ocsp_local.h@ 86352

最後變更在這個檔案從86352是 83916,由 vboxsync 提交於 5 年前
openssl-1.1.1g: Applied and adjusted our OpenSSL changes to 1.1.1g. bugref:9719
檔案大小: 8.1 KB

行
1	/*
2	* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/*- CertID ::= SEQUENCE {
11	* hashAlgorithm AlgorithmIdentifier,
12	* issuerNameHash OCTET STRING, -- Hash of Issuer's DN
13	* issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
14	* serialNumber CertificateSerialNumber }
15	*/
16	struct ocsp_cert_id_st {
17	X509_ALGOR hashAlgorithm;
18	ASN1_OCTET_STRING issuerNameHash;
19	ASN1_OCTET_STRING issuerKeyHash;
20	ASN1_INTEGER serialNumber;
21	};
22
23	/*- Request ::= SEQUENCE {
24	* reqCert CertID,
25	* singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
26	*/
27	struct ocsp_one_request_st {
28	OCSP_CERTID *reqCert;
29	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
30	};
31
32	/*- TBSRequest ::= SEQUENCE {
33	* version [0] EXPLICIT Version DEFAULT v1,
34	* requestorName [1] EXPLICIT GeneralName OPTIONAL,
35	* requestList SEQUENCE OF Request,
36	* requestExtensions [2] EXPLICIT Extensions OPTIONAL }
37	*/
38	struct ocsp_req_info_st {
39	ASN1_INTEGER *version;
40	GENERAL_NAME *requestorName;
41	STACK_OF(OCSP_ONEREQ) *requestList;
42	STACK_OF(X509_EXTENSION) *requestExtensions;
43	};
44
45	/*- Signature ::= SEQUENCE {
46	* signatureAlgorithm AlgorithmIdentifier,
47	* signature BIT STRING,
48	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
49	*/
50	struct ocsp_signature_st {
51	X509_ALGOR signatureAlgorithm;
52	ASN1_BIT_STRING *signature;
53	STACK_OF(X509) *certs;
54	};
55
56	/*- OCSPRequest ::= SEQUENCE {
57	* tbsRequest TBSRequest,
58	* optionalSignature [0] EXPLICIT Signature OPTIONAL }
59	*/
60	struct ocsp_request_st {
61	OCSP_REQINFO tbsRequest;
62	OCSP_SIGNATURE optionalSignature; / OPTIONAL */
63	};
64
65	/*- OCSPResponseStatus ::= ENUMERATED {
66	* successful (0), --Response has valid confirmations
67	* malformedRequest (1), --Illegal confirmation request
68	* internalError (2), --Internal error in issuer
69	* tryLater (3), --Try again later
70	* --(4) is not used
71	* sigRequired (5), --Must sign the request
72	* unauthorized (6) --Request unauthorized
73	* }
74	*/
75
76	/*- ResponseBytes ::= SEQUENCE {
77	* responseType OBJECT IDENTIFIER,
78	* response OCTET STRING }
79	*/
80	struct ocsp_resp_bytes_st {
81	ASN1_OBJECT *responseType;
82	ASN1_OCTET_STRING *response;
83	};
84
85	/*- OCSPResponse ::= SEQUENCE {
86	* responseStatus OCSPResponseStatus,
87	* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
88	*/
89	struct ocsp_response_st {
90	ASN1_ENUMERATED *responseStatus;
91	OCSP_RESPBYTES *responseBytes;
92	};
93
94	/*- ResponderID ::= CHOICE {
95	* byName [1] Name,
96	* byKey [2] KeyHash }
97	*/
98	struct ocsp_responder_id_st {
99	int type;
100	union {
101	X509_NAME *byName;
102	ASN1_OCTET_STRING *byKey;
103	} value;
104	};
105
106	/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
107	* --(excluding the tag and length fields)
108	*/
109
110	/*- RevokedInfo ::= SEQUENCE {
111	* revocationTime GeneralizedTime,
112	* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
113	*/
114	struct ocsp_revoked_info_st {
115	ASN1_GENERALIZEDTIME *revocationTime;
116	ASN1_ENUMERATED *revocationReason;
117	};
118
119	/*- CertStatus ::= CHOICE {
120	* good [0] IMPLICIT NULL,
121	* revoked [1] IMPLICIT RevokedInfo,
122	* unknown [2] IMPLICIT UnknownInfo }
123	*/
124	struct ocsp_cert_status_st {
125	int type;
126	union {
127	ASN1_NULL *good;
128	OCSP_REVOKEDINFO *revoked;
129	ASN1_NULL *unknown;
130	} value;
131	};
132
133	/*- SingleResponse ::= SEQUENCE {
134	* certID CertID,
135	* certStatus CertStatus,
136	* thisUpdate GeneralizedTime,
137	* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
138	* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
139	*/
140	struct ocsp_single_response_st {
141	OCSP_CERTID *certId;
142	OCSP_CERTSTATUS *certStatus;
143	ASN1_GENERALIZEDTIME *thisUpdate;
144	ASN1_GENERALIZEDTIME *nextUpdate;
145	STACK_OF(X509_EXTENSION) *singleExtensions;
146	};
147
148	/*- ResponseData ::= SEQUENCE {
149	* version [0] EXPLICIT Version DEFAULT v1,
150	* responderID ResponderID,
151	* producedAt GeneralizedTime,
152	* responses SEQUENCE OF SingleResponse,
153	* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
154	*/
155	struct ocsp_response_data_st {
156	ASN1_INTEGER *version;
157	OCSP_RESPID responderId;
158	ASN1_GENERALIZEDTIME *producedAt;
159	STACK_OF(OCSP_SINGLERESP) *responses;
160	STACK_OF(X509_EXTENSION) *responseExtensions;
161	};
162
163	/*- BasicOCSPResponse ::= SEQUENCE {
164	* tbsResponseData ResponseData,
165	* signatureAlgorithm AlgorithmIdentifier,
166	* signature BIT STRING,
167	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
168	*/
169	/*
170	* Note 1: The value for "signature" is specified in the OCSP rfc2560 as
171	* follows: "The value for the signature SHALL be computed on the hash of
172	* the DER encoding ResponseData." This means that you must hash the
173	* DER-encoded tbsResponseData, and then run it through a crypto-signing
174	* function, which will (at least w/RSA) do a hash-'n'-private-encrypt
175	* operation. This seems a bit odd, but that's the spec. Also note that
176	* the data structures do not leave anywhere to independently specify the
177	* algorithm used for the initial hash. So, we look at the
178	* signature-specification algorithm, and try to do something intelligent.
179	* -- Kathy Weinhold, CertCo
180	*/
181	/*
182	* Note 2: It seems that the mentioned passage from RFC 2560 (section
183	* 4.2.1) is open for interpretation. I've done tests against another
184	* responder, and found that it doesn't do the double hashing that the RFC
185	* seems to say one should. Therefore, all relevant functions take a flag
186	* saying which variant should be used. -- Richard Levitte, OpenSSL team
187	* and CeloCom
188	*/
189	struct ocsp_basic_response_st {
190	OCSP_RESPDATA tbsResponseData;
191	X509_ALGOR signatureAlgorithm;
192	ASN1_BIT_STRING *signature;
193	STACK_OF(X509) *certs;
194	};
195
196	/*-
197	* CrlID ::= SEQUENCE {
198	* crlUrl [0] EXPLICIT IA5String OPTIONAL,
199	* crlNum [1] EXPLICIT INTEGER OPTIONAL,
200	* crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
201	*/
202	struct ocsp_crl_id_st {
203	ASN1_IA5STRING *crlUrl;
204	ASN1_INTEGER *crlNum;
205	ASN1_GENERALIZEDTIME *crlTime;
206	};
207
208	/*-
209	* ServiceLocator ::= SEQUENCE {
210	* issuer Name,
211	* locator AuthorityInfoAccessSyntax OPTIONAL }
212	*/
213	struct ocsp_service_locator_st {
214	X509_NAME *issuer;
215	STACK_OF(ACCESS_DESCRIPTION) *locator;
216	};
217
218	# define OCSP_REQUEST_sign(o,pkey,md) \
219	ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
220	&(o)->optionalSignature->signatureAlgorithm,NULL,\
221	(o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
222
223	# define OCSP_BASICRESP_sign(o,pkey,md,d) \
224	ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
225	NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
226
227	# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
228	ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
229	NULL,(o)->signature,&(o)->tbsResponseData,ctx)
230
231	# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
232	&(a)->optionalSignature->signatureAlgorithm,\
233	(a)->optionalSignature->signature,&(a)->tbsRequest,r)
234
235	# define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
236	&(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-1.1.1g/crypto/ocsp/ocsp_local.h@ 86352

以其他格式下載: