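--- /dev/null
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -0,0 +1,164 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * ocspi.h - NSS internal interfaces to OCSP code
+ */
+
+#ifndef _OCSPI_H_
+#define _OCSPI_H_
+
+SECStatus OCSP_InitGlobal(void);
+SECStatus OCSP_ShutdownGlobal(void);
+
+ocspResponseData *
+ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
+
+ocspSignature *
+ocsp_GetResponseSignature(CERTOCSPResponse *response);
+
+SECItem *
+ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
+ SECItem *fill, const SECItem *src);
+
+PRBool
+ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
+
+CERTCertificate *
+ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
+ ocspSignature *signature, CERTCertificate *issuer);
+
+SECStatus
+ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
+ ocspSignature *signature,
+ SECItem *tbsResponseDataDER,
+ void *pwArg);
+
+CERTOCSPRequest *
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
+ PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert);
+
+typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
+
+SECStatus
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+ PRTime time,
+ PRBool ignoreOcspFailureMode,
+ SECStatus *rvOcsp,
+ SECErrorCodes *missingResponseError,
+ OCSPFreshness *freshness);
+
+/*
+ * FUNCTION: cert_ProcessOCSPResponse
+ * Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
+ * In addition it can update the OCSP cache (using information
+ * available internally to this function).
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTOCSPResponse *response
+ * the OCSP response we want to retrieve status from.
+ * CERTOCSPCertID *certID
+ * the ID we want to look for from the response.
+ * CERTCertificate *signerCert
+ * the certificate that was used to sign the OCSP response.
+ * must be obtained via a call to CERT_VerifyOCSPResponseSignature.
+ * PRTime time
+ * The time at which we're checking the status for.
+ * PRBool *certIDWasConsumed
+ * In and Out parameter.
+ * If certIDWasConsumed is NULL on input,
+ * this function might produce a deep copy of cert ID
+ * for storing it in the cache.
+ * If out value is true, ownership of parameter certID was
+ * transferred to the OCSP cache.
+ * SECStatus *cacheUpdateStatus
+ * This optional out parameter will contain the result
+ * of the cache update operation (if requested).
+ * RETURN:
+ * The return value is not influenced by the cache operation,
+ * it matches the documentation for CERT_CheckOCSPStatus
+ */
+
+SECStatus
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ PRBool *certIDWasConsumed,
+ SECStatus *cacheUpdateStatus);
+
+/*
+ * FUNCTION: cert_RememberOCSPProcessingFailure
+ * If an application notices a failure during OCSP processing,
+ * it should finally call this function. The failure will be recorded
+ * in the OCSP cache in order to avoid repetitive failures.
+ * INPUTS:
+ * CERTOCSPCertID *certID
+ * the ID that was used for the failed OCSP processing
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, ownership of parameter certID was
+ * transferred to the OCSP cache.
+ * RETURN:
+ * Status of the cache update operation.
+ */
+
+SECStatus
+cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
+ PRBool *certIDWasConsumed);
+
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ * Check ocspx context for user-designated responder URI first. If not
+ * found, checks cert AIA extension.
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTCertificate *cert
+ * The certificate being examined.
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, URI of default responder is
+ * returned.
+ * RETURN:
+ * Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool canUseDefaultLocation,
+ PRBool *isDefault);
+
+/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
+ * The function checks the global ocsp settings and
+ * tells how to treat an ocsp response fetching failure.
+ * RETURNS:
+ * if PR_TRUE is returned, then treat fetching as a
+ * revoked cert status.
+ */
+PRBool
+ocsp_FetchingFailureIsVerificationFailure(void);
+
+size_t
+ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
+
+SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ CERTOCSPSingleResponse **pSingleResponse);
+
+SECStatus
+ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
+
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed);
+
+#endif /* _OCSPI_H_ */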
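Review bot: `ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)` (new lines 148-149) hands the callee a caller-owned output buffer with no length parameter and no comment saying how large it must be, so every caller must independently guess the expansion factor of the encoding; since the implementation lives in ocsp.c, which is not in this diff, the header should pin the contract, e.g. `/* outputBuf must be at least 3 * strlen(base64Buf) + 1 bytes (percent-encoding may expand each byte to %XX, plus NUL); returns the number of bytes written excluding the NUL. */`, with the factor confirmed against ocsp.c. The comment block for `ocsp_GetResponderLocation` (new lines 126-128) documents a `PRBool *certIDWasConsumed` parameter the prototype does not have; it should instead describe `PRBool canUseDefaultLocation` and `PRBool *isDefault` (the out flag that, per the current wording, is set when the default responder's URI is returned) and state who frees the returned `char *`, since this is the only place callers learn the ownership rule. The doc for `ocsp_FetchingFailureIsVerificationFailure` (new lines 142-143) says "treat fetching as a revoked cert status" and presumably means `treat a fetching failure as a revoked cert status`, which matters because this flag decides whether a network error fails closed.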