[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Thu Mar 5 14:48:55 UTC 2015
The branch master has been updated
via 6ef869d7d0a9d2e7ea7908c0b5aab1cb451e00fa (commit)
from fd865cadcb603918bdcfcf44e487721c657a1117 (commit)
- Log -----------------------------------------------------------------
commit 6ef869d7d0a9d2e7ea7908c0b5aab1cb451e00fa
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Mar 5 13:41:11 2015 +0000
Make OCSP structures opaque.
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ocsp.c | 8 +-
crypto/ocsp/Makefile | 6 +-
crypto/ocsp/ocsp.h | 219 +++---------------------------
crypto/ocsp/ocsp_asn.c | 1 +
crypto/ocsp/ocsp_cl.c | 6 +
crypto/ocsp/ocsp_ext.c | 1 +
crypto/ocsp/ocsp_lcl.h | 273 ++++++++++++++++++++++++++++++++++++++
crypto/ocsp/ocsp_lib.c | 1 +
crypto/ocsp/ocsp_prn.c | 1 +
crypto/ocsp/ocsp_srv.c | 1 +
crypto/ocsp/ocsp_vfy.c | 1 +
crypto/{x509v3 => ocsp}/v3_ocsp.c | 4 +-
crypto/x509v3/Makefile | 18 +--
13 files changed, 316 insertions(+), 224 deletions(-)
create mode 100644 crypto/ocsp/ocsp_lcl.h
rename crypto/{x509v3 => ocsp}/v3_ocsp.c (99%)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index b0b3069..83a7175 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1110,8 +1110,12 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
- if (badsig)
- bs->signature->data[bs->signature->length - 1] ^= 0x1;
+ if (badsig) {
+ ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
+ unsigned char *sigptr;
+ sigptr = ASN1_STRING_data(sig);
+ sigptr[ASN1_STRING_length(sig) - 1] ^= 0x1;
+ }
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
diff --git a/crypto/ocsp/Makefile b/crypto/ocsp/Makefile
index 60c414c..f5b8445 100644
--- a/crypto/ocsp/Makefile
+++ b/crypto/ocsp/Makefile
@@ -18,15 +18,15 @@ APPS=
LIB=$(TOP)/libcrypto.a
LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
- ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c
+ ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c v3_ocsp.c
LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \
- ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o
+ ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o v3_ocsp.o
SRC= $(LIBSRC)
EXHEADER= ocsp.h
-HEADER= $(EXHEADER)
+HEADER= ocsp_lcl.h $(EXHEADER)
ALL= $(GENERAL) $(SRC) $(HEADER)
diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index ca2ee76..6999788 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -93,76 +93,19 @@ extern "C" {
# define OCSP_RESPID_KEY 0x400
# define OCSP_NOTIME 0x800
-/*- CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- * serialNumber CertificateSerialNumber }
- */
-typedef struct ocsp_cert_id_st {
- X509_ALGOR *hashAlgorithm;
- ASN1_OCTET_STRING *issuerNameHash;
- ASN1_OCTET_STRING *issuerKeyHash;
- ASN1_INTEGER *serialNumber;
-} OCSP_CERTID;
+typedef struct ocsp_cert_id_st OCSP_CERTID;
DECLARE_STACK_OF(OCSP_CERTID)
-/*- Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_one_request_st {
- OCSP_CERTID *reqCert;
- STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-} OCSP_ONEREQ;
+typedef struct ocsp_one_request_st OCSP_ONEREQ;
DECLARE_STACK_OF(OCSP_ONEREQ)
DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
-/*- TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_req_info_st {
- ASN1_INTEGER *version;
- GENERAL_NAME *requestorName;
- STACK_OF(OCSP_ONEREQ) *requestList;
- STACK_OF(X509_EXTENSION) *requestExtensions;
-} OCSP_REQINFO;
-
-/*- Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-typedef struct ocsp_signature_st {
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_SIGNATURE;
-
-/*- OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-typedef struct ocsp_request_st {
- OCSP_REQINFO *tbsRequest;
- OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-} OCSP_REQUEST;
-
-/*- OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6) --Request unauthorized
- * }
- */
+typedef struct ocsp_req_info_st OCSP_REQINFO;
+typedef struct ocsp_signature_st OCSP_SIGNATURE;
+typedef struct ocsp_request_st OCSP_REQUEST;
+
# define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
# define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
# define OCSP_RESPONSE_STATUS_INTERNALERROR 2
@@ -170,136 +113,29 @@ typedef struct ocsp_request_st {
# define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
# define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
-/*- ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-typedef struct ocsp_resp_bytes_st {
- ASN1_OBJECT *responseType;
- ASN1_OCTET_STRING *response;
-} OCSP_RESPBYTES;
-
-/*- OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
- ASN1_ENUMERATED *responseStatus;
- OCSP_RESPBYTES *responseBytes;
-};
-
-/*- ResponderID ::= CHOICE {
- * byName [1] Name,
- * byKey [2] KeyHash }
- */
+typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
+
# define V_OCSP_RESPID_NAME 0
# define V_OCSP_RESPID_KEY 1
-struct ocsp_responder_id_st {
- int type;
- union {
- X509_NAME *byName;
- ASN1_OCTET_STRING *byKey;
- } value;
-};
DECLARE_STACK_OF(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
- */
+typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
-/*- RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- */
-typedef struct ocsp_revoked_info_st {
- ASN1_GENERALIZEDTIME *revocationTime;
- ASN1_ENUMERATED *revocationReason;
-} OCSP_REVOKEDINFO;
-
-/*- CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- */
# define V_OCSP_CERTSTATUS_GOOD 0
# define V_OCSP_CERTSTATUS_REVOKED 1
# define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st {
- int type;
- union {
- ASN1_NULL *good;
- OCSP_REVOKEDINFO *revoked;
- ASN1_NULL *unknown;
- } value;
-} OCSP_CERTSTATUS;
-
-/*- SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_single_response_st {
- OCSP_CERTID *certId;
- OCSP_CERTSTATUS *certStatus;
- ASN1_GENERALIZEDTIME *thisUpdate;
- ASN1_GENERALIZEDTIME *nextUpdate;
- STACK_OF(X509_EXTENSION) *singleExtensions;
-} OCSP_SINGLERESP;
+
+typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
+typedef struct ocsp_single_response_st OCSP_SINGLERESP;
DECLARE_STACK_OF(OCSP_SINGLERESP)
DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
-/*- ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_response_data_st {
- ASN1_INTEGER *version;
- OCSP_RESPID *responderId;
- ASN1_GENERALIZEDTIME *producedAt;
- STACK_OF(OCSP_SINGLERESP) *responses;
- STACK_OF(X509_EXTENSION) *responseExtensions;
-} OCSP_RESPDATA;
-
-/*- BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
- /*
- * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
- * follows: "The value for the signature SHALL be computed on the hash of
- * the DER encoding ResponseData." This means that you must hash the
- * DER-encoded tbsResponseData, and then run it through a crypto-signing
- * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
- * operation. This seems a bit odd, but that's the spec. Also note that
- * the data structures do not leave anywhere to independently specify the
- * algorithm used for the initial hash. So, we look at the
- * signature-specification algorithm, and try to do something intelligent.
- * -- Kathy Weinhold, CertCo
- */
- /*
- * Note 2: It seems that the mentioned passage from RFC 2560 (section
- * 4.2.1) is open for interpretation. I've done tests against another
- * responder, and found that it doesn't do the double hashing that the RFC
- * seems to say one should. Therefore, all relevant functions take a flag
- * saying which variant should be used. -- Richard Levitte, OpenSSL team
- * and CeloCom
- */
-typedef struct ocsp_basic_response_st {
- OCSP_RESPDATA *tbsResponseData;
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
-} OCSP_BASICRESP;
+typedef struct ocsp_response_data_st OCSP_RESPDATA;
+
+typedef struct ocsp_basic_response_st OCSP_BASICRESP;
/*-
* CRLReason ::= ENUMERATED {
@@ -322,27 +158,8 @@ typedef struct ocsp_basic_response_st {
# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
# define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
-/*-
- * CrlID ::= SEQUENCE {
- * crlUrl [0] EXPLICIT IA5String OPTIONAL,
- * crlNum [1] EXPLICIT INTEGER OPTIONAL,
- * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
- */
-typedef struct ocsp_crl_id_st {
- ASN1_IA5STRING *crlUrl;
- ASN1_INTEGER *crlNum;
- ASN1_GENERALIZEDTIME *crlTime;
-} OCSP_CRLID;
-
-/*-
- * ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-typedef struct ocsp_service_locator_st {
- X509_NAME *issuer;
- STACK_OF(ACCESS_DESCRIPTION) *locator;
-} OCSP_SERVICELOC;
+typedef struct ocsp_crl_id_st OCSP_CRLID;
+typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
# define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
# define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
@@ -440,6 +257,8 @@ int OCSP_request_sign(OCSP_REQUEST *req,
int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
+ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs);
+
int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
diff --git a/crypto/ocsp/ocsp_asn.c b/crypto/ocsp/ocsp_asn.c
index e2e52e7..c3362f0 100644
--- a/crypto/ocsp/ocsp_asn.c
+++ b/crypto/ocsp/ocsp_asn.c
@@ -59,6 +59,7 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
ASN1_SEQUENCE(OCSP_SIGNATURE) = {
ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 7e6ccdd..78d817d 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -73,6 +73,7 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
/*
* Utility functions related to sending OCSP requests and extracting relevant
@@ -216,6 +217,11 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
}
+ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs)
+{
+ return bs->signature;
+}
+
/*
* Return number of OCSP_SINGLERESP reponses present in a basic response.
*/
diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c
index ce31b1b..04ae17f 100644
--- a/crypto/ocsp/ocsp_ext.c
+++ b/crypto/ocsp/ocsp_ext.c
@@ -69,6 +69,7 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
#include <openssl/rand.h>
#include <openssl/x509v3.h>
diff --git a/crypto/ocsp/ocsp_lcl.h b/crypto/ocsp/ocsp_lcl.h
new file mode 100644
index 0000000..86fb0b9
--- /dev/null
+++ b/crypto/ocsp/ocsp_lcl.h
@@ -0,0 +1,273 @@
+/* ocsp_lcl.h */
+/*
+ * Written by Tom Titchener <Tom_Titchener at groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+/*- CertID ::= SEQUENCE {
+ * hashAlgorithm AlgorithmIdentifier,
+ * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
+ * serialNumber CertificateSerialNumber }
+ */
+struct ocsp_cert_id_st {
+ X509_ALGOR *hashAlgorithm;
+ ASN1_OCTET_STRING *issuerNameHash;
+ ASN1_OCTET_STRING *issuerKeyHash;
+ ASN1_INTEGER *serialNumber;
+};
+
+/*- Request ::= SEQUENCE {
+ * reqCert CertID,
+ * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_one_request_st {
+ OCSP_CERTID *reqCert;
+ STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+};
+
+/*- TBSRequest ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ * requestList SEQUENCE OF Request,
+ * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_req_info_st {
+ ASN1_INTEGER *version;
+ GENERAL_NAME *requestorName;
+ STACK_OF(OCSP_ONEREQ) *requestList;
+ STACK_OF(X509_EXTENSION) *requestExtensions;
+};
+
+/*- Signature ::= SEQUENCE {
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING,
+ * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+struct ocsp_signature_st {
+ X509_ALGOR *signatureAlgorithm;
+ ASN1_BIT_STRING *signature;
+ STACK_OF(X509) *certs;
+};
+
+/*- OCSPRequest ::= SEQUENCE {
+ * tbsRequest TBSRequest,
+ * optionalSignature [0] EXPLICIT Signature OPTIONAL }
+ */
+struct ocsp_request_st {
+ OCSP_REQINFO *tbsRequest;
+ OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
+};
+
+/*- OCSPResponseStatus ::= ENUMERATED {
+ * successful (0), --Response has valid confirmations
+ * malformedRequest (1), --Illegal confirmation request
+ * internalError (2), --Internal error in issuer
+ * tryLater (3), --Try again later
+ * --(4) is not used
+ * sigRequired (5), --Must sign the request
+ * unauthorized (6) --Request unauthorized
+ * }
+ */
+
+/*- ResponseBytes ::= SEQUENCE {
+ * responseType OBJECT IDENTIFIER,
+ * response OCTET STRING }
+ */
+struct ocsp_resp_bytes_st {
+ ASN1_OBJECT *responseType;
+ ASN1_OCTET_STRING *response;
+};
+
+/*- OCSPResponse ::= SEQUENCE {
+ * responseStatus OCSPResponseStatus,
+ * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+struct ocsp_response_st {
+ ASN1_ENUMERATED *responseStatus;
+ OCSP_RESPBYTES *responseBytes;
+};
+
+/*- ResponderID ::= CHOICE {
+ * byName [1] Name,
+ * byKey [2] KeyHash }
+ */
+struct ocsp_responder_id_st {
+ int type;
+ union {
+ X509_NAME *byName;
+ ASN1_OCTET_STRING *byKey;
+ } value;
+};
+
+/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ * --(excluding the tag and length fields)
+ */
+
+/*- RevokedInfo ::= SEQUENCE {
+ * revocationTime GeneralizedTime,
+ * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+ */
+struct ocsp_revoked_info_st {
+ ASN1_GENERALIZEDTIME *revocationTime;
+ ASN1_ENUMERATED *revocationReason;
+};
+
+/*- CertStatus ::= CHOICE {
+ * good [0] IMPLICIT NULL,
+ * revoked [1] IMPLICIT RevokedInfo,
+ * unknown [2] IMPLICIT UnknownInfo }
+ */
+struct ocsp_cert_status_st {
+ int type;
+ union {
+ ASN1_NULL *good;
+ OCSP_REVOKEDINFO *revoked;
+ ASN1_NULL *unknown;
+ } value;
+};
+
+/*- SingleResponse ::= SEQUENCE {
+ * certID CertID,
+ * certStatus CertStatus,
+ * thisUpdate GeneralizedTime,
+ * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_single_response_st {
+ OCSP_CERTID *certId;
+ OCSP_CERTSTATUS *certStatus;
+ ASN1_GENERALIZEDTIME *thisUpdate;
+ ASN1_GENERALIZEDTIME *nextUpdate;
+ STACK_OF(X509_EXTENSION) *singleExtensions;
+};
+
+/*- ResponseData ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * responderID ResponderID,
+ * producedAt GeneralizedTime,
+ * responses SEQUENCE OF SingleResponse,
+ * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+ */
+struct ocsp_response_data_st {
+ ASN1_INTEGER *version;
+ OCSP_RESPID *responderId;
+ ASN1_GENERALIZEDTIME *producedAt;
+ STACK_OF(OCSP_SINGLERESP) *responses;
+ STACK_OF(X509_EXTENSION) *responseExtensions;
+};
+
+/*- BasicOCSPResponse ::= SEQUENCE {
+ * tbsResponseData ResponseData,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING,
+ * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+ /*
+ * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
+ * follows: "The value for the signature SHALL be computed on the hash of
+ * the DER encoding ResponseData." This means that you must hash the
+ * DER-encoded tbsResponseData, and then run it through a crypto-signing
+ * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
+ * operation. This seems a bit odd, but that's the spec. Also note that
+ * the data structures do not leave anywhere to independently specify the
+ * algorithm used for the initial hash. So, we look at the
+ * signature-specification algorithm, and try to do something intelligent.
+ * -- Kathy Weinhold, CertCo
+ */
+ /*
+ * Note 2: It seems that the mentioned passage from RFC 2560 (section
+ * 4.2.1) is open for interpretation. I've done tests against another
+ * responder, and found that it doesn't do the double hashing that the RFC
+ * seems to say one should. Therefore, all relevant functions take a flag
+ * saying which variant should be used. -- Richard Levitte, OpenSSL team
+ * and CeloCom
+ */
+struct ocsp_basic_response_st {
+ OCSP_RESPDATA *tbsResponseData;
+ X509_ALGOR *signatureAlgorithm;
+ ASN1_BIT_STRING *signature;
+ STACK_OF(X509) *certs;
+};
+
+/*-
+ * CrlID ::= SEQUENCE {
+ * crlUrl [0] EXPLICIT IA5String OPTIONAL,
+ * crlNum [1] EXPLICIT INTEGER OPTIONAL,
+ * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
+ */
+struct ocsp_crl_id_st {
+ ASN1_IA5STRING *crlUrl;
+ ASN1_INTEGER *crlNum;
+ ASN1_GENERALIZEDTIME *crlTime;
+};
+
+/*-
+ * ServiceLocator ::= SEQUENCE {
+ * issuer Name,
+ * locator AuthorityInfoAccessSyntax OPTIONAL }
+ */
+struct ocsp_service_locator_st {
+ X509_NAME *issuer;
+ STACK_OF(ACCESS_DESCRIPTION) *locator;
+};
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index 24ca40e..8e87f49 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -72,6 +72,7 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
#include <openssl/asn1t.h>
/* Convert a certificate and its issuer to an OCSP_CERTID */
diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c
index 1834256..96c2023 100644
--- a/crypto/ocsp/ocsp_prn.c
+++ b/crypto/ocsp/ocsp_prn.c
@@ -67,6 +67,7 @@
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
#include <openssl/pem.h>
static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 2ec2c63..00cafea 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -65,6 +65,7 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
/*
* Utility functions related to sending OCSP responses and extracting
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 6c0ccb5..8beadf7 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -58,6 +58,7 @@
*/
#include <openssl/ocsp.h>
+#include "ocsp_lcl.h"
#include <openssl/err.h>
#include <string.h>
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/ocsp/v3_ocsp.c
similarity index 99%
rename from crypto/x509v3/v3_ocsp.c
rename to crypto/ocsp/v3_ocsp.c
index b151eac..006db17 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/ocsp/v3_ocsp.c
@@ -57,13 +57,12 @@
*
*/
-#ifndef OPENSSL_NO_OCSP
-
# include <stdio.h>
# include "cryptlib.h"
# include <openssl/conf.h>
# include <openssl/asn1.h>
# include <openssl/ocsp.h>
+# include "ocsp_lcl.h"
# include <openssl/x509v3.h>
/*
@@ -309,4 +308,3 @@ static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
err:
return 0;
}
-#endif
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
index cdbfd52..284dfa8 100644
--- a/crypto/x509v3/Makefile
+++ b/crypto/x509v3/Makefile
@@ -20,13 +20,13 @@ LIB=$(TOP)/libcrypto.a
LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c v3_scts.c
LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
+v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
v3_asid.o v3_addr.o v3_scts.o
@@ -422,20 +422,6 @@ v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
v3_ncons.o: ../cryptlib.h v3_ncons.c
-v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
-v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
More information about the openssl-commits
mailing list