2
0

ocsp.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366
  1. /* ocsp.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project 2000.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * (eay@cryptsoft.com). This product includes software written by Tim
  55. * Hudson (tjh@cryptsoft.com).
  56. *
  57. */
  58. #include <openssl/asn1.h>
  59. #include <openssl/asn1t.h>
  60. #include <openssl/x509v3.h>
  61. /* Example of new ASN1 code, OCSP request
  62. OCSPRequest ::= SEQUENCE {
  63. tbsRequest TBSRequest,
  64. optionalSignature [0] EXPLICIT Signature OPTIONAL }
  65. TBSRequest ::= SEQUENCE {
  66. version [0] EXPLICIT Version DEFAULT v1,
  67. requestorName [1] EXPLICIT GeneralName OPTIONAL,
  68. requestList SEQUENCE OF Request,
  69. requestExtensions [2] EXPLICIT Extensions OPTIONAL }
  70. Signature ::= SEQUENCE {
  71. signatureAlgorithm AlgorithmIdentifier,
  72. signature BIT STRING,
  73. certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  74. Version ::= INTEGER { v1(0) }
  75. Request ::= SEQUENCE {
  76. reqCert CertID,
  77. singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
  78. CertID ::= SEQUENCE {
  79. hashAlgorithm AlgorithmIdentifier,
  80. issuerNameHash OCTET STRING, -- Hash of Issuer's DN
  81. issuerKeyHash OCTET STRING, -- Hash of Issuers public key
  82. serialNumber CertificateSerialNumber }
  83. OCSPResponse ::= SEQUENCE {
  84. responseStatus OCSPResponseStatus,
  85. responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
  86. OCSPResponseStatus ::= ENUMERATED {
  87. successful (0), --Response has valid confirmations
  88. malformedRequest (1), --Illegal confirmation request
  89. internalError (2), --Internal error in issuer
  90. tryLater (3), --Try again later
  91. --(4) is not used
  92. sigRequired (5), --Must sign the request
  93. unauthorized (6) --Request unauthorized
  94. }
  95. ResponseBytes ::= SEQUENCE {
  96. responseType OBJECT IDENTIFIER,
  97. response OCTET STRING }
  98. BasicOCSPResponse ::= SEQUENCE {
  99. tbsResponseData ResponseData,
  100. signatureAlgorithm AlgorithmIdentifier,
  101. signature BIT STRING,
  102. certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  103. ResponseData ::= SEQUENCE {
  104. version [0] EXPLICIT Version DEFAULT v1,
  105. responderID ResponderID,
  106. producedAt GeneralizedTime,
  107. responses SEQUENCE OF SingleResponse,
  108. responseExtensions [1] EXPLICIT Extensions OPTIONAL }
  109. ResponderID ::= CHOICE {
  110. byName [1] Name, --EXPLICIT
  111. byKey [2] KeyHash }
  112. KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  113. --(excluding the tag and length fields)
  114. SingleResponse ::= SEQUENCE {
  115. certID CertID,
  116. certStatus CertStatus,
  117. thisUpdate GeneralizedTime,
  118. nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
  119. singleExtensions [1] EXPLICIT Extensions OPTIONAL }
  120. CertStatus ::= CHOICE {
  121. good [0] IMPLICIT NULL,
  122. revoked [1] IMPLICIT RevokedInfo,
  123. unknown [2] IMPLICIT UnknownInfo }
  124. RevokedInfo ::= SEQUENCE {
  125. revocationTime GeneralizedTime,
  126. revocationReason [0] EXPLICIT CRLReason OPTIONAL }
  127. UnknownInfo ::= NULL -- this can be replaced with an enumeration
  128. ArchiveCutoff ::= GeneralizedTime
  129. AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
  130. ServiceLocator ::= SEQUENCE {
  131. issuer Name,
  132. locator AuthorityInfoAccessSyntax }
  133. -- Object Identifiers
  134. id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
  135. id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
  136. id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
  137. id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
  138. id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
  139. id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
  140. id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
  141. id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
  142. id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
  143. */
  144. /* Request Structures */
  145. DECLARE_STACK_OF(Request)
  146. typedef struct {
  147. ASN1_INTEGER *version;
  148. GENERAL_NAME *requestorName;
  149. STACK_OF(Request) *requestList;
  150. STACK_OF(X509_EXTENSION) *requestExtensions;
  151. } TBSRequest;
  152. typedef struct {
  153. X509_ALGOR *signatureAlgorithm;
  154. ASN1_BIT_STRING *signature;
  155. STACK_OF(X509) *certs;
  156. } Signature;
  157. typedef struct {
  158. TBSRequest *tbsRequest;
  159. Signature *optionalSignature;
  160. } OCSPRequest;
  161. typedef struct {
  162. X509_ALGOR *hashAlgorithm;
  163. ASN1_OCTET_STRING *issuerNameHash;
  164. ASN1_OCTET_STRING *issuerKeyHash;
  165. ASN1_INTEGER *certificateSerialNumber;
  166. } CertID;
  167. typedef struct {
  168. CertID *reqCert;
  169. STACK_OF(X509_EXTENSION) *singleRequestExtensions;
  170. } Request;
  171. /* Response structures */
  172. typedef struct {
  173. ASN1_OBJECT *responseType;
  174. ASN1_OCTET_STRING *response;
  175. } ResponseBytes;
  176. typedef struct {
  177. ASN1_ENUMERATED *responseStatus;
  178. ResponseBytes *responseBytes;
  179. } OCSPResponse;
  180. typedef struct {
  181. int type;
  182. union {
  183. X509_NAME *byName;
  184. ASN1_OCTET_STRING *byKey;
  185. }d;
  186. } ResponderID;
  187. typedef struct {
  188. ASN1_INTEGER *version;
  189. ResponderID *responderID;
  190. ASN1_GENERALIZEDTIME *producedAt;
  191. STACK_OF(SingleResponse) *responses;
  192. STACK_OF(X509_EXTENSION) *responseExtensions;
  193. } ResponseData;
  194. typedef struct {
  195. ResponseData *tbsResponseData;
  196. X509_ALGOR *signatureAlgorithm;
  197. ASN1_BIT_STRING *signature;
  198. STACK_OF(X509) *certs;
  199. } BasicOCSPResponse;
  200. typedef struct {
  201. ASN1_GENERALIZEDTIME *revocationTime;
  202. ASN1_ENUMERATED * revocationReason;
  203. } RevokedInfo;
  204. typedef struct {
  205. int type;
  206. union {
  207. ASN1_NULL *good;
  208. RevokedInfo *revoked;
  209. ASN1_NULL *unknown;
  210. } d;
  211. } CertStatus;
  212. typedef struct {
  213. CertID *certID;
  214. CertStatus *certStatus;
  215. ASN1_GENERALIZEDTIME *thisUpdate;
  216. ASN1_GENERALIZEDTIME *nextUpdate;
  217. STACK_OF(X509_EXTENSION) *singleExtensions;
  218. } SingleResponse;
  219. typedef struct {
  220. X509_NAME *issuer;
  221. STACK_OF(ACCESS_DESCRIPTION) *locator;
  222. } ServiceLocator;
  223. /* Now the ASN1 templates */
  224. IMPLEMENT_COMPAT_ASN1(X509);
  225. IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
  226. //IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
  227. IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
  228. IMPLEMENT_COMPAT_ASN1(X509_NAME);
  229. ASN1_SEQUENCE(X509_EXTENSION) = {
  230. ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
  231. ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
  232. ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
  233. } ASN1_SEQUENCE_END(X509_EXTENSION);
  234. ASN1_SEQUENCE(Signature) = {
  235. ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
  236. ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
  237. ASN1_SEQUENCE_OF(Signature, certs, X509)
  238. } ASN1_SEQUENCE_END(Signature);
  239. ASN1_SEQUENCE(CertID) = {
  240. ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
  241. ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
  242. ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
  243. ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
  244. } ASN1_SEQUENCE_END(CertID);
  245. ASN1_SEQUENCE(Request) = {
  246. ASN1_SIMPLE(Request, reqCert, CertID),
  247. ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
  248. } ASN1_SEQUENCE_END(Request);
  249. ASN1_SEQUENCE(TBSRequest) = {
  250. ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
  251. ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
  252. ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
  253. ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
  254. } ASN1_SEQUENCE_END(TBSRequest);
  255. ASN1_SEQUENCE(OCSPRequest) = {
  256. ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
  257. ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
  258. } ASN1_SEQUENCE_END(OCSPRequest);
  259. /* Response templates */
  260. ASN1_SEQUENCE(ResponseBytes) = {
  261. ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
  262. ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
  263. } ASN1_SEQUENCE_END(ResponseBytes);
  264. ASN1_SEQUENCE(OCSPResponse) = {
  265. ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
  266. ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
  267. } ASN1_SEQUENCE_END(OCSPResponse);
  268. ASN1_CHOICE(ResponderID) = {
  269. ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
  270. ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
  271. } ASN1_CHOICE_END(ResponderID);
  272. ASN1_SEQUENCE(RevokedInfo) = {
  273. ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
  274. ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
  275. } ASN1_SEQUENCE_END(RevokedInfo);
  276. ASN1_CHOICE(CertStatus) = {
  277. ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
  278. ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
  279. ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
  280. } ASN1_CHOICE_END(CertStatus);
  281. ASN1_SEQUENCE(SingleResponse) = {
  282. ASN1_SIMPLE(SingleResponse, certID, CertID),
  283. ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
  284. ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
  285. ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
  286. ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
  287. } ASN1_SEQUENCE_END(SingleResponse);
  288. ASN1_SEQUENCE(ResponseData) = {
  289. ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
  290. ASN1_SIMPLE(ResponseData, responderID, ResponderID),
  291. ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
  292. ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
  293. ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
  294. } ASN1_SEQUENCE_END(ResponseData);
  295. ASN1_SEQUENCE(BasicOCSPResponse) = {
  296. ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
  297. ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
  298. ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
  299. ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
  300. } ASN1_SEQUENCE_END(BasicOCSPResponse);