]>
Commit | Line | Data |
---|---|---|
8869ad4a AK |
1 | /* |
2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * Copyright Nokia 2007-2019 | |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | * | |
11 | * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. | |
12 | */ | |
13 | ||
14 | #ifndef OSSL_HEADER_CMP_INT_H | |
15 | # define OSSL_HEADER_CMP_INT_H | |
16 | ||
17 | # include "internal/cryptlib.h" | |
18 | ||
19 | # include <openssl/cmp.h> | |
20 | # include <openssl/err.h> | |
21 | ||
22 | /* explicit #includes not strictly needed since implied by the above: */ | |
23 | # include <openssl/crmf.h> | |
24 | # include <openssl/ossl_typ.h> | |
25 | # include <openssl/safestack.h> | |
26 | # include <openssl/x509.h> | |
27 | # include <openssl/x509v3.h> | |
28 | ||
29 | /* | |
30 | * ########################################################################## | |
31 | * ASN.1 DECLARATIONS | |
32 | * ########################################################################## | |
33 | */ | |
34 | ||
35 | /*- | |
36 | * RevAnnContent ::= SEQUENCE { | |
37 | * status PKIStatus, | |
38 | * certId CertId, | |
39 | * willBeRevokedAt GeneralizedTime, | |
40 | * badSinceDate GeneralizedTime, | |
41 | * crlDetails Extensions OPTIONAL | |
42 | * -- extra CRL details (e.g., crl number, reason, location, etc.) | |
43 | * } | |
44 | */ | |
45 | typedef struct OSSL_cmp_revanncontent_st { | |
46 | ASN1_INTEGER *status; | |
47 | OSSL_CRMF_CERTID *certId; | |
48 | ASN1_GENERALIZEDTIME *willBeRevokedAt; | |
49 | ASN1_GENERALIZEDTIME *badSinceDate; | |
50 | X509_EXTENSIONS *crlDetails; | |
51 | } OSSL_CMP_REVANNCONTENT; | |
52 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) | |
53 | ||
54 | /*- | |
55 | * Challenge ::= SEQUENCE { | |
56 | * owf AlgorithmIdentifier OPTIONAL, | |
57 | * | |
58 | * -- MUST be present in the first Challenge; MAY be omitted in | |
59 | * -- any subsequent Challenge in POPODecKeyChallContent (if | |
60 | * -- omitted, then the owf used in the immediately preceding | |
61 | * -- Challenge is to be used). | |
62 | * | |
63 | * witness OCTET STRING, | |
64 | * -- the result of applying the one-way function (owf) to a | |
65 | * -- randomly-generated INTEGER, A. [Note that a different | |
66 | * -- INTEGER MUST be used for each Challenge.] | |
67 | * challenge OCTET STRING | |
68 | * -- the encryption (under the public key for which the cert. | |
69 | * -- request is being made) of Rand, where Rand is specified as | |
70 | * -- Rand ::= SEQUENCE { | |
71 | * -- int INTEGER, | |
72 | * -- - the randomly-generated INTEGER A (above) | |
73 | * -- sender GeneralName | |
74 | * -- - the sender's name (as included in PKIHeader) | |
75 | * -- } | |
76 | * } | |
77 | */ | |
78 | typedef struct OSSL_cmp_challenge_st { | |
79 | X509_ALGOR *owf; | |
80 | ASN1_OCTET_STRING *witness; | |
81 | ASN1_OCTET_STRING *challenge; | |
82 | } OSSL_CMP_CHALLENGE; | |
83 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) | |
84 | ||
85 | /*- | |
86 | * CAKeyUpdAnnContent ::= SEQUENCE { | |
87 | * oldWithNew Certificate, | |
88 | * newWithOld Certificate, | |
89 | * newWithNew Certificate | |
90 | * } | |
91 | */ | |
92 | typedef struct OSSL_cmp_cakeyupdanncontent_st { | |
93 | X509 *oldWithNew; | |
94 | X509 *newWithOld; | |
95 | X509 *newWithNew; | |
96 | } OSSL_CMP_CAKEYUPDANNCONTENT; | |
97 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) | |
98 | ||
99 | /*- | |
100 | * declared already here as it will be used in OSSL_CMP_MSG (nested) and | |
101 | * infoType and infoValue | |
102 | */ | |
103 | typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; | |
104 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) | |
105 | ||
106 | /*- | |
107 | * InfoTypeAndValue ::= SEQUENCE { | |
108 | * infoType OBJECT IDENTIFIER, | |
109 | * infoValue ANY DEFINED BY infoType OPTIONAL | |
110 | * } | |
111 | */ | |
112 | struct OSSL_cmp_itav_st { | |
113 | ASN1_OBJECT *infoType; | |
114 | union { | |
115 | char *ptr; | |
116 | /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ | |
117 | X509 *caProtEncCert; | |
118 | /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ | |
119 | STACK_OF(X509_ALGOR) *signKeyPairTypes; | |
120 | /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ | |
121 | STACK_OF(X509_ALGOR) *encKeyPairTypes; | |
122 | /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ | |
123 | X509_ALGOR *preferredSymmAlg; | |
124 | /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ | |
125 | OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; | |
126 | /* NID_id_it_currentCRL - CRL */ | |
127 | X509_CRL *currentCRL; | |
128 | /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ | |
129 | STACK_OF(ASN1_OBJECT) *unsupportedOIDs; | |
130 | /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ | |
131 | ASN1_OBJECT *keyPairParamReq; | |
132 | /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ | |
133 | X509_ALGOR *keyPairParamRep; | |
134 | /* NID_id_it_revPassphrase - Revocation Passphrase */ | |
135 | OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; | |
136 | /* NID_id_it_implicitConfirm - ImplicitConfirm */ | |
137 | ASN1_NULL *implicitConfirm; | |
138 | /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ | |
139 | ASN1_GENERALIZEDTIME *confirmWaitTime; | |
140 | /* NID_id_it_origPKIMessage - origPKIMessage */ | |
141 | OSSL_CMP_MSGS *origPKIMessage; | |
142 | /* NID_id_it_suppLangTags - Supported Language Tags */ | |
143 | STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; | |
144 | /* this is to be used for so far undeclared objects */ | |
145 | ASN1_TYPE *other; | |
146 | } infoValue; | |
147 | } /* OSSL_CMP_ITAV */; | |
148 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) | |
149 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) | |
150 | ||
151 | ||
152 | typedef struct OSSL_cmp_certorenccert_st { | |
153 | int type; | |
154 | union { | |
155 | X509 *certificate; | |
156 | OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; | |
157 | } value; | |
158 | } OSSL_CMP_CERTORENCCERT; | |
159 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) | |
160 | ||
161 | /*- | |
162 | * CertifiedKeyPair ::= SEQUENCE { | |
163 | * certOrEncCert CertOrEncCert, | |
164 | * privateKey [0] EncryptedValue OPTIONAL, | |
165 | * -- see [CRMF] for comment on encoding | |
166 | * publicationInfo [1] PKIPublicationInfo OPTIONAL | |
167 | * } | |
168 | */ | |
169 | typedef struct OSSL_cmp_certifiedkeypair_st { | |
170 | OSSL_CMP_CERTORENCCERT *certOrEncCert; | |
171 | OSSL_CRMF_ENCRYPTEDVALUE *privateKey; | |
172 | OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; | |
173 | } OSSL_CMP_CERTIFIEDKEYPAIR; | |
174 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) | |
175 | ||
176 | /*- | |
177 | * PKIStatusInfo ::= SEQUENCE { | |
178 | * status PKIStatus, | |
179 | * statusString PKIFreeText OPTIONAL, | |
180 | * failInfo PKIFailureInfo OPTIONAL | |
181 | * } | |
182 | */ | |
183 | struct OSSL_cmp_pkisi_st { | |
184 | OSSL_CMP_PKISTATUS *status; | |
185 | OSSL_CMP_PKIFREETEXT *statusString; | |
186 | OSSL_CMP_PKIFAILUREINFO *failInfo; | |
187 | } /* OSSL_CMP_PKISI */; | |
188 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI) | |
189 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) | |
190 | ||
191 | /*- | |
192 | * RevReqContent ::= SEQUENCE OF RevDetails | |
193 | * | |
194 | * RevDetails ::= SEQUENCE { | |
195 | * certDetails CertTemplate, | |
196 | * crlEntryDetails Extensions OPTIONAL | |
197 | * } | |
198 | */ | |
199 | typedef struct OSSL_cmp_revdetails_st { | |
200 | OSSL_CRMF_CERTTEMPLATE *certDetails; | |
201 | X509_EXTENSIONS *crlEntryDetails; | |
202 | } OSSL_CMP_REVDETAILS; | |
203 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) | |
204 | DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) | |
205 | ||
206 | /*- | |
207 | * RevRepContent ::= SEQUENCE { | |
208 | * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, | |
209 | * -- in same order as was sent in RevReqContent | |
210 | * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId | |
211 | * OPTIONAL, | |
212 | * -- IDs for which revocation was requested | |
213 | * -- (same order as status) | |
214 | * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList | |
215 | * OPTIONAL | |
216 | * -- the resulting CRLs (there may be more than one) | |
217 | * } | |
218 | */ | |
219 | struct OSSL_cmp_revrepcontent_st { | |
220 | STACK_OF(OSSL_CMP_PKISI) *status; | |
221 | STACK_OF(OSSL_CRMF_CERTID) *revCerts; | |
222 | STACK_OF(X509_CRL) *crls; | |
223 | } /* OSSL_CMP_REVREPCONTENT */; | |
224 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) | |
225 | ||
226 | /*- | |
227 | * KeyRecRepContent ::= SEQUENCE { | |
228 | * status PKIStatusInfo, | |
229 | * newSigCert [0] Certificate OPTIONAL, | |
230 | * caCerts [1] SEQUENCE SIZE (1..MAX) OF | |
231 | * Certificate OPTIONAL, | |
232 | * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF | |
233 | * CertifiedKeyPair OPTIONAL | |
234 | * } | |
235 | */ | |
236 | typedef struct OSSL_cmp_keyrecrepcontent_st { | |
237 | OSSL_CMP_PKISI *status; | |
238 | X509 *newSigCert; | |
239 | STACK_OF(X509) *caCerts; | |
240 | STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; | |
241 | } OSSL_CMP_KEYRECREPCONTENT; | |
242 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) | |
243 | ||
244 | /*- | |
245 | * ErrorMsgContent ::= SEQUENCE { | |
246 | * pKIStatusInfo PKIStatusInfo, | |
247 | * errorCode INTEGER OPTIONAL, | |
248 | * -- implementation-specific error codes | |
249 | * errorDetails PKIFreeText OPTIONAL | |
250 | * -- implementation-specific error details | |
251 | * } | |
252 | */ | |
253 | typedef struct OSSL_cmp_errormsgcontent_st { | |
254 | OSSL_CMP_PKISI *pKIStatusInfo; | |
255 | ASN1_INTEGER *errorCode; | |
256 | OSSL_CMP_PKIFREETEXT *errorDetails; | |
257 | } OSSL_CMP_ERRORMSGCONTENT; | |
258 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) | |
259 | ||
260 | /*- | |
261 | * CertConfirmContent ::= SEQUENCE OF CertStatus | |
262 | * | |
263 | * CertStatus ::= SEQUENCE { | |
264 | * certHash OCTET STRING, | |
265 | * -- the hash of the certificate, using the same hash algorithm | |
266 | * -- as is used to create and verify the certificate signature | |
267 | * certReqId INTEGER, | |
268 | * -- to match this confirmation with the corresponding req/rep | |
269 | * statusInfo PKIStatusInfo OPTIONAL | |
270 | * } | |
271 | */ | |
272 | struct OSSL_cmp_certstatus_st { | |
273 | ASN1_OCTET_STRING *certHash; | |
274 | ASN1_INTEGER *certReqId; | |
275 | OSSL_CMP_PKISI *statusInfo; | |
276 | } /* OSSL_CMP_CERTSTATUS */; | |
277 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) | |
278 | ||
279 | typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; | |
280 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) | |
281 | ||
282 | /*- | |
283 | * CertResponse ::= SEQUENCE { | |
284 | * certReqId INTEGER, | |
285 | * -- to match this response with corresponding request (a value | |
286 | * -- of -1 is to be used if certReqId is not specified in the | |
287 | * -- corresponding request) | |
288 | * status PKIStatusInfo, | |
289 | * certifiedKeyPair CertifiedKeyPair OPTIONAL, | |
290 | * rspInfo OCTET STRING OPTIONAL | |
291 | * -- analogous to the id-regInfo-utf8Pairs string defined | |
292 | * -- for regInfo in CertReqMsg [CRMF] | |
293 | * } | |
294 | */ | |
295 | struct OSSL_cmp_certresponse_st { | |
296 | ASN1_INTEGER *certReqId; | |
297 | OSSL_CMP_PKISI *status; | |
298 | OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; | |
299 | ASN1_OCTET_STRING *rspInfo; | |
300 | } /* OSSL_CMP_CERTRESPONSE */; | |
301 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) | |
302 | ||
303 | /*- | |
304 | * CertRepMessage ::= SEQUENCE { | |
305 | * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate | |
306 | * OPTIONAL, | |
307 | * response SEQUENCE OF CertResponse | |
308 | * } | |
309 | */ | |
310 | struct OSSL_cmp_certrepmessage_st { | |
311 | STACK_OF(X509) *caPubs; | |
312 | STACK_OF(OSSL_CMP_CERTRESPONSE) *response; | |
313 | } /* OSSL_CMP_CERTREPMESSAGE */; | |
314 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) | |
315 | ||
316 | /*- | |
317 | * PollReqContent ::= SEQUENCE OF SEQUENCE { | |
318 | * certReqId INTEGER | |
319 | * } | |
320 | */ | |
321 | typedef struct OSSL_cmp_pollreq_st { | |
322 | ASN1_INTEGER *certReqId; | |
323 | } OSSL_CMP_POLLREQ; | |
324 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) | |
325 | DEFINE_STACK_OF(OSSL_CMP_POLLREQ) | |
326 | typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT; | |
327 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) | |
328 | ||
329 | /*- | |
330 | * PollRepContent ::= SEQUENCE OF SEQUENCE { | |
331 | * certReqId INTEGER, | |
332 | * checkAfter INTEGER, -- time in seconds | |
333 | * reason PKIFreeText OPTIONAL | |
334 | * } | |
335 | */ | |
336 | struct OSSL_cmp_pollrep_st { | |
337 | ASN1_INTEGER *certReqId; | |
338 | ASN1_INTEGER *checkAfter; | |
339 | OSSL_CMP_PKIFREETEXT *reason; | |
340 | } /* OSSL_CMP_POLLREP */; | |
341 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) | |
342 | DEFINE_STACK_OF(OSSL_CMP_POLLREP) | |
343 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) | |
344 | ||
345 | /*- | |
346 | * PKIHeader ::= SEQUENCE { | |
347 | * pvno INTEGER { cmp1999(1), cmp2000(2) }, | |
348 | * sender GeneralName, | |
349 | * -- identifies the sender | |
350 | * recipient GeneralName, | |
351 | * -- identifies the intended recipient | |
352 | * messageTime [0] GeneralizedTime OPTIONAL, | |
353 | * -- time of production of this message (used when sender | |
354 | * -- believes that the transport will be "suitable"; i.e., | |
355 | * -- that the time will still be meaningful upon receipt) | |
356 | * protectionAlg [1] AlgorithmIdentifier OPTIONAL, | |
357 | * -- algorithm used for calculation of protection bits | |
358 | * senderKID [2] KeyIdentifier OPTIONAL, | |
359 | * recipKID [3] KeyIdentifier OPTIONAL, | |
360 | * -- to identify specific keys used for protection | |
361 | * transactionID [4] OCTET STRING OPTIONAL, | |
362 | * -- identifies the transaction; i.e., this will be the same in | |
363 | * -- corresponding request, response, certConf, and PKIConf | |
364 | * -- messages | |
365 | * senderNonce [5] OCTET STRING OPTIONAL, | |
366 | * recipNonce [6] OCTET STRING OPTIONAL, | |
367 | * -- nonces used to provide replay protection, senderNonce | |
368 | * -- is inserted by the creator of this message; recipNonce | |
369 | * -- is a nonce previously inserted in a related message by | |
370 | * -- the intended recipient of this message | |
371 | * freeText [7] PKIFreeText OPTIONAL, | |
372 | * -- this may be used to indicate context-specific instructions | |
373 | * -- (this field is intended for human consumption) | |
374 | * generalInfo [8] SEQUENCE SIZE (1..MAX) OF | |
375 | * InfoTypeAndValue OPTIONAL | |
376 | * -- this may be used to convey context-specific information | |
377 | * -- (this field not primarily intended for human consumption) | |
378 | * } | |
379 | */ | |
380 | struct OSSL_cmp_pkiheader_st { | |
381 | ASN1_INTEGER *pvno; | |
382 | GENERAL_NAME *sender; | |
383 | GENERAL_NAME *recipient; | |
384 | ASN1_GENERALIZEDTIME *messageTime; /* 0 */ | |
385 | X509_ALGOR *protectionAlg; /* 1 */ | |
386 | ASN1_OCTET_STRING *senderKID; /* 2 */ | |
387 | ASN1_OCTET_STRING *recipKID; /* 3 */ | |
388 | ASN1_OCTET_STRING *transactionID; /* 4 */ | |
389 | ASN1_OCTET_STRING *senderNonce; /* 5 */ | |
390 | ASN1_OCTET_STRING *recipNonce; /* 6 */ | |
391 | OSSL_CMP_PKIFREETEXT *freeText; /* 7 */ | |
392 | STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */ | |
393 | } /* OSSL_CMP_PKIHEADER */; | |
394 | ||
395 | typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; | |
396 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT) | |
397 | typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; | |
398 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT) | |
399 | typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; | |
400 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT) | |
401 | typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; | |
402 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT) | |
403 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; | |
404 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT) | |
405 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; | |
406 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) | |
407 | ||
408 | /*- | |
409 | * PKIBody ::= CHOICE { -- message-specific body elements | |
410 | * ir [0] CertReqMessages, --Initialization Request | |
411 | * ip [1] CertRepMessage, --Initialization Response | |
412 | * cr [2] CertReqMessages, --Certification Request | |
413 | * cp [3] CertRepMessage, --Certification Response | |
414 | * p10cr [4] CertificationRequest, --imported from [PKCS10] | |
415 | * popdecc [5] POPODecKeyChallContent, --pop Challenge | |
416 | * popdecr [6] POPODecKeyRespContent, --pop Response | |
417 | * kur [7] CertReqMessages, --Key Update Request | |
418 | * kup [8] CertRepMessage, --Key Update Response | |
419 | * krr [9] CertReqMessages, --Key Recovery Request | |
420 | * krp [10] KeyRecRepContent, --Key Recovery Response | |
421 | * rr [11] RevReqContent, --Revocation Request | |
422 | * rp [12] RevRepContent, --Revocation Response | |
423 | * ccr [13] CertReqMessages, --Cross-Cert. Request | |
424 | * ccp [14] CertRepMessage, --Cross-Cert. Response | |
425 | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. | |
426 | * cann [16] CertAnnContent, --Certificate Ann. | |
427 | * rann [17] RevAnnContent, --Revocation Ann. | |
428 | * crlann [18] CRLAnnContent, --CRL Announcement | |
429 | * pkiconf [19] PKIConfirmContent, --Confirmation | |
430 | * nested [20] NestedMessageContent, --Nested Message | |
431 | * genm [21] GenMsgContent, --General Message | |
432 | * genp [22] GenRepContent, --General Response | |
433 | * error [23] ErrorMsgContent, --Error Message | |
434 | * certConf [24] CertConfirmContent, --Certificate confirm | |
435 | * pollReq [25] PollReqContent, --Polling request | |
436 | * pollRep [26] PollRepContent --Polling response | |
437 | */ | |
438 | typedef struct OSSL_cmp_pkibody_st { | |
439 | int type; | |
440 | union { | |
441 | OSSL_CRMF_MSGS *ir; /* 0 */ | |
442 | OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */ | |
443 | OSSL_CRMF_MSGS *cr; /* 2 */ | |
444 | OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */ | |
445 | /* p10cr [4] CertificationRequest, --imported from [PKCS10] */ | |
446 | /* | |
447 | * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ | |
448 | * so it is used directly | |
449 | */ | |
450 | X509_REQ *p10cr; /* 4 */ | |
451 | /* popdecc [5] POPODecKeyChallContent, --pop Challenge */ | |
452 | /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */ | |
453 | OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */ | |
454 | /* popdecr [6] POPODecKeyRespContent, --pop Response */ | |
455 | /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */ | |
456 | OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */ | |
457 | OSSL_CRMF_MSGS *kur; /* 7 */ | |
458 | OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */ | |
459 | OSSL_CRMF_MSGS *krr; /* 9 */ | |
460 | ||
461 | /* krp [10] KeyRecRepContent, --Key Recovery Response */ | |
462 | OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */ | |
463 | /* rr [11] RevReqContent, --Revocation Request */ | |
464 | OSSL_CMP_REVREQCONTENT *rr; /* 11 */ | |
465 | /* rp [12] RevRepContent, --Revocation Response */ | |
466 | OSSL_CMP_REVREPCONTENT *rp; /* 12 */ | |
467 | /* ccr [13] CertReqMessages, --Cross-Cert. Request */ | |
468 | OSSL_CRMF_MSGS *ccr; /* 13 */ | |
469 | /* ccp [14] CertRepMessage, --Cross-Cert. Response */ | |
470 | OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */ | |
471 | /* ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. */ | |
472 | OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */ | |
473 | /* cann [16] CertAnnContent, --Certificate Ann. */ | |
474 | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ | |
475 | X509 *cann; /* 16 */ | |
476 | /* rann [17] RevAnnContent, --Revocation Ann. */ | |
477 | OSSL_CMP_REVANNCONTENT *rann; /* 17 */ | |
478 | /* crlann [18] CRLAnnContent, --CRL Announcement */ | |
479 | /* CRLAnnContent ::= SEQUENCE OF CertificateList */ | |
480 | OSSL_CMP_CRLANNCONTENT *crlann; | |
481 | /* PKIConfirmContent ::= NULL */ | |
482 | /* pkiconf [19] PKIConfirmContent, --Confirmation */ | |
483 | /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */ | |
484 | /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */ | |
485 | /* | |
486 | * NOTE: this should ASN1_NULL according to the RFC | |
487 | * but there might be a struct in it when sent from faulty servers... | |
488 | */ | |
489 | ASN1_TYPE *pkiconf; /* 19 */ | |
490 | /* nested [20] NestedMessageContent, --Nested Message */ | |
491 | /* NestedMessageContent ::= PKIMessages */ | |
492 | OSSL_CMP_MSGS *nested; /* 20 */ | |
493 | /* genm [21] GenMsgContent, --General Message */ | |
494 | /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */ | |
495 | OSSL_CMP_GENMSGCONTENT *genm; /* 21 */ | |
496 | /* genp [22] GenRepContent, --General Response */ | |
497 | /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */ | |
498 | OSSL_CMP_GENREPCONTENT *genp; /* 22 */ | |
499 | /* error [23] ErrorMsgContent, --Error Message */ | |
500 | OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */ | |
501 | /* certConf [24] CertConfirmContent, --Certificate confirm */ | |
502 | OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */ | |
503 | /* pollReq [25] PollReqContent, --Polling request */ | |
504 | OSSL_CMP_POLLREQCONTENT *pollReq; | |
505 | /* pollRep [26] PollRepContent --Polling response */ | |
506 | OSSL_CMP_POLLREPCONTENT *pollRep; | |
507 | } value; | |
508 | } OSSL_CMP_PKIBODY; | |
509 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) | |
510 | ||
511 | /*- | |
512 | * PKIProtection ::= BIT STRING | |
513 | * | |
514 | * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage | |
515 | * | |
516 | * PKIMessage ::= SEQUENCE { | |
517 | * header PKIHeader, | |
518 | * body PKIBody, | |
519 | * protection [0] PKIProtection OPTIONAL, | |
520 | * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate | |
521 | * OPTIONAL | |
522 | * } | |
523 | */ | |
524 | struct OSSL_cmp_msg_st { | |
525 | OSSL_CMP_PKIHEADER *header; | |
526 | OSSL_CMP_PKIBODY *body; | |
527 | ASN1_BIT_STRING *protection; /* 0 */ | |
528 | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ | |
529 | STACK_OF(X509) *extraCerts; /* 1 */ | |
530 | } /* OSSL_CMP_MSG */; | |
531 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG) | |
532 | ||
533 | /*- | |
534 | * ProtectedPart ::= SEQUENCE { | |
535 | * header PKIHeader, | |
536 | * body PKIBody | |
537 | * } | |
538 | */ | |
539 | typedef struct cmp_protectedpart_st { | |
540 | OSSL_CMP_PKIHEADER *header; | |
541 | OSSL_CMP_PKIBODY *body; | |
542 | } CMP_PROTECTEDPART; | |
543 | DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART) | |
544 | ||
545 | /*- | |
546 | * this is not defined here as it is already in CRMF: | |
547 | * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} | |
548 | * PBMParameter ::= SEQUENCE { | |
549 | * salt OCTET STRING, | |
550 | * -- note: implementations MAY wish to limit acceptable sizes | |
551 | * -- of this string to values appropriate for their environment | |
552 | * -- in order to reduce the risk of denial-of-service attacks | |
553 | * owf AlgorithmIdentifier, | |
554 | * -- AlgId for a One-Way Function (SHA-1 recommended) | |
555 | * iterationCount INTEGER, | |
556 | * -- number of times the OWF is applied | |
557 | * -- note: implementations MAY wish to limit acceptable sizes | |
558 | * -- of this integer to values appropriate for their environment | |
559 | * -- in order to reduce the risk of denial-of-service attacks | |
560 | * mac AlgorithmIdentifier | |
561 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], | |
562 | * } -- or HMAC [RFC2104, RFC2202]) | |
563 | */ | |
564 | /*- | |
565 | * TODO: this is not yet defined here - but DH is anyway not used yet | |
566 | * | |
567 | * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} | |
568 | * DHBMParameter ::= SEQUENCE { | |
569 | * owf AlgorithmIdentifier, | |
570 | * -- AlgId for a One-Way Function (SHA-1 recommended) | |
571 | * mac AlgorithmIdentifier | |
572 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], | |
573 | * } -- or HMAC [RFC2104, RFC2202]) | |
574 | */ | |
575 | /*- | |
576 | * The following is not cared for, because it is described in section 5.2.5 | |
577 | * that this is beyond the scope of CMP | |
578 | * OOBCert ::= CMPCertificate | |
579 | * | |
580 | * OOBCertHash ::= SEQUENCE { | |
581 | * hashAlg [0] AlgorithmIdentifier OPTIONAL, | |
582 | * certId [1] CertId OPTIONAL, | |
583 | * hashVal BIT STRING | |
584 | * -- hashVal is calculated over the DER encoding of the | |
585 | * -- self-signed certificate with the identifier certID. | |
586 | * } | |
587 | */ | |
588 | ||
589 | #endif /* !defined OSSL_HEADER_CMP_INT_H */ |