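/* $OpenBSD: ocsp_local.h,v 1.2 2022/01/14 08:32:26 tb Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */

/* History:
   This file was transferred to Richard Levitte from CertCo by Kathy
   Weinhold in mid-spring 2000 to be included in OpenSSL or released
   as a patch kit. */

/* ====================================================================
 * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#ifndef HEADER_OCSP_LOCAL_H
#define HEADER_OCSP_LOCAL_H

/*
 * Struct layouts for the OCSP ASN.1 types plus the sign/verify helper
 * macros.  Every struct mirrors the ASN.1 definition quoted directly
 * above it.  Everything here sits between __BEGIN_HIDDEN_DECLS and
 * __END_HIDDEN_DECLS.
 *
 * NOTE(review): fields tagged OPTIONAL in the ASN.1 are presumably NULL
 * when the element is absent from a decoded message -- confirm against
 * the ASN.1 templates.  Code handling messages from a peer should test
 * such pointers before dereferencing them.
 */

__BEGIN_HIDDEN_DECLS

/*   CertID ::= SEQUENCE {
 *       hashAlgorithm            AlgorithmIdentifier,
 *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
 *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
 *       serialNumber       CertificateSerialNumber }
 */
struct ocsp_cert_id_st {
	/*
	 * NOTE(review): the two hash fields are only meaningful together
	 * with hashAlgorithm; code matching CertIDs should presumably
	 * compare the algorithm as well as the digests -- confirm in the
	 * comparison code.
	 */
	X509_ALGOR *hashAlgorithm;
	ASN1_OCTET_STRING *issuerNameHash;
	ASN1_OCTET_STRING *issuerKeyHash;
	ASN1_INTEGER *serialNumber;
} /* OCSP_CERTID */;

/*   Request ::=     SEQUENCE {
 *       reqCert                    CertID,
 *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
 */
struct ocsp_one_request_st {
	OCSP_CERTID *reqCert;
	STACK_OF(X509_EXTENSION) *singleRequestExtensions;	/* OPTIONAL */
} /* OCSP_ONEREQ */;

/*   TBSRequest      ::=     SEQUENCE {
 *       version             [0] EXPLICIT Version DEFAULT v1,
 *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
 *       requestList             SEQUENCE OF Request,
 *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
 */
struct ocsp_req_info_st {
	ASN1_INTEGER *version;
	GENERAL_NAME *requestorName;				/* OPTIONAL */
	STACK_OF(OCSP_ONEREQ) *requestList;
	STACK_OF(X509_EXTENSION) *requestExtensions;		/* OPTIONAL */
} /* OCSP_REQINFO */;

/*   Signature       ::=     SEQUENCE {
 *       signatureAlgorithm   AlgorithmIdentifier,
 *       signature            BIT STRING,
 *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
struct ocsp_signature_st {
	X509_ALGOR *signatureAlgorithm;
	ASN1_BIT_STRING *signature;
	/*
	 * OPTIONAL.  NOTE(review): these certificates are supplied by the
	 * sender of the message; presumably the verification code validates
	 * them before relying on them -- confirm there.
	 */
	STACK_OF(X509) *certs;
} /* OCSP_SIGNATURE */;

/*   OCSPRequest     ::=     SEQUENCE {
 *       tbsRequest                  TBSRequest,
 *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
 */
struct ocsp_request_st {
	OCSP_REQINFO *tbsRequest;
	/*
	 * OPTIONAL.  OCSP_REQUEST_sign() and OCSP_REQUEST_verify() below
	 * dereference this pointer without a check.
	 */
	OCSP_SIGNATURE *optionalSignature;
} /* OCSP_REQUEST */;

/*   OCSPResponseStatus ::= ENUMERATED {
 *       successful            (0),      --Response has valid confirmations
 *       malformedRequest      (1),      --Illegal confirmation request
 *       internalError         (2),      --Internal error in issuer
 *       tryLater              (3),      --Try again later
 *                                       --(4) is not used
 *       sigRequired           (5),      --Must sign the request
 *       unauthorized          (6)       --Request unauthorized
 *   }
 */

/*   ResponseBytes ::=       SEQUENCE {
 *       responseType   OBJECT IDENTIFIER,
 *       response       OCTET STRING }
 */
struct ocsp_resp_bytes_st {
	ASN1_OBJECT *responseType;
	ASN1_OCTET_STRING *response;
} /* OCSP_RESPBYTES */;

/*   OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 */
struct ocsp_response_st {
	ASN1_ENUMERATED *responseStatus;
	OCSP_RESPBYTES *responseBytes;		/* OPTIONAL */
};

/*   ResponderID ::= CHOICE {
 *      byName   [1] Name,
 *      byKey    [2] KeyHash }
 */
struct ocsp_responder_id_st {
	/*
	 * Discriminator for the union below; the values it takes are
	 * defined outside this file.  Only the arm it selects may be read.
	 */
	int type;
	union {
		X509_NAME *byName;
		ASN1_OCTET_STRING *byKey;
	} value;
};

/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
 *                            --(excluding the tag and length fields)
 */

/*   RevokedInfo ::= SEQUENCE {
 *       revocationTime              GeneralizedTime,
 *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 */
struct ocsp_revoked_info_st {
	ASN1_GENERALIZEDTIME *revocationTime;
	ASN1_ENUMERATED *revocationReason;	/* OPTIONAL */
} /* OCSP_REVOKEDINFO */;

/*   CertStatus ::= CHOICE {
 *       good                [0]     IMPLICIT NULL,
 *       revoked             [1]     IMPLICIT RevokedInfo,
 *       unknown             [2]     IMPLICIT UnknownInfo }
 */
struct ocsp_cert_status_st {
	/*
	 * Discriminator for the union below; the values it takes are
	 * defined outside this file.  Only the arm it selects may be read:
	 * the arms have different pointer types.
	 */
	int type;
	union {
		ASN1_NULL *good;
		OCSP_REVOKEDINFO *revoked;
		ASN1_NULL *unknown;
	} value;
} /* OCSP_CERTSTATUS */;

/*   SingleResponse ::= SEQUENCE {
 *      certID                       CertID,
 *      certStatus                   CertStatus,
 *      thisUpdate                   GeneralizedTime,
 *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
 */
struct ocsp_single_response_st {
	OCSP_CERTID *certId;
	OCSP_CERTSTATUS *certStatus;
	ASN1_GENERALIZEDTIME *thisUpdate;
	/*
	 * OPTIONAL.  NOTE(review): freshness checks on a response have to
	 * cope with this field being absent -- confirm how the validity
	 * checking code treats that case.
	 */
	ASN1_GENERALIZEDTIME *nextUpdate;
	STACK_OF(X509_EXTENSION) *singleExtensions;	/* OPTIONAL */
} /* OCSP_SINGLERESP */;

/*   ResponseData ::= SEQUENCE {
 *      version              [0] EXPLICIT Version DEFAULT v1,
 *      responderID              ResponderID,
 *      producedAt               GeneralizedTime,
 *      responses                SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 */
struct ocsp_response_data_st {
	ASN1_INTEGER *version;
	OCSP_RESPID *responderId;
	ASN1_GENERALIZEDTIME *producedAt;
	STACK_OF(OCSP_SINGLERESP) *responses;
	STACK_OF(X509_EXTENSION) *responseExtensions;	/* OPTIONAL */
} /* OCSP_RESPDATA */;

/*   BasicOCSPResponse       ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
 *      signatureAlgorithm   AlgorithmIdentifier,
 *      signature            BIT STRING,
 *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
/* Note 1:
   The value for "signature" is specified in the OCSP rfc2560 as follows:
   "The value for the signature SHALL be computed on the hash of the DER
   encoding ResponseData."  This means that you must hash the DER-encoded
   tbsResponseData, and then run it through a crypto-signing function, which
   will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
   a bit odd, but that's the spec.  Also note that the data structures do not
   leave anywhere to independently specify the algorithm used for the initial
   hash.  So, we look at the signature-specification algorithm, and try to do
   something intelligent.	-- Kathy Weinhold, CertCo */
/* Note 2:
   It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
   for interpretation.  I've done tests against another responder, and found
   that it doesn't do the double hashing that the RFC seems to say one
   should.  Therefore, all relevant functions take a flag saying which
   variant should be used.	-- Richard Levitte, OpenSSL team and CeloCom */
struct ocsp_basic_response_st {
	OCSP_RESPDATA *tbsResponseData;
	X509_ALGOR *signatureAlgorithm;
	ASN1_BIT_STRING *signature;
	/*
	 * OPTIONAL.  NOTE(review): these certificates are supplied by the
	 * responder; presumably the verification code validates them before
	 * relying on them -- confirm there.
	 */
	STACK_OF(X509) *certs;
} /* OCSP_BASICRESP */;

/*   CrlID ::= SEQUENCE {
 *       crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
 *       crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
 *       crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
 */
struct ocsp_crl_id_st {
	ASN1_IA5STRING *crlUrl;			/* OPTIONAL */
	ASN1_INTEGER *crlNum;			/* OPTIONAL */
	ASN1_GENERALIZEDTIME *crlTime;		/* OPTIONAL */
} /* OCSP_CRLID */;

/*   ServiceLocator ::= SEQUENCE {
 *      issuer    Name,
 *      locator   AuthorityInfoAccessSyntax OPTIONAL }
 */
struct ocsp_service_locator_st {
	X509_NAME *issuer;
	STACK_OF(ACCESS_DESCRIPTION) *locator;	/* OPTIONAL */
} /* OCSP_SERVICELOC */;

/*
 * Sign the tbsRequest of OCSP_REQUEST *o with pkey and digest md, via
 * ASN1_item_sign(), writing into o->optionalSignature.
 *
 * o->optionalSignature is dereferenced unconditionally, so the caller
 * must have set it up before using this macro.  o is expanded more than
 * once: pass an expression without side effects.  Every use of o is
 * parenthesized so that a non-trivial argument expression binds as
 * intended.
 */
#define OCSP_REQUEST_sign(o,pkey,md) \
	ASN1_item_sign(&OCSP_REQINFO_it, \
	    (o)->optionalSignature->signatureAlgorithm, NULL, \
	    (o)->optionalSignature->signature, (o)->tbsRequest, (pkey), (md))

/*
 * Sign the tbsResponseData of OCSP_BASICRESP *o with pkey and digest md,
 * via ASN1_item_sign().
 *
 * d does not appear in the expansion: whatever variant flag the caller
 * passes (see Note 2 above) has no effect here.  o is expanded more than
 * once: pass an expression without side effects.  Every use of o is
 * parenthesized so that a non-trivial argument expression binds as
 * intended.
 */
#define OCSP_BASICRESP_sign(o,pkey,md,d) \
	ASN1_item_sign(&OCSP_RESPDATA_it, (o)->signatureAlgorithm, NULL, \
	    (o)->signature, (o)->tbsResponseData, (pkey), (md))

/*
 * Verify the signature on OCSP_REQUEST *a with key r, via
 * ASN1_item_verify().
 *
 * a->optionalSignature is dereferenced unconditionally; the field is
 * OPTIONAL, so the caller must confirm the request carries a signature
 * before using this macro.  a is expanded more than once.
 *
 * NOTE(review): the return convention of ASN1_item_verify() is defined
 * outside this file; callers should compare the result with its explicit
 * success value rather than test for non-zero -- confirm against its
 * documentation.
 */
#define OCSP_REQUEST_verify(a,r) \
	ASN1_item_verify(&OCSP_REQINFO_it, \
	    (a)->optionalSignature->signatureAlgorithm, \
	    (a)->optionalSignature->signature, (a)->tbsRequest, (r))

/*
 * Verify the signature on OCSP_BASICRESP *a with key r, via
 * ASN1_item_verify().
 *
 * d does not appear in the expansion: whatever variant flag the caller
 * passes (see Note 2 above) has no effect here.  a is expanded more than
 * once.
 *
 * NOTE(review): the return convention of ASN1_item_verify() is defined
 * outside this file; callers should compare the result with its explicit
 * success value rather than test for non-zero -- confirm against its
 * documentation.
 */
#define OCSP_BASICRESP_verify(a,r,d) \
	ASN1_item_verify(&OCSP_RESPDATA_it, \
	    (a)->signatureAlgorithm, (a)->signature, (a)->tbsResponseData, (r))

__END_HIDDEN_DECLS

#endif /* !HEADER_OCSP_LOCAL_H */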