附錄B（規範性附錄） 採用ASN.1定義的OCSP
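OCSP DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- OCSP request and response syntax. The layout follows the IETF OCSP module
-- (RFC 2560 lineage) with local additions visible below: the fullCert and
-- certIdWithSignature alternatives of ReqCert, the badCRL response status and
-- the crl-locator object identifier.
--
-- Corrections applied to the text as published (all syntax-level; no tag, field
-- order or field optionality changes, so DER encodings are unaffected):
--   IMPORTS is terminated with the required ';'
--   GeneralName is imported from PKIX1Implicit88, the module that defines it
--   AttributeCertificate and CRLDistributionPoints are imported; both were
--     referenced but never brought into scope
--   the CMS FROM clause names its module (an OID alone is not a valid clause)
--   "SEQUENCE SIZE(1..MAX) of" corrected to "OF"
--   CertIdWithSignature references the imported type IssuerAndSerialNumber
--   OCSPResponseStatus: the unnamed "(4)," item became a comment and the
--     trailing comma before the closing brace was removed
IMPORTS
-- Directory Authentication Framework (X.509)
Certificate, AlgorithmIdentifier, CRLReason
FROM AuthenticationFramework { joint-iso-itu-t ds(5)
module(1) authenticationFramework(7) 3 }
-- X.509 Attribute Certificate Framework (needed by FullCertificate)
-- NOTE(review): module edition kept in step with the X.509 edition above;
-- confirm against the normative references of the standard this annex belongs to.
AttributeCertificate
FROM AttributeCertificateDefinitions { joint-iso-itu-t ds(5)
module(1) attributeCertificateDefinitions(32) 3 }
-- PKIX Certificate Extensions
AuthorityInfoAccessSyntax, GeneralName, CRLDistributionPoints
FROM PKIX1Implicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-implicit-88(2)}
Name, CertificateSerialNumber, Extensions,
id-kp, id-ad-ocsp
FROM PKIX1Explicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-explicit-88(1)}
-- Cryptographic Message Syntax (CMS)
IssuerAndSerialNumber
FROM CryptographicMessageSyntax { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14)} ;

-- Top-level request. Without optionalSignature nothing in the request is
-- authenticated; a responder that insists on signed requests answers with
-- responseStatus sigRequired.
OCSPRequest ::= SEQUENCE {
tbsRequest TBSRequest,
optionalSignature [0] EXPLICIT Signature OPTIONAL }

-- Signed portion of the request.
-- requestorName is informational only unless optionalSignature is present.
-- requestExtensions is where the nonce extension (id-pkix-ocsp-nonce) is carried.
TBSRequest ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
requestorName [1] EXPLICIT GeneralName OPTIONAL,
requestList SEQUENCE OF Request,
requestExtensions [2] EXPLICIT Extensions OPTIONAL }

-- Signature over tbsRequest; certs may carry the certificates needed to
-- verify it.
Signature ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT Certificates OPTIONAL }

-- Protocol version. Only v1 structures are defined in this module; v2 is
-- reserved here without any v2-specific syntax.
Version ::= INTEGER { v1(0), v2(1) }

-- One certificate whose status is requested.
Request ::= SEQUENCE {
reqCert ReqCert,
singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }

Certificates ::= SEQUENCE SIZE(1..MAX) OF Certificate

-- How the certificate is identified. certID is the interoperable form;
-- fullCert and certIdWithSignature are the local extensions of this module.
ReqCert ::= CHOICE {
certID CertID,
fullCert [0] FullCertificate,
certIdWithSignature [1] CertIdWithSignature }

-- Certificate identifier: issuer name hash, issuer key hash and serial number,
-- with hashAlgorithm naming the algorithm used for both hashes. The hashes
-- only identify the issuer; they carry no integrity guarantee of their own.
CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of Issuer's DN
issuerKeyHash OCTET STRING, -- Hash of Issuers public key
serialNumber CertificateSerialNumber }

-- The complete certificate being queried, public-key or attribute certificate.
FullCertificate ::= CHOICE {
certificate [0] Certificate,
attributeCert [1] AttributeCertificate }

-- Certificate identified by issuer and serial plus a hash of its
-- tbsCertificate, accompanied by a signature. Which key produces certsignature
-- and what exactly it covers is not stated in this module; confirm with the
-- body of the standard before relying on it.
-- The field identifier issuerandSerialNumber is kept as published; only the
-- type reference was corrected to the imported IssuerAndSerialNumber.
CertIdWithSignature ::= SEQUENCE {
issuerandSerialNumber IssuerAndSerialNumber,
tbsCertificateHash BIT STRING,
certsignature CertSignature
}

CertSignature ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}

-- Top-level response. responseBytes is OPTIONAL because error statuses carry
-- no body; a client must check responseStatus before looking for one.
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }

-- Response status. Values 4 and 7 are not assigned in this module;
-- badCRL (8) is a local addition to the IETF value set.
OCSPResponseStatus ::= ENUMERATED {
successful (0), --Response has valid confirmations
malformedRequest (1), --Illegal confirmation request
internalError (2), --Internal error in issuer
tryLater (3), --Try again later
-- (4) is not used
sigRequired (5), --Must sign the request
unauthorized (6), --Request unauthorized
badCRL (8) --Error in CRL processing
}

-- Typed response body: responseType selects the syntax of the DER value in
-- response (id-pkix-ocsp-basic selects BasicOCSPResponse).
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }

-- Signed response. The signature covers tbsResponseData; certs may carry the
-- responder certificate chain. A client must still establish that the signing
-- key is authorised to answer for the certificate in question, for example an
-- issuer-delegated certificate carrying id-kp-OCSPSigning.
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT Certificates OPTIONAL }

-- Signed portion of the response. responseExtensions is where the echoed
-- nonce extension is carried.
ResponseData ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
responderID ResponderID,
producedAt GeneralizedTime,
responses SEQUENCE OF SingleResponse,
responseExtensions [1] EXPLICIT Extensions OPTIONAL }

-- Identifies the responder key, by subject name or by key hash.
ResponderID ::= CHOICE {
byName [1] Name,
byKey [2] KeyHash }

-- The hash here is an identifier used to locate the responder key; it is not
-- a security control, so the choice of SHA-1 does not weaken the response.
KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
--(excluding the tag, length and number of unused
-- bits fields)

-- Status of one certificate. thisUpdate and nextUpdate bound the period the
-- status is good for; nextUpdate absent means no newer information is
-- announced. Clients compare both against current time to reject stale or
-- replayed responses.
SingleResponse ::= SEQUENCE {
reqCert ReqCert,
-- MUST be identical to the same field from the request
certStatus CertStatus,
thisUpdate GeneralizedTime,
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
singleExtensions [1] EXPLICIT Extensions OPTIONAL }

-- Certificate status. NOTE(review): "good" states only that the certificate is
-- not known to be revoked; it does not by itself confirm the certificate was
-- issued, and "unknown" should be treated as a failure to obtain status, not
-- as "good".
CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }

RevokedInfo ::= SEQUENCE {
revocationTime GeneralizedTime,
revocationReason [0] EXPLICIT CRLReason OPTIONAL }

UnknownInfo ::= NULL -- this can be replaced with an enumeration

-- Extension syntaxes.
-- ArchiveCutoff: earliest time for which the responder retains revocation
-- information.
ArchiveCutoff ::= GeneralizedTime
-- AcceptableResponses: response types the requestor understands.
AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
-- ServiceLocator: where to forward the request for the named issuer.
ServiceLocator ::= SEQUENCE {
issuer Name,
locator AuthorityInfoAccessSyntax }
-- CrlLocator: CRL distribution points, local extension of this module.
CrlLocator ::= CRLDistributionPoints

-- Object Identifiers
-- id-kp-OCSPSigning: extended key usage marking a certificate as authorised
-- to sign OCSP responses.
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp }
id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-- nonce: binds a response to a specific request as a replay countermeasure.
id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
-- nocheck: the responder certificate is exempt from revocation checking,
-- which is why such certificates are expected to be short-lived.
id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
-- NOTE(review): the arc number of crl-locator is not given in this text;
-- "X" is a placeholder to be filled from the standard, not a valid component.
id-pkix-ocsp-crl-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp X }
END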