new protocol : RFC2560 Online Certificate Status Protocol
svn path=/trunk/; revision=12618
parent
8b4a9a21e1
commit
e433dc13c2
|
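--- a/PATH-NOT-SHOWN/Makefile
+++ b/PATH-NOT-SHOWN/Makefile
@@ -0,0 +1,5 @@
+
+../../epan/dissectors/packet-ocsp.c : ../../tools/asn2eth.py OCSP.asn packet-ocsp-template.c packet-ocsp-template.h ocsp.cnf
+python ../../tools/asn2eth.py -X -b -k -e -p ocsp -c ocsp.cnf -s packet-ocsp-template OCSP.asn
+cp packet-ocsp.* ../../epan/dissectors
+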
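--- a/OCSP.asn
+++ b/OCSP.asn
@@ -0,0 +1,174 @@
+-- Online Certificate Status Protocol
+-- RFC 2560
+-- This definition was taken from RFC2560 and modified to pass through
+-- ASN2ETH.
+-- The original copyright from RFC2650 follows below
+--
+-- Full Copyright Statement
+--
+-- Copyright (C) The Internet Society (1999). All Rights Reserved.
+--
+-- This document and translations of it may be copied and furnished to
+-- others, and derivative works that comment on or otherwise explain it
+-- or assist in its implementation may be prepared, copied, published
+-- and distributed, in whole or in part, without restriction of any
+-- kind, provided that the above copyright notice and this paragraph are
+-- included on all such copies and derivative works. However, this
+-- document itself may not be modified in any way, such as by removing
+-- the copyright notice or references to the Internet Society or other
+-- Internet organizations, except as needed for the purpose of
+-- developing Internet standards in which case the procedures for
+-- copyrights defined in the Internet Standards process must be
+-- followed, or as required to translate it into languages other than
+-- English.
+--
+-- The limited permissions granted above are perpetual and will not be
+-- revoked by the Internet Society or its successors or assigns.
+--
+-- This document and the information contained herein is provided on an
+-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+--
+
+OCSP DEFINITIONS EXPLICIT TAGS::=
+
+BEGIN
+
+IMPORTS
+
+-- Directory Authentication Framework (X.509)
+Certificate, AlgorithmIdentifier
+FROM AuthenticationFramework { joint-iso-itu-t ds(5)
+module(1) authenticationFramework(7) 3 }
+
+CRLReason
+FROM CertificateExtensions
+
+-- PKIX Certificate Extensions
+AuthorityInfoAccessSyntax
+FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+id-mod(0) id-pkix1-implicit-88(2)}
+
+
+Name, GeneralName, CertificateSerialNumber, Extensions,
+id-kp, id-ad-ocsp
+FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+id-mod(0) id-pkix1-explicit-88(1)};
+
+OCSPRequest ::= SEQUENCE {
+tbsRequest TBSRequest,
+optionalSignature [0] EXPLICIT Signature OPTIONAL }
+
+TBSRequest ::= SEQUENCE {
+version [0] EXPLICIT Version DEFAULT v1,
+requestorName [1] EXPLICIT GeneralName OPTIONAL,
+requestList SEQUENCE OF Request,
+requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+
+Signature ::= SEQUENCE {
+signatureAlgorithm AlgorithmIdentifier,
+signature BIT STRING,
+certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+Version ::= INTEGER { v1(0) }
+
+Request ::= SEQUENCE {
+reqCert CertID,
+singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+
+CertID ::= SEQUENCE {
+hashAlgorithm AlgorithmIdentifier,
+issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+serialNumber CertificateSerialNumber }
+
+OCSPResponse ::= SEQUENCE {
+responseStatus OCSPResponseStatus,
+responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+OCSPResponseStatus ::= ENUMERATED {
+successful (0), --Response has valid confirmations
+malformedRequest (1), --Illegal confirmation request
+internalError (2), --Internal error in issuer
+tryLater (3), --Try again later
+--(4) is not used
+sigRequired (5), --Must sign the request
+unauthorized (6) --Request unauthorized
+}
+
+ResponseBytes ::= SEQUENCE {
+responseType OBJECT IDENTIFIER,
+response OCTET STRING }
+
+BasicOCSPResponse ::= SEQUENCE {
+tbsResponseData ResponseData,
+signatureAlgorithm AlgorithmIdentifier,
+signature BIT STRING,
+certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+ResponseData ::= SEQUENCE {
+version [0] EXPLICIT Version DEFAULT v1,
+responderID ResponderID,
+producedAt GeneralizedTime,
+responses SEQUENCE OF SingleResponse,
+responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+ResponderID ::= CHOICE {
+byName [1] Name,
+byKey [2] KeyHash }
+
+KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+--(excluding the tag and length fields)
+
+SingleResponse ::= SEQUENCE {
+certID CertID,
+certStatus CertStatus,
+thisUpdate GeneralizedTime,
+nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+
+CertStatus ::= CHOICE {
+good [0] IMPLICIT NULL,
+revoked [1] IMPLICIT RevokedInfo,
+unknown [2] IMPLICIT UnknownInfo }
+
+RevokedInfo ::= SEQUENCE {
+revocationTime GeneralizedTime,
+revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+
+UnknownInfo ::= NULL -- this can be replaced with an enumeration
+
+ArchiveCutoff ::= GeneralizedTime
+
+AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
+
+ServiceLocator ::= SEQUENCE {
+issuer Name,
+locator AuthorityInfoAccessSyntax }
+
+CrlID ::= SEQUENCE {
+crlUrl [0] EXPLICIT IA5String OPTIONAL,
+crlNum [1] EXPLICIT INTEGER OPTIONAL,
+crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+
+
+-- Object Identifiers
+--
+--id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+--id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
+--id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+--id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+--id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+--id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+--id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+--id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+--id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+--
+
+END
+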
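Review bot: The header comment `-- The original copyright from RFC2650 follows below` names the wrong RFC; the line `-- RFC 2560` two lines above and the copyright block that follows are RFC 2560's, so it should read `-- The original copyright from RFC2560 follows below`. The id-pkix-ocsp-* OBJECT IDENTIFIER assignments at the end of the module are commented out with no explanation; presumably the values are supplied by the `#.REGISTER` section of ocsp.cnf in this same commit rather than by the module, and a one-line comment saying so, such as `-- OID values are registered in ocsp.cnf (#.REGISTER) rather than defined here`, would stop the next reader from re-enabling them.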
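--- a/ocsp.cnf
+++ b/ocsp.cnf
@@ -0,0 +1,48 @@
+# ocsp.cnf
+# OCSP conformation file
+
+# $Id: ocsp.cnf 12558 2004-11-21 10:16:06Z sahlberg $
+
+#.MODULE_IMPORT
+AuthenticationFramework x509af
+CertificateExtensions x509ce
+PKIX1Implicit88 pkix1implicit
+PKIX1Explicit88 pkix1explicit
+
+#.INCLUDE ../x509af/x509af-exp.cnf
+#.INCLUDE ../x509ce/x509ce-exp.cnf
+#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+
+#.EXPORTS
+
+#.PDU
+
+#.REGISTER
+BasicOCSPResponse B "1.3.6.1.5.5.7.48.1.1" "id-pkix-ocsp-basic"
+CrlID B "1.3.6.1.5.5.7.48.1.3" "id-pkix-ocsp-crl"
+AcceptableResponses B "1.3.6.1.5.5.7.48.1.4" "id-pkix-ocsp-response"
+ArchiveCutoff B "1.3.6.1.5.5.7.48.1.6" "id-pkix-ocsp-archive-cutoff"
+ServiceLocator B "1.3.6.1.5.5.7.48.1.7" "id-pkix-ocsp-service-locator"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+
+#.FN_BODY ResponseBytes/responseType
+offset = dissect_ber_object_identifier(FALSE, pinfo, tree, tvb, offset,
+hf_ocsp_responseType_id, responseType_id);
+
+#.FN_BODY ResponseBytes/response
+guint8 class;
+gboolean pc, ind;
+guint32 tag;
+guint32 len;
+/* skip past the T and L */
+offset = dissect_ber_identifier(pinfo, tree, tvb, offset, &class, &pc, &tag);
+offset = dissect_ber_length(pinfo, tree, tvb, offset, &len, &ind);
+offset=call_ber_oid_callback(responseType_id, tvb, offset, pinfo, tree);
+
+#.END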
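Review bot: In the `#.FN_BODY ResponseBytes/response` body the length read into `len` is never used: after `dissect_ber_identifier` and `dissect_ber_length` skip the tag and length, `call_ber_oid_callback(responseType_id, tvb, offset, pinfo, tree)` hands the inner dissector the whole remaining tvb, so the dissection of the response is not confined to the OCTET STRING and a `len` that disagrees with the data actually present goes unnoticed. Bound it with a subset tvb instead, e.g. `call_ber_oid_callback(responseType_id, tvb_new_subset(tvb, offset, len, len), 0, pinfo, tree);` followed by `offset += len;`, and give the `ind` (indefinite-length) case its own handling since `len` is not meaningful there. `responseType_id` is the file-static buffer declared in packet-ocsp-template.c and is written only by the preceding `ResponseBytes/responseType` body, so if that field fails to dissect the callback presumably dispatches on whatever OID the previous packet left behind; clearing it at the top of dissect_ocsp_response, or skipping the callback when it is empty, would avoid that.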
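--- a/packet-ocsp-template.c
+++ b/packet-ocsp-template.c
@@ -0,0 +1,151 @@
+/* packet-ocsp.c
+* Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+* Ronnie Sahlberg 2004
+*
+* $Id: packet-ocsp-template.c 12573 2004-11-22 03:36:26Z sahlberg $
+*
+* Ethereal - Network traffic analyzer
+* By Gerald Combs <gerald@ethereal.com>
+* Copyright 1998 Gerald Combs
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "packet-ber.h"
+#include "packet-ocsp.h"
+#include "packet-x509af.h"
+#include "packet-x509ce.h"
+#include "packet-pkix1implicit.h"
+#include "packet-pkix1explicit.h"
+
+#define PNAME "Online Certificate Status Protocol"
+#define PSNAME "OCSP"
+#define PFNAME "ocsp"
+
+/* Initialize the protocol and registered fields */
+static int proto_ocsp = -1;
+static int hf_ocsp_responseType_id = -1;
+#include "packet-ocsp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_ocsp = -1;
+#include "packet-ocsp-ett.c"
+
+static char responseType_id[64]; /*64 chars should be long enough? */
+
+
+#include "packet-ocsp-fn.c"
+
+
+static int
+dissect_ocsp_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+proto_item *item=NULL;
+proto_tree *tree=NULL;
+
+if (check_col(pinfo->cinfo, COL_PROTOCOL))
+col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+if (check_col(pinfo->cinfo, COL_INFO)) {
+col_clear(pinfo->cinfo, COL_INFO);
+
+col_add_fstr(pinfo->cinfo, COL_INFO, "Request");
+}
+
+
+if(parent_tree){
+item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+tree = proto_item_add_subtree(item, ett_ocsp);
+}
+
+return dissect_ocsp_OCSPRequest(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+
+static int
+dissect_ocsp_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+proto_item *item=NULL;
+proto_tree *tree=NULL;
+
+if (check_col(pinfo->cinfo, COL_PROTOCOL))
+col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+if (check_col(pinfo->cinfo, COL_INFO)) {
+col_clear(pinfo->cinfo, COL_INFO);
+
+col_add_fstr(pinfo->cinfo, COL_INFO, "Response");
+}
+
+
+if(parent_tree){
+item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+tree = proto_item_add_subtree(item, ett_ocsp);
+}
+
+return dissect_ocsp_OCSPResponse(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+/*--- proto_register_ocsp ----------------------------------------------*/
+void proto_register_ocsp(void) {
+
+/* List of fields */
+static hf_register_info hf[] = {
+{ &hf_ocsp_responseType_id,
+{ "ResponseType Id", "x509af.responseType.id",
+FT_STRING, BASE_NONE, NULL, 0,
+"ResponseType Id", HFILL }},
+#include "packet-ocsp-hfarr.c"
+};
+
+/* List of subtrees */
+static gint *ett[] = {
+&ett_ocsp,
+#include "packet-ocsp-ettarr.c"
+};
+
+/* Register protocol */
+proto_ocsp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+/* Register fields and subtrees */
+proto_register_field_array(proto_ocsp, hf, array_length(hf));
+proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+/*--- proto_reg_handoff_ocsp -------------------------------------------*/
+void proto_reg_handoff_ocsp(void) {
+dissector_handle_t ocsp_request_handle;
+dissector_handle_t ocsp_response_handle;
+
+ocsp_request_handle = new_create_dissector_handle(dissect_ocsp_request, proto_ocsp);
+ocsp_response_handle = new_create_dissector_handle(dissect_ocsp_response, proto_ocsp);
+
+dissector_add_string("media_type", "application/ocsp-request", ocsp_request_handle);
+dissector_add_string("media_type", "application/ocsp-response", ocsp_response_handle);
+
+#include "packet-ocsp-dis-tab.c"
+}
+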
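Review bot: The abbreviation registered for `hf_ocsp_responseType_id` is `"x509af.responseType.id"`, which files this OCSP field under the x509af display-filter namespace instead of this protocol's `PFNAME` `"ocsp"`; it should be `{ "ResponseType Id", "ocsp.responseType.id",`. `static char responseType_id[64]; /*64 chars should be long enough? */` is filled from the wire by the `dissect_ber_object_identifier` call in ocsp.cnf, which receives the buffer but no capacity, so whether an over-long OID in a received response is truncated or overruns the 64 bytes depends on that helper and is not visible here — confirm that it bounds the copy and record the guaranteed limit in the comment in place of the question mark. As a point of style, `col_add_fstr(pinfo->cinfo, COL_INFO, "Request")` (and `"Response"` in dissect_ocsp_response) passes a format string with no arguments; `col_set_str` is the call meant for a constant string.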
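--- a/packet-ocsp-template.h
+++ b/packet-ocsp-template.h
@@ -0,0 +1,32 @@
+/* packet-ocsp.h
+* Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+* Ronnie Sahlberg 2004
+*
+* $Id: packet-ocsp-template.h 12573 2004-11-22 03:36:26Z sahlberg $
+*
+* Ethereal - Network traffic analyzer
+* By Gerald Combs <gerald@ethereal.com>
+* Copyright 1998 Gerald Combs
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef PACKET_OCSP_H
+#define PACKET_OCSP_H
+
+/*#include "packet-ocsp-exp.h"*/
+
+#endif /* PACKET_OCSP_H */
+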
@ -379,6 +379,7 @@ DISSECTOR_SRC = \
|
|||
packet-ntlmssp.c \
|
||||
packet-ntp.c \
|
||||
packet-null.c \
|
||||
packet-ocsp.c \
|
||||
packet-olsr.c \
|
||||
packet-osi-options.c \
|
||||
packet-osi.c \
|
||||
|
@ -673,6 +674,7 @@ DISSECTOR_INCLUDES = \
|
|||
packet-ntlmssp.h \
|
||||
packet-ntp.h \
|
||||
packet-null.h \
|
||||
packet-ocsp.h \
|
||||
packet-osi-options.h \
|
||||
packet-osi.h \
|
||||
packet-pcnfsd.h \
|
||||
|
|
|
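--- a/epan/dissectors/packet-ocsp.h
+++ b/epan/dissectors/packet-ocsp.h
@@ -0,0 +1,39 @@
+/* Do not modify this file. */
+/* It is created automatically by the ASN.1 to Ethereal dissector compiler */
+/* ./packet-ocsp.h */
+/* ../../tools/asn2eth.py -X -b -k -e -p ocsp -c ocsp.cnf -s packet-ocsp-template OCSP.asn */
+
+/* Input file: packet-ocsp-template.h */
+
+/* packet-ocsp.h
+* Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+* Ronnie Sahlberg 2004
+*
+* $Id: packet-ocsp-template.h 12573 2004-11-22 03:36:26Z sahlberg $
+*
+* Ethereal - Network traffic analyzer
+* By Gerald Combs <gerald@ethereal.com>
+* Copyright 1998 Gerald Combs
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+#ifndef PACKET_OCSP_H
+#define PACKET_OCSP_H
+
+/*#include "packet-ocsp-exp.h"*/
+
+#endif /* PACKET_OCSP_H */
+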