From e433dc13c29f7f0670300b6a396a52ad11b4b9ce Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg
Date: Mon, 29 Nov 2004 09:58:16 +0000
Subject: new protocol : RFC2560 Online Certificate Status Protocol
svn path=/trunk/; revision=12618
---
 asn1/ocsp/Makefile | 5 ++
 asn1/ocsp/OCSP.asn | 174 +++++++++++++++++++++++++++++++++
 asn1/ocsp/ocsp.cnf | 48 +++++++++++
 asn1/ocsp/packet-ocsp-template.c | 151 +++++++++++++++++++++++++++++++++
 asn1/ocsp/packet-ocsp-template.h | 32 +++++++
 5 files changed, 410 insertions(+)
 create mode 100755 asn1/ocsp/Makefile
 create mode 100644 asn1/ocsp/OCSP.asn
 create mode 100644 asn1/ocsp/ocsp.cnf
 create mode 100644 asn1/ocsp/packet-ocsp-template.c
 create mode 100644 asn1/ocsp/packet-ocsp-template.h
(limited to 'asn1')
diff --git a/asn1/ocsp/Makefile b/asn1/ocsp/Makefile
new file mode 100755
index 0000000000..29b6ec4e87
--- /dev/null
+++ b/asn1/ocsp/Makefile
@@ -0,0 +1,5 @@
+
+../../epan/dissectors/packet-ocsp.c : ../../tools/asn2eth.py OCSP.asn packet-ocsp-template.c packet-ocsp-template.h ocsp.cnf
+ python ../../tools/asn2eth.py -X -b -k -e -p ocsp -c ocsp.cnf -s packet-ocsp-template OCSP.asn
+ cp packet-ocsp.* ../../epan/dissectors
+
diff --git a/asn1/ocsp/OCSP.asn b/asn1/ocsp/OCSP.asn
new file mode 100644
index 0000000000..21f4945eaa
--- /dev/null
+++ b/asn1/ocsp/OCSP.asn
@@ -0,0 +1,174 @@
+-- Online Certificate Status Protocol
+-- RFC 2560
+-- This definition was taken from RFC2560 and modified to pass through
+-- ASN2ETH.
+-- The original copyright from RFC2650 follows below
+--
+-- Full Copyright Statement
+--
+-- Copyright (C) The Internet Society (1999). All Rights Reserved.
+--
+-- This document and translations of it may be copied and furnished to
+-- others, and derivative works that comment on or otherwise explain it
+-- or assist in its implementation may be prepared, copied, published
+-- and distributed, in whole or in part, without restriction of any
+-- kind, provided that the above copyright notice and this paragraph are
+-- included on all such copies and derivative works. However, this
+-- document itself may not be modified in any way, such as by removing
+-- the copyright notice or references to the Internet Society or other
+-- Internet organizations, except as needed for the purpose of
+-- developing Internet standards in which case the procedures for
+-- copyrights defined in the Internet Standards process must be
+-- followed, or as required to translate it into languages other than
+-- English.
+--
+-- The limited permissions granted above are perpetual and will not be
+-- revoked by the Internet Society or its successors or assigns.
+--
+-- This document and the information contained herein is provided on an
+-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+--
+
+OCSP DEFINITIONS EXPLICIT TAGS::=
+
+BEGIN
+
+IMPORTS
+
+ -- Directory Authentication Framework (X.509)
+ Certificate, AlgorithmIdentifier
+ FROM AuthenticationFramework { joint-iso-itu-t ds(5)
+ module(1) authenticationFramework(7) 3 }
+
+ CRLReason
+ FROM CertificateExtensions
+
+-- PKIX Certificate Extensions
+ AuthorityInfoAccessSyntax
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-implicit-88(2)}
+
+
+ Name, GeneralName, CertificateSerialNumber, Extensions,
+ id-kp, id-ad-ocsp
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-explicit-88(1)};
+
+OCSPRequest ::= SEQUENCE {
+ tbsRequest TBSRequest,
+ optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+TBSRequest ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ requestList SEQUENCE OF Request,
+ requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+Signature ::= SEQUENCE {
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+Version ::= INTEGER { v1(0) }
+
+Request ::= SEQUENCE {
+ reqCert CertID,
+ singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+CertID ::= SEQUENCE {
+ hashAlgorithm AlgorithmIdentifier,
+ issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ serialNumber CertificateSerialNumber }
+
+OCSPResponse ::= SEQUENCE {
+ responseStatus OCSPResponseStatus,
+ responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+OCSPResponseStatus ::= ENUMERATED {
+ successful (0), --Response has valid confirmations
+ malformedRequest (1), --Illegal confirmation request
+ internalError (2), --Internal error in issuer
+ tryLater (3), --Try again later
+ --(4) is not used
+ sigRequired (5), --Must sign the request
+ unauthorized (6) --Request unauthorized
+}
+
+ResponseBytes ::= SEQUENCE {
+ responseType OBJECT IDENTIFIER,
+ response OCTET STRING }
+
+BasicOCSPResponse ::= SEQUENCE {
+ tbsResponseData ResponseData,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING,
+ certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+ResponseData ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ responderID ResponderID,
+ producedAt GeneralizedTime,
+ responses SEQUENCE OF SingleResponse,
+ responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+ResponderID ::= CHOICE {
+ byName [1] Name,
+ byKey [2] KeyHash }
+
+KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ --(excluding the tag and length fields)
+
+SingleResponse ::= SEQUENCE {
+ certID CertID,
+ certStatus CertStatus,
+ thisUpdate GeneralizedTime,
+ nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+CertStatus ::= CHOICE {
+ good [0] IMPLICIT NULL,
+ revoked [1] IMPLICIT RevokedInfo,
+ unknown [2] IMPLICIT UnknownInfo }
+
+RevokedInfo ::= SEQUENCE {
+ revocationTime GeneralizedTime,
+ revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+
+UnknownInfo ::= NULL -- this can be replaced with an enumeration
+
+ArchiveCutoff ::= GeneralizedTime
+
+AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
+
+ServiceLocator ::= SEQUENCE {
+ issuer Name,
+ locator AuthorityInfoAccessSyntax }
+
+CrlID ::= SEQUENCE {
+ crlUrl [0] EXPLICIT IA5String OPTIONAL,
+ crlNum [1] EXPLICIT INTEGER OPTIONAL,
+ crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+
+
+-- Object Identifiers
+--
+--id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+--id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
+--id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+--id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+--id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+--id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+--id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+--id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+--id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+--
+
+END
+
diff --git a/asn1/ocsp/ocsp.cnf b/asn1/ocsp/ocsp.cnf
new file mode 100644
index 0000000000..037c9870f2
--- /dev/null
+++ b/asn1/ocsp/ocsp.cnf
@@ -0,0 +1,48 @@
+# ocsp.cnf
+# OCSP conformation file
+
+# $Id: ocsp.cnf 12558 2004-11-21 10:16:06Z sahlberg $
+
+#.MODULE_IMPORT
+AuthenticationFramework x509af
+CertificateExtensions x509ce
+PKIX1Implicit88 pkix1implicit
+PKIX1Explicit88 pkix1explicit
+
+#.INCLUDE ../x509af/x509af-exp.cnf
+#.INCLUDE ../x509ce/x509ce-exp.cnf
+#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+
+#.EXPORTS
+
+#.PDU
+
+#.REGISTER
+BasicOCSPResponse B "1.3.6.1.5.5.7.48.1.1" "id-pkix-ocsp-basic"
+CrlID B "1.3.6.1.5.5.7.48.1.3" "id-pkix-ocsp-crl"
+AcceptableResponses B "1.3.6.1.5.5.7.48.1.4" "id-pkix-ocsp-response"
+ArchiveCutoff B "1.3.6.1.5.5.7.48.1.6" "id-pkix-ocsp-archive-cutoff"
+ServiceLocator B "1.3.6.1.5.5.7.48.1.7" "id-pkix-ocsp-service-locator"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+
+#.FN_BODY ResponseBytes/responseType
+ offset = dissect_ber_object_identifier(FALSE, pinfo, tree, tvb, offset,
+ hf_ocsp_responseType_id, responseType_id);
+
+#.FN_BODY ResponseBytes/response
+ guint8 class;
+ gboolean pc, ind;
+ guint32 tag;
+ guint32 len;
+ /* skip past the T and L */
+ offset = dissect_ber_identifier(pinfo, tree, tvb, offset, &class, &pc, &tag);
+ offset = dissect_ber_length(pinfo, tree, tvb, offset, &len, &ind);
+ offset=call_ber_oid_callback(responseType_id, tvb, offset, pinfo, tree);
+
+#.END
diff --git a/asn1/ocsp/packet-ocsp-template.c b/asn1/ocsp/packet-ocsp-template.c
new file mode 100644
index 0000000000..d509d4749a
--- /dev/null
+++ b/asn1/ocsp/packet-ocsp-template.c
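Review bot: The header comment of OCSP.asn reads `-- The original copyright from RFC2650 follows below` while the module and the two lines above it name RFC 2560; the number looks transposed and should be `-- The original copyright from RFC2560 follows below`. The block of commented-out `id-pkix-ocsp-*` OBJECT IDENTIFIER assignments at the end of the module would benefit from a one-line comment saying that these OIDs are instead bound to their types in the `#.REGISTER` section of ocsp.cnf, so a reader does not take them for dead definitions.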
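Review bot: In the `#.FN_BODY ResponseBytes/response` body the `len` obtained from `dissect_ber_length` is never used, so `call_ber_oid_callback` receives the whole `tvb` from `offset` and the dissector selected by `responseType_id` is free to parse beyond the end of the `response` OCTET STRING into whatever follows it. Handing the callback a subset bounded to the declared length keeps a malformed or oversized inner encoding confined to the OCTET STRING: `next_tvb = tvb_new_subset(tvb, offset, len, len);`, `call_ber_oid_callback(responseType_id, next_tvb, 0, pinfo, tree);`, `offset += len;`. That only applies when `ind` is FALSE; an indefinite-length OCTET STRING has no usable `len` and needs its own path. The values parsed into `class` and `tag` are also never checked to be a universal OCTET STRING before the body is handed off; a short comment or an explicit check would make that intent clear.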
@@ -0,0 +1,151 @@
+/* packet-ocsp.c
+ * Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * $Id: packet-ocsp-template.c 12573 2004-11-22 03:36:26Z sahlberg $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include
+#include
+
+#include "packet-ber.h"
+#include "packet-ocsp.h"
+#include "packet-x509af.h"
+#include "packet-x509ce.h"
+#include "packet-pkix1implicit.h"
+#include "packet-pkix1explicit.h"
+
+#define PNAME "Online Certificate Status Protocol"
+#define PSNAME "OCSP"
+#define PFNAME "ocsp"
+
+/* Initialize the protocol and registered fields */
+static int proto_ocsp = -1;
+static int hf_ocsp_responseType_id = -1;
+#include "packet-ocsp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_ocsp = -1;
+#include "packet-ocsp-ett.c"
+
+static char responseType_id[64]; /*64 chars should be long enough? */
+
+
+#include "packet-ocsp-fn.c"
+
+
+static int
+dissect_ocsp_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ col_add_fstr(pinfo->cinfo, COL_INFO, "Request");
+ }
+
+
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+ tree = proto_item_add_subtree(item, ett_ocsp);
+ }
+
+ return dissect_ocsp_OCSPRequest(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+
+static int
+dissect_ocsp_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ col_add_fstr(pinfo->cinfo, COL_INFO, "Response");
+ }
+
+
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+ tree = proto_item_add_subtree(item, ett_ocsp);
+ }
+
+ return dissect_ocsp_OCSPResponse(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+/*--- proto_register_ocsp ----------------------------------------------*/
+void proto_register_ocsp(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] = {
+ { &hf_ocsp_responseType_id,
+ { "ResponseType Id", "x509af.responseType.id",
+ FT_STRING, BASE_NONE, NULL, 0,
+ "ResponseType Id", HFILL }},
+#include "packet-ocsp-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_ocsp,
+#include "packet-ocsp-ettarr.c"
+ };
+
+ /* Register protocol */
+ proto_ocsp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_ocsp, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+/*--- proto_reg_handoff_ocsp -------------------------------------------*/
+void proto_reg_handoff_ocsp(void) {
+ dissector_handle_t ocsp_request_handle;
+ dissector_handle_t ocsp_response_handle;
+
+ ocsp_request_handle = new_create_dissector_handle(dissect_ocsp_request, proto_ocsp);
+ ocsp_response_handle = new_create_dissector_handle(dissect_ocsp_response, proto_ocsp);
+
+ dissector_add_string("media_type", "application/ocsp-request", ocsp_request_handle);
+ dissector_add_string("media_type", "application/ocsp-response", ocsp_response_handle);
+
+#include "packet-ocsp-dis-tab.c"
+}
+
diff --git a/asn1/ocsp/packet-ocsp-template.h b/asn1/ocsp/packet-ocsp-template.h
new file mode 100644
index 0000000000..6fd1c671c9
--- /dev/null
+++ b/asn1/ocsp/packet-ocsp-template.h
@@ -0,0 +1,32 @@
+/* packet-ocsp.h
+ * Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * $Id: packet-ocsp-template.h 12573 2004-11-22 03:36:26Z sahlberg $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef PACKET_OCSP_H
+#define PACKET_OCSP_H
+
+/*#include "packet-ocsp-exp.h"*/
+
+#endif /* PACKET_OCSP_H */
+
--
cgit v1.2.3
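Review bot: The field registered in `proto_register_ocsp` carries the filter name `"x509af.responseType.id"` although it belongs to this dissector, whose filter prefix is `PFNAME` (`"ocsp"`); this looks copied from the x509af template and should read `{ "ResponseType Id", "ocsp.responseType.id",` so the field is not filed under the wrong protocol in display filters. `static char responseType_id[64]; /*64 chars should be long enough? */` leaves its own question open: the buffer is filled from packet data by `dissect_ber_object_identifier` in ocsp.cnf, and whether that helper bounds its write to the 64 bytes cannot be seen here, so the size should be tied to that helper's contract or the buffer passed together with its size, and the comment replaced by one stating which it is. In `dissect_ocsp_request` and `dissect_ocsp_response`, `col_add_fstr(pinfo->cinfo, COL_INFO, "Request")` routes a constant string through a format call; `col_set_str(pinfo->cinfo, COL_INFO, "Request")` is the usual form for a literal.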