ocsp_local.h@ 94082

Last change on this file since 94082 was 94082, checked in by vboxsync, 3 years ago
libs/openssl-3.0.1: started applying and adjusting our OpenSSL changes to 3.0.1. bugref:10128
File size: 8.7 KB

Line
1	/*
2	* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
11
12	/*- CertID ::= SEQUENCE {
13	* hashAlgorithm AlgorithmIdentifier,
14	* issuerNameHash OCTET STRING, -- Hash of Issuer's DN
15	* issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
16	* serialNumber CertificateSerialNumber }
17	*/
18	struct ocsp_cert_id_st {
19	X509_ALGOR hashAlgorithm;
20	ASN1_OCTET_STRING issuerNameHash;
21	ASN1_OCTET_STRING issuerKeyHash;
22	ASN1_INTEGER serialNumber;
23	};
24
25	/*- Request ::= SEQUENCE {
26	* reqCert CertID,
27	* singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
28	*/
29	struct ocsp_one_request_st {
30	OCSP_CERTID *reqCert;
31	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
32	};
33
34	/*- TBSRequest ::= SEQUENCE {
35	* version [0] EXPLICIT Version DEFAULT v1,
36	* requestorName [1] EXPLICIT GeneralName OPTIONAL,
37	* requestList SEQUENCE OF Request,
38	* requestExtensions [2] EXPLICIT Extensions OPTIONAL }
39	*/
40	struct ocsp_req_info_st {
41	ASN1_INTEGER *version;
42	GENERAL_NAME *requestorName;
43	STACK_OF(OCSP_ONEREQ) *requestList;
44	STACK_OF(X509_EXTENSION) *requestExtensions;
45	};
46
47	/*- Signature ::= SEQUENCE {
48	* signatureAlgorithm AlgorithmIdentifier,
49	* signature BIT STRING,
50	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
51	*/
52	struct ocsp_signature_st {
53	X509_ALGOR signatureAlgorithm;
54	ASN1_BIT_STRING *signature;
55	STACK_OF(X509) *certs;
56	};
57
58	/*- OCSPRequest ::= SEQUENCE {
59	* tbsRequest TBSRequest,
60	* optionalSignature [0] EXPLICIT Signature OPTIONAL }
61	*/
62	struct ocsp_request_st {
63	OCSP_REQINFO tbsRequest;
64	OCSP_SIGNATURE optionalSignature; / OPTIONAL */
65	};
66
67	/*- OCSPResponseStatus ::= ENUMERATED {
68	* successful (0), --Response has valid confirmations
69	* malformedRequest (1), --Illegal confirmation request
70	* internalError (2), --Internal error in issuer
71	* tryLater (3), --Try again later
72	* --(4) is not used
73	* sigRequired (5), --Must sign the request
74	* unauthorized (6) --Request unauthorized
75	* }
76	*/
77
78	/*- ResponseBytes ::= SEQUENCE {
79	* responseType OBJECT IDENTIFIER,
80	* response OCTET STRING }
81	*/
82	struct ocsp_resp_bytes_st {
83	ASN1_OBJECT *responseType;
84	ASN1_OCTET_STRING *response;
85	};
86
87	/*- OCSPResponse ::= SEQUENCE {
88	* responseStatus OCSPResponseStatus,
89	* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
90	*/
91	struct ocsp_response_st {
92	ASN1_ENUMERATED *responseStatus;
93	OCSP_RESPBYTES *responseBytes;
94	};
95
96	/*- ResponderID ::= CHOICE {
97	* byName [1] Name,
98	* byKey [2] KeyHash }
99	*/
100	struct ocsp_responder_id_st {
101	int type;
102	union {
103	X509_NAME *byName;
104	ASN1_OCTET_STRING *byKey;
105	} value;
106	};
107
108	/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
109	* --(excluding the tag and length fields)
110	*/
111
112	/*- RevokedInfo ::= SEQUENCE {
113	* revocationTime GeneralizedTime,
114	* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
115	*/
116	struct ocsp_revoked_info_st {
117	ASN1_GENERALIZEDTIME *revocationTime;
118	ASN1_ENUMERATED *revocationReason;
119	};
120
121	/*- CertStatus ::= CHOICE {
122	* good [0] IMPLICIT NULL,
123	* revoked [1] IMPLICIT RevokedInfo,
124	* unknown [2] IMPLICIT UnknownInfo }
125	*/
126	struct ocsp_cert_status_st {
127	int type;
128	union {
129	ASN1_NULL *good;
130	OCSP_REVOKEDINFO *revoked;
131	ASN1_NULL *unknown;
132	} value;
133	};
134
135	/*- SingleResponse ::= SEQUENCE {
136	* certID CertID,
137	* certStatus CertStatus,
138	* thisUpdate GeneralizedTime,
139	* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
140	* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
141	*/
142	struct ocsp_single_response_st {
143	OCSP_CERTID *certId;
144	OCSP_CERTSTATUS *certStatus;
145	ASN1_GENERALIZEDTIME *thisUpdate;
146	ASN1_GENERALIZEDTIME *nextUpdate;
147	STACK_OF(X509_EXTENSION) *singleExtensions;
148	};
149
150	/*- ResponseData ::= SEQUENCE {
151	* version [0] EXPLICIT Version DEFAULT v1,
152	* responderID ResponderID,
153	* producedAt GeneralizedTime,
154	* responses SEQUENCE OF SingleResponse,
155	* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
156	*/
157	struct ocsp_response_data_st {
158	ASN1_INTEGER *version;
159	OCSP_RESPID responderId;
160	ASN1_GENERALIZEDTIME *producedAt;
161	STACK_OF(OCSP_SINGLERESP) *responses;
162	STACK_OF(X509_EXTENSION) *responseExtensions;
163	};
164
165	/*- BasicOCSPResponse ::= SEQUENCE {
166	* tbsResponseData ResponseData,
167	* signatureAlgorithm AlgorithmIdentifier,
168	* signature BIT STRING,
169	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
170	*/
171	/*
172	* Note 1: The value for "signature" is specified in the OCSP rfc2560 as
173	* follows: "The value for the signature SHALL be computed on the hash of
174	* the DER encoding ResponseData." This means that you must hash the
175	* DER-encoded tbsResponseData, and then run it through a crypto-signing
176	* function, which will (at least w/RSA) do a hash-'n'-private-encrypt
177	* operation. This seems a bit odd, but that's the spec. Also note that
178	* the data structures do not leave anywhere to independently specify the
179	* algorithm used for the initial hash. So, we look at the
180	* signature-specification algorithm, and try to do something intelligent.
181	* -- Kathy Weinhold, CertCo
182	*/
183	/*
184	* Note 2: It seems that the mentioned passage from RFC 2560 (section
185	* 4.2.1) is open for interpretation. I've done tests against another
186	* responder, and found that it doesn't do the double hashing that the RFC
187	* seems to say one should. Therefore, all relevant functions take a flag
188	* saying which variant should be used. -- Richard Levitte, OpenSSL team
189	* and CeloCom
190	*/
191	struct ocsp_basic_response_st {
192	OCSP_RESPDATA tbsResponseData;
193	X509_ALGOR signatureAlgorithm;
194	ASN1_BIT_STRING *signature;
195	STACK_OF(X509) *certs;
196	};
197
198	/*-
199	* CrlID ::= SEQUENCE {
200	* crlUrl [0] EXPLICIT IA5String OPTIONAL,
201	* crlNum [1] EXPLICIT INTEGER OPTIONAL,
202	* crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
203	*/
204	struct ocsp_crl_id_st {
205	ASN1_IA5STRING *crlUrl;
206	ASN1_INTEGER *crlNum;
207	ASN1_GENERALIZEDTIME *crlTime;
208	};
209
210	/*-
211	* ServiceLocator ::= SEQUENCE {
212	* issuer Name,
213	* locator AuthorityInfoAccessSyntax OPTIONAL }
214	*/
215	struct ocsp_service_locator_st {
216	X509_NAME *issuer;
217	STACK_OF(ACCESS_DESCRIPTION) *locator;
218	};
219
220	# define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
221	ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
222	&(o)->optionalSignature->signatureAlgorithm, NULL,\
223	(o)->optionalSignature->signature, &(o)->tbsRequest,\
224	NULL, pkey, md, libctx, propq)
225
226	# define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
227	ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
228	&(o)->signatureAlgorithm, NULL,\
229	(o)->signature, &(o)->tbsResponseData,\
230	NULL, pkey, md, libctx, propq)
231
232	# define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
233	ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
234	&(o)->signatureAlgorithm, NULL,\
235	(o)->signature, &(o)->tbsResponseData, ctx)
236
237	# define OCSP_REQUEST_verify(a, r, libctx, propq)\
238	ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
239	&(a)->optionalSignature->signatureAlgorithm,\
240	(a)->optionalSignature->signature, &(a)->tbsRequest,\
241	NULL, r, libctx, propq)
242
243	# define OCSP_BASICRESP_verify(a, r, libctx, propq)\
244	ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
245	&(a)->signatureAlgorithm, (a)->signature,\
246	&(a)->tbsResponseData, NULL, r, libctx, propq)

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.1/crypto/ocsp/ocsp_local.h@ 94082

Download in other formats: