ocsp_client_misc.c
Go to the documentation of this file.
1 /**
2  * @file ocsp_client_misc.c
3  * @brief Helper functions for OCSP client
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.5.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL OCSP_TRACE_LEVEL
33 
34 //Dependencies
35 #include "ocsp/ocsp_client.h"
36 #include "ocsp/ocsp_client_misc.h"
37 #include "ocsp/ocsp_req_create.h"
38 #include "ocsp/ocsp_resp_parse.h"
39 #include "pkix/pem_import.h"
40 #include "pkix/x509_cert_parse.h"
41 #include "debug.h"
42 
43 //Check crypto library configuration
44 #if (OCSP_CLIENT_SUPPORT == ENABLED)
45 
46 
47 /**
48  * @brief Nonce generation
49  * @param[in] context Pointer to the OCSP client context
50  * @return Error code
51  **/
52 
53 error_t ocspClientGenerateNonce(OcspClientContext *context)
54 {
55  error_t error;
56 
57  //Initialize status code
58  error = NO_ERROR;
59 
60  //The value of the nonce must be generated using a cryptographically
61  //strong pseudorandom number generator
62  if(context->prngAlgo != NULL && context->prngContext != NULL)
63  {
64  //If the Nonce extension is present, then the length of the nonce
65  //must be at least 1 octet and can be up to 32 octets (refer to
66  //RFC 8954, section 2.1)
67  error = context->prngAlgo->generate(context->prngContext,
68  context->nonce, OCSP_CLIENT_NONCE_SIZE);
69 
70  //Check status code
71  if(!error)
72  {
73  //Save the length of the nonce
74  context->nonceLen = OCSP_CLIENT_NONCE_SIZE;
75  }
76  }
77  else
78  {
79  //The Nonce extension is optional
80  context->nonceLen = 0;
81  }
82 
83  //Return status code
84  return error;
85 }
86 
87 
88 /**
89  * @brief Format HTTP request header
90  * @param[in] context Pointer to the OCSP client context
91  * @return Error code
92  **/
93 
94 error_t ocspClientFormatHeader(OcspClientContext *context)
95 {
96  bool_t defaultPort;
97 
98  //Create an HTTP request
99  httpClientCreateRequest(&context->httpClientContext);
100  httpClientSetMethod(&context->httpClientContext, "POST");
101  httpClientSetUri(&context->httpClientContext, context->uri);
102 
103 #if (OCSP_CLIENT_TLS_SUPPORT == ENABLED)
104  //"https" URI scheme?
105  if(context->tlsInitCallback != NULL)
106  {
107  //The default port number is 443 for "https" URI scheme
108  defaultPort = (context->serverPort == HTTPS_PORT) ? TRUE : FALSE;
109  }
110  else
111 #endif
112  //"http" URI scheme?
113  {
114  //The default port number is 80 for "http" URI scheme
115  defaultPort = (context->serverPort == HTTP_PORT) ? TRUE : FALSE;
116  }
117 
118  //A client must send a Host header field in all HTTP/1.1 requests (refer
119  //to RFC 7230, section 5.4)
120  if(defaultPort)
121  {
122  //A host without any trailing port information implies the default port
123  //for the service requested
124  httpClientAddHeaderField(&context->httpClientContext, "Host",
125  context->serverName);
126  }
127  else
128  {
129  //Append the port number information to the host
130  httpClientFormatHeaderField(&context->httpClientContext,
131  "Host", "%s:%" PRIu16, context->serverName, context->serverPort);
132  }
133 
134  //Add HTTP header fields
135  httpClientAddHeaderField(&context->httpClientContext, "User-Agent",
136  "Mozilla/5.0");
137 
138  httpClientAddHeaderField(&context->httpClientContext, "Content-Type",
139  "application/ocsp-request");
140 
141  //Specify the length of the request body
142  httpClientSetContentLength(&context->httpClientContext, context->bufferLen);
143 
144  //Successful processing
145  return NO_ERROR;
146 }
147 
148 
149 /**
150  * @brief Format OCSP request
151  * @param[in] context Pointer to the OCSP client context
152  * @param[in] cert Certificate to be checked (PEM or DER format)
153  * @param[in] certLen Length of the certificate, in bytes
154  * @param[in] issuerCert Issuer's certificate (PEM or DER format)
155  * @param[in] issuerCertLen Length of the issuer certificate, in bytes
156  * @return Error code
157  **/
158 
159 error_t ocspClientFormatRequest(OcspClientContext *context, const char_t *cert,
160  size_t certLen, const char_t *issuerCert, size_t issuerCertLen)
161 {
162  error_t error;
163  uint8_t *derCert;
164  size_t derCertLen;
165  uint8_t *derIssuerCert;
166  size_t derIssuerCertLen;
167  X509CertInfo *certInfo;
168  X509CertInfo *issuerCertInfo;
169  X509Options options;
170 
171  //Initialize status code
172  error = NO_ERROR;
173 
174  //Initialize variables
175  derCert = NULL;
176  derIssuerCert = NULL;
177  certInfo = NULL;
178  issuerCertInfo = NULL;
179 
180  //Additional certificate parsing options
181  options = X509_DEFAULT_OPTIONS;
182  options.ignoreUnknownExtensions = TRUE;
183 
184  //Start of exception handling block
185  do
186  {
187  //Allocate a memory buffer to store X.509 certificate info
188  certInfo = cryptoAllocMem(sizeof(X509CertInfo));
189  //Failed to allocate memory?
190  if(certInfo == NULL)
191  {
192  error = ERROR_OUT_OF_MEMORY;
193  break;
194  }
195 
196  //The OCSP client accepts certificates in either PEM or DER format
197  error = pemImportCertificate(cert, certLen, NULL, &derCertLen, NULL);
198 
199  //PEM or DER format?
200  if(!error)
201  {
202  //Allocate a memory buffer to hold the DER-encoded certificate
203  derCert = cryptoAllocMem(derCertLen);
204  //Failed to allocate memory?
205  if(derCert == NULL)
206  {
207  error = ERROR_OUT_OF_MEMORY;
208  break;
209  }
210 
211  //The second pass decodes the PEM certificate
212  error = pemImportCertificate(cert, certLen, derCert, &derCertLen,
213  NULL);
214  //Any error to report?
215  if(error)
216  break;
217 
218  //Parse X.509 certificate
219  error = x509ParseCertificateEx(derCert, derCertLen, certInfo,
220  &options);
221  //Any error to report?
222  if(error)
223  break;
224  }
225  else
226  {
227  //Parse X.509 certificate
228  error = x509ParseCertificateEx(cert, certLen, certInfo, &options);
229  //Any error to report?
230  if(error)
231  break;
232  }
233 
234  //Allocate a memory buffer to store X.509 certificate info
235  issuerCertInfo = cryptoAllocMem(sizeof(X509CertInfo));
236  //Failed to allocate memory?
237  if(certInfo == NULL)
238  {
239  error = ERROR_OUT_OF_MEMORY;
240  break;
241  }
242 
243  //The OCSP client accepts certificates in either PEM or DER format
244  error = pemImportCertificate(issuerCert, issuerCertLen, NULL,
245  &derIssuerCertLen, NULL);
246 
247  //PEM or DER format?
248  if(!error)
249  {
250  //Allocate a memory buffer to hold the DER-encoded certificate
251  derIssuerCert = cryptoAllocMem(derIssuerCertLen);
252  //Failed to allocate memory?
253  if(derCert == NULL)
254  {
255  error = ERROR_OUT_OF_MEMORY;
256  break;
257  }
258 
259  //The second pass decodes the PEM certificate
260  error = pemImportCertificate(issuerCert, issuerCertLen, derIssuerCert,
261  &derIssuerCertLen, NULL);
262  //Any error to report?
263  if(error)
264  break;
265 
266  //Parse X.509 certificate
267  error = x509ParseCertificateEx(derIssuerCert, derIssuerCertLen,
268  issuerCertInfo, &options);
269  //Any error to report?
270  if(error)
271  break;
272  }
273  else
274  {
275  //Parse X.509 certificate
276  error = x509ParseCertificateEx(issuerCert, issuerCertLen,
277  issuerCertInfo, &options);
278  //Any error to report?
279  if(error)
280  break;
281  }
282 
283  //Generate an OCSP request
284  error = ocspCreateRequest(certInfo, issuerCertInfo, context->nonce,
285  context->nonceLen, context->buffer, &context->bufferLen);
286  //Any error to report?
287  if(error)
288  break;
289 
290  //End of exception handling block
291  } while(0);
292 
293  //Release previously allocated memory
294  if(derCert != NULL)
295  {
296  cryptoFreeMem(derCert);
297  }
298 
299  if(derIssuerCert != NULL)
300  {
301  cryptoFreeMem(derIssuerCert);
302  }
303 
304  if(certInfo != NULL)
305  {
306  cryptoFreeMem(certInfo);
307  }
308 
309  if(issuerCertInfo != NULL)
310  {
311  cryptoFreeMem(issuerCertInfo);
312  }
313 
314  //Return status code
315  return error;
316 }
317 
318 
319 /**
320  * @brief Parse HTTP response header
321  * @param[in] context Pointer to the OCSP client context
322  * @return Error code
323  **/
324 
325 error_t ocspClientParseHeader(OcspClientContext *context)
326 {
327  const char_t *contentType;
328 
329  //Retrieve HTTP status code
330  context->httpStatusCode = httpClientGetStatus(&context->httpClientContext);
331 
332  //Check HTTP status code
333  if(!HTTP_STATUS_CODE_2YZ(context->httpStatusCode))
334  return ERROR_UNEXPECTED_STATUS;
335 
336  //Get the Content-Type header field
337  contentType = httpClientGetHeaderField(&context->httpClientContext,
338  "Content-Type");
339 
340  //Make sure the Content-Type header field is present
341  if(contentType == NULL)
342  return ERROR_INVALID_RESPONSE;
343 
344  //Check the value of the Content-Type header field
345  if(osStrcasecmp(contentType, "application/ocsp-response") != 0)
346  return ERROR_INVALID_RESPONSE;
347 
348  //Successful processing
349  return NO_ERROR;
350 }
351 
352 
353 #if (OCSP_CLIENT_TLS_SUPPORT == ENABLED)
354 
355 /**
356  * @brief TLS initialization
357  * @param[in] httpClientContext Pointer to the HTTP client context
358  * @param[in] tlsContext Pointer to the TLS context
359  * @param[in] param Pointer to the OCSP client context
360  * @return Error code
361  **/
362 
363 error_t ocspClientInitTlsContext(HttpClientContext *httpClientContext,
364  TlsContext *tlsContext, void *param)
365 {
366  error_t error;
367  OcspClientContext *context;
368 
369  //Point to the OCSP client context
370  context = (OcspClientContext *) param;
371 
372  //Set the PRNG algorithm to be used
373  error = tlsSetPrng(tlsContext, context->prngAlgo, context->prngContext);
374 
375  //Check status code
376  if(!error)
377  {
378  //Perform TLS related initialization
379  if(context->tlsInitCallback != NULL)
380  {
381  //Invoke callback function
382  error = context->tlsInitCallback(context, tlsContext);
383  }
384  else
385  {
386  //Report an error
387  error = ERROR_FAILURE;
388  }
389  }
390 
391  //Return status code
392  return error;
393 }
394 
395 #endif
396 #endif
x509_cert_parse.h
X.509 certificate parsing.
OCSP_CLIENT_NONCE_SIZE
#define OCSP_CLIENT_NONCE_SIZE
Definition: ocsp_client.h:83
bool_t
int bool_t
Definition: compiler_port.h:61
httpClientSetUri
error_t httpClientSetUri(HttpClientContext *context, const char_t *uri)
Set request URI.
Definition: http_client.c:513
HTTP_STATUS_CODE_2YZ
#define HTTP_STATUS_CODE_2YZ(code)
Definition: http_common.h:44
TRUE
#define TRUE
Definition: os_port.h:50
ERROR_OUT_OF_MEMORY
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
httpClientSetContentLength
error_t httpClientSetContentLength(HttpClientContext *context, size_t length)
Set the length of the HTTP request body.
Definition: http_client.c:1038
httpClientCreateRequest
error_t httpClientCreateRequest(HttpClientContext *context)
Create a new HTTP request.
Definition: http_client.c:416
X509Options
Certificate parsing options.
Definition: x509_common.h:1336
FALSE
#define FALSE
Definition: os_port.h:46
pemImportCertificate
error_t pemImportCertificate(const char_t *input, size_t inputLen, uint8_t *output, size_t *outputLen, size_t *consumed)
Decode a PEM file containing a certificate.
Definition: pem_import.c:55
pem_import.h
PEM file import functions.
ERROR_UNEXPECTED_STATUS
@ ERROR_UNEXPECTED_STATUS
Definition: error.h:284
HttpClientContext
#define HttpClientContext
Definition: http_client.h:198
X509_DEFAULT_OPTIONS
const X509Options X509_DEFAULT_OPTIONS
Definition: x509_common.c:173
X509CertInfo
X.509 certificate.
Definition: x509_common.h:1121
TlsContext
#define TlsContext
Definition: tls.h:36
error_t
error_t
Error codes.
Definition: error.h:43
httpClientFormatHeaderField
error_t httpClientFormatHeaderField(HttpClientContext *context, const char_t *name, const char_t *format,...)
Format an HTTP header field.
Definition: http_client.c:941
ocspClientFormatHeader
error_t ocspClientFormatHeader(OcspClientContext *context)
Format HTTP request header.
Definition: ocsp_client_misc.c:94
x509ParseCertificateEx
error_t x509ParseCertificateEx(const uint8_t *data, size_t length, X509CertInfo *certInfo, const X509Options *options)
Parse a X.509 certificate.
Definition: x509_cert_parse.c:73
ocspClientInitTlsContext
error_t ocspClientInitTlsContext(HttpClientContext *httpClientContext, TlsContext *tlsContext, void *param)
TLS initialization.
Definition: ocsp_client_misc.c:363
ERROR_FAILURE
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
httpClientGetHeaderField
const char_t * httpClientGetHeaderField(HttpClientContext *context, const char_t *name)
Retrieve the value of the specified header field name.
Definition: http_client.c:1592
ocsp_req_create.h
OCSP request generation.
osStrcasecmp
#define osStrcasecmp(s1, s2)
Definition: os_port.h:186
ocspCreateRequest
error_t ocspCreateRequest(const X509CertInfo *certInfo, const X509CertInfo *issuerCertInfo, const uint8_t *nonce, size_t nonceLen, uint8_t *output, size_t *written)
Generate an OCSP request.
Definition: ocsp_req_create.c:55
ocsp_client.h
OCSP client.
ocsp_resp_parse.h
OCSP response parsing.
httpClientGetStatus
uint_t httpClientGetStatus(HttpClientContext *context)
Retrieve the HTTP status code of the response.
Definition: http_client.c:1565
HTTPS_PORT
#define HTTPS_PORT
Definition: http_common.h:40
char_t
char char_t
Definition: compiler_port.h:55
httpClientAddHeaderField
error_t httpClientAddHeaderField(HttpClientContext *context, const char_t *name, const char_t *value)
Add a header field to the HTTP request.
Definition: http_client.c:859
HTTP_PORT
#define HTTP_PORT
Definition: http_common.h:38
ocspClientGenerateNonce
error_t ocspClientGenerateNonce(OcspClientContext *context)
Nonce generation.
Definition: ocsp_client_misc.c:53
ocspClientParseHeader
error_t ocspClientParseHeader(OcspClientContext *context)
Parse HTTP response header.
Definition: ocsp_client_misc.c:325
cryptoFreeMem
#define cryptoFreeMem(p)
Definition: crypto.h:861
cryptoAllocMem
#define cryptoAllocMem(size)
Definition: crypto.h:856
options
uint8_t options[]
Definition: tcp.h:364
ocsp_client_misc.h
Helper functions for OCSP client.
ocspClientFormatRequest
error_t ocspClientFormatRequest(OcspClientContext *context, const char_t *cert, size_t certLen, const char_t *issuerCert, size_t issuerCertLen)
Format OCSP request.
Definition: ocsp_client_misc.c:159
httpClientSetMethod
error_t httpClientSetMethod(HttpClientContext *context, const char_t *method)
Set HTTP request method.
Definition: http_client.c:453
OcspClientContext
#define OcspClientContext
Definition: ocsp_client.h:95
tlsSetPrng
error_t tlsSetPrng(TlsContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Set the pseudo-random number generator to be used.
Definition: tls.c:390
ERROR_INVALID_RESPONSE
@ ERROR_INVALID_RESPONSE
Definition: error.h:71
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
debug.h
Debugging facilities.