]>
Commit | Line | Data |
---|---|---|
6ef869d7 DSH |
1 | /* |
2 | * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL | |
3 | * project. | |
4 | */ | |
5 | ||
6 | /* | |
7 | * History: This file was transfered to Richard Levitte from CertCo by Kathy | |
8 | * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a | |
9 | * patch kit. | |
10 | */ | |
11 | ||
12 | /* ==================================================================== | |
13 | * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. | |
14 | * | |
15 | * Redistribution and use in source and binary forms, with or without | |
16 | * modification, are permitted provided that the following conditions | |
17 | * are met: | |
18 | * | |
19 | * 1. Redistributions of source code must retain the above copyright | |
20 | * notice, this list of conditions and the following disclaimer. | |
21 | * | |
22 | * 2. Redistributions in binary form must reproduce the above copyright | |
23 | * notice, this list of conditions and the following disclaimer in | |
24 | * the documentation and/or other materials provided with the | |
25 | * distribution. | |
26 | * | |
27 | * 3. All advertising materials mentioning features or use of this | |
28 | * software must display the following acknowledgment: | |
29 | * "This product includes software developed by the OpenSSL Project | |
30 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
31 | * | |
32 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
33 | * endorse or promote products derived from this software without | |
34 | * prior written permission. For written permission, please contact | |
35 | * openssl-core@openssl.org. | |
36 | * | |
37 | * 5. Products derived from this software may not be called "OpenSSL" | |
38 | * nor may "OpenSSL" appear in their names without prior written | |
39 | * permission of the OpenSSL Project. | |
40 | * | |
41 | * 6. Redistributions of any form whatsoever must retain the following | |
42 | * acknowledgment: | |
43 | * "This product includes software developed by the OpenSSL Project | |
44 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
45 | * | |
46 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
47 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
48 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
49 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
50 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
51 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
52 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
53 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
54 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
55 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
56 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
57 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
58 | * ==================================================================== | |
59 | * | |
60 | * This product includes cryptographic software written by Eric Young | |
61 | * (eay@cryptsoft.com). This product includes software written by Tim | |
62 | * Hudson (tjh@cryptsoft.com). | |
63 | * | |
64 | */ | |
65 | ||
66 | /*- CertID ::= SEQUENCE { | |
67 | * hashAlgorithm AlgorithmIdentifier, | |
68 | * issuerNameHash OCTET STRING, -- Hash of Issuer's DN | |
69 | * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) | |
70 | * serialNumber CertificateSerialNumber } | |
71 | */ | |
72 | struct ocsp_cert_id_st { | |
a332635e | 73 | X509_ALGOR hashAlgorithm; |
af170194 DSH |
74 | ASN1_OCTET_STRING issuerNameHash; |
75 | ASN1_OCTET_STRING issuerKeyHash; | |
76 | ASN1_INTEGER serialNumber; | |
6ef869d7 DSH |
77 | }; |
78 | ||
79 | /*- Request ::= SEQUENCE { | |
80 | * reqCert CertID, | |
81 | * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | |
82 | */ | |
83 | struct ocsp_one_request_st { | |
84 | OCSP_CERTID *reqCert; | |
85 | STACK_OF(X509_EXTENSION) *singleRequestExtensions; | |
86 | }; | |
87 | ||
88 | /*- TBSRequest ::= SEQUENCE { | |
89 | * version [0] EXPLICIT Version DEFAULT v1, | |
90 | * requestorName [1] EXPLICIT GeneralName OPTIONAL, | |
91 | * requestList SEQUENCE OF Request, | |
92 | * requestExtensions [2] EXPLICIT Extensions OPTIONAL } | |
93 | */ | |
94 | struct ocsp_req_info_st { | |
95 | ASN1_INTEGER *version; | |
96 | GENERAL_NAME *requestorName; | |
97 | STACK_OF(OCSP_ONEREQ) *requestList; | |
98 | STACK_OF(X509_EXTENSION) *requestExtensions; | |
99 | }; | |
100 | ||
101 | /*- Signature ::= SEQUENCE { | |
102 | * signatureAlgorithm AlgorithmIdentifier, | |
103 | * signature BIT STRING, | |
104 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
105 | */ | |
106 | struct ocsp_signature_st { | |
a332635e | 107 | X509_ALGOR signatureAlgorithm; |
6ef869d7 DSH |
108 | ASN1_BIT_STRING *signature; |
109 | STACK_OF(X509) *certs; | |
110 | }; | |
111 | ||
112 | /*- OCSPRequest ::= SEQUENCE { | |
113 | * tbsRequest TBSRequest, | |
114 | * optionalSignature [0] EXPLICIT Signature OPTIONAL } | |
115 | */ | |
116 | struct ocsp_request_st { | |
a332635e | 117 | OCSP_REQINFO tbsRequest; |
6ef869d7 DSH |
118 | OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ |
119 | }; | |
120 | ||
121 | /*- OCSPResponseStatus ::= ENUMERATED { | |
122 | * successful (0), --Response has valid confirmations | |
123 | * malformedRequest (1), --Illegal confirmation request | |
124 | * internalError (2), --Internal error in issuer | |
125 | * tryLater (3), --Try again later | |
126 | * --(4) is not used | |
127 | * sigRequired (5), --Must sign the request | |
128 | * unauthorized (6) --Request unauthorized | |
129 | * } | |
130 | */ | |
131 | ||
132 | /*- ResponseBytes ::= SEQUENCE { | |
133 | * responseType OBJECT IDENTIFIER, | |
134 | * response OCTET STRING } | |
135 | */ | |
136 | struct ocsp_resp_bytes_st { | |
137 | ASN1_OBJECT *responseType; | |
138 | ASN1_OCTET_STRING *response; | |
139 | }; | |
140 | ||
141 | /*- OCSPResponse ::= SEQUENCE { | |
142 | * responseStatus OCSPResponseStatus, | |
143 | * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |
144 | */ | |
145 | struct ocsp_response_st { | |
146 | ASN1_ENUMERATED *responseStatus; | |
147 | OCSP_RESPBYTES *responseBytes; | |
148 | }; | |
149 | ||
150 | /*- ResponderID ::= CHOICE { | |
151 | * byName [1] Name, | |
152 | * byKey [2] KeyHash } | |
153 | */ | |
154 | struct ocsp_responder_id_st { | |
155 | int type; | |
156 | union { | |
157 | X509_NAME *byName; | |
158 | ASN1_OCTET_STRING *byKey; | |
159 | } value; | |
160 | }; | |
161 | ||
162 | /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key | |
163 | * --(excluding the tag and length fields) | |
164 | */ | |
165 | ||
166 | /*- RevokedInfo ::= SEQUENCE { | |
167 | * revocationTime GeneralizedTime, | |
168 | * revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |
169 | */ | |
170 | struct ocsp_revoked_info_st { | |
171 | ASN1_GENERALIZEDTIME *revocationTime; | |
172 | ASN1_ENUMERATED *revocationReason; | |
173 | }; | |
174 | ||
175 | /*- CertStatus ::= CHOICE { | |
176 | * good [0] IMPLICIT NULL, | |
177 | * revoked [1] IMPLICIT RevokedInfo, | |
178 | * unknown [2] IMPLICIT UnknownInfo } | |
179 | */ | |
180 | struct ocsp_cert_status_st { | |
181 | int type; | |
182 | union { | |
183 | ASN1_NULL *good; | |
184 | OCSP_REVOKEDINFO *revoked; | |
185 | ASN1_NULL *unknown; | |
186 | } value; | |
187 | }; | |
188 | ||
189 | /*- SingleResponse ::= SEQUENCE { | |
190 | * certID CertID, | |
191 | * certStatus CertStatus, | |
192 | * thisUpdate GeneralizedTime, | |
193 | * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |
194 | * singleExtensions [1] EXPLICIT Extensions OPTIONAL } | |
195 | */ | |
196 | struct ocsp_single_response_st { | |
197 | OCSP_CERTID *certId; | |
198 | OCSP_CERTSTATUS *certStatus; | |
199 | ASN1_GENERALIZEDTIME *thisUpdate; | |
200 | ASN1_GENERALIZEDTIME *nextUpdate; | |
201 | STACK_OF(X509_EXTENSION) *singleExtensions; | |
202 | }; | |
203 | ||
204 | /*- ResponseData ::= SEQUENCE { | |
205 | * version [0] EXPLICIT Version DEFAULT v1, | |
206 | * responderID ResponderID, | |
207 | * producedAt GeneralizedTime, | |
208 | * responses SEQUENCE OF SingleResponse, | |
209 | * responseExtensions [1] EXPLICIT Extensions OPTIONAL } | |
210 | */ | |
211 | struct ocsp_response_data_st { | |
212 | ASN1_INTEGER *version; | |
a332635e | 213 | OCSP_RESPID responderId; |
6ef869d7 DSH |
214 | ASN1_GENERALIZEDTIME *producedAt; |
215 | STACK_OF(OCSP_SINGLERESP) *responses; | |
216 | STACK_OF(X509_EXTENSION) *responseExtensions; | |
217 | }; | |
218 | ||
219 | /*- BasicOCSPResponse ::= SEQUENCE { | |
220 | * tbsResponseData ResponseData, | |
221 | * signatureAlgorithm AlgorithmIdentifier, | |
222 | * signature BIT STRING, | |
223 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
224 | */ | |
225 | /* | |
226 | * Note 1: The value for "signature" is specified in the OCSP rfc2560 as | |
227 | * follows: "The value for the signature SHALL be computed on the hash of | |
228 | * the DER encoding ResponseData." This means that you must hash the | |
229 | * DER-encoded tbsResponseData, and then run it through a crypto-signing | |
230 | * function, which will (at least w/RSA) do a hash-'n'-private-encrypt | |
231 | * operation. This seems a bit odd, but that's the spec. Also note that | |
232 | * the data structures do not leave anywhere to independently specify the | |
233 | * algorithm used for the initial hash. So, we look at the | |
234 | * signature-specification algorithm, and try to do something intelligent. | |
235 | * -- Kathy Weinhold, CertCo | |
236 | */ | |
237 | /* | |
238 | * Note 2: It seems that the mentioned passage from RFC 2560 (section | |
239 | * 4.2.1) is open for interpretation. I've done tests against another | |
240 | * responder, and found that it doesn't do the double hashing that the RFC | |
241 | * seems to say one should. Therefore, all relevant functions take a flag | |
242 | * saying which variant should be used. -- Richard Levitte, OpenSSL team | |
243 | * and CeloCom | |
244 | */ | |
245 | struct ocsp_basic_response_st { | |
a332635e DSH |
246 | OCSP_RESPDATA tbsResponseData; |
247 | X509_ALGOR signatureAlgorithm; | |
6ef869d7 DSH |
248 | ASN1_BIT_STRING *signature; |
249 | STACK_OF(X509) *certs; | |
250 | }; | |
251 | ||
252 | /*- | |
253 | * CrlID ::= SEQUENCE { | |
254 | * crlUrl [0] EXPLICIT IA5String OPTIONAL, | |
255 | * crlNum [1] EXPLICIT INTEGER OPTIONAL, | |
256 | * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | |
257 | */ | |
258 | struct ocsp_crl_id_st { | |
259 | ASN1_IA5STRING *crlUrl; | |
260 | ASN1_INTEGER *crlNum; | |
261 | ASN1_GENERALIZEDTIME *crlTime; | |
262 | }; | |
263 | ||
264 | /*- | |
265 | * ServiceLocator ::= SEQUENCE { | |
266 | * issuer Name, | |
267 | * locator AuthorityInfoAccessSyntax OPTIONAL } | |
268 | */ | |
269 | struct ocsp_service_locator_st { | |
270 | X509_NAME *issuer; | |
271 | STACK_OF(ACCESS_DESCRIPTION) *locator; | |
272 | }; |