2
0

ocsp_local.h 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246
  1. /*
  2. * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
  10. /*- CertID ::= SEQUENCE {
  11. * hashAlgorithm AlgorithmIdentifier,
  12. * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
  13. * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
  14. * serialNumber CertificateSerialNumber }
  15. */
  16. struct ocsp_cert_id_st {
  17. X509_ALGOR hashAlgorithm;
  18. ASN1_OCTET_STRING issuerNameHash;
  19. ASN1_OCTET_STRING issuerKeyHash;
  20. ASN1_INTEGER serialNumber;
  21. };
  22. /*- Request ::= SEQUENCE {
  23. * reqCert CertID,
  24. * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
  25. */
  26. struct ocsp_one_request_st {
  27. OCSP_CERTID *reqCert;
  28. STACK_OF(X509_EXTENSION) *singleRequestExtensions;
  29. };
  30. /*- TBSRequest ::= SEQUENCE {
  31. * version [0] EXPLICIT Version DEFAULT v1,
  32. * requestorName [1] EXPLICIT GeneralName OPTIONAL,
  33. * requestList SEQUENCE OF Request,
  34. * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
  35. */
  36. struct ocsp_req_info_st {
  37. ASN1_INTEGER *version;
  38. GENERAL_NAME *requestorName;
  39. STACK_OF(OCSP_ONEREQ) *requestList;
  40. STACK_OF(X509_EXTENSION) *requestExtensions;
  41. };
  42. /*- Signature ::= SEQUENCE {
  43. * signatureAlgorithm AlgorithmIdentifier,
  44. * signature BIT STRING,
  45. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  46. */
  47. struct ocsp_signature_st {
  48. X509_ALGOR signatureAlgorithm;
  49. ASN1_BIT_STRING *signature;
  50. STACK_OF(X509) *certs;
  51. };
  52. /*- OCSPRequest ::= SEQUENCE {
  53. * tbsRequest TBSRequest,
  54. * optionalSignature [0] EXPLICIT Signature OPTIONAL }
  55. */
  56. struct ocsp_request_st {
  57. OCSP_REQINFO tbsRequest;
  58. OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
  59. };
  60. /*- OCSPResponseStatus ::= ENUMERATED {
  61. * successful (0), --Response has valid confirmations
  62. * malformedRequest (1), --Illegal confirmation request
  63. * internalError (2), --Internal error in issuer
  64. * tryLater (3), --Try again later
  65. * --(4) is not used
  66. * sigRequired (5), --Must sign the request
  67. * unauthorized (6) --Request unauthorized
  68. * }
  69. */
  70. /*- ResponseBytes ::= SEQUENCE {
  71. * responseType OBJECT IDENTIFIER,
  72. * response OCTET STRING }
  73. */
  74. struct ocsp_resp_bytes_st {
  75. ASN1_OBJECT *responseType;
  76. ASN1_OCTET_STRING *response;
  77. };
  78. /*- OCSPResponse ::= SEQUENCE {
  79. * responseStatus OCSPResponseStatus,
  80. * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
  81. */
  82. struct ocsp_response_st {
  83. ASN1_ENUMERATED *responseStatus;
  84. OCSP_RESPBYTES *responseBytes;
  85. };
  86. /*- ResponderID ::= CHOICE {
  87. * byName [1] Name,
  88. * byKey [2] KeyHash }
  89. */
  90. struct ocsp_responder_id_st {
  91. int type;
  92. union {
  93. X509_NAME *byName;
  94. ASN1_OCTET_STRING *byKey;
  95. } value;
  96. };
  97. /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  98. * --(excluding the tag and length fields)
  99. */
  100. /*- RevokedInfo ::= SEQUENCE {
  101. * revocationTime GeneralizedTime,
  102. * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
  103. */
  104. struct ocsp_revoked_info_st {
  105. ASN1_GENERALIZEDTIME *revocationTime;
  106. ASN1_ENUMERATED *revocationReason;
  107. };
  108. /*- CertStatus ::= CHOICE {
  109. * good [0] IMPLICIT NULL,
  110. * revoked [1] IMPLICIT RevokedInfo,
  111. * unknown [2] IMPLICIT UnknownInfo }
  112. */
  113. struct ocsp_cert_status_st {
  114. int type;
  115. union {
  116. ASN1_NULL *good;
  117. OCSP_REVOKEDINFO *revoked;
  118. ASN1_NULL *unknown;
  119. } value;
  120. };
  121. /*- SingleResponse ::= SEQUENCE {
  122. * certID CertID,
  123. * certStatus CertStatus,
  124. * thisUpdate GeneralizedTime,
  125. * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
  126. * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
  127. */
  128. struct ocsp_single_response_st {
  129. OCSP_CERTID *certId;
  130. OCSP_CERTSTATUS *certStatus;
  131. ASN1_GENERALIZEDTIME *thisUpdate;
  132. ASN1_GENERALIZEDTIME *nextUpdate;
  133. STACK_OF(X509_EXTENSION) *singleExtensions;
  134. };
  135. /*- ResponseData ::= SEQUENCE {
  136. * version [0] EXPLICIT Version DEFAULT v1,
  137. * responderID ResponderID,
  138. * producedAt GeneralizedTime,
  139. * responses SEQUENCE OF SingleResponse,
  140. * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
  141. */
  142. struct ocsp_response_data_st {
  143. ASN1_INTEGER *version;
  144. OCSP_RESPID responderId;
  145. ASN1_GENERALIZEDTIME *producedAt;
  146. STACK_OF(OCSP_SINGLERESP) *responses;
  147. STACK_OF(X509_EXTENSION) *responseExtensions;
  148. };
  149. /*- BasicOCSPResponse ::= SEQUENCE {
  150. * tbsResponseData ResponseData,
  151. * signatureAlgorithm AlgorithmIdentifier,
  152. * signature BIT STRING,
  153. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  154. */
  155. /*
  156. * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
  157. * follows: "The value for the signature SHALL be computed on the hash of
  158. * the DER encoding ResponseData." This means that you must hash the
  159. * DER-encoded tbsResponseData, and then run it through a crypto-signing
  160. * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
  161. * operation. This seems a bit odd, but that's the spec. Also note that
  162. * the data structures do not leave anywhere to independently specify the
  163. * algorithm used for the initial hash. So, we look at the
  164. * signature-specification algorithm, and try to do something intelligent.
  165. * -- Kathy Weinhold, CertCo
  166. */
  167. /*
  168. * Note 2: It seems that the mentioned passage from RFC 2560 (section
  169. * 4.2.1) is open for interpretation. I've done tests against another
  170. * responder, and found that it doesn't do the double hashing that the RFC
  171. * seems to say one should. Therefore, all relevant functions take a flag
  172. * saying which variant should be used. -- Richard Levitte, OpenSSL team
  173. * and CeloCom
  174. */
  175. struct ocsp_basic_response_st {
  176. OCSP_RESPDATA tbsResponseData;
  177. X509_ALGOR signatureAlgorithm;
  178. ASN1_BIT_STRING *signature;
  179. STACK_OF(X509) *certs;
  180. };
  181. /*-
  182. * CrlID ::= SEQUENCE {
  183. * crlUrl [0] EXPLICIT IA5String OPTIONAL,
  184. * crlNum [1] EXPLICIT INTEGER OPTIONAL,
  185. * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
  186. */
  187. struct ocsp_crl_id_st {
  188. ASN1_IA5STRING *crlUrl;
  189. ASN1_INTEGER *crlNum;
  190. ASN1_GENERALIZEDTIME *crlTime;
  191. };
  192. /*-
  193. * ServiceLocator ::= SEQUENCE {
  194. * issuer Name,
  195. * locator AuthorityInfoAccessSyntax OPTIONAL }
  196. */
  197. struct ocsp_service_locator_st {
  198. X509_NAME *issuer;
  199. STACK_OF(ACCESS_DESCRIPTION) *locator;
  200. };
  201. # define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
  202. ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
  203. &(o)->optionalSignature->signatureAlgorithm, NULL,\
  204. (o)->optionalSignature->signature, &(o)->tbsRequest,\
  205. NULL, pkey, md, libctx, propq)
  206. # define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
  207. ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
  208. &(o)->signatureAlgorithm, NULL,\
  209. (o)->signature, &(o)->tbsResponseData,\
  210. NULL, pkey, md, libctx, propq)
  211. # define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
  212. ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
  213. &(o)->signatureAlgorithm, NULL,\
  214. (o)->signature, &(o)->tbsResponseData, ctx)
  215. # define OCSP_REQUEST_verify(a, r, libctx, propq)\
  216. ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
  217. &(a)->optionalSignature->signatureAlgorithm,\
  218. (a)->optionalSignature->signature, &(a)->tbsRequest,\
  219. NULL, r, libctx, propq)
  220. # define OCSP_BASICRESP_verify(a, r, libctx, propq)\
  221. ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
  222. &(a)->signatureAlgorithm, (a)->signature,\
  223. &(a)->tbsResponseData, NULL, r, libctx, propq)