ocsp_client_misc.c
Go to the documentation of this file.
1 /**
2  * @file ocsp_client_misc.c
3  * @brief Helper functions for OCSP client
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL OCSP_TRACE_LEVEL
33 
34 //Dependencies
35 #include "ocsp/ocsp_client.h"
36 #include "ocsp/ocsp_client_misc.h"
37 #include "ocsp/ocsp_req_create.h"
38 #include "ocsp/ocsp_resp_parse.h"
39 #include "pkix/pem_import.h"
40 #include "pkix/x509_cert_parse.h"
41 #include "debug.h"
42 
43 //Check crypto library configuration
44 #if (OCSP_CLIENT_SUPPORT == ENABLED)
45 
46 
47 /**
48  * @brief Nonce generation
49  * @param[in] context Pointer to the OCSP client context
50  * @return Error code
51  **/
52 
54 {
55  error_t error;
56 
57  //Initialize status code
58  error = NO_ERROR;
59 
60  //The value of the nonce must be generated using a cryptographically
61  //strong pseudorandom number generator
62  if(context->prngAlgo != NULL && context->prngContext != NULL)
63  {
64  //If the Nonce extension is present, then the length of the nonce
65  //must be at least 1 octet and can be up to 32 octets (refer to
66  //RFC 8954, section 2.1)
67  error = context->prngAlgo->read(context->prngContext,
68  context->nonce, OCSP_CLIENT_NONCE_SIZE);
69 
70  //Check status code
71  if(!error)
72  {
73  //Save the length of the nonce
75  }
76  }
77  else
78  {
79  //The Nonce extension is optional
80  context->nonceLen = 0;
81  }
82 
83  //Return status code
84  return error;
85 }
86 
87 
88 /**
89  * @brief Format HTTP request header
90  * @param[in] context Pointer to the OCSP client context
91  * @return Error code
92  **/
93 
95 {
96  bool_t defaultPort;
97 
98  //Create an HTTP request
100  httpClientSetMethod(&context->httpClientContext, "POST");
101  httpClientSetUri(&context->httpClientContext, context->uri);
102 
103 #if (OCSP_CLIENT_TLS_SUPPORT == ENABLED)
104  //"https" URI scheme?
105  if(context->tlsInitCallback != NULL)
106  {
107  //The default port number is 443 for "https" URI scheme
108  defaultPort = (context->serverPort == HTTPS_PORT) ? TRUE : FALSE;
109  }
110  else
111 #endif
112  //"http" URI scheme?
113  {
114  //The default port number is 80 for "http" URI scheme
115  defaultPort = (context->serverPort == HTTP_PORT) ? TRUE : FALSE;
116  }
117 
118  //A client must send a Host header field in all HTTP/1.1 requests (refer
119  //to RFC 7230, section 5.4)
120  if(defaultPort)
121  {
122  //A host without any trailing port information implies the default port
123  //for the service requested
125  context->serverName);
126  }
127  else
128  {
129  //Append the port number information to the host
131  "Host", "%s:%" PRIu16, context->serverName, context->serverPort);
132  }
133 
134  //Add HTTP header fields
135  httpClientAddHeaderField(&context->httpClientContext, "User-Agent",
136  "Mozilla/5.0");
137 
138  httpClientAddHeaderField(&context->httpClientContext, "Content-Type",
139  "application/ocsp-request");
140 
141  //Specify the length of the request body
143 
144  //Successful processing
145  return NO_ERROR;
146 }
147 
148 
149 /**
150  * @brief Format OCSP request
151  * @param[in] context Pointer to the OCSP client context
152  * @param[in] cert Certificate to be checked (PEM or DER format)
153  * @param[in] certLen Length of the certificate, in bytes
154  * @param[in] issuerCert Issuer's certificate (PEM or DER format)
155  * @param[in] issuerCertLen Length of the issuer certificate, in bytes
156  * @return Error code
157  **/
158 
160  size_t certLen, const char_t *issuerCert, size_t issuerCertLen)
161 {
162  error_t error;
163  uint8_t *derCert;
164  size_t derCertLen;
165  uint8_t *derIssuerCert;
166  size_t derIssuerCertLen;
167  X509CertInfo *certInfo;
168  X509CertInfo *issuerCertInfo;
169 
170  //Initialize status code
171  error = NO_ERROR;
172 
173  //Initialize variables
174  derCert = NULL;
175  derIssuerCert = NULL;
176  certInfo = NULL;
177  issuerCertInfo = NULL;
178 
179  //Start of exception handling block
180  do
181  {
182  //Allocate a memory buffer to store X.509 certificate info
183  certInfo = cryptoAllocMem(sizeof(X509CertInfo));
184  //Failed to allocate memory?
185  if(certInfo == NULL)
186  {
187  error = ERROR_OUT_OF_MEMORY;
188  break;
189  }
190 
191  //The OCSP client accepts certificates in either PEM or DER format
192  error = pemImportCertificate(cert, certLen, NULL, &derCertLen, NULL);
193 
194  //PEM or DER format?
195  if(!error)
196  {
197  //Allocate a memory buffer to hold the DER-encoded certificate
198  derCert = cryptoAllocMem(derCertLen);
199  //Failed to allocate memory?
200  if(derCert == NULL)
201  {
202  error = ERROR_OUT_OF_MEMORY;
203  break;
204  }
205 
206  //The second pass decodes the PEM certificate
207  error = pemImportCertificate(cert, certLen, derCert, &derCertLen, NULL);
208  //Any error to report?
209  if(error)
210  break;
211 
212  //Parse X.509 certificate
213  error = x509ParseCertificateEx(derCert, derCertLen, certInfo, TRUE);
214  //Any error to report?
215  if(error)
216  break;
217  }
218  else
219  {
220  //Parse X.509 certificate
221  error = x509ParseCertificateEx(cert, certLen, certInfo, TRUE);
222  //Any error to report?
223  if(error)
224  break;
225  }
226 
227  //Allocate a memory buffer to store X.509 certificate info
228  issuerCertInfo = cryptoAllocMem(sizeof(X509CertInfo));
229  //Failed to allocate memory?
230  if(certInfo == NULL)
231  {
232  error = ERROR_OUT_OF_MEMORY;
233  break;
234  }
235 
236  //The OCSP client accepts certificates in either PEM or DER format
237  error = pemImportCertificate(issuerCert, issuerCertLen, NULL,
238  &derIssuerCertLen, NULL);
239 
240  //PEM or DER format?
241  if(!error)
242  {
243  //Allocate a memory buffer to hold the DER-encoded certificate
244  derIssuerCert = cryptoAllocMem(derIssuerCertLen);
245  //Failed to allocate memory?
246  if(derCert == NULL)
247  {
248  error = ERROR_OUT_OF_MEMORY;
249  break;
250  }
251 
252  //The second pass decodes the PEM certificate
253  error = pemImportCertificate(issuerCert, issuerCertLen, derIssuerCert,
254  &derIssuerCertLen, NULL);
255  //Any error to report?
256  if(error)
257  break;
258 
259  //Parse X.509 certificate
260  error = x509ParseCertificateEx(derIssuerCert, derIssuerCertLen,
261  issuerCertInfo, TRUE);
262  //Any error to report?
263  if(error)
264  break;
265  }
266  else
267  {
268  //Parse X.509 certificate
269  error = x509ParseCertificateEx(issuerCert, issuerCertLen,
270  issuerCertInfo, TRUE);
271  //Any error to report?
272  if(error)
273  break;
274  }
275 
276  //Generate an OCSP request
277  error = ocspCreateRequest(certInfo, issuerCertInfo, context->nonce,
278  context->nonceLen, context->buffer, &context->bufferLen);
279  //Any error to report?
280  if(error)
281  break;
282 
283  //End of exception handling block
284  } while(0);
285 
286  //Release previously allocated memory
287  if(derCert != NULL)
288  {
289  cryptoFreeMem(derCert);
290  }
291 
292  if(derIssuerCert != NULL)
293  {
294  cryptoFreeMem(derIssuerCert);
295  }
296 
297  if(certInfo != NULL)
298  {
299  cryptoFreeMem(certInfo);
300  }
301 
302  if(issuerCertInfo != NULL)
303  {
304  cryptoFreeMem(issuerCertInfo);
305  }
306 
307  //Return status code
308  return error;
309 }
310 
311 
312 /**
313  * @brief Parse HTTP response header
314  * @param[in] context Pointer to the OCSP client context
315  * @return Error code
316  **/
317 
319 {
320  const char_t *contentType;
321 
322  //Retrieve HTTP status code
324 
325  //Check HTTP status code
326  if(!HTTP_STATUS_CODE_2YZ(context->httpStatusCode))
328 
329  //Get the Content-Type header field
330  contentType = httpClientGetHeaderField(&context->httpClientContext,
331  "Content-Type");
332 
333  //Make sure the Content-Type header field is present
334  if(contentType == NULL)
335  return ERROR_INVALID_RESPONSE;
336 
337  //Check the value of the Content-Type header field
338  if(osStrcasecmp(contentType, "application/ocsp-response") != 0)
339  return ERROR_INVALID_RESPONSE;
340 
341  //Successful processing
342  return NO_ERROR;
343 }
344 
345 #endif
X.509 certificate parsing.
#define OCSP_CLIENT_NONCE_SIZE
Definition: ocsp_client.h:83
int bool_t
Definition: compiler_port.h:53
error_t httpClientSetUri(HttpClientContext *context, const char_t *uri)
Set request URI.
Definition: http_client.c:462
#define HTTP_STATUS_CODE_2YZ(code)
Definition: http_common.h:44
size_t bufferLen
Length of the buffer, in bytes.
Definition: ocsp_client.h:155
uint8_t nonce[OCSP_CLIENT_NONCE_SIZE]
Random nonce.
Definition: ocsp_client.h:152
#define TRUE
Definition: os_port.h:50
uint8_t buffer[OCSP_CLIENT_BUFFER_SIZE]
Memory buffer for input/output operations.
Definition: ocsp_client.h:154
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
char_t serverName[OCSP_CLIENT_MAX_HOST_LEN+1]
Host name of the OCSP server.
Definition: ocsp_client.h:149
const PrngAlgo * prngAlgo
Pseudo-random number generator to be used.
Definition: ocsp_client.h:143
error_t httpClientSetContentLength(HttpClientContext *context, size_t length)
Set the length of the HTTP request body.
Definition: http_client.c:987
error_t httpClientCreateRequest(HttpClientContext *context)
Create a new HTTP request.
Definition: http_client.c:365
OCSP client context.
Definition: ocsp_client.h:139
#define FALSE
Definition: os_port.h:46
error_t pemImportCertificate(const char_t *input, size_t inputLen, uint8_t *output, size_t *outputLen, size_t *consumed)
Decode a PEM file containing a certificate.
Definition: pem_import.c:61
PEM file import functions.
size_t nonceLen
Length of the nonce, in bytes.
Definition: ocsp_client.h:153
@ ERROR_UNEXPECTED_STATUS
Definition: error.h:283
X.509 certificate.
Definition: x509_common.h:1071
error_t
Error codes.
Definition: error.h:43
error_t httpClientFormatHeaderField(HttpClientContext *context, const char_t *name, const char_t *format,...)
Format an HTTP header field.
Definition: http_client.c:890
error_t ocspClientFormatHeader(OcspClientContext *context)
Format HTTP request header.
const char_t * httpClientGetHeaderField(HttpClientContext *context, const char_t *name)
Retrieve the value of the specified header field name.
Definition: http_client.c:1539
OCSP request generation.
#define osStrcasecmp(s1, s2)
Definition: os_port.h:183
error_t ocspCreateRequest(const X509CertInfo *certInfo, const X509CertInfo *issuerCertInfo, const uint8_t *nonce, size_t nonceLen, uint8_t *output, size_t *written)
Generate an OCSP request.
OCSP client.
OCSP response parsing.
uint_t httpClientGetStatus(HttpClientContext *context)
Retrieve the HTTP status code of the response.
Definition: http_client.c:1512
OcspClientTlsInitCallback tlsInitCallback
TLS initialization callback function.
Definition: ocsp_client.h:147
#define HTTPS_PORT
Definition: http_common.h:40
char char_t
Definition: compiler_port.h:48
error_t httpClientAddHeaderField(HttpClientContext *context, const char_t *name, const char_t *value)
Add a header field to the HTTP request.
Definition: http_client.c:808
#define HTTP_PORT
Definition: http_common.h:38
error_t ocspClientGenerateNonce(OcspClientContext *context)
Nonce generation.
error_t ocspClientParseHeader(OcspClientContext *context)
Parse HTTP response header.
#define cryptoFreeMem(p)
Definition: crypto.h:791
error_t x509ParseCertificateEx(const uint8_t *data, size_t length, X509CertInfo *certInfo, bool_t ignoreUnknown)
Parse a X.509 certificate.
#define cryptoAllocMem(size)
Definition: crypto.h:786
Helper functions for OCSP client.
void * prngContext
Pseudo-random number generator context.
Definition: ocsp_client.h:144
error_t ocspClientFormatRequest(OcspClientContext *context, const char_t *cert, size_t certLen, const char_t *issuerCert, size_t issuerCertLen)
Format OCSP request.
error_t httpClientSetMethod(HttpClientContext *context, const char_t *method)
Set HTTP request method.
Definition: http_client.c:402
uint_t httpStatusCode
HTTP status code.
Definition: ocsp_client.h:157
@ ERROR_INVALID_RESPONSE
Definition: error.h:71
HttpClientContext httpClientContext
HTTP client context.
Definition: ocsp_client.h:145
uint16_t serverPort
TCP port number.
Definition: ocsp_client.h:150
char_t uri[OCSP_CLIENT_MAX_URI_LEN+1]
URI.
Definition: ocsp_client.h:151
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.