2 * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /*- CertID ::= SEQUENCE {
11 * hashAlgorithm AlgorithmIdentifier,
12 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
13 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
14 * serialNumber CertificateSerialNumber }
16 struct ocsp_cert_id_st {
17 X509_ALGOR hashAlgorithm;
18 ASN1_OCTET_STRING issuerNameHash;
19 ASN1_OCTET_STRING issuerKeyHash;
20 ASN1_INTEGER serialNumber;
23 /*- Request ::= SEQUENCE {
25 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
27 struct ocsp_one_request_st {
29 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
32 /*- TBSRequest ::= SEQUENCE {
33 * version [0] EXPLICIT Version DEFAULT v1,
34 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
35 * requestList SEQUENCE OF Request,
36 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
38 struct ocsp_req_info_st {
39 ASN1_INTEGER *version;
40 GENERAL_NAME *requestorName;
41 STACK_OF(OCSP_ONEREQ) *requestList;
42 STACK_OF(X509_EXTENSION) *requestExtensions;
45 /*- Signature ::= SEQUENCE {
46 * signatureAlgorithm AlgorithmIdentifier,
47 * signature BIT STRING,
48 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
50 struct ocsp_signature_st {
51 X509_ALGOR signatureAlgorithm;
52 ASN1_BIT_STRING *signature;
53 STACK_OF(X509) *certs;
56 /*- OCSPRequest ::= SEQUENCE {
57 * tbsRequest TBSRequest,
58 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
60 struct ocsp_request_st {
61 OCSP_REQINFO tbsRequest;
62 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
65 /*- OCSPResponseStatus ::= ENUMERATED {
66 * successful (0), --Response has valid confirmations
67 * malformedRequest (1), --Illegal confirmation request
68 * internalError (2), --Internal error in issuer
69 * tryLater (3), --Try again later
71 * sigRequired (5), --Must sign the request
72 * unauthorized (6) --Request unauthorized
76 /*- ResponseBytes ::= SEQUENCE {
77 * responseType OBJECT IDENTIFIER,
78 * response OCTET STRING }
80 struct ocsp_resp_bytes_st {
81 ASN1_OBJECT *responseType;
82 ASN1_OCTET_STRING *response;
85 /*- OCSPResponse ::= SEQUENCE {
86 * responseStatus OCSPResponseStatus,
87 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
89 struct ocsp_response_st {
90 ASN1_ENUMERATED *responseStatus;
91 OCSP_RESPBYTES *responseBytes;
94 /*- ResponderID ::= CHOICE {
98 struct ocsp_responder_id_st {
102 ASN1_OCTET_STRING *byKey;
106 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
107 * --(excluding the tag and length fields)
110 /*- RevokedInfo ::= SEQUENCE {
111 * revocationTime GeneralizedTime,
112 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
114 struct ocsp_revoked_info_st {
115 ASN1_GENERALIZEDTIME *revocationTime;
116 ASN1_ENUMERATED *revocationReason;
119 /*- CertStatus ::= CHOICE {
120 * good [0] IMPLICIT NULL,
121 * revoked [1] IMPLICIT RevokedInfo,
122 * unknown [2] IMPLICIT UnknownInfo }
124 struct ocsp_cert_status_st {
128 OCSP_REVOKEDINFO *revoked;
133 /*- SingleResponse ::= SEQUENCE {
135 * certStatus CertStatus,
136 * thisUpdate GeneralizedTime,
137 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
138 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
140 struct ocsp_single_response_st {
142 OCSP_CERTSTATUS *certStatus;
143 ASN1_GENERALIZEDTIME *thisUpdate;
144 ASN1_GENERALIZEDTIME *nextUpdate;
145 STACK_OF(X509_EXTENSION) *singleExtensions;
148 /*- ResponseData ::= SEQUENCE {
149 * version [0] EXPLICIT Version DEFAULT v1,
150 * responderID ResponderID,
151 * producedAt GeneralizedTime,
152 * responses SEQUENCE OF SingleResponse,
153 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
155 struct ocsp_response_data_st {
156 ASN1_INTEGER *version;
157 OCSP_RESPID responderId;
158 ASN1_GENERALIZEDTIME *producedAt;
159 STACK_OF(OCSP_SINGLERESP) *responses;
160 STACK_OF(X509_EXTENSION) *responseExtensions;
163 /*- BasicOCSPResponse ::= SEQUENCE {
164 * tbsResponseData ResponseData,
165 * signatureAlgorithm AlgorithmIdentifier,
166 * signature BIT STRING,
167 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
170 * Note 1: The value for "signature" is specified in the OCSP RFC 2560 as
171 * follows: "The value for the signature SHALL be computed on the hash of
172 * the DER encoding ResponseData." This means that you must hash the
173 * DER-encoded tbsResponseData, and then run it through a crypto-signing
174 * function, which will (at least with RSA) do a hash-'n'-private-encrypt
175 * operation. This seems a bit odd, but that's the spec. Also note that
176 * the data structures leave nowhere to independently specify the
177 * algorithm used for the initial hash. So we look at the algorithm named
178 * in the signature specification, and try to do something sensible.
179 * -- Kathy Weinhold, CertCo
182 * Note 2: It seems that the mentioned passage from RFC 2560 (section
183 * 4.2.1) is open for interpretation. I've done tests against another
184 * responder, and found that it doesn't do the double hashing that the RFC
185 * seems to say one should. Therefore, all relevant functions take a flag
186 * saying which variant should be used. -- Richard Levitte, OpenSSL team
189 struct ocsp_basic_response_st {
190 OCSP_RESPDATA tbsResponseData;
191 X509_ALGOR signatureAlgorithm;
192 ASN1_BIT_STRING *signature;
193 STACK_OF(X509) *certs;
197 * CrlID ::= SEQUENCE {
198 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
199 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
200 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
202 struct ocsp_crl_id_st {
203 ASN1_IA5STRING *crlUrl;
204 ASN1_INTEGER *crlNum;
205 ASN1_GENERALIZEDTIME *crlTime;
209 * ServiceLocator ::= SEQUENCE {
211 * locator AuthorityInfoAccessSyntax OPTIONAL }
213 struct ocsp_service_locator_st {
215 STACK_OF(ACCESS_DESCRIPTION) *locator;