Make structs in ts.h opaque

ok jsing
author: tb <> 2022-09-11 17:31:19 +0000
committer: tb <> 2022-09-11 17:31:19 +0000
commit: b7fb781bef534398c94a8cbc267fb62adea0af0c (patch)
tree: ec1c8803851e0c5ae7f551a696251352c9b2ba80 /src
parent: 4669ddc1d171394ba16e6abb6443547df93e040e (diff)
download: openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.tar.gz
openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.tar.bz2
openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.zip
2 files changed, 223 insertions, 215 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 0397fb8b08..cb372e6616 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.18 2022/07/24 20:02:04 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.19 2022/09/11 17:31:19 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -93,99 +93,12 @@ extern "C" {
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-/*
+typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
-MessageImprint ::= SEQUENCE  {
+typedef struct TS_req_st TS_REQ;
-     hashAlgorithm                AlgorithmIdentifier,
+typedef struct TS_accuracy_st TS_ACCURACY;
-     hashedMessage                OCTET STRING  }
+typedef struct TS_tst_info_st TS_TST_INFO;
-*/
-typedef struct TS_msg_imprint_st {
-        X509_ALGOR *hash_algo;
-        ASN1_OCTET_STRING *hashed_msg;
-} TS_MSG_IMPRINT;
-/*
-TimeStampReq ::= SEQUENCE  {
-   version                  INTEGER  { v1(1) },
-   messageImprint           MessageImprint,
-     --a hash algorithm OID and the hash value of the data to be
-     --time-stamped
-   reqPolicy                TSAPolicyId                OPTIONAL,
-   nonce                    INTEGER                    OPTIONAL,
-   certReq                  BOOLEAN                    DEFAULT FALSE,
-   extensions               [0] IMPLICIT Extensions    OPTIONAL  }
-*/
-typedef struct TS_req_st {
-        ASN1_INTEGER *version;
-        TS_MSG_IMPRINT *msg_imprint;
-        ASN1_OBJECT *policy_id;         /* OPTIONAL */
-        ASN1_INTEGER *nonce;            /* OPTIONAL */
-        ASN1_BOOLEAN cert_req;          /* DEFAULT FALSE */
-        STACK_OF(X509_EXTENSION) *extensions;   /* [0] OPTIONAL */
-} TS_REQ;
-/*
-Accuracy ::= SEQUENCE {
-                seconds        INTEGER           OPTIONAL,
-                millis     [0] INTEGER  (1..999) OPTIONAL,
-                micros     [1] INTEGER  (1..999) OPTIONAL  }
-*/
-typedef struct TS_accuracy_st {
-        ASN1_INTEGER *seconds;
-        ASN1_INTEGER *millis;
-        ASN1_INTEGER *micros;
-} TS_ACCURACY;
-/*
-TSTInfo ::= SEQUENCE  {
-    version                      INTEGER  { v1(1) },
-    policy                       TSAPolicyId,
-    messageImprint               MessageImprint,
-      -- MUST have the same value as the similar field in
-      -- TimeStampReq
-    serialNumber                 INTEGER,
-     -- Time-Stamping users MUST be ready to accommodate integers
-     -- up to 160 bits.
-    genTime                      GeneralizedTime,
-    accuracy                     Accuracy                 OPTIONAL,
-    ordering                     BOOLEAN             DEFAULT FALSE,
-    nonce                        INTEGER                  OPTIONAL,
-      -- MUST be present if the similar field was present
-      -- in TimeStampReq.  In that case it MUST have the same value.
-    tsa                          [0] GeneralName          OPTIONAL,
-    extensions                   [1] IMPLICIT Extensions  OPTIONAL   }
-*/
-typedef struct TS_tst_info_st {
-        ASN1_INTEGER *version;
-        ASN1_OBJECT *policy_id;
-        TS_MSG_IMPRINT *msg_imprint;
-        ASN1_INTEGER *serial;
-        ASN1_GENERALIZEDTIME *time;
-        TS_ACCURACY *accuracy;
-        ASN1_BOOLEAN ordering;
-        ASN1_INTEGER *nonce;
-        GENERAL_NAME *tsa;
-        STACK_OF(X509_EXTENSION) *extensions;
-} TS_TST_INFO;
-/*
-PKIStatusInfo ::= SEQUENCE {
-    status        PKIStatus,
-    statusString  PKIFreeText     OPTIONAL,
-    failInfo      PKIFailureInfo  OPTIONAL  }
-From RFC 1510 - section 3.1.1:
-PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-        -- text encoded as UTF-8 String (note:  each UTF8String SHOULD
-        -- include an RFC 1766 language tag to indicate the language
-        -- of the contained text)
-*/
-/* Possible values for status. See ts_rsp_print.c && ts_rsp_verify.c. */
+/* Possible values for status. */
 #define TS_STATUS_GRANTED                       0
 #define TS_STATUS_GRANTED_WITH_MODS             1
 #define TS_STATUS_REJECTION                     2
@@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
 #define TS_STATUS_REVOCATION_WARNING            4
 #define TS_STATUS_REVOCATION_NOTIFICATION       5
-/* Possible values for failure_info. See ts_rsp_print.c && ts_rsp_verify.c */
+/* Possible values for failure_info. */
 #define TS_INFO_BAD_ALG                 0
 #define TS_INFO_BAD_REQUEST             2
 #define TS_INFO_BAD_DATA_FORMAT         5
@@ -204,72 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
 #define TS_INFO_ADD_INFO_NOT_AVAILABLE  17
 #define TS_INFO_SYSTEM_FAILURE          25
-typedef struct TS_status_info_st {
+typedef struct TS_status_info_st TS_STATUS_INFO;
-        ASN1_INTEGER *status;
-        STACK_OF(ASN1_UTF8STRING) *text;
-        ASN1_BIT_STRING *failure_info;
-} TS_STATUS_INFO;
 DECLARE_STACK_OF(ASN1_UTF8STRING)
-/*
+typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
-TimeStampResp ::= SEQUENCE  {
+typedef struct ESS_cert_id ESS_CERT_ID;
-     status                  PKIStatusInfo,
-     timeStampToken          TimeStampToken     OPTIONAL }
-*/
-typedef struct TS_resp_st {
-        TS_STATUS_INFO *status_info;
-        PKCS7 *token;
-        TS_TST_INFO *tst_info;
-} TS_RESP;
-/* The structure below would belong to the ESS component. */
-/*
-IssuerSerial ::= SEQUENCE {
-        issuer                   GeneralNames,
-        serialNumber             CertificateSerialNumber
-        }
-*/
-typedef struct ESS_issuer_serial {
-        STACK_OF(GENERAL_NAME)  *issuer;
-        ASN1_INTEGER            *serial;
-} ESS_ISSUER_SERIAL;
-/*
-ESSCertID ::=  SEQUENCE {
-        certHash                 Hash,
-        issuerSerial             IssuerSerial OPTIONAL
-}
-*/
-typedef struct ESS_cert_id {
-        ASN1_OCTET_STRING *hash;        /* Always SHA-1 digest. */
-        ESS_ISSUER_SERIAL *issuer_serial;
-} ESS_CERT_ID;
 DECLARE_STACK_OF(ESS_CERT_ID)
+typedef struct ESS_signing_cert ESS_SIGNING_CERT;
-/*
-SigningCertificate ::=  SEQUENCE {
-       certs        SEQUENCE OF ESSCertID,
-       policies     SEQUENCE OF PolicyInformation OPTIONAL
-}
-*/
-typedef struct ESS_signing_cert {
-        STACK_OF(ESS_CERT_ID) *cert_ids;
-        STACK_OF(POLICYINFO) *policy_info;
-} ESS_SIGNING_CERT;
-#ifdef LIBRESSL_INTERNAL
 typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
 DECLARE_STACK_OF(ESS_CERT_ID_V2)
 typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
-#endif /* LIBRESSL_INTERNAL */
+typedef struct TS_resp_st TS_RESP;
 TS_REQ  *TS_REQ_new(void);
 void    TS_REQ_free(TS_REQ *a);
@@ -398,13 +259,11 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a);
 int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info);
 TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a);
-#if defined(LIBRESSL_INTERNAL)
 const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si);
 const STACK_OF(ASN1_UTF8STRING) *
    TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
 const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si);
 int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
-#endif
 /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
 void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info);
@@ -494,35 +353,7 @@ typedef	int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec)
 */
 typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
-typedef struct TS_resp_ctx {
+typedef struct TS_resp_ctx TS_RESP_CTX;
-        X509            *signer_cert;
-        EVP_PKEY        *signer_key;
-        STACK_OF(X509)  *certs; /* Certs to include in signed data. */
-        STACK_OF(ASN1_OBJECT)   *policies;      /* Acceptable policies. */
-        ASN1_OBJECT     *default_policy; /* It may appear in policies, too. */
-        STACK_OF(EVP_MD)        *mds;   /* Acceptable message digests. */
-        ASN1_INTEGER    *seconds;       /* accuracy, 0 means not specified. */
-        ASN1_INTEGER    *millis;        /* accuracy, 0 means not specified. */
-        ASN1_INTEGER    *micros;        /* accuracy, 0 means not specified. */
-        unsigned        clock_precision_digits; /* fraction of seconds in
-                                                   time stamp token. */
-        unsigned        flags;          /* Optional info, see values above. */
-        /* Callback functions. */
-        TS_serial_cb serial_cb;
-        void *serial_cb_data;   /* User data for serial_cb. */
-        TS_time_cb time_cb;
-        void *time_cb_data;     /* User data for time_cb. */
-        TS_extension_cb extension_cb;
-        void *extension_cb_data;        /* User data for extension_cb. */
-        /* These members are used only while creating the response. */
-        TS_REQ          *request;
-        TS_RESP         *response;
-        TS_TST_INFO     *tst_info;
-} TS_RESP_CTX;
 DECLARE_STACK_OF(EVP_MD)
@@ -567,10 +398,8 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
 /* Default callback always returns a constant. */
 void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
-#if defined(LIBRESSL_INTERNAL)
 /* Default callback uses gettimeofday() and gmtime(). */
 void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
-#endif
 /* Default callback rejects all extensions. The extension callback is called
 * when the TS_TST_INFO object is already set up and not signed yet. */
@@ -646,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
                                 | TS_VFY_SIGNER        \
                                 | TS_VFY_TSA_NAME)
-typedef struct TS_verify_ctx {
+typedef struct TS_verify_ctx TS_VERIFY_CTX;
-        /* Set this to the union of TS_VFY_... flags you want to carry out. */
-        unsigned        flags;
-        /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
-        X509_STORE      *store;
-        STACK_OF(X509)  *certs;
-        /* Must be set only with TS_VFY_POLICY. */
-        ASN1_OBJECT     *policy;
-        /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
-           the algorithm from the response is used. */
-        X509_ALGOR      *md_alg;
-        unsigned char   *imprint;
-        unsigned        imprint_len;
-        /* Must be set only with TS_VFY_DATA. */
-        BIO             *data;
-        /* Must be set only with TS_VFY_TSA_NAME. */
-        ASN1_INTEGER    *nonce;
-        /* Must be set only with TS_VFY_TSA_NAME. */
-        GENERAL_NAME    *tsa_name;
-} TS_VERIFY_CTX;
 int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
 int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
@@ -687,7 +491,6 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
-#if defined(LIBRESSL_INTERNAL)
 int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
 int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
 BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio);
@@ -698,7 +501,6 @@ STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
    STACK_OF(X509) *certs);
 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
    unsigned char *imprint, long imprint_len);
-#endif
 /*
 * If ctx is NULL, it allocates and returns a new object, otherwise
@@ -712,7 +514,7 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
 * imprint, imprint_len = imprint from request
 * data = NULL
 * nonce, nonce_len = nonce from the request or NULL if absent (in this case
- *      TS_VFY_NONCE is cleared from flags as well)
+ *      TS_VFY_NONCE is cleared from flags as well)
 * tsa_name = NULL
 * Important: after calling this method TS_VFY_SIGNATURE should be added!
 */
diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h
index 01d26de127..cf1e9e0589 100644
--- a/src/lib/libcrypto/ts/ts_local.h
+++ b/src/lib/libcrypto/ts/ts_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */
+/* $OpenBSD: ts_local.h,v 1.2 2022/09/11 17:31:19 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -62,6 +62,153 @@
 __BEGIN_HIDDEN_DECLS
 /*
+ * MessageImprint ::= SEQUENCE  {
+ *      hashAlgorithm                AlgorithmIdentifier,
+ *      hashedMessage                OCTET STRING  }
+ */
+struct TS_msg_imprint_st {
+        X509_ALGOR *hash_algo;
+        ASN1_OCTET_STRING *hashed_msg;
+};
+/*
+ * TimeStampReq ::= SEQUENCE  {
+ *    version                  INTEGER  { v1(1) },
+ *    messageImprint           MessageImprint,
+ *      --a hash algorithm OID and the hash value of the data to be
+ *      --time-stamped
+ *    reqPolicy                TSAPolicyId                OPTIONAL,
+ *    nonce                    INTEGER                    OPTIONAL,
+ *    certReq                  BOOLEAN                    DEFAULT FALSE,
+ *    extensions               [0] IMPLICIT Extensions    OPTIONAL  }
+ */
+struct TS_req_st {
+        ASN1_INTEGER *version;
+        TS_MSG_IMPRINT *msg_imprint;
+        ASN1_OBJECT *policy_id;         /* OPTIONAL */
+        ASN1_INTEGER *nonce;            /* OPTIONAL */
+        ASN1_BOOLEAN cert_req;          /* DEFAULT FALSE */
+        STACK_OF(X509_EXTENSION) *extensions;   /* [0] OPTIONAL */
+};
+/*
+ * Accuracy ::= SEQUENCE {
+ *                 seconds        INTEGER           OPTIONAL,
+ *                 millis     [0] INTEGER  (1..999) OPTIONAL,
+ *                 micros     [1] INTEGER  (1..999) OPTIONAL  }
+ */
+struct TS_accuracy_st {
+        ASN1_INTEGER *seconds;
+        ASN1_INTEGER *millis;
+        ASN1_INTEGER *micros;
+};
+/*
+ * TSTInfo ::= SEQUENCE  {
+ *     version                      INTEGER  { v1(1) },
+ *     policy                       TSAPolicyId,
+ *     messageImprint               MessageImprint,
+ *       -- MUST have the same value as the similar field in
+ *       -- TimeStampReq
+ *     serialNumber                 INTEGER,
+ *      -- Time-Stamping users MUST be ready to accommodate integers
+ *      -- up to 160 bits.
+ *     genTime                      GeneralizedTime,
+ *     accuracy                     Accuracy                 OPTIONAL,
+ *     ordering                     BOOLEAN             DEFAULT FALSE,
+ *     nonce                        INTEGER                  OPTIONAL,
+ *       -- MUST be present if the similar field was present
+ *       -- in TimeStampReq.  In that case it MUST have the same value.
+ *     tsa                          [0] GeneralName          OPTIONAL,
+ *     extensions                   [1] IMPLICIT Extensions  OPTIONAL   }
+ */
+struct TS_tst_info_st {
+        ASN1_INTEGER *version;
+        ASN1_OBJECT *policy_id;
+        TS_MSG_IMPRINT *msg_imprint;
+        ASN1_INTEGER *serial;
+        ASN1_GENERALIZEDTIME *time;
+        TS_ACCURACY *accuracy;
+        ASN1_BOOLEAN ordering;
+        ASN1_INTEGER *nonce;
+        GENERAL_NAME *tsa;
+        STACK_OF(X509_EXTENSION) *extensions;
+};
+/*
+ * PKIStatusInfo ::= SEQUENCE {
+ *     status        PKIStatus,
+ *     statusString  PKIFreeText     OPTIONAL,
+ *     failInfo      PKIFailureInfo  OPTIONAL  }
+ *
+ * From RFC 1510 - section 3.1.1:
+ * PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
+ *      -- text encoded as UTF-8 String (note:  each UTF8String SHOULD
+ *      -- include an RFC 1766 language tag to indicate the language
+ *      -- of the contained text)
+ */
+struct TS_status_info_st {
+        ASN1_INTEGER *status;
+        STACK_OF(ASN1_UTF8STRING) *text;
+        ASN1_BIT_STRING *failure_info;
+};
+/*
+ * TimeStampResp ::= SEQUENCE  {
+ *      status                  PKIStatusInfo,
+ *      timeStampToken          TimeStampToken     OPTIONAL }
+ */
+struct TS_resp_st {
+        TS_STATUS_INFO *status_info;
+        PKCS7 *token;
+        TS_TST_INFO *tst_info;
+};
+/* The structure below would belong to the ESS component. */
+/*
+ * IssuerSerial ::= SEQUENCE {
+ *      issuer                   GeneralNames,
+ *      serialNumber             CertificateSerialNumber
+ *      }
+ */
+struct ESS_issuer_serial {
+        STACK_OF(GENERAL_NAME)  *issuer;
+        ASN1_INTEGER            *serial;
+};
+/*
+ * ESSCertID ::=  SEQUENCE {
+ *      certHash                 Hash,
+ *      issuerSerial             IssuerSerial OPTIONAL
+ * }
+ */
+struct ESS_cert_id {
+        ASN1_OCTET_STRING *hash;        /* Always SHA-1 digest. */
+        ESS_ISSUER_SERIAL *issuer_serial;
+};
+/*
+ * SigningCertificate ::=  SEQUENCE {
+ *        certs        SEQUENCE OF ESSCertID,
+ *        policies     SEQUENCE OF PolicyInformation OPTIONAL
+ * }
+ */
+struct ESS_signing_cert {
+        STACK_OF(ESS_CERT_ID) *cert_ids;
+        STACK_OF(POLICYINFO) *policy_info;
+};
+/*
 * ESSCertIDv2 ::=  SEQUENCE {
 *     hashAlgorithm           AlgorithmIdentifier
 *            DEFAULT {algorithm id-sha256},
@@ -86,6 +233,65 @@ struct ESS_signing_cert_v2 {
        STACK_OF(POLICYINFO) *policy_info;
 };
+struct TS_resp_ctx {
+        X509            *signer_cert;
+        EVP_PKEY        *signer_key;
+        STACK_OF(X509)  *certs; /* Certs to include in signed data. */
+        STACK_OF(ASN1_OBJECT)   *policies;      /* Acceptable policies. */
+        ASN1_OBJECT     *default_policy; /* It may appear in policies, too. */
+        STACK_OF(EVP_MD)        *mds;   /* Acceptable message digests. */
+        ASN1_INTEGER    *seconds;       /* accuracy, 0 means not specified. */
+        ASN1_INTEGER    *millis;        /* accuracy, 0 means not specified. */
+        ASN1_INTEGER    *micros;        /* accuracy, 0 means not specified. */
+        unsigned        clock_precision_digits; /* fraction of seconds in
+                                                   time stamp token. */
+        unsigned        flags;          /* Optional info, see values above. */
+        /* Callback functions. */
+        TS_serial_cb serial_cb;
+        void *serial_cb_data;   /* User data for serial_cb. */
+        TS_time_cb time_cb;
+        void *time_cb_data;     /* User data for time_cb. */
+        TS_extension_cb extension_cb;
+        void *extension_cb_data;        /* User data for extension_cb. */
+        /* These members are used only while creating the response. */
+        TS_REQ          *request;
+        TS_RESP         *response;
+        TS_TST_INFO     *tst_info;
+};
+/* Context structure for the generic verify method. */
+struct TS_verify_ctx {
+        /* Set this to the union of TS_VFY_... flags you want to carry out. */
+        unsigned        flags;
+        /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
+        X509_STORE      *store;
+        STACK_OF(X509)  *certs;
+        /* Must be set only with TS_VFY_POLICY. */
+        ASN1_OBJECT     *policy;
+        /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
+           the algorithm from the response is used. */
+        X509_ALGOR      *md_alg;
+        unsigned char   *imprint;
+        unsigned        imprint_len;
+        /* Must be set only with TS_VFY_DATA. */
+        BIO             *data;
+        /* Must be set only with TS_VFY_TSA_NAME. */
+        ASN1_INTEGER    *nonce;
+        /* Must be set only with TS_VFY_TSA_NAME. */
+        GENERAL_NAME    *tsa_name;
+};
 /*
 * Public OpenSSL API that we do not currently want to expose.
 */
author	tb <>	2022-09-11 17:31:19 +0000
committer	tb <>	2022-09-11 17:31:19 +0000
commit	b7fb781bef534398c94a8cbc267fb62adea0af0c (patch)
tree	ec1c8803851e0c5ae7f551a696251352c9b2ba80 /src
parent	4669ddc1d171394ba16e6abb6443547df93e040e (diff)
download	openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.tar.gz openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.tar.bz2 openbsd-b7fb781bef534398c94a8cbc267fb62adea0af0c.zip

diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h index 0397fb8b08..cb372e6616 100644 --- a/src/lib/libcrypto/ts/ts.h +++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts.h,v 1.18 2022/07/24 20:02:04 tb Exp $ */	1	/* $OpenBSD: ts.h,v 1.19 2022/09/11 17:31:19 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -93,99 +93,12 @@ extern "C" {
93	#include <openssl/x509.h>	93	#include <openssl/x509.h>
94	#include <openssl/x509v3.h>	94	#include <openssl/x509v3.h>
95		95
96	/*	96	typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
97	MessageImprint ::= SEQUENCE {	97	typedef struct TS_req_st TS_REQ;
98	hashAlgorithm AlgorithmIdentifier,	98	typedef struct TS_accuracy_st TS_ACCURACY;
99	hashedMessage OCTET STRING }	99	typedef struct TS_tst_info_st TS_TST_INFO;
100	*/
101
102	typedef struct TS_msg_imprint_st {
103	X509_ALGOR *hash_algo;
104	ASN1_OCTET_STRING *hashed_msg;
105	} TS_MSG_IMPRINT;
106
107	/*
108	TimeStampReq ::= SEQUENCE {
109	version INTEGER { v1(1) },
110	messageImprint MessageImprint,
111	--a hash algorithm OID and the hash value of the data to be
112	--time-stamped
113	reqPolicy TSAPolicyId OPTIONAL,
114	nonce INTEGER OPTIONAL,
115	certReq BOOLEAN DEFAULT FALSE,
116	extensions [0] IMPLICIT Extensions OPTIONAL }
117	*/
118
119	typedef struct TS_req_st {
120	ASN1_INTEGER *version;
121	TS_MSG_IMPRINT *msg_imprint;
122	ASN1_OBJECT policy_id; / OPTIONAL */
123	ASN1_INTEGER nonce; / OPTIONAL */
124	ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
125	STACK_OF(X509_EXTENSION) extensions; / [0] OPTIONAL */
126	} TS_REQ;
127
128	/*
129	Accuracy ::= SEQUENCE {
130	seconds INTEGER OPTIONAL,
131	millis [0] INTEGER (1..999) OPTIONAL,
132	micros [1] INTEGER (1..999) OPTIONAL }
133	*/
134
135	typedef struct TS_accuracy_st {
136	ASN1_INTEGER *seconds;
137	ASN1_INTEGER *millis;
138	ASN1_INTEGER *micros;
139	} TS_ACCURACY;
140
141	/*
142	TSTInfo ::= SEQUENCE {
143	version INTEGER { v1(1) },
144	policy TSAPolicyId,
145	messageImprint MessageImprint,
146	-- MUST have the same value as the similar field in
147	-- TimeStampReq
148	serialNumber INTEGER,
149	-- Time-Stamping users MUST be ready to accommodate integers
150	-- up to 160 bits.
151	genTime GeneralizedTime,
152	accuracy Accuracy OPTIONAL,
153	ordering BOOLEAN DEFAULT FALSE,
154	nonce INTEGER OPTIONAL,
155	-- MUST be present if the similar field was present
156	-- in TimeStampReq. In that case it MUST have the same value.
157	tsa [0] GeneralName OPTIONAL,
158	extensions [1] IMPLICIT Extensions OPTIONAL }
159	*/
160
161	typedef struct TS_tst_info_st {
162	ASN1_INTEGER *version;
163	ASN1_OBJECT *policy_id;
164	TS_MSG_IMPRINT *msg_imprint;
165	ASN1_INTEGER *serial;
166	ASN1_GENERALIZEDTIME *time;
167	TS_ACCURACY *accuracy;
168	ASN1_BOOLEAN ordering;
169	ASN1_INTEGER *nonce;
170	GENERAL_NAME *tsa;
171	STACK_OF(X509_EXTENSION) *extensions;
172	} TS_TST_INFO;
173
174	/*
175	PKIStatusInfo ::= SEQUENCE {
176	status PKIStatus,
177	statusString PKIFreeText OPTIONAL,
178	failInfo PKIFailureInfo OPTIONAL }
179
180	From RFC 1510 - section 3.1.1:
181	PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
182	-- text encoded as UTF-8 String (note: each UTF8String SHOULD
183	-- include an RFC 1766 language tag to indicate the language
184	-- of the contained text)
185	*/
186
187	/* Possible values for status. See ts_rsp_print.c && ts_rsp_verify.c. */
188		100
		101	/* Possible values for status. */
189	#define TS_STATUS_GRANTED 0	102	#define TS_STATUS_GRANTED 0
190	#define TS_STATUS_GRANTED_WITH_MODS 1	103	#define TS_STATUS_GRANTED_WITH_MODS 1
191	#define TS_STATUS_REJECTION 2	104	#define TS_STATUS_REJECTION 2
@@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
193	#define TS_STATUS_REVOCATION_WARNING 4	106	#define TS_STATUS_REVOCATION_WARNING 4
194	#define TS_STATUS_REVOCATION_NOTIFICATION 5	107	#define TS_STATUS_REVOCATION_NOTIFICATION 5
195		108
196	/* Possible values for failure_info. See ts_rsp_print.c && ts_rsp_verify.c */	109	/* Possible values for failure_info. */
197
198	#define TS_INFO_BAD_ALG 0	110	#define TS_INFO_BAD_ALG 0
199	#define TS_INFO_BAD_REQUEST 2	111	#define TS_INFO_BAD_REQUEST 2
200	#define TS_INFO_BAD_DATA_FORMAT 5	112	#define TS_INFO_BAD_DATA_FORMAT 5
@@ -204,72 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
204	#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17	116	#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
205	#define TS_INFO_SYSTEM_FAILURE 25	117	#define TS_INFO_SYSTEM_FAILURE 25
206		118
207	typedef struct TS_status_info_st {	119	typedef struct TS_status_info_st TS_STATUS_INFO;
208	ASN1_INTEGER *status;
209	STACK_OF(ASN1_UTF8STRING) *text;
210	ASN1_BIT_STRING *failure_info;
211	} TS_STATUS_INFO;
212		120
213	DECLARE_STACK_OF(ASN1_UTF8STRING)	121	DECLARE_STACK_OF(ASN1_UTF8STRING)
214		122
215	/*	123	typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
216	TimeStampResp ::= SEQUENCE {	124	typedef struct ESS_cert_id ESS_CERT_ID;
217	status PKIStatusInfo,
218	timeStampToken TimeStampToken OPTIONAL }
219	*/
220
221	typedef struct TS_resp_st {
222	TS_STATUS_INFO *status_info;
223	PKCS7 *token;
224	TS_TST_INFO *tst_info;
225	} TS_RESP;
226
227	/* The structure below would belong to the ESS component. */
228
229	/*
230	IssuerSerial ::= SEQUENCE {
231	issuer GeneralNames,
232	serialNumber CertificateSerialNumber
233	}
234	*/
235
236	typedef struct ESS_issuer_serial {
237	STACK_OF(GENERAL_NAME) *issuer;
238	ASN1_INTEGER *serial;
239	} ESS_ISSUER_SERIAL;
240
241	/*
242	ESSCertID ::= SEQUENCE {
243	certHash Hash,
244	issuerSerial IssuerSerial OPTIONAL
245	}
246	*/
247
248	typedef struct ESS_cert_id {
249	ASN1_OCTET_STRING hash; / Always SHA-1 digest. */
250	ESS_ISSUER_SERIAL *issuer_serial;
251	} ESS_CERT_ID;
252
253	DECLARE_STACK_OF(ESS_CERT_ID)	125	DECLARE_STACK_OF(ESS_CERT_ID)
		126	typedef struct ESS_signing_cert ESS_SIGNING_CERT;
254		127
255	/*
256	SigningCertificate ::= SEQUENCE {
257	certs SEQUENCE OF ESSCertID,
258	policies SEQUENCE OF PolicyInformation OPTIONAL
259	}
260	*/
261
262	typedef struct ESS_signing_cert {
263	STACK_OF(ESS_CERT_ID) *cert_ids;
264	STACK_OF(POLICYINFO) *policy_info;
265	} ESS_SIGNING_CERT;
266
267	#ifdef LIBRESSL_INTERNAL
268	typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;	128	typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
269	DECLARE_STACK_OF(ESS_CERT_ID_V2)	129	DECLARE_STACK_OF(ESS_CERT_ID_V2)
270		130
271	typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;	131	typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
272	#endif /* LIBRESSL_INTERNAL */	132
		133	typedef struct TS_resp_st TS_RESP;
273		134
274	TS_REQ *TS_REQ_new(void);	135	TS_REQ *TS_REQ_new(void);
275	void TS_REQ_free(TS_REQ *a);	136	void TS_REQ_free(TS_REQ *a);
@@ -398,13 +259,11 @@ int TS_REQ_print_bio(BIO bio, TS_REQ a);
398	int TS_RESP_set_status_info(TS_RESP a, TS_STATUS_INFO info);	259	int TS_RESP_set_status_info(TS_RESP a, TS_STATUS_INFO info);
399	TS_STATUS_INFO TS_RESP_get_status_info(TS_RESP a);	260	TS_STATUS_INFO TS_RESP_get_status_info(TS_RESP a);
400		261
401	#if defined(LIBRESSL_INTERNAL)
402	const ASN1_UTF8STRING TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO si);	262	const ASN1_UTF8STRING TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO si);
403	const STACK_OF(ASN1_UTF8STRING) *	263	const STACK_OF(ASN1_UTF8STRING) *
404	TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);	264	TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
405	const ASN1_INTEGER TS_STATUS_INFO_get0_status(const TS_STATUS_INFO si);	265	const ASN1_INTEGER TS_STATUS_INFO_get0_status(const TS_STATUS_INFO si);
406	int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);	266	int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
407	#endif
408		267
409	/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */	268	/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
410	void TS_RESP_set_tst_info(TS_RESP a, PKCS7 p7, TS_TST_INFO *tst_info);	269	void TS_RESP_set_tst_info(TS_RESP a, PKCS7 p7, TS_TST_INFO *tst_info);
@@ -494,35 +353,7 @@ typedef int (TS_time_cb)(struct TS_resp_ctx , void , time_t sec, long *usec)
494	*/	353	*/
495	typedef int (TS_extension_cb)(struct TS_resp_ctx , X509_EXTENSION , void );	354	typedef int (TS_extension_cb)(struct TS_resp_ctx , X509_EXTENSION , void );
496		355
497	typedef struct TS_resp_ctx {	356	typedef struct TS_resp_ctx TS_RESP_CTX;
498	X509 *signer_cert;
499	EVP_PKEY *signer_key;
500	STACK_OF(X509) certs; / Certs to include in signed data. */
501	STACK_OF(ASN1_OBJECT) policies; / Acceptable policies. */
502	ASN1_OBJECT default_policy; / It may appear in policies, too. */
503	STACK_OF(EVP_MD) mds; / Acceptable message digests. */
504	ASN1_INTEGER seconds; / accuracy, 0 means not specified. */
505	ASN1_INTEGER millis; / accuracy, 0 means not specified. */
506	ASN1_INTEGER micros; / accuracy, 0 means not specified. */
507	unsigned clock_precision_digits; /* fraction of seconds in
508	time stamp token. */
509	unsigned flags; /* Optional info, see values above. */
510
511	/* Callback functions. */
512	TS_serial_cb serial_cb;
513	void serial_cb_data; / User data for serial_cb. */
514
515	TS_time_cb time_cb;
516	void time_cb_data; / User data for time_cb. */
517
518	TS_extension_cb extension_cb;
519	void extension_cb_data; / User data for extension_cb. */
520
521	/* These members are used only while creating the response. */
522	TS_REQ *request;
523	TS_RESP *response;
524	TS_TST_INFO *tst_info;
525	} TS_RESP_CTX;
526		357
527	DECLARE_STACK_OF(EVP_MD)	358	DECLARE_STACK_OF(EVP_MD)
528		359
@@ -567,10 +398,8 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
567	/* Default callback always returns a constant. */	398	/* Default callback always returns a constant. */
568	void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX ctx, TS_serial_cb cb, void data);	399	void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX ctx, TS_serial_cb cb, void data);
569		400
570	#if defined(LIBRESSL_INTERNAL)
571	/* Default callback uses gettimeofday() and gmtime(). */	401	/* Default callback uses gettimeofday() and gmtime(). */
572	void TS_RESP_CTX_set_time_cb(TS_RESP_CTX ctx, TS_time_cb cb, void data);	402	void TS_RESP_CTX_set_time_cb(TS_RESP_CTX ctx, TS_time_cb cb, void data);
573	#endif
574		403
575	/* Default callback rejects all extensions. The extension callback is called	404	/* Default callback rejects all extensions. The extension callback is called
576	* when the TS_TST_INFO object is already set up and not signed yet. */	405	* when the TS_TST_INFO object is already set up and not signed yet. */
@@ -646,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 token, STACK_OF(X509) certs,
646	\| TS_VFY_SIGNER \	475	\| TS_VFY_SIGNER \
647	\| TS_VFY_TSA_NAME)	476	\| TS_VFY_TSA_NAME)
648		477
649	typedef struct TS_verify_ctx {	478	typedef struct TS_verify_ctx TS_VERIFY_CTX;
650	/* Set this to the union of TS_VFY_... flags you want to carry out. */
651	unsigned flags;
652
653	/* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
654	X509_STORE *store;
655	STACK_OF(X509) *certs;
656
657	/* Must be set only with TS_VFY_POLICY. */
658	ASN1_OBJECT *policy;
659
660	/* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
661	the algorithm from the response is used. */
662	X509_ALGOR *md_alg;
663	unsigned char *imprint;
664	unsigned imprint_len;
665
666	/* Must be set only with TS_VFY_DATA. */
667	BIO *data;
668
669	/* Must be set only with TS_VFY_TSA_NAME. */
670	ASN1_INTEGER *nonce;
671
672	/* Must be set only with TS_VFY_TSA_NAME. */
673	GENERAL_NAME *tsa_name;
674	} TS_VERIFY_CTX;
675		479
676	int TS_RESP_verify_response(TS_VERIFY_CTX ctx, TS_RESP response);	480	int TS_RESP_verify_response(TS_VERIFY_CTX ctx, TS_RESP response);
677	int TS_RESP_verify_token(TS_VERIFY_CTX ctx, PKCS7 token);	481	int TS_RESP_verify_token(TS_VERIFY_CTX ctx, PKCS7 token);
@@ -687,7 +491,6 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
687	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);	491	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
688	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);	492	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
689		493
690	#if defined(LIBRESSL_INTERNAL)
691	int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);	494	int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
692	int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);	495	int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
693	BIO TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO *bio);	496	BIO TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO *bio);
@@ -698,7 +501,6 @@ STACK_OF(X509) TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX ctx,
698	STACK_OF(X509) *certs);	501	STACK_OF(X509) *certs);
699	unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,	502	unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,
700	unsigned char *imprint, long imprint_len);	503	unsigned char *imprint, long imprint_len);
701	#endif
702		504
703	/*	505	/*
704	* If ctx is NULL, it allocates and returns a new object, otherwise	506	* If ctx is NULL, it allocates and returns a new object, otherwise
@@ -712,7 +514,7 @@ unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,
712	* imprint, imprint_len = imprint from request	514	* imprint, imprint_len = imprint from request
713	* data = NULL	515	* data = NULL
714	* nonce, nonce_len = nonce from the request or NULL if absent (in this case	516	* nonce, nonce_len = nonce from the request or NULL if absent (in this case
715	* TS_VFY_NONCE is cleared from flags as well)	517	* TS_VFY_NONCE is cleared from flags as well)
716	* tsa_name = NULL	518	* tsa_name = NULL
717	* Important: after calling this method TS_VFY_SIGNATURE should be added!	519	* Important: after calling this method TS_VFY_SIGNATURE should be added!
718	*/	520	*/


diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h index 01d26de127..cf1e9e0589 100644 --- a/src/lib/libcrypto/ts/ts_local.h +++ b/src/lib/libcrypto/ts/ts_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */	1	/* $OpenBSD: ts_local.h,v 1.2 2022/09/11 17:31:19 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -62,6 +62,153 @@
62	__BEGIN_HIDDEN_DECLS	62	__BEGIN_HIDDEN_DECLS
63		63
64	/*	64	/*
		65	* MessageImprint ::= SEQUENCE {
		66	* hashAlgorithm AlgorithmIdentifier,
		67	* hashedMessage OCTET STRING }
		68	*/
		69
		70	struct TS_msg_imprint_st {
		71	X509_ALGOR *hash_algo;
		72	ASN1_OCTET_STRING *hashed_msg;
		73	};
		74
		75	/*
		76	* TimeStampReq ::= SEQUENCE {
		77	* version INTEGER { v1(1) },
		78	* messageImprint MessageImprint,
		79	* --a hash algorithm OID and the hash value of the data to be
		80	* --time-stamped
		81	* reqPolicy TSAPolicyId OPTIONAL,
		82	* nonce INTEGER OPTIONAL,
		83	* certReq BOOLEAN DEFAULT FALSE,
		84	* extensions [0] IMPLICIT Extensions OPTIONAL }
		85	*/
		86
		87	struct TS_req_st {
		88	ASN1_INTEGER *version;
		89	TS_MSG_IMPRINT *msg_imprint;
		90	ASN1_OBJECT policy_id; / OPTIONAL */
		91	ASN1_INTEGER nonce; / OPTIONAL */
		92	ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
		93	STACK_OF(X509_EXTENSION) extensions; / [0] OPTIONAL */
		94	};
		95
		96	/*
		97	* Accuracy ::= SEQUENCE {
		98	* seconds INTEGER OPTIONAL,
		99	* millis [0] INTEGER (1..999) OPTIONAL,
		100	* micros [1] INTEGER (1..999) OPTIONAL }
		101	*/
		102
		103	struct TS_accuracy_st {
		104	ASN1_INTEGER *seconds;
		105	ASN1_INTEGER *millis;
		106	ASN1_INTEGER *micros;
		107	};
		108
		109	/*
		110	* TSTInfo ::= SEQUENCE {
		111	* version INTEGER { v1(1) },
		112	* policy TSAPolicyId,
		113	* messageImprint MessageImprint,
		114	* -- MUST have the same value as the similar field in
		115	* -- TimeStampReq
		116	* serialNumber INTEGER,
		117	* -- Time-Stamping users MUST be ready to accommodate integers
		118	* -- up to 160 bits.
		119	* genTime GeneralizedTime,
		120	* accuracy Accuracy OPTIONAL,
		121	* ordering BOOLEAN DEFAULT FALSE,
		122	* nonce INTEGER OPTIONAL,
		123	* -- MUST be present if the similar field was present
		124	* -- in TimeStampReq. In that case it MUST have the same value.
		125	* tsa [0] GeneralName OPTIONAL,
		126	* extensions [1] IMPLICIT Extensions OPTIONAL }
		127	*/
		128
		129	struct TS_tst_info_st {
		130	ASN1_INTEGER *version;
		131	ASN1_OBJECT *policy_id;
		132	TS_MSG_IMPRINT *msg_imprint;
		133	ASN1_INTEGER *serial;
		134	ASN1_GENERALIZEDTIME *time;
		135	TS_ACCURACY *accuracy;
		136	ASN1_BOOLEAN ordering;
		137	ASN1_INTEGER *nonce;
		138	GENERAL_NAME *tsa;
		139	STACK_OF(X509_EXTENSION) *extensions;
		140	};
		141
		142	/*
		143	* PKIStatusInfo ::= SEQUENCE {
		144	* status PKIStatus,
		145	* statusString PKIFreeText OPTIONAL,
		146	* failInfo PKIFailureInfo OPTIONAL }
		147	*
		148	* From RFC 1510 - section 3.1.1:
		149	* PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
		150	* -- text encoded as UTF-8 String (note: each UTF8String SHOULD
		151	* -- include an RFC 1766 language tag to indicate the language
		152	* -- of the contained text)
		153	*/
		154
		155	struct TS_status_info_st {
		156	ASN1_INTEGER *status;
		157	STACK_OF(ASN1_UTF8STRING) *text;
		158	ASN1_BIT_STRING *failure_info;
		159	};
		160
		161	/*
		162	* TimeStampResp ::= SEQUENCE {
		163	* status PKIStatusInfo,
		164	* timeStampToken TimeStampToken OPTIONAL }
		165	*/
		166
		167	struct TS_resp_st {
		168	TS_STATUS_INFO *status_info;
		169	PKCS7 *token;
		170	TS_TST_INFO *tst_info;
		171	};
		172
		173	/* The structure below would belong to the ESS component. */
		174
		175	/*
		176	* IssuerSerial ::= SEQUENCE {
		177	* issuer GeneralNames,
		178	* serialNumber CertificateSerialNumber
		179	* }
		180	*/
		181
		182	struct ESS_issuer_serial {
		183	STACK_OF(GENERAL_NAME) *issuer;
		184	ASN1_INTEGER *serial;
		185	};
		186
		187	/*
		188	* ESSCertID ::= SEQUENCE {
		189	* certHash Hash,
		190	* issuerSerial IssuerSerial OPTIONAL
		191	* }
		192	*/
		193
		194	struct ESS_cert_id {
		195	ASN1_OCTET_STRING hash; / Always SHA-1 digest. */
		196	ESS_ISSUER_SERIAL *issuer_serial;
		197	};
		198
		199	/*
		200	* SigningCertificate ::= SEQUENCE {
		201	* certs SEQUENCE OF ESSCertID,
		202	* policies SEQUENCE OF PolicyInformation OPTIONAL
		203	* }
		204	*/
		205
		206	struct ESS_signing_cert {
		207	STACK_OF(ESS_CERT_ID) *cert_ids;
		208	STACK_OF(POLICYINFO) *policy_info;
		209	};
		210
		211	/*
65	* ESSCertIDv2 ::= SEQUENCE {	212	* ESSCertIDv2 ::= SEQUENCE {
66	* hashAlgorithm AlgorithmIdentifier	213	* hashAlgorithm AlgorithmIdentifier
67	* DEFAULT {algorithm id-sha256},	214	* DEFAULT {algorithm id-sha256},
@@ -86,6 +233,65 @@ struct ESS_signing_cert_v2 {
86	STACK_OF(POLICYINFO) *policy_info;	233	STACK_OF(POLICYINFO) *policy_info;
87	};	234	};
88		235
		236	struct TS_resp_ctx {
		237	X509 *signer_cert;
		238	EVP_PKEY *signer_key;
		239	STACK_OF(X509) certs; / Certs to include in signed data. */
		240	STACK_OF(ASN1_OBJECT) policies; / Acceptable policies. */
		241	ASN1_OBJECT default_policy; / It may appear in policies, too. */
		242	STACK_OF(EVP_MD) mds; / Acceptable message digests. */
		243	ASN1_INTEGER seconds; / accuracy, 0 means not specified. */
		244	ASN1_INTEGER millis; / accuracy, 0 means not specified. */
		245	ASN1_INTEGER micros; / accuracy, 0 means not specified. */
		246	unsigned clock_precision_digits; /* fraction of seconds in
		247	time stamp token. */
		248	unsigned flags; /* Optional info, see values above. */
		249
		250	/* Callback functions. */
		251	TS_serial_cb serial_cb;
		252	void serial_cb_data; / User data for serial_cb. */
		253
		254	TS_time_cb time_cb;
		255	void time_cb_data; / User data for time_cb. */
		256
		257	TS_extension_cb extension_cb;
		258	void extension_cb_data; / User data for extension_cb. */
		259
		260	/* These members are used only while creating the response. */
		261	TS_REQ *request;
		262	TS_RESP *response;
		263	TS_TST_INFO *tst_info;
		264	};
		265
		266	/* Context structure for the generic verify method. */
		267
		268	struct TS_verify_ctx {
		269	/* Set this to the union of TS_VFY_... flags you want to carry out. */
		270	unsigned flags;
		271
		272	/* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
		273	X509_STORE *store;
		274	STACK_OF(X509) *certs;
		275
		276	/* Must be set only with TS_VFY_POLICY. */
		277	ASN1_OBJECT *policy;
		278
		279	/* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
		280	the algorithm from the response is used. */
		281	X509_ALGOR *md_alg;
		282	unsigned char *imprint;
		283	unsigned imprint_len;
		284
		285	/* Must be set only with TS_VFY_DATA. */
		286	BIO *data;
		287
		288	/* Must be set only with TS_VFY_TSA_NAME. */
		289	ASN1_INTEGER *nonce;
		290
		291	/* Must be set only with TS_VFY_TSA_NAME. */
		292	GENERAL_NAME *tsa_name;
		293	};
		294
89	/*	295	/*
90	* Public OpenSSL API that we do not currently want to expose.	296	* Public OpenSSL API that we do not currently want to expose.
91	*/	297	*/