1/* 2 * {- join("\n * ", @autowarntext) -} 3 * 4 * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12{- 13use OpenSSL::stackhash qw(generate_stack_macros); 14-} 15 16#ifndef OPENSSL_OCSP_H 17# define OPENSSL_OCSP_H 18# pragma once 19 20# include <openssl/macros.h> 21# ifndef OPENSSL_NO_DEPRECATED_3_0 22# define HEADER_OCSP_H 23# endif 24 25# include <openssl/opensslconf.h> 26# include <openssl/http.h> 27# include <openssl/asn1.h> 28 29/* 30 * These definitions are outside the OPENSSL_NO_OCSP guard because although for 31 * historical reasons they have OCSP_* names, they can actually be used 32 * independently of OCSP. E.g. see RFC5280 33 */ 34/*- 35 * CRLReason ::= ENUMERATED { 36 * unspecified (0), 37 * keyCompromise (1), 38 * cACompromise (2), 39 * affiliationChanged (3), 40 * superseded (4), 41 * cessationOfOperation (5), 42 * certificateHold (6), 43 * -- value 7 is not used 44 * removeFromCRL (8), 45 * privilegeWithdrawn (9), 46 * aACompromise (10) } 47 */ 48# define OCSP_REVOKED_STATUS_NOSTATUS -1 49# define OCSP_REVOKED_STATUS_UNSPECIFIED 0 50# define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 51# define OCSP_REVOKED_STATUS_CACOMPROMISE 2 52# define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 53# define OCSP_REVOKED_STATUS_SUPERSEDED 4 54# define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 55# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 56# define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 57# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9 58# define OCSP_REVOKED_STATUS_AACOMPROMISE 10 59 60 61# ifndef OPENSSL_NO_OCSP 62 63# include <openssl/x509.h> 64# include <openssl/x509v3.h> 65# include <openssl/safestack.h> 66# include <openssl/ocsperr.h> 67 68# ifdef __cplusplus 69extern "C" { 70# endif 71 72/* Various flags and values */ 73 74# define OCSP_DEFAULT_NONCE_LENGTH 16 75 76# define OCSP_NOCERTS 0x1 77# define OCSP_NOINTERN 0x2 78# define OCSP_NOSIGS 0x4 79# define OCSP_NOCHAIN 0x8 80# define OCSP_NOVERIFY 0x10 81# define OCSP_NOEXPLICIT 0x20 82# define OCSP_NOCASIGN 0x40 83# define OCSP_NODELEGATED 0x80 84# define OCSP_NOCHECKS 0x100 85# define OCSP_TRUSTOTHER 0x200 86# define OCSP_RESPID_KEY 0x400 87# define OCSP_NOTIME 0x800 88# define OCSP_PARTIAL_CHAIN 0x1000 89 90typedef struct ocsp_cert_id_st OCSP_CERTID; 91typedef struct ocsp_one_request_st OCSP_ONEREQ; 92typedef struct ocsp_req_info_st OCSP_REQINFO; 93typedef struct ocsp_signature_st OCSP_SIGNATURE; 94typedef struct ocsp_request_st OCSP_REQUEST; 95 96{- 97 generate_stack_macros("OCSP_CERTID") 98 .generate_stack_macros("OCSP_ONEREQ"); 99-} 100 101# define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 102# define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 103# define OCSP_RESPONSE_STATUS_INTERNALERROR 2 104# define OCSP_RESPONSE_STATUS_TRYLATER 3 105# define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 106# define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 107 108typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES; 109 110# define V_OCSP_RESPID_NAME 0 111# define V_OCSP_RESPID_KEY 1 112 113{- 114 generate_stack_macros("OCSP_RESPID"); 115-} 116 117typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; 118 119# define V_OCSP_CERTSTATUS_GOOD 0 120# define V_OCSP_CERTSTATUS_REVOKED 1 121# define V_OCSP_CERTSTATUS_UNKNOWN 2 122 123typedef struct ocsp_cert_status_st OCSP_CERTSTATUS; 124typedef struct ocsp_single_response_st OCSP_SINGLERESP; 125 126{- 127 generate_stack_macros("OCSP_SINGLERESP"); 128-} 129 130typedef struct ocsp_response_data_st OCSP_RESPDATA; 131 132typedef struct ocsp_basic_response_st OCSP_BASICRESP; 133 134typedef struct ocsp_crl_id_st OCSP_CRLID; 135typedef struct ocsp_service_locator_st OCSP_SERVICELOC; 136 137# define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" 138# define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" 139 140# define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p) 141 142# define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) 143 144# define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \ 145 (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST, \ 146 bp,(char **)(x),cb,NULL) 147 148# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio(\ 149 (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE, \ 150 bp,(char **)(x),cb,NULL) 151 152# define PEM_write_bio_OCSP_REQUEST(bp,o) \ 153 PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\ 154 bp,(char *)(o), NULL,NULL,0,NULL,NULL) 155 156# define PEM_write_bio_OCSP_RESPONSE(bp,o) \ 157 PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\ 158 bp,(char *)(o), NULL,NULL,0,NULL,NULL) 159 160# define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o) 161 162# define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o) 163 164# define ASN1_BIT_STRING_digest(data,type,md,len) \ 165 ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) 166 167# define OCSP_CERTSTATUS_dup(cs)\ 168 (OCSP_CERTSTATUS*)ASN1_dup((i2d_of_void *)i2d_OCSP_CERTSTATUS,\ 169 (d2i_of_void *)d2i_OCSP_CERTSTATUS,(char *)(cs)) 170 171DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID) 172 173OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, 174 const OCSP_REQUEST *req, int buf_size); 175OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); 176 177# ifndef OPENSSL_NO_DEPRECATED_3_0 178typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; 179# define OCSP_REQ_CTX_new(io, buf_size) \ 180 OSSL_HTTP_REQ_CTX_new(io, io, buf_size) 181# define OCSP_REQ_CTX_free OSSL_HTTP_REQ_CTX_free 182# define OCSP_REQ_CTX_http(rctx, op, path) \ 183 (OSSL_HTTP_REQ_CTX_set_expected(rctx, NULL, 1 /* asn1 */, 0, 0) && \ 184 OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, \ 185 NULL, NULL, path)) 186# define OCSP_REQ_CTX_add1_header OSSL_HTTP_REQ_CTX_add1_header 187# define OCSP_REQ_CTX_i2d(r, it, req) \ 188 OSSL_HTTP_REQ_CTX_set1_req(r, "application/ocsp-request", it, req) 189# define OCSP_REQ_CTX_set1_req(r, req) \ 190 OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req)) 191# define OCSP_REQ_CTX_nbio OSSL_HTTP_REQ_CTX_nbio 192# define OCSP_REQ_CTX_nbio_d2i OSSL_HTTP_REQ_CTX_nbio_d2i 193# define OCSP_sendreq_nbio(p, r) \ 194 OSSL_HTTP_REQ_CTX_nbio_d2i(r, (ASN1_VALUE **)(p), \ 195 ASN1_ITEM_rptr(OCSP_RESPONSE)) 196# define OCSP_REQ_CTX_get0_mem_bio OSSL_HTTP_REQ_CTX_get0_mem_bio 197# define OCSP_set_max_response_length OSSL_HTTP_REQ_CTX_set_max_response_length 198# endif 199 200OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, 201 const X509 *issuer); 202 203OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 204 const X509_NAME *issuerName, 205 const ASN1_BIT_STRING *issuerKey, 206 const ASN1_INTEGER *serialNumber); 207 208OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); 209 210int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); 211int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); 212int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs); 213int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); 214 215int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm); 216int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); 217 218int OCSP_request_sign(OCSP_REQUEST *req, 219 X509 *signer, 220 EVP_PKEY *key, 221 const EVP_MD *dgst, 222 STACK_OF(X509) *certs, unsigned long flags); 223 224int OCSP_response_status(OCSP_RESPONSE *resp); 225OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); 226 227const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); 228const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); 229const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); 230int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, 231 STACK_OF(X509) *extra_certs); 232 233int OCSP_resp_count(OCSP_BASICRESP *bs); 234OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); 235const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs); 236const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); 237int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, 238 const ASN1_OCTET_STRING **pid, 239 const X509_NAME **pname); 240int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, 241 ASN1_OCTET_STRING **pid, 242 X509_NAME **pname); 243 244int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); 245int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, 246 ASN1_GENERALIZEDTIME **revtime, 247 ASN1_GENERALIZEDTIME **thisupd, 248 ASN1_GENERALIZEDTIME **nextupd); 249int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, 250 int *reason, 251 ASN1_GENERALIZEDTIME **revtime, 252 ASN1_GENERALIZEDTIME **thisupd, 253 ASN1_GENERALIZEDTIME **nextupd); 254int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, 255 ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); 256 257int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, 258 X509_STORE *store, unsigned long flags); 259 260# define OCSP_parse_url(url, host, port, path, ssl) \ 261 OSSL_HTTP_parse_url(url, ssl, NULL, host, port, NULL, path, NULL, NULL) 262 263int OCSP_id_issuer_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b); 264int OCSP_id_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b); 265 266int OCSP_request_onereq_count(OCSP_REQUEST *req); 267OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i); 268OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); 269int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, 270 ASN1_OCTET_STRING **pikeyHash, 271 ASN1_INTEGER **pserial, OCSP_CERTID *cid); 272int OCSP_request_is_signed(OCSP_REQUEST *req); 273OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); 274OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, 275 OCSP_CERTID *cid, 276 int status, int reason, 277 ASN1_TIME *revtime, 278 ASN1_TIME *thisupd, 279 ASN1_TIME *nextupd); 280int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); 281int OCSP_basic_sign(OCSP_BASICRESP *brsp, 282 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, 283 STACK_OF(X509) *certs, unsigned long flags); 284int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, 285 X509 *signer, EVP_MD_CTX *ctx, 286 STACK_OF(X509) *certs, unsigned long flags); 287int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); 288int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, 289 OSSL_LIB_CTX *libctx, const char *propq); 290int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); 291int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, 292 const char *propq); 293int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); 294 295X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim); 296 297X509_EXTENSION *OCSP_accept_responses_new(char **oids); 298 299X509_EXTENSION *OCSP_archive_cutoff_new(char *tim); 300 301X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls); 302 303int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); 304int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); 305int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj, 306 int lastpos); 307int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos); 308X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc); 309X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc); 310void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, 311 int *idx); 312int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, 313 unsigned long flags); 314int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); 315 316int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); 317int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos); 318int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos); 319int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos); 320X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc); 321X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc); 322void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx); 323int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, 324 unsigned long flags); 325int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); 326 327int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); 328int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); 329int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj, 330 int lastpos); 331int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, 332 int lastpos); 333X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc); 334X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc); 335void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, 336 int *idx); 337int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, 338 int crit, unsigned long flags); 339int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc); 340 341int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); 342int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos); 343int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj, 344 int lastpos); 345int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, 346 int lastpos); 347X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc); 348X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc); 349void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, 350 int *idx); 351int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, 352 int crit, unsigned long flags); 353int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc); 354const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x); 355 356DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP) 357DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS) 358DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO) 359DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP) 360DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA) 361DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) 362DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE) 363DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES) 364DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ) 365DECLARE_ASN1_FUNCTIONS(OCSP_CERTID) 366DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST) 367DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE) 368DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO) 369DECLARE_ASN1_FUNCTIONS(OCSP_CRLID) 370DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC) 371 372const char *OCSP_response_status_str(long s); 373const char *OCSP_cert_status_str(long s); 374const char *OCSP_crl_reason_str(long s); 375 376int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); 377int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); 378 379int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 380 X509_STORE *st, unsigned long flags); 381 382 383# ifdef __cplusplus 384} 385# endif 386# endif /* !defined(OPENSSL_NO_OCSP) */ 387#endif 388