2 * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "crypto/x509.h" /* for X509_add_cert_new() */
12 /*- CertID ::= SEQUENCE {
13 * hashAlgorithm AlgorithmIdentifier,
14 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
15 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
16 * serialNumber CertificateSerialNumber }
18 struct ocsp_cert_id_st
{
19 X509_ALGOR hashAlgorithm
;
20 ASN1_OCTET_STRING issuerNameHash
;
21 ASN1_OCTET_STRING issuerKeyHash
;
22 ASN1_INTEGER serialNumber
;
25 /*- Request ::= SEQUENCE {
27 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
29 struct ocsp_one_request_st
{
31 STACK_OF(X509_EXTENSION
) *singleRequestExtensions
;
34 /*- TBSRequest ::= SEQUENCE {
35 * version [0] EXPLICIT Version DEFAULT v1,
36 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
37 * requestList SEQUENCE OF Request,
38 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
40 struct ocsp_req_info_st
{
41 ASN1_INTEGER
*version
;
42 GENERAL_NAME
*requestorName
;
43 STACK_OF(OCSP_ONEREQ
) *requestList
;
44 STACK_OF(X509_EXTENSION
) *requestExtensions
;
47 /*- Signature ::= SEQUENCE {
48 * signatureAlgorithm AlgorithmIdentifier,
49 * signature BIT STRING,
50 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
52 struct ocsp_signature_st
{
53 X509_ALGOR signatureAlgorithm
;
54 ASN1_BIT_STRING
*signature
;
55 STACK_OF(X509
) *certs
;
58 /*- OCSPRequest ::= SEQUENCE {
59 * tbsRequest TBSRequest,
60 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
62 struct ocsp_request_st
{
63 OCSP_REQINFO tbsRequest
;
64 OCSP_SIGNATURE
*optionalSignature
; /* OPTIONAL */
67 /*- OCSPResponseStatus ::= ENUMERATED {
68 * successful (0), --Response has valid confirmations
69 * malformedRequest (1), --Illegal confirmation request
70 * internalError (2), --Internal error in issuer
71 * tryLater (3), --Try again later
73 * sigRequired (5), --Must sign the request
74 * unauthorized (6) --Request unauthorized
78 /*- ResponseBytes ::= SEQUENCE {
79 * responseType OBJECT IDENTIFIER,
80 * response OCTET STRING }
82 struct ocsp_resp_bytes_st
{
83 ASN1_OBJECT
*responseType
;
84 ASN1_OCTET_STRING
*response
;
87 /*- OCSPResponse ::= SEQUENCE {
88 * responseStatus OCSPResponseStatus,
89 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
91 struct ocsp_response_st
{
92 ASN1_ENUMERATED
*responseStatus
;
93 OCSP_RESPBYTES
*responseBytes
;
96 /*- ResponderID ::= CHOICE {
100 struct ocsp_responder_id_st
{
104 ASN1_OCTET_STRING
*byKey
;
108 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
109 * --(excluding the tag and length fields)
112 /*- RevokedInfo ::= SEQUENCE {
113 * revocationTime GeneralizedTime,
114 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
116 struct ocsp_revoked_info_st
{
117 ASN1_GENERALIZEDTIME
*revocationTime
;
118 ASN1_ENUMERATED
*revocationReason
;
121 /*- CertStatus ::= CHOICE {
122 * good [0] IMPLICIT NULL,
123 * revoked [1] IMPLICIT RevokedInfo,
124 * unknown [2] IMPLICIT UnknownInfo }
126 struct ocsp_cert_status_st
{
130 OCSP_REVOKEDINFO
*revoked
;
135 /*- SingleResponse ::= SEQUENCE {
137 * certStatus CertStatus,
138 * thisUpdate GeneralizedTime,
139 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
140 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
142 struct ocsp_single_response_st
{
144 OCSP_CERTSTATUS
*certStatus
;
145 ASN1_GENERALIZEDTIME
*thisUpdate
;
146 ASN1_GENERALIZEDTIME
*nextUpdate
;
147 STACK_OF(X509_EXTENSION
) *singleExtensions
;
150 /*- ResponseData ::= SEQUENCE {
151 * version [0] EXPLICIT Version DEFAULT v1,
152 * responderID ResponderID,
153 * producedAt GeneralizedTime,
154 * responses SEQUENCE OF SingleResponse,
155 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
157 struct ocsp_response_data_st
{
158 ASN1_INTEGER
*version
;
159 OCSP_RESPID responderId
;
160 ASN1_GENERALIZEDTIME
*producedAt
;
161 STACK_OF(OCSP_SINGLERESP
) *responses
;
162 STACK_OF(X509_EXTENSION
) *responseExtensions
;
165 /*- BasicOCSPResponse ::= SEQUENCE {
166 * tbsResponseData ResponseData,
167 * signatureAlgorithm AlgorithmIdentifier,
168 * signature BIT STRING,
169 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
172 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
173 * follows: "The value for the signature SHALL be computed on the hash of
174 * the DER encoding ResponseData." This means that you must hash the
175 * DER-encoded tbsResponseData, and then run it through a crypto-signing
176 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
177 * operation. This seems a bit odd, but that's the spec. Also note that
178 * the data structures do not leave anywhere to independently specify the
179 * algorithm used for the initial hash. So, we look at the
180 * signature-specification algorithm, and try to do something intelligent.
181 * -- Kathy Weinhold, CertCo
184 * Note 2: It seems that the mentioned passage from RFC 2560 (section
185 * 4.2.1) is open for interpretation. I've done tests against another
186 * responder, and found that it doesn't do the double hashing that the RFC
187 * seems to say one should. Therefore, all relevant functions take a flag
188 * saying which variant should be used. -- Richard Levitte, OpenSSL team
191 struct ocsp_basic_response_st
{
192 OCSP_RESPDATA tbsResponseData
;
193 X509_ALGOR signatureAlgorithm
;
194 ASN1_BIT_STRING
*signature
;
195 STACK_OF(X509
) *certs
;
199 * CrlID ::= SEQUENCE {
200 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
201 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
202 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
204 struct ocsp_crl_id_st
{
205 ASN1_IA5STRING
*crlUrl
;
206 ASN1_INTEGER
*crlNum
;
207 ASN1_GENERALIZEDTIME
*crlTime
;
211 * ServiceLocator ::= SEQUENCE {
213 * locator AuthorityInfoAccessSyntax OPTIONAL }
215 struct ocsp_service_locator_st
{
217 STACK_OF(ACCESS_DESCRIPTION
) *locator
;
220 # define OCSP_REQUEST_sign(o,pkey,md) \
221 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
222 &(o)->optionalSignature->signatureAlgorithm,NULL,\
223 (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
225 # define OCSP_BASICRESP_sign(o,pkey,md,d) \
226 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
227 NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
229 # define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
230 ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
231 NULL,(o)->signature,&(o)->tbsResponseData,ctx)
233 # define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
234 &(a)->optionalSignature->signatureAlgorithm,\
235 (a)->optionalSignature->signature,&(a)->tbsRequest,r)
237 # define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
238 &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)