#codec #pki #response #decoding #request-response #lib

ocsp

为Rust编解码OCSP请求和响应的库

2个不稳定版本

0.4.0 2023年1月9日
0.3.3 2021年8月27日

#706加密学

Apache-2.0

115KB
2K SLoC

OCSP-RS


ocsp-rs支持编解码OCSP请求和响应

特性

  • 请求编码 [进行中]
  • 请求解码
  • 响应编码
  • 响应解码 [进行中]

用法

[dependencies]
ocsp = "0.4"

服务器端

1. 解析OCSP请求

use ocsp::request::OcspRequest;

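let recv_request: BytesMut = BytesMut::new();

// read the HTTP request body (the raw OCSP request bytes) into `recv_request`

// `parse` returns a `Result`. A malformed body arriving from the network is an
// expected input, not a bug, so handle the error instead of `unwrap()`ing it:
// a panic here takes the handler down and turns any garbage request into a
// denial of service.
let ocsp_request = match OcspRequest::parse(&recv_request[..]) {
    Ok(req) => req,
    Err(_) => {
        // answer with a non-success status (see `OcspRespStatus`) and stop here
        return;
    }
};

// the CertIds name the certificates whose status is being asked for;
// one request may carry several
let cid_list = ocsp_request.extract_certid_owned();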

2. 生成OCSP响应

use ocsp::{
    common::asn1::{CertId, GeneralizedTime, Oid},
    oid::{ALGO_SHA256_WITH_RSA_ENCRYPTION_DOT, OCSP_RESPONSE_BASIC_DOT},
    response::{
        BasicResponse, CertStatus as OcspCertStatus, CertStatus, CertStatusCode, CrlReason,
        OcspRespStatus, OcspResponse, OneResp, ResponderId, ResponseBytes, ResponseData,
        RevokedInfo,
    },
};


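// 20-byte hash identifying the responder (the `byKey` form of ResponderId);
// presumably the SHA-1 of the responder's public key as in RFC 6960 — confirm
// against the `ResponderId` docs
let responder_key_hash = [0x36, 0x6f, 0x35, 0xfb, 0xef, 0x16, 0xc6, 0xba, 0x8a, 0x31, 0x83, 0x42, 0x6d, 0x97, 0xba, 0x89, 0x4d, 0x55, 0x6e, 0x91];
let id = ResponderId::new_key_hash(&responder_key_hash); // responding by id

// producedAt: year, month, day, hour(24), minute, second
let produce = GeneralizedTime::new(2021, 1, 12, 21, 26, 43).unwrap();

// CertId of the certificate being answered. A real responder should take it
// from the parsed request (`extract_certid_owned`) rather than rebuild it, so
// the response echoes exactly what the client asked for, hash algorithm
// included. 1.3.14.3.2.26 is id-sha1, hence the 20-byte name/key hashes below.
let hash_algo = Oid::new_from_dot("1.3.14.3.2.26").unwrap();
let issuer_name_hash = vec![ 0x69, 0x4d, 0x18, 0xa9, 0xbe, 0x42, 0xf7, 0x80, 0x26, 0x14, 0xd4, 0x84, 0x4f, 0x23, 0x60, 0x14, 0x78, 0xb7, 0x88, 0x20];
let issuer_key_hash = vec![ 0x39, 0x7b, 0xe0, 0x02, 0xa2, 0xf5, 0x71, 0xfd, 0x80, 0xdc, 0xeb, 0x52, 0xa1, 0x7a, 0x7f, 0x8b, 0x63, 0x2b, 0xe7, 0x55];
let serial = vec![0x41, 0x30, 0x09, 0x83, 0x33, 0x1f, 0x9d, 0x4f];
let certid = CertId::new(hash_algo.clone(), &issuer_name_hash, &issuer_key_hash, &serial);

// first single response: certificate is good
let good = OcspCertStatus::new(CertStatusCode::Good, None);
// thisUpdate
let gt = GeneralizedTime::new(2021, 1, 12, 3, 26, 43).unwrap();

let one = OneResp {
    cid: certid.clone(),
    cert_status: good,
    this_update: gt,
    // no nextUpdate: clients then have no freshness bound to cache against;
    // set one in production
    next_update: None,
    one_resp_ext: None,
};

// second single response: same issuer, another serial, revoked
let serial2 = vec![0x63, 0x78, 0xe5, 0x1d, 0x44, 0x8f, 0xf4, 0x6d];
let certid2 = CertId::new(hash_algo, &issuer_name_hash, &issuer_key_hash, &serial2);
let rev_t = GeneralizedTime::new(2020, 11, 30, 1, 48, 25).unwrap();
let rev_info = RevokedInfo::new(rev_t, Some(CrlReason::OcspRevokeUnspecified));
let revoke = OcspCertStatus::new(CertStatusCode::Revoked, Some(rev_info));
let two = OneResp {
    cid: certid2,
    cert_status: revoke,
    this_update: gt,
    next_update: None,
    one_resp_ext: None,
};

let list = vec![one, two];
let data = ResponseData::new(id, produce, list, None);

// Signature algorithm; other algorithms are available as constants in `oid`.
// Prefer the named constant over a dotted literal so the advertised OID cannot
// drift from the algorithm actually used to sign. Note that
// 1.2.840.113549.1.1.5 is sha1WithRSAEncryption, while sha256WithRSAEncryption
// is 1.2.840.113549.1.1.11 — check the constant's value in `oid` if in doubt.
let sig_algo = Oid::new_from_dot(ALGO_SHA256_WITH_RSA_ENCRYPTION_DOT).unwrap();

// PLACEHOLDER signature for the example only. A real responder must produce a
// genuine signature with the responder's private key (over the encoded
// response data, per RFC 6960) using `sig_algo`; a response carrying this
// value is rejected by every verifying client.
let some_signing_machine = || async { vec![ 0x00 ] };
let sign = some_signing_machine().await;

let basic = BasicResponse::new(data, sig_algo, sign, None);
// `OCSP_RESPONSE_BASIC_DOT` is id-pkix-ocsp-basic, i.e. the same as
// `Oid::new_from_dot("1.3.6.1.5.5.7.48.1.1")`
let resp_type = Oid::new_from_dot(OCSP_RESPONSE_BASIC_DOT).unwrap();
let bytes = ResponseBytes::new_basic(resp_type, basic).unwrap();
let ocsp = OcspResponse::new_success(bytes);
let resp_binary = ocsp.to_der().unwrap();

// return resp_binary as response body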

客户端 [进行中]

依赖项

~1.6–2.4MB
~42K SLoC