[thirdparty/openssl.git] / demos / asn1 / ocsp.c

/* ocsp.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>


/*- 
   Example of new ASN1 code, OCSP request

	OCSPRequest     ::=     SEQUENCE {
	    tbsRequest                  TBSRequest,
	    optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

	TBSRequest      ::=     SEQUENCE {
	    version             [0] EXPLICIT Version DEFAULT v1,
	    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
	    requestList             SEQUENCE OF Request,
	    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }

	Signature       ::=     SEQUENCE {
	    signatureAlgorithm   AlgorithmIdentifier,
	    signature            BIT STRING,
	    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

	Version  ::=  INTEGER  {  v1(0) }

	Request ::=     SEQUENCE {
	    reqCert                    CertID,
	    singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }

	CertID ::= SEQUENCE {
	    hashAlgorithm            AlgorithmIdentifier,
	    issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
	    issuerKeyHash      OCTET STRING, -- Hash of Issuers public key
	    serialNumber       CertificateSerialNumber }

	OCSPResponse ::= SEQUENCE {
	   responseStatus         OCSPResponseStatus,
	   responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

	OCSPResponseStatus ::= ENUMERATED {
	    successful            (0),      --Response has valid confirmations
	    malformedRequest      (1),      --Illegal confirmation request
	    internalError         (2),      --Internal error in issuer
	    tryLater              (3),      --Try again later
					    --(4) is not used
	    sigRequired           (5),      --Must sign the request
	    unauthorized          (6)       --Request unauthorized
	}

	ResponseBytes ::=       SEQUENCE {
	    responseType   OBJECT IDENTIFIER,
	    response       OCTET STRING }

	BasicOCSPResponse       ::= SEQUENCE {
	   tbsResponseData      ResponseData,
	   signatureAlgorithm   AlgorithmIdentifier,
	   signature            BIT STRING,
	   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

	ResponseData ::= SEQUENCE {
	   version              [0] EXPLICIT Version DEFAULT v1,
	   responderID              ResponderID,
	   producedAt               GeneralizedTime,
	   responses                SEQUENCE OF SingleResponse,
	   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }

	ResponderID ::= CHOICE {
	   byName   [1] Name,    --EXPLICIT
	   byKey    [2] KeyHash }

	KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
				 --(excluding the tag and length fields)

	SingleResponse ::= SEQUENCE {
	   certID                       CertID,
	   certStatus                   CertStatus,
	   thisUpdate                   GeneralizedTime,
	   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
	   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }

	CertStatus ::= CHOICE {
	    good                [0]     IMPLICIT NULL,
	    revoked             [1]     IMPLICIT RevokedInfo,
	    unknown             [2]     IMPLICIT UnknownInfo }

	RevokedInfo ::= SEQUENCE {
	    revocationTime              GeneralizedTime,
	    revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }

	UnknownInfo ::= NULL -- this can be replaced with an enumeration

	ArchiveCutoff ::= GeneralizedTime

	AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER

	ServiceLocator ::= SEQUENCE {
	    issuer    Name,
	    locator   AuthorityInfoAccessSyntax }

	-- Object Identifiers

	id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
	id-pkix-ocsp                 OBJECT IDENTIFIER ::= { id-ad-ocsp }
	id-pkix-ocsp-basic           OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
	id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
	id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
	id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
	id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
	id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
	id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }

*/

/* Request Structures */

DECLARE_STACK_OF(Request)

typedef struct {
	ASN1_INTEGER *version;
	GENERAL_NAME *requestorName;
	STACK_OF(Request) *requestList;
	STACK_OF(X509_EXTENSION) *requestExtensions;
} TBSRequest;

typedef struct {
	X509_ALGOR *signatureAlgorithm;
	ASN1_BIT_STRING *signature;
	STACK_OF(X509) *certs;
} Signature;

typedef struct {
	TBSRequest *tbsRequest;
	Signature *optionalSignature;
} OCSPRequest;

typedef struct {
	X509_ALGOR *hashAlgorithm;
	ASN1_OCTET_STRING *issuerNameHash;
	ASN1_OCTET_STRING *issuerKeyHash;
	ASN1_INTEGER *certificateSerialNumber;
} CertID;

typedef struct {
	CertID *reqCert;
	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
} Request;

/* Response structures */

typedef struct {
	ASN1_OBJECT *responseType;
	ASN1_OCTET_STRING *response;
} ResponseBytes;

typedef struct {
	ASN1_ENUMERATED *responseStatus;
	ResponseBytes *responseBytes;
} OCSPResponse;

typedef struct {
	int type;
	union {
	   X509_NAME *byName;
	   ASN1_OCTET_STRING *byKey;
	}d;
} ResponderID;

typedef struct {
	   ASN1_INTEGER *version;
	   ResponderID *responderID;
	   ASN1_GENERALIZEDTIME *producedAt;
	   STACK_OF(SingleResponse) *responses;
	   STACK_OF(X509_EXTENSION) *responseExtensions;
} ResponseData;

typedef struct {
	   ResponseData *tbsResponseData;
	   X509_ALGOR *signatureAlgorithm;
	   ASN1_BIT_STRING *signature;
	   STACK_OF(X509) *certs;
} BasicOCSPResponse;

typedef struct {
	ASN1_GENERALIZEDTIME *revocationTime;
	ASN1_ENUMERATED * revocationReason;
} RevokedInfo;

typedef struct {
	int type;
	union {
	    ASN1_NULL *good;
	    RevokedInfo *revoked;
	    ASN1_NULL *unknown;
	} d;
} CertStatus;

typedef struct {
	   CertID *certID;
	   CertStatus *certStatus;
	   ASN1_GENERALIZEDTIME *thisUpdate;
	   ASN1_GENERALIZEDTIME *nextUpdate;
	   STACK_OF(X509_EXTENSION) *singleExtensions;
} SingleResponse;


typedef struct {
    X509_NAME *issuer;
    STACK_OF(ACCESS_DESCRIPTION) *locator;
} ServiceLocator;


/* Now the ASN1 templates */

IMPLEMENT_COMPAT_ASN1(X509);
IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
//IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
IMPLEMENT_COMPAT_ASN1(X509_NAME);

ASN1_SEQUENCE(X509_EXTENSION) = {
	ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
	ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
	ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION);
	

ASN1_SEQUENCE(Signature) = {
	ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
	ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
	ASN1_SEQUENCE_OF(Signature, certs, X509)
} ASN1_SEQUENCE_END(Signature);

ASN1_SEQUENCE(CertID) = {
	ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
	ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
	ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
	ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
} ASN1_SEQUENCE_END(CertID);

ASN1_SEQUENCE(Request) = {
	ASN1_SIMPLE(Request, reqCert, CertID),
	ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
} ASN1_SEQUENCE_END(Request);

ASN1_SEQUENCE(TBSRequest) = {
	ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
	ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
	ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
	ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
} ASN1_SEQUENCE_END(TBSRequest);

ASN1_SEQUENCE(OCSPRequest) = {
	ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
	ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
} ASN1_SEQUENCE_END(OCSPRequest);


/* Response templates */

ASN1_SEQUENCE(ResponseBytes) = {
	    ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
	    ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(ResponseBytes);

ASN1_SEQUENCE(OCSPResponse) = {
	ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
	ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
} ASN1_SEQUENCE_END(OCSPResponse);

ASN1_CHOICE(ResponderID) = {
	   ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
	   ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
} ASN1_CHOICE_END(ResponderID);

ASN1_SEQUENCE(RevokedInfo) = {
	ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
  	ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
} ASN1_SEQUENCE_END(RevokedInfo);

ASN1_CHOICE(CertStatus) = {
	ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
	ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
	ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
} ASN1_CHOICE_END(CertStatus);

ASN1_SEQUENCE(SingleResponse) = {
	   ASN1_SIMPLE(SingleResponse, certID, CertID),
	   ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
	   ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
	   ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
	   ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(SingleResponse);

ASN1_SEQUENCE(ResponseData) = {
	   ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
	   ASN1_SIMPLE(ResponseData, responderID, ResponderID),
	   ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
	   ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
	   ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(ResponseData);

ASN1_SEQUENCE(BasicOCSPResponse) = {
	   ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
	   ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
	   ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
	   ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
} ASN1_SEQUENCE_END(BasicOCSPResponse);
Commit	Line	Data
9d6b1ce6	1	/* ocsp.c */
2e597528	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
9d6b1ce6 DSH	3	* project 2000.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58	#include <openssl/asn1.h>
	59	#include <openssl/asn1t.h>
	60	#include <openssl/x509v3.h>
	61
	62
	63
	64
3e9a08ec TH	65	/*-
3e9a08ec TH	66	Example of new ASN1 code, OCSP request
9d6b1ce6 DSH	67
	68	OCSPRequest ::= SEQUENCE {
	69	tbsRequest TBSRequest,
	70	optionalSignature [0] EXPLICIT Signature OPTIONAL }
	71
	72	TBSRequest ::= SEQUENCE {
	73	version [0] EXPLICIT Version DEFAULT v1,
	74	requestorName [1] EXPLICIT GeneralName OPTIONAL,
	75	requestList SEQUENCE OF Request,
	76	requestExtensions [2] EXPLICIT Extensions OPTIONAL }
	77
	78	Signature ::= SEQUENCE {
	79	signatureAlgorithm AlgorithmIdentifier,
	80	signature BIT STRING,
	81	certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
	82
	83	Version ::= INTEGER { v1(0) }
	84
	85	Request ::= SEQUENCE {
	86	reqCert CertID,
	87	singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
	88
	89	CertID ::= SEQUENCE {
	90	hashAlgorithm AlgorithmIdentifier,
	91	issuerNameHash OCTET STRING, -- Hash of Issuer's DN
	92	issuerKeyHash OCTET STRING, -- Hash of Issuers public key
	93	serialNumber CertificateSerialNumber }
	94
	95	OCSPResponse ::= SEQUENCE {
	96	responseStatus OCSPResponseStatus,
	97	responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
	98
	99	OCSPResponseStatus ::= ENUMERATED {
	100	successful (0), --Response has valid confirmations
	101	malformedRequest (1), --Illegal confirmation request
	102	internalError (2), --Internal error in issuer
	103	tryLater (3), --Try again later
	104	--(4) is not used
	105	sigRequired (5), --Must sign the request
	106	unauthorized (6) --Request unauthorized
	107	}
	108
	109	ResponseBytes ::= SEQUENCE {
	110	responseType OBJECT IDENTIFIER,
	111	response OCTET STRING }
	112
	113	BasicOCSPResponse ::= SEQUENCE {
	114	tbsResponseData ResponseData,
	115	signatureAlgorithm AlgorithmIdentifier,
	116	signature BIT STRING,
	117	certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
	118
	119	ResponseData ::= SEQUENCE {
	120	version [0] EXPLICIT Version DEFAULT v1,
	121	responderID ResponderID,
	122	producedAt GeneralizedTime,
	123	responses SEQUENCE OF SingleResponse,
	124	responseExtensions [1] EXPLICIT Extensions OPTIONAL }
	125
	126	ResponderID ::= CHOICE {
	127	byName [1] Name, --EXPLICIT
	128	byKey [2] KeyHash }
	129
	130	KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
131	--(excluding the tag and length fields)
132
133	SingleResponse ::= SEQUENCE {
134	certID CertID,
135	certStatus CertStatus,
136	thisUpdate GeneralizedTime,
137	nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
138	singleExtensions [1] EXPLICIT Extensions OPTIONAL }
139
140	CertStatus ::= CHOICE {
141	good [0] IMPLICIT NULL,
142	revoked [1] IMPLICIT RevokedInfo,
143	unknown [2] IMPLICIT UnknownInfo }
144
145	RevokedInfo ::= SEQUENCE {
146	revocationTime GeneralizedTime,
147	revocationReason [0] EXPLICIT CRLReason OPTIONAL }
148
149	UnknownInfo ::= NULL -- this can be replaced with an enumeration
150
151	ArchiveCutoff ::= GeneralizedTime
152
153	AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
154
155	ServiceLocator ::= SEQUENCE {
156	issuer Name,
157	locator AuthorityInfoAccessSyntax }
158
159	-- Object Identifiers
160
161	id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
162	id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
163	id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
164	id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
165	id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
166	id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
167	id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
168	id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
169	id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
170
171	*/
172
173	/* Request Structures */
174
175	DECLARE_STACK_OF(Request)
176
177	typedef struct {
178	ASN1_INTEGER *version;
179	GENERAL_NAME *requestorName;
180	STACK_OF(Request) *requestList;
181	STACK_OF(X509_EXTENSION) *requestExtensions;
182	} TBSRequest;
183
184	typedef struct {
185	X509_ALGOR *signatureAlgorithm;
186	ASN1_BIT_STRING *signature;
187	STACK_OF(X509) *certs;
188	} Signature;
189
190	typedef struct {
191	TBSRequest *tbsRequest;
192	Signature *optionalSignature;
193	} OCSPRequest;
194
195	typedef struct {
196	X509_ALGOR *hashAlgorithm;
197	ASN1_OCTET_STRING *issuerNameHash;
198	ASN1_OCTET_STRING *issuerKeyHash;
199	ASN1_INTEGER *certificateSerialNumber;
200	} CertID;
201
202	typedef struct {
203	CertID *reqCert;
204	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
205	} Request;
206
207	/* Response structures */
208
209	typedef struct {
210	ASN1_OBJECT *responseType;
211	ASN1_OCTET_STRING *response;
212	} ResponseBytes;
213
214	typedef struct {
215	ASN1_ENUMERATED *responseStatus;
216	ResponseBytes *responseBytes;
217	} OCSPResponse;
218
219	typedef struct {
220	int type;
221	union {
222	X509_NAME *byName;
223	ASN1_OCTET_STRING *byKey;
224	}d;
225	} ResponderID;
226
227	typedef struct {
228	ASN1_INTEGER *version;
229	ResponderID *responderID;
230	ASN1_GENERALIZEDTIME *producedAt;
231	STACK_OF(SingleResponse) *responses;
232	STACK_OF(X509_EXTENSION) *responseExtensions;
233	} ResponseData;
234
235	typedef struct {
236	ResponseData *tbsResponseData;
237	X509_ALGOR *signatureAlgorithm;
238	ASN1_BIT_STRING *signature;
239	STACK_OF(X509) *certs;
240	} BasicOCSPResponse;
241
242	typedef struct {
243	ASN1_GENERALIZEDTIME *revocationTime;
244	ASN1_ENUMERATED * revocationReason;
245	} RevokedInfo;
246
247	typedef struct {
248	int type;
249	union {
250	ASN1_NULL *good;
251	RevokedInfo *revoked;
252	ASN1_NULL *unknown;
253	} d;
254	} CertStatus;
255
256	typedef struct {
257	CertID *certID;
258	CertStatus *certStatus;
259	ASN1_GENERALIZEDTIME *thisUpdate;
260	ASN1_GENERALIZEDTIME *nextUpdate;
261	STACK_OF(X509_EXTENSION) *singleExtensions;
262	} SingleResponse;
263
264
265	typedef struct {
266	X509_NAME *issuer;
267	STACK_OF(ACCESS_DESCRIPTION) *locator;
268	} ServiceLocator;
269
270
271	/* Now the ASN1 templates */
272
273	IMPLEMENT_COMPAT_ASN1(X509);
274	IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
275	//IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
276	IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
277	IMPLEMENT_COMPAT_ASN1(X509_NAME);
278
279	ASN1_SEQUENCE(X509_EXTENSION) = {
280	ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
281	ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
282	ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
283	} ASN1_SEQUENCE_END(X509_EXTENSION);
284
285
286	ASN1_SEQUENCE(Signature) = {
287	ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
288	ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
289	ASN1_SEQUENCE_OF(Signature, certs, X509)
290	} ASN1_SEQUENCE_END(Signature);
291
292	ASN1_SEQUENCE(CertID) = {
293	ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
294	ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
295	ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
296	ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
297	} ASN1_SEQUENCE_END(CertID);
298
299	ASN1_SEQUENCE(Request) = {
300	ASN1_SIMPLE(Request, reqCert, CertID),
301	ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
302	} ASN1_SEQUENCE_END(Request);
303
304	ASN1_SEQUENCE(TBSRequest) = {
305	ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
306	ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
307	ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
308	ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
309	} ASN1_SEQUENCE_END(TBSRequest);
310
311	ASN1_SEQUENCE(OCSPRequest) = {
312	ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
313	ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
314	} ASN1_SEQUENCE_END(OCSPRequest);
315
316
317	/* Response templates */
318
319	ASN1_SEQUENCE(ResponseBytes) = {
320	ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
321	ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
322	} ASN1_SEQUENCE_END(ResponseBytes);
323
324	ASN1_SEQUENCE(OCSPResponse) = {
325	ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
326	ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
327	} ASN1_SEQUENCE_END(OCSPResponse);
328
329	ASN1_CHOICE(ResponderID) = {
330	ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
331	ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
332	} ASN1_CHOICE_END(ResponderID);
333
334	ASN1_SEQUENCE(RevokedInfo) = {
335	ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
336	ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
337	} ASN1_SEQUENCE_END(RevokedInfo);
338
339	ASN1_CHOICE(CertStatus) = {
340	ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
341	ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
342	ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
343	} ASN1_CHOICE_END(CertStatus);
344
345	ASN1_SEQUENCE(SingleResponse) = {
346	ASN1_SIMPLE(SingleResponse, certID, CertID),
347	ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
348	ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
349	ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
350	ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
351	} ASN1_SEQUENCE_END(SingleResponse);
352
353	ASN1_SEQUENCE(ResponseData) = {
354	ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
355	ASN1_SIMPLE(ResponseData, responderID, ResponderID),
356	ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
357	ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
358	ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
359	} ASN1_SEQUENCE_END(ResponseData);
360
361	ASN1_SEQUENCE(BasicOCSPResponse) = {
362	ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
363	ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
364	ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
365	ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
366	} ASN1_SEQUENCE_END(BasicOCSPResponse);
367