
  1. /* ocsp.h */
  2. /*
  3. * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  4. * project.
  5. */
  6. /*
  7. * History: This file was transferred to Richard Levitte from CertCo by Kathy
  8. * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
  9. * patch kit.
  10. */
  11. /* ====================================================================
  12. * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
  13. *
  14. * Redistribution and use in source and binary forms, with or without
  15. * modification, are permitted provided that the following conditions
  16. * are met:
  17. *
  18. * 1. Redistributions of source code must retain the above copyright
  19. * notice, this list of conditions and the following disclaimer.
  20. *
  21. * 2. Redistributions in binary form must reproduce the above copyright
  22. * notice, this list of conditions and the following disclaimer in
  23. * the documentation and/or other materials provided with the
  24. * distribution.
  25. *
  26. * 3. All advertising materials mentioning features or use of this
  27. * software must display the following acknowledgment:
  28. * "This product includes software developed by the OpenSSL Project
  29. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  30. *
  31. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  32. * endorse or promote products derived from this software without
  33. * prior written permission. For written permission, please contact
  34. * openssl-core@openssl.org.
  35. *
  36. * 5. Products derived from this software may not be called "OpenSSL"
  37. * nor may "OpenSSL" appear in their names without prior written
  38. * permission of the OpenSSL Project.
  39. *
  40. * 6. Redistributions of any form whatsoever must retain the following
  41. * acknowledgment:
  42. * "This product includes software developed by the OpenSSL Project
  43. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  44. *
  45. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  46. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  47. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  48. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  49. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  50. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  51. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  52. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  53. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  54. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  55. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  56. * OF THE POSSIBILITY OF SUCH DAMAGE.
  57. * ====================================================================
  58. *
  59. * This product includes cryptographic software written by Eric Young
  60. * (eay@cryptsoft.com). This product includes software written by Tim
  61. * Hudson (tjh@cryptsoft.com).
  62. *
  63. */
  64. #ifndef HEADER_OCSP_H
  65. # define HEADER_OCSP_H
  66. # include <openssl/ossl_typ.h>
  67. # include <openssl/x509.h>
  68. # include <openssl/x509v3.h>
  69. # include <openssl/safestack.h>
  70. #ifdef __cplusplus
  71. extern "C" {
  72. #endif
/* Various flags and values */
/*
 * Default nonce length in bytes. Presumably used by OCSP_request_add1_nonce
 * and OCSP_basic_add1_nonce (declared below) when the caller supplies no
 * explicit length -- confirm against the implementation.
 */
# define OCSP_DEFAULT_NONCE_LENGTH 16
/*
 * Bit flags for the `unsigned long flags` arguments of the sign, verify and
 * print functions declared in this header. Each value is a distinct bit, so
 * they can be OR-ed together.
 * NOTE(review): the OCSP_NO* flags and OCSP_TRUSTOTHER each skip or relax
 * part of the signature / chain verification. This header does not show
 * which check each one removes, so confirm in the implementation before
 * passing any of them outside of test code -- every skipped check weakens
 * the assurance a "good" status gives.
 */
# define OCSP_NOCERTS 0x1
# define OCSP_NOINTERN 0x2
# define OCSP_NOSIGS 0x4
# define OCSP_NOCHAIN 0x8
# define OCSP_NOVERIFY 0x10
# define OCSP_NOEXPLICIT 0x20
# define OCSP_NOCASIGN 0x40
# define OCSP_NODELEGATED 0x80
# define OCSP_NOCHECKS 0x100
# define OCSP_TRUSTOTHER 0x200
/*
 * Responder-side option rather than a "skip" flag: presumably selects the
 * byKey form of ResponderID when signing. Distinct from the CHOICE
 * selector V_OCSP_RESPID_KEY defined further down.
 */
# define OCSP_RESPID_KEY 0x400
# define OCSP_NOTIME 0x800
  87. /*- CertID ::= SEQUENCE {
  88. * hashAlgorithm AlgorithmIdentifier,
  89. * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
  90. * issuerKeyHash OCTET STRING, -- Hash of Issuer's public key (excluding the tag & length fields)
  91. * serialNumber CertificateSerialNumber }
  92. */
/*
 * CertID: identifies the certificate whose status is requested or reported.
 * Fields map 1:1 onto the ASN.1 above. The two hashes are digests, computed
 * with hashAlgorithm, of the issuer's DN and of the issuer's public key;
 * OCSP_id_issuer_cmp / OCSP_id_cmp (declared below) compare these fields.
 */
typedef struct ocsp_cert_id_st {
    X509_ALGOR *hashAlgorithm;          /* digest used for the two hashes */
    ASN1_OCTET_STRING *issuerNameHash;  /* hash of the issuer's DN */
    ASN1_OCTET_STRING *issuerKeyHash;   /* hash of the issuer's public key, tag and length excluded */
    ASN1_INTEGER *serialNumber;         /* serial number of the certificate in question */
} OCSP_CERTID;
DECLARE_STACK_OF(OCSP_CERTID)
  100. /*- Request ::= SEQUENCE {
  101. * reqCert CertID,
  102. * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
  103. */
/*
 * Request: one entry of TBSRequest.requestList -- a CertID plus optional
 * per-entry extensions.
 */
typedef struct ocsp_one_request_st {
    OCSP_CERTID *reqCert;
    STACK_OF(X509_EXTENSION) *singleRequestExtensions; /* OPTIONAL (NULL when absent) */
} OCSP_ONEREQ;
DECLARE_STACK_OF(OCSP_ONEREQ)
DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
  110. /*- TBSRequest ::= SEQUENCE {
  111. * version [0] EXPLICIT Version DEFAULT v1,
  112. * requestorName [1] EXPLICIT GeneralName OPTIONAL,
  113. * requestList SEQUENCE OF Request,
  114. * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
  115. */
/*
 * TBSRequest: the portion of an OCSPRequest that is covered by the
 * optional signature (see OCSP_REQUEST_sign below, which signs exactly
 * this item).
 */
typedef struct ocsp_req_info_st {
    ASN1_INTEGER *version;                       /* DEFAULT v1; presumably NULL when the default applies -- confirm */
    GENERAL_NAME *requestorName;                 /* OPTIONAL */
    STACK_OF(OCSP_ONEREQ) *requestList;          /* one OCSP_ONEREQ per certificate queried */
    STACK_OF(X509_EXTENSION) *requestExtensions; /* OPTIONAL */
} OCSP_REQINFO;
  122. /*- Signature ::= SEQUENCE {
  123. * signatureAlgorithm AlgorithmIdentifier,
  124. * signature BIT STRING,
  125. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  126. */
/*
 * Signature: algorithm, signature bits and an optional bag of certificates
 * supplied by the signer. Those certificates come from the peer and are
 * untrusted input until the verifier has chained them to its trust store.
 */
typedef struct ocsp_signature_st {
    X509_ALGOR *signatureAlgorithm;
    ASN1_BIT_STRING *signature;
    STACK_OF(X509) *certs;          /* OPTIONAL */
} OCSP_SIGNATURE;
  132. /*- OCSPRequest ::= SEQUENCE {
  133. * tbsRequest TBSRequest,
  134. * optionalSignature [0] EXPLICIT Signature OPTIONAL }
  135. */
/*
 * OCSPRequest: the TBS part plus an optional signature.
 * optionalSignature is NULL for an unsigned request. Check
 * OCSP_request_is_signed() (declared below) before using the
 * OCSP_REQUEST_sign / OCSP_REQUEST_verify macros, which dereference
 * o->optionalSignature unconditionally.
 */
typedef struct ocsp_request_st {
    OCSP_REQINFO *tbsRequest;
    OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
} OCSP_REQUEST;
  140. /*- OCSPResponseStatus ::= ENUMERATED {
  141. * successful (0), --Response has valid confirmations
  142. * malformedRequest (1), --Illegal confirmation request
  143. * internalError (2), --Internal error in issuer
  144. * tryLater (3), --Try again later
  145. * --(4) is not used
  146. * sigRequired (5), --Must sign the request
  147. * unauthorized (6) --Request unauthorized
  148. * }
  149. */
/*
 * OCSPResponseStatus values, matching the ENUMERATED above (value 4 is
 * deliberately unassigned). Returned by OCSP_response_status(). Any value
 * other than SUCCESSFUL means the responder did not answer the question;
 * responseBytes is OPTIONAL and should not be expected in that case, and
 * such a response must never be treated as a "good" certificate status.
 */
# define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
# define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
# define OCSP_RESPONSE_STATUS_INTERNALERROR 2
# define OCSP_RESPONSE_STATUS_TRYLATER 3
# define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
# define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
  156. /*- ResponseBytes ::= SEQUENCE {
  157. * responseType OBJECT IDENTIFIER,
  158. * response OCTET STRING }
  159. */
/*
 * ResponseBytes: a typed (OID) blob holding the DER encoding of the actual
 * response. OCSP_response_get1_basic() below decodes the basic-response
 * type; presumably any other responseType fails with
 * OCSP_R_NOT_BASIC_RESPONSE -- confirm against the implementation.
 */
typedef struct ocsp_resp_bytes_st {
    ASN1_OBJECT *responseType;
    ASN1_OCTET_STRING *response;   /* DER of the inner response */
} OCSP_RESPBYTES;
  164. /*- OCSPResponse ::= SEQUENCE {
  165. * responseStatus OCSPResponseStatus,
  166. * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
  167. */
/*
 * OCSPResponse: the outer envelope. No typedef is given here; the
 * OCSP_RESPONSE name used below presumably comes from <openssl/ossl_typ.h>
 * (included above) -- confirm. responseBytes is OPTIONAL (NULL when
 * absent), so call OCSP_response_status() before trying to decode it.
 */
struct ocsp_response_st {
    ASN1_ENUMERATED *responseStatus; /* one of OCSP_RESPONSE_STATUS_* */
    OCSP_RESPBYTES *responseBytes;   /* OPTIONAL */
};
  172. /*- ResponderID ::= CHOICE {
  173. * byName [1] Name,
  174. * byKey [2] KeyHash }
  175. */
/*
 * ResponderID CHOICE selector values for ocsp_responder_id_st.type.
 * Not to be confused with the OCSP_RESPID_KEY flag bit (0x400) above,
 * which is a signing option.
 */
# define V_OCSP_RESPID_NAME 0
# define V_OCSP_RESPID_KEY 1
/*
 * ResponderID: `type` says which union member is live. No typedef is given
 * here; the OCSP_RESPID name used below presumably comes from
 * <openssl/ossl_typ.h> -- confirm. byKey is the KeyHash described below
 * (SHA-1 of the responder's public key, tag and length excluded).
 */
struct ocsp_responder_id_st {
    int type;                      /* V_OCSP_RESPID_NAME or V_OCSP_RESPID_KEY */
    union {
        X509_NAME *byName;         /* live when type == V_OCSP_RESPID_NAME */
        ASN1_OCTET_STRING *byKey;  /* live when type == V_OCSP_RESPID_KEY */
    } value;
};
DECLARE_STACK_OF(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
  187. /*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  188. * --(excluding the tag and length fields)
  189. */
  190. /*- RevokedInfo ::= SEQUENCE {
  191. * revocationTime GeneralizedTime,
  192. * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
  193. */
/*
 * RevokedInfo: carried only for a revoked CertStatus. revocationReason is
 * OPTIONAL (NULL when absent); OCSP_single_get0_status() reports the
 * absent case as OCSP_REVOKED_STATUS_NOSTATUS, presumably -- confirm.
 */
typedef struct ocsp_revoked_info_st {
    ASN1_GENERALIZEDTIME *revocationTime;
    ASN1_ENUMERATED *revocationReason; /* OPTIONAL; one of the CRLReason values */
} OCSP_REVOKEDINFO;
  198. /*- CertStatus ::= CHOICE {
  199. * good [0] IMPLICIT NULL,
  200. * revoked [1] IMPLICIT RevokedInfo,
  201. * unknown [2] IMPLICIT UnknownInfo }
  202. */
/* CertStatus CHOICE selector values for ocsp_cert_status_st.type. */
# define V_OCSP_CERTSTATUS_GOOD 0
# define V_OCSP_CERTSTATUS_REVOKED 1
# define V_OCSP_CERTSTATUS_UNKNOWN 2
/*
 * CertStatus: `type` selects the live union member. Only REVOKED carries
 * data; GOOD and UNKNOWN are ASN.1 NULLs. Callers must treat UNKNOWN as
 * "not confirmed good" -- it is a distinct answer, not a variant of GOOD.
 */
typedef struct ocsp_cert_status_st {
    int type;                       /* one of V_OCSP_CERTSTATUS_* */
    union {
        ASN1_NULL *good;            /* type == V_OCSP_CERTSTATUS_GOOD */
        OCSP_REVOKEDINFO *revoked;  /* type == V_OCSP_CERTSTATUS_REVOKED */
        ASN1_NULL *unknown;         /* type == V_OCSP_CERTSTATUS_UNKNOWN */
    } value;
} OCSP_CERTSTATUS;
  214. /*- SingleResponse ::= SEQUENCE {
  215. * certID CertID,
  216. * certStatus CertStatus,
  217. * thisUpdate GeneralizedTime,
  218. * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
  219. * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
  220. */
/*
 * SingleResponse: the status of one CertID together with the validity
 * window (thisUpdate .. nextUpdate) that OCSP_check_validity() examines.
 * Note the C field is spelt certId although the ASN.1 says certID.
 */
typedef struct ocsp_single_response_st {
    OCSP_CERTID *certId;
    OCSP_CERTSTATUS *certStatus;
    ASN1_GENERALIZEDTIME *thisUpdate;
    ASN1_GENERALIZEDTIME *nextUpdate;            /* OPTIONAL (NULL when absent) */
    STACK_OF(X509_EXTENSION) *singleExtensions;  /* OPTIONAL */
} OCSP_SINGLERESP;
DECLARE_STACK_OF(OCSP_SINGLERESP)
DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
  230. /*- ResponseData ::= SEQUENCE {
  231. * version [0] EXPLICIT Version DEFAULT v1,
  232. * responderID ResponderID,
  233. * producedAt GeneralizedTime,
  234. * responses SEQUENCE OF SingleResponse,
  235. * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
  236. */
/*
 * ResponseData: the signed portion of a BasicOCSPResponse (see
 * OCSP_BASICRESP_sign below, which signs exactly this item). Note the C
 * field is spelt responderId although the ASN.1 says responderID.
 */
typedef struct ocsp_response_data_st {
    ASN1_INTEGER *version;                        /* DEFAULT v1; presumably NULL when the default applies -- confirm */
    OCSP_RESPID *responderId;
    ASN1_GENERALIZEDTIME *producedAt;             /* when the responder signed this response */
    STACK_OF(OCSP_SINGLERESP) *responses;
    STACK_OF(X509_EXTENSION) *responseExtensions; /* OPTIONAL */
} OCSP_RESPDATA;
  244. /*- BasicOCSPResponse ::= SEQUENCE {
  245. * tbsResponseData ResponseData,
  246. * signatureAlgorithm AlgorithmIdentifier,
  247. * signature BIT STRING,
  248. * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
  249. */
  250. /*
  251. * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
  252. * follows: "The value for the signature SHALL be computed on the hash of
  253. * the DER encoding ResponseData." This means that you must hash the
  254. * DER-encoded tbsResponseData, and then run it through a crypto-signing
  255. * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
  256. * operation. This seems a bit odd, but that's the spec. Also note that
  257. * the data structures do not leave anywhere to independently specify the
  258. * algorithm used for the initial hash. So, we look at the
  259. * signature-specification algorithm, and try to do something intelligent.
  260. * -- Kathy Weinhold, CertCo
  261. */
  262. /*
  263. * Note 2: It seems that the mentioned passage from RFC 2560 (section
  264. * 4.2.1) is open for interpretation. I've done tests against another
  265. * responder, and found that it doesn't do the double hashing that the RFC
  266. * seems to say one should. Therefore, all relevant functions take a flag
  267. * saying which variant should be used. -- Richard Levitte, OpenSSL team
  268. * and CeloCom
  269. */
/*
 * BasicOCSPResponse: signed ResponseData. `certs` is chain material
 * supplied by the responder and is untrusted until OCSP_basic_verify()
 * (declared below) has chained the signer to the trust store. See Notes 1
 * and 2 above for how `signature` is computed over tbsResponseData.
 */
typedef struct ocsp_basic_response_st {
    OCSP_RESPDATA *tbsResponseData;
    X509_ALGOR *signatureAlgorithm;
    ASN1_BIT_STRING *signature;
    STACK_OF(X509) *certs;          /* OPTIONAL */
} OCSP_BASICRESP;
  276. /*-
  277. * CRLReason ::= ENUMERATED {
  278. * unspecified (0),
  279. * keyCompromise (1),
  280. * cACompromise (2),
  281. * affiliationChanged (3),
  282. * superseded (4),
  283. * cessationOfOperation (5),
  284. * certificateHold (6),
  285. * removeFromCRL (8) }
  286. */
/*
 * CRLReason values as in the ENUMERATED above (7 is unassigned there too).
 * NOSTATUS is a library-local sentinel, not an ASN.1 value: it stands for
 * an absent revocationReason (the field is OPTIONAL in RevokedInfo).
 */
# define OCSP_REVOKED_STATUS_NOSTATUS -1
# define OCSP_REVOKED_STATUS_UNSPECIFIED 0
# define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
# define OCSP_REVOKED_STATUS_CACOMPROMISE 2
# define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
# define OCSP_REVOKED_STATUS_SUPERSEDED 4
# define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
# define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
  296. /*-
  297. * CrlID ::= SEQUENCE {
  298. * crlUrl [0] EXPLICIT IA5String OPTIONAL,
  299. * crlNum [1] EXPLICIT INTEGER OPTIONAL,
  300. * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
  301. */
/*
 * CrlID extension payload: identifies the CRL a response was derived
 * from. All three fields are OPTIONAL (NULL when absent). Built by
 * OCSP_crlID_new() below.
 */
typedef struct ocsp_crl_id_st {
    ASN1_IA5STRING *crlUrl;
    ASN1_INTEGER *crlNum;
    ASN1_GENERALIZEDTIME *crlTime;
} OCSP_CRLID;
  307. /*-
  308. * ServiceLocator ::= SEQUENCE {
  309. * issuer Name,
  310. * locator AuthorityInfoAccessSyntax OPTIONAL }
  311. */
/*
 * ServiceLocator extension payload: the issuer name plus an optional
 * AuthorityInfoAccess-style list of access descriptions. Built by
 * OCSP_url_svcloc_new() below.
 */
typedef struct ocsp_service_locator_st {
    X509_NAME *issuer;
    STACK_OF(ACCESS_DESCRIPTION) *locator; /* OPTIONAL */
} OCSP_SERVICELOC;
/* PEM armour labels for the two top-level structures. */
# define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
# define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
/* DER <-> BIO helpers; the ASN1_*_bio_of macros supply the typed wrappers. */
# define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
# define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
/*
 * PEM readers / writers. The (char *(*)()) and (int (*)()) casts are
 * legacy function-pointer casts that remove prototype checking, so the
 * argument types must stay exactly as written here.
 */
# define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
(char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
(char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
# define PEM_write_bio_OCSP_REQUEST(bp,o) \
PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
bp,(char *)o, NULL,NULL,0,NULL,NULL)
# define PEM_write_bio_OCSP_RESPONSE(bp,o) \
PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
bp,(char *)o, NULL,NULL,0,NULL,NULL)
# define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
# define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
/*
 * Raw sign / verify over the TBS items. The macro arguments are used
 * unparenthesised (o->..., a->...), so pass plain lvalues, not expressions.
 * NOTE(review): the two OCSP_REQUEST_* macros dereference
 * o->optionalSignature / a->optionalSignature, which is OPTIONAL in
 * OCSPRequest and therefore NULL for an unsigned request; guard with
 * OCSP_request_is_signed(), or use OCSP_request_sign() /
 * OCSP_request_verify() below, which take the whole structure.
 */
# define OCSP_REQUEST_sign(o,pkey,md) \
ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
o->optionalSignature->signatureAlgorithm,NULL,\
o->optionalSignature->signature,o->tbsRequest,pkey,md)
/*
 * In OCSP_BASICRESP_sign and OCSP_BASICRESP_verify the trailing `d`
 * parameter is accepted but never used by the expansion (compare Note 2
 * above about the hashing-variant flag); passing a value has no effect.
 */
# define OCSP_BASICRESP_sign(o,pkey,md,d) \
ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
o->signature,o->tbsResponseData,pkey,md)
# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
a->optionalSignature->signatureAlgorithm,\
a->optionalSignature->signature,a->tbsRequest,r)
# define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
/* Digest of a DER-encoded BIT STRING (used for KeyHash-style values). */
# define ASN1_BIT_STRING_digest(data,type,md,len) \
ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
/* Deep copy via encode/decode round-trip; caller owns the result. */
# define OCSP_CERTSTATUS_dup(cs)\
(OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
(char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
/*
 * Deep-copies a CertID; the caller owns the returned object. Takes a
 * non-const pointer although it presumably does not modify `id` -- confirm.
 */
OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
/*
 * Sends `req` over an already connected BIO and reads the response back in
 * a single call (presumably blocking, in contrast to the _nbio variant
 * below). `path` is the request path, e.g. as produced by OCSP_parse_url().
 * The returned OCSP_RESPONSE is owned by the caller; NULL on failure.
 */
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
/*
 * Non-blocking variant: creates a request context over `io`. `maxline`
 * presumably bounds the length of a response line read at a time --
 * confirm against the implementation. Release with OCSP_REQ_CTX_free().
 */
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
                               int maxline);
/*
 * Advances the exchange one step; call repeatedly until it reports a final
 * result, at which point *presp holds the parsed response. The exact
 * return-value convention (done / retry / error) is not visible in this
 * header -- check the implementation rather than testing `!= 0`.
 */
int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
/*
 * set1 / add1: by the OpenSSL suffix convention the context keeps its own
 * copy or reference, so the caller retains ownership of `req` and of the
 * header strings.
 */
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
                             const char *name, const char *value);
/*
 * Builds a CertID for `subject` as issued by `issuer`, hashing the issuer
 * name and key with `dgst`. Caller owns the result; NULL on failure.
 */
OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
/* Same, from the individual components (see the CertID definition above). */
OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
                              X509_NAME *issuerName,
                              ASN1_BIT_STRING *issuerKey,
                              ASN1_INTEGER *serialNumber);
/*
 * add0: `cid` is adopted by the request, so the caller must not free it
 * after success. The returned OCSP_ONEREQ remains owned by `req`.
 */
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
/*
 * Nonce handling (binds a response to the request it answers). `val` may
 * presumably be NULL to have a random nonce generated, with a length of
 * OCSP_DEFAULT_NONCE_LENGTH when `len` is not positive -- confirm against
 * the implementation.
 */
int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
/*
 * Compares the request nonce with the one in `bs`. The return value
 * distinguishes match, mismatch and the absent-on-one-side cases; the
 * encoding is not visible here, so check the implementation and decide
 * explicitly how an absent nonce should be treated instead of testing
 * `!= 0`.
 */
int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
/* Responder side: copies the request nonce into the response. */
int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
/* Sets TBSRequest.requestorName (set1: `nm` is copied, caller keeps it). */
int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
/* Appends a certificate to the request's signature certs (add1: copied / referenced). */
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
/*
 * Signs the request with `key`, using `signer` as the signing certificate
 * and `dgst` as the digest; `certs` are additional certificates to embed.
 * `flags` is presumably a mask of the OCSP_* bits above (e.g. OCSP_NOCERTS
 * to omit the certificates) -- confirm against the implementation.
 */
int OCSP_request_sign(OCSP_REQUEST *req,
                      X509 *signer,
                      EVP_PKEY *key,
                      const EVP_MD *dgst,
                      STACK_OF(X509) *certs, unsigned long flags);
/* Returns responseStatus as one of OCSP_RESPONSE_STATUS_*. */
int OCSP_response_status(OCSP_RESPONSE *resp);
/*
 * get1: decodes responseBytes and returns a new OCSP_BASICRESP the caller
 * must free. Returns NULL when there is nothing to decode or the
 * responseType is not the basic response (see OCSP_R_NOT_BASIC_RESPONSE
 * below); check OCSP_response_status() first.
 */
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
/* Number of SingleResponse entries, and indexed access (get0: owned by `bs`). */
int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
/*
 * Index of the SingleResponse whose certID matches `id`, searching after
 * `last` (presumably -1 to start at the first entry, like the `lastpos`
 * arguments of the *_get_ext_by_* functions below); negative if not found.
 */
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
/*
 * Extracts the status of one SingleResponse. Returns the status as
 * V_OCSP_CERTSTATUS_*; *reason receives an OCSP_REVOKED_STATUS_* value and
 * *revtime the revocation time (meaningful only for REVOKED); *thisupd and
 * *nextupd receive the validity window. Output pointers may be NULL when
 * not wanted. get0: the returned times stay owned by `single`.
 */
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd);
/*
 * Convenience: OCSP_resp_find() followed by OCSP_single_get0_status() for
 * `id`; the status is delivered through *status. Returns zero-or-negative
 * when `id` is not present in the response.
 */
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                          int *reason,
                          ASN1_GENERALIZEDTIME **revtime,
                          ASN1_GENERALIZEDTIME **thisupd,
                          ASN1_GENERALIZEDTIME **nextupd);
/*
 * Checks the thisUpdate / nextUpdate window against the current time,
 * allowing `sec` seconds of clock skew; `maxsec` bounds how old thisUpdate
 * may be (a negative value presumably disables that bound -- confirm).
 * The matching reason codes below are OCSP_R_STATUS_NOT_YET_VALID,
 * OCSP_R_STATUS_EXPIRED, OCSP_R_STATUS_TOO_OLD and the *UPDATE_FIELD
 * errors. Freshness is checked here, separately from signature
 * verification (OCSP_basic_verify), so a verifying client needs both.
 */
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                        ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
/*
 * Verifies the request signature and the signer certificate using the
 * untrusted `certs` and the trust `store`, subject to the OCSP_* flags.
 */
int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
                        X509_STORE *store, unsigned long flags);
/*
 * Splits `url` into newly allocated host, port and path strings that the
 * caller must free; *pssl is presumably set non-zero for an https URL --
 * confirm. `url` is declared writable although it is presumably not
 * modified in place. When the URL comes from a certificate (e.g. an
 * AuthorityInfoAccess entry) treat all parts as untrusted input.
 */
int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
                   int *pssl);
/*
 * CertID comparison; zero means equal. By its name, _issuer_cmp compares
 * only the hash algorithm and the two issuer hashes, while _cmp also
 * compares the serial number -- confirm against the implementation.
 */
int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
/* Request inspection (get0: the returned pointers remain owned by `req`). */
int OCSP_request_onereq_count(OCSP_REQUEST *req);
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
/*
 * Breaks a CertID into its components; any output pointer may be NULL.
 * get0: the components stay owned by `cid`. Note the argument order:
 * (nameHash, digest OID, keyHash, serial, cid).
 */
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
                      ASN1_OCTET_STRING **pikeyHash,
                      ASN1_INTEGER **pserial, OCSP_CERTID *cid);
/*
 * Non-zero if the request carries an optionalSignature. Use it before the
 * OCSP_REQUEST_sign / OCSP_REQUEST_verify macros above, which dereference
 * optionalSignature unconditionally.
 */
int OCSP_request_is_signed(OCSP_REQUEST *req);
/*
 * Responder side: wraps `bs` into an OCSPResponse with the given
 * OCSP_RESPONSE_STATUS_* value. `bs` may presumably be NULL for a
 * non-successful status, since responseBytes is OPTIONAL -- confirm.
 */
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
/*
 * Adds a SingleResponse for `cid`. `status` is V_OCSP_CERTSTATUS_*;
 * `reason` (OCSP_REVOKED_STATUS_*, presumably NOSTATUS to omit it) and
 * `revtime` are only meaningful for V_OCSP_CERTSTATUS_REVOKED; `nextupd`
 * may be NULL since the field is OPTIONAL. The returned entry stays owned
 * by `rsp`.
 */
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
                                        OCSP_CERTID *cid,
                                        int status, int reason,
                                        ASN1_TIME *revtime,
                                        ASN1_TIME *thisupd,
                                        ASN1_TIME *nextupd);
/* Appends a certificate to the response's certs (add1: copied / referenced). */
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
/*
 * Signs the response with `key` as `signer`. `flags` is presumably a mask
 * of the OCSP_* bits above: OCSP_RESPID_KEY for a byKey ResponderID,
 * OCSP_NOCERTS to omit the certificates, OCSP_NOTIME to leave producedAt
 * unset -- confirm against the implementation.
 */
int OCSP_basic_sign(OCSP_BASICRESP *brsp,
                    X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
                    STACK_OF(X509) *certs, unsigned long flags);
/*
 * Extension builders; each returns a new X509_EXTENSION the caller owns
 * (NULL on failure). The string arguments are presumably NUL-terminated
 * and the `oids` / `urls` arrays NULL-terminated; the accepted format of
 * the `tim` strings is not visible here -- confirm before use.
 */
X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
X509_EXTENSION *OCSP_accept_responses_new(char **oids);
X509_EXTENSION *OCSP_archive_cutoff_new(char *tim);
X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls);
/*
 * Extension accessors for the four extensible OCSP structures
 * (OCSP_REQUEST, OCSP_ONEREQ, OCSP_BASICRESP, OCSP_SINGLERESP). They mirror
 * the X509_get_ext_* family from <openssl/x509.h>; presumably with the
 * same conventions -- confirm there: *_get_ext_by_* search from
 * `lastpos` + 1 and return the index or a negative value; *_get_ext /
 * *_delete_ext work by index, with delete transferring ownership of the
 * returned extension to the caller; *_get1_ext_d2i decodes the extension
 * with the given NID into a new object the caller frees (`crit` / `idx`
 * may be NULL); *_add1_ext_i2d encodes `value` and appends it;
 * *_add_ext inserts `ex` at `loc`.
 */
int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
                                int lastpos);
int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit,
                                int *idx);
int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
                              unsigned long flags);
int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
/* Same accessors for the per-entry singleRequestExtensions. */
int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
                             unsigned long flags);
int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
/* Same accessors for ResponseData.responseExtensions. */
int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
                                  int lastpos);
int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
                                       int lastpos);
X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
                                  int *idx);
int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
                                int crit, unsigned long flags);
int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
/* Same accessors for SingleResponse.singleExtensions. */
int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
                                   int lastpos);
int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
                                        int lastpos);
X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
                                   int *idx);
int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
                                 int crit, unsigned long flags);
int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
/*
 * Declares the standard ASN.1 entry points for each type: TYPE_new,
 * TYPE_free, d2i_TYPE, i2d_TYPE and the TYPE ASN1_ITEM. OCSP_RESPID is
 * also declared next to its struct above; the repeat is harmless because
 * the macro only produces declarations.
 */
DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
/*
 * Human-readable names for OCSP_RESPONSE_STATUS_*, V_OCSP_CERTSTATUS_* and
 * OCSP_REVOKED_STATUS_* values respectively. The returned strings are
 * const and not owned by the caller; do not free them.
 */
const char *OCSP_response_status_str(long s);
const char *OCSP_cert_status_str(long s);
const char *OCSP_crl_reason_str(long s);
/* Pretty-printers. The meaning of `flags` is not visible in this header. */
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);
/*
 * Verifies the response signature and that the signer is entitled to sign
 * for the certificates concerned: `certs` supplies untrusted extra
 * certificates, `st` the trust store, and the OCSP_NO* / OCSP_TRUSTOTHER
 * flags above relax individual checks. By the usual OpenSSL convention 1
 * means success; treat any other value as failure. This does not check the
 * thisUpdate / nextUpdate window or the nonce -- pair it with
 * OCSP_check_validity() and OCSP_check_nonce().
 */
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                      X509_STORE *st, unsigned long flags);
  489. /* BEGIN ERROR CODES */
  490. /*
  491. * The following lines are auto generated by the script mkerr.pl. Any changes
  492. * made after this point may be overwritten when the script is next run.
  493. */
  494. void ERR_load_OCSP_strings(void);
  495. /* Error codes for the OCSP functions. */
  496. /* Function codes. */
  497. # define OCSP_F_ASN1_STRING_ENCODE 100
  498. # define OCSP_F_D2I_OCSP_NONCE 102
  499. # define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
  500. # define OCSP_F_OCSP_BASIC_SIGN 104
  501. # define OCSP_F_OCSP_BASIC_VERIFY 105
  502. # define OCSP_F_OCSP_CERT_ID_NEW 101
  503. # define OCSP_F_OCSP_CHECK_DELEGATED 106
  504. # define OCSP_F_OCSP_CHECK_IDS 107
  505. # define OCSP_F_OCSP_CHECK_ISSUER 108
  506. # define OCSP_F_OCSP_CHECK_VALIDITY 115
  507. # define OCSP_F_OCSP_MATCH_ISSUERID 109
  508. # define OCSP_F_OCSP_PARSE_URL 114
  509. # define OCSP_F_OCSP_REQUEST_SIGN 110
  510. # define OCSP_F_OCSP_REQUEST_VERIFY 116
  511. # define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
  512. # define OCSP_F_OCSP_SENDREQ_BIO 112
  513. # define OCSP_F_OCSP_SENDREQ_NBIO 117
  514. # define OCSP_F_PARSE_HTTP_LINE1 118
  515. # define OCSP_F_REQUEST_VERIFY 113
  516. /* Reason codes. */
  517. # define OCSP_R_BAD_DATA 100
  518. # define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
  519. # define OCSP_R_DIGEST_ERR 102
  520. # define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
  521. # define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
  522. # define OCSP_R_ERROR_PARSING_URL 121
  523. # define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
  524. # define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
  525. # define OCSP_R_NOT_BASIC_RESPONSE 104
  526. # define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
  527. # define OCSP_R_NO_CONTENT 106
  528. # define OCSP_R_NO_PUBLIC_KEY 107
  529. # define OCSP_R_NO_RESPONSE_DATA 108
  530. # define OCSP_R_NO_REVOKED_TIME 109
  531. # define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
  532. # define OCSP_R_REQUEST_NOT_SIGNED 128
  533. # define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
  534. # define OCSP_R_ROOT_CA_NOT_TRUSTED 112
  535. # define OCSP_R_SERVER_READ_ERROR 113
  536. # define OCSP_R_SERVER_RESPONSE_ERROR 114
  537. # define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
  538. # define OCSP_R_SERVER_WRITE_ERROR 116
  539. # define OCSP_R_SIGNATURE_FAILURE 117
  540. # define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
  541. # define OCSP_R_STATUS_EXPIRED 125
  542. # define OCSP_R_STATUS_NOT_YET_VALID 126
  543. # define OCSP_R_STATUS_TOO_OLD 127
  544. # define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
  545. # define OCSP_R_UNKNOWN_NID 120
  546. # define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
  547. #ifdef __cplusplus
  548. }
  549. #endif
  550. #endif