ts.h 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660
  1. /* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */
  2. /* Written by Zoltan Glozik ([email protected]) for the OpenSSL
  3. * project 2002, 2003, 2004.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * [email protected].
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * ([email protected]). This product includes software written by Tim
  55. * Hudson ([email protected]).
  56. *
  57. */
  58. #ifndef HEADER_TS_H
  59. #define HEADER_TS_H
  60. #include <openssl/opensslconf.h>
  61. #ifndef OPENSSL_NO_BUFFER
  62. #include <openssl/buffer.h>
  63. #endif
  64. #ifndef OPENSSL_NO_EVP
  65. #include <openssl/evp.h>
  66. #endif
  67. #ifndef OPENSSL_NO_BIO
  68. #include <openssl/bio.h>
  69. #endif
  70. #include <openssl/stack.h>
  71. #include <openssl/asn1.h>
  72. #include <openssl/safestack.h>
  73. #ifndef OPENSSL_NO_RSA
  74. #include <openssl/rsa.h>
  75. #endif
  76. #ifndef OPENSSL_NO_DSA
  77. #include <openssl/dsa.h>
  78. #endif
  79. #ifndef OPENSSL_NO_DH
  80. #include <openssl/dh.h>
  81. #endif
  82. #ifdef __cplusplus
  83. extern "C" {
  84. #endif
  85. #include <openssl/x509.h>
  86. #include <openssl/x509v3.h>
  87. typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
  88. typedef struct TS_req_st TS_REQ;
  89. typedef struct TS_accuracy_st TS_ACCURACY;
  90. typedef struct TS_tst_info_st TS_TST_INFO;
  91. /* Possible values for status. */
  92. #define TS_STATUS_GRANTED 0
  93. #define TS_STATUS_GRANTED_WITH_MODS 1
  94. #define TS_STATUS_REJECTION 2
  95. #define TS_STATUS_WAITING 3
  96. #define TS_STATUS_REVOCATION_WARNING 4
  97. #define TS_STATUS_REVOCATION_NOTIFICATION 5
  98. /* Possible values for failure_info. */
  99. #define TS_INFO_BAD_ALG 0
  100. #define TS_INFO_BAD_REQUEST 2
  101. #define TS_INFO_BAD_DATA_FORMAT 5
  102. #define TS_INFO_TIME_NOT_AVAILABLE 14
  103. #define TS_INFO_UNACCEPTED_POLICY 15
  104. #define TS_INFO_UNACCEPTED_EXTENSION 16
  105. #define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
  106. #define TS_INFO_SYSTEM_FAILURE 25
  107. typedef struct TS_status_info_st TS_STATUS_INFO;
  108. DECLARE_STACK_OF(ASN1_UTF8STRING)
  109. typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
  110. typedef struct ESS_cert_id ESS_CERT_ID;
  111. DECLARE_STACK_OF(ESS_CERT_ID)
  112. typedef struct ESS_signing_cert ESS_SIGNING_CERT;
  113. typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
  114. DECLARE_STACK_OF(ESS_CERT_ID_V2)
  115. typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
  116. typedef struct TS_resp_st TS_RESP;
  117. TS_REQ *TS_REQ_new(void);
  118. void TS_REQ_free(TS_REQ *a);
  119. int i2d_TS_REQ(const TS_REQ *a, unsigned char **pp);
  120. TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length);
  121. TS_REQ *TS_REQ_dup(TS_REQ *a);
  122. TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a);
  123. int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a);
  124. TS_REQ *d2i_TS_REQ_bio(BIO *fp, TS_REQ **a);
  125. int i2d_TS_REQ_bio(BIO *fp, TS_REQ *a);
  126. TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void);
  127. void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a);
  128. int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp);
  129. TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a,
  130. const unsigned char **pp, long length);
  131. TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a);
  132. TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a);
  133. int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a);
  134. TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT **a);
  135. int i2d_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT *a);
  136. TS_RESP *TS_RESP_new(void);
  137. void TS_RESP_free(TS_RESP *a);
  138. int i2d_TS_RESP(const TS_RESP *a, unsigned char **pp);
  139. TS_RESP *d2i_TS_RESP(TS_RESP **a, const unsigned char **pp, long length);
  140. TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token);
  141. TS_RESP *TS_RESP_dup(TS_RESP *a);
  142. TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a);
  143. int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a);
  144. TS_RESP *d2i_TS_RESP_bio(BIO *fp, TS_RESP **a);
  145. int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a);
  146. TS_STATUS_INFO *TS_STATUS_INFO_new(void);
  147. void TS_STATUS_INFO_free(TS_STATUS_INFO *a);
  148. int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp);
  149. TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a,
  150. const unsigned char **pp, long length);
  151. TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a);
  152. TS_TST_INFO *TS_TST_INFO_new(void);
  153. void TS_TST_INFO_free(TS_TST_INFO *a);
  154. int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp);
  155. TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp,
  156. long length);
  157. TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a);
  158. TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a);
  159. int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a);
  160. TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO **a);
  161. int i2d_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO *a);
  162. TS_ACCURACY *TS_ACCURACY_new(void);
  163. void TS_ACCURACY_free(TS_ACCURACY *a);
  164. int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp);
  165. TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp,
  166. long length);
  167. TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
  168. ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
  169. void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
  170. int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a,
  171. unsigned char **pp);
  172. ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
  173. const unsigned char **pp, long length);
  174. ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
  175. ESS_CERT_ID *ESS_CERT_ID_new(void);
  176. void ESS_CERT_ID_free(ESS_CERT_ID *a);
  177. int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
  178. ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
  179. long length);
  180. ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
  181. ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
  182. void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
  183. int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a,
  184. unsigned char **pp);
  185. ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
  186. const unsigned char **pp, long length);
  187. ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
  188. int TS_REQ_set_version(TS_REQ *a, long version);
  189. long TS_REQ_get_version(const TS_REQ *a);
  190. int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint);
  191. TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a);
  192. int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg);
  193. X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a);
  194. int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len);
  195. ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a);
  196. int TS_REQ_set_policy_id(TS_REQ *a, const ASN1_OBJECT *policy);
  197. ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a);
  198. int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce);
  199. const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a);
  200. int TS_REQ_set_cert_req(TS_REQ *a, int cert_req);
  201. int TS_REQ_get_cert_req(const TS_REQ *a);
  202. STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a);
  203. void TS_REQ_ext_free(TS_REQ *a);
  204. int TS_REQ_get_ext_count(TS_REQ *a);
  205. int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos);
  206. int TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos);
  207. int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos);
  208. X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc);
  209. X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc);
  210. int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc);
  211. void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx);
  212. /* Function declarations for TS_REQ defined in ts/ts_req_print.c */
  213. int TS_REQ_print_bio(BIO *bio, TS_REQ *a);
  214. /* Function declarations for TS_RESP defined in ts/ts_rsp_utils.c */
  215. int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info);
  216. TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a);
  217. const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si);
  218. const STACK_OF(ASN1_UTF8STRING) *
  219. TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
  220. const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si);
  221. int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
  222. /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
  223. void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info);
  224. PKCS7 *TS_RESP_get_token(TS_RESP *a);
  225. TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a);
  226. int TS_TST_INFO_set_version(TS_TST_INFO *a, long version);
  227. long TS_TST_INFO_get_version(const TS_TST_INFO *a);
  228. int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy_id);
  229. ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a);
  230. int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint);
  231. TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a);
  232. int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial);
  233. const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a);
  234. int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime);
  235. const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a);
  236. int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy);
  237. TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a);
  238. int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds);
  239. const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a);
  240. int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis);
  241. const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a);
  242. int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros);
  243. const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a);
  244. int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering);
  245. int TS_TST_INFO_get_ordering(const TS_TST_INFO *a);
  246. int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce);
  247. const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a);
  248. int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa);
  249. GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a);
  250. STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a);
  251. void TS_TST_INFO_ext_free(TS_TST_INFO *a);
  252. int TS_TST_INFO_get_ext_count(TS_TST_INFO *a);
  253. int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos);
  254. int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj,
  255. int lastpos);
  256. int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos);
  257. X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc);
  258. X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc);
  259. int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc);
  260. void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx);
  261. /* Declarations related to response generation, defined in ts/ts_rsp_sign.c. */
  262. /* Optional flags for response generation. */
  263. /* Don't include the TSA name in response. */
  264. #define TS_TSA_NAME 0x01
  265. /* Set ordering to true in response. */
  266. #define TS_ORDERING 0x02
  267. /*
  268. * Include the signer certificate and the other specified certificates in
  269. * the ESS signing certificate attribute beside the PKCS7 signed data.
  270. * Only the signer certificates is included by default.
  271. */
  272. #define TS_ESS_CERT_ID_CHAIN 0x04
  273. /* Forward declaration. */
  274. struct TS_resp_ctx;
  275. /* This must return a unique number less than 160 bits long. */
  276. typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *);
  277. /* This must return the seconds and microseconds since Jan 1, 1970 in
  278. the sec and usec variables allocated by the caller.
  279. Return non-zero for success and zero for failure. */
  280. typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec);
  281. /* This must process the given extension.
  282. * It can modify the TS_TST_INFO object of the context.
  283. * Return values: !0 (processed), 0 (error, it must set the
  284. * status info/failure info of the response).
  285. */
  286. typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
  287. typedef struct TS_resp_ctx TS_RESP_CTX;
  288. DECLARE_STACK_OF(EVP_MD)
  289. /* Creates a response context that can be used for generating responses. */
  290. TS_RESP_CTX *TS_RESP_CTX_new(void);
  291. void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
  292. /* This parameter must be set. */
  293. int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer);
  294. /* This parameter must be set. */
  295. int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key);
  296. /* This parameter must be set. */
  297. int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy);
  298. /* No additional certs are included in the response by default. */
  299. int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs);
  300. /* Adds a new acceptable policy, only the default policy
  301. is accepted by default. */
  302. int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy);
  303. /* Adds a new acceptable message digest. Note that no message digests
  304. are accepted by default. The md argument is shared with the caller. */
  305. int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md);
  306. /* Accuracy is not included by default. */
  307. int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
  308. int secs, int millis, int micros);
  309. /* Clock precision digits, i.e. the number of decimal digits:
  310. '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
  311. int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
  312. unsigned clock_precision_digits);
  313. /* At most we accept usec precision. */
  314. #define TS_MAX_CLOCK_PRECISION_DIGITS 6
  315. /* No flags are set by default. */
  316. void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
  317. /* Default callback always returns a constant. */
  318. void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
  319. /* Default callback uses gettimeofday() and gmtime(). */
  320. void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
  321. /* Default callback rejects all extensions. The extension callback is called
  322. * when the TS_TST_INFO object is already set up and not signed yet. */
  323. /* FIXME: extension handling is not tested yet. */
  324. void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
  325. TS_extension_cb cb, void *data);
  326. /* The following methods can be used in the callbacks. */
  327. int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
  328. int status, const char *text);
  329. /* Sets the status info only if it is still TS_STATUS_GRANTED. */
  330. int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
  331. int status, const char *text);
  332. int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure);
  333. /* The get methods below can be used in the extension callback. */
  334. TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx);
  335. TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx);
  336. /*
  337. * Creates the signed TS_TST_INFO and puts it in TS_RESP.
  338. * In case of errors it sets the status info properly.
  339. * Returns NULL only in case of memory allocation/fatal error.
  340. */
  341. TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
  342. /*
  343. * Declarations related to response verification,
  344. * they are defined in ts/ts_rsp_verify.c.
  345. */
  346. int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
  347. X509_STORE *store, X509 **signer_out);
  348. /* Context structure for the generic verify method. */
  349. /* Verify the signer's certificate and the signature of the response. */
  350. #define TS_VFY_SIGNATURE (1u << 0)
  351. /* Verify the version number of the response. */
  352. #define TS_VFY_VERSION (1u << 1)
  353. /* Verify if the policy supplied by the user matches the policy of the TSA. */
  354. #define TS_VFY_POLICY (1u << 2)
  355. /* Verify the message imprint provided by the user. This flag should not be
  356. specified with TS_VFY_DATA. */
  357. #define TS_VFY_IMPRINT (1u << 3)
  358. /* Verify the message imprint computed by the verify method from the user
  359. provided data and the MD algorithm of the response. This flag should not be
  360. specified with TS_VFY_IMPRINT. */
  361. #define TS_VFY_DATA (1u << 4)
  362. /* Verify the nonce value. */
  363. #define TS_VFY_NONCE (1u << 5)
  364. /* Verify if the TSA name field matches the signer certificate. */
  365. #define TS_VFY_SIGNER (1u << 6)
  366. /* Verify if the TSA name field equals to the user provided name. */
  367. #define TS_VFY_TSA_NAME (1u << 7)
  368. /* You can use the following convenience constants. */
  369. #define TS_VFY_ALL_IMPRINT (TS_VFY_SIGNATURE \
  370. | TS_VFY_VERSION \
  371. | TS_VFY_POLICY \
  372. | TS_VFY_IMPRINT \
  373. | TS_VFY_NONCE \
  374. | TS_VFY_SIGNER \
  375. | TS_VFY_TSA_NAME)
  376. #define TS_VFY_ALL_DATA (TS_VFY_SIGNATURE \
  377. | TS_VFY_VERSION \
  378. | TS_VFY_POLICY \
  379. | TS_VFY_DATA \
  380. | TS_VFY_NONCE \
  381. | TS_VFY_SIGNER \
  382. | TS_VFY_TSA_NAME)
  383. typedef struct TS_verify_ctx TS_VERIFY_CTX;
  384. int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
  385. int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
  386. /*
  387. * Declarations related to response verification context,
  388. * they are defined in ts/ts_verify_ctx.c.
  389. */
  390. /* Set all fields to zero. */
  391. TS_VERIFY_CTX *TS_VERIFY_CTX_new(void);
  392. void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
  393. void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
  394. int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
  395. int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
  396. BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio);
  397. X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store);
  398. /* R$ special */
  399. #define TS_VERIFY_CTS_set_certs TS_VERIFY_CTX_set_certs
  400. STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
  401. STACK_OF(X509) *certs);
  402. unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
  403. unsigned char *imprint, long imprint_len);
  404. /*
  405. * If ctx is NULL, it allocates and returns a new object, otherwise
  406. * it returns ctx. It initialises all the members as follows:
  407. * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
  408. * certs = NULL
  409. * store = NULL
  410. * policy = policy from the request or NULL if absent (in this case
  411. * TS_VFY_POLICY is cleared from flags as well)
  412. * md_alg = MD algorithm from request
  413. * imprint, imprint_len = imprint from request
  414. * data = NULL
  415. * nonce, nonce_len = nonce from the request or NULL if absent (in this case
  416. * TS_VFY_NONCE is cleared from flags as well)
  417. * tsa_name = NULL
  418. * Important: after calling this method TS_VFY_SIGNATURE should be added!
  419. */
  420. TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx);
  421. /* Function declarations for TS_RESP defined in ts/ts_rsp_print.c */
  422. int TS_RESP_print_bio(BIO *bio, TS_RESP *a);
  423. int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a);
  424. int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a);
  425. /* Common utility functions defined in ts/ts_lib.c */
  426. int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num);
  427. int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj);
  428. int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions);
  429. int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg);
  430. int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
  431. /* Function declarations for handling configuration options,
  432. defined in ts/ts_conf.c */
  433. X509 *TS_CONF_load_cert(const char *file);
  434. STACK_OF(X509) *TS_CONF_load_certs(const char *file);
  435. EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass);
  436. const char *TS_CONF_get_tsa_section(CONF *conf, const char *section);
  437. int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
  438. TS_RESP_CTX *ctx);
  439. int TS_CONF_set_signer_cert(CONF *conf, const char *section,
  440. const char *cert, TS_RESP_CTX *ctx);
  441. int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
  442. TS_RESP_CTX *ctx);
  443. int TS_CONF_set_signer_key(CONF *conf, const char *section,
  444. const char *key, const char *pass, TS_RESP_CTX *ctx);
  445. int TS_CONF_set_def_policy(CONF *conf, const char *section,
  446. const char *policy, TS_RESP_CTX *ctx);
  447. int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
  448. int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx);
  449. int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx);
  450. int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
  451. TS_RESP_CTX *ctx);
  452. int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx);
  453. int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx);
  454. int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
  455. TS_RESP_CTX *ctx);
  456. void ERR_load_TS_strings(void);
  457. /* Error codes for the TS functions. */
  458. /* Function codes. */
  459. #define TS_F_D2I_TS_RESP 147
  460. #define TS_F_DEF_SERIAL_CB 110
  461. #define TS_F_DEF_TIME_CB 111
  462. #define TS_F_ESS_ADD_SIGNING_CERT 112
  463. #define TS_F_ESS_CERT_ID_NEW_INIT 113
  464. #define TS_F_ESS_SIGNING_CERT_NEW_INIT 114
  465. #define TS_F_INT_TS_RESP_VERIFY_TOKEN 149
  466. #define TS_F_PKCS7_TO_TS_TST_INFO 148
  467. #define TS_F_TS_ACCURACY_SET_MICROS 115
  468. #define TS_F_TS_ACCURACY_SET_MILLIS 116
  469. #define TS_F_TS_ACCURACY_SET_SECONDS 117
  470. #define TS_F_TS_CHECK_IMPRINTS 100
  471. #define TS_F_TS_CHECK_NONCES 101
  472. #define TS_F_TS_CHECK_POLICY 102
  473. #define TS_F_TS_CHECK_SIGNING_CERTS 103
  474. #define TS_F_TS_CHECK_STATUS_INFO 104
  475. #define TS_F_TS_COMPUTE_IMPRINT 145
  476. #define TS_F_TS_CONF_SET_DEFAULT_ENGINE 146
  477. #define TS_F_TS_GET_STATUS_TEXT 105
  478. #define TS_F_TS_MSG_IMPRINT_SET_ALGO 118
  479. #define TS_F_TS_REQ_SET_MSG_IMPRINT 119
  480. #define TS_F_TS_REQ_SET_NONCE 120
  481. #define TS_F_TS_REQ_SET_POLICY_ID 121
  482. #define TS_F_TS_RESP_CREATE_RESPONSE 122
  483. #define TS_F_TS_RESP_CREATE_TST_INFO 123
  484. #define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 124
  485. #define TS_F_TS_RESP_CTX_ADD_MD 125
  486. #define TS_F_TS_RESP_CTX_ADD_POLICY 126
  487. #define TS_F_TS_RESP_CTX_NEW 127
  488. #define TS_F_TS_RESP_CTX_SET_ACCURACY 128
  489. #define TS_F_TS_RESP_CTX_SET_CERTS 129
  490. #define TS_F_TS_RESP_CTX_SET_DEF_POLICY 130
  491. #define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 131
  492. #define TS_F_TS_RESP_CTX_SET_STATUS_INFO 132
  493. #define TS_F_TS_RESP_GET_POLICY 133
  494. #define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 134
  495. #define TS_F_TS_RESP_SET_STATUS_INFO 135
  496. #define TS_F_TS_RESP_SET_TST_INFO 150
  497. #define TS_F_TS_RESP_SIGN 136
  498. #define TS_F_TS_RESP_VERIFY_SIGNATURE 106
  499. #define TS_F_TS_RESP_VERIFY_TOKEN 107
  500. #define TS_F_TS_TST_INFO_SET_ACCURACY 137
  501. #define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 138
  502. #define TS_F_TS_TST_INFO_SET_NONCE 139
  503. #define TS_F_TS_TST_INFO_SET_POLICY_ID 140
  504. #define TS_F_TS_TST_INFO_SET_SERIAL 141
  505. #define TS_F_TS_TST_INFO_SET_TIME 142
  506. #define TS_F_TS_TST_INFO_SET_TSA 143
  507. #define TS_F_TS_VERIFY 108
  508. #define TS_F_TS_VERIFY_CERT 109
  509. #define TS_F_TS_VERIFY_CTX_NEW 144
  510. /* Reason codes. */
  511. #define TS_R_BAD_PKCS7_TYPE 132
  512. #define TS_R_BAD_TYPE 133
  513. #define TS_R_CERTIFICATE_VERIFY_ERROR 100
  514. #define TS_R_COULD_NOT_SET_ENGINE 127
  515. #define TS_R_COULD_NOT_SET_TIME 115
  516. #define TS_R_D2I_TS_RESP_INT_FAILED 128
  517. #define TS_R_DETACHED_CONTENT 134
  518. #define TS_R_ESS_ADD_SIGNING_CERT_ERROR 116
  519. #define TS_R_ESS_SIGNING_CERTIFICATE_ERROR 101
  520. #define TS_R_INVALID_NULL_POINTER 102
  521. #define TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE 117
  522. #define TS_R_MESSAGE_IMPRINT_MISMATCH 103
  523. #define TS_R_NONCE_MISMATCH 104
  524. #define TS_R_NONCE_NOT_RETURNED 105
  525. #define TS_R_NO_CONTENT 106
  526. #define TS_R_NO_TIME_STAMP_TOKEN 107
  527. #define TS_R_PKCS7_ADD_SIGNATURE_ERROR 118
  528. #define TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR 119
  529. #define TS_R_PKCS7_TO_TS_TST_INFO_FAILED 129
  530. #define TS_R_POLICY_MISMATCH 108
  531. #define TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 120
  532. #define TS_R_RESPONSE_SETUP_ERROR 121
  533. #define TS_R_SIGNATURE_FAILURE 109
  534. #define TS_R_THERE_MUST_BE_ONE_SIGNER 110
  535. #define TS_R_TIME_SYSCALL_ERROR 122
  536. #define TS_R_TOKEN_NOT_PRESENT 130
  537. #define TS_R_TOKEN_PRESENT 131
  538. #define TS_R_TSA_NAME_MISMATCH 111
  539. #define TS_R_TSA_UNTRUSTED 112
  540. #define TS_R_TST_INFO_SETUP_ERROR 123
  541. #define TS_R_TS_DATASIGN 124
  542. #define TS_R_UNACCEPTABLE_POLICY 125
  543. #define TS_R_UNSUPPORTED_MD_ALGORITHM 126
  544. #define TS_R_UNSUPPORTED_VERSION 113
  545. #define TS_R_WRONG_CONTENT_TYPE 114
  546. #ifdef __cplusplus
  547. }
  548. #endif
  549. #endif