1 files changed, 207 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h
index 01d26de127..cf1e9e0589 100644
--- a/src/lib/libcrypto/ts/ts_local.h
+++ b/src/lib/libcrypto/ts/ts_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */
+/* $OpenBSD: ts_local.h,v 1.2 2022/09/11 17:31:19 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -62,6 +62,153 @@
 __BEGIN_HIDDEN_DECLS
 /*
+ * MessageImprint ::= SEQUENCE  {
+ *      hashAlgorithm                AlgorithmIdentifier,
+ *      hashedMessage                OCTET STRING  }
+ */
+struct TS_msg_imprint_st {
+        X509_ALGOR *hash_algo;
+        ASN1_OCTET_STRING *hashed_msg;
+};
+/*
+ * TimeStampReq ::= SEQUENCE  {
+ *    version                  INTEGER  { v1(1) },
+ *    messageImprint           MessageImprint,
+ *      --a hash algorithm OID and the hash value of the data to be
+ *      --time-stamped
+ *    reqPolicy                TSAPolicyId                OPTIONAL,
+ *    nonce                    INTEGER                    OPTIONAL,
+ *    certReq                  BOOLEAN                    DEFAULT FALSE,
+ *    extensions               [0] IMPLICIT Extensions    OPTIONAL  }
+ */
+struct TS_req_st {
+        ASN1_INTEGER *version;
+        TS_MSG_IMPRINT *msg_imprint;
+        ASN1_OBJECT *policy_id;         /* OPTIONAL */
+        ASN1_INTEGER *nonce;            /* OPTIONAL */
+        ASN1_BOOLEAN cert_req;          /* DEFAULT FALSE */
+        STACK_OF(X509_EXTENSION) *extensions;   /* [0] OPTIONAL */
+};
+/*
+ * Accuracy ::= SEQUENCE {
+ *                 seconds        INTEGER           OPTIONAL,
+ *                 millis     [0] INTEGER  (1..999) OPTIONAL,
+ *                 micros     [1] INTEGER  (1..999) OPTIONAL  }
+ */
+struct TS_accuracy_st {
+        ASN1_INTEGER *seconds;
+        ASN1_INTEGER *millis;
+        ASN1_INTEGER *micros;
+};
+/*
+ * TSTInfo ::= SEQUENCE  {
+ *     version                      INTEGER  { v1(1) },
+ *     policy                       TSAPolicyId,
+ *     messageImprint               MessageImprint,
+ *       -- MUST have the same value as the similar field in
+ *       -- TimeStampReq
+ *     serialNumber                 INTEGER,
+ *      -- Time-Stamping users MUST be ready to accommodate integers
+ *      -- up to 160 bits.
+ *     genTime                      GeneralizedTime,
+ *     accuracy                     Accuracy                 OPTIONAL,
+ *     ordering                     BOOLEAN             DEFAULT FALSE,
+ *     nonce                        INTEGER                  OPTIONAL,
+ *       -- MUST be present if the similar field was present
+ *       -- in TimeStampReq.  In that case it MUST have the same value.
+ *     tsa                          [0] GeneralName          OPTIONAL,
+ *     extensions                   [1] IMPLICIT Extensions  OPTIONAL   }
+ */
+struct TS_tst_info_st {
+        ASN1_INTEGER *version;
+        ASN1_OBJECT *policy_id;
+        TS_MSG_IMPRINT *msg_imprint;
+        ASN1_INTEGER *serial;
+        ASN1_GENERALIZEDTIME *time;
+        TS_ACCURACY *accuracy;
+        ASN1_BOOLEAN ordering;
+        ASN1_INTEGER *nonce;
+        GENERAL_NAME *tsa;
+        STACK_OF(X509_EXTENSION) *extensions;
+};
+/*
+ * PKIStatusInfo ::= SEQUENCE {
+ *     status        PKIStatus,
+ *     statusString  PKIFreeText     OPTIONAL,
+ *     failInfo      PKIFailureInfo  OPTIONAL  }
+ *
+ * From RFC 1510 - section 3.1.1:
+ * PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
+ *      -- text encoded as UTF-8 String (note:  each UTF8String SHOULD
+ *      -- include an RFC 1766 language tag to indicate the language
+ *      -- of the contained text)
+ */
+struct TS_status_info_st {
+        ASN1_INTEGER *status;
+        STACK_OF(ASN1_UTF8STRING) *text;
+        ASN1_BIT_STRING *failure_info;
+};
+/*
+ * TimeStampResp ::= SEQUENCE  {
+ *      status                  PKIStatusInfo,
+ *      timeStampToken          TimeStampToken     OPTIONAL }
+ */
+struct TS_resp_st {
+        TS_STATUS_INFO *status_info;
+        PKCS7 *token;
+        TS_TST_INFO *tst_info;
+};
+/* The structure below would belong to the ESS component. */
+/*
+ * IssuerSerial ::= SEQUENCE {
+ *      issuer                   GeneralNames,
+ *      serialNumber             CertificateSerialNumber
+ *      }
+ */
+struct ESS_issuer_serial {
+        STACK_OF(GENERAL_NAME)  *issuer;
+        ASN1_INTEGER            *serial;
+};
+/*
+ * ESSCertID ::=  SEQUENCE {
+ *      certHash                 Hash,
+ *      issuerSerial             IssuerSerial OPTIONAL
+ * }
+ */
+struct ESS_cert_id {
+        ASN1_OCTET_STRING *hash;        /* Always SHA-1 digest. */
+        ESS_ISSUER_SERIAL *issuer_serial;
+};
+/*
+ * SigningCertificate ::=  SEQUENCE {
+ *        certs        SEQUENCE OF ESSCertID,
+ *        policies     SEQUENCE OF PolicyInformation OPTIONAL
+ * }
+ */
+struct ESS_signing_cert {
+        STACK_OF(ESS_CERT_ID) *cert_ids;
+        STACK_OF(POLICYINFO) *policy_info;
+};
+/*
 * ESSCertIDv2 ::=  SEQUENCE {
 *     hashAlgorithm           AlgorithmIdentifier
 *            DEFAULT {algorithm id-sha256},
@@ -86,6 +233,65 @@ struct ESS_signing_cert_v2 {
        STACK_OF(POLICYINFO) *policy_info;
 };
+struct TS_resp_ctx {
+        X509            *signer_cert;
+        EVP_PKEY        *signer_key;
+        STACK_OF(X509)  *certs; /* Certs to include in signed data. */
+        STACK_OF(ASN1_OBJECT)   *policies;      /* Acceptable policies. */
+        ASN1_OBJECT     *default_policy; /* It may appear in policies, too. */
+        STACK_OF(EVP_MD)        *mds;   /* Acceptable message digests. */
+        ASN1_INTEGER    *seconds;       /* accuracy, 0 means not specified. */
+        ASN1_INTEGER    *millis;        /* accuracy, 0 means not specified. */
+        ASN1_INTEGER    *micros;        /* accuracy, 0 means not specified. */
+        unsigned        clock_precision_digits; /* fraction of seconds in
+                                                   time stamp token. */
+        unsigned        flags;          /* Optional info, see values above. */
+        /* Callback functions. */
+        TS_serial_cb serial_cb;
+        void *serial_cb_data;   /* User data for serial_cb. */
+        TS_time_cb time_cb;
+        void *time_cb_data;     /* User data for time_cb. */
+        TS_extension_cb extension_cb;
+        void *extension_cb_data;        /* User data for extension_cb. */
+        /* These members are used only while creating the response. */
+        TS_REQ          *request;
+        TS_RESP         *response;
+        TS_TST_INFO     *tst_info;
+};
+/* Context structure for the generic verify method. */
+struct TS_verify_ctx {
+        /* Set this to the union of TS_VFY_... flags you want to carry out. */
+        unsigned        flags;
+        /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
+        X509_STORE      *store;
+        STACK_OF(X509)  *certs;
+        /* Must be set only with TS_VFY_POLICY. */
+        ASN1_OBJECT     *policy;
+        /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
+           the algorithm from the response is used. */
+        X509_ALGOR      *md_alg;
+        unsigned char   *imprint;
+        unsigned        imprint_len;
+        /* Must be set only with TS_VFY_DATA. */
+        BIO             *data;
+        /* Must be set only with TS_VFY_TSA_NAME. */
+        ASN1_INTEGER    *nonce;
+        /* Must be set only with TS_VFY_TSA_NAME. */
+        GENERAL_NAME    *tsa_name;
+};
 /*
 * Public OpenSSL API that we do not currently want to expose.
 */

diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h index 01d26de127..cf1e9e0589 100644 --- a/src/lib/libcrypto/ts/ts_local.h +++ b/src/lib/libcrypto/ts/ts_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_local.h,v 1.1 2022/07/24 08:16:47 tb Exp $ */	1	/* $OpenBSD: ts_local.h,v 1.2 2022/09/11 17:31:19 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -62,6 +62,153 @@
62	__BEGIN_HIDDEN_DECLS	62	__BEGIN_HIDDEN_DECLS
63		63
64	/*	64	/*
		65	* MessageImprint ::= SEQUENCE {
		66	* hashAlgorithm AlgorithmIdentifier,
		67	* hashedMessage OCTET STRING }
		68	*/
		69
		70	struct TS_msg_imprint_st {
		71	X509_ALGOR *hash_algo;
		72	ASN1_OCTET_STRING *hashed_msg;
		73	};
		74
		75	/*
		76	* TimeStampReq ::= SEQUENCE {
		77	* version INTEGER { v1(1) },
		78	* messageImprint MessageImprint,
		79	* --a hash algorithm OID and the hash value of the data to be
		80	* --time-stamped
		81	* reqPolicy TSAPolicyId OPTIONAL,
		82	* nonce INTEGER OPTIONAL,
		83	* certReq BOOLEAN DEFAULT FALSE,
		84	* extensions [0] IMPLICIT Extensions OPTIONAL }
		85	*/
		86
		87	struct TS_req_st {
		88	ASN1_INTEGER *version;
		89	TS_MSG_IMPRINT *msg_imprint;
		90	ASN1_OBJECT policy_id; / OPTIONAL */
		91	ASN1_INTEGER nonce; / OPTIONAL */
		92	ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
		93	STACK_OF(X509_EXTENSION) extensions; / [0] OPTIONAL */
		94	};
		95
		96	/*
		97	* Accuracy ::= SEQUENCE {
		98	* seconds INTEGER OPTIONAL,
		99	* millis [0] INTEGER (1..999) OPTIONAL,
		100	* micros [1] INTEGER (1..999) OPTIONAL }
		101	*/
		102
		103	struct TS_accuracy_st {
		104	ASN1_INTEGER *seconds;
		105	ASN1_INTEGER *millis;
		106	ASN1_INTEGER *micros;
		107	};
		108
		109	/*
		110	* TSTInfo ::= SEQUENCE {
		111	* version INTEGER { v1(1) },
		112	* policy TSAPolicyId,
		113	* messageImprint MessageImprint,
		114	* -- MUST have the same value as the similar field in
		115	* -- TimeStampReq
		116	* serialNumber INTEGER,
		117	* -- Time-Stamping users MUST be ready to accommodate integers
		118	* -- up to 160 bits.
		119	* genTime GeneralizedTime,
		120	* accuracy Accuracy OPTIONAL,
		121	* ordering BOOLEAN DEFAULT FALSE,
		122	* nonce INTEGER OPTIONAL,
		123	* -- MUST be present if the similar field was present
		124	* -- in TimeStampReq. In that case it MUST have the same value.
		125	* tsa [0] GeneralName OPTIONAL,
		126	* extensions [1] IMPLICIT Extensions OPTIONAL }
		127	*/
		128
		129	struct TS_tst_info_st {
		130	ASN1_INTEGER *version;
		131	ASN1_OBJECT *policy_id;
		132	TS_MSG_IMPRINT *msg_imprint;
		133	ASN1_INTEGER *serial;
		134	ASN1_GENERALIZEDTIME *time;
		135	TS_ACCURACY *accuracy;
		136	ASN1_BOOLEAN ordering;
		137	ASN1_INTEGER *nonce;
		138	GENERAL_NAME *tsa;
		139	STACK_OF(X509_EXTENSION) *extensions;
		140	};
		141
		142	/*
		143	* PKIStatusInfo ::= SEQUENCE {
		144	* status PKIStatus,
		145	* statusString PKIFreeText OPTIONAL,
		146	* failInfo PKIFailureInfo OPTIONAL }
		147	*
		148	* From RFC 1510 - section 3.1.1:
		149	* PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
		150	* -- text encoded as UTF-8 String (note: each UTF8String SHOULD
		151	* -- include an RFC 1766 language tag to indicate the language
		152	* -- of the contained text)
		153	*/
		154
		155	struct TS_status_info_st {
		156	ASN1_INTEGER *status;
		157	STACK_OF(ASN1_UTF8STRING) *text;
		158	ASN1_BIT_STRING *failure_info;
		159	};
		160
		161	/*
		162	* TimeStampResp ::= SEQUENCE {
		163	* status PKIStatusInfo,
		164	* timeStampToken TimeStampToken OPTIONAL }
		165	*/
		166
		167	struct TS_resp_st {
		168	TS_STATUS_INFO *status_info;
		169	PKCS7 *token;
		170	TS_TST_INFO *tst_info;
		171	};
		172
		173	/* The structure below would belong to the ESS component. */
		174
		175	/*
		176	* IssuerSerial ::= SEQUENCE {
		177	* issuer GeneralNames,
		178	* serialNumber CertificateSerialNumber
		179	* }
		180	*/
		181
		182	struct ESS_issuer_serial {
		183	STACK_OF(GENERAL_NAME) *issuer;
		184	ASN1_INTEGER *serial;
		185	};
		186
		187	/*
		188	* ESSCertID ::= SEQUENCE {
		189	* certHash Hash,
		190	* issuerSerial IssuerSerial OPTIONAL
		191	* }
		192	*/
		193
		194	struct ESS_cert_id {
		195	ASN1_OCTET_STRING hash; / Always SHA-1 digest. */
		196	ESS_ISSUER_SERIAL *issuer_serial;
		197	};
		198
		199	/*
		200	* SigningCertificate ::= SEQUENCE {
		201	* certs SEQUENCE OF ESSCertID,
		202	* policies SEQUENCE OF PolicyInformation OPTIONAL
		203	* }
		204	*/
		205
		206	struct ESS_signing_cert {
		207	STACK_OF(ESS_CERT_ID) *cert_ids;
		208	STACK_OF(POLICYINFO) *policy_info;
		209	};
		210
		211	/*
65	* ESSCertIDv2 ::= SEQUENCE {	212	* ESSCertIDv2 ::= SEQUENCE {
66	* hashAlgorithm AlgorithmIdentifier	213	* hashAlgorithm AlgorithmIdentifier
67	* DEFAULT {algorithm id-sha256},	214	* DEFAULT {algorithm id-sha256},
@@ -86,6 +233,65 @@ struct ESS_signing_cert_v2 {
86	STACK_OF(POLICYINFO) *policy_info;	233	STACK_OF(POLICYINFO) *policy_info;
87	};	234	};
88		235
		236	struct TS_resp_ctx {
		237	X509 *signer_cert;
		238	EVP_PKEY *signer_key;
		239	STACK_OF(X509) certs; / Certs to include in signed data. */
		240	STACK_OF(ASN1_OBJECT) policies; / Acceptable policies. */
		241	ASN1_OBJECT default_policy; / It may appear in policies, too. */
		242	STACK_OF(EVP_MD) mds; / Acceptable message digests. */
		243	ASN1_INTEGER seconds; / accuracy, 0 means not specified. */
		244	ASN1_INTEGER millis; / accuracy, 0 means not specified. */
		245	ASN1_INTEGER micros; / accuracy, 0 means not specified. */
		246	unsigned clock_precision_digits; /* fraction of seconds in
		247	time stamp token. */
		248	unsigned flags; /* Optional info, see values above. */
		249
		250	/* Callback functions. */
		251	TS_serial_cb serial_cb;
		252	void serial_cb_data; / User data for serial_cb. */
		253
		254	TS_time_cb time_cb;
		255	void time_cb_data; / User data for time_cb. */
		256
		257	TS_extension_cb extension_cb;
		258	void extension_cb_data; / User data for extension_cb. */
		259
		260	/* These members are used only while creating the response. */
		261	TS_REQ *request;
		262	TS_RESP *response;
		263	TS_TST_INFO *tst_info;
		264	};
		265
		266	/* Context structure for the generic verify method. */
		267
		268	struct TS_verify_ctx {
		269	/* Set this to the union of TS_VFY_... flags you want to carry out. */
		270	unsigned flags;
		271
		272	/* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
		273	X509_STORE *store;
		274	STACK_OF(X509) *certs;
		275
		276	/* Must be set only with TS_VFY_POLICY. */
		277	ASN1_OBJECT *policy;
		278
		279	/* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
		280	the algorithm from the response is used. */
		281	X509_ALGOR *md_alg;
		282	unsigned char *imprint;
		283	unsigned imprint_len;
		284
		285	/* Must be set only with TS_VFY_DATA. */
		286	BIO *data;
		287
		288	/* Must be set only with TS_VFY_TSA_NAME. */
		289	ASN1_INTEGER *nonce;
		290
		291	/* Must be set only with TS_VFY_TSA_NAME. */
		292	GENERAL_NAME *tsa_name;
		293	};
		294
89	/*	295	/*
90	* Public OpenSSL API that we do not currently want to expose.	296	* Public OpenSSL API that we do not currently want to expose.
91	*/	297	*/