third_party/js/PKI.js/src/OCSPRequest.ts


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279

import * as asn1js from "asn1js";
import * as pvutils from "pvutils";
import * as common from "./common";
import { TBSRequest, TBSRequestJson, TBSRequestSchema } from "./TBSRequest";
import { Signature, SignatureJson, SignatureSchema } from "./Signature";
import { Request } from "./Request";
import { CertID, CertIDCreateParams } from "./CertID";
import * as Schema from "./Schema";
import { Certificate } from "./Certificate";
import { AsnError, ParameterError } from "./errors";
import { PkiObject, PkiObjectParameters } from "./PkiObject";

const TBS_REQUEST = "tbsRequest";
const OPTIONAL_SIGNATURE = "optionalSignature";
const CLEAR_PROPS = [
  TBS_REQUEST,
  OPTIONAL_SIGNATURE
];

export interface IOCSPRequest {
  tbsRequest: TBSRequest;
  optionalSignature?: Signature;
}

export interface OCSPRequestJson {
  tbsRequest: TBSRequestJson;
  optionalSignature?: SignatureJson;
}

export type OCSPRequestParameters = PkiObjectParameters & Partial<IOCSPRequest>;

/**
 * Represents an OCSP request described in [RFC6960 Section 4.1](https://datatracker.ietf.org/doc/html/rfc6960#section-4.1)
 *
 * @example The following example demonstrates how to create OCSP request
 * ```js
 * // Create OCSP request
 * const ocspReq = new pkijs.OCSPRequest();
 *
 * ocspReq.tbsRequest.requestorName = new pkijs.GeneralName({
 *   type: 4,
 *   value: cert.subject,
 * });
 *
 * await ocspReq.createForCertificate(cert, {
 *   hashAlgorithm: "SHA-256",
 *   issuerCertificate: issuerCert,
 * });
 *
 * const nonce = pkijs.getRandomValues(new Uint8Array(10));
 * ocspReq.tbsRequest.requestExtensions = [
 *   new pkijs.Extension({
 *     extnID: "1.3.6.1.5.5.7.48.1.2", // nonce
 *     extnValue: new asn1js.OctetString({ valueHex: nonce.buffer }).toBER(),
 *   })
 * ];
 *
 * // Encode OCSP request
 * const ocspReqRaw = ocspReq.toSchema(true).toBER();
 * ```
 */
export class OCSPRequest extends PkiObject implements IOCSPRequest {

  public static override CLASS_NAME = "OCSPRequest";

  public tbsRequest!: TBSRequest;
  public optionalSignature?: Signature;

  /**
   * Initializes a new instance of the {@link OCSPRequest} class
   * @param parameters Initialization parameters
   */
  constructor(parameters: OCSPRequestParameters = {}) {
    super();

    this.tbsRequest = pvutils.getParametersValue(parameters, TBS_REQUEST, OCSPRequest.defaultValues(TBS_REQUEST));
    if (OPTIONAL_SIGNATURE in parameters) {
      this.optionalSignature = pvutils.getParametersValue(parameters, OPTIONAL_SIGNATURE, OCSPRequest.defaultValues(OPTIONAL_SIGNATURE));
    }

    if (parameters.schema) {
      this.fromSchema(parameters.schema);
    }
  }

  /**
   * Returns default values for all class members
   * @param memberName String name for a class member
   * @returns Default value
   */
  public static override defaultValues(memberName: typeof TBS_REQUEST): TBSRequest;
  public static override defaultValues(memberName: typeof OPTIONAL_SIGNATURE): Signature;
  public static override defaultValues(memberName: string): any {
    switch (memberName) {
      case TBS_REQUEST:
        return new TBSRequest();
      case OPTIONAL_SIGNATURE:
        return new Signature();
      default:
        return super.defaultValues(memberName);
    }
  }

  /**
   * Compare values with default values for all class members
   * @param memberName String name for a class member
   * @param memberValue Value to compare with default value
   * @returns Returns `true` if `memberValue` is equal to default value for selected class member
   */
  public static compareWithDefault(memberName: string, memberValue: any): boolean {
    switch (memberName) {
      case TBS_REQUEST:
        return ((TBSRequest.compareWithDefault("tbs", memberValue.tbs)) &&
          (TBSRequest.compareWithDefault("version", memberValue.version)) &&
          (TBSRequest.compareWithDefault("requestorName", memberValue.requestorName)) &&
          (TBSRequest.compareWithDefault("requestList", memberValue.requestList)) &&
          (TBSRequest.compareWithDefault("requestExtensions", memberValue.requestExtensions)));
      case OPTIONAL_SIGNATURE:
        return ((Signature.compareWithDefault("signatureAlgorithm", memberValue.signatureAlgorithm)) &&
          (Signature.compareWithDefault("signature", memberValue.signature)) &&
          (Signature.compareWithDefault("certs", memberValue.certs)));
      default:
        return super.defaultValues(memberName);
    }
  }

  /**
   * @inheritdoc
   * @asn ASN.1 schema
   * ```asn
   * OCSPRequest ::= SEQUENCE {
   *    tbsRequest                  TBSRequest,
   *    optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
   *```
   */
  public static override schema(parameters: Schema.SchemaParameters<{
    tbsRequest?: TBSRequestSchema;
    optionalSignature?: SignatureSchema;
  }> = {}): Schema.SchemaType {
    const names = pvutils.getParametersValue<NonNullable<typeof parameters.names>>(parameters, "names", {});

    return (new asn1js.Sequence({
      name: names.blockName || "OCSPRequest",
      value: [
        TBSRequest.schema(names.tbsRequest || {
          names: {
            blockName: TBS_REQUEST
          }
        }),
        new asn1js.Constructed({
          optional: true,
          idBlock: {
            tagClass: 3, // CONTEXT-SPECIFIC
            tagNumber: 0 // [0]
          },
          value: [
            Signature.schema(names.optionalSignature || {
              names: {
                blockName: OPTIONAL_SIGNATURE
              }
            })
          ]
        })
      ]
    }));
  }

  public fromSchema(schema: Schema.SchemaType): void {
    // Clear input data first
    pvutils.clearProps(schema, CLEAR_PROPS);

    // Check the schema is valid
    const asn1 = asn1js.compareSchema(schema,
      schema,
      OCSPRequest.schema()
    );
    AsnError.assertSchema(asn1, this.className);

    // Get internal properties from parsed schema
    this.tbsRequest = new TBSRequest({ schema: asn1.result.tbsRequest });
    if (OPTIONAL_SIGNATURE in asn1.result)
      this.optionalSignature = new Signature({ schema: asn1.result.optionalSignature });
  }

  public toSchema(encodeFlag = false) {
    //#region Create array for output sequence
    const outputArray = [];

    outputArray.push(this.tbsRequest.toSchema(encodeFlag));
    if (this.optionalSignature)
      outputArray.push(
        new asn1js.Constructed({
          optional: true,
          idBlock: {
            tagClass: 3, // CONTEXT-SPECIFIC
            tagNumber: 0 // [0]
          },
          value: [
            this.optionalSignature.toSchema()
          ]
        }));
    //#endregion

    //#region Construct and return new ASN.1 schema for this object
    return (new asn1js.Sequence({
      value: outputArray
    }));
    //#endregion
  }

  public toJSON(): OCSPRequestJson {
    const res: OCSPRequestJson = {
      tbsRequest: this.tbsRequest.toJSON()
    };

    if (this.optionalSignature) {
      res.optionalSignature = this.optionalSignature.toJSON();
    }

    return res;
  }

  /**
   * Making OCSP Request for specific certificate
   * @param certificate Certificate making OCSP Request for
   * @param parameters Additional parameters
   * @param crypto Crypto engine
   */
  public async createForCertificate(certificate: Certificate, parameters: CertIDCreateParams, crypto = common.getCrypto(true)): Promise<void> {
    //#region Initial variables
    const certID = new CertID();
    //#endregion

    //#region Create OCSP certificate identifier for the certificate
    await certID.createForCertificate(certificate, parameters, crypto);
    //#endregion

    //#region Make final request data
    this.tbsRequest.requestList.push(new Request({
      reqCert: certID,
    }));
    //#endregion
  }

  /**
   * Make signature for current OCSP Request
   * @param privateKey Private key for "subjectPublicKeyInfo" structure
   * @param hashAlgorithm Hashing algorithm. Default SHA-1
   * @param crypto Crypto engine
   */
  public async sign(privateKey: CryptoKey, hashAlgorithm = "SHA-1", crypto = common.getCrypto(true)) {
    // Initial checking
    ParameterError.assertEmpty(privateKey, "privateKey", "OCSPRequest.sign method");

    // Check that OPTIONAL_SIGNATURE exists in the current request
    if (!this.optionalSignature) {
      throw new Error("Need to create \"optionalSignature\" field before signing");
    }

    //#region Get a "default parameters" for current algorithm and set correct signature algorithm
    const signatureParams = await crypto.getSignatureParameters(privateKey, hashAlgorithm);
    const parameters = signatureParams.parameters;
    this.optionalSignature.signatureAlgorithm = signatureParams.signatureAlgorithm;
    //#endregion

    //#region Create TBS data for signing
    const tbs = this.tbsRequest.toSchema(true).toBER(false);
    //#endregion

    // Signing TBS data on provided private key
    const signature = await crypto.signWithPrivateKey(tbs, privateKey, parameters as any);
    this.optionalSignature.signature = new asn1js.BitString({ valueHex: signature });
  }

  verify() {
    // TODO: Create the function
  }

}