + case public_key:pkix_is_issuer(Cert, Issuer) of + true -> + {ok, otp_cert(Issuer)}; + false -> + find_issuer(Cert, CertPath) + end. \ No newline at end of file diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src index 5833141e8736..6be7cd3bc494 100644 --- a/lib/public_key/src/public_key.app.src +++ b/lib/public_key/src/public_key.app.src @@ -8,6 +8,7 @@ pubkey_cert, pubkey_cert_records, pubkey_crl, + pubkey_ocsp, 'OTP-PUB-KEY', 'PKCS-FRAME' ]}, diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 5decfd49bdd6..604386977053 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -63,7 +63,12 @@ pkix_crl_issuer/1, short_name_hash/1, pkix_test_data/1, - pkix_test_root_cert/2 + pkix_test_root_cert/2, + ocsp_status/3, + ocsp_responses/3, + ocsp_nonce/0, + ocsp_responder_id/1, + ocsp_extensions/1 ]). -export_type([public_key/0, private_key/0, pem_entry/0, @@ -1275,6 +1280,56 @@ pkix_test_data(#{} = Chain) -> pkix_test_root_cert(Name, Opts) -> pubkey_cert:root_cert(Name, Opts). +%%-------------------------------------------------------------------- +-spec ocsp_status(binary | #'Certificate'{} | #'OTPCertificate'{}, + list(), list()) -> + {good, term()} | {unknown, term()} | {revoked, term()} | no_matched_response. +%% +%% Description: Get Certificate status +%%-------------------------------------------------------------------- +ocsp_status(Cert, CertPath, Responses) -> + case pubkey_ocsp:find_single_response(Cert, CertPath, Responses) of + {ok, #'SingleResponse'{certStatus = CertStatus}} -> + CertStatus; + {error, no_matched_response} -> + no_matched_response + end. + +%%-------------------------------------------------------------------- +-spec ocsp_responses(binary(), list(), undefined | binary()) -> + {ok, [#'SingleResponse'{}]} | {error, Reason::term()}. +%% +%% Description: Get verified OCSP responses +%%-------------------------------------------------------------------- +ocsp_responses(OCSPResponseDer, ResponderCerts, Nonce) -> + catch pubkey_ocsp:verify_ocsp_response( + OCSPResponseDer, ResponderCerts, Nonce). + +%%-------------------------------------------------------------------- +-spec ocsp_extensions(undefined | binary()) -> list(). +%% Description: Get OCSP stapling extensions for request +%%-------------------------------------------------------------------- +ocsp_extensions(Nonce) -> + [Extn || Extn <- [pubkey_ocsp:get_nonce_extn(Nonce), + pubkey_ocsp:get_acceptable_response_types_extn()], + erlang:is_record(Extn, 'Extension')]. + +%%-------------------------------------------------------------------- +-spec ocsp_responder_id(#'Certificate'{}) -> binary(). +%% +%% Description: Get the OCSP responder ID der +%%-------------------------------------------------------------------- +ocsp_responder_id(Cert) -> + pubkey_ocsp:get_ocsp_responder_id(Cert). + +%%-------------------------------------------------------------------- +-spec ocsp_nonce() -> binary(). +%% +%% Description: Get an OCSP nonce +%%-------------------------------------------------------------------- +ocsp_nonce() -> + pubkey_ocsp:get_nonce(). + %%-------------------------------------------------------------------- %%% Internal functions %%-------------------------------------------------------------------- diff --git a/lib/public_key/test/pubkey_ocsp_SUITE.erl b/lib/public_key/test/pubkey_ocsp_SUITE.erl new file mode 100644 index 000000000000..006741e81a61 --- /dev/null +++ b/lib/public_key/test/pubkey_ocsp_SUITE.erl @@ -0,0 +1,376 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2011-2020. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +-module(pubkey_ocsp_SUITE). + +-include_lib("common_test/include/ct.hrl"). +-include_lib("public_key/include/public_key.hrl"). + +%% Note: This directive should only be used in test suites. +-compile(export_all). + +%%-------------------------------------------------------------------- +%% Common Test interface functions ----------------------------------- +%%-------------------------------------------------------------------- +all() -> + [ocsp_test]. + +groups() -> + []. + +%%-------------------------------------------------------------------- +init_per_suite(Config) -> + Config. + +end_per_suite(_Config) -> + ok. + +%%-------------------------------------------------------------------- + +init_per_group(_GroupName, Config) -> + Config. + +end_per_group(_GroupName, Config) -> + Config. + +%%-------------------------------------------------------------------- +init_per_testcase(_TestCase, Config) -> + Config. + +end_per_testcase(_TestCase, _Config) -> + ok. + +%%-------------------------------------------------------------------- +%% Test Cases -------------------------------------------------------- +%%-------------------------------------------------------------------- +ocsp_test() -> + [{doc, "Test functions in pubkey_ocsp"}]. +ocsp_test(Config) when is_list(Config) -> + %% Feeding data + SingleResponseGood = + [#'SingleResponse'{ + certID = {'CertID', + {'AlgorithmIdentifier',{1,3,14,3,2,26},<<5,0>>}, + <<227,147,252,182,155,101,129,45,194,162, + 22,93,127,46,112,193,196,28,241,232>>, + <<99,34,37,88,164,188,98,22,125,252,71,72, + 246,115,141,222,108,19,122,168>>,7}, + certStatus = {good,'NULL'}, + thisUpdate = "20200428083205Z", + nextUpdate = asn1_NOVALUE, + singleExtensions = asn1_NOVALUE}], + + Nonce = <<226,210,104,247,153,233,71,246>>, + + NonceExtension = + #'Extension'{ + extnID = ?'id-pkix-ocsp-nonce', + extnValue = Nonce + }, + + OCSPResponseDer = + <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6, + 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3, + 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108, + 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115, + 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12, + 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9, + 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111, + 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48, + 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194, + 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125, + 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52, + 50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8, + 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3, + 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52, + 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234, + 109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182, + 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132, + 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252, + 158,253,167,143,114,14,184,198,144,51,195,44,16,38,255,112,124,81,201,255, + 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252, + 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106, + 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191, + 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8, + 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38, + 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115, + 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48, + 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129, + 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12, + 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114, + 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16, + 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72, + 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, + 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48, + 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6, + 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69, + 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99, + 115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85, + 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247, + 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115, + 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0, + 3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, + 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147, + 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73, + 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115, + 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230, + 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, + 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249, + 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78, + 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180, + 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167, + 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, + 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209, + 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163, + 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5, + 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231, + 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20, + 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161, + 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97, + 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84, + 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49, + 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85, + 4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116, + 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130, + 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109, + 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116, + 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48, + 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193, + 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9, + 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174, + 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166, + 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49, + 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94, + 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176, + 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101, + 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206, + 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, + 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242, + 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111, + 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>, + + MalOCSPResponseDer = + <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6, + 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3, + 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108, + 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115, + 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12, + 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9, + 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111, + 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48, + 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194, + 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125, + 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52, + 50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8, + 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3, + 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52, + 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234, + 109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182, + 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132, + 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252, + 158,253,167,143,114,14,184,198,168,56,195,44,16,38,255,112,124,81,201,255, + 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252, + 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106, + 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191, + 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8, + 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38, + 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115, + 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48, + 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129, + 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12, + 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114, + 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16, + 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72, + 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, + 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48, + 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6, + 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69, + 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99, + 115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85, + 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247, + 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115, + 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0, + 3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, + 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147, + 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73, + 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115, + 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230, + 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, + 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249, + 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78, + 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180, + 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167, + 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, + 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209, + 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163, + 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5, + 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231, + 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20, + 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161, + 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97, + 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84, + 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49, + 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85, + 4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116, + 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130, + 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109, + 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116, + 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48, + 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193, + 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9, + 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174, + 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166, + 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49, + 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94, + 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176, + 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101, + 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206, + 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, + 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242, + 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111, + 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>, + + ResponderIDer = + <<161,129,135,48,129,132,49,17,48,15,6,3,85,4,3,12,8,98,46, + 115,101,114,118,101,114,49,18,48,16,6,3,85,4,11,12,10,69, + 114,108,97,110,103,79,84,80,49,19,48,17,6,3,85,4,10,12,11, + 69,114,105,99,115,115,111,110,65,66,49,11,48,9,6,3,85,4,6, + 19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107, + 104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1, + 22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, + 99,115,115,111,110,46,115,101>>, + + Cert = + #'Certificate'{ + tbsCertificate = #'TBSCertificate'{ + version = v3, + serialNumber = 9, + signature = {'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>}, + issuer = {rdnSequence, + [[{'AttributeTypeAndValue',{2,5,4,3},<<12,5,111,116,112,67,65>>}], + [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}], + [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}], + [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}], + [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}], + [{'AttributeTypeAndValue', + {1,2,840,113549,1,9,1}, + <<22,22,112,101,116,101,114,64,101,114,105,120,46,101, + 114,105,99,115,115,111,110,46,115,101>>}]]}, + validity = {'Validity',{utcTime,"200428083205Z"},{utcTime,"300307083205Z"}}, + subject = {rdnSequence, + [[{'AttributeTypeAndValue',{2,5,4,3},<<"\f\bb.server">>}], + [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}], + [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}], + [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}], + [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}], + [{'AttributeTypeAndValue', + {1,2,840,113549,1,9,1}, + <<22,22,112,101,116,101,114,64,101,114,105,120,46,101, + 114,105,99,115,115,111,110,46,115,101>>}]]}, + subjectPublicKeyInfo = {'SubjectPublicKeyInfo', + {'AlgorithmIdentifier',{1,2,840,113549,1,1,1},<<5,0>>}, + <<48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, + 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171, + 127,79,157,147,235,14,61,25,162,207,134,25,239,35,62,57,10,214, + 115,231,71,203,226,198,73,223,222,199,165,82,67,33,78,176,116, + 241,192,97,169,143,164,219,152,40,115,229,242,128,97,98,183,217, + 199,35,127,146,94,20,115,0,250,200,39,9,255,230,216,80,140,6, + 133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, + 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232, + 228,220,249,113,86,186,212,176,194,66,14,164,236,219,138,254,80, + 57,118,232,163,192,94,78,224,100,124,206,199,81,105,54,222,26, + 245,170,147,184,192,237,77,143,154,180,79,42,107,75,77,81,215, + 19,75,8,160,106,199,196,66,53,16,233,184,175,85,167,148,12,232, + 248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, + 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131, + 227,64,152,209,205,63,24,172,223,194,254,97,133,255,192,133,148, + 237,178,115,2,3,1,0,1>>}, + issuerUniqueID = asn1_NOVALUE, + subjectUniqueID = asn1_NOVALUE, + extensions = [{'Extension',{2,5,29,19},false,<<48,0>>}, + {'Extension',{2,5,29,15},false,<<3,2,5,224>>}, + {'Extension', + {2,5,29,14}, + false, + <<4,20,63,72,140,0,84,13,114,48,50,31,9,241,231,177,20,184,8,114, + 244,29>>}, + {'Extension', + {2,5,29,35}, + false, + <<48,129,168,128,20,99,34,37,88,164,188,98,22,125,252,71,72,246, + 115,141,222,108,19,122,168,161,129,140,164,129,137,48,129,134, + 49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19, + 48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49, + 20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65, + 66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108, + 109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72, + 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120, + 46,101,114,105,99,115,115,111,110,46,115,101,130,1,1>>}, + {'Extension', + {2,5,29,17}, + false, + <<48,18,130,16,104,111,115,116,46,101,120,97,109,112,108,101,46, + 99,111,109>>}, + {'Extension', + {2,5,29,18}, + false, + <<48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101, + 114,105,99,115,115,111,110,46,115,101>>}]}, + signatureAlgorithm = {'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>}, + signature = <<86,112,29,225,102,143,193,55,126,115,187,208,118,153,111,177,160,121,55, + 33,184,60,27,111,40,7,93,241,9,226,40,125,181,36,173,116,190,43,187,52, + 254,50,229,222,56,215,132,67,217,174,121,24,94,240,163,56,12,36,212,2, + 40,94,102,126,206,52,40,32,218,59,86,166,238,137,144,90,57,211,141,81, + 32,102,215,180,59,133,125,208,199,166,81,35,49,24,88,100,127,90,145,237, + 150,249,227,123,120,98,230,12,106,72,201,127,54,94,164,204,23,158,3,230, + 232,181,95,251,98,6,28,115,46,153,241,233,254,152,176,114,12,148,24,234, + 185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101,56,222,188, + 78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206,52,220, + 63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, + 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160, + 242,247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13, + 122,111,22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>}, + + %% test of the exported functions + ct:pal("Check pubkey_ocsp:verify_ocsp_response/3~n"), + {ok, SingleResponseGood} = + pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], Nonce), + {error, ocsp_response_bad_signature} = + pubkey_ocsp:verify_ocsp_response(MalOCSPResponseDer, [Cert], Nonce), + {error, nonce_mismatch} = + pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], <<1,2,3>>), + ct:pal("pubkey_ocsp:verify_ocsp_response/3...ok~n"), + + ct:pal("Check pubkey_ocsp:decode_ocsp_response/1~n"), + {ok, #'BasicOCSPResponse'{}} = + pubkey_ocsp:decode_ocsp_response(OCSPResponseDer), + ct:pal("pubkey_ocsp:decode_ocsp_response/1...ok~n"), + + ct:pal("Check pubkey_ocsp:get_ocsp_responder_id/1~n"), + ResponderIDer = + pubkey_ocsp:get_ocsp_responder_id(Cert), + ct:pal("pubkey_ocsp:get_ocsp_responder_id/1...ok~n"), + + ct:pal("Check pubkey_ocsp:get_nonce_extn/1~n"), + undefined = + pubkey_ocsp:get_nonce_extn(undefined), + NonceExtension = + pubkey_ocsp:get_nonce_extn(Nonce), + ct:pal("pubkey_ocsp:get_nonce_extn/1...ok~n"). \ No newline at end of file
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor