Skip to content

Commit

Permalink
updating Response type to have Raw field instead of Marshal method
Browse files Browse the repository at this point in the history
  • Loading branch information
nathanejohnson committed Apr 15, 2020
1 parent fffe4d8 commit 87ee9ea
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 77 deletions.
106 changes: 36 additions & 70 deletions ocsp/ocsp.go
Original file line number Diff line number Diff line change
Expand Up @@ -181,50 +181,32 @@ var signatureAlgorithmDetails = []struct {
{x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512},
}

func signingParamsForAlgo(requestedSigAlgo x509.SignatureAlgorithm) (sigAlgo pkix.AlgorithmIdentifier, err error) {
found := false
for _, details := range signatureAlgorithmDetails {
if details.algo == requestedSigAlgo {
found = true
sigAlgo.Algorithm = details.oid
if details.pubKeyAlgo == x509.RSA {
sigAlgo.Parameters = asn1.RawValue{
Tag: 5,
}
}
}
}
if !found {
err = fmt.Errorf("invalid requestedSigAlgo: %s", requestedSigAlgo)
}
return
}

// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
// NOTE(nej) - modified this a bit to return x509.SignatureAlgorithm instead of the pkix.AlgorithmIdentifier, see
// signingParamsForAlgo above.
func signingAlgoForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo x509.SignatureAlgorithm, err error) {
func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
var pubType x509.PublicKeyAlgorithm

switch pub := pub.(type) {
case *rsa.PublicKey:
pubType = x509.RSA
hashFunc = crypto.SHA256
sigAlgo = x509.SHA256WithRSA
sigAlgo.Algorithm = oidSignatureSHA256WithRSA
sigAlgo.Parameters = asn1.RawValue{
Tag: 5,
}

case *ecdsa.PublicKey:
pubType = x509.ECDSA

switch pub.Curve {
case elliptic.P224(), elliptic.P256():
hashFunc = crypto.SHA256
sigAlgo = x509.ECDSAWithSHA256
sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
case elliptic.P384():
hashFunc = crypto.SHA384
sigAlgo = x509.ECDSAWithSHA384
sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
case elliptic.P521():
hashFunc = crypto.SHA512
sigAlgo = x509.ECDSAWithSHA512
sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
default:
err = errors.New("x509: unknown elliptic curve")
}
Expand All @@ -248,7 +230,7 @@ func signingAlgoForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlg
err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
return
}
sigAlgo, hashFunc = details.algo, details.hash
sigAlgo.Algorithm, hashFunc = details.oid, details.hash
if hashFunc == 0 {
err = errors.New("x509: cannot sign with hash function requested")
return
Expand Down Expand Up @@ -363,6 +345,8 @@ func (req *Request) Marshal() ([]byte, error) {
// Response represents an OCSP response containing a single SingleResponse. See
// RFC 6960.
type Response struct {
// raw DER encoded ASN.1 response data
Raw asn1.RawContent
// Status is one of {Good, Revoked, Unknown}
Status int
SerialNumber *big.Int
Expand Down Expand Up @@ -425,42 +409,6 @@ func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error {
return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature)
}

// Marshal marshals the OCSP response to ASN.1 DER encoded form
func (resp *Response) Marshal() ([]byte, error) {

signatureAlgorithm, err := signingParamsForAlgo(resp.SignatureAlgorithm)
if err != nil {
return nil, err
}
response := basicResponse{
TBSResponseData: responseData{Raw: asn1.RawContent(resp.TBSResponseData)},
SignatureAlgorithm: signatureAlgorithm,
Signature: asn1.BitString{
Bytes: resp.Signature,
BitLength: 8 * len(resp.Signature),
},
}

if resp.Certificate != nil {
response.Certificates = []asn1.RawValue{
{FullBytes: resp.Certificate.Raw},
}
}

responseDER, err := asn1.Marshal(response)
if err != nil {
return nil, err
}

return asn1.Marshal(responseASN1{
Status: asn1.Enumerated(Success),
Response: responseBytes{
ResponseType: idPKIXOCSPBasic,
Response: responseDER,
},
})
}

// ParseError results from an invalid OCSP response.
type ParseError string

Expand Down Expand Up @@ -567,6 +515,7 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
}

ret := &Response{
Raw: bytes,
TBSResponseData: basicResp.TBSResponseData.Raw,
Signature: basicResp.Signature.RightAlign(),
SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
Expand Down Expand Up @@ -798,7 +747,7 @@ func CreateResponse(issuer, responderCert *x509.Certificate, template Response,
return nil, err
}

hashFunc, sigAlgo, err := signingAlgoForPublicKey(priv.Public(), template.SignatureAlgorithm)
hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
if err != nil {
return nil, err
}
Expand All @@ -810,12 +759,29 @@ func CreateResponse(issuer, responderCert *x509.Certificate, template Response,
return nil, err
}

resp := &Response{
Certificate: template.Certificate,
TBSResponseData: tbsResponseDataDER,
Signature: signature,
SignatureAlgorithm: sigAlgo,
response := basicResponse{
TBSResponseData: tbsResponseData,
SignatureAlgorithm: signatureAlgorithm,
Signature: asn1.BitString{
Bytes: signature,
BitLength: 8 * len(signature),
},
}
if template.Certificate != nil {
response.Certificates = []asn1.RawValue{
{FullBytes: template.Certificate.Raw},
}
}
responseDER, err := asn1.Marshal(response)
if err != nil {
return nil, err
}

return resp.Marshal()
return asn1.Marshal(responseASN1{
Status: asn1.Enumerated(Success),
Response: responseBytes{
ResponseType: idPKIXOCSPBasic,
Response: responseDER,
},
})
}
9 changes: 2 additions & 7 deletions ocsp/ocsp_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ func TestOCSPDecode(t *testing.T) {
}
}

func TestOCSPResponseMarshal(t *testing.T) {
func TestOCSPResponseRaw(t *testing.T) {
for _, tData := range []struct {
name string
ocspRespHex string
Expand Down Expand Up @@ -100,12 +100,7 @@ func TestOCSPResponseMarshal(t *testing.T) {
return
}

marshalBytes, err := resp.Marshal()
if err != nil {
t.Errorf("unexpected error on marshal: %s", err)
return
}
if !bytes.Equal(responseBytes, marshalBytes) {
if !bytes.Equal(responseBytes, resp.Raw) {
t.Errorf("bytes not equal on marshal")
}
})
Expand Down

0 comments on commit 87ee9ea

Please sign in to comment.