ocsp_local.h 8.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236
  1. /*
  2. * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*- CertID ::= SEQUENCE {
  10. * hashAlgorithm AlgorithmIdentifier,
  11. * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
  12. * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
  13. * serialNumber CertificateSerialNumber }
  14. */
  15. struct ocsp_cert_id_st {
  16. X509_ALGOR hashAlgorithm;
  17. ASN1_OCTET_STRING issuerNameHash;
  18. ASN1_OCTET_STRING issuerKeyHash;
  19. ASN1_INTEGER serialNumber;
  20. };
  21. /*- Request ::= SEQUENCE {
  22. * reqCert CertID,
  23. * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
  24. */
  25. struct ocsp_one_request_st {
  26. OCSP_CERTID *reqCert;
  27. STACK_OF(X509_EXTENSION) *singleRequestExtensions;
  28. };
  29. /*- TBSRequest ::= SEQUENCE {
  30. * version [0] EXPLICIT Version DEFAULT v1,
  31. * requestorName [1] EXPLICIT GeneralName OPTIONAL,
  32. * requestList SEQUENCE OF Request,
  33. * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
  34. */
  35. struct ocsp_req_info_st {
  36. ASN1_INTEGER *version;
  37. GENERAL_NAME *requestorName;
  38. STACK_OF(OCSP_ONEREQ) *requestList;
  39. STACK_OF(X509_EXTENSION) *requestExtensions;
  40. };
  41. /*- Signature ::= SEQUENCE {
  42. * signatureAlgorithm AlgorithmIdentifier,
  43. * signature BIT STRING,
  44. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  45. */
  46. struct ocsp_signature_st {
  47. X509_ALGOR signatureAlgorithm;
  48. ASN1_BIT_STRING *signature;
  49. STACK_OF(X509) *certs;
  50. };
  51. /*- OCSPRequest ::= SEQUENCE {
  52. * tbsRequest TBSRequest,
  53. * optionalSignature [0] EXPLICIT Signature OPTIONAL }
  54. */
  55. struct ocsp_request_st {
  56. OCSP_REQINFO tbsRequest;
  57. OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
  58. };
  59. /*- OCSPResponseStatus ::= ENUMERATED {
  60. * successful (0), --Response has valid confirmations
  61. * malformedRequest (1), --Illegal confirmation request
  62. * internalError (2), --Internal error in issuer
  63. * tryLater (3), --Try again later
  64. * --(4) is not used
  65. * sigRequired (5), --Must sign the request
  66. * unauthorized (6) --Request unauthorized
  67. * }
  68. */
  69. /*- ResponseBytes ::= SEQUENCE {
  70. * responseType OBJECT IDENTIFIER,
  71. * response OCTET STRING }
  72. */
  73. struct ocsp_resp_bytes_st {
  74. ASN1_OBJECT *responseType;
  75. ASN1_OCTET_STRING *response;
  76. };
  77. /*- OCSPResponse ::= SEQUENCE {
  78. * responseStatus OCSPResponseStatus,
  79. * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
  80. */
  81. struct ocsp_response_st {
  82. ASN1_ENUMERATED *responseStatus;
  83. OCSP_RESPBYTES *responseBytes;
  84. };
  85. /*- ResponderID ::= CHOICE {
  86. * byName [1] Name,
  87. * byKey [2] KeyHash }
  88. */
  89. struct ocsp_responder_id_st {
  90. int type;
  91. union {
  92. X509_NAME *byName;
  93. ASN1_OCTET_STRING *byKey;
  94. } value;
  95. };
  96. /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  97. * --(excluding the tag and length fields)
  98. */
  99. /*- RevokedInfo ::= SEQUENCE {
  100. * revocationTime GeneralizedTime,
  101. * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
  102. */
  103. struct ocsp_revoked_info_st {
  104. ASN1_GENERALIZEDTIME *revocationTime;
  105. ASN1_ENUMERATED *revocationReason;
  106. };
  107. /*- CertStatus ::= CHOICE {
  108. * good [0] IMPLICIT NULL,
  109. * revoked [1] IMPLICIT RevokedInfo,
  110. * unknown [2] IMPLICIT UnknownInfo }
  111. */
  112. struct ocsp_cert_status_st {
  113. int type;
  114. union {
  115. ASN1_NULL *good;
  116. OCSP_REVOKEDINFO *revoked;
  117. ASN1_NULL *unknown;
  118. } value;
  119. };
  120. /*- SingleResponse ::= SEQUENCE {
  121. * certID CertID,
  122. * certStatus CertStatus,
  123. * thisUpdate GeneralizedTime,
  124. * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
  125. * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
  126. */
  127. struct ocsp_single_response_st {
  128. OCSP_CERTID *certId;
  129. OCSP_CERTSTATUS *certStatus;
  130. ASN1_GENERALIZEDTIME *thisUpdate;
  131. ASN1_GENERALIZEDTIME *nextUpdate;
  132. STACK_OF(X509_EXTENSION) *singleExtensions;
  133. };
  134. /*- ResponseData ::= SEQUENCE {
  135. * version [0] EXPLICIT Version DEFAULT v1,
  136. * responderID ResponderID,
  137. * producedAt GeneralizedTime,
  138. * responses SEQUENCE OF SingleResponse,
  139. * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
  140. */
  141. struct ocsp_response_data_st {
  142. ASN1_INTEGER *version;
  143. OCSP_RESPID responderId;
  144. ASN1_GENERALIZEDTIME *producedAt;
  145. STACK_OF(OCSP_SINGLERESP) *responses;
  146. STACK_OF(X509_EXTENSION) *responseExtensions;
  147. };
  148. /*- BasicOCSPResponse ::= SEQUENCE {
  149. * tbsResponseData ResponseData,
  150. * signatureAlgorithm AlgorithmIdentifier,
  151. * signature BIT STRING,
  152. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  153. */
  154. /*
  155. * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
  156. * follows: "The value for the signature SHALL be computed on the hash of
  157. * the DER encoding ResponseData." This means that you must hash the
  158. * DER-encoded tbsResponseData, and then run it through a crypto-signing
  159. * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
  160. * operation. This seems a bit odd, but that's the spec. Also note that
  161. * the data structures do not leave anywhere to independently specify the
  162. * algorithm used for the initial hash. So, we look at the
  163. * signature-specification algorithm, and try to do something intelligent.
  164. * -- Kathy Weinhold, CertCo
  165. */
  166. /*
  167. * Note 2: It seems that the mentioned passage from RFC 2560 (section
  168. * 4.2.1) is open for interpretation. I've done tests against another
  169. * responder, and found that it doesn't do the double hashing that the RFC
  170. * seems to say one should. Therefore, all relevant functions take a flag
  171. * saying which variant should be used. -- Richard Levitte, OpenSSL team
  172. * and CeloCom
  173. */
  174. struct ocsp_basic_response_st {
  175. OCSP_RESPDATA tbsResponseData;
  176. X509_ALGOR signatureAlgorithm;
  177. ASN1_BIT_STRING *signature;
  178. STACK_OF(X509) *certs;
  179. };
  180. /*-
  181. * CrlID ::= SEQUENCE {
  182. * crlUrl [0] EXPLICIT IA5String OPTIONAL,
  183. * crlNum [1] EXPLICIT INTEGER OPTIONAL,
  184. * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
  185. */
  186. struct ocsp_crl_id_st {
  187. ASN1_IA5STRING *crlUrl;
  188. ASN1_INTEGER *crlNum;
  189. ASN1_GENERALIZEDTIME *crlTime;
  190. };
  191. /*-
  192. * ServiceLocator ::= SEQUENCE {
  193. * issuer Name,
  194. * locator AuthorityInfoAccessSyntax OPTIONAL }
  195. */
  196. struct ocsp_service_locator_st {
  197. X509_NAME *issuer;
  198. STACK_OF(ACCESS_DESCRIPTION) *locator;
  199. };
  200. # define OCSP_REQUEST_sign(o,pkey,md) \
  201. ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
  202. &(o)->optionalSignature->signatureAlgorithm,NULL,\
  203. (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
  204. # define OCSP_BASICRESP_sign(o,pkey,md,d) \
  205. ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
  206. NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
  207. # define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
  208. ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
  209. NULL,(o)->signature,&(o)->tbsResponseData,ctx)
  210. # define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
  211. &(a)->optionalSignature->signatureAlgorithm,\
  212. (a)->optionalSignature->signature,&(a)->tbsRequest,r)
  213. # define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
  214. &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)