1/* ocsp.h */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
   This file was transferred to Richard Levitte from CertCo by Kathy
7   Weinhold in mid-spring 2000 to be included in OpenSSL or released
8   as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 *    notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 *    notice, this list of conditions and the following disclaimer in
22 *    the documentation and/or other materials provided with the
23 *    distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 *    software must display the following acknowledgment:
27 *    "This product includes software developed by the OpenSSL Project
28 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 *    endorse or promote products derived from this software without
32 *    prior written permission. For written permission, please contact
33 *    openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 *    nor may "OpenSSL" appear in their names without prior written
37 *    permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 *    acknowledgment:
41 *    "This product includes software developed by the OpenSSL Project
42 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com).  This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#ifndef HEADER_OCSP_H
65#define HEADER_OCSP_H
66
67#include <openssl/ossl_typ.h>
68#include <openssl/x509.h>
69#include <openssl/x509v3.h>
70#include <openssl/safestack.h>
71
72#ifdef  __cplusplus
73extern "C" {
74#endif
75
76/* Various flags and values */
77
/* Default nonce length in bytes; presumably what OCSP_request_add1_nonce()
 * and OCSP_basic_add1_nonce() (declared below) use when the caller gives no
 * explicit length -- confirm in the implementation. */
#define OCSP_DEFAULT_NONCE_LENGTH	16

/* Bit flags for the "unsigned long flags" argument of OCSP_request_sign(),
 * OCSP_basic_sign(), OCSP_request_verify() and OCSP_basic_verify() below;
 * OR them together.  This header does not define what each flag does.  From
 * the names, every OCSP_NO* flag appears to switch off one signing or
 * verification step and OCSP_TRUSTOTHER to accept the caller-supplied
 * certificates without building a chain, so a verifier should set one only
 * when it knows which check it gives up.  OCSP_RESPID_KEY and OCSP_NOTIME
 * look like responder-side options (responder-ID form, time fields).
 * NOTE(review): confirm each flag's effect against the implementation. */
#define OCSP_NOCERTS			0x1
#define OCSP_NOINTERN			0x2
#define OCSP_NOSIGS			0x4
#define OCSP_NOCHAIN			0x8
#define OCSP_NOVERIFY			0x10
#define OCSP_NOEXPLICIT			0x20
#define OCSP_NOCASIGN			0x40
#define OCSP_NODELEGATED		0x80
#define OCSP_NOCHECKS			0x100
#define OCSP_TRUSTOTHER			0x200
#define OCSP_RESPID_KEY			0x400
#define OCSP_NOTIME			0x800
92
93#ifdef OPENSSL_SYS_WIN32
94  /* Under Win32 these are defined in wincrypt.h */
95#undef OCSP_REQUEST
96#undef X509_NAME
97#undef OCSP_RESPONSE
98#endif
99
/*   CertID ::= SEQUENCE {
 *       hashAlgorithm            AlgorithmIdentifier,
 *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
 *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
 *       serialNumber       CertificateSerialNumber }
 */
/* Identifies the certificate an OCSP request or single response is about.
 * Per the ASN.1 above the two OCTET STRINGs are digests of the issuer's DN
 * and public key computed with hashAlgorithm.  Build one with
 * OCSP_cert_to_id() or OCSP_cert_id_new(), compare with OCSP_id_cmp() /
 * OCSP_id_issuer_cmp(), and read the parts back with OCSP_id_get0_info()
 * (all declared below). */
typedef struct ocsp_cert_id_st
	{
	X509_ALGOR *hashAlgorithm;	/* digest algorithm used for the two hashes */
	ASN1_OCTET_STRING *issuerNameHash;	/* hash of the issuer's DN */
	ASN1_OCTET_STRING *issuerKeyHash;	/* hash of the issuer's public key bits */
	ASN1_INTEGER *serialNumber;	/* serial number of the certificate queried */
	} OCSP_CERTID;
113
114DECLARE_STACK_OF(OCSP_CERTID)
115
/*   Request ::=     SEQUENCE {
 *       reqCert                    CertID,
 *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
 */
/* One entry of a request's requestList: the certificate asked about plus
 * its per-entry extensions.  Created by OCSP_request_add0_id(); the
 * OCSP_ONEREQ_*_ext() functions below presumably operate on
 * singleRequestExtensions. */
typedef struct ocsp_one_request_st
	{
	OCSP_CERTID *reqCert;
	STACK_OF(X509_EXTENSION) *singleRequestExtensions;	/* OPTIONAL in the ASN.1; presumably NULL when absent */
	} OCSP_ONEREQ;
125
126DECLARE_STACK_OF(OCSP_ONEREQ)
127DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
128
129
/*   TBSRequest      ::=     SEQUENCE {
 *       version             [0] EXPLICIT Version DEFAULT v1,
 *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
 *       requestList             SEQUENCE OF Request,
 *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
 */
/* The to-be-signed part of an OCSP request.  The OCSP_REQUEST_sign() /
 * OCSP_REQUEST_verify() macros below run ASN1_item_sign/verify over exactly
 * this item, so every field here is covered by the request signature and
 * nothing outside it is. */
typedef struct ocsp_req_info_st
	{
	ASN1_INTEGER *version;	/* DEFAULT v1 in the ASN.1 */
	GENERAL_NAME *requestorName;	/* OPTIONAL; set with OCSP_request_set1_name() */
	STACK_OF(OCSP_ONEREQ) *requestList;
	STACK_OF(X509_EXTENSION) *requestExtensions;	/* OPTIONAL; presumably where OCSP_request_add1_nonce() puts the nonce */
	} OCSP_REQINFO;
143
/*   Signature       ::=     SEQUENCE {
 *       signatureAlgorithm   AlgorithmIdentifier,
 *       signature            BIT STRING,
 *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
/* Signature over a TBSRequest plus an optional bag of certificates that a
 * verifier may use to build the signer's chain.  Certificates found here
 * come from the requester and prove nothing by themselves. */
typedef struct ocsp_signature_st
	{
	X509_ALGOR *signatureAlgorithm;
	ASN1_BIT_STRING *signature;
	STACK_OF(X509) *certs;	/* OPTIONAL; presumably filled by OCSP_request_add1_cert() */
	} OCSP_SIGNATURE;
155
/*   OCSPRequest     ::=     SEQUENCE {
 *       tbsRequest                  TBSRequest,
 *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
 */
/* A complete OCSP request.  optionalSignature is presumably NULL for an
 * unsigned request (see OCSP_request_is_signed() below).  Note that the
 * OCSP_REQUEST_sign() / OCSP_REQUEST_verify() macros dereference it without
 * a NULL check. */
typedef struct ocsp_request_st
	{
	OCSP_REQINFO *tbsRequest;
	OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
	} OCSP_REQUEST;
165
/*   OCSPResponseStatus ::= ENUMERATED {
 *       successful            (0),      --Response has valid confirmations
 *       malformedRequest      (1),      --Illegal confirmation request
 *       internalError         (2),      --Internal error in issuer
 *       tryLater              (3),      --Try again later
 *                                       --(4) is not used
 *       sigRequired           (5),      --Must sign the request
 *       unauthorized          (6)       --Request unauthorized
 *   }
 */
/* Values of OCSPResponse.responseStatus; presumably what
 * OCSP_response_status() (below) returns and what OCSP_response_create()
 * takes.  Value 4 is deliberately unassigned in the ASN.1, hence no macro.
 * OCSP_response_status_str() maps a value to its name. */
#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
#define OCSP_RESPONSE_STATUS_TRYLATER             3
#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
182
/*   ResponseBytes ::=       SEQUENCE {
 *       responseType   OBJECT IDENTIFIER,
 *       response       OCTET STRING }
 */
/* Type-tagged response payload: responseType is an OID naming the encoding
 * of the DER blob held in response.  OCSP_response_get1_basic() (below) is
 * presumably the decoder for the basic-response type; the
 * OCSP_R_NOT_BASIC_RESPONSE reason code suggests other types are rejected. */
typedef struct ocsp_resp_bytes_st
	{
	ASN1_OBJECT *responseType;
	ASN1_OCTET_STRING *response;	/* DER of the inner response; untrusted until verified */
	} OCSP_RESPBYTES;
192
/*   OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 */
/* Outer OCSP response.  Not typedef'd here: the OCSP_RESPONSE name is
 * presumably supplied by <openssl/ossl_typ.h> (it is #undef'd above on
 * Win32 because wincrypt.h defines the same identifier).  responseBytes is
 * OPTIONAL and presumably absent unless responseStatus is successful. */
struct ocsp_response_st
	{
	ASN1_ENUMERATED *responseStatus;	/* one of OCSP_RESPONSE_STATUS_* */
	OCSP_RESPBYTES  *responseBytes;	/* OPTIONAL; may be NULL */
	};
202
/*   ResponderID ::= CHOICE {
 *      byName   [1] Name,
 *      byKey    [2] KeyHash }
 */
/* Tagged union for the CHOICE: type selects which member of value is valid,
 * V_OCSP_RESPID_NAME -> value.byName, V_OCSP_RESPID_KEY -> value.byKey.
 * These discriminator values are unrelated to the OCSP_RESPID_KEY bit flag
 * defined above.  The OCSP_RESPID typedef is not in this header (presumably
 * <openssl/ossl_typ.h>). */
#define V_OCSP_RESPID_NAME 0
#define V_OCSP_RESPID_KEY  1
struct ocsp_responder_id_st
	{
	int type;	/* V_OCSP_RESPID_NAME or V_OCSP_RESPID_KEY */
	union   {
		X509_NAME* byName;	/* valid when type == V_OCSP_RESPID_NAME */
        	ASN1_OCTET_STRING *byKey;	/* valid when type == V_OCSP_RESPID_KEY; a KeyHash, see below */
		} value;
	};
217
218DECLARE_STACK_OF(OCSP_RESPID)
219DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
220
221/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
222 *                            --(excluding the tag and length fields)
223 */
224
/*   RevokedInfo ::= SEQUENCE {
 *       revocationTime              GeneralizedTime,
 *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 */
/* Payload of the "revoked" CertStatus alternative.  revocationReason is
 * OPTIONAL; when present its value is one of the CRLReason codes listed
 * with the OCSP_REVOKED_STATUS_* macros further down. */
typedef struct ocsp_revoked_info_st
	{
	ASN1_GENERALIZEDTIME *revocationTime;
	ASN1_ENUMERATED *revocationReason;	/* OPTIONAL; presumably NULL when absent */
	} OCSP_REVOKEDINFO;
234
/*   CertStatus ::= CHOICE {
 *       good                [0]     IMPLICIT NULL,
 *       revoked             [1]     IMPLICIT RevokedInfo,
 *       unknown             [2]     IMPLICIT UnknownInfo }
 */
/* Tagged union for the CHOICE: type selects the valid member of value.
 * "good" and "unknown" carry no data (ASN1_NULL); only "revoked" has a
 * payload.  OCSP_single_get0_status() / OCSP_resp_find_status() below
 * presumably report type as their *status out-parameter.  Note that
 * "unknown" is not "good": the responder has no information, so a client
 * must not treat it as a passing result. */
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2
typedef struct ocsp_cert_status_st
	{
	int type;	/* one of V_OCSP_CERTSTATUS_* */
	union	{
		ASN1_NULL *good;	/* type == V_OCSP_CERTSTATUS_GOOD */
		OCSP_REVOKEDINFO *revoked;	/* type == V_OCSP_CERTSTATUS_REVOKED */
		ASN1_NULL *unknown;	/* type == V_OCSP_CERTSTATUS_UNKNOWN */
		} value;
	} OCSP_CERTSTATUS;
252
/*   SingleResponse ::= SEQUENCE {
 *      certID                       CertID,
 *      certStatus                   CertStatus,
 *      thisUpdate                   GeneralizedTime,
 *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
 */
/* Status of one certificate inside a basic response.  thisUpdate/nextUpdate
 * form the freshness window that OCSP_check_validity() (below) evaluates;
 * nextUpdate is OPTIONAL and may be NULL.  The field is spelled certId
 * although the ASN.1 says certID. */
typedef struct ocsp_single_response_st
	{
	OCSP_CERTID *certId;
	OCSP_CERTSTATUS *certStatus;
	ASN1_GENERALIZEDTIME *thisUpdate;
	ASN1_GENERALIZEDTIME *nextUpdate;	/* OPTIONAL; presumably NULL when absent */
	STACK_OF(X509_EXTENSION) *singleExtensions;	/* OPTIONAL */
	} OCSP_SINGLERESP;
268
269DECLARE_STACK_OF(OCSP_SINGLERESP)
270DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
271
/*   ResponseData ::= SEQUENCE {
 *      version              [0] EXPLICIT Version DEFAULT v1,
 *      responderID              ResponderID,
 *      producedAt               GeneralizedTime,
 *      responses                SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 */
/* The to-be-signed body of a basic response.  The OCSP_BASICRESP_sign() /
 * OCSP_BASICRESP_verify() macros below run ASN1_item_sign/verify over
 * exactly this item, so responder identity, producedAt, every single
 * response and the response extensions (including any nonce) are all
 * under the signature. */
typedef struct ocsp_response_data_st
	{
	ASN1_INTEGER *version;	/* DEFAULT v1 in the ASN.1 */
	OCSP_RESPID  *responderId;
	ASN1_GENERALIZEDTIME *producedAt;
	STACK_OF(OCSP_SINGLERESP) *responses;
	STACK_OF(X509_EXTENSION) *responseExtensions;	/* OPTIONAL; presumably where OCSP_basic_add1_nonce() puts the nonce */
	} OCSP_RESPDATA;
287
/*   BasicOCSPResponse       ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
 *      signatureAlgorithm   AlgorithmIdentifier,
 *      signature            BIT STRING,
 *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
  /* Note 1:
     The value for "signature" is specified in the OCSP rfc2560 as follows:
     "The value for the signature SHALL be computed on the hash of the DER
     encoding ResponseData."  This means that you must hash the DER-encoded
     tbsResponseData, and then run it through a crypto-signing function, which
     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
     a bit odd, but that's the spec.  Also note that the data structures do not
     leave anywhere to independently specify the algorithm used for the initial
     hash. So, we look at the signature-specification algorithm, and try to do
     something intelligent.	-- Kathy Weinhold, CertCo */
  /* Note 2:
     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
     for interpretation.  I've done tests against another responder, and found
     that it doesn't do the double hashing that the RFC seems to say one
     should.  Therefore, all relevant functions take a flag saying which
     variant should be used.	-- Richard Levitte, OpenSSL team and CeloCom */
/* Signed basic response.  signature covers tbsResponseData only (see Note 1
 * and the OCSP_BASICRESP_sign/verify macros below); certs is OPTIONAL and
 * presumably carries the responder's certificate and chain for
 * OCSP_basic_verify() -- like any certificate bag received over the wire
 * it is untrusted input until that verification succeeds.  NOTE(review):
 * the flag described in Note 2 is not consulted by the sign/verify macros
 * in this header. */
typedef struct ocsp_basic_response_st
	{
	OCSP_RESPDATA *tbsResponseData;
	X509_ALGOR *signatureAlgorithm;
	ASN1_BIT_STRING *signature;	/* over the DER of tbsResponseData */
	STACK_OF(X509) *certs;	/* OPTIONAL; presumably filled by OCSP_basic_add1_cert() */
	} OCSP_BASICRESP;
317
/*
 *   CRLReason ::= ENUMERATED {
 *        unspecified             (0),
 *        keyCompromise           (1),
 *        cACompromise            (2),
 *        affiliationChanged      (3),
 *        superseded              (4),
 *        cessationOfOperation    (5),
 *        certificateHold         (6),
 *        removeFromCRL           (8) }
 */
/* Reason codes carried in RevokedInfo.revocationReason and reported via the
 * *reason out-parameters of OCSP_single_get0_status() /
 * OCSP_resp_find_status() and taken by OCSP_basic_add1_status().  All but
 * OCSP_REVOKED_STATUS_NOSTATUS are the CRLReason values above;
 * OCSP_REVOKED_STATUS_NOSTATUS (-1) is a local sentinel, presumably meaning
 * "no reason present", and is not a valid CRLReason on the wire.  Value 7
 * is unassigned in the ASN.1 and has no macro.  OCSP_crl_reason_str() maps
 * a value to its name. */
#define OCSP_REVOKED_STATUS_NOSTATUS               -1
#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
#define OCSP_REVOKED_STATUS_SUPERSEDED              4
#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
338
/* CrlID ::= SEQUENCE {
 *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
 *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
 *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
 */
/* Payload of the CrlID extension (built by OCSP_crlID_new() below).  All
 * three fields are OPTIONAL, so each may be NULL independently. */
typedef struct ocsp_crl_id_st
        {
	ASN1_IA5STRING *crlUrl;	/* OPTIONAL */
	ASN1_INTEGER *crlNum;	/* OPTIONAL */
	ASN1_GENERALIZEDTIME *crlTime;	/* OPTIONAL */
        } OCSP_CRLID;
350
/* ServiceLocator ::= SEQUENCE {
 *      issuer    Name,
 *      locator   AuthorityInfoAccessSyntax OPTIONAL }
 */
/* Payload of the ServiceLocator extension (built by OCSP_url_svcloc_new()
 * below): the issuer name plus an OPTIONAL list of access descriptions. */
typedef struct ocsp_service_locator_st
        {
	X509_NAME* issuer;
	STACK_OF(ACCESS_DESCRIPTION) *locator;	/* OPTIONAL; presumably NULL when absent */
        } OCSP_SERVICELOC;
360
/* PEM armour labels ("-----BEGIN OCSP REQUEST-----" etc.) used by the
 * PEM_read_bio_OCSP_* / PEM_write_bio_OCSP_* macros below. */
#define PEM_STRING_OCSP_REQUEST	"OCSP REQUEST"
#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
363
/* BIO and PEM encode/decode helpers.
 *
 * The d2i_*_bio / i2d_*_bio macros go through the type-generic
 * ASN1_d2i_bio_of / ASN1_i2d_bio_of wrappers.  The PEM_* macros call the
 * legacy PEM_ASN1_read_bio / PEM_ASN1_write_bio with the d2i/i2d functions
 * cast to the old "char *(*)()" / "int (*)()" shapes; those casts defeat
 * the compiler's check of the callback signature, so rely on the declared
 * prototypes of d2i_OCSP_* / i2d_OCSP_* rather than on these casts when
 * reading the code.  The decoders parse untrusted input and presumably
 * return NULL on failure -- always check the result, and remember that a
 * successfully decoded response is still unverified. */
#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)

#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)

#define	PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)

#define	PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)

#define PEM_write_bio_OCSP_REQUEST(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
			bp,(char *)o, NULL,NULL,0,NULL,NULL)

#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
			bp,(char *)o, NULL,NULL,0,NULL,NULL)

#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)

#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
385
/* Low-level signing and verification helpers built on ASN1_item_sign() /
 * ASN1_item_verify().
 *
 * OCSP_REQUEST_sign() / OCSP_REQUEST_verify() dereference
 * o->optionalSignature unconditionally.  That field is OPTIONAL (NULL for an
 * unsigned request), so the caller must make sure it is present first --
 * OCSP_request_is_signed() below exists for that check on the verify side.
 *
 * OCSP_BASICRESP_sign(o,pkey,md,d) and OCSP_BASICRESP_verify(a,r,d) take an
 * extra argument d that their expansions do not use (compare the macro
 * bodies); the hashing-variant flag described in Note 2 above therefore has
 * no effect through these macros.
 *
 * OCSP_REQUEST_verify() and OCSP_BASICRESP_verify() only check the signature
 * over tbsRequest / tbsResponseData against the key r that the caller
 * supplies.  They say nothing about whether r belongs to a party entitled
 * to sign that response; that is the job of OCSP_basic_verify() /
 * OCSP_request_verify() declared further down. */
#define OCSP_REQUEST_sign(o,pkey,md) \
	ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
		o->optionalSignature->signatureAlgorithm,NULL,\
	        o->optionalSignature->signature,o->tbsRequest,pkey,md)

#define OCSP_BASICRESP_sign(o,pkey,md,d) \
	ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
		o->signature,o->tbsResponseData,pkey,md)

#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
        a->optionalSignature->signatureAlgorithm,\
	a->optionalSignature->signature,a->tbsRequest,r)

#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
	a->signatureAlgorithm,a->signature,a->tbsResponseData,r)

/* Digest of an ASN1_BIT_STRING's DER encoding with digest type into md/len. */
#define ASN1_BIT_STRING_digest(data,type,md,len) \
	ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)

/* Deep copy of an OCSP_CERTSTATUS via an i2d/d2i round trip (legacy
 * function-pointer casts as in the PEM macros above); the caller
 * presumably owns the result. */
#define OCSP_CERTSTATUS_dup(cs)\
                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
		(char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
408
/* Deep copy of id; the caller presumably owns and must free the result. */
OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);

/* HTTP transport.  OCSP_sendreq_bio() sends req over the already-connected
 * BIO b to path and blocks until a response is decoded (NULL on failure,
 * presumably).  The non-blocking form is OCSP_sendreq_new() followed by
 * repeated OCSP_sendreq_nbio() until it stops asking for a retry, then
 * OCSP_REQ_CTX_free(); NOTE(review): OCSP_sendreq_nbio()'s int return is
 * presumably tri-state (done / retry / error) -- check the implementation
 * before treating it as a boolean.  maxline presumably bounds the HTTP
 * header line length the parser accepts.  Whatever comes back is network
 * input: run OCSP_basic_verify(), OCSP_check_nonce() and
 * OCSP_check_validity() on it before trusting any status. */
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
								int maxline);
int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
/* Replace the request held by rctx ("set1": rctx keeps its own reference,
 * by OpenSSL naming convention -- confirm) and add an extra HTTP header. */
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
		const char *name, const char *value);
419
/* Build a CertID for subject, hashing issuer's name and public key with
 * dgst (OCSP_cert_id_new() does the same from the raw issuer name, key bits
 * and serial number).  Both presumably return NULL on failure. */
OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);

OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
			      X509_NAME *issuerName,
			      ASN1_BIT_STRING* issuerKey,
			      ASN1_INTEGER *serialNumber);

/* Append cid to req's requestList and return the new entry.  By OpenSSL's
 * "add0" naming, ownership of cid passes to req and the caller must not
 * free it -- confirm in the implementation. */
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);

/* Nonce handling (the replay-protection link between a request and its
 * response).  The add1_nonce functions add a nonce extension, presumably
 * copying val when it is non-NULL and otherwise generating len bytes (or
 * OCSP_DEFAULT_NONCE_LENGTH) -- confirm.  OCSP_check_nonce() compares the
 * nonces in req and bs; NOTE(review): its int return presumably encodes
 * more than match/mismatch (a nonce missing on one side is a distinct
 * case), so consult the implementation's return values rather than
 * treating nonzero as "ok".  OCSP_copy_nonce() is for a responder copying
 * the request nonce into the response it builds. */
int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);

/* Set the requestorName of req (set1: req keeps its own copy, by naming
 * convention) and add a certificate to the request's signature cert bag. */
int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
436
/* Sign req with key, identifying the signer by the certificate signer and
 * digesting with dgst.  certs are presumably added to the signature's cert
 * bag and flags are the OCSP_* bits above (OCSP_NOCERTS by its name would
 * suppress that).  Presumably returns 1 on success, 0 on error. */
int OCSP_request_sign(OCSP_REQUEST   *req,
		      X509           *signer,
		      EVP_PKEY       *key,
		      const EVP_MD   *dgst,
		      STACK_OF(X509) *certs,
		      unsigned long flags);

/* Outer response status (one of OCSP_RESPONSE_STATUS_*, presumably) and
 * extraction of the basic response.  "get1": the returned OCSP_BASICRESP is
 * a separate object the caller must free -- confirm.  Decoding succeeds
 * without any verification having taken place. */
int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);

/* Reading single responses out of a basic response.  OCSP_resp_find()
 * presumably returns the index of the entry matching id, searching after
 * index last (-1 to start at the beginning), or a negative value when none
 * is found -- confirm.  The two *_status() functions write the status (a
 * V_OCSP_CERTSTATUS_* value, presumably), the revocation reason
 * (OCSP_REVOKED_STATUS_*) and the timestamps through the out pointers;
 * "get0" means the returned pointers alias the response and are valid only
 * while bs/single lives.  Whether an out pointer may be NULL is not stated
 * here -- confirm before passing NULL. */
int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
				ASN1_GENERALIZEDTIME **revtime,
				ASN1_GENERALIZEDTIME **thisupd,
				ASN1_GENERALIZEDTIME **nextupd);
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
				int *reason,
				ASN1_GENERALIZEDTIME **revtime,
				ASN1_GENERALIZEDTIME **thisupd,
				ASN1_GENERALIZEDTIME **nextupd);

/* Freshness check of a single response's thisUpdate/nextUpdate against the
 * current time.  By their names sec is a tolerated clock skew and maxsec a
 * maximum age accepted for thisUpdate when nextUpdate is absent -- confirm
 * the exact rule (and the meaning of a negative maxsec) in the
 * implementation.  The OCSP_R_STATUS_EXPIRED / _NOT_YET_VALID / _TOO_OLD
 * and OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE reason codes below presumably
 * describe its failure modes.  A status that fails this check must not be
 * relied on even if the signature verified. */
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
			ASN1_GENERALIZEDTIME *nextupd,
			long sec, long maxsec);
462
/* Verify a signed request: the signature over tbsRequest and the signer's
 * chain against store (certs are extra untrusted certificates to help
 * chain building), subject to the OCSP_* flags above.  The
 * OCSP_R_REQUEST_NOT_SIGNED reason code below suggests an unsigned request
 * fails rather than passing vacuously.  Presumably returns 1 on success. */
int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);

/* Split url into host, port, path and an "is https" flag.  The three
 * strings are presumably newly allocated and owned by the caller -- confirm
 * who frees them and whether they are set on failure.  url is untrusted
 * text; OCSP_R_ERROR_PARSING_URL below is presumably its error code. */
int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);

/* CertID comparison.  From the names, issuer_cmp compares the hash
 * algorithm and the two issuer hashes only and id_cmp the serial number as
 * well; both presumably return 0 when equal. */
int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);

/* Request introspection: number of entries, the i-th OCSP_ONEREQ and its
 * CertID (get0: borrowed pointers, valid while req lives), the parts of a
 * CertID (the out pointers alias cid; pmd receives the digest OID), and
 * whether optionalSignature is present. */
int OCSP_request_onereq_count(OCSP_REQUEST *req);
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
			ASN1_OCTET_STRING **pikeyHash,
			ASN1_INTEGER **pserial, OCSP_CERTID *cid);
int OCSP_request_is_signed(OCSP_REQUEST *req);

/* Responder side.  OCSP_response_create() wraps bs (which may presumably
 * be NULL for a non-successful status) in an outer response with status
 * from OCSP_RESPONSE_STATUS_*.  OCSP_basic_add1_status() appends a single
 * response for cid with status (V_OCSP_CERTSTATUS_*), reason
 * (OCSP_REVOKED_STATUS_*; presumably only meaningful when revoked) and
 * the three times -- "add1" suggests the times are copied; confirm.
 * OCSP_basic_add1_cert() adds to the response's cert bag and
 * OCSP_basic_sign() signs tbsResponseData with key as signer, flags being
 * the OCSP_* bits above. */
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
						OCSP_CERTID *cid,
						int status, int reason,
						ASN1_TIME *revtime,
					ASN1_TIME *thisupd, ASN1_TIME *nextupd);
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
int OCSP_basic_sign(OCSP_BASICRESP *brsp,
			X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
			STACK_OF(X509) *certs, unsigned long flags);
487
/* Constructors for OCSP extensions: CrlID (see OCSP_CRLID above),
 * AcceptableResponses, ArchiveCutoff and ServiceLocator (see
 * OCSP_SERVICELOC).  Each returns a new X509_EXTENSION the caller
 * presumably owns, or NULL on failure.  oids and urls are presumably
 * NULL-terminated arrays of C strings, n an optional CRL number (NULL to
 * omit) and tim a time in whatever textual format the implementation
 * parses -- none of that is fixed by this header. */
X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);

X509_EXTENSION *OCSP_accept_responses_new(char **oids);

X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);

X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
495
/* Extension accessors for OCSP_REQUEST (presumably its
 * tbsRequest->requestExtensions), mirroring the X509 extension API: the
 * get_ext_by_* searches start after index lastpos (-1 to begin at the
 * start, by that API's convention) and return the index or a negative
 * value; get_ext returns a borrowed pointer; delete_ext removes and
 * returns the extension at loc; get1_ext_d2i decodes the extension with
 * the given nid into a newly allocated object, reporting criticality and
 * index through crit/idx; add1_ext_i2d encodes value and appends it;
 * add_ext inserts a copy of ex at loc.  Semantics are those of the
 * corresponding X509 functions -- confirm in the implementation. */
int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
							unsigned long flags);
int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
506
/* Extension accessors for OCSP_ONEREQ (presumably its
 * singleRequestExtensions).  Same shape and conventions as the X509
 * extension API: lastpos is the index to search after (-1 to start from
 * the beginning), get_ext borrows, delete_ext returns the removed
 * extension, get1_ext_d2i returns a newly allocated decoded value,
 * add1_ext_i2d encodes and appends, add_ext inserts a copy at loc --
 * confirm against the implementation. */
int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
							unsigned long flags);
int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
517
/* Extension accessors for OCSP_BASICRESP (presumably its
 * tbsResponseData->responseExtensions, i.e. the signed part of the
 * response).  Same shape and conventions as the X509 extension API:
 * lastpos is the index to search after (-1 to start from the beginning),
 * get_ext borrows, delete_ext returns the removed extension, get1_ext_d2i
 * returns a newly allocated decoded value, add1_ext_i2d encodes and
 * appends, add_ext inserts a copy at loc -- confirm against the
 * implementation.  Modifying these after signing invalidates the
 * signature. */
int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
							unsigned long flags);
int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
528
/* Extension accessors for OCSP_SINGLERESP (presumably its
 * singleExtensions).  Same shape and conventions as the X509 extension
 * API: lastpos is the index to search after (-1 to start from the
 * beginning), get_ext borrows, delete_ext returns the removed extension,
 * get1_ext_d2i returns a newly allocated decoded value, add1_ext_i2d
 * encodes and appends, add_ext inserts a copy at loc -- confirm against
 * the implementation. */
int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
							unsigned long flags);
int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
539
/* Standard ASN.1 prototypes for every OCSP type: presumably the _new/_free
 * pair, d2i_/i2d_ and the ASN1_ITEM that the ASN1_ITEM_rptr() uses in the
 * sign/verify macros above rely on.  The d2i_* decoders are where untrusted
 * DER from the network or a file enters; decoding is not verification.
 * DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) is also emitted next to its struct
 * above; the repeat here is a harmless redeclaration. */
DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
555
/* Human-readable names for the OCSP_RESPONSE_STATUS_*, V_OCSP_CERTSTATUS_*
 * and OCSP_REVOKED_STATUS_* values above (static strings, presumably; not
 * to be freed). */
const char *OCSP_response_status_str(long s);
const char *OCSP_cert_status_str(long s);
const char *OCSP_crl_reason_str(long s);

/* Pretty-printers to bp; flags are presumably the X509 print flags.  They
 * print the message as parsed, whether or not it has been verified. */
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);

/* Verify a basic response: the signature over tbsResponseData, that the
 * signer is entitled to answer for these certificates (the
 * OCSP_F_OCSP_CHECK_ISSUER / _CHECK_DELEGATED function codes below and the
 * OCSP_NOCASIGN / OCSP_NODELEGATED flags above suggest issuer-signed and
 * delegated-responder cases) and the chain to the trust store st, with
 * certs as extra untrusted certificates.  The OCSP_NO* and OCSP_TRUSTOTHER
 * flags remove individual checks.  This is the call that makes a
 * response's contents trustworthy; nonce (OCSP_check_nonce) and freshness
 * (OCSP_check_validity) are checked separately.  Presumably returns 1 on
 * success and 0 or a negative value on failure -- confirm. */
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
				X509_STORE *st, unsigned long flags);
565
566/* BEGIN ERROR CODES */
567/* The following lines are auto generated by the script mkerr.pl. Any changes
568 * made after this point may be overwritten when the script is next run.
569 */
570void ERR_load_OCSP_strings(void);
571
572/* Error codes for the OCSP functions. */
573
574/* Function codes. */
575#define OCSP_F_ASN1_STRING_ENCODE			 100
576#define OCSP_F_D2I_OCSP_NONCE				 102
577#define OCSP_F_OCSP_BASIC_ADD1_STATUS			 103
578#define OCSP_F_OCSP_BASIC_SIGN				 104
579#define OCSP_F_OCSP_BASIC_VERIFY			 105
580#define OCSP_F_OCSP_CERT_ID_NEW				 101
581#define OCSP_F_OCSP_CHECK_DELEGATED			 106
582#define OCSP_F_OCSP_CHECK_IDS				 107
583#define OCSP_F_OCSP_CHECK_ISSUER			 108
584#define OCSP_F_OCSP_CHECK_VALIDITY			 115
585#define OCSP_F_OCSP_MATCH_ISSUERID			 109
586#define OCSP_F_OCSP_PARSE_URL				 114
587#define OCSP_F_OCSP_REQUEST_SIGN			 110
588#define OCSP_F_OCSP_REQUEST_VERIFY			 116
589#define OCSP_F_OCSP_RESPONSE_GET1_BASIC			 111
590#define OCSP_F_OCSP_SENDREQ_BIO				 112
591#define OCSP_F_OCSP_SENDREQ_NBIO			 117
592#define OCSP_F_PARSE_HTTP_LINE1				 118
593#define OCSP_F_REQUEST_VERIFY				 113
594
595/* Reason codes. */
596#define OCSP_R_BAD_DATA					 100
597#define OCSP_R_CERTIFICATE_VERIFY_ERROR			 101
598#define OCSP_R_DIGEST_ERR				 102
599#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD		 122
600#define OCSP_R_ERROR_IN_THISUPDATE_FIELD		 123
601#define OCSP_R_ERROR_PARSING_URL			 121
602#define OCSP_R_MISSING_OCSPSIGNING_USAGE		 103
603#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE		 124
604#define OCSP_R_NOT_BASIC_RESPONSE			 104
605#define OCSP_R_NO_CERTIFICATES_IN_CHAIN			 105
606#define OCSP_R_NO_CONTENT				 106
607#define OCSP_R_NO_PUBLIC_KEY				 107
608#define OCSP_R_NO_RESPONSE_DATA				 108
609#define OCSP_R_NO_REVOKED_TIME				 109
610#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 110
611#define OCSP_R_REQUEST_NOT_SIGNED			 128
612#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA	 111
613#define OCSP_R_ROOT_CA_NOT_TRUSTED			 112
614#define OCSP_R_SERVER_READ_ERROR			 113
615#define OCSP_R_SERVER_RESPONSE_ERROR			 114
616#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR		 115
617#define OCSP_R_SERVER_WRITE_ERROR			 116
618#define OCSP_R_SIGNATURE_FAILURE			 117
619#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND		 118
620#define OCSP_R_STATUS_EXPIRED				 125
621#define OCSP_R_STATUS_NOT_YET_VALID			 126
622#define OCSP_R_STATUS_TOO_OLD				 127
623#define OCSP_R_UNKNOWN_MESSAGE_DIGEST			 119
624#define OCSP_R_UNKNOWN_NID				 120
625#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE		 129
626
627#ifdef  __cplusplus
628}
629#endif
630#endif
631