packages feed

x509-ocsp 0.3.1.0 → 0.4.0.0

raw patch · 3 files changed

+42/−17 lines, 3 filesdep ~crypton-x509PVP ok

version bump matches the API change (PVP)

Dependency ranges changed: crypton-x509

API changes (from Hackage documentation)

- Data.X509.OCSP: OCSPResponseVerificationData :: ByteString -> SignatureALG -> ByteString -> [Certificate] -> OCSPResponseVerificationData
+ Data.X509.OCSP: OCSPResponseVerificationData :: ByteString -> SignatureALG -> ByteString -> [(Signed Certificate, ByteString)] -> OCSPResponseVerificationData
- Data.X509.OCSP: [ocspRespCerts] :: OCSPResponseVerificationData -> [Certificate]
+ Data.X509.OCSP: [ocspRespCerts] :: OCSPResponseVerificationData -> [(Signed Certificate, ByteString)]

Files

Changelog.md view
@@ -1,3 +1,10 @@+### 0.4.0.0++- Field *ocspRespCerts* of *OCSPResponseVerificationData* now contains a list+  of *signed certificates* augmented by *DER*-encoded *tbsCertificate* as defined+  in *rfc5280*. This enables check of the OCSP Signature Authority Delegation.+  See a basic implementation of the check in the *client-ocsp* example.+ ### 0.3.1.0  - Add function *getOCSPResponseVerificationData'* which is similar to
Data/X509/OCSP.hs view
@@ -254,7 +254,9 @@ -- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorithm -- /ocspRespSignatureAlg/ are what has been used to sign the response. The -- verification process may require the public key of the issuer certificate--- if it's not been attached in /ocspRespCerts/.+-- if it's not been attached in /ocspRespCerts/. The latter contains a list of+-- signed certificates augmented by DER-encoded /tbsCertificate/ as defined in+-- /rfc5280/. -- -- See details of signing and verification of OCSP responses in /rfc6960/. --@@ -276,21 +278,22 @@ -- -- Note that the issuer certificate gets passed to /verifySignature\'/ rather -- than looked up in /ocspRespCerts/. The OCSP Signature Authority Delegation--- is not checked in the function.+-- is not checked in this simple example. -- -- To verify update times, check the values of 'ocspRespCertThisUpdate' and -- 'ocspRespCertNextUpdate' which both must have been constructed as -- 'TimeGeneralized'. data OCSPResponseVerificationData =-    OCSPResponseVerificationData { ocspRespDer :: ByteString-                                   -- ^ Response data (DER-encoded)-                                 , ocspRespSignatureAlg :: SignatureALG-                                   -- ^ Signature algorithm-                                 , ocspRespSignature :: ByteString-                                   -- ^ Signature-                                 , ocspRespCerts :: [Certificate]-                                   -- ^ Certificates-                                 } deriving (Show, Eq)+    OCSPResponseVerificationData+        { ocspRespDer :: ByteString+          -- ^ Response data (DER-encoded)+        , ocspRespSignatureAlg :: SignatureALG+          -- ^ Signature algorithm+        , ocspRespSignature :: ByteString+          -- ^ Signature+        , ocspRespCerts :: [(Signed Certificate, ByteString)]+          -- ^ List of signed certificates+        } deriving (Show, Eq)  -- | Get verification data from OCSP response. --@@ -316,7 +319,7 @@     case next of         Start Sequence : c2 -> do             let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2-            (alg', _) <- either (const Nothing) Just $ fromASN1 alg+            (alg', []) <- fromASN1' alg             case next' of                 BitString (BitArray _ sig) : c3                     | c3 == [End Sequence] ->@@ -331,10 +334,22 @@                 _ -> Nothing         _ -> Nothing     where collectCerts (Start Sequence : c4) certs-              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 =-                  case fromASN1 (getCurrentContainerContents cert) of-                      Right (cert', _) -> collectCerts c5 $ cert' : certs-                      _ -> Nothing+              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 = do+                    let (cert', next) = getConstructedEnd 0 cert+                    case next of+                        Start Sequence : cc1 -> do+                            let (wrapInSequence -> alg, next') =+                                    getConstructedEnd 0 cc1+                            (alg', []) <- fromASN1' alg+                            case next' of+                                [BitString (BitArray _ sig)] -> do+                                    (cert'', []) <- fromASN1' cert'+                                    collectCerts c5 $+                                        ( Signed cert'' alg' sig+                                        , encodeASN1' DER $ wrapInSequence cert'+                                        ) : certs+                                _ -> Nothing+                        _ -> Nothing           collectCerts [End Sequence, End (Container Context 0)] certs =               Just certs           collectCerts _ _ =@@ -347,4 +362,7 @@  skipCurrentContainer :: [ASN1] -> [ASN1] skipCurrentContainer = snd . getConstructedEnd 0++fromASN1' :: ASN1Object a => [ASN1] -> Maybe (a, [ASN1])+fromASN1' = either (const Nothing) Just . fromASN1 
x509-ocsp.cabal view
@@ -1,7 +1,7 @@ cabal-version:          2.4  name:                   x509-ocsp-version:                0.3.1.0+version:                0.4.0.0 synopsis:               Basic X509 OCSP implementation description:            Build X509 OCSP requests and parse responses homepage:               https://github.com/lyokha/x509-ocsp