Hi, I have written code that implements the OCSP extensions of the Japanese GPKI. It can be integrated into the current OCSP implementation in 0.9.7 beta 3. To compile and use it, you have to add the NID_* values for the locally defined extensions to objects.txt under the crypto directory, register the X509V3 methods as well, and then call OCSP_ONEREQ_add1_ext_i2d(one, NID_JGPKI_subscriberCert, subscriberCert, 1, 1) (note that the fourth argument marks the extension as critical, so a responder that does not recognise it is expected to reject the request rather than ignore the extension). Because of my limited understanding of the published GPKI spec, I am not sure how multiple values are meant to be carried: one value in each of several extensions, or several values in one extension. Anyway, if you like it, please drop me a line. -Kiyoshi Kiyoshi Watanabe Tokyo, Japan
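/* v3_gpki.c */
/*
 * OCSP request/response extensions for the JP GPKI Bridge CA
 * Interoperability Specification.
 *
 * Build notes (see the covering mail): the NID_JGPKI_* identifiers are not
 * part of stock OpenSSL 0.9.7.  They must first be added to
 * crypto/objects/objects.txt, and the X509V3_EXT_METHODs defined here must be
 * registered (X509V3_EXT_add()) before X509V3_EXT_print() can use them.
 *
 * Everything in this file is a pretty-printer.  Nothing here validates the
 * certificates, CRLs or policy OIDs carried in these extensions; an extension
 * value is attacker-controlled data until the enclosing OCSP request/response
 * has been authenticated by the normal OCSP signature check, and the
 * printers below are written on the assumption that their input is hostile.
 */
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/ocsp.h>
#include <openssl/x509v3.h>

/* One row of the code -> name table used by i2r_certPathStatus_print(). */
typedef struct ASN1_INTEGER_NAME_st {
    long intnum;        /* code carried in the extension's INTEGER */
    const char *lname;  /* description; NULL terminates a table */
    const char *sname;  /* short symbolic name */
} ASN1_INTEGER_NAME;

static int i2r_X509_print(X509V3_EXT_METHOD *method, X509 *x, BIO *out, int indent);
static int i2r_X509_CRL_print(X509V3_EXT_METHOD *method, X509_CRL *x, BIO *out, int indent);
static int i2r_certPathStatus_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent);
static int i2r_ASN1_OBJECT_print(X509V3_EXT_METHOD *method, ASN1_OBJECT *obj, BIO *out, int indent);
static int i2r_ASN1_INTEGER_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent);

/*
 * certPathStatus reason codes.  The table is terminated by the entry whose
 * lname is NULL; the terminator's intnum (-1) is never compared against a
 * decoded value because the lookup loop stops on lname first.
 * Not const: X509V3_EXT_METHOD.usr_data is a plain void *.
 */
static ASN1_INTEGER_NAME jgpki_status_reason_codes[] = {
    {0,   "The path has successfully been build and validated",      "Good"},
    {101, "The path has not been build successfully",                "invalidPathBuild"},
    {202, "The invalid signature has been found in the path",        "invalidSignature"},
    {203, "The revoked certificate has been found in the path",      "revokedCertificate"},
    {204, "The invalid policy has been found in the path",           "invalidPolicy"},
    {205, "The invalid constraint result has been found in the path", "invalidConstraint"},
    {206, "The unknown certificate via OCSP has been found in the path", "unknownCertificate"},
    {901, "The server rejects the request",                          "rejectRequest"},
    {902, "Request Timeout ",                                        "requestTimeout"},
    {-1,  NULL,                                                      NULL}
};

/*
 * Fill an X509V3_EXT_METHOD in the 0.9.7 field order:
 *   ext_nid, ext_flags, it,
 *   ext_new, ext_free, d2i, i2d      (old-style ASN.1 hooks, unused: it is set)
 *   i2s, s2i                         (string extensions, unused)
 *   i2v, v2i                         (multi-valued extensions, unused)
 *   i2r, r2i, usr_data
 * Only the ASN1_ITEM and the i2r printer are provided: these extensions are
 * never generated from configuration strings, so every s2i/v2i/r2i hook is
 * NULL and the value is decoded with ASN1_item_d2i() via `it`.
 */
#define JGPKI_EXT_METHOD(nid, item, i2r, data) \
    { (nid), 0, ASN1_ITEM_ref(item), \
      0, 0, 0, 0, \
      0, 0, \
      0, 0, \
      (X509V3_EXT_I2R)(i2r), 0, (data) }

/* Request extensions carrying a single DER certificate. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_subscriber_cert =
    JGPKI_EXT_METHOD(NID_JGPKI_subscriberCert, X509, i2r_X509_print, NULL);
X509V3_EXT_METHOD v3_ocspreq_jgpki_trust_anchor_cert =
    JGPKI_EXT_METHOD(NID_JGPKI_trustAnchorCert, X509, i2r_X509_print, NULL);

/* Request extensions carrying a policy OID or a small INTEGER. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_required_policy =
    JGPKI_EXT_METHOD(NID_JGPKI_requiredPolicy, ASN1_OBJECT, i2r_ASN1_OBJECT_print, NULL);
X509V3_EXT_METHOD v3_ocspreq_jgpki_require_explicit_policy =
    JGPKI_EXT_METHOD(NID_JGPKI_requireExplicitPolicy, ASN1_INTEGER, i2r_ASN1_INTEGER_print, NULL);
X509V3_EXT_METHOD v3_ocspreq_jgpki_inhibit_policy_mapping =
    JGPKI_EXT_METHOD(NID_JGPKI_inhibitPolicyMapping, ASN1_INTEGER, i2r_ASN1_INTEGER_print, NULL);
/* The misspelt identifier is kept: it is the name existing callers link against. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_response_formant =
    JGPKI_EXT_METHOD(NID_JGPKI_responseFormat, ASN1_INTEGER, i2r_ASN1_INTEGER_print, NULL);

/* Response extension: path-validation status code, decoded via the table above. */
X509V3_EXT_METHOD v3_ocspres_jgpki_cert_path_status =
    JGPKI_EXT_METHOD(NID_JGPKI_certPathStatus, ASN1_INTEGER, i2r_certPathStatus_print,
                     jgpki_status_reason_codes);

/*
 * Not yet enabled.  The covering mail notes that the GPKI spec does not make
 * clear whether these (presumably multi-valued, judging by their names)
 * extensions carry one value per extension or several values in one
 * extension, so the ASN1_ITEM chosen for each is provisional.  They are kept
 * here, disabled, until that is resolved.  i2r_X509_CRL_print() below exists
 * only for the revocationList entry and is unreferenced while it is disabled.
 *
 * X509V3_EXT_METHOD v3_ocspreq_jgpki_intermediate_certs =
 *     JGPKI_EXT_METHOD(NID_JGPKI_intermediateCerts, X509, i2r_X509_print, NULL);
 * X509V3_EXT_METHOD v3_ocspres_jgpki_cert_path =
 *     JGPKI_EXT_METHOD(NID_JGPKI_certPath, X509, i2r_X509_print, NULL);
 * X509V3_EXT_METHOD v3_ocspres_jgpki_revocation_list =
 *     JGPKI_EXT_METHOD(NID_JGPKI_revocationList, X509_CRL, i2r_X509_CRL_print, NULL);
 * X509V3_EXT_METHOD v3_ocspres_jgpki_ocsp_response =
 *     JGPKI_EXT_METHOD(NID_JGPKI_OCSPResponse, OCSP_RESPONSE, 0, NULL);
 * X509V3_EXT_METHOD v3_ocspres_jgpki_mapped_policy =
 *     JGPKI_EXT_METHOD(NID_JGPKI_mappedPolicy, ASN1_OBJECT, i2r_ASN1_OBJECT_print, NULL);
 */

/*
 * i2r hook for extensions whose value is a whole certificate.
 * Returns X509_print()'s result (non-zero on success); 0 if no value was decoded.
 * method and indent are unused: X509_print() does its own layout.
 */
static int i2r_X509_print(X509V3_EXT_METHOD *method, X509 *x, BIO *out, int indent)
{
    (void)method;
    (void)indent;
    if (x == NULL)
        return 0;
    return X509_print(out, x);
}

/*
 * i2r hook for extensions whose value is a whole CRL.
 * Returns X509_CRL_print()'s result (non-zero on success); 0 if no value was decoded.
 */
static int i2r_X509_CRL_print(X509V3_EXT_METHOD *method, X509_CRL *x, BIO *out, int indent)
{
    (void)method;
    (void)indent;
    if (x == NULL)
        return 0;
    return X509_CRL_print(out, x);
}

/*
 * i2r hook for certPathStatus: prints "<code>:<sname> (<lname>)" when the
 * code is in method->usr_data (an ASN1_INTEGER_NAME table), otherwise an
 * "Unknown reason code" line.  Always returns 1: an unknown code is
 * reportable output, not a printing failure.
 */
static int i2r_certPathStatus_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent)
{
    const ASN1_INTEGER_NAME *rc;
    long code;

    /*
     * ASN1_INTEGER_get() reports a value it cannot represent in a long as -1
     * (and a NULL INTEGER as 0), so an over-long INTEGER from a hostile
     * response lands in the "unknown" branch instead of matching a table row;
     * it cannot match the -1 terminator because the loop stops on lname.
     */
    code = ASN1_INTEGER_get(num);
    if (method != NULL && method->usr_data != NULL) {
        for (rc = method->usr_data; rc->lname != NULL; rc++) {
            if (rc->intnum == code) {
                /* %ld: intnum and code are long; the old %d was a format mismatch */
                BIO_printf(out, "%*s%ld:%s (%s)", indent, "", code, rc->sname, rc->lname);
                return 1;
            }
        }
    }
    BIO_printf(out, "%*s%ld: Unknown reason code is specified", indent, "", code);
    return 1;
}

/*
 * i2r hook for a single policy OID, printed in dotted-numeric form.
 * Returns 1 on success, 0 if the OID could not be rendered at all.
 */
static int i2r_ASN1_OBJECT_print(X509V3_EXT_METHOD *method, ASN1_OBJECT *obj, BIO *out, int indent)
{
    char objbuf[80];
    int len;

    (void)method;
    /*
     * OBJ_obj2txt() bounds its output to the buffer and returns the length the
     * full dotted form needs, so an arbitrarily long OID from the network is
     * truncated rather than overflowing.  Terminate the buffer ourselves
     * rather than rely on the library's truncation behaviour, and mark a
     * truncated OID instead of printing a silently shortened one.
     */
    len = OBJ_obj2txt(objbuf, (int)sizeof(objbuf), obj, 1);
    objbuf[sizeof(objbuf) - 1] = '\0';
    if (len < 0)
        return 0;
    BIO_printf(out, "%*s%s:(%s%s)", indent, "", "OBJECT", objbuf,
               (size_t)len >= sizeof(objbuf) ? "..." : "");
    return 1;
}

/*
 * i2r hook for a single INTEGER of arbitrary size, printed in decimal.
 * Returns 1 on success, 0 if i2s_ASN1_INTEGER() failed (e.g. out of memory),
 * in which case nothing is printed; the original passed the NULL straight
 * into BIO_printf("%s").
 */
static int i2r_ASN1_INTEGER_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent)
{
    char *s;

    (void)method;
    s = i2s_ASN1_INTEGER(NULL, num);   /* allocated; freed below */
    if (s == NULL)
        return 0;
    BIO_printf(out, "%*s%s:%s", indent, "", "INTEGER", s);
    OPENSSL_free(s);
    return 1;
}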