1/* ocsp.c */ 2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL 3 * project 2000. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58#include <openssl/asn1.h> 59#include <openssl/asn1t.h> 60#include <openssl/x509v3.h> 61 62 63 64 65/* Example of new ASN1 code, OCSP request 66 67 OCSPRequest ::= SEQUENCE { 68 tbsRequest TBSRequest, 69 optionalSignature [0] EXPLICIT Signature OPTIONAL } 70 71 TBSRequest ::= SEQUENCE { 72 version [0] EXPLICIT Version DEFAULT v1, 73 requestorName [1] EXPLICIT GeneralName OPTIONAL, 74 requestList SEQUENCE OF Request, 75 requestExtensions [2] EXPLICIT Extensions OPTIONAL } 76 77 Signature ::= SEQUENCE { 78 signatureAlgorithm AlgorithmIdentifier, 79 signature BIT STRING, 80 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 81 82 Version ::= INTEGER { v1(0) } 83 84 Request ::= SEQUENCE { 85 reqCert CertID, 86 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } 87 88 CertID ::= SEQUENCE { 89 hashAlgorithm AlgorithmIdentifier, 90 issuerNameHash OCTET STRING, -- Hash of Issuer's DN 91 issuerKeyHash OCTET STRING, -- Hash of Issuers public key 92 serialNumber CertificateSerialNumber } 93 94 OCSPResponse ::= SEQUENCE { 95 responseStatus OCSPResponseStatus, 96 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 97 98 OCSPResponseStatus ::= ENUMERATED { 99 successful (0), --Response has valid confirmations 100 malformedRequest (1), --Illegal confirmation request 101 internalError (2), --Internal error in issuer 102 tryLater (3), --Try again later 103 --(4) is not used 104 sigRequired (5), --Must sign the request 105 unauthorized (6) --Request unauthorized 106 } 107 108 ResponseBytes ::= SEQUENCE { 109 responseType OBJECT IDENTIFIER, 110 response OCTET STRING } 111 112 BasicOCSPResponse ::= SEQUENCE { 113 tbsResponseData ResponseData, 114 signatureAlgorithm AlgorithmIdentifier, 115 signature BIT STRING, 116 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 117 118 ResponseData ::= SEQUENCE { 119 version [0] EXPLICIT Version DEFAULT v1, 120 responderID ResponderID, 121 producedAt GeneralizedTime, 122 responses SEQUENCE OF SingleResponse, 123 responseExtensions [1] EXPLICIT Extensions OPTIONAL } 124 125 ResponderID ::= CHOICE { 126 byName [1] Name, --EXPLICIT 127 byKey [2] KeyHash } 128 129 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key 130 --(excluding the tag and length fields) 131 132 SingleResponse ::= SEQUENCE { 133 certID CertID, 134 certStatus CertStatus, 135 thisUpdate GeneralizedTime, 136 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 137 singleExtensions [1] EXPLICIT Extensions OPTIONAL } 138 139 CertStatus ::= CHOICE { 140 good [0] IMPLICIT NULL, 141 revoked [1] IMPLICIT RevokedInfo, 142 unknown [2] IMPLICIT UnknownInfo } 143 144 RevokedInfo ::= SEQUENCE { 145 revocationTime GeneralizedTime, 146 revocationReason [0] EXPLICIT CRLReason OPTIONAL } 147 148 UnknownInfo ::= NULL -- this can be replaced with an enumeration 149 150 ArchiveCutoff ::= GeneralizedTime 151 152 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER 153 154 ServiceLocator ::= SEQUENCE { 155 issuer Name, 156 locator AuthorityInfoAccessSyntax } 157 158 -- Object Identifiers 159 160 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 161 id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } 162 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } 163 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 164 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } 165 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } 166 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } 167 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } 168 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } 169 170*/ 171 172/* Request Structures */ 173 174DECLARE_STACK_OF(Request) 175 176typedef struct { 177 ASN1_INTEGER *version; 178 GENERAL_NAME *requestorName; 179 STACK_OF(Request) *requestList; 180 STACK_OF(X509_EXTENSION) *requestExtensions; 181} TBSRequest; 182 183typedef struct { 184 X509_ALGOR *signatureAlgorithm; 185 ASN1_BIT_STRING *signature; 186 STACK_OF(X509) *certs; 187} Signature; 188 189typedef struct { 190 TBSRequest *tbsRequest; 191 Signature *optionalSignature; 192} OCSPRequest; 193 194typedef struct { 195 X509_ALGOR *hashAlgorithm; 196 ASN1_OCTET_STRING *issuerNameHash; 197 ASN1_OCTET_STRING *issuerKeyHash; 198 ASN1_INTEGER *certificateSerialNumber; 199} CertID; 200 201typedef struct { 202 CertID *reqCert; 203 STACK_OF(X509_EXTENSION) *singleRequestExtensions; 204} Request; 205 206/* Response structures */ 207 208typedef struct { 209 ASN1_OBJECT *responseType; 210 ASN1_OCTET_STRING *response; 211} ResponseBytes; 212 213typedef struct { 214 ASN1_ENUMERATED *responseStatus; 215 ResponseBytes *responseBytes; 216} OCSPResponse; 217 218typedef struct { 219 int type; 220 union { 221 X509_NAME *byName; 222 ASN1_OCTET_STRING *byKey; 223 }d; 224} ResponderID; 225 226typedef struct { 227 ASN1_INTEGER *version; 228 ResponderID *responderID; 229 ASN1_GENERALIZEDTIME *producedAt; 230 STACK_OF(SingleResponse) *responses; 231 STACK_OF(X509_EXTENSION) *responseExtensions; 232} ResponseData; 233 234typedef struct { 235 ResponseData *tbsResponseData; 236 X509_ALGOR *signatureAlgorithm; 237 ASN1_BIT_STRING *signature; 238 STACK_OF(X509) *certs; 239} BasicOCSPResponse; 240 241typedef struct { 242 ASN1_GENERALIZEDTIME *revocationTime; 243 ASN1_ENUMERATED * revocationReason; 244} RevokedInfo; 245 246typedef struct { 247 int type; 248 union { 249 ASN1_NULL *good; 250 RevokedInfo *revoked; 251 ASN1_NULL *unknown; 252 } d; 253} CertStatus; 254 255typedef struct { 256 CertID *certID; 257 CertStatus *certStatus; 258 ASN1_GENERALIZEDTIME *thisUpdate; 259 ASN1_GENERALIZEDTIME *nextUpdate; 260 STACK_OF(X509_EXTENSION) *singleExtensions; 261} SingleResponse; 262 263 264typedef struct { 265 X509_NAME *issuer; 266 STACK_OF(ACCESS_DESCRIPTION) *locator; 267} ServiceLocator; 268 269 270/* Now the ASN1 templates */ 271 272IMPLEMENT_COMPAT_ASN1(X509); 273IMPLEMENT_COMPAT_ASN1(X509_ALGOR); 274//IMPLEMENT_COMPAT_ASN1(X509_EXTENSION); 275IMPLEMENT_COMPAT_ASN1(GENERAL_NAME); 276IMPLEMENT_COMPAT_ASN1(X509_NAME); 277 278ASN1_SEQUENCE(X509_EXTENSION) = { 279 ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT), 280 ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN), 281 ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING) 282} ASN1_SEQUENCE_END(X509_EXTENSION); 283 284 285ASN1_SEQUENCE(Signature) = { 286 ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR), 287 ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING), 288 ASN1_SEQUENCE_OF(Signature, certs, X509) 289} ASN1_SEQUENCE_END(Signature); 290 291ASN1_SEQUENCE(CertID) = { 292 ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR), 293 ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING), 294 ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING), 295 ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER) 296} ASN1_SEQUENCE_END(CertID); 297 298ASN1_SEQUENCE(Request) = { 299 ASN1_SIMPLE(Request, reqCert, CertID), 300 ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0) 301} ASN1_SEQUENCE_END(Request); 302 303ASN1_SEQUENCE(TBSRequest) = { 304 ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0), 305 ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1), 306 ASN1_SEQUENCE_OF(TBSRequest, requestList, Request), 307 ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2) 308} ASN1_SEQUENCE_END(TBSRequest); 309 310ASN1_SEQUENCE(OCSPRequest) = { 311 ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest), 312 ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0) 313} ASN1_SEQUENCE_END(OCSPRequest); 314 315 316/* Response templates */ 317 318ASN1_SEQUENCE(ResponseBytes) = { 319 ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT), 320 ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING) 321} ASN1_SEQUENCE_END(ResponseBytes); 322 323ASN1_SEQUENCE(OCSPResponse) = { 324 ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED), 325 ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0) 326} ASN1_SEQUENCE_END(OCSPResponse); 327 328ASN1_CHOICE(ResponderID) = { 329 ASN1_EXP(ResponderID, d.byName, X509_NAME, 1), 330 ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2) 331} ASN1_CHOICE_END(ResponderID); 332 333ASN1_SEQUENCE(RevokedInfo) = { 334 ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME), 335 ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0) 336} ASN1_SEQUENCE_END(RevokedInfo); 337 338ASN1_CHOICE(CertStatus) = { 339 ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0), 340 ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1), 341 ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2) 342} ASN1_CHOICE_END(CertStatus); 343 344ASN1_SEQUENCE(SingleResponse) = { 345 ASN1_SIMPLE(SingleResponse, certID, CertID), 346 ASN1_SIMPLE(SingleResponse, certStatus, CertStatus), 347 ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME), 348 ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0), 349 ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1) 350} ASN1_SEQUENCE_END(SingleResponse); 351 352ASN1_SEQUENCE(ResponseData) = { 353 ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0), 354 ASN1_SIMPLE(ResponseData, responderID, ResponderID), 355 ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME), 356 ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse), 357 ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1) 358} ASN1_SEQUENCE_END(ResponseData); 359 360ASN1_SEQUENCE(BasicOCSPResponse) = { 361 ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData), 362 ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR), 363 ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING), 364 ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0) 365} ASN1_SEQUENCE_END(BasicOCSPResponse); 366 367