rasn_ocsp/
lib.rs

1#![doc = include_str!("../README.md")]
2#![no_std]
3
4use rasn::prelude::*;
5
6use rasn_pkix::{
7    AlgorithmIdentifier, AuthorityInfoAccessSyntax, Certificate, CertificateSerialNumber,
8    CrlReason, Extensions, GeneralName, Name,
9};
10
11pub type Version = Integer;
12pub type Nonce = OctetString;
13pub type KeyHash = OctetString;
14pub type UnknownInfo = ();
15pub type ArchiveCutoff = GeneralizedTime;
16pub type AcceptableResponses = SequenceOf<ObjectIdentifier>;
17
18/// The (optionally signed) OCSP request.
19#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
20pub struct OcspRequest {
21    /// The body of the request.
22    pub tbs_request: TbsRequest,
23    /// The signature, if present.
24    #[rasn(tag(explicit(0)))]
25    pub optional_signature: Option<Signature>,
26}
27
28/// The body of the [OcspRequest].
29#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
30pub struct TbsRequest {
31    /// The version of the protocol.
32    #[rasn(tag(explicit(0)), default)]
33    pub version: Version,
34    /// The name of the OCSP requestor.
35    #[rasn(tag(explicit(1)))]
36    pub requestor_name: Option<GeneralName>,
37    /// One or more single certificate status requests.
38    pub request_list: SequenceOf<Request>,
39    /// Extensions applicable to the requests.
40    #[rasn(tag(explicit(2)))]
41    pub request_extensions: Option<Extensions>,
42}
43
44/// The signature for an [OcspRequest].
45#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
46pub struct Signature {
47    /// The algorithm used to sign the request.
48    pub signature_algorithm: AlgorithmIdentifier,
49    /// the actual signature contents
50    pub signature: BitString,
51    /// Certificates the server needs to verify the signed response (normally up
52    /// to but not including the client's root certificate).
53    #[rasn(tag(explicit(0)))]
54    pub certs: Option<SequenceOf<Certificate>>,
55}
56
57/// A single request.
58#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
59pub struct Request {
60    /// The identifier of a target certificate.
61    pub req_cert: CertId,
62    /// Extensions applicable to this single certificate status request.
63    #[rasn(tag(explicit(0)))]
64    pub single_request_extensions: Option<Extensions>,
65}
66
67/// The identifier of the certificate.
68#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
69pub struct CertId {
70    /// The hash algorithm used to generate the `issuer_name_hash` and
71    /// `issuer_key_hash` values.
72    pub hash_algorithm: AlgorithmIdentifier,
73    /// The hash of the issuer's distinguished name.
74    ///
75    /// The hash shall be calculated over the DER encoding of the issuer's name
76    /// field in the certificate being checked.
77    pub issuer_name_hash: OctetString,
78    /// The hash of the issuer's public key.
79    ///
80    /// The hash shall be calculated over the value (excluding tag and length)
81    /// of the subject public key field in the issuer's certificate.
82    pub issuer_key_hash: OctetString,
83    /// The serial number of the certificate for which status is
84    /// being requested.
85    pub serial_number: CertificateSerialNumber,
86}
87
88/// A confirmation response.
89#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
90pub struct OcspResponse {
91    /// The processing status of the prior request.
92    pub status: OcspResponseStatus,
93    /// The body of the response.
94    #[rasn(tag(explicit(0)))]
95    pub bytes: Option<ResponseBytes>,
96}
97
98#[derive(AsnType, Clone, Copy, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
99#[rasn(enumerated)]
100pub enum OcspResponseStatus {
101    /// Response has valid confirmations.
102    Successful = 0,
103    /// Illegal confirmation request.
104    MalformedRequest = 1,
105    /// Internal error in issuer.
106    InternalError = 2,
107    /// Try again later.
108    TryLater = 3,
109    /// Must sign the request.
110    SigRequired = 5,
111    /// Request unauthorized.
112    Unauthorized = 6,
113}
114
115/// The body of a [OcspResponse].
116#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
117pub struct ResponseBytes {
118    /// The OID identifying the type of response.
119    pub r#type: ObjectIdentifier,
120    /// The DER encoded response.
121    pub response: OctetString,
122}
123
124/// A Basic OCSP response.
125#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
126pub struct BasicOcspResponse {
127    /// The response body.
128    pub tbs_response_data: ResponseData,
129    /// The algorithm used to generate the signature.
130    pub signature_algorithm: AlgorithmIdentifier,
131    /// The actual signature of the response.
132    ///
133    /// The value for shall be computed on the hash of the DER encoding
134    /// of [ResponseData].
135    pub signature: BitString,
136    /// certificates in that help the OCSP client verify the
137    /// responder's signature.
138    #[rasn(tag(explicit(0)))]
139    pub certs: Option<SequenceOf<Certificate>>,
140}
141
142/// The body of [BasicOcspResponse].
143#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
144pub struct ResponseData {
145    #[rasn(tag(explicit(0)), default)]
146    pub version: Version,
147    pub responder_id: ResponderId,
148    pub produced_at: GeneralizedTime,
149    pub responses: SequenceOf<SingleResponse>,
150    #[rasn(tag(explicit(1)))]
151    pub response_extensions: Option<Extensions>,
152}
153
154#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
155#[rasn(choice)]
156pub enum ResponderId {
157    #[rasn(tag(explicit(1)))]
158    ByName(Name),
159    #[rasn(tag(explicit(2)))]
160    ByKey(KeyHash),
161}
162
163#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
164pub struct SingleResponse {
165    /// The identifier of the certificate.
166    pub cert_id: CertId,
167    /// The revocation status of the certificate.
168    pub cert_status: CertStatus,
169    /// The start of the validity interval of the response.
170    pub this_update: GeneralizedTime,
171    /// The end of the validity interval of the response.
172    #[rasn(tag(explicit(0)))]
173    pub next_update: Option<GeneralizedTime>,
174    /// The optional extensions.
175    #[rasn(tag(explicit(1)))]
176    pub single_extensions: Option<Extensions>,
177}
178
179/// The revocation status of the certificate.
180#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
181#[rasn(choice)]
182pub enum CertStatus {
183    #[rasn(tag(0))]
184    Good,
185    #[rasn(tag(1))]
186    Revoked(RevokedInfo),
187    #[rasn(tag(2))]
188    Unknown(UnknownInfo),
189}
190
191#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
192pub struct RevokedInfo {
193    pub revocation_time: GeneralizedTime,
194    #[rasn(tag(explicit(0)))]
195    pub revocation_reason: Option<CrlReason>,
196}
197
198#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
199pub struct ServiceLocator {
200    pub issuer: Name,
201    pub locator: AuthorityInfoAccessSyntax,
202}
203
204#[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
205pub struct CrlId {
206    #[rasn(tag(explicit(0)))]
207    pub url: Option<Ia5String>,
208    #[rasn(tag(explicit(1)))]
209    pub num: Option<Integer>,
210    #[rasn(tag(explicit(2)))]
211    pub time: Option<GeneralizedTime>,
212}
rasn_ocsp/lib.rs

rasn_ocsp/
lib.rs
