]>
Commit | Line | Data |
---|---|---|
6ef869d7 DSH |
1 | /* ocsp_lcl.h */ |
2 | /* | |
3 | * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL | |
4 | * project. | |
5 | */ | |
6 | ||
7 | /* | |
8 | * History: This file was transfered to Richard Levitte from CertCo by Kathy | |
9 | * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a | |
10 | * patch kit. | |
11 | */ | |
12 | ||
13 | /* ==================================================================== | |
14 | * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. | |
15 | * | |
16 | * Redistribution and use in source and binary forms, with or without | |
17 | * modification, are permitted provided that the following conditions | |
18 | * are met: | |
19 | * | |
20 | * 1. Redistributions of source code must retain the above copyright | |
21 | * notice, this list of conditions and the following disclaimer. | |
22 | * | |
23 | * 2. Redistributions in binary form must reproduce the above copyright | |
24 | * notice, this list of conditions and the following disclaimer in | |
25 | * the documentation and/or other materials provided with the | |
26 | * distribution. | |
27 | * | |
28 | * 3. All advertising materials mentioning features or use of this | |
29 | * software must display the following acknowledgment: | |
30 | * "This product includes software developed by the OpenSSL Project | |
31 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
32 | * | |
33 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
34 | * endorse or promote products derived from this software without | |
35 | * prior written permission. For written permission, please contact | |
36 | * openssl-core@openssl.org. | |
37 | * | |
38 | * 5. Products derived from this software may not be called "OpenSSL" | |
39 | * nor may "OpenSSL" appear in their names without prior written | |
40 | * permission of the OpenSSL Project. | |
41 | * | |
42 | * 6. Redistributions of any form whatsoever must retain the following | |
43 | * acknowledgment: | |
44 | * "This product includes software developed by the OpenSSL Project | |
45 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
46 | * | |
47 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
48 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
49 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
50 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
51 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
52 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
53 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
54 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
55 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
56 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
57 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
58 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
59 | * ==================================================================== | |
60 | * | |
61 | * This product includes cryptographic software written by Eric Young | |
62 | * (eay@cryptsoft.com). This product includes software written by Tim | |
63 | * Hudson (tjh@cryptsoft.com). | |
64 | * | |
65 | */ | |
66 | ||
67 | /*- CertID ::= SEQUENCE { | |
68 | * hashAlgorithm AlgorithmIdentifier, | |
69 | * issuerNameHash OCTET STRING, -- Hash of Issuer's DN | |
70 | * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) | |
71 | * serialNumber CertificateSerialNumber } | |
72 | */ | |
73 | struct ocsp_cert_id_st { | |
74 | X509_ALGOR *hashAlgorithm; | |
75 | ASN1_OCTET_STRING *issuerNameHash; | |
76 | ASN1_OCTET_STRING *issuerKeyHash; | |
77 | ASN1_INTEGER *serialNumber; | |
78 | }; | |
79 | ||
80 | /*- Request ::= SEQUENCE { | |
81 | * reqCert CertID, | |
82 | * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | |
83 | */ | |
84 | struct ocsp_one_request_st { | |
85 | OCSP_CERTID *reqCert; | |
86 | STACK_OF(X509_EXTENSION) *singleRequestExtensions; | |
87 | }; | |
88 | ||
89 | /*- TBSRequest ::= SEQUENCE { | |
90 | * version [0] EXPLICIT Version DEFAULT v1, | |
91 | * requestorName [1] EXPLICIT GeneralName OPTIONAL, | |
92 | * requestList SEQUENCE OF Request, | |
93 | * requestExtensions [2] EXPLICIT Extensions OPTIONAL } | |
94 | */ | |
95 | struct ocsp_req_info_st { | |
96 | ASN1_INTEGER *version; | |
97 | GENERAL_NAME *requestorName; | |
98 | STACK_OF(OCSP_ONEREQ) *requestList; | |
99 | STACK_OF(X509_EXTENSION) *requestExtensions; | |
100 | }; | |
101 | ||
102 | /*- Signature ::= SEQUENCE { | |
103 | * signatureAlgorithm AlgorithmIdentifier, | |
104 | * signature BIT STRING, | |
105 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
106 | */ | |
107 | struct ocsp_signature_st { | |
108 | X509_ALGOR *signatureAlgorithm; | |
109 | ASN1_BIT_STRING *signature; | |
110 | STACK_OF(X509) *certs; | |
111 | }; | |
112 | ||
113 | /*- OCSPRequest ::= SEQUENCE { | |
114 | * tbsRequest TBSRequest, | |
115 | * optionalSignature [0] EXPLICIT Signature OPTIONAL } | |
116 | */ | |
117 | struct ocsp_request_st { | |
118 | OCSP_REQINFO *tbsRequest; | |
119 | OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ | |
120 | }; | |
121 | ||
122 | /*- OCSPResponseStatus ::= ENUMERATED { | |
123 | * successful (0), --Response has valid confirmations | |
124 | * malformedRequest (1), --Illegal confirmation request | |
125 | * internalError (2), --Internal error in issuer | |
126 | * tryLater (3), --Try again later | |
127 | * --(4) is not used | |
128 | * sigRequired (5), --Must sign the request | |
129 | * unauthorized (6) --Request unauthorized | |
130 | * } | |
131 | */ | |
132 | ||
133 | /*- ResponseBytes ::= SEQUENCE { | |
134 | * responseType OBJECT IDENTIFIER, | |
135 | * response OCTET STRING } | |
136 | */ | |
137 | struct ocsp_resp_bytes_st { | |
138 | ASN1_OBJECT *responseType; | |
139 | ASN1_OCTET_STRING *response; | |
140 | }; | |
141 | ||
142 | /*- OCSPResponse ::= SEQUENCE { | |
143 | * responseStatus OCSPResponseStatus, | |
144 | * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |
145 | */ | |
146 | struct ocsp_response_st { | |
147 | ASN1_ENUMERATED *responseStatus; | |
148 | OCSP_RESPBYTES *responseBytes; | |
149 | }; | |
150 | ||
151 | /*- ResponderID ::= CHOICE { | |
152 | * byName [1] Name, | |
153 | * byKey [2] KeyHash } | |
154 | */ | |
155 | struct ocsp_responder_id_st { | |
156 | int type; | |
157 | union { | |
158 | X509_NAME *byName; | |
159 | ASN1_OCTET_STRING *byKey; | |
160 | } value; | |
161 | }; | |
162 | ||
163 | /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key | |
164 | * --(excluding the tag and length fields) | |
165 | */ | |
166 | ||
167 | /*- RevokedInfo ::= SEQUENCE { | |
168 | * revocationTime GeneralizedTime, | |
169 | * revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |
170 | */ | |
171 | struct ocsp_revoked_info_st { | |
172 | ASN1_GENERALIZEDTIME *revocationTime; | |
173 | ASN1_ENUMERATED *revocationReason; | |
174 | }; | |
175 | ||
176 | /*- CertStatus ::= CHOICE { | |
177 | * good [0] IMPLICIT NULL, | |
178 | * revoked [1] IMPLICIT RevokedInfo, | |
179 | * unknown [2] IMPLICIT UnknownInfo } | |
180 | */ | |
181 | struct ocsp_cert_status_st { | |
182 | int type; | |
183 | union { | |
184 | ASN1_NULL *good; | |
185 | OCSP_REVOKEDINFO *revoked; | |
186 | ASN1_NULL *unknown; | |
187 | } value; | |
188 | }; | |
189 | ||
190 | /*- SingleResponse ::= SEQUENCE { | |
191 | * certID CertID, | |
192 | * certStatus CertStatus, | |
193 | * thisUpdate GeneralizedTime, | |
194 | * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |
195 | * singleExtensions [1] EXPLICIT Extensions OPTIONAL } | |
196 | */ | |
197 | struct ocsp_single_response_st { | |
198 | OCSP_CERTID *certId; | |
199 | OCSP_CERTSTATUS *certStatus; | |
200 | ASN1_GENERALIZEDTIME *thisUpdate; | |
201 | ASN1_GENERALIZEDTIME *nextUpdate; | |
202 | STACK_OF(X509_EXTENSION) *singleExtensions; | |
203 | }; | |
204 | ||
205 | /*- ResponseData ::= SEQUENCE { | |
206 | * version [0] EXPLICIT Version DEFAULT v1, | |
207 | * responderID ResponderID, | |
208 | * producedAt GeneralizedTime, | |
209 | * responses SEQUENCE OF SingleResponse, | |
210 | * responseExtensions [1] EXPLICIT Extensions OPTIONAL } | |
211 | */ | |
212 | struct ocsp_response_data_st { | |
213 | ASN1_INTEGER *version; | |
214 | OCSP_RESPID *responderId; | |
215 | ASN1_GENERALIZEDTIME *producedAt; | |
216 | STACK_OF(OCSP_SINGLERESP) *responses; | |
217 | STACK_OF(X509_EXTENSION) *responseExtensions; | |
218 | }; | |
219 | ||
220 | /*- BasicOCSPResponse ::= SEQUENCE { | |
221 | * tbsResponseData ResponseData, | |
222 | * signatureAlgorithm AlgorithmIdentifier, | |
223 | * signature BIT STRING, | |
224 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
225 | */ | |
226 | /* | |
227 | * Note 1: The value for "signature" is specified in the OCSP rfc2560 as | |
228 | * follows: "The value for the signature SHALL be computed on the hash of | |
229 | * the DER encoding ResponseData." This means that you must hash the | |
230 | * DER-encoded tbsResponseData, and then run it through a crypto-signing | |
231 | * function, which will (at least w/RSA) do a hash-'n'-private-encrypt | |
232 | * operation. This seems a bit odd, but that's the spec. Also note that | |
233 | * the data structures do not leave anywhere to independently specify the | |
234 | * algorithm used for the initial hash. So, we look at the | |
235 | * signature-specification algorithm, and try to do something intelligent. | |
236 | * -- Kathy Weinhold, CertCo | |
237 | */ | |
238 | /* | |
239 | * Note 2: It seems that the mentioned passage from RFC 2560 (section | |
240 | * 4.2.1) is open for interpretation. I've done tests against another | |
241 | * responder, and found that it doesn't do the double hashing that the RFC | |
242 | * seems to say one should. Therefore, all relevant functions take a flag | |
243 | * saying which variant should be used. -- Richard Levitte, OpenSSL team | |
244 | * and CeloCom | |
245 | */ | |
246 | struct ocsp_basic_response_st { | |
247 | OCSP_RESPDATA *tbsResponseData; | |
248 | X509_ALGOR *signatureAlgorithm; | |
249 | ASN1_BIT_STRING *signature; | |
250 | STACK_OF(X509) *certs; | |
251 | }; | |
252 | ||
253 | /*- | |
254 | * CrlID ::= SEQUENCE { | |
255 | * crlUrl [0] EXPLICIT IA5String OPTIONAL, | |
256 | * crlNum [1] EXPLICIT INTEGER OPTIONAL, | |
257 | * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | |
258 | */ | |
259 | struct ocsp_crl_id_st { | |
260 | ASN1_IA5STRING *crlUrl; | |
261 | ASN1_INTEGER *crlNum; | |
262 | ASN1_GENERALIZEDTIME *crlTime; | |
263 | }; | |
264 | ||
265 | /*- | |
266 | * ServiceLocator ::= SEQUENCE { | |
267 | * issuer Name, | |
268 | * locator AuthorityInfoAccessSyntax OPTIONAL } | |
269 | */ | |
270 | struct ocsp_service_locator_st { | |
271 | X509_NAME *issuer; | |
272 | STACK_OF(ACCESS_DESCRIPTION) *locator; | |
273 | }; |