diff options
author | tb <> | 2022-09-11 17:31:19 +0000 |
---|---|---|
committer | tb <> | 2022-09-11 17:31:19 +0000 |
commit | 927eba6a7e1ebb08167c9fd72962c95695e1fbbb (patch) | |
tree | ec1c8803851e0c5ae7f551a696251352c9b2ba80 /src/lib | |
parent | 1e6a38fe37a22fd311807762cf937c6d1cf58aa0 (diff) | |
download | openbsd-927eba6a7e1ebb08167c9fd72962c95695e1fbbb.tar.gz openbsd-927eba6a7e1ebb08167c9fd72962c95695e1fbbb.tar.bz2 openbsd-927eba6a7e1ebb08167c9fd72962c95695e1fbbb.zip |
Make structs in ts.h opaque
ok jsing
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/libcrypto/ts/ts.h | 230 | ||||
-rw-r--r-- | src/lib/libcrypto/ts/ts_local.h | 208 |
2 files changed, 223 insertions, 215 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h index 0397fb8b08..cb372e6616 100644 --- a/src/lib/libcrypto/ts/ts.h +++ b/src/lib/libcrypto/ts/ts.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ts.h,v 1.18 2022/07/24 20:02:04 tb Exp $ */ | 1 | /* $OpenBSD: ts.h,v 1.19 2022/09/11 17:31:19 tb Exp $ */ |
2 | /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL |
3 | * project 2002, 2003, 2004. | 3 | * project 2002, 2003, 2004. |
4 | */ | 4 | */ |
@@ -93,99 +93,12 @@ extern "C" { | |||
93 | #include <openssl/x509.h> | 93 | #include <openssl/x509.h> |
94 | #include <openssl/x509v3.h> | 94 | #include <openssl/x509v3.h> |
95 | 95 | ||
96 | /* | 96 | typedef struct TS_msg_imprint_st TS_MSG_IMPRINT; |
97 | MessageImprint ::= SEQUENCE { | 97 | typedef struct TS_req_st TS_REQ; |
98 | hashAlgorithm AlgorithmIdentifier, | 98 | typedef struct TS_accuracy_st TS_ACCURACY; |
99 | hashedMessage OCTET STRING } | 99 | typedef struct TS_tst_info_st TS_TST_INFO; |
100 | */ | ||
101 | |||
102 | typedef struct TS_msg_imprint_st { | ||
103 | X509_ALGOR *hash_algo; | ||
104 | ASN1_OCTET_STRING *hashed_msg; | ||
105 | } TS_MSG_IMPRINT; | ||
106 | |||
107 | /* | ||
108 | TimeStampReq ::= SEQUENCE { | ||
109 | version INTEGER { v1(1) }, | ||
110 | messageImprint MessageImprint, | ||
111 | --a hash algorithm OID and the hash value of the data to be | ||
112 | --time-stamped | ||
113 | reqPolicy TSAPolicyId OPTIONAL, | ||
114 | nonce INTEGER OPTIONAL, | ||
115 | certReq BOOLEAN DEFAULT FALSE, | ||
116 | extensions [0] IMPLICIT Extensions OPTIONAL } | ||
117 | */ | ||
118 | |||
119 | typedef struct TS_req_st { | ||
120 | ASN1_INTEGER *version; | ||
121 | TS_MSG_IMPRINT *msg_imprint; | ||
122 | ASN1_OBJECT *policy_id; /* OPTIONAL */ | ||
123 | ASN1_INTEGER *nonce; /* OPTIONAL */ | ||
124 | ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ | ||
125 | STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ | ||
126 | } TS_REQ; | ||
127 | |||
128 | /* | ||
129 | Accuracy ::= SEQUENCE { | ||
130 | seconds INTEGER OPTIONAL, | ||
131 | millis [0] INTEGER (1..999) OPTIONAL, | ||
132 | micros [1] INTEGER (1..999) OPTIONAL } | ||
133 | */ | ||
134 | |||
135 | typedef struct TS_accuracy_st { | ||
136 | ASN1_INTEGER *seconds; | ||
137 | ASN1_INTEGER *millis; | ||
138 | ASN1_INTEGER *micros; | ||
139 | } TS_ACCURACY; | ||
140 | |||
141 | /* | ||
142 | TSTInfo ::= SEQUENCE { | ||
143 | version INTEGER { v1(1) }, | ||
144 | policy TSAPolicyId, | ||
145 | messageImprint MessageImprint, | ||
146 | -- MUST have the same value as the similar field in | ||
147 | -- TimeStampReq | ||
148 | serialNumber INTEGER, | ||
149 | -- Time-Stamping users MUST be ready to accommodate integers | ||
150 | -- up to 160 bits. | ||
151 | genTime GeneralizedTime, | ||
152 | accuracy Accuracy OPTIONAL, | ||
153 | ordering BOOLEAN DEFAULT FALSE, | ||
154 | nonce INTEGER OPTIONAL, | ||
155 | -- MUST be present if the similar field was present | ||
156 | -- in TimeStampReq. In that case it MUST have the same value. | ||
157 | tsa [0] GeneralName OPTIONAL, | ||
158 | extensions [1] IMPLICIT Extensions OPTIONAL } | ||
159 | */ | ||
160 | |||
161 | typedef struct TS_tst_info_st { | ||
162 | ASN1_INTEGER *version; | ||
163 | ASN1_OBJECT *policy_id; | ||
164 | TS_MSG_IMPRINT *msg_imprint; | ||
165 | ASN1_INTEGER *serial; | ||
166 | ASN1_GENERALIZEDTIME *time; | ||
167 | TS_ACCURACY *accuracy; | ||
168 | ASN1_BOOLEAN ordering; | ||
169 | ASN1_INTEGER *nonce; | ||
170 | GENERAL_NAME *tsa; | ||
171 | STACK_OF(X509_EXTENSION) *extensions; | ||
172 | } TS_TST_INFO; | ||
173 | |||
174 | /* | ||
175 | PKIStatusInfo ::= SEQUENCE { | ||
176 | status PKIStatus, | ||
177 | statusString PKIFreeText OPTIONAL, | ||
178 | failInfo PKIFailureInfo OPTIONAL } | ||
179 | |||
180 | From RFC 1510 - section 3.1.1: | ||
181 | PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String | ||
182 | -- text encoded as UTF-8 String (note: each UTF8String SHOULD | ||
183 | -- include an RFC 1766 language tag to indicate the language | ||
184 | -- of the contained text) | ||
185 | */ | ||
186 | |||
187 | /* Possible values for status. See ts_rsp_print.c && ts_rsp_verify.c. */ | ||
188 | 100 | ||
101 | /* Possible values for status. */ | ||
189 | #define TS_STATUS_GRANTED 0 | 102 | #define TS_STATUS_GRANTED 0 |
190 | #define TS_STATUS_GRANTED_WITH_MODS 1 | 103 | #define TS_STATUS_GRANTED_WITH_MODS 1 |
191 | #define TS_STATUS_REJECTION 2 | 104 | #define TS_STATUS_REJECTION 2 |
@@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String | |||
193 | #define TS_STATUS_REVOCATION_WARNING 4 | 106 | #define TS_STATUS_REVOCATION_WARNING 4 |
194 | #define TS_STATUS_REVOCATION_NOTIFICATION 5 | 107 | #define TS_STATUS_REVOCATION_NOTIFICATION 5 |
195 | 108 | ||
196 | /* Possible values for failure_info. See ts_rsp_print.c && ts_rsp_verify.c */ | 109 | /* Possible values for failure_info. */ |
197 | |||
198 | #define TS_INFO_BAD_ALG 0 | 110 | #define TS_INFO_BAD_ALG 0 |
199 | #define TS_INFO_BAD_REQUEST 2 | 111 | #define TS_INFO_BAD_REQUEST 2 |
200 | #define TS_INFO_BAD_DATA_FORMAT 5 | 112 | #define TS_INFO_BAD_DATA_FORMAT 5 |
@@ -204,72 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String | |||
204 | #define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 | 116 | #define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 |
205 | #define TS_INFO_SYSTEM_FAILURE 25 | 117 | #define TS_INFO_SYSTEM_FAILURE 25 |
206 | 118 | ||
207 | typedef struct TS_status_info_st { | 119 | typedef struct TS_status_info_st TS_STATUS_INFO; |
208 | ASN1_INTEGER *status; | ||
209 | STACK_OF(ASN1_UTF8STRING) *text; | ||
210 | ASN1_BIT_STRING *failure_info; | ||
211 | } TS_STATUS_INFO; | ||
212 | 120 | ||
213 | DECLARE_STACK_OF(ASN1_UTF8STRING) | 121 | DECLARE_STACK_OF(ASN1_UTF8STRING) |
214 | 122 | ||
215 | /* | 123 | typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; |
216 | TimeStampResp ::= SEQUENCE { | 124 | typedef struct ESS_cert_id ESS_CERT_ID; |
217 | status PKIStatusInfo, | ||
218 | timeStampToken TimeStampToken OPTIONAL } | ||
219 | */ | ||
220 | |||
221 | typedef struct TS_resp_st { | ||
222 | TS_STATUS_INFO *status_info; | ||
223 | PKCS7 *token; | ||
224 | TS_TST_INFO *tst_info; | ||
225 | } TS_RESP; | ||
226 | |||
227 | /* The structure below would belong to the ESS component. */ | ||
228 | |||
229 | /* | ||
230 | IssuerSerial ::= SEQUENCE { | ||
231 | issuer GeneralNames, | ||
232 | serialNumber CertificateSerialNumber | ||
233 | } | ||
234 | */ | ||
235 | |||
236 | typedef struct ESS_issuer_serial { | ||
237 | STACK_OF(GENERAL_NAME) *issuer; | ||
238 | ASN1_INTEGER *serial; | ||
239 | } ESS_ISSUER_SERIAL; | ||
240 | |||
241 | /* | ||
242 | ESSCertID ::= SEQUENCE { | ||
243 | certHash Hash, | ||
244 | issuerSerial IssuerSerial OPTIONAL | ||
245 | } | ||
246 | */ | ||
247 | |||
248 | typedef struct ESS_cert_id { | ||
249 | ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ | ||
250 | ESS_ISSUER_SERIAL *issuer_serial; | ||
251 | } ESS_CERT_ID; | ||
252 | |||
253 | DECLARE_STACK_OF(ESS_CERT_ID) | 125 | DECLARE_STACK_OF(ESS_CERT_ID) |
126 | typedef struct ESS_signing_cert ESS_SIGNING_CERT; | ||
254 | 127 | ||
255 | /* | ||
256 | SigningCertificate ::= SEQUENCE { | ||
257 | certs SEQUENCE OF ESSCertID, | ||
258 | policies SEQUENCE OF PolicyInformation OPTIONAL | ||
259 | } | ||
260 | */ | ||
261 | |||
262 | typedef struct ESS_signing_cert { | ||
263 | STACK_OF(ESS_CERT_ID) *cert_ids; | ||
264 | STACK_OF(POLICYINFO) *policy_info; | ||
265 | } ESS_SIGNING_CERT; | ||
266 | |||
267 | #ifdef LIBRESSL_INTERNAL | ||
268 | typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2; | 128 | typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2; |
269 | DECLARE_STACK_OF(ESS_CERT_ID_V2) | 129 | DECLARE_STACK_OF(ESS_CERT_ID_V2) |
270 | 130 | ||
271 | typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2; | 131 | typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2; |
272 | #endif /* LIBRESSL_INTERNAL */ | 132 | |
133 | typedef struct TS_resp_st TS_RESP; | ||
273 | 134 | ||
274 | TS_REQ *TS_REQ_new(void); | 135 | TS_REQ *TS_REQ_new(void); |
275 | void TS_REQ_free(TS_REQ *a); | 136 | void TS_REQ_free(TS_REQ *a); |
@@ -398,13 +259,11 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a); | |||
398 | int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info); | 259 | int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info); |
399 | TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a); | 260 | TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a); |
400 | 261 | ||
401 | #if defined(LIBRESSL_INTERNAL) | ||
402 | const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si); | 262 | const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si); |
403 | const STACK_OF(ASN1_UTF8STRING) * | 263 | const STACK_OF(ASN1_UTF8STRING) * |
404 | TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si); | 264 | TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si); |
405 | const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si); | 265 | const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si); |
406 | int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i); | 266 | int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i); |
407 | #endif | ||
408 | 267 | ||
409 | /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ | 268 | /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ |
410 | void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info); | 269 | void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info); |
@@ -494,35 +353,7 @@ typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec) | |||
494 | */ | 353 | */ |
495 | typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *); | 354 | typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *); |
496 | 355 | ||
497 | typedef struct TS_resp_ctx { | 356 | typedef struct TS_resp_ctx TS_RESP_CTX; |
498 | X509 *signer_cert; | ||
499 | EVP_PKEY *signer_key; | ||
500 | STACK_OF(X509) *certs; /* Certs to include in signed data. */ | ||
501 | STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ | ||
502 | ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ | ||
503 | STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ | ||
504 | ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ | ||
505 | ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ | ||
506 | ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ | ||
507 | unsigned clock_precision_digits; /* fraction of seconds in | ||
508 | time stamp token. */ | ||
509 | unsigned flags; /* Optional info, see values above. */ | ||
510 | |||
511 | /* Callback functions. */ | ||
512 | TS_serial_cb serial_cb; | ||
513 | void *serial_cb_data; /* User data for serial_cb. */ | ||
514 | |||
515 | TS_time_cb time_cb; | ||
516 | void *time_cb_data; /* User data for time_cb. */ | ||
517 | |||
518 | TS_extension_cb extension_cb; | ||
519 | void *extension_cb_data; /* User data for extension_cb. */ | ||
520 | |||
521 | /* These members are used only while creating the response. */ | ||
522 | TS_REQ *request; | ||
523 | TS_RESP *response; | ||
524 | TS_TST_INFO *tst_info; | ||
525 | } TS_RESP_CTX; | ||
526 | 357 | ||
527 | DECLARE_STACK_OF(EVP_MD) | 358 | DECLARE_STACK_OF(EVP_MD) |
528 | 359 | ||
@@ -567,10 +398,8 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags); | |||
567 | /* Default callback always returns a constant. */ | 398 | /* Default callback always returns a constant. */ |
568 | void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data); | 399 | void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data); |
569 | 400 | ||
570 | #if defined(LIBRESSL_INTERNAL) | ||
571 | /* Default callback uses gettimeofday() and gmtime(). */ | 401 | /* Default callback uses gettimeofday() and gmtime(). */ |
572 | void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); | 402 | void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); |
573 | #endif | ||
574 | 403 | ||
575 | /* Default callback rejects all extensions. The extension callback is called | 404 | /* Default callback rejects all extensions. The extension callback is called |
576 | * when the TS_TST_INFO object is already set up and not signed yet. */ | 405 | * when the TS_TST_INFO object is already set up and not signed yet. */ |
@@ -646,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, | |||
646 | | TS_VFY_SIGNER \ | 475 | | TS_VFY_SIGNER \ |
647 | | TS_VFY_TSA_NAME) | 476 | | TS_VFY_TSA_NAME) |
648 | 477 | ||
649 | typedef struct TS_verify_ctx { | 478 | typedef struct TS_verify_ctx TS_VERIFY_CTX; |
650 | /* Set this to the union of TS_VFY_... flags you want to carry out. */ | ||
651 | unsigned flags; | ||
652 | |||
653 | /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ | ||
654 | X509_STORE *store; | ||
655 | STACK_OF(X509) *certs; | ||
656 | |||
657 | /* Must be set only with TS_VFY_POLICY. */ | ||
658 | ASN1_OBJECT *policy; | ||
659 | |||
660 | /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, | ||
661 | the algorithm from the response is used. */ | ||
662 | X509_ALGOR *md_alg; | ||
663 | unsigned char *imprint; | ||
664 | unsigned imprint_len; | ||
665 | |||
666 | /* Must be set only with TS_VFY_DATA. */ | ||
667 | BIO *data; | ||
668 | |||
669 | /* Must be set only with TS_VFY_TSA_NAME. */ | ||
670 | ASN1_INTEGER *nonce; | ||
671 | |||
672 | /* Must be set only with TS_VFY_TSA_NAME. */ | ||
673 | GENERAL_NAME *tsa_name; | ||
674 | } TS_VERIFY_CTX; | ||
675 | 479 | ||
676 | int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); | 480 | int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); |
677 | int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); | 481 | int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); |
@@ -687,7 +491,6 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx); | |||
687 | void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); | 491 | void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); |
688 | void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); | 492 | void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); |
689 | 493 | ||
690 | #if defined(LIBRESSL_INTERNAL) | ||
691 | int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags); | 494 | int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags); |
692 | int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags); | 495 | int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags); |
693 | BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio); | 496 | BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio); |
@@ -698,7 +501,6 @@ STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, | |||
698 | STACK_OF(X509) *certs); | 501 | STACK_OF(X509) *certs); |
699 | unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, | 502 | unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, |
700 | unsigned char *imprint, long imprint_len); | 503 | unsigned char *imprint, long imprint_len); |
701 | #endif | ||
702 | 504 | ||
703 | /* | 505 | /* |
704 | * If ctx is NULL, it allocates and returns a new object, otherwise | 506 | * If ctx is NULL, it allocates and returns a new object, otherwise |
@@ -712,7 +514,7 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, | |||
712 | * imprint, imprint_len = imprint from request | 514 | * imprint, imprint_len = imprint from request |
713 | * data = NULL | 515 | * data = NULL |
714 | * nonce, nonce_len = nonce from the request or NULL if absent (in this case | 516 | * nonce, nonce_len = nonce from the request or NULL if absent (in this case |
715 | * TS_VFY_NONCE is cleared from flags as well) | 517 | * TS_VFY_NONCE is cleared from flags as well) |
716 | * tsa_name = NULL | 518 | * tsa_name = NULL |
717 | * Important: after calling this method TS_VFY_SIGNATURE should be added! | 519 | * Important: after calling this method TS_VFY_SIGNATURE should be added! |
718 | */ | 520 | */ |
diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h index 01d26de127..cf1e9e0589 100644 --- a/src/lib/libcrypto/ts/ts_local.h +++ b/src/lib/libcrypto/ts/ts_local.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */ | 1 | /* $OpenBSD: ts_local.h,v 1.2 2022/09/11 17:31:19 tb Exp $ */ |
2 | /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL |
3 | * project 2002, 2003, 2004. | 3 | * project 2002, 2003, 2004. |
4 | */ | 4 | */ |
@@ -62,6 +62,153 @@ | |||
62 | __BEGIN_HIDDEN_DECLS | 62 | __BEGIN_HIDDEN_DECLS |
63 | 63 | ||
64 | /* | 64 | /* |
65 | * MessageImprint ::= SEQUENCE { | ||
66 | * hashAlgorithm AlgorithmIdentifier, | ||
67 | * hashedMessage OCTET STRING } | ||
68 | */ | ||
69 | |||
70 | struct TS_msg_imprint_st { | ||
71 | X509_ALGOR *hash_algo; | ||
72 | ASN1_OCTET_STRING *hashed_msg; | ||
73 | }; | ||
74 | |||
75 | /* | ||
76 | * TimeStampReq ::= SEQUENCE { | ||
77 | * version INTEGER { v1(1) }, | ||
78 | * messageImprint MessageImprint, | ||
79 | * --a hash algorithm OID and the hash value of the data to be | ||
80 | * --time-stamped | ||
81 | * reqPolicy TSAPolicyId OPTIONAL, | ||
82 | * nonce INTEGER OPTIONAL, | ||
83 | * certReq BOOLEAN DEFAULT FALSE, | ||
84 | * extensions [0] IMPLICIT Extensions OPTIONAL } | ||
85 | */ | ||
86 | |||
87 | struct TS_req_st { | ||
88 | ASN1_INTEGER *version; | ||
89 | TS_MSG_IMPRINT *msg_imprint; | ||
90 | ASN1_OBJECT *policy_id; /* OPTIONAL */ | ||
91 | ASN1_INTEGER *nonce; /* OPTIONAL */ | ||
92 | ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ | ||
93 | STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ | ||
94 | }; | ||
95 | |||
96 | /* | ||
97 | * Accuracy ::= SEQUENCE { | ||
98 | * seconds INTEGER OPTIONAL, | ||
99 | * millis [0] INTEGER (1..999) OPTIONAL, | ||
100 | * micros [1] INTEGER (1..999) OPTIONAL } | ||
101 | */ | ||
102 | |||
103 | struct TS_accuracy_st { | ||
104 | ASN1_INTEGER *seconds; | ||
105 | ASN1_INTEGER *millis; | ||
106 | ASN1_INTEGER *micros; | ||
107 | }; | ||
108 | |||
109 | /* | ||
110 | * TSTInfo ::= SEQUENCE { | ||
111 | * version INTEGER { v1(1) }, | ||
112 | * policy TSAPolicyId, | ||
113 | * messageImprint MessageImprint, | ||
114 | * -- MUST have the same value as the similar field in | ||
115 | * -- TimeStampReq | ||
116 | * serialNumber INTEGER, | ||
117 | * -- Time-Stamping users MUST be ready to accommodate integers | ||
118 | * -- up to 160 bits. | ||
119 | * genTime GeneralizedTime, | ||
120 | * accuracy Accuracy OPTIONAL, | ||
121 | * ordering BOOLEAN DEFAULT FALSE, | ||
122 | * nonce INTEGER OPTIONAL, | ||
123 | * -- MUST be present if the similar field was present | ||
124 | * -- in TimeStampReq. In that case it MUST have the same value. | ||
125 | * tsa [0] GeneralName OPTIONAL, | ||
126 | * extensions [1] IMPLICIT Extensions OPTIONAL } | ||
127 | */ | ||
128 | |||
129 | struct TS_tst_info_st { | ||
130 | ASN1_INTEGER *version; | ||
131 | ASN1_OBJECT *policy_id; | ||
132 | TS_MSG_IMPRINT *msg_imprint; | ||
133 | ASN1_INTEGER *serial; | ||
134 | ASN1_GENERALIZEDTIME *time; | ||
135 | TS_ACCURACY *accuracy; | ||
136 | ASN1_BOOLEAN ordering; | ||
137 | ASN1_INTEGER *nonce; | ||
138 | GENERAL_NAME *tsa; | ||
139 | STACK_OF(X509_EXTENSION) *extensions; | ||
140 | }; | ||
141 | |||
142 | /* | ||
143 | * PKIStatusInfo ::= SEQUENCE { | ||
144 | * status PKIStatus, | ||
145 | * statusString PKIFreeText OPTIONAL, | ||
146 | * failInfo PKIFailureInfo OPTIONAL } | ||
147 | * | ||
148 | * From RFC 1510 - section 3.1.1: | ||
149 | * PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String | ||
150 | * -- text encoded as UTF-8 String (note: each UTF8String SHOULD | ||
151 | * -- include an RFC 1766 language tag to indicate the language | ||
152 | * -- of the contained text) | ||
153 | */ | ||
154 | |||
155 | struct TS_status_info_st { | ||
156 | ASN1_INTEGER *status; | ||
157 | STACK_OF(ASN1_UTF8STRING) *text; | ||
158 | ASN1_BIT_STRING *failure_info; | ||
159 | }; | ||
160 | |||
161 | /* | ||
162 | * TimeStampResp ::= SEQUENCE { | ||
163 | * status PKIStatusInfo, | ||
164 | * timeStampToken TimeStampToken OPTIONAL } | ||
165 | */ | ||
166 | |||
167 | struct TS_resp_st { | ||
168 | TS_STATUS_INFO *status_info; | ||
169 | PKCS7 *token; | ||
170 | TS_TST_INFO *tst_info; | ||
171 | }; | ||
172 | |||
173 | /* The structure below would belong to the ESS component. */ | ||
174 | |||
175 | /* | ||
176 | * IssuerSerial ::= SEQUENCE { | ||
177 | * issuer GeneralNames, | ||
178 | * serialNumber CertificateSerialNumber | ||
179 | * } | ||
180 | */ | ||
181 | |||
182 | struct ESS_issuer_serial { | ||
183 | STACK_OF(GENERAL_NAME) *issuer; | ||
184 | ASN1_INTEGER *serial; | ||
185 | }; | ||
186 | |||
187 | /* | ||
188 | * ESSCertID ::= SEQUENCE { | ||
189 | * certHash Hash, | ||
190 | * issuerSerial IssuerSerial OPTIONAL | ||
191 | * } | ||
192 | */ | ||
193 | |||
194 | struct ESS_cert_id { | ||
195 | ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ | ||
196 | ESS_ISSUER_SERIAL *issuer_serial; | ||
197 | }; | ||
198 | |||
199 | /* | ||
200 | * SigningCertificate ::= SEQUENCE { | ||
201 | * certs SEQUENCE OF ESSCertID, | ||
202 | * policies SEQUENCE OF PolicyInformation OPTIONAL | ||
203 | * } | ||
204 | */ | ||
205 | |||
206 | struct ESS_signing_cert { | ||
207 | STACK_OF(ESS_CERT_ID) *cert_ids; | ||
208 | STACK_OF(POLICYINFO) *policy_info; | ||
209 | }; | ||
210 | |||
211 | /* | ||
65 | * ESSCertIDv2 ::= SEQUENCE { | 212 | * ESSCertIDv2 ::= SEQUENCE { |
66 | * hashAlgorithm AlgorithmIdentifier | 213 | * hashAlgorithm AlgorithmIdentifier |
67 | * DEFAULT {algorithm id-sha256}, | 214 | * DEFAULT {algorithm id-sha256}, |
@@ -86,6 +233,65 @@ struct ESS_signing_cert_v2 { | |||
86 | STACK_OF(POLICYINFO) *policy_info; | 233 | STACK_OF(POLICYINFO) *policy_info; |
87 | }; | 234 | }; |
88 | 235 | ||
236 | struct TS_resp_ctx { | ||
237 | X509 *signer_cert; | ||
238 | EVP_PKEY *signer_key; | ||
239 | STACK_OF(X509) *certs; /* Certs to include in signed data. */ | ||
240 | STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ | ||
241 | ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ | ||
242 | STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ | ||
243 | ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ | ||
244 | ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ | ||
245 | ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ | ||
246 | unsigned clock_precision_digits; /* fraction of seconds in | ||
247 | time stamp token. */ | ||
248 | unsigned flags; /* Optional info, see values above. */ | ||
249 | |||
250 | /* Callback functions. */ | ||
251 | TS_serial_cb serial_cb; | ||
252 | void *serial_cb_data; /* User data for serial_cb. */ | ||
253 | |||
254 | TS_time_cb time_cb; | ||
255 | void *time_cb_data; /* User data for time_cb. */ | ||
256 | |||
257 | TS_extension_cb extension_cb; | ||
258 | void *extension_cb_data; /* User data for extension_cb. */ | ||
259 | |||
260 | /* These members are used only while creating the response. */ | ||
261 | TS_REQ *request; | ||
262 | TS_RESP *response; | ||
263 | TS_TST_INFO *tst_info; | ||
264 | }; | ||
265 | |||
266 | /* Context structure for the generic verify method. */ | ||
267 | |||
268 | struct TS_verify_ctx { | ||
269 | /* Set this to the union of TS_VFY_... flags you want to carry out. */ | ||
270 | unsigned flags; | ||
271 | |||
272 | /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ | ||
273 | X509_STORE *store; | ||
274 | STACK_OF(X509) *certs; | ||
275 | |||
276 | /* Must be set only with TS_VFY_POLICY. */ | ||
277 | ASN1_OBJECT *policy; | ||
278 | |||
279 | /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, | ||
280 | the algorithm from the response is used. */ | ||
281 | X509_ALGOR *md_alg; | ||
282 | unsigned char *imprint; | ||
283 | unsigned imprint_len; | ||
284 | |||
285 | /* Must be set only with TS_VFY_DATA. */ | ||
286 | BIO *data; | ||
287 | |||
288 | /* Must be set only with TS_VFY_TSA_NAME. */ | ||
289 | ASN1_INTEGER *nonce; | ||
290 | |||
291 | /* Must be set only with TS_VFY_TSA_NAME. */ | ||
292 | GENERAL_NAME *tsa_name; | ||
293 | }; | ||
294 | |||
89 | /* | 295 | /* |
90 | * Public OpenSSL API that we do not currently want to expose. | 296 | * Public OpenSSL API that we do not currently want to expose. |
91 | */ | 297 | */ |