]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ocsp/ocsp_lcl.h
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Remove /* foo.c */ comments
[thirdparty/openssl.git] / crypto / ocsp / ocsp_lcl.h
1 /*
2 * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project.
4 */
5
6 /*
7 * History: This file was transfered to Richard Levitte from CertCo by Kathy
8 * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
9 * patch kit.
10 */
11
12 /* ====================================================================
13 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 *
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 *
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
25 * distribution.
26 *
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
31 *
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * openssl-core@openssl.org.
36 *
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
40 *
41 * 6. Redistributions of any form whatsoever must retain the following
42 * acknowledgment:
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
45 *
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
59 *
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
63 *
64 */
65
66 /*- CertID ::= SEQUENCE {
67 * hashAlgorithm AlgorithmIdentifier,
68 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
69 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
70 * serialNumber CertificateSerialNumber }
71 */
72 struct ocsp_cert_id_st {
73 X509_ALGOR hashAlgorithm;
74 ASN1_OCTET_STRING issuerNameHash;
75 ASN1_OCTET_STRING issuerKeyHash;
76 ASN1_INTEGER serialNumber;
77 };
78
79 /*- Request ::= SEQUENCE {
80 * reqCert CertID,
81 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
82 */
83 struct ocsp_one_request_st {
84 OCSP_CERTID *reqCert;
85 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
86 };
87
88 /*- TBSRequest ::= SEQUENCE {
89 * version [0] EXPLICIT Version DEFAULT v1,
90 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
91 * requestList SEQUENCE OF Request,
92 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
93 */
94 struct ocsp_req_info_st {
95 ASN1_INTEGER *version;
96 GENERAL_NAME *requestorName;
97 STACK_OF(OCSP_ONEREQ) *requestList;
98 STACK_OF(X509_EXTENSION) *requestExtensions;
99 };
100
101 /*- Signature ::= SEQUENCE {
102 * signatureAlgorithm AlgorithmIdentifier,
103 * signature BIT STRING,
104 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
105 */
106 struct ocsp_signature_st {
107 X509_ALGOR signatureAlgorithm;
108 ASN1_BIT_STRING *signature;
109 STACK_OF(X509) *certs;
110 };
111
112 /*- OCSPRequest ::= SEQUENCE {
113 * tbsRequest TBSRequest,
114 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
115 */
116 struct ocsp_request_st {
117 OCSP_REQINFO tbsRequest;
118 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
119 };
120
121 /*- OCSPResponseStatus ::= ENUMERATED {
122 * successful (0), --Response has valid confirmations
123 * malformedRequest (1), --Illegal confirmation request
124 * internalError (2), --Internal error in issuer
125 * tryLater (3), --Try again later
126 * --(4) is not used
127 * sigRequired (5), --Must sign the request
128 * unauthorized (6) --Request unauthorized
129 * }
130 */
131
132 /*- ResponseBytes ::= SEQUENCE {
133 * responseType OBJECT IDENTIFIER,
134 * response OCTET STRING }
135 */
136 struct ocsp_resp_bytes_st {
137 ASN1_OBJECT *responseType;
138 ASN1_OCTET_STRING *response;
139 };
140
141 /*- OCSPResponse ::= SEQUENCE {
142 * responseStatus OCSPResponseStatus,
143 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
144 */
145 struct ocsp_response_st {
146 ASN1_ENUMERATED *responseStatus;
147 OCSP_RESPBYTES *responseBytes;
148 };
149
150 /*- ResponderID ::= CHOICE {
151 * byName [1] Name,
152 * byKey [2] KeyHash }
153 */
154 struct ocsp_responder_id_st {
155 int type;
156 union {
157 X509_NAME *byName;
158 ASN1_OCTET_STRING *byKey;
159 } value;
160 };
161
162 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
163 * --(excluding the tag and length fields)
164 */
165
166 /*- RevokedInfo ::= SEQUENCE {
167 * revocationTime GeneralizedTime,
168 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
169 */
170 struct ocsp_revoked_info_st {
171 ASN1_GENERALIZEDTIME *revocationTime;
172 ASN1_ENUMERATED *revocationReason;
173 };
174
175 /*- CertStatus ::= CHOICE {
176 * good [0] IMPLICIT NULL,
177 * revoked [1] IMPLICIT RevokedInfo,
178 * unknown [2] IMPLICIT UnknownInfo }
179 */
180 struct ocsp_cert_status_st {
181 int type;
182 union {
183 ASN1_NULL *good;
184 OCSP_REVOKEDINFO *revoked;
185 ASN1_NULL *unknown;
186 } value;
187 };
188
189 /*- SingleResponse ::= SEQUENCE {
190 * certID CertID,
191 * certStatus CertStatus,
192 * thisUpdate GeneralizedTime,
193 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
194 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
195 */
196 struct ocsp_single_response_st {
197 OCSP_CERTID *certId;
198 OCSP_CERTSTATUS *certStatus;
199 ASN1_GENERALIZEDTIME *thisUpdate;
200 ASN1_GENERALIZEDTIME *nextUpdate;
201 STACK_OF(X509_EXTENSION) *singleExtensions;
202 };
203
204 /*- ResponseData ::= SEQUENCE {
205 * version [0] EXPLICIT Version DEFAULT v1,
206 * responderID ResponderID,
207 * producedAt GeneralizedTime,
208 * responses SEQUENCE OF SingleResponse,
209 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
210 */
211 struct ocsp_response_data_st {
212 ASN1_INTEGER *version;
213 OCSP_RESPID responderId;
214 ASN1_GENERALIZEDTIME *producedAt;
215 STACK_OF(OCSP_SINGLERESP) *responses;
216 STACK_OF(X509_EXTENSION) *responseExtensions;
217 };
218
219 /*- BasicOCSPResponse ::= SEQUENCE {
220 * tbsResponseData ResponseData,
221 * signatureAlgorithm AlgorithmIdentifier,
222 * signature BIT STRING,
223 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
224 */
225 /*
226 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
227 * follows: "The value for the signature SHALL be computed on the hash of
228 * the DER encoding ResponseData." This means that you must hash the
229 * DER-encoded tbsResponseData, and then run it through a crypto-signing
230 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
231 * operation. This seems a bit odd, but that's the spec. Also note that
232 * the data structures do not leave anywhere to independently specify the
233 * algorithm used for the initial hash. So, we look at the
234 * signature-specification algorithm, and try to do something intelligent.
235 * -- Kathy Weinhold, CertCo
236 */
237 /*
238 * Note 2: It seems that the mentioned passage from RFC 2560 (section
239 * 4.2.1) is open for interpretation. I've done tests against another
240 * responder, and found that it doesn't do the double hashing that the RFC
241 * seems to say one should. Therefore, all relevant functions take a flag
242 * saying which variant should be used. -- Richard Levitte, OpenSSL team
243 * and CeloCom
244 */
245 struct ocsp_basic_response_st {
246 OCSP_RESPDATA tbsResponseData;
247 X509_ALGOR signatureAlgorithm;
248 ASN1_BIT_STRING *signature;
249 STACK_OF(X509) *certs;
250 };
251
252 /*-
253 * CrlID ::= SEQUENCE {
254 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
255 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
256 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
257 */
258 struct ocsp_crl_id_st {
259 ASN1_IA5STRING *crlUrl;
260 ASN1_INTEGER *crlNum;
261 ASN1_GENERALIZEDTIME *crlTime;
262 };
263
264 /*-
265 * ServiceLocator ::= SEQUENCE {
266 * issuer Name,
267 * locator AuthorityInfoAccessSyntax OPTIONAL }
268 */
269 struct ocsp_service_locator_st {
270 X509_NAME *issuer;
271 STACK_OF(ACCESS_DESCRIPTION) *locator;
272 };
A mirror of the official openssl repository