[331] | 1 | /*
|
---|
| 2 | * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | /*- CertID ::= SEQUENCE {
|
---|
| 11 | * hashAlgorithm AlgorithmIdentifier,
|
---|
| 12 | * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
|
---|
| 13 | * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
|
---|
| 14 | * serialNumber CertificateSerialNumber }
|
---|
| 15 | */
|
---|
| 16 | struct ocsp_cert_id_st {
|
---|
| 17 | X509_ALGOR hashAlgorithm;
|
---|
| 18 | ASN1_OCTET_STRING issuerNameHash;
|
---|
| 19 | ASN1_OCTET_STRING issuerKeyHash;
|
---|
| 20 | ASN1_INTEGER serialNumber;
|
---|
| 21 | };
|
---|
| 22 |
|
---|
| 23 | /*- Request ::= SEQUENCE {
|
---|
| 24 | * reqCert CertID,
|
---|
| 25 | * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
|
---|
| 26 | */
|
---|
| 27 | struct ocsp_one_request_st {
|
---|
| 28 | OCSP_CERTID *reqCert;
|
---|
| 29 | STACK_OF(X509_EXTENSION) *singleRequestExtensions;
|
---|
| 30 | };
|
---|
| 31 |
|
---|
| 32 | /*- TBSRequest ::= SEQUENCE {
|
---|
| 33 | * version [0] EXPLICIT Version DEFAULT v1,
|
---|
| 34 | * requestorName [1] EXPLICIT GeneralName OPTIONAL,
|
---|
| 35 | * requestList SEQUENCE OF Request,
|
---|
| 36 | * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
|
---|
| 37 | */
|
---|
| 38 | struct ocsp_req_info_st {
|
---|
| 39 | ASN1_INTEGER *version;
|
---|
| 40 | GENERAL_NAME *requestorName;
|
---|
| 41 | STACK_OF(OCSP_ONEREQ) *requestList;
|
---|
| 42 | STACK_OF(X509_EXTENSION) *requestExtensions;
|
---|
| 43 | };
|
---|
| 44 |
|
---|
| 45 | /*- Signature ::= SEQUENCE {
|
---|
| 46 | * signatureAlgorithm AlgorithmIdentifier,
|
---|
| 47 | * signature BIT STRING,
|
---|
| 48 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
|
---|
| 49 | */
|
---|
| 50 | struct ocsp_signature_st {
|
---|
| 51 | X509_ALGOR signatureAlgorithm;
|
---|
| 52 | ASN1_BIT_STRING *signature;
|
---|
| 53 | STACK_OF(X509) *certs;
|
---|
| 54 | };
|
---|
| 55 |
|
---|
| 56 | /*- OCSPRequest ::= SEQUENCE {
|
---|
| 57 | * tbsRequest TBSRequest,
|
---|
| 58 | * optionalSignature [0] EXPLICIT Signature OPTIONAL }
|
---|
| 59 | */
|
---|
| 60 | struct ocsp_request_st {
|
---|
| 61 | OCSP_REQINFO tbsRequest;
|
---|
| 62 | OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
|
---|
| 63 | };
|
---|
| 64 |
|
---|
| 65 | /*- OCSPResponseStatus ::= ENUMERATED {
|
---|
| 66 | * successful (0), --Response has valid confirmations
|
---|
| 67 | * malformedRequest (1), --Illegal confirmation request
|
---|
| 68 | * internalError (2), --Internal error in issuer
|
---|
| 69 | * tryLater (3), --Try again later
|
---|
| 70 | * --(4) is not used
|
---|
| 71 | * sigRequired (5), --Must sign the request
|
---|
| 72 | * unauthorized (6) --Request unauthorized
|
---|
| 73 | * }
|
---|
| 74 | */
|
---|
| 75 |
|
---|
| 76 | /*- ResponseBytes ::= SEQUENCE {
|
---|
| 77 | * responseType OBJECT IDENTIFIER,
|
---|
| 78 | * response OCTET STRING }
|
---|
| 79 | */
|
---|
| 80 | struct ocsp_resp_bytes_st {
|
---|
| 81 | ASN1_OBJECT *responseType;
|
---|
| 82 | ASN1_OCTET_STRING *response;
|
---|
| 83 | };
|
---|
| 84 |
|
---|
| 85 | /*- OCSPResponse ::= SEQUENCE {
|
---|
| 86 | * responseStatus OCSPResponseStatus,
|
---|
| 87 | * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
|
---|
| 88 | */
|
---|
| 89 | struct ocsp_response_st {
|
---|
| 90 | ASN1_ENUMERATED *responseStatus;
|
---|
| 91 | OCSP_RESPBYTES *responseBytes;
|
---|
| 92 | };
|
---|
| 93 |
|
---|
| 94 | /*- ResponderID ::= CHOICE {
|
---|
| 95 | * byName [1] Name,
|
---|
| 96 | * byKey [2] KeyHash }
|
---|
| 97 | */
|
---|
| 98 | struct ocsp_responder_id_st {
|
---|
| 99 | int type;
|
---|
| 100 | union {
|
---|
| 101 | X509_NAME *byName;
|
---|
| 102 | ASN1_OCTET_STRING *byKey;
|
---|
| 103 | } value;
|
---|
| 104 | };
|
---|
| 105 |
|
---|
| 106 | /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
|
---|
| 107 | * --(excluding the tag and length fields)
|
---|
| 108 | */
|
---|
| 109 |
|
---|
| 110 | /*- RevokedInfo ::= SEQUENCE {
|
---|
| 111 | * revocationTime GeneralizedTime,
|
---|
| 112 | * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
|
---|
| 113 | */
|
---|
| 114 | struct ocsp_revoked_info_st {
|
---|
| 115 | ASN1_GENERALIZEDTIME *revocationTime;
|
---|
| 116 | ASN1_ENUMERATED *revocationReason;
|
---|
| 117 | };
|
---|
| 118 |
|
---|
| 119 | /*- CertStatus ::= CHOICE {
|
---|
| 120 | * good [0] IMPLICIT NULL,
|
---|
| 121 | * revoked [1] IMPLICIT RevokedInfo,
|
---|
| 122 | * unknown [2] IMPLICIT UnknownInfo }
|
---|
| 123 | */
|
---|
| 124 | struct ocsp_cert_status_st {
|
---|
| 125 | int type;
|
---|
| 126 | union {
|
---|
| 127 | ASN1_NULL *good;
|
---|
| 128 | OCSP_REVOKEDINFO *revoked;
|
---|
| 129 | ASN1_NULL *unknown;
|
---|
| 130 | } value;
|
---|
| 131 | };
|
---|
| 132 |
|
---|
| 133 | /*- SingleResponse ::= SEQUENCE {
|
---|
| 134 | * certID CertID,
|
---|
| 135 | * certStatus CertStatus,
|
---|
| 136 | * thisUpdate GeneralizedTime,
|
---|
| 137 | * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
|
---|
| 138 | * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
|
---|
| 139 | */
|
---|
| 140 | struct ocsp_single_response_st {
|
---|
| 141 | OCSP_CERTID *certId;
|
---|
| 142 | OCSP_CERTSTATUS *certStatus;
|
---|
| 143 | ASN1_GENERALIZEDTIME *thisUpdate;
|
---|
| 144 | ASN1_GENERALIZEDTIME *nextUpdate;
|
---|
| 145 | STACK_OF(X509_EXTENSION) *singleExtensions;
|
---|
| 146 | };
|
---|
| 147 |
|
---|
| 148 | /*- ResponseData ::= SEQUENCE {
|
---|
| 149 | * version [0] EXPLICIT Version DEFAULT v1,
|
---|
| 150 | * responderID ResponderID,
|
---|
| 151 | * producedAt GeneralizedTime,
|
---|
| 152 | * responses SEQUENCE OF SingleResponse,
|
---|
| 153 | * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
|
---|
| 154 | */
|
---|
| 155 | struct ocsp_response_data_st {
|
---|
| 156 | ASN1_INTEGER *version;
|
---|
| 157 | OCSP_RESPID responderId;
|
---|
| 158 | ASN1_GENERALIZEDTIME *producedAt;
|
---|
| 159 | STACK_OF(OCSP_SINGLERESP) *responses;
|
---|
| 160 | STACK_OF(X509_EXTENSION) *responseExtensions;
|
---|
| 161 | };
|
---|
| 162 |
|
---|
| 163 | /*- BasicOCSPResponse ::= SEQUENCE {
|
---|
| 164 | * tbsResponseData ResponseData,
|
---|
| 165 | * signatureAlgorithm AlgorithmIdentifier,
|
---|
| 166 | * signature BIT STRING,
|
---|
| 167 | * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
|
---|
| 168 | */
|
---|
| 169 | /*
|
---|
| 170 | * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
|
---|
| 171 | * follows: "The value for the signature SHALL be computed on the hash of
|
---|
| 172 | * the DER encoding ResponseData." This means that you must hash the
|
---|
| 173 | * DER-encoded tbsResponseData, and then run it through a crypto-signing
|
---|
| 174 | * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
|
---|
| 175 | * operation. This seems a bit odd, but that's the spec. Also note that
|
---|
| 176 | * the data structures do not leave anywhere to independently specify the
|
---|
| 177 | * algorithm used for the initial hash. So, we look at the
|
---|
| 178 | * signature-specification algorithm, and try to do something intelligent.
|
---|
| 179 | * -- Kathy Weinhold, CertCo
|
---|
| 180 | */
|
---|
| 181 | /*
|
---|
| 182 | * Note 2: It seems that the mentioned passage from RFC 2560 (section
|
---|
| 183 | * 4.2.1) is open for interpretation. I've done tests against another
|
---|
| 184 | * responder, and found that it doesn't do the double hashing that the RFC
|
---|
| 185 | * seems to say one should. Therefore, all relevant functions take a flag
|
---|
| 186 | * saying which variant should be used. -- Richard Levitte, OpenSSL team
|
---|
| 187 | * and CeloCom
|
---|
| 188 | */
|
---|
| 189 | struct ocsp_basic_response_st {
|
---|
| 190 | OCSP_RESPDATA tbsResponseData;
|
---|
| 191 | X509_ALGOR signatureAlgorithm;
|
---|
| 192 | ASN1_BIT_STRING *signature;
|
---|
| 193 | STACK_OF(X509) *certs;
|
---|
| 194 | };
|
---|
| 195 |
|
---|
| 196 | /*-
|
---|
| 197 | * CrlID ::= SEQUENCE {
|
---|
| 198 | * crlUrl [0] EXPLICIT IA5String OPTIONAL,
|
---|
| 199 | * crlNum [1] EXPLICIT INTEGER OPTIONAL,
|
---|
| 200 | * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
|
---|
| 201 | */
|
---|
| 202 | struct ocsp_crl_id_st {
|
---|
| 203 | ASN1_IA5STRING *crlUrl;
|
---|
| 204 | ASN1_INTEGER *crlNum;
|
---|
| 205 | ASN1_GENERALIZEDTIME *crlTime;
|
---|
| 206 | };
|
---|
| 207 |
|
---|
| 208 | /*-
|
---|
| 209 | * ServiceLocator ::= SEQUENCE {
|
---|
| 210 | * issuer Name,
|
---|
| 211 | * locator AuthorityInfoAccessSyntax OPTIONAL }
|
---|
| 212 | */
|
---|
| 213 | struct ocsp_service_locator_st {
|
---|
| 214 | X509_NAME *issuer;
|
---|
| 215 | STACK_OF(ACCESS_DESCRIPTION) *locator;
|
---|
| 216 | };
|
---|