]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ocsp/ocsp_local.h
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / ocsp / ocsp_local.h
1 /*
2 * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "crypto/x509.h" /* for X509_add_cert_new() */
11
12 /*- CertID ::= SEQUENCE {
13 * hashAlgorithm AlgorithmIdentifier,
14 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
15 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
16 * serialNumber CertificateSerialNumber }
17 */
18 struct ocsp_cert_id_st {
19 X509_ALGOR hashAlgorithm;
20 ASN1_OCTET_STRING issuerNameHash;
21 ASN1_OCTET_STRING issuerKeyHash;
22 ASN1_INTEGER serialNumber;
23 };
24
25 /*- Request ::= SEQUENCE {
26 * reqCert CertID,
27 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
28 */
29 struct ocsp_one_request_st {
30 OCSP_CERTID *reqCert;
31 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
32 };
33
34 /*- TBSRequest ::= SEQUENCE {
35 * version [0] EXPLICIT Version DEFAULT v1,
36 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
37 * requestList SEQUENCE OF Request,
38 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
39 */
40 struct ocsp_req_info_st {
41 ASN1_INTEGER *version;
42 GENERAL_NAME *requestorName;
43 STACK_OF(OCSP_ONEREQ) *requestList;
44 STACK_OF(X509_EXTENSION) *requestExtensions;
45 };
46
47 /*- Signature ::= SEQUENCE {
48 * signatureAlgorithm AlgorithmIdentifier,
49 * signature BIT STRING,
50 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
51 */
52 struct ocsp_signature_st {
53 X509_ALGOR signatureAlgorithm;
54 ASN1_BIT_STRING *signature;
55 STACK_OF(X509) *certs;
56 };
57
58 /*- OCSPRequest ::= SEQUENCE {
59 * tbsRequest TBSRequest,
60 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
61 */
62 struct ocsp_request_st {
63 OCSP_REQINFO tbsRequest;
64 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
65 };
66
67 /*- OCSPResponseStatus ::= ENUMERATED {
68 * successful (0), --Response has valid confirmations
69 * malformedRequest (1), --Illegal confirmation request
70 * internalError (2), --Internal error in issuer
71 * tryLater (3), --Try again later
72 * --(4) is not used
73 * sigRequired (5), --Must sign the request
74 * unauthorized (6) --Request unauthorized
75 * }
76 */
77
78 /*- ResponseBytes ::= SEQUENCE {
79 * responseType OBJECT IDENTIFIER,
80 * response OCTET STRING }
81 */
82 struct ocsp_resp_bytes_st {
83 ASN1_OBJECT *responseType;
84 ASN1_OCTET_STRING *response;
85 };
86
87 /*- OCSPResponse ::= SEQUENCE {
88 * responseStatus OCSPResponseStatus,
89 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
90 */
91 struct ocsp_response_st {
92 ASN1_ENUMERATED *responseStatus;
93 OCSP_RESPBYTES *responseBytes;
94 };
95
96 /*- ResponderID ::= CHOICE {
97 * byName [1] Name,
98 * byKey [2] KeyHash }
99 */
100 struct ocsp_responder_id_st {
101 int type;
102 union {
103 X509_NAME *byName;
104 ASN1_OCTET_STRING *byKey;
105 } value;
106 };
107
108 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
109 * --(excluding the tag and length fields)
110 */
111
112 /*- RevokedInfo ::= SEQUENCE {
113 * revocationTime GeneralizedTime,
114 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
115 */
116 struct ocsp_revoked_info_st {
117 ASN1_GENERALIZEDTIME *revocationTime;
118 ASN1_ENUMERATED *revocationReason;
119 };
120
121 /*- CertStatus ::= CHOICE {
122 * good [0] IMPLICIT NULL,
123 * revoked [1] IMPLICIT RevokedInfo,
124 * unknown [2] IMPLICIT UnknownInfo }
125 */
126 struct ocsp_cert_status_st {
127 int type;
128 union {
129 ASN1_NULL *good;
130 OCSP_REVOKEDINFO *revoked;
131 ASN1_NULL *unknown;
132 } value;
133 };
134
135 /*- SingleResponse ::= SEQUENCE {
136 * certID CertID,
137 * certStatus CertStatus,
138 * thisUpdate GeneralizedTime,
139 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
140 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
141 */
142 struct ocsp_single_response_st {
143 OCSP_CERTID *certId;
144 OCSP_CERTSTATUS *certStatus;
145 ASN1_GENERALIZEDTIME *thisUpdate;
146 ASN1_GENERALIZEDTIME *nextUpdate;
147 STACK_OF(X509_EXTENSION) *singleExtensions;
148 };
149
150 /*- ResponseData ::= SEQUENCE {
151 * version [0] EXPLICIT Version DEFAULT v1,
152 * responderID ResponderID,
153 * producedAt GeneralizedTime,
154 * responses SEQUENCE OF SingleResponse,
155 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
156 */
157 struct ocsp_response_data_st {
158 ASN1_INTEGER *version;
159 OCSP_RESPID responderId;
160 ASN1_GENERALIZEDTIME *producedAt;
161 STACK_OF(OCSP_SINGLERESP) *responses;
162 STACK_OF(X509_EXTENSION) *responseExtensions;
163 };
164
165 /*- BasicOCSPResponse ::= SEQUENCE {
166 * tbsResponseData ResponseData,
167 * signatureAlgorithm AlgorithmIdentifier,
168 * signature BIT STRING,
169 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
170 */
171 /*
172 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
173 * follows: "The value for the signature SHALL be computed on the hash of
174 * the DER encoding ResponseData." This means that you must hash the
175 * DER-encoded tbsResponseData, and then run it through a crypto-signing
176 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
177 * operation. This seems a bit odd, but that's the spec. Also note that
178 * the data structures do not leave anywhere to independently specify the
179 * algorithm used for the initial hash. So, we look at the
180 * signature-specification algorithm, and try to do something intelligent.
181 * -- Kathy Weinhold, CertCo
182 */
183 /*
184 * Note 2: It seems that the mentioned passage from RFC 2560 (section
185 * 4.2.1) is open for interpretation. I've done tests against another
186 * responder, and found that it doesn't do the double hashing that the RFC
187 * seems to say one should. Therefore, all relevant functions take a flag
188 * saying which variant should be used. -- Richard Levitte, OpenSSL team
189 * and CeloCom
190 */
191 struct ocsp_basic_response_st {
192 OCSP_RESPDATA tbsResponseData;
193 X509_ALGOR signatureAlgorithm;
194 ASN1_BIT_STRING *signature;
195 STACK_OF(X509) *certs;
196 };
197
198 /*-
199 * CrlID ::= SEQUENCE {
200 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
201 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
202 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
203 */
204 struct ocsp_crl_id_st {
205 ASN1_IA5STRING *crlUrl;
206 ASN1_INTEGER *crlNum;
207 ASN1_GENERALIZEDTIME *crlTime;
208 };
209
210 /*-
211 * ServiceLocator ::= SEQUENCE {
212 * issuer Name,
213 * locator AuthorityInfoAccessSyntax OPTIONAL }
214 */
215 struct ocsp_service_locator_st {
216 X509_NAME *issuer;
217 STACK_OF(ACCESS_DESCRIPTION) *locator;
218 };
219
220 # define OCSP_REQUEST_sign(o,pkey,md) \
221 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
222 &(o)->optionalSignature->signatureAlgorithm,NULL,\
223 (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
224
225 # define OCSP_BASICRESP_sign(o,pkey,md,d) \
226 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
227 NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
228
229 # define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
230 ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
231 NULL,(o)->signature,&(o)->tbsResponseData,ctx)
232
233 # define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
234 &(a)->optionalSignature->signatureAlgorithm,\
235 (a)->optionalSignature->signature,&(a)->tbsRequest,r)
236
237 # define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
238 &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
A mirror of the official openssl repository