1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
-- From rfc2560
-- $Id: ocsp.asn1,v 1.4 2006/12/30 12:38:44 lha Exp $
OCSP DEFINITIONS EXPLICIT TAGS::=
BEGIN
IMPORTS
Certificate, AlgorithmIdentifier, CRLReason,
Name, GeneralName, CertificateSerialNumber, Extensions
FROM rfc2459;
OCSPVersion ::= INTEGER { ocsp-v1(0) }
OCSPCertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT -- OCSPRevokedInfo -- SEQUENCE {
revocationTime GeneralizedTime,
revocationReason[0] EXPLICIT CRLReason OPTIONAL
},
unknown [2] IMPLICIT NULL }
OCSPCertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of Issuer's DN
issuerKeyHash OCTET STRING, -- Hash of Issuers public key
serialNumber CertificateSerialNumber }
OCSPSingleResponse ::= SEQUENCE {
certID OCSPCertID,
certStatus OCSPCertStatus,
thisUpdate GeneralizedTime,
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
singleExtensions [1] EXPLICIT Extensions OPTIONAL }
OCSPInnerRequest ::= SEQUENCE {
reqCert OCSPCertID,
singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
OCSPTBSRequest ::= SEQUENCE {
version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
requestorName [1] EXPLICIT GeneralName OPTIONAL,
requestList SEQUENCE OF OCSPInnerRequest,
requestExtensions [2] EXPLICIT Extensions OPTIONAL }
OCSPSignature ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
OCSPRequest ::= SEQUENCE {
tbsRequest OCSPTBSRequest,
optionalSignature [0] EXPLICIT OCSPSignature OPTIONAL }
OCSPResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
--(4) is not used
sigRequired (5), --Must sign the request
unauthorized (6) --Request unauthorized
}
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT OCSPResponseBytes OPTIONAL }
OCSPKeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
--(excluding the tag and length fields)
OCSPResponderID ::= CHOICE {
byName [1] Name,
byKey [2] OCSPKeyHash }
OCSPResponseData ::= SEQUENCE {
version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
responderID OCSPResponderID,
producedAt GeneralizedTime,
responses SEQUENCE OF OCSPSingleResponse,
responseExtensions [1] EXPLICIT Extensions OPTIONAL }
OCSPBasicOCSPResponse ::= SEQUENCE {
tbsResponseData OCSPResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-- ArchiveCutoff ::= GeneralizedTime
-- AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
-- Object Identifiers
id-pkix-ocsp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) pkix-ad(48) 1
}
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
-- id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
-- id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
-- id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
-- id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
-- id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
END
|