3 * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
8 * History: This file was transfered to Richard Levitte from CertCo by Kathy
9 * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
13 /* ====================================================================
14 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in
25 * the documentation and/or other materials provided with the
28 * 3. All advertising materials mentioning features or use of this
29 * software must display the following acknowledgment:
30 * "This product includes software developed by the OpenSSL Project
31 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
33 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
34 * endorse or promote products derived from this software without
35 * prior written permission. For written permission, please contact
36 * openssl-core@openssl.org.
38 * 5. Products derived from this software may not be called "OpenSSL"
39 * nor may "OpenSSL" appear in their names without prior written
40 * permission of the OpenSSL Project.
42 * 6. Redistributions of any form whatsoever must retain the following
44 * "This product includes software developed by the OpenSSL Project
45 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
47 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
48 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
50 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
51 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
52 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
53 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
54 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
56 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
57 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
58 * OF THE POSSIBILITY OF SUCH DAMAGE.
59 * ====================================================================
61 * This product includes cryptographic software written by Eric Young
62 * (eay@cryptsoft.com). This product includes software written by Tim
63 * Hudson (tjh@cryptsoft.com).
67 /*- CertID ::= SEQUENCE {
68 * hashAlgorithm AlgorithmIdentifier,
69 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
70 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
71 * serialNumber CertificateSerialNumber }
73 struct ocsp_cert_id_st {
74 X509_ALGOR hashAlgorithm;
75 ASN1_OCTET_STRING issuerNameHash;
76 ASN1_OCTET_STRING issuerKeyHash;
77 ASN1_INTEGER serialNumber;
80 /*- Request ::= SEQUENCE {
82 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
84 struct ocsp_one_request_st {
86 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
89 /*- TBSRequest ::= SEQUENCE {
90 * version [0] EXPLICIT Version DEFAULT v1,
91 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
92 * requestList SEQUENCE OF Request,
93 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
95 struct ocsp_req_info_st {
96 ASN1_INTEGER *version;
97 GENERAL_NAME *requestorName;
98 STACK_OF(OCSP_ONEREQ) *requestList;
99 STACK_OF(X509_EXTENSION) *requestExtensions;
102 /*- Signature ::= SEQUENCE {
103 * signatureAlgorithm AlgorithmIdentifier,
104 * signature BIT STRING,
105 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
107 struct ocsp_signature_st {
108 X509_ALGOR signatureAlgorithm;
109 ASN1_BIT_STRING *signature;
110 STACK_OF(X509) *certs;
113 /*- OCSPRequest ::= SEQUENCE {
114 * tbsRequest TBSRequest,
115 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
117 struct ocsp_request_st {
118 OCSP_REQINFO tbsRequest;
119 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
122 /*- OCSPResponseStatus ::= ENUMERATED {
123 * successful (0), --Response has valid confirmations
124 * malformedRequest (1), --Illegal confirmation request
125 * internalError (2), --Internal error in issuer
126 * tryLater (3), --Try again later
128 * sigRequired (5), --Must sign the request
129 * unauthorized (6) --Request unauthorized
133 /*- ResponseBytes ::= SEQUENCE {
134 * responseType OBJECT IDENTIFIER,
135 * response OCTET STRING }
137 struct ocsp_resp_bytes_st {
138 ASN1_OBJECT *responseType;
139 ASN1_OCTET_STRING *response;
142 /*- OCSPResponse ::= SEQUENCE {
143 * responseStatus OCSPResponseStatus,
144 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
146 struct ocsp_response_st {
147 ASN1_ENUMERATED *responseStatus;
148 OCSP_RESPBYTES *responseBytes;
151 /*- ResponderID ::= CHOICE {
153 * byKey [2] KeyHash }
155 struct ocsp_responder_id_st {
159 ASN1_OCTET_STRING *byKey;
163 /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
164 * --(excluding the tag and length fields)
167 /*- RevokedInfo ::= SEQUENCE {
168 * revocationTime GeneralizedTime,
169 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
171 struct ocsp_revoked_info_st {
172 ASN1_GENERALIZEDTIME *revocationTime;
173 ASN1_ENUMERATED *revocationReason;
176 /*- CertStatus ::= CHOICE {
177 * good [0] IMPLICIT NULL,
178 * revoked [1] IMPLICIT RevokedInfo,
179 * unknown [2] IMPLICIT UnknownInfo }
181 struct ocsp_cert_status_st {
185 OCSP_REVOKEDINFO *revoked;
190 /*- SingleResponse ::= SEQUENCE {
192 * certStatus CertStatus,
193 * thisUpdate GeneralizedTime,
194 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
195 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
197 struct ocsp_single_response_st {
199 OCSP_CERTSTATUS *certStatus;
200 ASN1_GENERALIZEDTIME *thisUpdate;
201 ASN1_GENERALIZEDTIME *nextUpdate;
202 STACK_OF(X509_EXTENSION) *singleExtensions;
205 /*- ResponseData ::= SEQUENCE {
206 * version [0] EXPLICIT Version DEFAULT v1,
207 * responderID ResponderID,
208 * producedAt GeneralizedTime,
209 * responses SEQUENCE OF SingleResponse,
210 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
212 struct ocsp_response_data_st {
213 ASN1_INTEGER *version;
214 OCSP_RESPID responderId;
215 ASN1_GENERALIZEDTIME *producedAt;
216 STACK_OF(OCSP_SINGLERESP) *responses;
217 STACK_OF(X509_EXTENSION) *responseExtensions;
220 /*- BasicOCSPResponse ::= SEQUENCE {
221 * tbsResponseData ResponseData,
222 * signatureAlgorithm AlgorithmIdentifier,
223 * signature BIT STRING,
224 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
227 * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
228 * follows: "The value for the signature SHALL be computed on the hash of
229 * the DER encoding ResponseData." This means that you must hash the
230 * DER-encoded tbsResponseData, and then run it through a crypto-signing
231 * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
232 * operation. This seems a bit odd, but that's the spec. Also note that
233 * the data structures do not leave anywhere to independently specify the
234 * algorithm used for the initial hash. So, we look at the
235 * signature-specification algorithm, and try to do something intelligent.
236 * -- Kathy Weinhold, CertCo
239 * Note 2: It seems that the mentioned passage from RFC 2560 (section
240 * 4.2.1) is open for interpretation. I've done tests against another
241 * responder, and found that it doesn't do the double hashing that the RFC
242 * seems to say one should. Therefore, all relevant functions take a flag
243 * saying which variant should be used. -- Richard Levitte, OpenSSL team
246 struct ocsp_basic_response_st {
247 OCSP_RESPDATA tbsResponseData;
248 X509_ALGOR signatureAlgorithm;
249 ASN1_BIT_STRING *signature;
250 STACK_OF(X509) *certs;
254 * CrlID ::= SEQUENCE {
255 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
256 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
257 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
259 struct ocsp_crl_id_st {
260 ASN1_IA5STRING *crlUrl;
261 ASN1_INTEGER *crlNum;
262 ASN1_GENERALIZEDTIME *crlTime;
266 * ServiceLocator ::= SEQUENCE {
268 * locator AuthorityInfoAccessSyntax OPTIONAL }
270 struct ocsp_service_locator_st {
272 STACK_OF(ACCESS_DESCRIPTION) *locator;