new protocol : RFC2560 Online Certificate Status Protocol

svn path=/trunk/; revision=12618

asn1/ocsp/Makefile

@@ -0,0 +1,5 @@
+
+../../epan/dissectors/packet-ocsp.c : ../../tools/asn2eth.py OCSP.asn packet-ocsp-template.c packet-ocsp-template.h ocsp.cnf
+	python ../../tools/asn2eth.py -X -b -k -e -p ocsp -c ocsp.cnf -s packet-ocsp-template OCSP.asn
+	cp packet-ocsp.* ../../epan/dissectors
+

asn1/ocsp/OCSP.asn

@@ -0,0 +1,174 @@
+-- Online Certificate Status Protocol
+-- RFC 2560
+-- This definition was taken from RFC2560 and modified to pass through
+-- ASN2ETH.
+-- The original copyright from RFC2650 follows below
+-- 
+-- Full Copyright Statement
+-- 
+--    Copyright (C) The Internet Society (1999).  All Rights Reserved.
+-- 
+--    This document and translations of it may be copied and furnished to
+--    others, and derivative works that comment on or otherwise explain it
+--    or assist in its implementation may be prepared, copied, published
+--    and distributed, in whole or in part, without restriction of any
+--    kind, provided that the above copyright notice and this paragraph are
+--    included on all such copies and derivative works.  However, this
+--    document itself may not be modified in any way, such as by removing
+--    the copyright notice or references to the Internet Society or other
+--    Internet organizations, except as needed for the purpose of
+--    developing Internet standards in which case the procedures for
+--    copyrights defined in the Internet Standards process must be
+--    followed, or as required to translate it into languages other than
+--    English.
+-- 
+--    The limited permissions granted above are perpetual and will not be
+--    revoked by the Internet Society or its successors or assigns.
+-- 
+--    This document and the information contained herein is provided on an
+--    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+--    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+--    BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+--    HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+--    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+-- 
+
+OCSP DEFINITIONS EXPLICIT TAGS::=
+
+BEGIN
+
+IMPORTS
+
+      -- Directory Authentication Framework (X.509)
+             Certificate, AlgorithmIdentifier
+             FROM AuthenticationFramework { joint-iso-itu-t ds(5)
+                      module(1) authenticationFramework(7) 3 }
+
+	     CRLReason
+	     FROM CertificateExtensions
+
+-- PKIX Certificate Extensions
+             AuthorityInfoAccessSyntax
+          FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+                  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+                  id-mod(0) id-pkix1-implicit-88(2)}
+
+
+          Name, GeneralName, CertificateSerialNumber, Extensions,
+           id-kp, id-ad-ocsp
+             FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+                  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+                  id-mod(0) id-pkix1-explicit-88(1)};
+
+OCSPRequest     ::=     SEQUENCE {
+    tbsRequest                  TBSRequest,
+    optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+
+TBSRequest      ::=     SEQUENCE {
+    version             [0] EXPLICIT Version DEFAULT v1,
+    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+    requestList             SEQUENCE OF Request,
+    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+
+Signature       ::=     SEQUENCE {
+    signatureAlgorithm   AlgorithmIdentifier,
+    signature            BIT STRING,
+    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+Version  ::=  INTEGER  {  v1(0) }
+
+Request ::=     SEQUENCE {
+    reqCert                    CertID,
+    singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+
+CertID ::= SEQUENCE {
+    hashAlgorithm            AlgorithmIdentifier,
+    issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+    issuerKeyHash      OCTET STRING, -- Hash of Issuers public key
+    serialNumber       CertificateSerialNumber }
+
+OCSPResponse ::= SEQUENCE {
+   responseStatus         OCSPResponseStatus,
+   responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+
+OCSPResponseStatus ::= ENUMERATED {
+    successful            (0),      --Response has valid confirmations
+    malformedRequest      (1),      --Illegal confirmation request
+    internalError         (2),      --Internal error in issuer
+    tryLater              (3),      --Try again later
+                                    --(4) is not used
+    sigRequired           (5),      --Must sign the request
+    unauthorized          (6)       --Request unauthorized
+}
+
+ResponseBytes ::=       SEQUENCE {
+    responseType   OBJECT IDENTIFIER,
+    response       OCTET STRING }
+
+BasicOCSPResponse       ::= SEQUENCE {
+   tbsResponseData      ResponseData,
+   signatureAlgorithm   AlgorithmIdentifier,
+   signature            BIT STRING,
+   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+ResponseData ::= SEQUENCE {
+   version              [0] EXPLICIT Version DEFAULT v1,
+   responderID              ResponderID,
+   producedAt               GeneralizedTime,
+   responses                SEQUENCE OF SingleResponse,
+   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+
+ResponderID ::= CHOICE {
+   byName   [1] Name,
+   byKey    [2] KeyHash }
+
+KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+                         --(excluding the tag and length fields)
+
+SingleResponse ::= SEQUENCE {
+   certID                       CertID,
+   certStatus                   CertStatus,
+   thisUpdate                   GeneralizedTime,
+   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+
+CertStatus ::= CHOICE {
+    good                [0]     IMPLICIT NULL,
+    revoked             [1]     IMPLICIT RevokedInfo,
+    unknown             [2]     IMPLICIT UnknownInfo }
+
+RevokedInfo ::= SEQUENCE {
+    revocationTime              GeneralizedTime,
+    revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+
+UnknownInfo ::= NULL -- this can be replaced with an enumeration
+
+ArchiveCutoff ::= GeneralizedTime
+
+AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
+
+ServiceLocator ::= SEQUENCE {
+    issuer    Name,
+    locator   AuthorityInfoAccessSyntax }
+
+CrlID ::= SEQUENCE {
+      crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+      crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
+      crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
+
+
+-- Object Identifiers
+--
+--id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
+--id-pkix-ocsp                 OBJECT IDENTIFIER ::= { id-ad-ocsp }
+--id-pkix-ocsp-basic           OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+--id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+--id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+--id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+--id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+--id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+--id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+--
+
+END
+

asn1/ocsp/ocsp.cnf

@@ -0,0 +1,48 @@
+# ocsp.cnf
+# OCSP conformation file
+
+# $Id: ocsp.cnf 12558 2004-11-21 10:16:06Z sahlberg $
+
+#.MODULE_IMPORT
+AuthenticationFramework x509af
+CertificateExtensions x509ce
+PKIX1Implicit88 pkix1implicit
+PKIX1Explicit88 pkix1explicit
+
+#.INCLUDE ../x509af/x509af-exp.cnf
+#.INCLUDE ../x509ce/x509ce-exp.cnf
+#.INCLUDE ../pkix1implicit/pkix1implicit_exp.cnf
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+
+#.EXPORTS
+
+#.PDU
+
+#.REGISTER
+BasicOCSPResponse	B	"1.3.6.1.5.5.7.48.1.1"	"id-pkix-ocsp-basic"
+CrlID			B	"1.3.6.1.5.5.7.48.1.3"	"id-pkix-ocsp-crl"
+AcceptableResponses	B	"1.3.6.1.5.5.7.48.1.4"	"id-pkix-ocsp-response"
+ArchiveCutoff		B	"1.3.6.1.5.5.7.48.1.6"	"id-pkix-ocsp-archive-cutoff"
+ServiceLocator		B	"1.3.6.1.5.5.7.48.1.7"	"id-pkix-ocsp-service-locator"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+
+#.FN_BODY ResponseBytes/responseType
+  offset = dissect_ber_object_identifier(FALSE, pinfo, tree, tvb, offset,
+                                 hf_ocsp_responseType_id, responseType_id);
+
+#.FN_BODY ResponseBytes/response
+  guint8 class;
+  gboolean pc, ind;
+  guint32 tag;
+  guint32 len;
+  /* skip past the T and L  */
+  offset = dissect_ber_identifier(pinfo, tree, tvb, offset, &class, &pc, &tag);
+  offset = dissect_ber_length(pinfo, tree, tvb, offset, &len, &ind);
+  offset=call_ber_oid_callback(responseType_id, tvb, offset, pinfo, tree);
+
+#.END

asn1/ocsp/packet-ocsp-template.c

@@ -0,0 +1,151 @@
+/* packet-ocsp.c
+ * Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+ *  Ronnie Sahlberg 2004
+ *
+ * $Id: packet-ocsp-template.c 12573 2004-11-22 03:36:26Z sahlberg $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "packet-ber.h"
+#include "packet-ocsp.h"
+#include "packet-x509af.h"
+#include "packet-x509ce.h"
+#include "packet-pkix1implicit.h"
+#include "packet-pkix1explicit.h"
+
+#define PNAME  "Online Certificate Status Protocol"
+#define PSNAME "OCSP"
+#define PFNAME "ocsp"
+
+/* Initialize the protocol and registered fields */
+static int proto_ocsp = -1;
+static int hf_ocsp_responseType_id = -1;
+#include "packet-ocsp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_ocsp = -1;
+#include "packet-ocsp-ett.c"
+
+static char responseType_id[64]; /*64 chars should be long enough? */
+
+
+#include "packet-ocsp-fn.c"
+
+
+static int
+dissect_ocsp_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	proto_item *item=NULL;
+	proto_tree *tree=NULL;
+
+	if (check_col(pinfo->cinfo, COL_PROTOCOL)) 
+		col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+	if (check_col(pinfo->cinfo, COL_INFO)) {
+		col_clear(pinfo->cinfo, COL_INFO);
+		
+		col_add_fstr(pinfo->cinfo, COL_INFO, "Request");
+	}
+
+
+	if(parent_tree){
+		item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+		tree = proto_item_add_subtree(item, ett_ocsp);
+	}
+
+	return dissect_ocsp_OCSPRequest(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+
+static int
+dissect_ocsp_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+	proto_item *item=NULL;
+	proto_tree *tree=NULL;
+
+	if (check_col(pinfo->cinfo, COL_PROTOCOL)) 
+		col_set_str(pinfo->cinfo, COL_PROTOCOL, "OCSP");
+
+	if (check_col(pinfo->cinfo, COL_INFO)) {
+		col_clear(pinfo->cinfo, COL_INFO);
+		
+		col_add_fstr(pinfo->cinfo, COL_INFO, "Response");
+	}
+
+
+	if(parent_tree){
+		item=proto_tree_add_item(parent_tree, proto_ocsp, tvb, 0, -1, FALSE);
+		tree = proto_item_add_subtree(item, ett_ocsp);
+	}
+
+	return dissect_ocsp_OCSPResponse(FALSE, tvb, 0, pinfo, tree, -1);
+}
+
+/*--- proto_register_ocsp ----------------------------------------------*/
+void proto_register_ocsp(void) {
+
+  /* List of fields */
+  static hf_register_info hf[] = {
+    { &hf_ocsp_responseType_id,
+      { "ResponseType Id", "x509af.responseType.id",
+        FT_STRING, BASE_NONE, NULL, 0,
+        "ResponseType Id", HFILL }},
+#include "packet-ocsp-hfarr.c"
+  };
+
+  /* List of subtrees */
+  static gint *ett[] = {
+    &ett_ocsp,
+#include "packet-ocsp-ettarr.c"
+  };
+
+  /* Register protocol */
+  proto_ocsp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+  /* Register fields and subtrees */
+  proto_register_field_array(proto_ocsp, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+/*--- proto_reg_handoff_ocsp -------------------------------------------*/
+void proto_reg_handoff_ocsp(void) {
+	dissector_handle_t ocsp_request_handle;
+	dissector_handle_t ocsp_response_handle;
+
+	ocsp_request_handle = new_create_dissector_handle(dissect_ocsp_request, proto_ocsp);
+	ocsp_response_handle = new_create_dissector_handle(dissect_ocsp_response, proto_ocsp);
+
+	dissector_add_string("media_type", "application/ocsp-request", ocsp_request_handle);
+	dissector_add_string("media_type", "application/ocsp-response", ocsp_response_handle);
+
+#include "packet-ocsp-dis-tab.c"
+}
+

asn1/ocsp/packet-ocsp-template.h

@@ -0,0 +1,32 @@
+/* packet-ocsp.h
+ * Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+ *  Ronnie Sahlberg 2004
+ *
+ * $Id: packet-ocsp-template.h 12573 2004-11-22 03:36:26Z sahlberg $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifndef PACKET_OCSP_H
+#define PACKET_OCSP_H
+
+/*#include "packet-ocsp-exp.h"*/
+
+#endif  /* PACKET_OCSP_H */
+

epan/dissectors/Makefile.common

@@ -379,6 +379,7 @@ DISSECTOR_SRC =	\
 	packet-ntlmssp.c	\
 	packet-ntp.c	\
 	packet-null.c	\
+	packet-ocsp.c	\
 	packet-olsr.c	\
 	packet-osi-options.c	\
 	packet-osi.c	\
@@ -673,6 +674,7 @@ DISSECTOR_INCLUDES =	\
 	packet-ntlmssp.h	\
 	packet-ntp.h	\
 	packet-null.h	\
+	packet-ocsp.h	\
 	packet-osi-options.h	\
 	packet-osi.h	\
 	packet-pcnfsd.h	\

epan/dissectors/packet-ocsp.h

@@ -0,0 +1,39 @@
+/* Do not modify this file.                                                   */
+/* It is created automatically by the ASN.1 to Ethereal dissector compiler    */
+/* ./packet-ocsp.h                                                            */
+/* ../../tools/asn2eth.py -X -b -k -e -p ocsp -c ocsp.cnf -s packet-ocsp-template OCSP.asn */
+
+/* Input file: packet-ocsp-template.h */
+
+/* packet-ocsp.h
+ * Routines for Online Certificate Status Protocol (RFC2560) packet dissection
+ *  Ronnie Sahlberg 2004
+ *
+ * $Id: packet-ocsp-template.h 12573 2004-11-22 03:36:26Z sahlberg $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifndef PACKET_OCSP_H
+#define PACKET_OCSP_H
+
+/*#include "packet-ocsp-exp.h"*/
+
+#endif  /* PACKET_OCSP_H */
+