diff options
author | George Hazan <george.hazan@gmail.com> | 2016-03-18 16:56:24 +0000 |
---|---|---|
committer | George Hazan <george.hazan@gmail.com> | 2016-03-18 16:56:24 +0000 |
commit | 6a6db513258224651c8e12c43545d368c7456bbc (patch) | |
tree | 8af5da797e64907778db6738959fed3c30f618dd /include/openssl/ocsp.h | |
parent | f0efe2dabd75888cb31ea023f10ed930c2056307 (diff) |
git-svn-id: http://svn.miranda-ng.org/main/trunk@16502 1316c22d-e87f-b044-9b9b-93d7a3e3ba9c
Diffstat (limited to 'include/openssl/ocsp.h')
-rw-r--r-- | include/openssl/ocsp.h | 262 |
1 files changed, 40 insertions, 222 deletions
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index ca2ee76dce..02fd6b06be 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -1,11 +1,10 @@ -/* ocsp.h */ /* * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL * project. */ /* - * History: This file was transfered to Richard Levitte from CertCo by Kathy + * History: This file was transferred to Richard Levitte from CertCo by Kathy * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a * patch kit. */ @@ -93,76 +92,18 @@ extern "C" { # define OCSP_RESPID_KEY 0x400 # define OCSP_NOTIME 0x800 -/*- CertID ::= SEQUENCE { - * hashAlgorithm AlgorithmIdentifier, - * issuerNameHash OCTET STRING, -- Hash of Issuer's DN - * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) - * serialNumber CertificateSerialNumber } - */ -typedef struct ocsp_cert_id_st { - X509_ALGOR *hashAlgorithm; - ASN1_OCTET_STRING *issuerNameHash; - ASN1_OCTET_STRING *issuerKeyHash; - ASN1_INTEGER *serialNumber; -} OCSP_CERTID; - -DECLARE_STACK_OF(OCSP_CERTID) - -/*- Request ::= SEQUENCE { - * reqCert CertID, - * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_one_request_st { - OCSP_CERTID *reqCert; - STACK_OF(X509_EXTENSION) *singleRequestExtensions; -} OCSP_ONEREQ; - -DECLARE_STACK_OF(OCSP_ONEREQ) -DECLARE_ASN1_SET_OF(OCSP_ONEREQ) - -/*- TBSRequest ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * requestorName [1] EXPLICIT GeneralName OPTIONAL, - * requestList SEQUENCE OF Request, - * requestExtensions [2] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_req_info_st { - ASN1_INTEGER *version; - GENERAL_NAME *requestorName; - STACK_OF(OCSP_ONEREQ) *requestList; - STACK_OF(X509_EXTENSION) *requestExtensions; -} OCSP_REQINFO; - -/*- Signature ::= SEQUENCE { - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ -typedef struct ocsp_signature_st { - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_SIGNATURE; - -/*- OCSPRequest ::= SEQUENCE { - * tbsRequest TBSRequest, - * optionalSignature [0] EXPLICIT Signature OPTIONAL } - */ -typedef struct ocsp_request_st { - OCSP_REQINFO *tbsRequest; - OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ -} OCSP_REQUEST; - -/*- OCSPResponseStatus ::= ENUMERATED { - * successful (0), --Response has valid confirmations - * malformedRequest (1), --Illegal confirmation request - * internalError (2), --Internal error in issuer - * tryLater (3), --Try again later - * --(4) is not used - * sigRequired (5), --Must sign the request - * unauthorized (6) --Request unauthorized - * } - */ +typedef struct ocsp_cert_id_st OCSP_CERTID; + +DEFINE_STACK_OF(OCSP_CERTID) + +typedef struct ocsp_one_request_st OCSP_ONEREQ; + +DEFINE_STACK_OF(OCSP_ONEREQ) + +typedef struct ocsp_req_info_st OCSP_REQINFO; +typedef struct ocsp_signature_st OCSP_SIGNATURE; +typedef struct ocsp_request_st OCSP_REQUEST; + # define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 # define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 # define OCSP_RESPONSE_STATUS_INTERNALERROR 2 @@ -170,136 +111,28 @@ typedef struct ocsp_request_st { # define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 # define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 -/*- ResponseBytes ::= SEQUENCE { - * responseType OBJECT IDENTIFIER, - * response OCTET STRING } - */ -typedef struct ocsp_resp_bytes_st { - ASN1_OBJECT *responseType; - ASN1_OCTET_STRING *response; -} OCSP_RESPBYTES; - -/*- OCSPResponse ::= SEQUENCE { - * responseStatus OCSPResponseStatus, - * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } - */ -struct ocsp_response_st { - ASN1_ENUMERATED *responseStatus; - OCSP_RESPBYTES *responseBytes; -}; - -/*- ResponderID ::= CHOICE { - * byName [1] Name, - * byKey [2] KeyHash } - */ +typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES; + # define V_OCSP_RESPID_NAME 0 # define V_OCSP_RESPID_KEY 1 -struct ocsp_responder_id_st { - int type; - union { - X509_NAME *byName; - ASN1_OCTET_STRING *byKey; - } value; -}; - -DECLARE_STACK_OF(OCSP_RESPID) + +DEFINE_STACK_OF(OCSP_RESPID) DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) -/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key - * --(excluding the tag and length fields) - */ +typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; -/*- RevokedInfo ::= SEQUENCE { - * revocationTime GeneralizedTime, - * revocationReason [0] EXPLICIT CRLReason OPTIONAL } - */ -typedef struct ocsp_revoked_info_st { - ASN1_GENERALIZEDTIME *revocationTime; - ASN1_ENUMERATED *revocationReason; -} OCSP_REVOKEDINFO; - -/*- CertStatus ::= CHOICE { - * good [0] IMPLICIT NULL, - * revoked [1] IMPLICIT RevokedInfo, - * unknown [2] IMPLICIT UnknownInfo } - */ # define V_OCSP_CERTSTATUS_GOOD 0 # define V_OCSP_CERTSTATUS_REVOKED 1 # define V_OCSP_CERTSTATUS_UNKNOWN 2 -typedef struct ocsp_cert_status_st { - int type; - union { - ASN1_NULL *good; - OCSP_REVOKEDINFO *revoked; - ASN1_NULL *unknown; - } value; -} OCSP_CERTSTATUS; - -/*- SingleResponse ::= SEQUENCE { - * certID CertID, - * certStatus CertStatus, - * thisUpdate GeneralizedTime, - * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, - * singleExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_single_response_st { - OCSP_CERTID *certId; - OCSP_CERTSTATUS *certStatus; - ASN1_GENERALIZEDTIME *thisUpdate; - ASN1_GENERALIZEDTIME *nextUpdate; - STACK_OF(X509_EXTENSION) *singleExtensions; -} OCSP_SINGLERESP; - -DECLARE_STACK_OF(OCSP_SINGLERESP) -DECLARE_ASN1_SET_OF(OCSP_SINGLERESP) - -/*- ResponseData ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * responderID ResponderID, - * producedAt GeneralizedTime, - * responses SEQUENCE OF SingleResponse, - * responseExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_response_data_st { - ASN1_INTEGER *version; - OCSP_RESPID *responderId; - ASN1_GENERALIZEDTIME *producedAt; - STACK_OF(OCSP_SINGLERESP) *responses; - STACK_OF(X509_EXTENSION) *responseExtensions; -} OCSP_RESPDATA; - -/*- BasicOCSPResponse ::= SEQUENCE { - * tbsResponseData ResponseData, - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ - /* - * Note 1: The value for "signature" is specified in the OCSP rfc2560 as - * follows: "The value for the signature SHALL be computed on the hash of - * the DER encoding ResponseData." This means that you must hash the - * DER-encoded tbsResponseData, and then run it through a crypto-signing - * function, which will (at least w/RSA) do a hash-'n'-private-encrypt - * operation. This seems a bit odd, but that's the spec. Also note that - * the data structures do not leave anywhere to independently specify the - * algorithm used for the initial hash. So, we look at the - * signature-specification algorithm, and try to do something intelligent. - * -- Kathy Weinhold, CertCo - */ - /* - * Note 2: It seems that the mentioned passage from RFC 2560 (section - * 4.2.1) is open for interpretation. I've done tests against another - * responder, and found that it doesn't do the double hashing that the RFC - * seems to say one should. Therefore, all relevant functions take a flag - * saying which variant should be used. -- Richard Levitte, OpenSSL team - * and CeloCom - */ -typedef struct ocsp_basic_response_st { - OCSP_RESPDATA *tbsResponseData; - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_BASICRESP; + +typedef struct ocsp_cert_status_st OCSP_CERTSTATUS; +typedef struct ocsp_single_response_st OCSP_SINGLERESP; + +DEFINE_STACK_OF(OCSP_SINGLERESP) + +typedef struct ocsp_response_data_st OCSP_RESPDATA; + +typedef struct ocsp_basic_response_st OCSP_BASICRESP; /*- * CRLReason ::= ENUMERATED { @@ -322,27 +155,8 @@ typedef struct ocsp_basic_response_st { # define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 # define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 -/*- - * CrlID ::= SEQUENCE { - * crlUrl [0] EXPLICIT IA5String OPTIONAL, - * crlNum [1] EXPLICIT INTEGER OPTIONAL, - * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } - */ -typedef struct ocsp_crl_id_st { - ASN1_IA5STRING *crlUrl; - ASN1_INTEGER *crlNum; - ASN1_GENERALIZEDTIME *crlTime; -} OCSP_CRLID; - -/*- - * ServiceLocator ::= SEQUENCE { - * issuer Name, - * locator AuthorityInfoAccessSyntax OPTIONAL } - */ -typedef struct ocsp_service_locator_st { - X509_NAME *issuer; - STACK_OF(ACCESS_DESCRIPTION) *locator; -} OCSP_SERVICELOC; +typedef struct ocsp_crl_id_st OCSP_CRLID; +typedef struct ocsp_service_locator_st OCSP_SERVICELOC; # define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" # define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" @@ -371,19 +185,19 @@ typedef struct ocsp_service_locator_st { # define OCSP_REQUEST_sign(o,pkey,md) \ ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\ - o->optionalSignature->signatureAlgorithm,NULL,\ - o->optionalSignature->signature,o->tbsRequest,pkey,md) + &o->optionalSignature->signatureAlgorithm,NULL,\ + o->optionalSignature->signature,&o->tbsRequest,pkey,md) # define OCSP_BASICRESP_sign(o,pkey,md,d) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\ - o->signature,o->tbsResponseData,pkey,md) + ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&o->signatureAlgorithm,NULL,\ + o->signature,&o->tbsResponseData,pkey,md) # define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\ - a->optionalSignature->signatureAlgorithm,\ - a->optionalSignature->signature,a->tbsRequest,r) + &a->optionalSignature->signatureAlgorithm,\ + a->optionalSignature->signature,&a->tbsRequest,r) # define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\ - a->signatureAlgorithm,a->signature,a->tbsResponseData,r) + &a->signatureAlgorithm,a->signature,&a->tbsResponseData,r) # define ASN1_BIT_STRING_digest(data,type,md,len) \ ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) @@ -440,8 +254,11 @@ int OCSP_request_sign(OCSP_REQUEST *req, int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); +ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs); + int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); +ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* bs); int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, ASN1_GENERALIZEDTIME **revtime, @@ -542,6 +359,7 @@ void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, unsigned long flags); int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc); +OCSP_CERTID *OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP *x); DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP) DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS) |