/* ocsp.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2000.
*/
/* ====================================================================
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
/* Example of new ASN1 code, OCSP request
OCSPRequest ::= SEQUENCE {
tbsRequest TBSRequest,
optionalSignature [0] EXPLICIT Signature OPTIONAL }
TBSRequest ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
requestorName [1] EXPLICIT GeneralName OPTIONAL,
requestList SEQUENCE OF Request,
requestExtensions [2] EXPLICIT Extensions OPTIONAL }
Signature ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Version ::= INTEGER { v1(0) }
Request ::= SEQUENCE {
reqCert CertID,
singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of Issuer's DN
issuerKeyHash OCTET STRING, -- Hash of Issuers public key
serialNumber CertificateSerialNumber }
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
ResponseData ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
responderID ResponderID,
producedAt GeneralizedTime,
responses SEQUENCE OF SingleResponse,
responseExtensions [1] EXPLICIT Extensions OPTIONAL }
ResponderID ::= CHOICE {
byName [1] Name, --EXPLICIT
byKey [2] KeyHash }
KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
--(excluding the tag and length fields)
SingleResponse ::= SEQUENCE {
certID CertID,
certStatus CertStatus,
thisUpdate GeneralizedTime,
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
singleExtensions [1] EXPLICIT Extensions OPTIONAL }
CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }
RevokedInfo ::= SEQUENCE {
revocationTime GeneralizedTime,
revocationReason [0] EXPLICIT CRLReason OPTIONAL }
UnknownInfo ::= NULL -- this can be replaced with an enumeration
ArchiveCutoff ::= GeneralizedTime
AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
ServiceLocator ::= SEQUENCE {
issuer Name,
locator AuthorityInfoAccessSyntax }
-- Object Identifiers
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
*/
/* Request Structures */
DECLARE_STACK_OF(Request)
typedef struct {
ASN1_INTEGER *version;
GENERAL_NAME *requestorName;
STACK_OF(Request) *requestList;
STACK_OF(X509_EXTENSION) *requestExtensions;
} TBSRequest;
typedef struct {
X509_ALGOR *signatureAlgorithm;
ASN1_BIT_STRING *signature;
STACK_OF(X509) *certs;
} Signature;
typedef struct {
TBSRequest *tbsRequest;
Signature *optionalSignature;
} OCSPRequest;
typedef struct {
X509_ALGOR *hashAlgorithm;
ASN1_OCTET_STRING *issuerNameHash;
ASN1_OCTET_STRING *issuerKeyHash;
ASN1_INTEGER *certificateSerialNumber;
} CertID;
typedef struct {
CertID *reqCert;
STACK_OF(X509_EXTENSION) *singleRequestExtensions;
} Request;
/* Response structures */
typedef struct {
ASN1_OBJECT *responseType;
ASN1_OCTET_STRING *response;
} ResponseBytes;
typedef struct {
ASN1_ENUMERATED *responseStatus;
ResponseBytes *responseBytes;
} OCSPResponse;
typedef struct {
int type;
union {
X509_NAME *byName;
ASN1_OCTET_STRING *byKey;
}d;
} ResponderID;
typedef struct {
ASN1_INTEGER *version;
ResponderID *responderID;
ASN1_GENERALIZEDTIME *producedAt;
STACK_OF(SingleResponse) *responses;
STACK_OF(X509_EXTENSION) *responseExtensions;
} ResponseData;
typedef struct {
ResponseData *tbsResponseData;
X509_ALGOR *signatureAlgorithm;
ASN1_BIT_STRING *signature;
STACK_OF(X509) *certs;
} BasicOCSPResponse;
typedef struct {
ASN1_GENERALIZEDTIME *revocationTime;
ASN1_ENUMERATED * revocationReason;
} RevokedInfo;
typedef struct {
int type;
union {
ASN1_NULL *good;
RevokedInfo *revoked;
ASN1_NULL *unknown;
} d;
} CertStatus;
typedef struct {
CertID *certID;
CertStatus *certStatus;
ASN1_GENERALIZEDTIME *thisUpdate;
ASN1_GENERALIZEDTIME *nextUpdate;
STACK_OF(X509_EXTENSION) *singleExtensions;
} SingleResponse;
typedef struct {
X509_NAME *issuer;
STACK_OF(ACCESS_DESCRIPTION) *locator;
} ServiceLocator;
/* Now the ASN1 templates */
IMPLEMENT_COMPAT_ASN1(X509);
IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
//IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
IMPLEMENT_COMPAT_ASN1(X509_NAME);
ASN1_SEQUENCE(X509_EXTENSION) = {
ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION);
ASN1_SEQUENCE(Signature) = {
ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
ASN1_SEQUENCE_OF(Signature, certs, X509)
} ASN1_SEQUENCE_END(Signature);
ASN1_SEQUENCE(CertID) = {
ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
} ASN1_SEQUENCE_END(CertID);
ASN1_SEQUENCE(Request) = {
ASN1_SIMPLE(Request, reqCert, CertID),
ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
} ASN1_SEQUENCE_END(Request);
ASN1_SEQUENCE(TBSRequest) = {
ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
} ASN1_SEQUENCE_END(TBSRequest);
ASN1_SEQUENCE(OCSPRequest) = {
ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
} ASN1_SEQUENCE_END(OCSPRequest);
/* Response templates */
ASN1_SEQUENCE(ResponseBytes) = {
ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(ResponseBytes);
ASN1_SEQUENCE(OCSPResponse) = {
ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
} ASN1_SEQUENCE_END(OCSPResponse);
ASN1_CHOICE(ResponderID) = {
ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
} ASN1_CHOICE_END(ResponderID);
ASN1_SEQUENCE(RevokedInfo) = {
ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
} ASN1_SEQUENCE_END(RevokedInfo);
ASN1_CHOICE(CertStatus) = {
ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
} ASN1_CHOICE_END(CertStatus);
ASN1_SEQUENCE(SingleResponse) = {
ASN1_SIMPLE(SingleResponse, certID, CertID),
ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(SingleResponse);
ASN1_SEQUENCE(ResponseData) = {
ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
ASN1_SIMPLE(ResponseData, responderID, ResponderID),
ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(ResponseData);
ASN1_SEQUENCE(BasicOCSPResponse) = {
ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
} ASN1_SEQUENCE_END(BasicOCSPResponse);
|