--- /dev/null
+/*
+ * Copyright (c) 2003-2006,2008-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * ocspTemplates.h - ASN1 templates OCSP requests and responses.
+ */
+
+#ifndef _OCSP_TEMPLATES_H_
+#define _OCSP_TEMPLATES_H_
+
+#include <Security/X509Templates.h> /* NSS_CertExtension */
+#include <Security/nameTemplates.h> /* NSS_GeneralName and support */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// MARK: ----- OCSP Request -----
+
+/*
+ * CertID ::= SEQUENCE {
+ * hashAlgorithm AlgorithmIdentifier,
+ * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
+ * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
+ * serialNumber CertificateSerialNumber } -- i.e., INTEGER
+ */
+typedef struct {
+ SecAsn1AlgId algId;
+ SecAsn1Item issuerNameHash;
+ SecAsn1Item issuerPubKeyHash;
+ SecAsn1Item serialNumber;
+} SecAsn1OCSPCertID;
+
+extern const SecAsn1Template kSecAsn1OCSPCertIDTemplate[];
+
+/*
+ * Request ::= SEQUENCE {
+ * reqCert CertID,
+ * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct {
+ SecAsn1OCSPCertID reqCert;
+ NSS_CertExtension **extensions; // optional
+} SecAsn1OCSPRequest;
+
+extern const SecAsn1Template kSecAsn1OCSPRequestTemplate[];
+
+/*
+ * Signature ::= SEQUENCE {
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING,
+ * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL}
+ *
+ * Since we wish to avoid knowing anything about the details of the certs,
+ * we declare them here as ASN_ANY, get/set as raw data, and leave it to
+ * the CL to parse them.
+ */
+typedef struct {
+ SecAsn1AlgId algId;
+ SecAsn1Item sig; // length in BITS
+ SecAsn1Item **certs; // OPTIONAL
+} SecAsn1OCSPSignature;
+
+extern const SecAsn1Template kSecAsn1OCSPSignatureTemplate[];
+
+/*
+ * TBSRequest ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * requestorName [1] EXPLICIT GeneralName OPTIONAL,
+ * requestList SEQUENCE OF Request,
+ * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct {
+ SecAsn1Item *version; // OPTIONAL
+ NSS_GeneralName *requestorName; // OPTIONAL
+ SecAsn1OCSPRequest **requestList;
+ NSS_CertExtension **requestExtensions; // OPTIONAL
+} SecAsn1OCSPTbsRequest;
+
+extern const SecAsn1Template kSecAsn1OCSPTbsRequestTemplate[];
+
+/*
+ * OCSPRequest ::= SEQUENCE {
+ * tbsRequest TBSRequest,
+ * optionalSignature [0] EXPLICIT Signature OPTIONAL }
+ */
+typedef struct {
+ SecAsn1OCSPTbsRequest tbsRequest;
+ SecAsn1OCSPSignature *signature; // OPTIONAL
+} SecAsn1OCSPSignedRequest;
+
+extern const SecAsn1Template kSecAsn1OCSPSignedRequestTemplate[];
+
+// MARK: ----- OCSP Response -----
+
+/*
+ * CertStatus ::= CHOICE {
+ * good [0] IMPLICIT NULL,
+ * revoked [1] IMPLICIT RevokedInfo,
+ * unknown [2] IMPLICIT UnknownInfo }
+ *
+ * RevokedInfo ::= SEQUENCE {
+ * revocationTime GeneralizedTime,
+ * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+ *
+ * UnknownInfo ::= NULL -- this can be replaced with an enumeration
+ *
+ * See <Security/certextensions.h> for enum values of CE_CrlReason.
+ */
+typedef struct {
+ SecAsn1Item revocationTime;
+ SecAsn1Item *revocationReason; // OPTIONAL, CE_CrlReason
+} SecAsn1OCSPRevokedInfo;
+
+typedef union {
+ SecAsn1OCSPRevokedInfo *revokedInfo;
+ SecAsn1Item *nullData;
+} SecAsn1OCSPCertStatus;
+
+typedef enum {
+ CS_Good = 0,
+ CS_Revoked = 1,
+ CS_Unknown = 2,
+ CS_NotParsed = 0xff /* Not in protocol: means value not parsed or seen */
+} SecAsn1OCSPCertStatusTag;
+
+extern const SecAsn1Template kSecAsn1OCSPRevokedInfoTemplate[];
+
+/*
+ * Encode/decode CertStatus separately using one of these hree templates.
+ * The result goes into SecAsn1OCSPSingleResponse.certStatus on encode.
+ */
+extern const SecAsn1Template kSecAsn1OCSPCertStatusGoodTemplate[];
+extern const SecAsn1Template kSecAsn1OCSPCertStatusRevokedTemplate[];
+extern const SecAsn1Template kSecAsn1OCSPCertStatusUnknownTemplate[];
+
+/*
+ * SingleResponse ::= SEQUENCE {
+ * certID CertID,
+ * certStatus CertStatus,
+ * thisUpdate GeneralizedTime,
+ * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+ * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct {
+ SecAsn1OCSPCertID certID;
+ SecAsn1Item certStatus; // ASN_ANY here
+ SecAsn1Item thisUpdate; // GeneralizedTime
+ SecAsn1Item *nextUpdate; // GeneralizedTime, OPTIONAL
+ NSS_CertExtension **singleExtensions; // OPTIONAL
+} SecAsn1OCSPSingleResponse;
+
+extern const SecAsn1Template kSecAsn1OCSPSingleResponseTemplate[];
+
+/*
+ * ResponderID ::= CHOICE {
+ * byName EXPLICIT [1] Name,
+ * byKey EXPLICIT [2] KeyHash }
+ *
+ * Since our ASN.1 encoder/decoder can't handle CHOICEs very well, we encode
+ * this separately using one of the following two templates. On encode the
+ * result if this step of the encode goes into SecAsn1OCSPResponseData.responderID,
+ * where it's treated as an ANY_ANY when encoding that struct. The reverse happens
+ * on decode.
+ */
+typedef union {
+ SecAsn1Item byName;
+ SecAsn1Item byKey; // key hash in OCTET STRING
+} SecAsn1OCSPResponderID;
+
+typedef enum {
+ RIT_Name = 1,
+ RIT_Key = 2
+} SecAsn1OCSPResponderIDTag;
+
+extern const SecAsn1Template kSecAsn1OCSPResponderIDAsNameTemplate[];
+extern const SecAsn1Template kSecAsn1OCSPResponderIDAsKeyTemplate[];
+
+/*
+ * ResponseData ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * responderID ResponderID,
+ * producedAt GeneralizedTime,
+ * responses SEQUENCE OF SingleResponse,
+ * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct {
+ SecAsn1Item *version; // OPTIONAL
+ SecAsn1Item responderID; // ASN_ANY here, decode/encode separately
+ SecAsn1Item producedAt; // GeneralizedTime
+ SecAsn1OCSPSingleResponse **responses;
+ NSS_CertExtension **responseExtensions; // OPTIONAL
+} SecAsn1OCSPResponseData;
+
+extern const SecAsn1Template kSecAsn1OCSPResponseDataTemplate[];
+
+/*
+ * BasicOCSPResponse ::= SEQUENCE {
+ * tbsResponseData ResponseData,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING,
+ * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ *
+ * Since we ALWAYS encode the tbsResponseData in preparation for signing,
+ * we declare it as a raw ASN_ANY in the BasicOCSPResponse.
+ *
+ * Certs are likewise ASN_ANY since we use the CL to parse and create them.
+ */
+typedef struct {
+ SecAsn1Item tbsResponseData;
+ SecAsn1AlgId algId;
+ SecAsn1Item sig; // length in BITS
+ SecAsn1Item **certs; // optional
+} SecAsn1OCSPBasicResponse;
+
+extern const SecAsn1Template kSecAsn1OCSPBasicResponseTemplate[];
+
+/*
+ * ResponseBytes ::= SEQUENCE {
+ * responseType OBJECT IDENTIFIER,
+ * response OCTET STRING }
+ *
+ * The contents of response are actually an encoded SecAsn1OCSPBasicResponse (at
+ * least until another response type is defined).
+ */
+typedef struct {
+ SecAsn1Oid responseType;
+ SecAsn1Item response;
+} SecAsn1OCSPResponseBytes;
+
+extern const SecAsn1Template kSecAsn1OCSPResponseBytesTemplate[];
+
+/*
+ * OCSPResponse ::= SEQUENCE {
+ * responseStatus OCSPResponseStatus, -- an ENUM
+ * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+typedef struct {
+ SecAsn1Item responseStatus; // see enum below
+ SecAsn1OCSPResponseBytes *responseBytes; // optional
+} SecAsn1OCSPResponse;
+
+extern const SecAsn1Template kSecAsn1OCSPResponseTemplate[];
+
+typedef enum {
+ RS_Success = 0,
+ RS_MalformedRequest = 1,
+ RS_InternalError = 2,
+ RS_TryLater = 3,
+ RS_Unused = 4,
+ RS_SigRequired = 5,
+ RS_Unauthorized = 6
+} SecAsn1OCSPResponseStatus;
+
+/*
+ * This is not part of the OCSP protocol; it's used in the communication between
+ * the Apple X.509 TP module and the ocspd server.
+ *
+ * OCSPDRequest ::= SEQUENCE {
+ * cacheWriteDisable :: = EXPLICIT [0] BOOL OPTIONAL; -- cache write disable
+ * -- default FALSE
+ * cacheWriteDisable :: = EXPLICIT [1] BOOL OPTIONAL; -- cache read disable
+ * -- default FALSE
+ * certID ::= OCTET STRING; -- for cache lookup
+ * ocspReq ::= EXPLICIT [2] OCTET STRING OPTIONAL; -- for net fetch
+ * localResp ::= EXPLICIT [3] IA5String OPTIONAL; -- for local responder
+ * urls ::= EXPLICIT [4] SEQUENCE of IA5String OPTIONAL;
+ * -- for normal net fetch
+ * };
+ */
+
+#define OCSPD_REQUEST_VERS 0
+
+typedef struct {
+ SecAsn1Item *cacheWriteDisable;
+ SecAsn1Item *cacheReadDisable;
+ SecAsn1Item certID; // DER encoded SecAsn1OCSPCertID
+ SecAsn1Item *ocspReq; // DER encoded SecAsn1OCSPSignedRequest
+ SecAsn1Item *localRespURI; // local responder URI
+ SecAsn1Item **urls; // normal URIs
+
+} SecAsn1OCSPDRequest;
+
+/*
+ * And this is a sequence of them, packaged up and sent to ocspd in one RPC.
+ */
+typedef struct {
+ SecAsn1Item version; // OCSPD_REQUEST_VERS
+ SecAsn1OCSPDRequest **requests;
+} SecAsn1OCSPDRequests;
+
+extern const SecAsn1Template kSecAsn1OCSPDRequestTemplate[];
+extern const SecAsn1Template kSecAsn1OCSPDRequestsTemplate[];
+
+/*
+ * Unordered set of replies from ocsdp; they map back to individual
+ * SecAsn1OCSPDRequests by the encoded certID (which is obtained from the
+ * SecAsn1OCSPDRequest, NOT from the OCSP response).
+ */
+typedef struct {
+ SecAsn1Item certID; // DER encoded SecAsn1OCSPCertID
+ SecAsn1Item ocspResp; // DER encoded SecAsn1OCSPResponse
+} SecAsn1OCSPDReply;
+
+#define OCSPD_REPLY_VERS 0
+
+typedef struct {
+ SecAsn1Item version; // OCSPD_REPLY_VERS
+ SecAsn1OCSPDReply **replies;
+} SecAsn1OCSPReplies;
+
+extern const SecAsn1Template kSecAsn1OCSPDReplyTemplate[];
+extern const SecAsn1Template kSecAsn1OCSPDRepliesTemplate[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _OCSP_TEMPLATES_H_ */
projects / apple / security.git / blobdiff