ocsp.c revision 296465
1/* ocsp.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4 * 2000. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59#include <openssl/asn1.h> 60#include <openssl/asn1t.h> 61#include <openssl/x509v3.h> 62 63/*- 64 Example of new ASN1 code, OCSP request 65 66 OCSPRequest ::= SEQUENCE { 67 tbsRequest TBSRequest, 68 optionalSignature [0] EXPLICIT Signature OPTIONAL } 69 70 TBSRequest ::= SEQUENCE { 71 version [0] EXPLICIT Version DEFAULT v1, 72 requestorName [1] EXPLICIT GeneralName OPTIONAL, 73 requestList SEQUENCE OF Request, 74 requestExtensions [2] EXPLICIT Extensions OPTIONAL } 75 76 Signature ::= SEQUENCE { 77 signatureAlgorithm AlgorithmIdentifier, 78 signature BIT STRING, 79 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 80 81 Version ::= INTEGER { v1(0) } 82 83 Request ::= SEQUENCE { 84 reqCert CertID, 85 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } 86 87 CertID ::= SEQUENCE { 88 hashAlgorithm AlgorithmIdentifier, 89 issuerNameHash OCTET STRING, -- Hash of Issuer's DN 90 issuerKeyHash OCTET STRING, -- Hash of Issuers public key 91 serialNumber CertificateSerialNumber } 92 93 OCSPResponse ::= SEQUENCE { 94 responseStatus OCSPResponseStatus, 95 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 96 97 OCSPResponseStatus ::= ENUMERATED { 98 successful (0), --Response has valid confirmations 99 malformedRequest (1), --Illegal confirmation request 100 internalError (2), --Internal error in issuer 101 tryLater (3), --Try again later 102 --(4) is not used 103 sigRequired (5), --Must sign the request 104 unauthorized (6) --Request unauthorized 105 } 106 107 ResponseBytes ::= SEQUENCE { 108 responseType OBJECT IDENTIFIER, 109 response OCTET STRING } 110 111 BasicOCSPResponse ::= SEQUENCE { 112 tbsResponseData ResponseData, 113 signatureAlgorithm AlgorithmIdentifier, 114 signature BIT STRING, 115 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 116 117 ResponseData ::= SEQUENCE { 118 version [0] EXPLICIT Version DEFAULT v1, 119 responderID ResponderID, 120 producedAt GeneralizedTime, 121 responses SEQUENCE OF SingleResponse, 122 responseExtensions [1] EXPLICIT Extensions OPTIONAL } 123 124 ResponderID ::= CHOICE { 125 byName [1] Name, --EXPLICIT 126 byKey [2] KeyHash } 127 128 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key 129 --(excluding the tag and length fields) 130 131 SingleResponse ::= SEQUENCE { 132 certID CertID, 133 certStatus CertStatus, 134 thisUpdate GeneralizedTime, 135 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 136 singleExtensions [1] EXPLICIT Extensions OPTIONAL } 137 138 CertStatus ::= CHOICE { 139 good [0] IMPLICIT NULL, 140 revoked [1] IMPLICIT RevokedInfo, 141 unknown [2] IMPLICIT UnknownInfo } 142 143 RevokedInfo ::= SEQUENCE { 144 revocationTime GeneralizedTime, 145 revocationReason [0] EXPLICIT CRLReason OPTIONAL } 146 147 UnknownInfo ::= NULL -- this can be replaced with an enumeration 148 149 ArchiveCutoff ::= GeneralizedTime 150 151 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER 152 153 ServiceLocator ::= SEQUENCE { 154 issuer Name, 155 locator AuthorityInfoAccessSyntax } 156 157 -- Object Identifiers 158 159 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 160 id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } 161 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } 162 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 163 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } 164 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } 165 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } 166 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } 167 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } 168 169*/ 170 171/* Request Structures */ 172 173DECLARE_STACK_OF(Request) 174 175typedef struct { 176 ASN1_INTEGER *version; 177 GENERAL_NAME *requestorName; 178 STACK_OF(Request) *requestList; 179 STACK_OF(X509_EXTENSION) *requestExtensions; 180} TBSRequest; 181 182typedef struct { 183 X509_ALGOR *signatureAlgorithm; 184 ASN1_BIT_STRING *signature; 185 STACK_OF(X509) *certs; 186} Signature; 187 188typedef struct { 189 TBSRequest *tbsRequest; 190 Signature *optionalSignature; 191} OCSPRequest; 192 193typedef struct { 194 X509_ALGOR *hashAlgorithm; 195 ASN1_OCTET_STRING *issuerNameHash; 196 ASN1_OCTET_STRING *issuerKeyHash; 197 ASN1_INTEGER *certificateSerialNumber; 198} CertID; 199 200typedef struct { 201 CertID *reqCert; 202 STACK_OF(X509_EXTENSION) *singleRequestExtensions; 203} Request; 204 205/* Response structures */ 206 207typedef struct { 208 ASN1_OBJECT *responseType; 209 ASN1_OCTET_STRING *response; 210} ResponseBytes; 211 212typedef struct { 213 ASN1_ENUMERATED *responseStatus; 214 ResponseBytes *responseBytes; 215} OCSPResponse; 216 217typedef struct { 218 int type; 219 union { 220 X509_NAME *byName; 221 ASN1_OCTET_STRING *byKey; 222 } d; 223} ResponderID; 224 225typedef struct { 226 ASN1_INTEGER *version; 227 ResponderID *responderID; 228 ASN1_GENERALIZEDTIME *producedAt; 229 STACK_OF(SingleResponse) *responses; 230 STACK_OF(X509_EXTENSION) *responseExtensions; 231} ResponseData; 232 233typedef struct { 234 ResponseData *tbsResponseData; 235 X509_ALGOR *signatureAlgorithm; 236 ASN1_BIT_STRING *signature; 237 STACK_OF(X509) *certs; 238} BasicOCSPResponse; 239 240typedef struct { 241 ASN1_GENERALIZEDTIME *revocationTime; 242 ASN1_ENUMERATED *revocationReason; 243} RevokedInfo; 244 245typedef struct { 246 int type; 247 union { 248 ASN1_NULL *good; 249 RevokedInfo *revoked; 250 ASN1_NULL *unknown; 251 } d; 252} CertStatus; 253 254typedef struct { 255 CertID *certID; 256 CertStatus *certStatus; 257 ASN1_GENERALIZEDTIME *thisUpdate; 258 ASN1_GENERALIZEDTIME *nextUpdate; 259 STACK_OF(X509_EXTENSION) *singleExtensions; 260} SingleResponse; 261 262typedef struct { 263 X509_NAME *issuer; 264 STACK_OF(ACCESS_DESCRIPTION) *locator; 265} ServiceLocator; 266 267/* Now the ASN1 templates */ 268 269IMPLEMENT_COMPAT_ASN1(X509); 270IMPLEMENT_COMPAT_ASN1(X509_ALGOR); 271// IMPLEMENT_COMPAT_ASN1(X509_EXTENSION); 272IMPLEMENT_COMPAT_ASN1(GENERAL_NAME); 273IMPLEMENT_COMPAT_ASN1(X509_NAME); 274 275ASN1_SEQUENCE(X509_EXTENSION) = { 276 ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT), 277 ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN), 278 ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING) 279} ASN1_SEQUENCE_END(X509_EXTENSION); 280 281 282ASN1_SEQUENCE(Signature) = { 283 ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR), 284 ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING), 285 ASN1_SEQUENCE_OF(Signature, certs, X509) 286} ASN1_SEQUENCE_END(Signature); 287 288ASN1_SEQUENCE(CertID) = { 289 ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR), 290 ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING), 291 ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING), 292 ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER) 293} ASN1_SEQUENCE_END(CertID); 294 295ASN1_SEQUENCE(Request) = { 296 ASN1_SIMPLE(Request, reqCert, CertID), 297 ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0) 298} ASN1_SEQUENCE_END(Request); 299 300ASN1_SEQUENCE(TBSRequest) = { 301 ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0), 302 ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1), 303 ASN1_SEQUENCE_OF(TBSRequest, requestList, Request), 304 ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2) 305} ASN1_SEQUENCE_END(TBSRequest); 306 307ASN1_SEQUENCE(OCSPRequest) = { 308 ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest), 309 ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0) 310} ASN1_SEQUENCE_END(OCSPRequest); 311 312/* Response templates */ 313 314ASN1_SEQUENCE(ResponseBytes) = { 315 ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT), 316 ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING) 317} ASN1_SEQUENCE_END(ResponseBytes); 318 319ASN1_SEQUENCE(OCSPResponse) = { 320 ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED), 321 ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0) 322} ASN1_SEQUENCE_END(OCSPResponse); 323 324ASN1_CHOICE(ResponderID) = { 325 ASN1_EXP(ResponderID, d.byName, X509_NAME, 1), 326 ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2) 327} ASN1_CHOICE_END(ResponderID); 328 329ASN1_SEQUENCE(RevokedInfo) = { 330 ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME), 331 ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0) 332} ASN1_SEQUENCE_END(RevokedInfo); 333 334ASN1_CHOICE(CertStatus) = { 335 ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0), 336 ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1), 337 ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2) 338} ASN1_CHOICE_END(CertStatus); 339 340ASN1_SEQUENCE(SingleResponse) = { 341 ASN1_SIMPLE(SingleResponse, certID, CertID), 342 ASN1_SIMPLE(SingleResponse, certStatus, CertStatus), 343 ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME), 344 ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0), 345 ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1) 346} ASN1_SEQUENCE_END(SingleResponse); 347 348ASN1_SEQUENCE(ResponseData) = { 349 ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0), 350 ASN1_SIMPLE(ResponseData, responderID, ResponderID), 351 ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME), 352 ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse), 353 ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1) 354} ASN1_SEQUENCE_END(ResponseData); 355 356ASN1_SEQUENCE(BasicOCSPResponse) = { 357 ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData), 358 ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR), 359 ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING), 360 ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0) 361} ASN1_SEQUENCE_END(BasicOCSPResponse); 362