2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
58 #include <openssl/asn1.h>
59 #include <openssl/asn1t.h>
60 #include <openssl/x509v3.h>
65 /* Example of new ASN1 code, OCSP request
67 OCSPRequest ::= SEQUENCE {
68 tbsRequest TBSRequest,
69 optionalSignature [0] EXPLICIT Signature OPTIONAL }
71 TBSRequest ::= SEQUENCE {
72 version [0] EXPLICIT Version DEFAULT v1,
73 requestorName [1] EXPLICIT GeneralName OPTIONAL,
74 requestList SEQUENCE OF Request,
75 requestExtensions [2] EXPLICIT Extensions OPTIONAL }
77 Signature ::= SEQUENCE {
78 signatureAlgorithm AlgorithmIdentifier,
80 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
82 Version ::= INTEGER { v1(0) }
84 Request ::= SEQUENCE {
86 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
89 hashAlgorithm AlgorithmIdentifier,
90 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
91 issuerKeyHash OCTET STRING, -- Hash of Issuer's public key
92 serialNumber CertificateSerialNumber }
94 OCSPResponse ::= SEQUENCE {
95 responseStatus OCSPResponseStatus,
96 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
98 OCSPResponseStatus ::= ENUMERATED {
99 successful (0), --Response has valid confirmations
100 malformedRequest (1), --Illegal confirmation request
101 internalError (2), --Internal error in issuer
102 tryLater (3), --Try again later
104 sigRequired (5), --Must sign the request
105 unauthorized (6) --Request unauthorized
108 ResponseBytes ::= SEQUENCE {
109 responseType OBJECT IDENTIFIER,
110 response OCTET STRING }
112 BasicOCSPResponse ::= SEQUENCE {
113 tbsResponseData ResponseData,
114 signatureAlgorithm AlgorithmIdentifier,
115 signature BIT STRING,
116 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
118 ResponseData ::= SEQUENCE {
119 version [0] EXPLICIT Version DEFAULT v1,
120 responderID ResponderID,
121 producedAt GeneralizedTime,
122 responses SEQUENCE OF SingleResponse,
123 responseExtensions [1] EXPLICIT Extensions OPTIONAL }
125 ResponderID ::= CHOICE {
126 byName [1] Name, --EXPLICIT
129 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
130 --(excluding the tag and length fields)
132 SingleResponse ::= SEQUENCE {
134 certStatus CertStatus,
135 thisUpdate GeneralizedTime,
136 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
137 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
139 CertStatus ::= CHOICE {
140 good [0] IMPLICIT NULL,
141 revoked [1] IMPLICIT RevokedInfo,
142 unknown [2] IMPLICIT UnknownInfo }
144 RevokedInfo ::= SEQUENCE {
145 revocationTime GeneralizedTime,
146 revocationReason [0] EXPLICIT CRLReason OPTIONAL }
148 UnknownInfo ::= NULL -- this can be replaced with an enumeration
150 ArchiveCutoff ::= GeneralizedTime
152 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
154 ServiceLocator ::= SEQUENCE {
156 locator AuthorityInfoAccessSyntax }
158 -- Object Identifiers
160 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
161 id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
162 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
163 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
164 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
165 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
166 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
167 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
168 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
172 /* Request Structures */
/* Stack type for TBSRequest.requestList (SEQUENCE OF Request). */
DECLARE_STACK_OF(Request)
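/*
 * Decoded TBSRequest; the member list matches the ASN1_SEQUENCE(TBSRequest)
 * template below. The typedef scaffolding around the members is restored
 * here from that template.
 */
typedef struct {
	ASN1_INTEGER *version;                        /* [0] EXPLICIT, DEFAULT v1 (0): NULL when absent */
	GENERAL_NAME *requestorName;                  /* [1] EXPLICIT OPTIONAL */
	STACK_OF(Request) *requestList;               /* SEQUENCE OF Request, mandatory */
	STACK_OF(X509_EXTENSION) *requestExtensions;  /* [2] EXPLICIT OPTIONAL */
} TBSRequest;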
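/*
 * Decoded OCSP request Signature; the member list matches the
 * ASN1_SEQUENCE(Signature) template below. The typedef scaffolding around
 * the members is restored here from that template.
 */
typedef struct {
	X509_ALGOR *signatureAlgorithm;   /* AlgorithmIdentifier */
	ASN1_BIT_STRING *signature;       /* BIT STRING over the DER of tbsRequest */
	STACK_OF(X509) *certs;            /* [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL;
	                                   * hints for locating the signer, not trusted as-is */
} Signature;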
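/*
 * Decoded OCSPRequest; the member list matches the ASN1_SEQUENCE(OCSPRequest)
 * template below. The typedef scaffolding is restored from that template.
 */
typedef struct {
	TBSRequest *tbsRequest;        /* the signed (or unsigned) request body */
	Signature *optionalSignature;  /* [0] EXPLICIT OPTIONAL; NULL for an unsigned request */
} OCSPRequest;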
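/*
 * Decoded CertID; the member list matches the ASN1_SEQUENCE(CertID) template
 * below. The typedef scaffolding is restored from that template.
 * Both hashes are computed with hashAlgorithm; a match requires all four
 * members to agree, never the serial number alone.
 */
typedef struct {
	X509_ALGOR *hashAlgorithm;               /* algorithm used for both hashes */
	ASN1_OCTET_STRING *issuerNameHash;       /* hash of the issuer's DN */
	ASN1_OCTET_STRING *issuerKeyHash;        /* hash of the issuer's public key */
	ASN1_INTEGER *certificateSerialNumber;   /* serialNumber of the certificate in question */
} CertID;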
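/*
 * Decoded Request (one entry of TBSRequest.requestList); the member list
 * matches the ASN1_SEQUENCE(Request) template below, which also references
 * the reqCert member restored here.
 */
typedef struct {
	CertID *reqCert;                                   /* the certificate being asked about */
	STACK_OF(X509_EXTENSION) *singleRequestExtensions; /* [0] EXPLICIT OPTIONAL */
} Request;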
206 /* Response structures */
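/*
 * Decoded ResponseBytes; matches the ASN1_SEQUENCE(ResponseBytes) template
 * below. The typedef scaffolding is restored from that template.
 * `response` is opaque until responseType has been checked (id-pkix-ocsp-basic
 * for a DER BasicOCSPResponse).
 */
typedef struct {
	ASN1_OBJECT *responseType;     /* OBJECT IDENTIFIER naming the encoding of `response` */
	ASN1_OCTET_STRING *response;   /* OCTET STRING holding the encoded response */
} ResponseBytes;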
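/*
 * Decoded OCSPResponse; matches the ASN1_SEQUENCE(OCSPResponse) template
 * below. The typedef scaffolding is restored from that template.
 */
typedef struct {
	ASN1_ENUMERATED *responseStatus;   /* OCSPResponseStatus: successful(0) .. unauthorized(6) */
	ResponseBytes *responseBytes;      /* [0] EXPLICIT OPTIONAL; NULL on error statuses */
} OCSPResponse;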
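/*
 * Decoded ResponderID CHOICE; the union members match the
 * ASN1_CHOICE(ResponderID) template below (d.byName, d.byKey). The
 * scaffolding is restored from that template.
 */
typedef struct {
	int type;   /* CHOICE selector written by the decoder; ASN1_CHOICE_END
	             * expects a member of this name -- confirm against asn1t.h */
	union {
		X509_NAME *byName;           /* [1] Name */
		ASN1_OCTET_STRING *byKey;    /* [2] KeyHash: SHA-1 of the responder's public key */
	} d;
} ResponderID;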
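/*
 * Decoded ResponseData (the signed part of BasicOCSPResponse); matches the
 * ASN1_SEQUENCE(ResponseData) template below. The typedef scaffolding is
 * restored from that template.
 */
typedef struct {
	ASN1_INTEGER *version;                         /* [0] EXPLICIT, DEFAULT v1: NULL when absent */
	ResponderID *responderID;                      /* who produced the response */
	ASN1_GENERALIZEDTIME *producedAt;              /* time the response was signed */
	STACK_OF(SingleResponse) *responses;           /* SEQUENCE OF SingleResponse */
	STACK_OF(X509_EXTENSION) *responseExtensions;  /* [1] EXPLICIT OPTIONAL */
} ResponseData;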
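/*
 * Decoded BasicOCSPResponse; matches the ASN1_SEQUENCE(BasicOCSPResponse)
 * template below. The typedef scaffolding is restored from that template.
 */
typedef struct {
	ResponseData *tbsResponseData;    /* the signed body */
	X509_ALGOR *signatureAlgorithm;   /* AlgorithmIdentifier */
	ASN1_BIT_STRING *signature;       /* BIT STRING over the DER of tbsResponseData */
	STACK_OF(X509) *certs;            /* [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL;
	                                   * helps locate the signer, must still be validated */
} BasicOCSPResponse;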
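/*
 * Decoded RevokedInfo; matches the ASN1_SEQUENCE(RevokedInfo) template
 * below. The typedef scaffolding is restored from that template.
 */
typedef struct {
	ASN1_GENERALIZEDTIME *revocationTime;   /* when the certificate was revoked */
	ASN1_ENUMERATED *revocationReason;      /* [0] EXPLICIT CRLReason OPTIONAL; NULL when absent */
} RevokedInfo;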
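/*
 * Decoded CertStatus CHOICE; the union members match the
 * ASN1_CHOICE(CertStatus) template below (d.good, d.revoked, d.unknown).
 * The scaffolding is restored from that template. Only `revoked` carries
 * data; `unknown` is not `good` and callers must not treat it as such.
 */
typedef struct {
	int type;   /* CHOICE selector written by the decoder; ASN1_CHOICE_END
	             * expects a member of this name -- confirm against asn1t.h */
	union {
		ASN1_NULL *good;        /* [0] IMPLICIT NULL */
		RevokedInfo *revoked;   /* [1] IMPLICIT RevokedInfo */
		ASN1_NULL *unknown;     /* [2] IMPLICIT NULL */
	} d;
} CertStatus;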
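/*
 * Decoded SingleResponse; the member list matches the
 * ASN1_SEQUENCE(SingleResponse) template below, which also references the
 * certID member restored here.
 */
typedef struct {
	CertID *certID;                              /* which certificate this status is for */
	CertStatus *certStatus;                      /* good / revoked / unknown */
	ASN1_GENERALIZEDTIME *thisUpdate;            /* time this status is known to be correct */
	ASN1_GENERALIZEDTIME *nextUpdate;            /* [0] EXPLICIT OPTIONAL; NULL when absent */
	STACK_OF(X509_EXTENSION) *singleExtensions;  /* [1] EXPLICIT OPTIONAL */
} SingleResponse;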
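/*
 * Decoded ServiceLocator extension value (see the ASN.1 module above).
 * No template for it appears in this file yet.
 */
typedef struct {
	X509_NAME *issuer;                       /* NOTE(review): RFC 2560 defines
	                                          * ServiceLocator as { issuer Name, locator ... };
	                                          * restored from the RFC -- confirm */
	STACK_OF(ACCESS_DESCRIPTION) *locator;   /* AuthorityInfoAccessSyntax */
} ServiceLocator;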
270 /* Now the ASN1 templates */
/*
 * Compatibility wrappers so the templates below can reference these
 * pre-existing X.509 types through their legacy encode/decode routines.
 */
IMPLEMENT_COMPAT_ASN1(X509);
IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
/*
 * No compat wrapper for X509_EXTENSION: it gets a native
 * ASN1_SEQUENCE(X509_EXTENSION) template below instead.
 */
IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
IMPLEMENT_COMPAT_ASN1(X509_NAME);
/*
 * Native template for X509_EXTENSION:
 *   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
 *                            critical BOOLEAN DEFAULT FALSE,
 *                            extnValue OCTET STRING }
 * `critical` is declared ASN1_OPT, so the decoder leaves it unset when the
 * flag is absent on the wire (TODO confirm the sentinel it uses); X.509's
 * DEFAULT FALSE means consumers must treat "absent" exactly as FALSE.
 */
ASN1_SEQUENCE(X509_EXTENSION) = {
	ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
	ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
	ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION);
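/*
 * Signature ::= SEQUENCE {
 *     signatureAlgorithm AlgorithmIdentifier,
 *     signature          BIT STRING,
 *     certs          [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 *
 * `certs` is [0] EXPLICIT and OPTIONAL in the module above, and
 * BasicOCSPResponse below encodes the same construct with
 * ASN1_EXP_SEQUENCE_OF_OPT. A plain ASN1_SEQUENCE_OF here made the field
 * mandatory and untagged, so conforming signed requests (with or without
 * certs) would not round-trip through this template.
 * Certificates in `certs` are only a hint for locating the signer's key;
 * the verifier still has to validate them before trusting the signature.
 */
ASN1_SEQUENCE(Signature) = {
	ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
	ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
	ASN1_EXP_SEQUENCE_OF_OPT(Signature, certs, X509, 0)
} ASN1_SEQUENCE_END(Signature);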
/*
 * CertID ::= SEQUENCE {
 *     hashAlgorithm  AlgorithmIdentifier,
 *     issuerNameHash OCTET STRING,   -- hash of the issuer's DN
 *     issuerKeyHash  OCTET STRING,   -- hash of the issuer's public key
 *     serialNumber   CertificateSerialNumber }
 * All four members are mandatory. Both hashes are computed with
 * hashAlgorithm, so a responder must compare the algorithm and both hashes
 * as well as the serial number when matching a request to a certificate.
 */
ASN1_SEQUENCE(CertID) = {
	ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
	ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
	ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
	ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
} ASN1_SEQUENCE_END(CertID);
/*
 * Request ::= SEQUENCE {
 *     reqCert                     CertID,
 *     singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
 * The extensions are an optional explicitly tagged SEQUENCE OF; the stack
 * member is NULL when they are absent.
 */
ASN1_SEQUENCE(Request) = {
	ASN1_SIMPLE(Request, reqCert, CertID),
	ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
} ASN1_SEQUENCE_END(Request);
/*
 * TBSRequest ::= SEQUENCE {
 *     version           [0] EXPLICIT Version DEFAULT v1,
 *     requestorName     [1] EXPLICIT GeneralName OPTIONAL,
 *     requestList           SEQUENCE OF Request,
 *     requestExtensions [2] EXPLICIT Extensions OPTIONAL }
 * `version` is modelled as an optional explicit field rather than a DEFAULT,
 * so an absent version decodes to NULL and must be read as v1 (0).
 * `requestorName` is informational only; it does not authenticate the
 * requester unless the request is also signed and verified.
 */
ASN1_SEQUENCE(TBSRequest) = {
	ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
	ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
	ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
	ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
} ASN1_SEQUENCE_END(TBSRequest);
/*
 * OCSPRequest ::= SEQUENCE {
 *     tbsRequest            TBSRequest,
 *     optionalSignature [0] EXPLICIT Signature OPTIONAL }
 * The signature, when present, covers the DER encoding of tbsRequest.
 * Its presence alone proves nothing; a responder that cares who sent the
 * request must verify it against a key it trusts.
 */
ASN1_SEQUENCE(OCSPRequest) = {
	ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
	ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
} ASN1_SEQUENCE_END(OCSPRequest);
316 /* Response templates */
/*
 * ResponseBytes ::= SEQUENCE {
 *     responseType OBJECT IDENTIFIER,
 *     response     OCTET STRING }
 * `response` is an opaque blob whose encoding is named by responseType;
 * check the OID (id-pkix-ocsp-basic for a DER BasicOCSPResponse) before
 * handing the octets to a decoder.
 */
ASN1_SEQUENCE(ResponseBytes) = {
	ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
	ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(ResponseBytes);
/*
 * OCSPResponse ::= SEQUENCE {
 *     responseStatus     OCSPResponseStatus,
 *     responseBytes  [0] EXPLICIT ResponseBytes OPTIONAL }
 * responseStatus takes the ENUMERATED values listed in the module above
 * (successful(0) through unauthorized(6)). responseBytes is NULL when
 * absent, which is the expected shape for any non-successful status.
 */
ASN1_SEQUENCE(OCSPResponse) = {
	ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
	ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
} ASN1_SEQUENCE_END(OCSPResponse);
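/*
 * ResponderID ::= CHOICE {
 *     byName [1] Name,
 *     byKey  [2] KeyHash }   -- KeyHash ::= OCTET STRING, SHA-1 of the key
 *
 * RFC 2560's OCSP module is DEFINITIONS EXPLICIT TAGS, so both alternatives
 * carry an EXPLICIT context tag (the module comment above marks byName as
 * EXPLICIT for that reason). byKey was declared ASN1_IMP here, which would
 * neither produce nor accept a conforming responder's byKey encoding; it
 * now uses ASN1_EXP like byName, matching the tagging of the spec.
 * `d` is the union selected by the CHOICE struct's `type` member.
 */
ASN1_CHOICE(ResponderID) = {
	ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
	ASN1_EXP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
} ASN1_CHOICE_END(ResponderID);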
/*
 * RevokedInfo ::= SEQUENCE {
 *     revocationTime       GeneralizedTime,
 *     revocationReason [0] EXPLICIT CRLReason OPTIONAL }
 * revocationReason carries the CRLReason ENUMERATED values; it is NULL
 * when the responder did not supply one.
 */
ASN1_SEQUENCE(RevokedInfo) = {
	ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
	ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
} ASN1_SEQUENCE_END(RevokedInfo);
/*
 * CertStatus ::= CHOICE {
 *     good    [0] IMPLICIT NULL,
 *     revoked [1] IMPLICIT RevokedInfo,
 *     unknown [2] IMPLICIT UnknownInfo }   -- UnknownInfo ::= NULL
 * All three alternatives are IMPLICIT per the module above. `good` and
 * `unknown` carry no payload and are told apart only by the selector;
 * `unknown` must never be interpreted as `good` by a relying party.
 */
ASN1_CHOICE(CertStatus) = {
	ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
	ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
	ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
} ASN1_CHOICE_END(CertStatus);
/*
 * SingleResponse ::= SEQUENCE {
 *     certID               CertID,
 *     certStatus           CertStatus,
 *     thisUpdate           GeneralizedTime,
 *     nextUpdate       [0] EXPLICIT GeneralizedTime OPTIONAL,
 *     singleExtensions [1] EXPLICIT Extensions OPTIONAL }
 * nextUpdate is optional (NULL when absent); freshness checks on the
 * consumer side must cope with its absence rather than assume a window.
 */
ASN1_SEQUENCE(SingleResponse) = {
	ASN1_SIMPLE(SingleResponse, certID, CertID),
	ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
	ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
	ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
	ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(SingleResponse);
/*
 * ResponseData ::= SEQUENCE {
 *     version            [0] EXPLICIT Version DEFAULT v1,
 *     responderID            ResponderID,
 *     producedAt             GeneralizedTime,
 *     responses              SEQUENCE OF SingleResponse,
 *     responseExtensions [1] EXPLICIT Extensions OPTIONAL }
 * This is the part of BasicOCSPResponse that the signature covers.
 * As in TBSRequest, `version` is modelled as optional: NULL means v1 (0).
 */
ASN1_SEQUENCE(ResponseData) = {
	ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
	ASN1_SIMPLE(ResponseData, responderID, ResponderID),
	ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
	ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
	ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
} ASN1_SEQUENCE_END(ResponseData);
/*
 * BasicOCSPResponse ::= SEQUENCE {
 *     tbsResponseData        ResponseData,
 *     signatureAlgorithm     AlgorithmIdentifier,
 *     signature              BIT STRING,
 *     certs              [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 * The signature is computed over the DER encoding of tbsResponseData.
 * `certs` (NULL when absent) only helps the verifier find the signer's
 * certificate; the signer still has to be the issuing CA, a delegate with
 * id-kp-OCSPSigning issued by that CA, or a locally trusted responder key.
 */
ASN1_SEQUENCE(BasicOCSPResponse) = {
	ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
	ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
	ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
	ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
} ASN1_SEQUENCE_END(BasicOCSPResponse);