1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,150 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * pkix_revocationchecker.h
1.9 + *
1.10 + * RevocationChecker Object Type Definition
1.11 + *
1.12 + */
1.13 +
1.14 +#ifndef _PKIX_REVOCATIONCHECKER_H
1.15 +#define _PKIX_REVOCATIONCHECKER_H
1.16 +
1.17 +#include "pkixt.h"
1.18 +
1.19 +#ifdef __cplusplus
1.20 +extern "C" {
1.21 +#endif
1.22 +
1.23 +/* NOTE: nbio logistic removed. Will be replaced later. */
1.24 +
1.25 +/*
1.26 + * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1.27 + * this is a method dependent flag.
1.28 + */
1.29 +
1.30 +/*
1.31 + * Whether or not to use a method for revocation testing.
1.32 + * If set to "do not test", then all other flags are ignored.
1.33 + */
1.34 +#define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0x00L
1.35 +#define PKIX_REV_M_TEST_USING_THIS_METHOD 0x01L
1.36 +
1.37 +/*
1.38 + * Whether or not NSS is allowed to attempt to fetch fresh information
1.39 + * from the network.
1.40 + * (Although fetching will never happen if fresh information for the
1.41 + * method is already locally available.)
1.42 + */
1.43 +#define PKIX_REV_M_ALLOW_NETWORK_FETCHING 0x00L
1.44 +#define PKIX_REV_M_FORBID_NETWORK_FETCHING 0x02L
1.45 +
1.46 +/*
1.47 + * Example for an implicit default source:
1.48 + * The globally configured default OCSP responder.
1.49 + * IGNORE means:
1.50 + * ignore the implicit default source, whether it's configured or not.
1.51 + * ALLOW means:
1.52 + * if an implicit default source is configured,
1.53 + * then it overrides any available or missing source in the cert.
1.54 + * if no implicit default source is configured,
1.55 + * then we continue to use what's available (or not available)
1.56 + * in the certs.
1.57 + */
1.58 +#define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0x00L
1.59 +#define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 0x04L /* OCSP only */
1.60 +
1.61 +/*
1.62 + * Defines the behavior if no fresh information is available,
1.63 + * fetching from the network is allowed, but the source of revocation
1.64 + * information is unknown (even after considering implicit sources,
1.65 + * if allowed by other flags).
1.66 + * SKIPT_TEST means:
1.67 + * We ignore that no fresh information is available and
1.68 + * skip this test.
1.69 + * REQUIRE_INFO means:
1.70 + * We still require that fresh information is available.
1.71 + * Other flags define what happens on missing fresh info.
1.72 + */
1.73 +
1.74 +#define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0x00L
1.75 +#define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 0x08L
1.76 +
1.77 +/*
1.78 + * Defines the behavior if we are unable to obtain fresh information.
1.79 + * INGORE means:
1.80 + * Return "cert status unknown"
1.81 + * FAIL means:
1.82 + * Return "cert revoked".
1.83 + */
1.84 +
1.85 +#define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO 0x00L
1.86 +#define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO 0x10L
1.87 +
1.88 +/*
1.89 + * What should happen if we were able to find fresh information using
1.90 + * this method, and the data indicated the cert is good?
1.91 + * STOP_TESTING means:
1.92 + * Our success is sufficient, do not continue testing
1.93 + * other methods.
1.94 + * CONTINUE_TESTING means:
1.95 + * We will continue and test the next allowed
1.96 + * specified method.
1.97 + */
1.98 +
1.99 +#define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO 0x00L
1.100 +#define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 0x20L
1.101 +
1.102 +/*
1.103 + * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates
1.104 + * this is a method independent flag.
1.105 + */
1.106 +
1.107 +/*
1.108 + * This defines the order to checking.
1.109 + * EACH_METHOD_SEPARATELY means:
1.110 + * Do all tests related to a particular allowed method
1.111 + * (both local information and network fetching) in a single step.
1.112 + * Only after testing for a particular method is done,
1.113 + * then switching to the next method will happen.
1.114 + * ALL_LOCAL_INFORMATION_FIRST means:
1.115 + * Start by testing the information for all allowed methods
1.116 + * which are already locally available. Only after that is done
1.117 + * consider to fetch from the network (as allowed by other flags).
1.118 + */
1.119 +#define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY 0x00L
1.120 +#define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 0x01L
1.121 +
1.122 +/*
1.123 + * Use this flag to specify that it's necessary that fresh information
1.124 + * is available for at least one of the allowed methods, but it's
1.125 + * irrelevant which of the mechanisms succeeded.
1.126 + * NO_OVERALL_INFO_REQUIREMENT means:
1.127 + * We strictly follow the requirements for each individual method.
1.128 + * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1.129 + * After the individual tests have been executed, we must have
1.130 + * been able to find fresh information using at least one method.
1.131 + * If we were unable to find fresh info, it's a failure.
1.132 + */
1.133 +#define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0x00L
1.134 +#define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L
1.135 +
1.136 +/* Defines check time for the cert, revocation methods lists and
1.137 + * flags for leaf and chain certs revocation tests. */
1.138 +struct PKIX_RevocationCheckerStruct {
1.139 + PKIX_List *leafMethodList;
1.140 + PKIX_List *chainMethodList;
1.141 + PKIX_UInt32 leafMethodListFlags;
1.142 + PKIX_UInt32 chainMethodListFlags;
1.143 +};
1.144 +
1.145 +/* see source file for function documentation */
1.146 +
1.147 +PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext);
1.148 +
1.149 +#ifdef __cplusplus
1.150 +}
1.151 +#endif
1.152 +
1.153 +#endif /* _PKIX_REVOCATIONCHECKER_H */
