xref: /dragonfly/crypto/libressl/crypto/ocsp/ocsp_local.h (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: ocsp_local.h,v 1.2 2022/01/14 08:32:26 tb Exp $ */
2 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3  * project. */
4 
5 /* History:
6    This file was transfered to Richard Levitte from CertCo by Kathy
7    Weinhold in mid-spring 2000 to be included in OpenSSL or released
8    as a patch kit. */
9 
10 /* ====================================================================
11  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  *
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  *
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in
22  *    the documentation and/or other materials provided with the
23  *    distribution.
24  *
25  * 3. All advertising materials mentioning features or use of this
26  *    software must display the following acknowledgment:
27  *    "This product includes software developed by the OpenSSL Project
28  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29  *
30  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31  *    endorse or promote products derived from this software without
32  *    prior written permission. For written permission, please contact
33  *    openssl-core@openssl.org.
34  *
35  * 5. Products derived from this software may not be called "OpenSSL"
36  *    nor may "OpenSSL" appear in their names without prior written
37  *    permission of the OpenSSL Project.
38  *
39  * 6. Redistributions of any form whatsoever must retain the following
40  *    acknowledgment:
41  *    "This product includes software developed by the OpenSSL Project
42  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43  *
44  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
48  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55  * OF THE POSSIBILITY OF SUCH DAMAGE.
56  * ====================================================================
57  *
58  * This product includes cryptographic software written by Eric Young
59  * (eay@cryptsoft.com).  This product includes software written by Tim
60  * Hudson (tjh@cryptsoft.com).
61  *
62  */
63 
64 #ifndef HEADER_OCSP_LOCAL_H
65 #define HEADER_OCSP_LOCAL_H
66 
67 __BEGIN_HIDDEN_DECLS
68 
69 /*   CertID ::= SEQUENCE {
70  *       hashAlgorithm            AlgorithmIdentifier,
71  *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
72  *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
73  *       serialNumber       CertificateSerialNumber }
74  */
75 struct ocsp_cert_id_st {
76           X509_ALGOR *hashAlgorithm;
77           ASN1_OCTET_STRING *issuerNameHash;
78           ASN1_OCTET_STRING *issuerKeyHash;
79           ASN1_INTEGER *serialNumber;
80 } /* OCSP_CERTID */;
81 
82 /*   Request ::=     SEQUENCE {
83  *       reqCert                    CertID,
84  *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
85  */
86 struct ocsp_one_request_st {
87           OCSP_CERTID *reqCert;
88           STACK_OF(X509_EXTENSION) *singleRequestExtensions;
89 } /* OCSP_ONEREQ */;
90 
91 /*   TBSRequest      ::=     SEQUENCE {
92  *       version             [0] EXPLICIT Version DEFAULT v1,
93  *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
94  *       requestList             SEQUENCE OF Request,
95  *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
96  */
97 struct ocsp_req_info_st {
98           ASN1_INTEGER *version;
99           GENERAL_NAME *requestorName;
100           STACK_OF(OCSP_ONEREQ) *requestList;
101           STACK_OF(X509_EXTENSION) *requestExtensions;
102 } /* OCSP_REQINFO */;
103 
104 /*   Signature       ::=     SEQUENCE {
105  *       signatureAlgorithm   AlgorithmIdentifier,
106  *       signature            BIT STRING,
107  *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
108  */
109 struct ocsp_signature_st {
110           X509_ALGOR *signatureAlgorithm;
111           ASN1_BIT_STRING *signature;
112           STACK_OF(X509) *certs;
113 } /* OCSP_SIGNATURE */;
114 
115 /*   OCSPRequest     ::=     SEQUENCE {
116  *       tbsRequest                  TBSRequest,
117  *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
118  */
119 struct ocsp_request_st {
120           OCSP_REQINFO *tbsRequest;
121           OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
122 } /* OCSP_REQUEST */;
123 
124 /*   OCSPResponseStatus ::= ENUMERATED {
125  *       successful            (0),      --Response has valid confirmations
126  *       malformedRequest      (1),      --Illegal confirmation request
127  *       internalError         (2),      --Internal error in issuer
128  *       tryLater              (3),      --Try again later
129  *                                       --(4) is not used
130  *       sigRequired           (5),      --Must sign the request
131  *       unauthorized          (6)       --Request unauthorized
132  *   }
133  */
134 
135 /*   ResponseBytes ::=       SEQUENCE {
136  *       responseType   OBJECT IDENTIFIER,
137  *       response       OCTET STRING }
138  */
139 struct ocsp_resp_bytes_st {
140           ASN1_OBJECT *responseType;
141           ASN1_OCTET_STRING *response;
142 } /* OCSP_RESPBYTES */;
143 
144 /*   OCSPResponse ::= SEQUENCE {
145  *      responseStatus         OCSPResponseStatus,
146  *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
147  */
148 struct ocsp_response_st {
149           ASN1_ENUMERATED *responseStatus;
150           OCSP_RESPBYTES  *responseBytes;
151 };
152 
153 /*   ResponderID ::= CHOICE {
154  *      byName   [1] Name,
155  *      byKey    [2] KeyHash }
156  */
157 struct ocsp_responder_id_st {
158           int type;
159           union {
160                     X509_NAME* byName;
161                     ASN1_OCTET_STRING *byKey;
162           } value;
163 };
164 
165 /*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
166  *                            --(excluding the tag and length fields)
167  */
168 
169 /*   RevokedInfo ::= SEQUENCE {
170  *       revocationTime              GeneralizedTime,
171  *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
172  */
173 struct ocsp_revoked_info_st {
174           ASN1_GENERALIZEDTIME *revocationTime;
175           ASN1_ENUMERATED *revocationReason;
176 } /* OCSP_REVOKEDINFO */;
177 
178 /*   CertStatus ::= CHOICE {
179  *       good                [0]     IMPLICIT NULL,
180  *       revoked             [1]     IMPLICIT RevokedInfo,
181  *       unknown             [2]     IMPLICIT UnknownInfo }
182  */
183 struct ocsp_cert_status_st {
184           int type;
185           union {
186                     ASN1_NULL *good;
187                     OCSP_REVOKEDINFO *revoked;
188                     ASN1_NULL *unknown;
189           } value;
190 } /* OCSP_CERTSTATUS */;
191 
192 /*   SingleResponse ::= SEQUENCE {
193  *      certID                       CertID,
194  *      certStatus                   CertStatus,
195  *      thisUpdate                   GeneralizedTime,
196  *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
197  *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
198  */
199 struct ocsp_single_response_st {
200           OCSP_CERTID *certId;
201           OCSP_CERTSTATUS *certStatus;
202           ASN1_GENERALIZEDTIME *thisUpdate;
203           ASN1_GENERALIZEDTIME *nextUpdate;
204           STACK_OF(X509_EXTENSION) *singleExtensions;
205 } /* OCSP_SINGLERESP */;
206 
207 /*   ResponseData ::= SEQUENCE {
208  *      version              [0] EXPLICIT Version DEFAULT v1,
209  *      responderID              ResponderID,
210  *      producedAt               GeneralizedTime,
211  *      responses                SEQUENCE OF SingleResponse,
212  *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
213  */
214 struct ocsp_response_data_st {
215           ASN1_INTEGER *version;
216           OCSP_RESPID  *responderId;
217           ASN1_GENERALIZEDTIME *producedAt;
218           STACK_OF(OCSP_SINGLERESP) *responses;
219           STACK_OF(X509_EXTENSION) *responseExtensions;
220 } /* OCSP_RESPDATA */;
221 
222 /*   BasicOCSPResponse       ::= SEQUENCE {
223  *      tbsResponseData      ResponseData,
224  *      signatureAlgorithm   AlgorithmIdentifier,
225  *      signature            BIT STRING,
226  *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
227  */
228   /* Note 1:
229      The value for "signature" is specified in the OCSP rfc2560 as follows:
230      "The value for the signature SHALL be computed on the hash of the DER
231      encoding ResponseData."  This means that you must hash the DER-encoded
232      tbsResponseData, and then run it through a crypto-signing function, which
233      will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
234      a bit odd, but that's the spec.  Also note that the data structures do not
235      leave anywhere to independently specify the algorithm used for the initial
236      hash. So, we look at the signature-specification algorithm, and try to do
237      something intelligent.   -- Kathy Weinhold, CertCo */
238   /* Note 2:
239      It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
240      for interpretation.  I've done tests against another responder, and found
241      that it doesn't do the double hashing that the RFC seems to say one
242      should.  Therefore, all relevant functions take a flag saying which
243      variant should be used.  -- Richard Levitte, OpenSSL team and CeloCom */
244 struct ocsp_basic_response_st {
245           OCSP_RESPDATA *tbsResponseData;
246           X509_ALGOR *signatureAlgorithm;
247           ASN1_BIT_STRING *signature;
248           STACK_OF(X509) *certs;
249 } /* OCSP_BASICRESP */;
250 
251 /* CrlID ::= SEQUENCE {
252  *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
253  *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
254  *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
255  */
256 struct ocsp_crl_id_st {
257           ASN1_IA5STRING *crlUrl;
258           ASN1_INTEGER *crlNum;
259           ASN1_GENERALIZEDTIME *crlTime;
260 } /* OCSP_CRLID */;
261 
262 /* ServiceLocator ::= SEQUENCE {
263  *      issuer    Name,
264  *      locator   AuthorityInfoAccessSyntax OPTIONAL }
265  */
266 struct ocsp_service_locator_st {
267           X509_NAME* issuer;
268           STACK_OF(ACCESS_DESCRIPTION) *locator;
269 } /* OCSP_SERVICELOC */;
270 
271 #define OCSP_REQUEST_sign(o,pkey,md) \
272     ASN1_item_sign(&OCSP_REQINFO_it, \
273           (o)->optionalSignature->signatureAlgorithm, NULL, \
274           (o)->optionalSignature->signature,o->tbsRequest, (pkey), (md))
275 
276 #define OCSP_BASICRESP_sign(o,pkey,md,d) \
277     ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
278           (o)->signature,(o)->tbsResponseData,(pkey),(md))
279 
280 #define OCSP_REQUEST_verify(a,r) \
281     ASN1_item_verify(&OCSP_REQINFO_it, \
282           (a)->optionalSignature->signatureAlgorithm, \
283           (a)->optionalSignature->signature, (a)->tbsRequest, (r))
284 
285 #define OCSP_BASICRESP_verify(a,r,d) \
286     ASN1_item_verify(&OCSP_RESPDATA_it, \
287           (a)->signatureAlgorithm, (a)->signature, (a)->tbsResponseData, (r))
288 
289 __END_HIDDEN_DECLS
290 
291 #endif /* !HEADER_OCSP_LOCAL_H */
292