2 * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
7 * History: This file was transferred to Richard Levitte from CertCo by Kathy
8 * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
12 /* ====================================================================
13 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * openssl-core@openssl.org.
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
41 * 6. Redistributions of any form whatsoever must retain the following
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
66 /*- CertID ::= SEQUENCE {
67 * hashAlgorithm AlgorithmIdentifier,
68 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
69 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
70 * serialNumber CertificateSerialNumber }
72 struct ocsp_cert_id_st {
73 X509_ALGOR hashAlgorithm;
74 ASN1_OCTET_STRING issuerNameHash;
75 ASN1_OCTET_STRING issuerKeyHash;
76 ASN1_INTEGER serialNumber;
79 /*- Request ::= SEQUENCE {
81 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
83 struct ocsp_one_request_st {
85 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
88 /*- TBSRequest ::= SEQUENCE {
89 * version [0] EXPLICIT Version DEFAULT v1,
90 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
91 * requestList SEQUENCE OF Request,
92 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
94 struct ocsp_req_info_st {
95 ASN1_INTEGER *version;
96 GENERAL_NAME *requestorName;
97 STACK_OF(OCSP_ONEREQ) *requestList;
98 STACK_OF(X509_EXTENSION) *requestExtensions;
101 /*- Signature ::= SEQUENCE {
102 * signatureAlgorithm AlgorithmIdentifier,
103 * signature BIT STRING,
104 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
106 struct ocsp_signature_st {
107 X509_ALGOR signatureAlgorithm;
108 ASN1_BIT_STRING *signature;
109 STACK_OF(X509) *certs;
112 /*- OCSPRequest ::= SEQUENCE {
113 * tbsRequest TBSRequest,
114 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
116 struct ocsp_request_st {
117 OCSP_REQINFO tbsRequest;
118 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
121 /*- OCSPResponseStatus ::= ENUMERATED {
122 * successful (0), --Response has valid confirmations
123 * malformedRequest (1), --Illegal confirmation request
124 * internalError (2), --Internal error in issuer
125 * tryLater (3), --Try again later
127 * sigRequired (5), --Must sign the request
128 * unauthorized (6) --Request unauthorized
132 /*- ResponseBytes ::= SEQUENCE {
133 * responseType OBJECT IDENTIFIER,
134 * response OCTET STRING }
136 struct ocsp_resp_bytes_st {
137 ASN1_OBJECT *responseType;
138 ASN1_OCTET_STRING *response;
141 /*- OCSPResponse ::= SEQUENCE {
142 * responseStatus OCSPResponseStatus,
143 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
145 struct ocsp_response_st {
146 ASN1_ENUMERATED *responseStatus;
147 OCSP_RESPBYTES *responseBytes;
150 /*- ResponderID ::= CHOICE {
152 * byKey [2] KeyHash }
154 struct ocsp_responder_id_st {
158 ASN1_OCTET_STRING *byKey;
162 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
163 * --(excluding the tag and length fields)
166 /*- RevokedInfo ::= SEQUENCE {
167 * revocationTime GeneralizedTime,
168 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
170 struct ocsp_revoked_info_st {
171 ASN1_GENERALIZEDTIME *revocationTime;
172 ASN1_ENUMERATED *revocationReason;
175 /*- CertStatus ::= CHOICE {
176 * good [0] IMPLICIT NULL,
177 * revoked [1] IMPLICIT RevokedInfo,
178 * unknown [2] IMPLICIT UnknownInfo }
180 struct ocsp_cert_status_st {
184 OCSP_REVOKEDINFO *revoked;
189 /*- SingleResponse ::= SEQUENCE {
191 * certStatus CertStatus,
192 * thisUpdate GeneralizedTime,
193 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
194 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
196 struct ocsp_single_response_st {
198 OCSP_CERTSTATUS *certStatus;
199 ASN1_GENERALIZEDTIME *thisUpdate;
200 ASN1_GENERALIZEDTIME *nextUpdate;
201 STACK_OF(X509_EXTENSION) *singleExtensions;
204 /*- ResponseData ::= SEQUENCE {
205 * version [0] EXPLICIT Version DEFAULT v1,
206 * responderID ResponderID,
207 * producedAt GeneralizedTime,
208 * responses SEQUENCE OF SingleResponse,
209 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
211 struct ocsp_response_data_st {
212 ASN1_INTEGER *version;
213 OCSP_RESPID responderId;
214 ASN1_GENERALIZEDTIME *producedAt;
215 STACK_OF(OCSP_SINGLERESP) *responses;
216 STACK_OF(X509_EXTENSION) *responseExtensions;
219 /*- BasicOCSPResponse ::= SEQUENCE {
220 * tbsResponseData ResponseData,
221 * signatureAlgorithm AlgorithmIdentifier,
222 * signature BIT STRING,
223 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
226 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
227 * follows: "The value for the signature SHALL be computed on the hash of
228 * the DER encoding ResponseData." This means that you must hash the
229 * DER-encoded tbsResponseData, and then run it through a crypto-signing
230 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
231 * operation. This seems a bit odd, but that's the spec. Also note that
232 * the data structures do not leave anywhere to independently specify the
233 * algorithm used for the initial hash. So, we look at the
234 * signature-specification algorithm, and try to do something intelligent.
235 * -- Kathy Weinhold, CertCo
238 * Note 2: It seems that the mentioned passage from RFC 2560 (section
239 * 4.2.1) is open for interpretation. I've done tests against another
240 * responder, and found that it doesn't do the double hashing that the RFC
241 * seems to say one should. Therefore, all relevant functions take a flag
242 * saying which variant should be used. -- Richard Levitte, OpenSSL team
245 struct ocsp_basic_response_st {
246 OCSP_RESPDATA tbsResponseData;
247 X509_ALGOR signatureAlgorithm;
248 ASN1_BIT_STRING *signature;
249 STACK_OF(X509) *certs;
253 * CrlID ::= SEQUENCE {
254 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
255 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
256 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
258 struct ocsp_crl_id_st {
259 ASN1_IA5STRING *crlUrl;
260 ASN1_INTEGER *crlNum;
261 ASN1_GENERALIZEDTIME *crlTime;
265 * ServiceLocator ::= SEQUENCE {
267 * locator AuthorityInfoAccessSyntax OPTIONAL }
269 struct ocsp_service_locator_st {
271 STACK_OF(ACCESS_DESCRIPTION) *locator;