]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ocsp/ocsp_lcl.h
projects / thirdparty / openssl.git / blob
? search:


c60d956099a1bb10f903674a9de330972054a5ff
[thirdparty/openssl.git] / crypto / ocsp / ocsp_lcl.h
1 /* ocsp_lcl.h */
2 /*
3 * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
4 * project.
5 */
6
7 /*
8 * History: This file was transfered to Richard Levitte from CertCo by Kathy
9 * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
10 * patch kit.
11 */
12
13 /* ====================================================================
14 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 *
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 *
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in
25 * the documentation and/or other materials provided with the
26 * distribution.
27 *
28 * 3. All advertising materials mentioning features or use of this
29 * software must display the following acknowledgment:
30 * "This product includes software developed by the OpenSSL Project
31 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
32 *
33 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
34 * endorse or promote products derived from this software without
35 * prior written permission. For written permission, please contact
36 * openssl-core@openssl.org.
37 *
38 * 5. Products derived from this software may not be called "OpenSSL"
39 * nor may "OpenSSL" appear in their names without prior written
40 * permission of the OpenSSL Project.
41 *
42 * 6. Redistributions of any form whatsoever must retain the following
43 * acknowledgment:
44 * "This product includes software developed by the OpenSSL Project
45 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
46 *
47 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
48 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
50 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
51 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
52 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
53 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
54 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
56 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
57 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
58 * OF THE POSSIBILITY OF SUCH DAMAGE.
59 * ====================================================================
60 *
61 * This product includes cryptographic software written by Eric Young
62 * (eay@cryptsoft.com). This product includes software written by Tim
63 * Hudson (tjh@cryptsoft.com).
64 *
65 */
66
67 /*- CertID ::= SEQUENCE {
68 * hashAlgorithm AlgorithmIdentifier,
69 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
70 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
71 * serialNumber CertificateSerialNumber }
72 */
73 struct ocsp_cert_id_st {
74 X509_ALGOR hashAlgorithm;
75 ASN1_OCTET_STRING issuerNameHash;
76 ASN1_OCTET_STRING issuerKeyHash;
77 ASN1_INTEGER serialNumber;
78 };
79
80 /*- Request ::= SEQUENCE {
81 * reqCert CertID,
82 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
83 */
84 struct ocsp_one_request_st {
85 OCSP_CERTID *reqCert;
86 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
87 };
88
89 /*- TBSRequest ::= SEQUENCE {
90 * version [0] EXPLICIT Version DEFAULT v1,
91 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
92 * requestList SEQUENCE OF Request,
93 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
94 */
95 struct ocsp_req_info_st {
96 ASN1_INTEGER *version;
97 GENERAL_NAME *requestorName;
98 STACK_OF(OCSP_ONEREQ) *requestList;
99 STACK_OF(X509_EXTENSION) *requestExtensions;
100 };
101
102 /*- Signature ::= SEQUENCE {
103 * signatureAlgorithm AlgorithmIdentifier,
104 * signature BIT STRING,
105 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
106 */
107 struct ocsp_signature_st {
108 X509_ALGOR signatureAlgorithm;
109 ASN1_BIT_STRING *signature;
110 STACK_OF(X509) *certs;
111 };
112
113 /*- OCSPRequest ::= SEQUENCE {
114 * tbsRequest TBSRequest,
115 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
116 */
117 struct ocsp_request_st {
118 OCSP_REQINFO tbsRequest;
119 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
120 };
121
122 /*- OCSPResponseStatus ::= ENUMERATED {
123 * successful (0), --Response has valid confirmations
124 * malformedRequest (1), --Illegal confirmation request
125 * internalError (2), --Internal error in issuer
126 * tryLater (3), --Try again later
127 * --(4) is not used
128 * sigRequired (5), --Must sign the request
129 * unauthorized (6) --Request unauthorized
130 * }
131 */
132
133 /*- ResponseBytes ::= SEQUENCE {
134 * responseType OBJECT IDENTIFIER,
135 * response OCTET STRING }
136 */
137 struct ocsp_resp_bytes_st {
138 ASN1_OBJECT *responseType;
139 ASN1_OCTET_STRING *response;
140 };
141
142 /*- OCSPResponse ::= SEQUENCE {
143 * responseStatus OCSPResponseStatus,
144 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
145 */
146 struct ocsp_response_st {
147 ASN1_ENUMERATED *responseStatus;
148 OCSP_RESPBYTES *responseBytes;
149 };
150
151 /*- ResponderID ::= CHOICE {
152 * byName [1] Name,
153 * byKey [2] KeyHash }
154 */
155 struct ocsp_responder_id_st {
156 int type;
157 union {
158 X509_NAME *byName;
159 ASN1_OCTET_STRING *byKey;
160 } value;
161 };
162
163 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
164 * --(excluding the tag and length fields)
165 */
166
167 /*- RevokedInfo ::= SEQUENCE {
168 * revocationTime GeneralizedTime,
169 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
170 */
171 struct ocsp_revoked_info_st {
172 ASN1_GENERALIZEDTIME *revocationTime;
173 ASN1_ENUMERATED *revocationReason;
174 };
175
176 /*- CertStatus ::= CHOICE {
177 * good [0] IMPLICIT NULL,
178 * revoked [1] IMPLICIT RevokedInfo,
179 * unknown [2] IMPLICIT UnknownInfo }
180 */
181 struct ocsp_cert_status_st {
182 int type;
183 union {
184 ASN1_NULL *good;
185 OCSP_REVOKEDINFO *revoked;
186 ASN1_NULL *unknown;
187 } value;
188 };
189
190 /*- SingleResponse ::= SEQUENCE {
191 * certID CertID,
192 * certStatus CertStatus,
193 * thisUpdate GeneralizedTime,
194 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
195 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
196 */
197 struct ocsp_single_response_st {
198 OCSP_CERTID *certId;
199 OCSP_CERTSTATUS *certStatus;
200 ASN1_GENERALIZEDTIME *thisUpdate;
201 ASN1_GENERALIZEDTIME *nextUpdate;
202 STACK_OF(X509_EXTENSION) *singleExtensions;
203 };
204
205 /*- ResponseData ::= SEQUENCE {
206 * version [0] EXPLICIT Version DEFAULT v1,
207 * responderID ResponderID,
208 * producedAt GeneralizedTime,
209 * responses SEQUENCE OF SingleResponse,
210 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
211 */
212 struct ocsp_response_data_st {
213 ASN1_INTEGER *version;
214 OCSP_RESPID responderId;
215 ASN1_GENERALIZEDTIME *producedAt;
216 STACK_OF(OCSP_SINGLERESP) *responses;
217 STACK_OF(X509_EXTENSION) *responseExtensions;
218 };
219
220 /*- BasicOCSPResponse ::= SEQUENCE {
221 * tbsResponseData ResponseData,
222 * signatureAlgorithm AlgorithmIdentifier,
223 * signature BIT STRING,
224 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
225 */
226 /*
227 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
228 * follows: "The value for the signature SHALL be computed on the hash of
229 * the DER encoding ResponseData." This means that you must hash the
230 * DER-encoded tbsResponseData, and then run it through a crypto-signing
231 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
232 * operation. This seems a bit odd, but that's the spec. Also note that
233 * the data structures do not leave anywhere to independently specify the
234 * algorithm used for the initial hash. So, we look at the
235 * signature-specification algorithm, and try to do something intelligent.
236 * -- Kathy Weinhold, CertCo
237 */
238 /*
239 * Note 2: It seems that the mentioned passage from RFC 2560 (section
240 * 4.2.1) is open for interpretation. I've done tests against another
241 * responder, and found that it doesn't do the double hashing that the RFC
242 * seems to say one should. Therefore, all relevant functions take a flag
243 * saying which variant should be used. -- Richard Levitte, OpenSSL team
244 * and CeloCom
245 */
246 struct ocsp_basic_response_st {
247 OCSP_RESPDATA tbsResponseData;
248 X509_ALGOR signatureAlgorithm;
249 ASN1_BIT_STRING *signature;
250 STACK_OF(X509) *certs;
251 };
252
253 /*-
254 * CrlID ::= SEQUENCE {
255 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
256 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
257 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
258 */
259 struct ocsp_crl_id_st {
260 ASN1_IA5STRING *crlUrl;
261 ASN1_INTEGER *crlNum;
262 ASN1_GENERALIZEDTIME *crlTime;
263 };
264
265 /*-
266 * ServiceLocator ::= SEQUENCE {
267 * issuer Name,
268 * locator AuthorityInfoAccessSyntax OPTIONAL }
269 */
270 struct ocsp_service_locator_st {
271 X509_NAME *issuer;
272 STACK_OF(ACCESS_DESCRIPTION) *locator;
273 };
A mirror of the official openssl repository