2 -- $Id: ocsp.asn1,v 1.1 2008/03/22 09:42:41 mlelstv Exp $
3 OCSP DEFINITIONS EXPLICIT TAGS::=
8 Certificate, AlgorithmIdentifier, CRLReason,
9 Name, GeneralName, CertificateSerialNumber, Extensions
-- Protocol version carried (as an OPTIONAL field) in OCSPTBSRequest.version and
-- OCSPResponseData.version. Only ocsp-v1(0) is defined in this module; a decoder
-- has no other named value to compare against.
OCSPVersion ::= INTEGER { ocsp-v1(0) }
14 OCSPCertStatus ::= CHOICE {
15 good [0] IMPLICIT NULL,
16 revoked [1] IMPLICIT -- OCSPRevokedInfo -- SEQUENCE {
17 revocationTime GeneralizedTime,
18 revocationReason[0] EXPLICIT CRLReason OPTIONAL
20 unknown [2] IMPLICIT NULL }
-- Identifies a single certificate by its serial number together with hashes of
-- the issuer's name and key. Both hashes are presumably computed with
-- hashAlgorithm, which is chosen by the peer, so a decoder should only accept
-- algorithms it recognises and check that each hash has that algorithm's
-- digest length before comparing it with a locally computed value.
OCSPCertID ::= SEQUENCE {
    hashAlgorithm AlgorithmIdentifier,
    issuerNameHash OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash OCTET STRING, -- Hash of Issuer's public key
    -- Serial number as issued by the CA; only meaningful together with the
    -- issuer hashes above.
    serialNumber CertificateSerialNumber }
28 OCSPSingleResponse ::= SEQUENCE {
30 certStatus OCSPCertStatus,
31 thisUpdate GeneralizedTime,
32 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
33 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
35 OCSPInnerRequest ::= SEQUENCE {
37 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
-- The to-be-signed portion of an OCSP request (OCSPRequest.tbsRequest).
OCSPTBSRequest ::= SEQUENCE {
    -- The base syntax has DEFAULT v1 here; this module models it as OPTIONAL
    -- (the original DEFAULT is kept in the comment). Consequence for decoders:
    -- an absent version means ocsp-v1(0), and an explicitly encoded
    -- ocsp-v1(0) is accepted even though strict DER would omit a default value.
    version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
    -- Name claimed by the requestor. It is only as trustworthy as the
    -- signature over this structure, which is itself OPTIONAL in OCSPRequest.
    requestorName [1] EXPLICIT GeneralName OPTIONAL,
    -- No SIZE constraint: the syntax permits an empty list as well as an
    -- arbitrarily long one, so a responder should bound what it processes.
    requestList SEQUENCE OF OCSPInnerRequest,
    requestExtensions [2] EXPLICIT Extensions OPTIONAL }
45 OCSPSignature ::= SEQUENCE {
46 signatureAlgorithm AlgorithmIdentifier,
48 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-- Top-level OCSP request. optionalSignature is OPTIONAL, so an unsigned request
-- is syntactically valid; a responder must not treat the requestorName inside
-- tbsRequest as authenticated unless the signature is present and verified.
OCSPRequest ::= SEQUENCE {
    tbsRequest OCSPTBSRequest,
    -- Presumably a signature over the DER encoding of tbsRequest, carrying its
    -- own AlgorithmIdentifier and optional certificate chain (OCSPSignature).
    optionalSignature [0] EXPLICIT OCSPSignature OPTIONAL }
-- Opaque container for the actual response. responseType names the syntax of
-- the DER carried inside response; in this module the only concrete candidate
-- is id-pkix-ocsp-basic, which presumably selects OCSPBasicOCSPResponse. A
-- client should compare responseType against the OIDs it supports before
-- attempting to decode response, and should not decode it otherwise.
OCSPResponseBytes ::= SEQUENCE {
    responseType OBJECT IDENTIFIER,
    -- Unconstrained OCTET STRING: the nested DER has no length bound here.
    response OCTET STRING }
58 OCSPResponseStatus ::= ENUMERATED {
59 successful (0), --Response has valid confirmations
60 malformedRequest (1), --Illegal confirmation request
61 internalError (2), --Internal error in issuer
62 tryLater (3), --Try again later
64 sigRequired (5), --Must sign the request
65 unauthorized (6) --Request unauthorized
-- Top-level OCSP response. responseBytes is OPTIONAL, so a response consisting
-- of a status alone (e.g. tryLater) is valid. A client should check that
-- responseStatus is successful(0) and that responseBytes is present before
-- decoding it; a non-successful status carries no signed content to verify.
OCSPResponse ::= SEQUENCE {
    responseStatus OCSPResponseStatus,
    responseBytes [0] EXPLICIT OCSPResponseBytes OPTIONAL }
-- SHA-1 hash of responder's public key (excluding the tag and length fields).
-- The syntax carries no SIZE constraint, so a decoder should check that the
-- value is exactly the SHA-1 digest length (20 bytes) before comparing it with
-- a hash it computed itself; a shorter or longer value cannot be a valid match.
OCSPKeyHash ::= OCTET STRING
75 OCSPResponderID ::= CHOICE {
77 byKey [2] OCSPKeyHash }
-- The signed body of a basic response (OCSPBasicOCSPResponse.tbsResponseData).
OCSPResponseData ::= SEQUENCE {
    -- The base syntax has DEFAULT v1 here; this module models it as OPTIONAL
    -- (the original DEFAULT is kept in the comment). A decoder must treat an
    -- absent version as ocsp-v1(0) and will also accept an explicitly encoded
    -- ocsp-v1(0), which strict DER would omit.
    version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
    -- Identifies the responder that produced this data; presumably used by the
    -- client to select the key that must verify the enclosing signature.
    responderID OCSPResponderID,
    -- Time at which this response was produced.
    producedAt GeneralizedTime,
    -- One entry per certificate; no SIZE constraint, so an empty list is
    -- syntactically valid and the count is unbounded.
    responses SEQUENCE OF OCSPSingleResponse,
    responseExtensions [1] EXPLICIT Extensions OPTIONAL }
86 OCSPBasicOCSPResponse ::= SEQUENCE {
87 tbsResponseData OCSPResponseData,
88 signatureAlgorithm AlgorithmIdentifier,
90 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
92 -- ArchiveCutoff ::= GeneralizedTime
94 -- AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
98 id-pkix-ocsp OBJECT IDENTIFIER ::= {
99 iso(1) identified-organization(3) dod(6) internet(1)
100 security(5) mechanisms(5) pkix(7) pkix-ad(48) 1
-- Arcs under id-pkix-ocsp (defined just above). id-pkix-ocsp-basic is the
-- OCSPResponseBytes.responseType value that presumably selects the
-- OCSPBasicOCSPResponse syntax for the enclosed response.
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-- Presumably the nonce extension carried in requestExtensions /
-- responseExtensions; this module defines only the OID, not the extension's
-- value syntax.
id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
105 -- id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
106 -- id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
107 -- id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
108 -- id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
109 -- id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }