Hi,

I wrote code that can be used for the OCSP extensions of the Japanese GPKI.
It can be integrated into the current OCSP implementation in 0.9.7
beta 3.

If you want to compile this and make it work, you have to add the
NID_* values for the locally defined extensions to object.txt in the
crypto directory and register the X509V3 methods as well,

and call
OCSP_ONEREQ_add1_ext_i2d(one,NID_JGPKI_subscriberCert,subscriberCert,1,1)

Because of my limited understanding of the published GPKI spec, I am
not sure how multiple values are meant to be inserted into extensions
(one value in each of several extensions, or multiple values in one
extension...).

Anyway, if you like it, please drop me a line.

-Kiyoshi
Kiyoshi Watanabe
Tokyo, Japan
/* v3_gpki.c */
 
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/ocsp.h>
#include <openssl/x509v3.h>

/* OCSP extensions for JP GPKI Bridge CA Interoperability Specification */

/* One row of a reason-code lookup table: the numeric value carried in the
 * certPathStatus extension, a long description and a short symbolic name.
 * A row whose lname is NULL terminates the table (see
 * jgpki_status_reason_codes and i2r_certPathStatus_print). */
typedef struct ASN1_INTEGER_NAME_st {
  long intnum;        /* numeric reason code; -1 in the terminator row */
  const char *lname;  /* long, human-readable description */
  const char *sname;  /* short name printed by i2r_certPathStatus_print */
} ASN1_INTEGER_NAME;

/* i2r ("internal to readable") printers referenced from the X509V3_EXT_METHOD
 * tables below through the X509V3_EXT_I2R slot.  Each receives the method,
 * the decoded extension value, an output BIO and an indent, and returns 1 on
 * success / 0 on failure as that callback type expects.
 * i2r_X509_CRL_print is only used by the commented-out revocationList method
 * and so is currently an unused static function. */
static int i2r_X509_print(X509V3_EXT_METHOD *method, X509 *x, BIO *out, int indent);
static int i2r_X509_CRL_print(X509V3_EXT_METHOD *method, X509_CRL *x, BIO *out, int indent);
static int i2r_certPathStatus_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent);
static int i2r_ASN1_OBJECT_print(X509V3_EXT_METHOD *method, ASN1_OBJECT *obj, BIO *out, int indent);
static int i2r_ASN1_INTEGER_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent);

/* certPathStatus reason codes of the JP GPKI specification.  Installed as the
 * usr_data of v3_ocspres_jgpki_cert_path_status and searched by
 * i2r_certPathStatus_print.  The table ends with a row whose lname is NULL;
 * its intnum of -1 is never compared because the search stops there first. */
static ASN1_INTEGER_NAME jgpki_status_reason_codes[] = {
  {0, "The path has successfully been build and validated", "Good"},
  {101, "The path has not been build successfully", "invalidPathBuild"},
  {202, "The invalid signature has been found in the path", "invalidSignature"},
  {203, "The revoked certificate has been found in the path", "revokedCertificate"},
  {204, "The invalid policy has been found in the path", "invalidPolicy"},
  {205, "The invalid constraint result has been found in the path", "invalidConstraint"},
  {206, "The unknown certificate via OCSP has been found in the path", "unknownCertificate"},
  {901, "The server rejects the request", "rejectRequest"},
  {902, "Request Timeout ", "requestTimeout"},
  {-1, NULL, NULL}   /* terminator */
};



/* OCSP request extension carrying the subscriber certificate as a whole X509.
 * Positional X509V3_EXT_METHOD initializer (see x509v3.h for the field order):
 * nid, flags, ASN1 item, then the unused new/free/d2i/i2d, i2s/s2i and
 * i2v/v2i slots, the i2r printer, the unused r2i slot and usr_data.
 * Only decoding and printing is supported; there is no string or
 * configuration-file parser for this extension. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_subscriber_cert = {
        NID_JGPKI_subscriberCert, 0, ASN1_ITEM_ref(X509),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_X509_print,
        0,
        NULL
};

/*
X509V3_EXT_METHOD v3_ocspreq_jgpki_intermediate_certs = {
        NID_JGPKI_intermediateCerts, 0, ASN1_ITEM_ref(X509),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_X509_print,
        0,
        NULL
};
*/

/* OCSP request extension carrying the trust anchor certificate as a whole
 * X509.  Same layout as v3_ocspreq_jgpki_subscriber_cert: the value is
 * decoded with the X509 item and printed with i2r_X509_print; every other
 * callback slot is left empty. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_trust_anchor_cert = {
        NID_JGPKI_trustAnchorCert, 0, ASN1_ITEM_ref(X509),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_X509_print,
        0,
        NULL
};

/* OCSP request extension naming the required certificate policy as a single
 * OBJECT IDENTIFIER; printed by i2r_ASN1_OBJECT_print.  No parser slots are
 * filled, so the extension can be displayed but not built from config. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_required_policy = {
        NID_JGPKI_requiredPolicy, 0, ASN1_ITEM_ref(ASN1_OBJECT),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_ASN1_OBJECT_print,
        0,
        NULL
};


/* OCSP request extension requireExplicitPolicy: a plain INTEGER, printed by
 * i2r_ASN1_INTEGER_print.  Decode/print only; no parser slots are set. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_require_explicit_policy = {
        NID_JGPKI_requireExplicitPolicy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_ASN1_INTEGER_print,
        0,
        NULL
};

/* OCSP request extension inhibitPolicyMapping: a plain INTEGER, printed by
 * i2r_ASN1_INTEGER_print.  Decode/print only; no parser slots are set. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_inhibit_policy_mapping = {
        NID_JGPKI_inhibitPolicyMapping, 0, ASN1_ITEM_ref(ASN1_INTEGER),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_ASN1_INTEGER_print,
        0,
        NULL
};

/* OCSP request extension responseFormat: a plain INTEGER, printed by
 * i2r_ASN1_INTEGER_print.  Decode/print only; no parser slots are set.
 * NOTE: the identifier is spelled "formant"; it is kept as-is because
 * renaming it would break any code that already references it. */
X509V3_EXT_METHOD v3_ocspreq_jgpki_response_formant = {
        NID_JGPKI_responseFormat, 0, ASN1_ITEM_ref(ASN1_INTEGER),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_ASN1_INTEGER_print,
        0,
        NULL
};

/* OCSP response extension certPathStatus: an INTEGER reason code.  This is
 * the only method that sets usr_data; it points at jgpki_status_reason_codes
 * so that i2r_certPathStatus_print can translate the code into a name.
 * The value originates from the responder and is untrusted; unknown codes
 * are printed as such rather than rejected. */
X509V3_EXT_METHOD v3_ocspres_jgpki_cert_path_status = {
        NID_JGPKI_certPathStatus, 0, ASN1_ITEM_ref(ASN1_INTEGER),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_certPathStatus_print,
        0,
        jgpki_status_reason_codes   /* usr_data: reason-code lookup table */
};

/*
X509V3_EXT_METHOD v3_ocspres_jgpki_cert_path = {
        NID_JGPKI_certPath, 0, ASN1_ITEM_ref(X509),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_X509_print,
        0,
        NULL
};
*/

/*
X509V3_EXT_METHOD v3_ocspres_jgpki_revocation_list = {
        NID_JGPKI_revocationList, 0, ASN1_ITEM_ref(X509_CRL),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_X509_CRL_print,
        0,
        NULL
};

*/

/*
X509V3_EXT_METHOD v3_ocspres_jgpki_ocsp_response = {
        NID_JGPKI_OCSPResponse, 0, ASN1_ITEM_ref(OCSP_RESPONSE),
        0,0,0,0,
        0,0,
        0,0,
        0,
        0,
        NULL
};
*/

/*
X509V3_EXT_METHOD v3_ocspres_jgpki_mapped_policy = {
        NID_JGPKI_mappedPolicy, 0, ASN1_ITEM_ref(ASN1_OBJECT),
        0,0,0,0,
        0,0,
        0,0,
        (X509V3_EXT_I2R)i2r_ASN1_OBJECT_print,
        0,
        NULL
};
*/

/* i2r printer for extensions whose value is a complete X509 certificate.
 * method and indent are not used: the certificate is dumped by X509_print at
 * its own indentation, and X509_print's result (1 on success, 0 on failure)
 * is handed straight back to the caller. */
static int i2r_X509_print(X509V3_EXT_METHOD *method, X509 *x, BIO *out, int indent)
{
  int ok;

  (void)method;
  (void)indent;
  ok = X509_print(out, x);
  return ok;
}
/* i2r printer for extensions whose value is a complete X509 CRL.
 * method and indent are not used; the CRL is dumped by X509_CRL_print and
 * its result is returned unchanged.  Currently only the commented-out
 * revocationList method refers to this function. */
static int i2r_X509_CRL_print(X509V3_EXT_METHOD *method, X509_CRL *x, BIO *out, int indent)
{
  int ok;

  (void)method;
  (void)indent;
  ok = X509_CRL_print(out, x);
  return ok;
}

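/* i2r printer for the certPathStatus response extension.
 *
 * Looks the INTEGER value up in the ASN1_INTEGER_NAME table that the method's
 * usr_data points at (jgpki_status_reason_codes) and prints
 * "<code>:<short name>", or an "Unknown reason code" line when the value is
 * not listed.  The value comes from the OCSP responder, so any integer may
 * arrive here: ASN1_INTEGER_get returns -1 for values that do not fit in a
 * long, and that is reported as unknown because the search stops at the
 * terminator row before ever comparing against its -1.
 *
 * Returns 1; a line is always printed and BIO_printf failures are not
 * propagated, as in the original.
 *
 * Fix: intnum and l are long, so they must be printed with %ld; the previous
 * %d is undefined behaviour where long is wider than int. */
static int i2r_certPathStatus_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent)
{
  long l = ASN1_INTEGER_get(num);
  const ASN1_INTEGER_NAME *rc = method->usr_data;

  /* usr_data is optional in X509V3_EXT_METHOD; a method installed without a
   * table reports every code as unknown instead of dereferencing NULL. */
  for (; rc != NULL && rc->lname != NULL; rc++) {
    if (rc->intnum == l) {
      BIO_printf(out, "%*s%ld:%s", indent, "", rc->intnum, rc->sname);
      return 1;
    }
  }
  BIO_printf(out, "%*s%ld: Unknown reason code is specified", indent, "", l);
  return 1;
}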

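/* i2r printer for extensions whose value is a single OBJECT IDENTIFIER
 * (requiredPolicy).  Prints "OBJECT:(<oid>)"; the last argument of
 * OBJ_obj2txt is 1, so the OID is rendered in numeric dotted form and the
 * output does not depend on which OID names this build knows.
 *
 * OBJ_obj2txt is expected to NUL-terminate and truncate to the buffer size,
 * so an unusually long OID is printed truncated rather than overrunning
 * objbuf.  Returns 1.
 *
 * Fix: the buffer bound is taken from the array itself (sizeof) instead of
 * repeating the literal 80, so the two cannot drift apart. */
static int i2r_ASN1_OBJECT_print(X509V3_EXT_METHOD *method, ASN1_OBJECT *obj, BIO *out, int indent)
{
  char objbuf[80];

  (void)method;
  OBJ_obj2txt(objbuf, sizeof objbuf, obj, 1);
  BIO_printf(out, "%*s%s:(%s)", indent, "", "OBJECT", objbuf);
  return 1;
}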

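/* i2r printer for extensions whose value is a plain INTEGER
 * (requireExplicitPolicy, inhibitPolicyMapping, responseFormat).
 * Prints "INTEGER:<value>" using i2s_ASN1_INTEGER, which allocates the text;
 * it is released here with OPENSSL_free.
 *
 * Returns 1 on success, 0 if the conversion failed (i2s_ASN1_INTEGER
 * returned NULL), in which case nothing is printed and the caller can treat
 * the extension as unprintable.
 *
 * Fix: the NULL result of i2s_ASN1_INTEGER was previously passed to
 * BIO_printf and the failure silently reported as success. */
static int i2r_ASN1_INTEGER_print(X509V3_EXT_METHOD *method, ASN1_INTEGER *num, BIO *out, int indent)
{
  char *s;

  (void)method;
  s = i2s_ASN1_INTEGER(NULL, num);
  if (s == NULL) {
    return 0;
  }
  BIO_printf(out, "%*s%s:%s", indent, "", "INTEGER", s);
  OPENSSL_free(s);
  return 1;
}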

