3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
6 /* ====================================================================
7 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 #include <openssl/asn1.h>
60 #include <openssl/asn1t.h>
61 #include <openssl/x509v3.h>
64 Example of new ASN1 code, OCSP request
66 OCSPRequest ::= SEQUENCE {
67 tbsRequest TBSRequest,
68 optionalSignature [0] EXPLICIT Signature OPTIONAL }
70 TBSRequest ::= SEQUENCE {
71 version [0] EXPLICIT Version DEFAULT v1,
72 requestorName [1] EXPLICIT GeneralName OPTIONAL,
73 requestList SEQUENCE OF Request,
74 requestExtensions [2] EXPLICIT Extensions OPTIONAL }
76 Signature ::= SEQUENCE {
77 signatureAlgorithm AlgorithmIdentifier,
79 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
81 Version ::= INTEGER { v1(0) }
83 Request ::= SEQUENCE {
85 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
88 hashAlgorithm AlgorithmIdentifier,
89 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
90 issuerKeyHash OCTET STRING, -- Hash of Issuers public key
91 serialNumber CertificateSerialNumber }
93 OCSPResponse ::= SEQUENCE {
94 responseStatus OCSPResponseStatus,
95 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
97 OCSPResponseStatus ::= ENUMERATED {
98 successful (0), --Response has valid confirmations
99 malformedRequest (1), --Illegal confirmation request
100 internalError (2), --Internal error in issuer
101 tryLater (3), --Try again later
103 sigRequired (5), --Must sign the request
104 unauthorized (6) --Request unauthorized
107 ResponseBytes ::= SEQUENCE {
108 responseType OBJECT IDENTIFIER,
109 response OCTET STRING }
111 BasicOCSPResponse ::= SEQUENCE {
112 tbsResponseData ResponseData,
113 signatureAlgorithm AlgorithmIdentifier,
114 signature BIT STRING,
115 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
117 ResponseData ::= SEQUENCE {
118 version [0] EXPLICIT Version DEFAULT v1,
119 responderID ResponderID,
120 producedAt GeneralizedTime,
121 responses SEQUENCE OF SingleResponse,
122 responseExtensions [1] EXPLICIT Extensions OPTIONAL }
124 ResponderID ::= CHOICE {
125 byName [1] Name, --EXPLICIT
128 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
129 --(excluding the tag and length fields)
131 SingleResponse ::= SEQUENCE {
133 certStatus CertStatus,
134 thisUpdate GeneralizedTime,
135 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
136 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
138 CertStatus ::= CHOICE {
139 good [0] IMPLICIT NULL,
140 revoked [1] IMPLICIT RevokedInfo,
141 unknown [2] IMPLICIT UnknownInfo }
143 RevokedInfo ::= SEQUENCE {
144 revocationTime GeneralizedTime,
145 revocationReason [0] EXPLICIT CRLReason OPTIONAL }
147 UnknownInfo ::= NULL -- this can be replaced with an enumeration
149 ArchiveCutoff ::= GeneralizedTime
151 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
153 ServiceLocator ::= SEQUENCE {
155 locator AuthorityInfoAccessSyntax }
157 -- Object Identifiers
159 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
160 id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
161 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
162 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
163 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
164 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
165 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
166 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
167 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
171 /* Request Structures */
173 DECLARE_STACK_OF(Request)
176 ASN1_INTEGER *version;
177 GENERAL_NAME *requestorName;
178 STACK_OF(Request) *requestList;
179 STACK_OF(X509_EXTENSION) *requestExtensions;
183 X509_ALGOR *signatureAlgorithm;
184 ASN1_BIT_STRING *signature;
185 STACK_OF(X509) *certs;
189 TBSRequest *tbsRequest;
190 Signature *optionalSignature;
194 X509_ALGOR *hashAlgorithm;
195 ASN1_OCTET_STRING *issuerNameHash;
196 ASN1_OCTET_STRING *issuerKeyHash;
197 ASN1_INTEGER *certificateSerialNumber;
202 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
205 /* Response structures */
208 ASN1_OBJECT *responseType;
209 ASN1_OCTET_STRING *response;
213 ASN1_ENUMERATED *responseStatus;
214 ResponseBytes *responseBytes;
221 ASN1_OCTET_STRING *byKey;
226 ASN1_INTEGER *version;
227 ResponderID *responderID;
228 ASN1_GENERALIZEDTIME *producedAt;
229 STACK_OF(SingleResponse) *responses;
230 STACK_OF(X509_EXTENSION) *responseExtensions;
234 ResponseData *tbsResponseData;
235 X509_ALGOR *signatureAlgorithm;
236 ASN1_BIT_STRING *signature;
237 STACK_OF(X509) *certs;
241 ASN1_GENERALIZEDTIME *revocationTime;
242 ASN1_ENUMERATED *revocationReason;
249 RevokedInfo *revoked;
256 CertStatus *certStatus;
257 ASN1_GENERALIZEDTIME *thisUpdate;
258 ASN1_GENERALIZEDTIME *nextUpdate;
259 STACK_OF(X509_EXTENSION) *singleExtensions;
264 STACK_OF(ACCESS_DESCRIPTION) *locator;
267 /* Now the ASN1 templates */
269 IMPLEMENT_COMPAT_ASN1(X509);
270 IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
271 // IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
272 IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
273 IMPLEMENT_COMPAT_ASN1(X509_NAME);
275 ASN1_SEQUENCE(X509_EXTENSION) = {
276 ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
277 ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
278 ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
279 } ASN1_SEQUENCE_END(X509_EXTENSION);
282 ASN1_SEQUENCE(Signature) = {
283 ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
284 ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
285 ASN1_SEQUENCE_OF(Signature, certs, X509)
286 } ASN1_SEQUENCE_END(Signature);
288 ASN1_SEQUENCE(CertID) = {
289 ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
290 ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
291 ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
292 ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
293 } ASN1_SEQUENCE_END(CertID);
295 ASN1_SEQUENCE(Request) = {
296 ASN1_SIMPLE(Request, reqCert, CertID),
297 ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
298 } ASN1_SEQUENCE_END(Request);
300 ASN1_SEQUENCE(TBSRequest) = {
301 ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
302 ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
303 ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
304 ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
305 } ASN1_SEQUENCE_END(TBSRequest);
307 ASN1_SEQUENCE(OCSPRequest) = {
308 ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
309 ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
310 } ASN1_SEQUENCE_END(OCSPRequest);
312 /* Response templates */
314 ASN1_SEQUENCE(ResponseBytes) = {
315 ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
316 ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
317 } ASN1_SEQUENCE_END(ResponseBytes);
319 ASN1_SEQUENCE(OCSPResponse) = {
320 ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
321 ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
322 } ASN1_SEQUENCE_END(OCSPResponse);
324 ASN1_CHOICE(ResponderID) = {
325 ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
326 ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
327 } ASN1_CHOICE_END(ResponderID);
329 ASN1_SEQUENCE(RevokedInfo) = {
330 ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
331 ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
332 } ASN1_SEQUENCE_END(RevokedInfo);
334 ASN1_CHOICE(CertStatus) = {
335 ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
336 ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
337 ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
338 } ASN1_CHOICE_END(CertStatus);
340 ASN1_SEQUENCE(SingleResponse) = {
341 ASN1_SIMPLE(SingleResponse, certID, CertID),
342 ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
343 ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
344 ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
345 ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
346 } ASN1_SEQUENCE_END(SingleResponse);
348 ASN1_SEQUENCE(ResponseData) = {
349 ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
350 ASN1_SIMPLE(ResponseData, responderID, ResponderID),
351 ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
352 ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
353 ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
354 } ASN1_SEQUENCE_END(ResponseData);
356 ASN1_SEQUENCE(BasicOCSPResponse) = {
357 ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
358 ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
359 ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
360 ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
361 } ASN1_SEQUENCE_END(BasicOCSPResponse);