Copyright	(c) Alexey Radkov 2024
License	BSD-style
Maintainer	alexey.radkov@gmail.com
Stability	experimental
Portability	portable
Safe Haskell	Safe-Inferred
Language	Haskell2010

Data.X509.OCSP

Contents

Shared data
OCSP request
OCSP response
- OCSP response verification

Description

Encode and decode X509 OCSP requests and responses.

This module complies with rfc6960.

Synopsis

data CertId = CertId {
}
encodeOCSPRequestASN1 :: Certificate -> Certificate -> ([ASN1], CertId)
encodeOCSPRequest :: Certificate -> Certificate -> (ByteString, CertId)
data OCSPResponse = OCSPResponse {
- ocspRespStatus :: OCSPResponseStatus
- ocspRespPayload :: Maybe OCSPResponsePayload
}
data OCSPResponseStatus
data OCSPResponsePayload = OCSPResponsePayload {
- ocspRespCertData :: OCSPResponseCertData
- ocspRespASN1 :: [ASN1]
}
data OCSPResponseCertData = OCSPResponseCertData {
}
data OCSPResponseCertStatus
decodeOCSPResponse :: CertId -> ByteString -> Either ASN1Error (Maybe OCSPResponse)
data OCSPResponseVerificationData = OCSPResponseVerificationData {
- ocspRespDer :: ByteString
- ocspRespSignatureAlg :: SignatureALG
- ocspRespSignature :: ByteString
- ocspRespCerts :: [(Signed Certificate, ByteString)]
}
getOCSPResponseVerificationData :: OCSPResponse -> Maybe OCSPResponseVerificationData
getOCSPResponseVerificationData' :: [ASN1] -> Maybe OCSPResponseVerificationData

Shared data

data CertId Source #

Certificate Id.

This data is used when building OCSP requests and parsing OCSP responses.

Constructors

CertId
Fields certIdIssuerNameHash :: ByteString Value of issuerNameHash as defined in rfc6960 certIdIssuerKeyHash :: ByteString Value of issuerKeyHash as defined in rfc6960 certIdSerialNumber :: Integer Certificate serial number

Instances

Instances details

Show CertId Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> CertId -> ShowS # show :: CertId -> String # showList :: [CertId] -> ShowS #
Eq CertId Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: CertId -> CertId -> Bool # (/=) :: CertId -> CertId -> Bool #

OCSP request

encodeOCSPRequestASN1 Source #

Arguments

:: Certificate	Certificate
-> Certificate	Issuer certificate
-> ([ASN1], CertId)

Build and encode OCSP request in ASN.1 format.

The returned value contains the encoded request and an object of type CertId with hashes calculated by the SHA1 algorithm.

encodeOCSPRequest Source #

Arguments

:: Certificate	Certificate
-> Certificate	Issuer certificate
-> (ByteString, CertId)

Build and encode OCSP request in ASN.1/DER format.

The returned value contains the encoded request and an object of type CertId with hashes calculated by the SHA1 algorithm.

OCSP response

data OCSPResponse Source #

OCSP response data.

Constructors

OCSPResponse
Fields ocspRespStatus :: OCSPResponseStatus Response status ocspRespPayload :: Maybe OCSPResponsePayload Response payload data

Instances

Instances details

Show OCSPResponse Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponse -> ShowS # show :: OCSPResponse -> String # showList :: [OCSPResponse] -> ShowS #
Eq OCSPResponse Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponse -> OCSPResponse -> Bool # (/=) :: OCSPResponse -> OCSPResponse -> Bool #

data OCSPResponseStatus Source #

Status of OCSP response as defined in rfc6960.

Constructors

OCSPRespSuccessful
OCSPRespMalformedRequest
OCSPRespInternalError
OCSPRespUnused1
OCSPRespTryLater
OCSPRespSigRequired
OCSPRespUnauthorized

Instances

Instances details

Bounded OCSPResponseStatus Source #
Instance details Defined in Data.X509.OCSP Methods minBound :: OCSPResponseStatus # maxBound :: OCSPResponseStatus #
Enum OCSPResponseStatus Source #
Instance details Defined in Data.X509.OCSP Methods succ :: OCSPResponseStatus -> OCSPResponseStatus # pred :: OCSPResponseStatus -> OCSPResponseStatus # toEnum :: Int -> OCSPResponseStatus # fromEnum :: OCSPResponseStatus -> Int # enumFrom :: OCSPResponseStatus -> [OCSPResponseStatus] # enumFromThen :: OCSPResponseStatus -> OCSPResponseStatus -> [OCSPResponseStatus] # enumFromTo :: OCSPResponseStatus -> OCSPResponseStatus -> [OCSPResponseStatus] # enumFromThenTo :: OCSPResponseStatus -> OCSPResponseStatus -> OCSPResponseStatus -> [OCSPResponseStatus] #
Show OCSPResponseStatus Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponseStatus -> ShowS # show :: OCSPResponseStatus -> String # showList :: [OCSPResponseStatus] -> ShowS #
Eq OCSPResponseStatus Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponseStatus -> OCSPResponseStatus -> Bool # (/=) :: OCSPResponseStatus -> OCSPResponseStatus -> Bool #

data OCSPResponsePayload Source #

Payload data of OCSP response.

Constructors

OCSPResponsePayload
Fields ocspRespCertData :: OCSPResponseCertData Selected certificate data ocspRespASN1 :: [ASN1] Whole response payload

Instances

Instances details

Show OCSPResponsePayload Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponsePayload -> ShowS # show :: OCSPResponsePayload -> String # showList :: [OCSPResponsePayload] -> ShowS #
Eq OCSPResponsePayload Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponsePayload -> OCSPResponsePayload -> Bool # (/=) :: OCSPResponsePayload -> OCSPResponsePayload -> Bool #

data OCSPResponseCertData Source #

Selected certificate data of OCSP response.

Constructors

OCSPResponseCertData
Fields ocspRespCertStatus :: OCSPResponseCertStatus Certificate status ocspRespCertThisUpdate :: ASN1 Value of thisUpdate as defined in rfc6960 ocspRespCertNextUpdate :: Maybe ASN1 Value of nextUpdate as defined in rfc6960

Instances

Instances details

Show OCSPResponseCertData Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponseCertData -> ShowS # show :: OCSPResponseCertData -> String # showList :: [OCSPResponseCertData] -> ShowS #
Eq OCSPResponseCertData Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponseCertData -> OCSPResponseCertData -> Bool # (/=) :: OCSPResponseCertData -> OCSPResponseCertData -> Bool #

data OCSPResponseCertStatus Source #

Certificate status of OCSP response as defined in rfc6960.

Constructors

OCSPRespCertGood
OCSPRespCertRevoked
OCSPRespCertUnknown

Instances

Instances details

Bounded OCSPResponseCertStatus Source #
Instance details Defined in Data.X509.OCSP Methods minBound :: OCSPResponseCertStatus # maxBound :: OCSPResponseCertStatus #
Enum OCSPResponseCertStatus Source #
Instance details Defined in Data.X509.OCSP Methods succ :: OCSPResponseCertStatus -> OCSPResponseCertStatus # pred :: OCSPResponseCertStatus -> OCSPResponseCertStatus # toEnum :: Int -> OCSPResponseCertStatus # fromEnum :: OCSPResponseCertStatus -> Int # enumFrom :: OCSPResponseCertStatus -> [OCSPResponseCertStatus] # enumFromThen :: OCSPResponseCertStatus -> OCSPResponseCertStatus -> [OCSPResponseCertStatus] # enumFromTo :: OCSPResponseCertStatus -> OCSPResponseCertStatus -> [OCSPResponseCertStatus] # enumFromThenTo :: OCSPResponseCertStatus -> OCSPResponseCertStatus -> OCSPResponseCertStatus -> [OCSPResponseCertStatus] #
Show OCSPResponseCertStatus Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponseCertStatus -> ShowS # show :: OCSPResponseCertStatus -> String # showList :: [OCSPResponseCertStatus] -> ShowS #
Eq OCSPResponseCertStatus Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponseCertStatus -> OCSPResponseCertStatus -> Bool # (/=) :: OCSPResponseCertStatus -> OCSPResponseCertStatus -> Bool #

decodeOCSPResponse Source #

Arguments

:: CertId	Certificate Id
-> ByteString	OCSP response
-> Either ASN1Error (Maybe OCSPResponse)

Decode OCSP response.

The value of the certificate id is expected to be equal to what was returned by encodeOCSPRequest as it is used to check the correctness of the response.

The Left value gets returned on parse errors detected by decodeASN1. The Right value with Nothing gets returned on unexpected ASN.1 contents.

OCSP response verification

data OCSPResponseVerificationData Source #

Verification data from OCSP response payload.

This data can be used to verify the signature of the OCSP response with verifySignature. The response is signed with signature ocspRespSignature. Binary data ocspRespDer and algorithm ocspRespSignatureAlg are what has been used to sign the response. The verification process may require the public key of the issuer certificate if it's not been attached in ocspRespCerts. The latter contains a list of signed certificates augmented by DER-encoded tbsCertificate as defined in rfc5280.

See details of signing and verification of OCSP responses in rfc6960.

Below is a simple implementation of the OCSP response signature verification.

{-# LANGUAGE RecordWildCards #-}

-- ...

verifySignature' :: OCSPResponse -> Certificate -> SignatureVerification
verifySignature' resp Certificate {..}
    | Just OCSPResponseVerificationData {..} <-
        getOCSPResponseVerificationData resp =
            verifySignature ocspRespSignatureAlg certPubKey ocspRespDer
                ocspRespSignature
    | otherwise = SignatureFailed SignatureInvalid

Note that the issuer certificate gets passed to verifySignature' rather than looked up in ocspRespCerts. The OCSP Signature Authority Delegation is not checked in this simple example.

To verify update times, check the values of ocspRespCertThisUpdate and ocspRespCertNextUpdate which both must have been constructed as TimeGeneralized.

Constructors

OCSPResponseVerificationData
Fields ocspRespDer :: ByteString Response data (DER-encoded) ocspRespSignatureAlg :: SignatureALG Signature algorithm ocspRespSignature :: ByteString Signature ocspRespCerts :: [(Signed Certificate, ByteString)] List of signed certificates with DER-encoded certificate data

Instances

Instances details

Show OCSPResponseVerificationData Source #
Instance details Defined in Data.X509.OCSP Methods showsPrec :: Int -> OCSPResponseVerificationData -> ShowS # show :: OCSPResponseVerificationData -> String # showList :: [OCSPResponseVerificationData] -> ShowS #
Eq OCSPResponseVerificationData Source #
Instance details Defined in Data.X509.OCSP Methods (==) :: OCSPResponseVerificationData -> OCSPResponseVerificationData -> Bool # (/=) :: OCSPResponseVerificationData -> OCSPResponseVerificationData -> Bool #

getOCSPResponseVerificationData Source #

Arguments

:: OCSPResponse	OCSP response
-> Maybe OCSPResponseVerificationData

Get verification data from OCSP response.

The function returns Nothing on unexpected ASN.1 contents.

getOCSPResponseVerificationData' Source #

Arguments

:: [ASN1]	OCSP response payload
-> Maybe OCSPResponseVerificationData

Get verification data from OCSP response payload.

This is a variant of getOCSPResponseVerificationData that accepts the OCSP response payload in ASN.1 format. The function returns Nothing on unexpected ASN.1 contents.