Make structs in ocsp.h opaque

This adds a little order to this pig sty. ok inoguchi jsing
author: tb <> 2022-01-14 08:32:26 +0000
committer: tb <> 2022-01-14 08:32:26 +0000
commit: 3acb0bae7f358a317f5ebe092026edc36a05d43b (patch)
tree: d802662423bae827bfe070f535bf214990b1a361 /src/lib/libc
parent: 61219b77d5b56d0f4d1297df47aac4c8a542dbeb (diff)
download: openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.tar.gz
openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.tar.bz2
openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.zip
2 files changed, 260 insertions, 234 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
index f942a8a0eb..f869f8aa96 100644
--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.h,v 1.18 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: ocsp.h,v 1.19 2022/01/14 08:32:26 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -73,6 +73,28 @@
 extern "C" {
 #endif
+/*
+ *   CRLReason ::= ENUMERATED {
+ *        unspecified             (0),
+ *        keyCompromise           (1),
+ *        cACompromise            (2),
+ *        affiliationChanged      (3),
+ *        superseded              (4),
+ *        cessationOfOperation    (5),
+ *        certificateHold         (6),
+ *        removeFromCRL           (8) }
+ */
+#define OCSP_REVOKED_STATUS_NOSTATUS                    -1
+#define OCSP_REVOKED_STATUS_UNSPECIFIED                 0
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE               1
+#define OCSP_REVOKED_STATUS_CACOMPROMISE                2
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED          3
+#define OCSP_REVOKED_STATUS_SUPERSEDED                  4
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION        5
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD             6
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL               8
 /* Various flags and values */
 #define OCSP_DEFAULT_NONCE_LENGTH       16
@@ -90,76 +112,18 @@ extern "C" {
 #define OCSP_RESPID_KEY                 0x400
 #define OCSP_NOTIME                     0x800
-/*   CertID ::= SEQUENCE {
+typedef struct ocsp_cert_id_st OCSP_CERTID;
- *       hashAlgorithm            AlgorithmIdentifier,
- *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
- *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- *       serialNumber       CertificateSerialNumber }
- */
-typedef struct ocsp_cert_id_st {
-        X509_ALGOR *hashAlgorithm;
-        ASN1_OCTET_STRING *issuerNameHash;
-        ASN1_OCTET_STRING *issuerKeyHash;
-        ASN1_INTEGER *serialNumber;
-} OCSP_CERTID;
 DECLARE_STACK_OF(OCSP_CERTID)
-/*   Request ::=     SEQUENCE {
+typedef struct ocsp_one_request_st OCSP_ONEREQ;
- *       reqCert                    CertID,
- *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_one_request_st {
-        OCSP_CERTID *reqCert;
-        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-} OCSP_ONEREQ;
 DECLARE_STACK_OF(OCSP_ONEREQ)
+typedef struct ocsp_req_info_st OCSP_REQINFO;
+typedef struct ocsp_signature_st OCSP_SIGNATURE;
+typedef struct ocsp_request_st OCSP_REQUEST;
-/*   TBSRequest      ::=     SEQUENCE {
- *       version             [0] EXPLICIT Version DEFAULT v1,
- *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
- *       requestList             SEQUENCE OF Request,
- *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_req_info_st {
-        ASN1_INTEGER *version;
-        GENERAL_NAME *requestorName;
-        STACK_OF(OCSP_ONEREQ) *requestList;
-        STACK_OF(X509_EXTENSION) *requestExtensions;
-} OCSP_REQINFO;
-/*   Signature       ::=     SEQUENCE {
- *       signatureAlgorithm   AlgorithmIdentifier,
- *       signature            BIT STRING,
- *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-typedef struct ocsp_signature_st {
-        X509_ALGOR *signatureAlgorithm;
-        ASN1_BIT_STRING *signature;
-        STACK_OF(X509) *certs;
-} OCSP_SIGNATURE;
-/*   OCSPRequest     ::=     SEQUENCE {
- *       tbsRequest                  TBSRequest,
- *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
- */
-typedef struct ocsp_request_st {
-        OCSP_REQINFO *tbsRequest;
-        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-} OCSP_REQUEST;
-/*   OCSPResponseStatus ::= ENUMERATED {
- *       successful            (0),      --Response has valid confirmations
- *       malformedRequest      (1),      --Illegal confirmation request
- *       internalError         (2),      --Internal error in issuer
- *       tryLater              (3),      --Try again later
- *                                       --(4) is not used
- *       sigRequired           (5),      --Must sign the request
- *       unauthorized          (6)       --Request unauthorized
- *   }
- */
 #define OCSP_RESPONSE_STATUS_SUCCESSFUL         0
 #define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST   1
 #define OCSP_RESPONSE_STATUS_INTERNALERROR      2
@@ -167,176 +131,36 @@ typedef struct ocsp_request_st {
 #define OCSP_RESPONSE_STATUS_SIGREQUIRED        5
 #define OCSP_RESPONSE_STATUS_UNAUTHORIZED       6
-/*   ResponseBytes ::=       SEQUENCE {
+typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
- *       responseType   OBJECT IDENTIFIER,
- *       response       OCTET STRING }
- */
-typedef struct ocsp_resp_bytes_st {
-        ASN1_OBJECT *responseType;
-        ASN1_OCTET_STRING *response;
-} OCSP_RESPBYTES;
-/*   OCSPResponse ::= SEQUENCE {
- *      responseStatus         OCSPResponseStatus,
- *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
-        ASN1_ENUMERATED *responseStatus;
-        OCSP_RESPBYTES  *responseBytes;
-};
-/*   ResponderID ::= CHOICE {
- *      byName   [1] Name,
- *      byKey    [2] KeyHash }
- */
 #define V_OCSP_RESPID_NAME 0
 #define V_OCSP_RESPID_KEY  1
-struct ocsp_responder_id_st {
-        int type;
-        union {
-                X509_NAME* byName;
-                ASN1_OCTET_STRING *byKey;
-        } value;
-};
 DECLARE_STACK_OF(OCSP_RESPID)
 OCSP_RESPID *OCSP_RESPID_new(void);
 void OCSP_RESPID_free(OCSP_RESPID *a);
 OCSP_RESPID *d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len);
 int i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out);
 extern const ASN1_ITEM OCSP_RESPID_it;
-/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
- *                            --(excluding the tag and length fields)
- */
-/*   RevokedInfo ::= SEQUENCE {
- *       revocationTime              GeneralizedTime,
- *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
- */
-typedef struct ocsp_revoked_info_st {
-        ASN1_GENERALIZEDTIME *revocationTime;
-        ASN1_ENUMERATED *revocationReason;
-} OCSP_REVOKEDINFO;
-/*   CertStatus ::= CHOICE {
- *       good                [0]     IMPLICIT NULL,
- *       revoked             [1]     IMPLICIT RevokedInfo,
- *       unknown             [2]     IMPLICIT UnknownInfo }
- */
 #define V_OCSP_CERTSTATUS_GOOD    0
 #define V_OCSP_CERTSTATUS_REVOKED 1
 #define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st {
-        int type;
+typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
-        union {
+typedef struct ocsp_single_response_st OCSP_SINGLERESP;
-                ASN1_NULL *good;
-                OCSP_REVOKEDINFO *revoked;
-                ASN1_NULL *unknown;
-        } value;
-} OCSP_CERTSTATUS;
-/*   SingleResponse ::= SEQUENCE {
- *      certID                       CertID,
- *      certStatus                   CertStatus,
- *      thisUpdate                   GeneralizedTime,
- *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
- *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_single_response_st {
-        OCSP_CERTID *certId;
-        OCSP_CERTSTATUS *certStatus;
-        ASN1_GENERALIZEDTIME *thisUpdate;
-        ASN1_GENERALIZEDTIME *nextUpdate;
-        STACK_OF(X509_EXTENSION) *singleExtensions;
-} OCSP_SINGLERESP;
 DECLARE_STACK_OF(OCSP_SINGLERESP)
-/*   ResponseData ::= SEQUENCE {
+typedef struct ocsp_response_data_st OCSP_RESPDATA;
- *      version              [0] EXPLICIT Version DEFAULT v1,
- *      responderID              ResponderID,
- *      producedAt               GeneralizedTime,
- *      responses                SEQUENCE OF SingleResponse,
- *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_response_data_st {
-        ASN1_INTEGER *version;
-        OCSP_RESPID  *responderId;
-        ASN1_GENERALIZEDTIME *producedAt;
-        STACK_OF(OCSP_SINGLERESP) *responses;
-        STACK_OF(X509_EXTENSION) *responseExtensions;
-} OCSP_RESPDATA;
-/*   BasicOCSPResponse       ::= SEQUENCE {
- *      tbsResponseData      ResponseData,
- *      signatureAlgorithm   AlgorithmIdentifier,
- *      signature            BIT STRING,
- *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-  /* Note 1:
-     The value for "signature" is specified in the OCSP rfc2560 as follows:
-     "The value for the signature SHALL be computed on the hash of the DER
-     encoding ResponseData."  This means that you must hash the DER-encoded
-     tbsResponseData, and then run it through a crypto-signing function, which
-     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
-     a bit odd, but that's the spec.  Also note that the data structures do not
-     leave anywhere to independently specify the algorithm used for the initial
-     hash. So, we look at the signature-specification algorithm, and try to do
-     something intelligent.     -- Kathy Weinhold, CertCo */
-  /* Note 2:
-     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
-     for interpretation.  I've done tests against another responder, and found
-     that it doesn't do the double hashing that the RFC seems to say one
-     should.  Therefore, all relevant functions take a flag saying which
-     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st {
-        OCSP_RESPDATA *tbsResponseData;
-        X509_ALGOR *signatureAlgorithm;
-        ASN1_BIT_STRING *signature;
-        STACK_OF(X509) *certs;
-} OCSP_BASICRESP;
-/*
+typedef struct ocsp_basic_response_st OCSP_BASICRESP;
- *   CRLReason ::= ENUMERATED {
- *        unspecified             (0),
- *        keyCompromise           (1),
- *        cACompromise            (2),
- *        affiliationChanged      (3),
- *        superseded              (4),
- *        cessationOfOperation    (5),
- *        certificateHold         (6),
- *        removeFromCRL           (8) }
- */
-#define OCSP_REVOKED_STATUS_NOSTATUS                    -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED                 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE               1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE                2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED          3
-#define OCSP_REVOKED_STATUS_SUPERSEDED                  4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION        5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD             6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL               8
-/* CrlID ::= SEQUENCE {
+typedef struct ocsp_crl_id_st OCSP_CRLID;
- *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
- *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
- *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
- */
-typedef struct ocsp_crl_id_st {
-        ASN1_IA5STRING *crlUrl;
-        ASN1_INTEGER *crlNum;
-        ASN1_GENERALIZEDTIME *crlTime;
-} OCSP_CRLID;
-/* ServiceLocator ::= SEQUENCE {
- *      issuer    Name,
- *      locator   AuthorityInfoAccessSyntax OPTIONAL }
- */
-typedef struct ocsp_service_locator_st {
-        X509_NAME* issuer;
-        STACK_OF(ACCESS_DESCRIPTION) *locator;
-} OCSP_SERVICELOC;
 #define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
 #define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
@@ -357,24 +181,6 @@ typedef struct ocsp_service_locator_st {
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
        bp,(char *)o, NULL,NULL,0,NULL,NULL)
-#define OCSP_REQUEST_sign(o,pkey,md) \
-    ASN1_item_sign(&OCSP_REQINFO_it, \
-        o->optionalSignature->signatureAlgorithm,NULL, \
-        o->optionalSignature->signature,o->tbsRequest,pkey,md)
-#define OCSP_BASICRESP_sign(o,pkey,md,d) \
-    ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
-        o->signature,o->tbsResponseData,pkey,md)
-#define OCSP_REQUEST_verify(a,r) \
-    ASN1_item_verify(&OCSP_REQINFO_it, \
-        a->optionalSignature->signatureAlgorithm, \
-        a->optionalSignature->signature,a->tbsRequest,r)
-#define OCSP_BASICRESP_verify(a,r,d) \
-    ASN1_item_verify(&OCSP_RESPDATA_it, \
-        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
    ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)
diff --git a/src/lib/libcrypto/ocsp/ocsp_local.h b/src/lib/libcrypto/ocsp/ocsp_local.h
index 5651f9f795..bd933b1915 100644
--- a/src/lib/libcrypto/ocsp/ocsp_local.h
+++ b/src/lib/libcrypto/ocsp/ocsp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_local.h,v 1.1 2022/01/07 09:45:52 tb Exp $ */
+/* $OpenBSD: ocsp_local.h,v 1.2 2022/01/14 08:32:26 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -66,6 +66,226 @@
 __BEGIN_HIDDEN_DECLS
+/*   CertID ::= SEQUENCE {
+ *       hashAlgorithm            AlgorithmIdentifier,
+ *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+ *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
+ *       serialNumber       CertificateSerialNumber }
+ */
+struct ocsp_cert_id_st {
+        X509_ALGOR *hashAlgorithm;
+        ASN1_OCTET_STRING *issuerNameHash;
+        ASN1_OCTET_STRING *issuerKeyHash;
+        ASN1_INTEGER *serialNumber;
+} /* OCSP_CERTID */;
+/*   Request ::=     SEQUENCE {
+ *       reqCert                    CertID,
+ *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_one_request_st {
+        OCSP_CERTID *reqCert;
+        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+} /* OCSP_ONEREQ */;
+/*   TBSRequest      ::=     SEQUENCE {
+ *       version             [0] EXPLICIT Version DEFAULT v1,
+ *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+ *       requestList             SEQUENCE OF Request,
+ *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_req_info_st {
+        ASN1_INTEGER *version;
+        GENERAL_NAME *requestorName;
+        STACK_OF(OCSP_ONEREQ) *requestList;
+        STACK_OF(X509_EXTENSION) *requestExtensions;
+} /* OCSP_REQINFO */;
+/*   Signature       ::=     SEQUENCE {
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING,
+ *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+struct ocsp_signature_st {
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+} /* OCSP_SIGNATURE */;
+/*   OCSPRequest     ::=     SEQUENCE {
+ *       tbsRequest                  TBSRequest,
+ *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+ */
+struct ocsp_request_st {
+        OCSP_REQINFO *tbsRequest;
+        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
+} /* OCSP_REQUEST */;
+/*   OCSPResponseStatus ::= ENUMERATED {
+ *       successful            (0),      --Response has valid confirmations
+ *       malformedRequest      (1),      --Illegal confirmation request
+ *       internalError         (2),      --Internal error in issuer
+ *       tryLater              (3),      --Try again later
+ *                                       --(4) is not used
+ *       sigRequired           (5),      --Must sign the request
+ *       unauthorized          (6)       --Request unauthorized
+ *   }
+ */
+/*   ResponseBytes ::=       SEQUENCE {
+ *       responseType   OBJECT IDENTIFIER,
+ *       response       OCTET STRING }
+ */
+struct ocsp_resp_bytes_st {
+        ASN1_OBJECT *responseType;
+        ASN1_OCTET_STRING *response;
+} /* OCSP_RESPBYTES */;
+/*   OCSPResponse ::= SEQUENCE {
+ *      responseStatus         OCSPResponseStatus,
+ *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+struct ocsp_response_st {
+        ASN1_ENUMERATED *responseStatus;
+        OCSP_RESPBYTES  *responseBytes;
+};
+/*   ResponderID ::= CHOICE {
+ *      byName   [1] Name,
+ *      byKey    [2] KeyHash }
+ */
+struct ocsp_responder_id_st {
+        int type;
+        union {
+                X509_NAME* byName;
+                ASN1_OCTET_STRING *byKey;
+        } value;
+};
+/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ *                            --(excluding the tag and length fields)
+ */
+/*   RevokedInfo ::= SEQUENCE {
+ *       revocationTime              GeneralizedTime,
+ *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+ */
+struct ocsp_revoked_info_st {
+        ASN1_GENERALIZEDTIME *revocationTime;
+        ASN1_ENUMERATED *revocationReason;
+} /* OCSP_REVOKEDINFO */;
+/*   CertStatus ::= CHOICE {
+ *       good                [0]     IMPLICIT NULL,
+ *       revoked             [1]     IMPLICIT RevokedInfo,
+ *       unknown             [2]     IMPLICIT UnknownInfo }
+ */
+struct ocsp_cert_status_st {
+        int type;
+        union {
+                ASN1_NULL *good;
+                OCSP_REVOKEDINFO *revoked;
+                ASN1_NULL *unknown;
+        } value;
+} /* OCSP_CERTSTATUS */;
+/*   SingleResponse ::= SEQUENCE {
+ *      certID                       CertID,
+ *      certStatus                   CertStatus,
+ *      thisUpdate                   GeneralizedTime,
+ *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+ *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_single_response_st {
+        OCSP_CERTID *certId;
+        OCSP_CERTSTATUS *certStatus;
+        ASN1_GENERALIZEDTIME *thisUpdate;
+        ASN1_GENERALIZEDTIME *nextUpdate;
+        STACK_OF(X509_EXTENSION) *singleExtensions;
+} /* OCSP_SINGLERESP */;
+/*   ResponseData ::= SEQUENCE {
+ *      version              [0] EXPLICIT Version DEFAULT v1,
+ *      responderID              ResponderID,
+ *      producedAt               GeneralizedTime,
+ *      responses                SEQUENCE OF SingleResponse,
+ *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_response_data_st {
+        ASN1_INTEGER *version;
+        OCSP_RESPID  *responderId;
+        ASN1_GENERALIZEDTIME *producedAt;
+        STACK_OF(OCSP_SINGLERESP) *responses;
+        STACK_OF(X509_EXTENSION) *responseExtensions;
+} /* OCSP_RESPDATA */;
+/*   BasicOCSPResponse       ::= SEQUENCE {
+ *      tbsResponseData      ResponseData,
+ *      signatureAlgorithm   AlgorithmIdentifier,
+ *      signature            BIT STRING,
+ *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+  /* Note 1:
+     The value for "signature" is specified in the OCSP rfc2560 as follows:
+     "The value for the signature SHALL be computed on the hash of the DER
+     encoding ResponseData."  This means that you must hash the DER-encoded
+     tbsResponseData, and then run it through a crypto-signing function, which
+     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
+     a bit odd, but that's the spec.  Also note that the data structures do not
+     leave anywhere to independently specify the algorithm used for the initial
+     hash. So, we look at the signature-specification algorithm, and try to do
+     something intelligent.     -- Kathy Weinhold, CertCo */
+  /* Note 2:
+     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
+     for interpretation.  I've done tests against another responder, and found
+     that it doesn't do the double hashing that the RFC seems to say one
+     should.  Therefore, all relevant functions take a flag saying which
+     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
+struct ocsp_basic_response_st {
+        OCSP_RESPDATA *tbsResponseData;
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+} /* OCSP_BASICRESP */;
+/* CrlID ::= SEQUENCE {
+ *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+ *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
+ *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
+ */
+struct ocsp_crl_id_st {
+        ASN1_IA5STRING *crlUrl;
+        ASN1_INTEGER *crlNum;
+        ASN1_GENERALIZEDTIME *crlTime;
+} /* OCSP_CRLID */;
+/* ServiceLocator ::= SEQUENCE {
+ *      issuer    Name,
+ *      locator   AuthorityInfoAccessSyntax OPTIONAL }
+ */
+struct ocsp_service_locator_st {
+        X509_NAME* issuer;
+        STACK_OF(ACCESS_DESCRIPTION) *locator;
+} /* OCSP_SERVICELOC */;
+#define OCSP_REQUEST_sign(o,pkey,md) \
+    ASN1_item_sign(&OCSP_REQINFO_it, \
+        (o)->optionalSignature->signatureAlgorithm, NULL, \
+        (o)->optionalSignature->signature,o->tbsRequest, (pkey), (md))
+#define OCSP_BASICRESP_sign(o,pkey,md,d) \
+    ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
+        (o)->signature,(o)->tbsResponseData,(pkey),(md))
+#define OCSP_REQUEST_verify(a,r) \
+    ASN1_item_verify(&OCSP_REQINFO_it, \
+        (a)->optionalSignature->signatureAlgorithm, \
+        (a)->optionalSignature->signature, (a)->tbsRequest, (r))
+#define OCSP_BASICRESP_verify(a,r,d) \
+    ASN1_item_verify(&OCSP_RESPDATA_it, \
+        (a)->signatureAlgorithm, (a)->signature, (a)->tbsResponseData, (r))
 __END_HIDDEN_DECLS
 #endif /* !HEADER_OCSP_LOCAL_H */
author	tb <>	2022-01-14 08:32:26 +0000
committer	tb <>	2022-01-14 08:32:26 +0000
commit	3acb0bae7f358a317f5ebe092026edc36a05d43b (patch)
tree	d802662423bae827bfe070f535bf214990b1a361 /src/lib/libc
parent	61219b77d5b56d0f4d1297df47aac4c8a542dbeb (diff)
download	openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.tar.gz openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.tar.bz2 openbsd-3acb0bae7f358a317f5ebe092026edc36a05d43b.zip

diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h index f942a8a0eb..f869f8aa96 100644 --- a/src/lib/libcrypto/ocsp/ocsp.h +++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp.h,v 1.18 2021/11/01 08:14:36 tb Exp $ */	1	/* $OpenBSD: ocsp.h,v 1.19 2022/01/14 08:32:26 tb Exp $ */
2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL	2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3	* project. */	3	* project. */
4		4
@@ -73,6 +73,28 @@
73	extern "C" {	73	extern "C" {
74	#endif	74	#endif
75		75
		76	/*
		77	* CRLReason ::= ENUMERATED {
		78	* unspecified (0),
		79	* keyCompromise (1),
		80	* cACompromise (2),
		81	* affiliationChanged (3),
		82	* superseded (4),
		83	* cessationOfOperation (5),
		84	* certificateHold (6),
		85	* removeFromCRL (8) }
		86	*/
		87	#define OCSP_REVOKED_STATUS_NOSTATUS -1
		88	#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
		89	#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
		90	#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
		91	#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
		92	#define OCSP_REVOKED_STATUS_SUPERSEDED 4
		93	#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
		94	#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
		95	#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
		96
		97
76	/* Various flags and values */	98	/* Various flags and values */
77		99
78	#define OCSP_DEFAULT_NONCE_LENGTH 16	100	#define OCSP_DEFAULT_NONCE_LENGTH 16
@@ -90,76 +112,18 @@ extern "C" {
90	#define OCSP_RESPID_KEY 0x400	112	#define OCSP_RESPID_KEY 0x400
91	#define OCSP_NOTIME 0x800	113	#define OCSP_NOTIME 0x800
92		114
93	/* CertID ::= SEQUENCE {	115	typedef struct ocsp_cert_id_st OCSP_CERTID;
94	* hashAlgorithm AlgorithmIdentifier,
95	* issuerNameHash OCTET STRING, -- Hash of Issuer's DN
96	* issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
97	* serialNumber CertificateSerialNumber }
98	*/
99	typedef struct ocsp_cert_id_st {
100	X509_ALGOR *hashAlgorithm;
101	ASN1_OCTET_STRING *issuerNameHash;
102	ASN1_OCTET_STRING *issuerKeyHash;
103	ASN1_INTEGER *serialNumber;
104	} OCSP_CERTID;
105		116
106	DECLARE_STACK_OF(OCSP_CERTID)	117	DECLARE_STACK_OF(OCSP_CERTID)
107		118
108	/* Request ::= SEQUENCE {	119	typedef struct ocsp_one_request_st OCSP_ONEREQ;
109	* reqCert CertID,
110	* singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
111	*/
112	typedef struct ocsp_one_request_st {
113	OCSP_CERTID *reqCert;
114	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
115	} OCSP_ONEREQ;
116		120
117	DECLARE_STACK_OF(OCSP_ONEREQ)	121	DECLARE_STACK_OF(OCSP_ONEREQ)
118		122
		123	typedef struct ocsp_req_info_st OCSP_REQINFO;
		124	typedef struct ocsp_signature_st OCSP_SIGNATURE;
		125	typedef struct ocsp_request_st OCSP_REQUEST;
119		126
120	/* TBSRequest ::= SEQUENCE {
121	* version [0] EXPLICIT Version DEFAULT v1,
122	* requestorName [1] EXPLICIT GeneralName OPTIONAL,
123	* requestList SEQUENCE OF Request,
124	* requestExtensions [2] EXPLICIT Extensions OPTIONAL }
125	*/
126	typedef struct ocsp_req_info_st {
127	ASN1_INTEGER *version;
128	GENERAL_NAME *requestorName;
129	STACK_OF(OCSP_ONEREQ) *requestList;
130	STACK_OF(X509_EXTENSION) *requestExtensions;
131	} OCSP_REQINFO;
132
133	/* Signature ::= SEQUENCE {
134	* signatureAlgorithm AlgorithmIdentifier,
135	* signature BIT STRING,
136	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
137	*/
138	typedef struct ocsp_signature_st {
139	X509_ALGOR *signatureAlgorithm;
140	ASN1_BIT_STRING *signature;
141	STACK_OF(X509) *certs;
142	} OCSP_SIGNATURE;
143
144	/* OCSPRequest ::= SEQUENCE {
145	* tbsRequest TBSRequest,
146	* optionalSignature [0] EXPLICIT Signature OPTIONAL }
147	*/
148	typedef struct ocsp_request_st {
149	OCSP_REQINFO *tbsRequest;
150	OCSP_SIGNATURE optionalSignature; / OPTIONAL */
151	} OCSP_REQUEST;
152
153	/* OCSPResponseStatus ::= ENUMERATED {
154	* successful (0), --Response has valid confirmations
155	* malformedRequest (1), --Illegal confirmation request
156	* internalError (2), --Internal error in issuer
157	* tryLater (3), --Try again later
158	* --(4) is not used
159	* sigRequired (5), --Must sign the request
160	* unauthorized (6) --Request unauthorized
161	* }
162	*/
163	#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0	127	#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
164	#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1	128	#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
165	#define OCSP_RESPONSE_STATUS_INTERNALERROR 2	129	#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
@@ -167,176 +131,36 @@ typedef struct ocsp_request_st {
167	#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5	131	#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
168	#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6	132	#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
169		133
170	/* ResponseBytes ::= SEQUENCE {	134	typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
171	* responseType OBJECT IDENTIFIER,	135
172	* response OCTET STRING }
173	*/
174	typedef struct ocsp_resp_bytes_st {
175	ASN1_OBJECT *responseType;
176	ASN1_OCTET_STRING *response;
177	} OCSP_RESPBYTES;
178
179	/* OCSPResponse ::= SEQUENCE {
180	* responseStatus OCSPResponseStatus,
181	* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
182	*/
183	struct ocsp_response_st {
184	ASN1_ENUMERATED *responseStatus;
185	OCSP_RESPBYTES *responseBytes;
186	};
187
188	/* ResponderID ::= CHOICE {
189	* byName [1] Name,
190	* byKey [2] KeyHash }
191	*/
192	#define V_OCSP_RESPID_NAME 0	136	#define V_OCSP_RESPID_NAME 0
193	#define V_OCSP_RESPID_KEY 1	137	#define V_OCSP_RESPID_KEY 1
194	struct ocsp_responder_id_st {
195	int type;
196	union {
197	X509_NAME* byName;
198	ASN1_OCTET_STRING *byKey;
199	} value;
200	};
201		138
202	DECLARE_STACK_OF(OCSP_RESPID)	139	DECLARE_STACK_OF(OCSP_RESPID)
		140
203	OCSP_RESPID *OCSP_RESPID_new(void);	141	OCSP_RESPID *OCSP_RESPID_new(void);
204	void OCSP_RESPID_free(OCSP_RESPID *a);	142	void OCSP_RESPID_free(OCSP_RESPID *a);
205	OCSP_RESPID d2i_OCSP_RESPID(OCSP_RESPID a, const unsigned char *in, long len);	143	OCSP_RESPID d2i_OCSP_RESPID(OCSP_RESPID a, const unsigned char *in, long len);
206	int i2d_OCSP_RESPID(OCSP_RESPID a, unsigned char *out);	144	int i2d_OCSP_RESPID(OCSP_RESPID a, unsigned char *out);
207	extern const ASN1_ITEM OCSP_RESPID_it;	145	extern const ASN1_ITEM OCSP_RESPID_it;
208		146
209	/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key	147	typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
210	* --(excluding the tag and length fields)
211	*/
212		148
213	/* RevokedInfo ::= SEQUENCE {
214	* revocationTime GeneralizedTime,
215	* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
216	*/
217	typedef struct ocsp_revoked_info_st {
218	ASN1_GENERALIZEDTIME *revocationTime;
219	ASN1_ENUMERATED *revocationReason;
220	} OCSP_REVOKEDINFO;
221
222	/* CertStatus ::= CHOICE {
223	* good [0] IMPLICIT NULL,
224	* revoked [1] IMPLICIT RevokedInfo,
225	* unknown [2] IMPLICIT UnknownInfo }
226	*/
227	#define V_OCSP_CERTSTATUS_GOOD 0	149	#define V_OCSP_CERTSTATUS_GOOD 0
228	#define V_OCSP_CERTSTATUS_REVOKED 1	150	#define V_OCSP_CERTSTATUS_REVOKED 1
229	#define V_OCSP_CERTSTATUS_UNKNOWN 2	151	#define V_OCSP_CERTSTATUS_UNKNOWN 2
230	typedef struct ocsp_cert_status_st {	152
231	int type;	153	typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
232	union {	154	typedef struct ocsp_single_response_st OCSP_SINGLERESP;
233	ASN1_NULL *good;
234	OCSP_REVOKEDINFO *revoked;
235	ASN1_NULL *unknown;
236	} value;
237	} OCSP_CERTSTATUS;
238
239	/* SingleResponse ::= SEQUENCE {
240	* certID CertID,
241	* certStatus CertStatus,
242	* thisUpdate GeneralizedTime,
243	* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
244	* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
245	*/
246	typedef struct ocsp_single_response_st {
247	OCSP_CERTID *certId;
248	OCSP_CERTSTATUS *certStatus;
249	ASN1_GENERALIZEDTIME *thisUpdate;
250	ASN1_GENERALIZEDTIME *nextUpdate;
251	STACK_OF(X509_EXTENSION) *singleExtensions;
252	} OCSP_SINGLERESP;
253		155
254	DECLARE_STACK_OF(OCSP_SINGLERESP)	156	DECLARE_STACK_OF(OCSP_SINGLERESP)
255		157
256	/* ResponseData ::= SEQUENCE {	158	typedef struct ocsp_response_data_st OCSP_RESPDATA;
257	* version [0] EXPLICIT Version DEFAULT v1,
258	* responderID ResponderID,
259	* producedAt GeneralizedTime,
260	* responses SEQUENCE OF SingleResponse,
261	* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
262	*/
263	typedef struct ocsp_response_data_st {
264	ASN1_INTEGER *version;
265	OCSP_RESPID *responderId;
266	ASN1_GENERALIZEDTIME *producedAt;
267	STACK_OF(OCSP_SINGLERESP) *responses;
268	STACK_OF(X509_EXTENSION) *responseExtensions;
269	} OCSP_RESPDATA;
270
271	/* BasicOCSPResponse ::= SEQUENCE {
272	* tbsResponseData ResponseData,
273	* signatureAlgorithm AlgorithmIdentifier,
274	* signature BIT STRING,
275	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
276	*/
277	/* Note 1:
278	The value for "signature" is specified in the OCSP rfc2560 as follows:
279	"The value for the signature SHALL be computed on the hash of the DER
280	encoding ResponseData." This means that you must hash the DER-encoded
281	tbsResponseData, and then run it through a crypto-signing function, which
282	will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
283	a bit odd, but that's the spec. Also note that the data structures do not
284	leave anywhere to independently specify the algorithm used for the initial
285	hash. So, we look at the signature-specification algorithm, and try to do
286	something intelligent. -- Kathy Weinhold, CertCo */
287	/* Note 2:
288	It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
289	for interpretation. I've done tests against another responder, and found
290	that it doesn't do the double hashing that the RFC seems to say one
291	should. Therefore, all relevant functions take a flag saying which
292	variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
293	typedef struct ocsp_basic_response_st {
294	OCSP_RESPDATA *tbsResponseData;
295	X509_ALGOR *signatureAlgorithm;
296	ASN1_BIT_STRING *signature;
297	STACK_OF(X509) *certs;
298	} OCSP_BASICRESP;
299		159
300	/*	160	typedef struct ocsp_basic_response_st OCSP_BASICRESP;
301	* CRLReason ::= ENUMERATED {
302	* unspecified (0),
303	* keyCompromise (1),
304	* cACompromise (2),
305	* affiliationChanged (3),
306	* superseded (4),
307	* cessationOfOperation (5),
308	* certificateHold (6),
309	* removeFromCRL (8) }
310	*/
311	#define OCSP_REVOKED_STATUS_NOSTATUS -1
312	#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
313	#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
314	#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
315	#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
316	#define OCSP_REVOKED_STATUS_SUPERSEDED 4
317	#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
318	#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
319	#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
320		161
321	/* CrlID ::= SEQUENCE {	162	typedef struct ocsp_crl_id_st OCSP_CRLID;
322	* crlUrl [0] EXPLICIT IA5String OPTIONAL,	163	typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
323	* crlNum [1] EXPLICIT INTEGER OPTIONAL,
324	* crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
325	*/
326	typedef struct ocsp_crl_id_st {
327	ASN1_IA5STRING *crlUrl;
328	ASN1_INTEGER *crlNum;
329	ASN1_GENERALIZEDTIME *crlTime;
330	} OCSP_CRLID;
331
332	/* ServiceLocator ::= SEQUENCE {
333	* issuer Name,
334	* locator AuthorityInfoAccessSyntax OPTIONAL }
335	*/
336	typedef struct ocsp_service_locator_st {
337	X509_NAME* issuer;
338	STACK_OF(ACCESS_DESCRIPTION) *locator;
339	} OCSP_SERVICELOC;
340		164
341	#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"	165	#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
342	#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"	166	#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
@@ -357,24 +181,6 @@ typedef struct ocsp_service_locator_st {
357	PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\	181	PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
358	bp,(char *)o, NULL,NULL,0,NULL,NULL)	182	bp,(char *)o, NULL,NULL,0,NULL,NULL)
359		183
360	#define OCSP_REQUEST_sign(o,pkey,md) \
361	ASN1_item_sign(&OCSP_REQINFO_it, \
362	o->optionalSignature->signatureAlgorithm,NULL, \
363	o->optionalSignature->signature,o->tbsRequest,pkey,md)
364
365	#define OCSP_BASICRESP_sign(o,pkey,md,d) \
366	ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
367	o->signature,o->tbsResponseData,pkey,md)
368
369	#define OCSP_REQUEST_verify(a,r) \
370	ASN1_item_verify(&OCSP_REQINFO_it, \
371	a->optionalSignature->signatureAlgorithm, \
372	a->optionalSignature->signature,a->tbsRequest,r)
373
374	#define OCSP_BASICRESP_verify(a,r,d) \
375	ASN1_item_verify(&OCSP_RESPDATA_it, \
376	a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
377
378	#define ASN1_BIT_STRING_digest(data,type,md,len) \	184	#define ASN1_BIT_STRING_digest(data,type,md,len) \
379	ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)	185	ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)
380		186


diff --git a/src/lib/libcrypto/ocsp/ocsp_local.h b/src/lib/libcrypto/ocsp/ocsp_local.h index 5651f9f795..bd933b1915 100644 --- a/src/lib/libcrypto/ocsp/ocsp_local.h +++ b/src/lib/libcrypto/ocsp/ocsp_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ocsp_local.h,v 1.1 2022/01/07 09:45:52 tb Exp $ */	1	/* $OpenBSD: ocsp_local.h,v 1.2 2022/01/14 08:32:26 tb Exp $ */
2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL	2	/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3	* project. */	3	* project. */
4		4
@@ -66,6 +66,226 @@
66		66
67	__BEGIN_HIDDEN_DECLS	67	__BEGIN_HIDDEN_DECLS
68		68
		69	/* CertID ::= SEQUENCE {
		70	* hashAlgorithm AlgorithmIdentifier,
		71	* issuerNameHash OCTET STRING, -- Hash of Issuer's DN
		72	* issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
		73	* serialNumber CertificateSerialNumber }
		74	*/
		75	struct ocsp_cert_id_st {
		76	X509_ALGOR *hashAlgorithm;
		77	ASN1_OCTET_STRING *issuerNameHash;
		78	ASN1_OCTET_STRING *issuerKeyHash;
		79	ASN1_INTEGER *serialNumber;
		80	} /* OCSP_CERTID */;
		81
		82	/* Request ::= SEQUENCE {
		83	* reqCert CertID,
		84	* singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
		85	*/
		86	struct ocsp_one_request_st {
		87	OCSP_CERTID *reqCert;
		88	STACK_OF(X509_EXTENSION) *singleRequestExtensions;
		89	} /* OCSP_ONEREQ */;
		90
		91	/* TBSRequest ::= SEQUENCE {
		92	* version [0] EXPLICIT Version DEFAULT v1,
		93	* requestorName [1] EXPLICIT GeneralName OPTIONAL,
		94	* requestList SEQUENCE OF Request,
		95	* requestExtensions [2] EXPLICIT Extensions OPTIONAL }
		96	*/
		97	struct ocsp_req_info_st {
		98	ASN1_INTEGER *version;
		99	GENERAL_NAME *requestorName;
		100	STACK_OF(OCSP_ONEREQ) *requestList;
		101	STACK_OF(X509_EXTENSION) *requestExtensions;
		102	} /* OCSP_REQINFO */;
		103
		104	/* Signature ::= SEQUENCE {
		105	* signatureAlgorithm AlgorithmIdentifier,
		106	* signature BIT STRING,
		107	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
		108	*/
		109	struct ocsp_signature_st {
		110	X509_ALGOR *signatureAlgorithm;
		111	ASN1_BIT_STRING *signature;
		112	STACK_OF(X509) *certs;
		113	} /* OCSP_SIGNATURE */;
		114
		115	/* OCSPRequest ::= SEQUENCE {
		116	* tbsRequest TBSRequest,
		117	* optionalSignature [0] EXPLICIT Signature OPTIONAL }
		118	*/
		119	struct ocsp_request_st {
		120	OCSP_REQINFO *tbsRequest;
		121	OCSP_SIGNATURE optionalSignature; / OPTIONAL */
		122	} /* OCSP_REQUEST */;
		123
		124	/* OCSPResponseStatus ::= ENUMERATED {
		125	* successful (0), --Response has valid confirmations
		126	* malformedRequest (1), --Illegal confirmation request
		127	* internalError (2), --Internal error in issuer
		128	* tryLater (3), --Try again later
		129	* --(4) is not used
		130	* sigRequired (5), --Must sign the request
		131	* unauthorized (6) --Request unauthorized
		132	* }
		133	*/
		134
		135	/* ResponseBytes ::= SEQUENCE {
		136	* responseType OBJECT IDENTIFIER,
		137	* response OCTET STRING }
		138	*/
		139	struct ocsp_resp_bytes_st {
		140	ASN1_OBJECT *responseType;
		141	ASN1_OCTET_STRING *response;
		142	} /* OCSP_RESPBYTES */;
		143
		144	/* OCSPResponse ::= SEQUENCE {
		145	* responseStatus OCSPResponseStatus,
		146	* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
		147	*/
		148	struct ocsp_response_st {
		149	ASN1_ENUMERATED *responseStatus;
		150	OCSP_RESPBYTES *responseBytes;
		151	};
		152
		153	/* ResponderID ::= CHOICE {
		154	* byName [1] Name,
		155	* byKey [2] KeyHash }
		156	*/
		157	struct ocsp_responder_id_st {
		158	int type;
		159	union {
		160	X509_NAME* byName;
		161	ASN1_OCTET_STRING *byKey;
		162	} value;
		163	};
		164
		165	/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
		166	* --(excluding the tag and length fields)
		167	*/
		168
		169	/* RevokedInfo ::= SEQUENCE {
		170	* revocationTime GeneralizedTime,
		171	* revocationReason [0] EXPLICIT CRLReason OPTIONAL }
		172	*/
		173	struct ocsp_revoked_info_st {
		174	ASN1_GENERALIZEDTIME *revocationTime;
		175	ASN1_ENUMERATED *revocationReason;
		176	} /* OCSP_REVOKEDINFO */;
		177
		178	/* CertStatus ::= CHOICE {
		179	* good [0] IMPLICIT NULL,
		180	* revoked [1] IMPLICIT RevokedInfo,
		181	* unknown [2] IMPLICIT UnknownInfo }
		182	*/
		183	struct ocsp_cert_status_st {
		184	int type;
		185	union {
		186	ASN1_NULL *good;
		187	OCSP_REVOKEDINFO *revoked;
		188	ASN1_NULL *unknown;
		189	} value;
		190	} /* OCSP_CERTSTATUS */;
		191
		192	/* SingleResponse ::= SEQUENCE {
		193	* certID CertID,
		194	* certStatus CertStatus,
		195	* thisUpdate GeneralizedTime,
		196	* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
		197	* singleExtensions [1] EXPLICIT Extensions OPTIONAL }
		198	*/
		199	struct ocsp_single_response_st {
		200	OCSP_CERTID *certId;
		201	OCSP_CERTSTATUS *certStatus;
		202	ASN1_GENERALIZEDTIME *thisUpdate;
		203	ASN1_GENERALIZEDTIME *nextUpdate;
		204	STACK_OF(X509_EXTENSION) *singleExtensions;
		205	} /* OCSP_SINGLERESP */;
		206
		207	/* ResponseData ::= SEQUENCE {
		208	* version [0] EXPLICIT Version DEFAULT v1,
		209	* responderID ResponderID,
		210	* producedAt GeneralizedTime,
		211	* responses SEQUENCE OF SingleResponse,
		212	* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
		213	*/
		214	struct ocsp_response_data_st {
		215	ASN1_INTEGER *version;
		216	OCSP_RESPID *responderId;
		217	ASN1_GENERALIZEDTIME *producedAt;
		218	STACK_OF(OCSP_SINGLERESP) *responses;
		219	STACK_OF(X509_EXTENSION) *responseExtensions;
		220	} /* OCSP_RESPDATA */;
		221
		222	/* BasicOCSPResponse ::= SEQUENCE {
		223	* tbsResponseData ResponseData,
		224	* signatureAlgorithm AlgorithmIdentifier,
		225	* signature BIT STRING,
		226	* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
		227	*/
		228	/* Note 1:
		229	The value for "signature" is specified in the OCSP rfc2560 as follows:
		230	"The value for the signature SHALL be computed on the hash of the DER
		231	encoding ResponseData." This means that you must hash the DER-encoded
		232	tbsResponseData, and then run it through a crypto-signing function, which
		233	will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
		234	a bit odd, but that's the spec. Also note that the data structures do not
		235	leave anywhere to independently specify the algorithm used for the initial
		236	hash. So, we look at the signature-specification algorithm, and try to do
		237	something intelligent. -- Kathy Weinhold, CertCo */
		238	/* Note 2:
		239	It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
		240	for interpretation. I've done tests against another responder, and found
		241	that it doesn't do the double hashing that the RFC seems to say one
		242	should. Therefore, all relevant functions take a flag saying which
		243	variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
		244	struct ocsp_basic_response_st {
		245	OCSP_RESPDATA *tbsResponseData;
		246	X509_ALGOR *signatureAlgorithm;
		247	ASN1_BIT_STRING *signature;
		248	STACK_OF(X509) *certs;
		249	} /* OCSP_BASICRESP */;
		250
		251	/* CrlID ::= SEQUENCE {
		252	* crlUrl [0] EXPLICIT IA5String OPTIONAL,
		253	* crlNum [1] EXPLICIT INTEGER OPTIONAL,
		254	* crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
		255	*/
		256	struct ocsp_crl_id_st {
		257	ASN1_IA5STRING *crlUrl;
		258	ASN1_INTEGER *crlNum;
		259	ASN1_GENERALIZEDTIME *crlTime;
		260	} /* OCSP_CRLID */;
		261
		262	/* ServiceLocator ::= SEQUENCE {
		263	* issuer Name,
		264	* locator AuthorityInfoAccessSyntax OPTIONAL }
		265	*/
		266	struct ocsp_service_locator_st {
		267	X509_NAME* issuer;
		268	STACK_OF(ACCESS_DESCRIPTION) *locator;
		269	} /* OCSP_SERVICELOC */;
		270
		271	#define OCSP_REQUEST_sign(o,pkey,md) \
		272	ASN1_item_sign(&OCSP_REQINFO_it, \
		273	(o)->optionalSignature->signatureAlgorithm, NULL, \
		274	(o)->optionalSignature->signature,o->tbsRequest, (pkey), (md))
		275
		276	#define OCSP_BASICRESP_sign(o,pkey,md,d) \
		277	ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
		278	(o)->signature,(o)->tbsResponseData,(pkey),(md))
		279
		280	#define OCSP_REQUEST_verify(a,r) \
		281	ASN1_item_verify(&OCSP_REQINFO_it, \
		282	(a)->optionalSignature->signatureAlgorithm, \
		283	(a)->optionalSignature->signature, (a)->tbsRequest, (r))
		284
		285	#define OCSP_BASICRESP_verify(a,r,d) \
		286	ASN1_item_verify(&OCSP_RESPDATA_it, \
		287	(a)->signatureAlgorithm, (a)->signature, (a)->tbsResponseData, (r))
		288
69	__END_HIDDEN_DECLS	289	__END_HIDDEN_DECLS
70		290
71	#endif /* !HEADER_OCSP_LOCAL_H */	291	#endif /* !HEADER_OCSP_LOCAL_H */