packages feed

x509-ocsp 0.3.0.0 → 0.3.1.0

raw patch · 3 files changed

+59/−34 lines, 3 filesPVP ok

version bump matches the API change (PVP)

API changes (from Hackage documentation)

+ Data.X509.OCSP: getOCSPResponseVerificationData' :: [ASN1] -> Maybe OCSPResponseVerificationData

Files

Changelog.md view
@@ -1,3 +1,9 @@+### 0.3.1.0++- Add function *getOCSPResponseVerificationData'* which is similar to+  *getOCSPResponseVerificationData* except it accepts the OCSP response payload+  in *ASN.1* format. See how it can be used in the *client-ocsp* example.+ ### 0.3.0.0  - Add function *getOCSPResponseVerificationData* to help verify the signature of
Data/X509/OCSP.hs view
@@ -28,9 +28,10 @@                       ,OCSPResponseCertData (..)                       ,OCSPResponseCertStatus (..)                       ,decodeOCSPResponse-    -- * OCSP response verification+    -- ** OCSP response verification                       ,OCSPResponseVerificationData (..)                       ,getOCSPResponseVerificationData+                      ,getOCSPResponseVerificationData'                       ) where  import Data.X509@@ -250,10 +251,10 @@ -- -- This data can be used to verify the signature of the OCSP response with -- 'Data.X509.Validation.verifySignature'. The response is signed with--- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorthm--- /ocspRespSignatureAlg/ are what was used to sign the response. The+-- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorithm+-- /ocspRespSignatureAlg/ are what has been used to sign the response. The -- verification process may require the public key of the issuer certificate--- if it's not attached in /ocspRespCerts/.+-- if it's not been attached in /ocspRespCerts/. -- -- See details of signing and verification of OCSP responses in /rfc6960/. --@@ -264,7 +265,7 @@ -- -- -- ... ----- verifySignature\' :: 'OCSPResponse' -> 'Certificate' -> 'Data.X509.Validation.SignatureVerification'+-- verifySignature\' :: 'OCSPResponse' -> 'Certificate' -> t'Data.X509.Validation.SignatureVerification' -- verifySignature\' resp v'Certificate' {..} --     | Just __/OCSPResponseVerificationData/__ {..} <- --         'getOCSPResponseVerificationData' resp =@@ -276,6 +277,10 @@ -- Note that the issuer certificate gets passed to /verifySignature\'/ rather -- than looked up in /ocspRespCerts/. The OCSP Signature Authority Delegation -- is not checked in the function.+--+-- To verify update times, check the values of 'ocspRespCertThisUpdate' and+-- 'ocspRespCertNextUpdate' which both must have been constructed as+-- 'TimeGeneralized'. data OCSPResponseVerificationData =     OCSPResponseVerificationData { ocspRespDer :: ByteString                                    -- ^ Response data (DER-encoded)@@ -287,44 +292,55 @@                                    -- ^ Certificates                                  } deriving (Show, Eq) --- | Get verification data from OCSP response payload.+-- | Get verification data from OCSP response. -- -- The function returns /Nothing/ on unexpected ASN.1 contents.-getOCSPResponseVerificationData :: OCSPResponse ->-    Maybe OCSPResponseVerificationData-getOCSPResponseVerificationData resp-    | Just resp' <- ocspRespPayload resp-    , Start Sequence : Start Sequence : c1 <- ocspRespASN1 resp' = do-        let (wrapInSequence -> resp'', next) = getConstructedEnd 0 c1-            der = encodeASN1' DER resp''-        case next of-            Start Sequence : c2 -> do-                let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2-                (alg', _) <- either (const Nothing) Just $ fromASN1 alg-                case next' of-                    BitString (BitArray _ sig) : c3-                        | c3 == [End Sequence] ->+getOCSPResponseVerificationData+    :: OCSPResponse             -- ^ OCSP response+    -> Maybe OCSPResponseVerificationData+getOCSPResponseVerificationData (ocspRespPayload -> Just pl) =+    getOCSPResponseVerificationData' $ ocspRespASN1 pl+getOCSPResponseVerificationData _ = Nothing++-- | Get verification data from OCSP response payload.+--+-- This is a variant of 'getOCSPResponseVerificationData' that accepts the+-- OCSP response payload in ASN.1 format. The function returns /Nothing/ on+-- unexpected ASN.1 contents.+getOCSPResponseVerificationData'+    :: [ASN1]                   -- ^ OCSP response payload+    -> Maybe OCSPResponseVerificationData+getOCSPResponseVerificationData' (Start Sequence : Start Sequence : c1) = do+    let (wrapInSequence -> resp'', next) = getConstructedEnd 0 c1+        der = encodeASN1' DER resp''+    case next of+        Start Sequence : c2 -> do+            let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2+            (alg', _) <- either (const Nothing) Just $ fromASN1 alg+            case next' of+                BitString (BitArray _ sig) : c3+                    | c3 == [End Sequence] ->+                        Just $ OCSPResponseVerificationData+                            der alg' sig []+                    | Start (Container Context 0)+                        : Start Sequence+                        : certs <- getCurrentContainerContents c3 -> do+                            certs' <- reverse <$> collectCerts certs []                             Just $ OCSPResponseVerificationData-                                der alg' sig []-                        | Start (Container Context 0)-                            : Start Sequence-                            : certs <- getCurrentContainerContents c3 -> do-                                certs' <- reverse <$> collectCerts certs []-                                Just $ OCSPResponseVerificationData-                                    der alg' sig certs'-                    _ -> Nothing-            _ -> Nothing-    where collectCerts (Start Sequence : c1) certs-              | (Start Sequence : cert, c2) <- getConstructedEnd 0 c1 =+                                der alg' sig certs'+                _ -> Nothing+        _ -> Nothing+    where collectCerts (Start Sequence : c4) certs+              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 =                   case fromASN1 (getCurrentContainerContents cert) of-                      Right (cert', _) -> collectCerts c2 $ cert' : certs+                      Right (cert', _) -> collectCerts c5 $ cert' : certs                       _ -> Nothing           collectCerts [End Sequence, End (Container Context 0)] certs =               Just certs           collectCerts _ _ =               Nothing           wrapInSequence = (Start Sequence :) . (++ [End Sequence])-getOCSPResponseVerificationData _ = Nothing+getOCSPResponseVerificationData' _ = Nothing  getCurrentContainerContents :: [ASN1] -> [ASN1] getCurrentContainerContents = fst . getConstructedEnd 0
x509-ocsp.cabal view
@@ -1,7 +1,7 @@ cabal-version:          2.4  name:                   x509-ocsp-version:                0.3.0.0+version:                0.3.1.0 synopsis:               Basic X509 OCSP implementation description:            Build X509 OCSP requests and parse responses homepage:               https://github.com/lyokha/x509-ocsp@@ -28,6 +28,9 @@                       , asn1-encoding                       , asn1-types                       , cryptohash-sha1++            -- only needed for haddock to hyperlink entities in code examples:+                      , crypton-x509-validation    exposed-modules:      Data.X509.AIA                       , Data.X509.OCSP