0 | |
/* ocsp.c */
|
1 | |
/*
|
2 | |
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
|
3 | |
* 2000.
|
4 | |
*/
|
5 | |
/* ====================================================================
|
6 | |
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
|
7 | |
*
|
8 | |
* Redistribution and use in source and binary forms, with or without
|
9 | |
* modification, are permitted provided that the following conditions
|
10 | |
* are met:
|
11 | |
*
|
12 | |
* 1. Redistributions of source code must retain the above copyright
|
13 | |
* notice, this list of conditions and the following disclaimer.
|
14 | |
*
|
15 | |
* 2. Redistributions in binary form must reproduce the above copyright
|
16 | |
* notice, this list of conditions and the following disclaimer in
|
17 | |
* the documentation and/or other materials provided with the
|
18 | |
* distribution.
|
19 | |
*
|
20 | |
* 3. All advertising materials mentioning features or use of this
|
21 | |
* software must display the following acknowledgment:
|
22 | |
* "This product includes software developed by the OpenSSL Project
|
23 | |
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
24 | |
*
|
25 | |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
26 | |
* endorse or promote products derived from this software without
|
27 | |
* prior written permission. For written permission, please contact
|
28 | |
* licensing@OpenSSL.org.
|
29 | |
*
|
30 | |
* 5. Products derived from this software may not be called "OpenSSL"
|
31 | |
* nor may "OpenSSL" appear in their names without prior written
|
32 | |
* permission of the OpenSSL Project.
|
33 | |
*
|
34 | |
* 6. Redistributions of any form whatsoever must retain the following
|
35 | |
* acknowledgment:
|
36 | |
* "This product includes software developed by the OpenSSL Project
|
37 | |
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
38 | |
*
|
39 | |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
40 | |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
41 | |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
42 | |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
43 | |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
44 | |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
45 | |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
46 | |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
47 | |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
48 | |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
49 | |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
50 | |
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
51 | |
* ====================================================================
|
52 | |
*
|
53 | |
* This product includes cryptographic software written by Eric Young
|
54 | |
* (eay@cryptsoft.com). This product includes software written by Tim
|
55 | |
* Hudson (tjh@cryptsoft.com).
|
56 | |
*
|
57 | |
*/
|
58 | |
#include <openssl/asn1.h>
|
59 | |
#include <openssl/asn1t.h>
|
60 | |
#include <openssl/x509v3.h>
|
61 | |
|
62 | |
/*-
|
63 | |
Example of new ASN1 code, OCSP request
|
64 | |
|
65 | |
OCSPRequest ::= SEQUENCE {
|
66 | |
tbsRequest TBSRequest,
|
67 | |
optionalSignature [0] EXPLICIT Signature OPTIONAL }
|
68 | |
|
69 | |
TBSRequest ::= SEQUENCE {
|
70 | |
version [0] EXPLICIT Version DEFAULT v1,
|
71 | |
requestorName [1] EXPLICIT GeneralName OPTIONAL,
|
72 | |
requestList SEQUENCE OF Request,
|
73 | |
requestExtensions [2] EXPLICIT Extensions OPTIONAL }
|
74 | |
|
75 | |
Signature ::= SEQUENCE {
|
76 | |
signatureAlgorithm AlgorithmIdentifier,
|
77 | |
signature BIT STRING,
|
78 | |
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
|
79 | |
|
80 | |
Version ::= INTEGER { v1(0) }
|
81 | |
|
82 | |
Request ::= SEQUENCE {
|
83 | |
reqCert CertID,
|
84 | |
singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
|
85 | |
|
86 | |
CertID ::= SEQUENCE {
|
87 | |
hashAlgorithm AlgorithmIdentifier,
|
88 | |
issuerNameHash OCTET STRING, -- Hash of Issuer's DN
|
89 | |
issuerKeyHash OCTET STRING, -- Hash of Issuers public key
|
90 | |
serialNumber CertificateSerialNumber }
|
91 | |
|
92 | |
OCSPResponse ::= SEQUENCE {
|
93 | |
responseStatus OCSPResponseStatus,
|
94 | |
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
|
95 | |
|
96 | |
OCSPResponseStatus ::= ENUMERATED {
|
97 | |
successful (0), --Response has valid confirmations
|
98 | |
malformedRequest (1), --Illegal confirmation request
|
99 | |
internalError (2), --Internal error in issuer
|
100 | |
tryLater (3), --Try again later
|
101 | |
--(4) is not used
|
102 | |
sigRequired (5), --Must sign the request
|
103 | |
unauthorized (6) --Request unauthorized
|
104 | |
}
|
105 | |
|
106 | |
ResponseBytes ::= SEQUENCE {
|
107 | |
responseType OBJECT IDENTIFIER,
|
108 | |
response OCTET STRING }
|
109 | |
|
110 | |
BasicOCSPResponse ::= SEQUENCE {
|
111 | |
tbsResponseData ResponseData,
|
112 | |
signatureAlgorithm AlgorithmIdentifier,
|
113 | |
signature BIT STRING,
|
114 | |
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
|
115 | |
|
116 | |
ResponseData ::= SEQUENCE {
|
117 | |
version [0] EXPLICIT Version DEFAULT v1,
|
118 | |
responderID ResponderID,
|
119 | |
producedAt GeneralizedTime,
|
120 | |
responses SEQUENCE OF SingleResponse,
|
121 | |
responseExtensions [1] EXPLICIT Extensions OPTIONAL }
|
122 | |
|
123 | |
ResponderID ::= CHOICE {
|
124 | |
byName [1] Name, --EXPLICIT
|
125 | |
byKey [2] KeyHash }
|
126 | |
|
127 | |
KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
|
128 | |
--(excluding the tag and length fields)
|
129 | |
|
130 | |
SingleResponse ::= SEQUENCE {
|
131 | |
certID CertID,
|
132 | |
certStatus CertStatus,
|
133 | |
thisUpdate GeneralizedTime,
|
134 | |
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
|
135 | |
singleExtensions [1] EXPLICIT Extensions OPTIONAL }
|
136 | |
|
137 | |
CertStatus ::= CHOICE {
|
138 | |
good [0] IMPLICIT NULL,
|
139 | |
revoked [1] IMPLICIT RevokedInfo,
|
140 | |
unknown [2] IMPLICIT UnknownInfo }
|
141 | |
|
142 | |
RevokedInfo ::= SEQUENCE {
|
143 | |
revocationTime GeneralizedTime,
|
144 | |
revocationReason [0] EXPLICIT CRLReason OPTIONAL }
|
145 | |
|
146 | |
UnknownInfo ::= NULL -- this can be replaced with an enumeration
|
147 | |
|
148 | |
ArchiveCutoff ::= GeneralizedTime
|
149 | |
|
150 | |
AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
|
151 | |
|
152 | |
ServiceLocator ::= SEQUENCE {
|
153 | |
issuer Name,
|
154 | |
locator AuthorityInfoAccessSyntax }
|
155 | |
|
156 | |
-- Object Identifiers
|
157 | |
|
158 | |
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
|
159 | |
id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
|
160 | |
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
|
161 | |
id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
|
162 | |
id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
|
163 | |
id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
|
164 | |
id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
|
165 | |
id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
|
166 | |
id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
|
167 | |
|
168 | |
*/
|
169 | |
|
170 | |
/* Request Structures */
|
171 | |
|
172 | |
DECLARE_STACK_OF(Request)
|
173 | |
|
174 | |
typedef struct {
|
175 | |
ASN1_INTEGER *version;
|
176 | |
GENERAL_NAME *requestorName;
|
177 | |
STACK_OF(Request) *requestList;
|
178 | |
STACK_OF(X509_EXTENSION) *requestExtensions;
|
179 | |
} TBSRequest;
|
180 | |
|
181 | |
typedef struct {
|
182 | |
X509_ALGOR *signatureAlgorithm;
|
183 | |
ASN1_BIT_STRING *signature;
|
184 | |
STACK_OF(X509) *certs;
|
185 | |
} Signature;
|
186 | |
|
187 | |
typedef struct {
|
188 | |
TBSRequest *tbsRequest;
|
189 | |
Signature *optionalSignature;
|
190 | |
} OCSPRequest;
|
191 | |
|
192 | |
typedef struct {
|
193 | |
X509_ALGOR *hashAlgorithm;
|
194 | |
ASN1_OCTET_STRING *issuerNameHash;
|
195 | |
ASN1_OCTET_STRING *issuerKeyHash;
|
196 | |
ASN1_INTEGER *certificateSerialNumber;
|
197 | |
} CertID;
|
198 | |
|
199 | |
typedef struct {
|
200 | |
CertID *reqCert;
|
201 | |
STACK_OF(X509_EXTENSION) *singleRequestExtensions;
|
202 | |
} Request;
|
203 | |
|
204 | |
/* Response structures */
|
205 | |
|
206 | |
typedef struct {
|
207 | |
ASN1_OBJECT *responseType;
|
208 | |
ASN1_OCTET_STRING *response;
|
209 | |
} ResponseBytes;
|
210 | |
|
211 | |
typedef struct {
|
212 | |
ASN1_ENUMERATED *responseStatus;
|
213 | |
ResponseBytes *responseBytes;
|
214 | |
} OCSPResponse;
|
215 | |
|
216 | |
typedef struct {
|
217 | |
int type;
|
218 | |
union {
|
219 | |
X509_NAME *byName;
|
220 | |
ASN1_OCTET_STRING *byKey;
|
221 | |
} d;
|
222 | |
} ResponderID;
|
223 | |
|
224 | |
typedef struct {
|
225 | |
ASN1_INTEGER *version;
|
226 | |
ResponderID *responderID;
|
227 | |
ASN1_GENERALIZEDTIME *producedAt;
|
228 | |
STACK_OF(SingleResponse) *responses;
|
229 | |
STACK_OF(X509_EXTENSION) *responseExtensions;
|
230 | |
} ResponseData;
|
231 | |
|
232 | |
typedef struct {
|
233 | |
ResponseData *tbsResponseData;
|
234 | |
X509_ALGOR *signatureAlgorithm;
|
235 | |
ASN1_BIT_STRING *signature;
|
236 | |
STACK_OF(X509) *certs;
|
237 | |
} BasicOCSPResponse;
|
238 | |
|
239 | |
typedef struct {
|
240 | |
ASN1_GENERALIZEDTIME *revocationTime;
|
241 | |
ASN1_ENUMERATED *revocationReason;
|
242 | |
} RevokedInfo;
|
243 | |
|
244 | |
typedef struct {
|
245 | |
int type;
|
246 | |
union {
|
247 | |
ASN1_NULL *good;
|
248 | |
RevokedInfo *revoked;
|
249 | |
ASN1_NULL *unknown;
|
250 | |
} d;
|
251 | |
} CertStatus;
|
252 | |
|
253 | |
typedef struct {
|
254 | |
CertID *certID;
|
255 | |
CertStatus *certStatus;
|
256 | |
ASN1_GENERALIZEDTIME *thisUpdate;
|
257 | |
ASN1_GENERALIZEDTIME *nextUpdate;
|
258 | |
STACK_OF(X509_EXTENSION) *singleExtensions;
|
259 | |
} SingleResponse;
|
260 | |
|
261 | |
typedef struct {
|
262 | |
X509_NAME *issuer;
|
263 | |
STACK_OF(ACCESS_DESCRIPTION) *locator;
|
264 | |
} ServiceLocator;
|
265 | |
|
266 | |
/* Now the ASN1 templates */
|
267 | |
|
268 | |
IMPLEMENT_COMPAT_ASN1(X509);
|
269 | |
IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
|
270 | |
// IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
|
271 | |
IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
|
272 | |
IMPLEMENT_COMPAT_ASN1(X509_NAME);
|
273 | |
|
274 | |
ASN1_SEQUENCE(X509_EXTENSION) = {
|
275 | |
ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
|
276 | |
ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
|
277 | |
ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
|
278 | |
} ASN1_SEQUENCE_END(X509_EXTENSION);
|
279 | |
|
280 | |
|
281 | |
ASN1_SEQUENCE(Signature) = {
|
282 | |
ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
|
283 | |
ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
|
284 | |
ASN1_SEQUENCE_OF(Signature, certs, X509)
|
285 | |
} ASN1_SEQUENCE_END(Signature);
|
286 | |
|
287 | |
ASN1_SEQUENCE(CertID) = {
|
288 | |
ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
|
289 | |
ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
|
290 | |
ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
|
291 | |
ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
|
292 | |
} ASN1_SEQUENCE_END(CertID);
|
293 | |
|
294 | |
ASN1_SEQUENCE(Request) = {
|
295 | |
ASN1_SIMPLE(Request, reqCert, CertID),
|
296 | |
ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
|
297 | |
} ASN1_SEQUENCE_END(Request);
|
298 | |
|
299 | |
ASN1_SEQUENCE(TBSRequest) = {
|
300 | |
ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
|
301 | |
ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
|
302 | |
ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
|
303 | |
ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
|
304 | |
} ASN1_SEQUENCE_END(TBSRequest);
|
305 | |
|
306 | |
ASN1_SEQUENCE(OCSPRequest) = {
|
307 | |
ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
|
308 | |
ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
|
309 | |
} ASN1_SEQUENCE_END(OCSPRequest);
|
310 | |
|
311 | |
/* Response templates */
|
312 | |
|
313 | |
ASN1_SEQUENCE(ResponseBytes) = {
|
314 | |
ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
|
315 | |
ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
|
316 | |
} ASN1_SEQUENCE_END(ResponseBytes);
|
317 | |
|
318 | |
ASN1_SEQUENCE(OCSPResponse) = {
|
319 | |
ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
|
320 | |
ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
|
321 | |
} ASN1_SEQUENCE_END(OCSPResponse);
|
322 | |
|
323 | |
ASN1_CHOICE(ResponderID) = {
|
324 | |
ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
|
325 | |
ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
|
326 | |
} ASN1_CHOICE_END(ResponderID);
|
327 | |
|
328 | |
ASN1_SEQUENCE(RevokedInfo) = {
|
329 | |
ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
|
330 | |
ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
|
331 | |
} ASN1_SEQUENCE_END(RevokedInfo);
|
332 | |
|
333 | |
ASN1_CHOICE(CertStatus) = {
|
334 | |
ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
|
335 | |
ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
|
336 | |
ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
|
337 | |
} ASN1_CHOICE_END(CertStatus);
|
338 | |
|
339 | |
ASN1_SEQUENCE(SingleResponse) = {
|
340 | |
ASN1_SIMPLE(SingleResponse, certID, CertID),
|
341 | |
ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
|
342 | |
ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
|
343 | |
ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
|
344 | |
ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
|
345 | |
} ASN1_SEQUENCE_END(SingleResponse);
|
346 | |
|
347 | |
ASN1_SEQUENCE(ResponseData) = {
|
348 | |
ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
|
349 | |
ASN1_SIMPLE(ResponseData, responderID, ResponderID),
|
350 | |
ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
|
351 | |
ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
|
352 | |
ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
|
353 | |
} ASN1_SEQUENCE_END(ResponseData);
|
354 | |
|
355 | |
ASN1_SEQUENCE(BasicOCSPResponse) = {
|
356 | |
ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
|
357 | |
ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
|
358 | |
ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
|
359 | |
ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
|
360 | |
} ASN1_SEQUENCE_END(BasicOCSPResponse);
|