security/nss/lib/certhigh/ocspt.h@6474c204b198
security/nss/lib/certhigh/ocspt.h
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 /*
6 * Public header for exported OCSP types.
7 */
9 #ifndef _OCSPT_H_
10 #define _OCSPT_H_
12 /*
13 * The following are all opaque types. If someone needs to get at
14 * a field within, then we need to fix the API. Try very hard not
15 * make the type available to them.
16 */
17 typedef struct CERTOCSPRequestStr CERTOCSPRequest;
18 typedef struct CERTOCSPResponseStr CERTOCSPResponse;
20 /*
21 * XXX I think only those first two above should need to be exported,
22 * but until I know for certain I am leaving the rest of these here, too.
23 */
24 typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
25 typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
27 /*
28 * This interface is described in terms of an HttpClient which
29 * supports at least a specified set of functions. (An implementer may
30 * provide HttpClients with additional functionality accessible only to
31 * users with a particular implementation in mind.) The basic behavior
32 * is provided by defining a set of functions, listed in an
33 * SEC_HttpServerFcnStruct. If the implementor of a SpecificHttpClient
34 * registers his SpecificHttpClient as the default HttpClient, then his
35 * functions will be called by the user of an HttpClient, such as an
36 * OCSPChecker.
37 *
38 * The implementer of a specific HttpClient (e.g., the NSS-provided
39 * DefaultHttpClient), populates an SEC_HttpClientFcnStruct, uses it to
40 * register his client, and waits for his functions to be called.
41 *
42 * For future expandability, the SEC_HttpClientFcnStruct is defined as a
43 * union, with the version field acting as a selector. The proposed
44 * initial version of the structure is given following the definition
45 * of the union. The HttpClientState structure is implementation-
46 * dependent, and should be opaque to the user.
47 */
49 typedef void * SEC_HTTP_SERVER_SESSION;
50 typedef void * SEC_HTTP_REQUEST_SESSION;
52 /*
53 * This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a
54 * specific HttpClient will allocate the necessary space, when this
55 * function is called, and will free it when the corresponding FreeFcn
56 * is called. The SEC_HTTP_SERVER_SESSION object is passed, as an opaque object,
57 * to subsequent calls.
58 *
59 * If the function returns SECSuccess, the returned SEC_HTTP_SERVER_SESSION
60 * must be cleaned up with a call to SEC_HttpServer_FreeSession,
61 * after processing is finished.
62 */
63 typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)(
64 const char *host,
65 PRUint16 portnum,
66 SEC_HTTP_SERVER_SESSION *pSession);
68 /*
69 * This function is called to allow the implementation to attempt to keep
70 * the connection alive. Depending on the underlying platform, it might
71 * immediately return SECSuccess without having performed any operations.
72 * (If a connection has not been kept alive, a subsequent call to
73 * SEC_HttpRequest_TrySendAndReceiveFcn should reopen the connection
74 * automatically.)
75 *
76 * If the connection uses nonblocking I/O, this function may return
77 * SECWouldBlock and store a nonzero value at "pPollDesc". In that case
78 * the caller may wait on the poll descriptor, and should call this function
79 * again until SECSuccess (and a zero value at "pPollDesc") is obtained.
80 */
81 typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)(
82 SEC_HTTP_SERVER_SESSION session,
83 PRPollDesc **pPollDesc);
85 /*
86 * This function frees the client SEC_HTTP_SERVER_SESSION object, closes all
87 * SEC_HTTP_REQUEST_SESSIONs created for that server, discards all partial results,
88 * frees any memory that was allocated by the client, and invalidates any
89 * response pointers that might have been returned by prior server or request
90 * functions.
91 */
92 typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)(
93 SEC_HTTP_SERVER_SESSION session);
95 /*
96 * This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a
97 * specific HttpClient will allocate the necessary space, when this
98 * function is called, and will free it when the corresponding FreeFcn
99 * is called. The SEC_HTTP_REQUEST_SESSION object is passed, as an opaque object,
100 * to subsequent calls.
101 *
102 * An implementation that does not support the requested protocol variant
103 * (usually "http", but could eventually allow "https") or request method
104 * should return SECFailure.
105 *
106 * Timeout values may include the constants PR_INTERVAL_NO_TIMEOUT (wait
107 * forever) or PR_INTERVAL_NO_WAIT (nonblocking I/O).
108 *
109 * If the function returns SECSuccess, the returned SEC_HTTP_REQUEST_SESSION
110 * must be cleaned up with a call to SEC_HttpRequest_FreeSession,
111 * after processing is finished.
112 */
113 typedef SECStatus (*SEC_HttpRequest_CreateFcn)(
114 SEC_HTTP_SERVER_SESSION session,
115 const char *http_protocol_variant, /* usually "http" */
116 const char *path_and_query_string,
117 const char *http_request_method,
118 const PRIntervalTime timeout,
119 SEC_HTTP_REQUEST_SESSION *pRequest);
121 /*
122 * This function sets data to be sent to the server for an HTTP request
123 * of http_request_method == POST. If a particular implementation
124 * supports it, the details for the POST request can be set by calling
125 * this function, prior to activating the request with TrySendAndReceiveFcn.
126 *
127 * An implementation that does not support the POST method should
128 * implement a SetPostDataFcn function that returns immediately.
129 *
130 * Setting http_content_type is optional, the parameter may
131 * by NULL or the empty string.
132 */
133 typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)(
134 SEC_HTTP_REQUEST_SESSION request,
135 const char *http_data,
136 const PRUint32 http_data_len,
137 const char *http_content_type);
139 /*
140 * This function sets an additional HTTP protocol request header.
141 * If a particular implementation supports it, one or multiple headers
142 * can be added to the request by calling this function once or multiple
143 * times, prior to activating the request with TryFcn.
144 *
145 * An implementation that does not support setting additional headers
146 * should implement an AddRequestHeaderFcn function that returns immediately.
147 */
148 typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
149 SEC_HTTP_REQUEST_SESSION request,
150 const char *http_header_name,
151 const char *http_header_value);
153 /*
154 * This function initiates or continues an HTTP request. After
155 * parameters have been set with the Create function and, optionally,
156 * modified or enhanced with the AddParams function, this call creates
157 * the socket connection and initiates the communication.
158 *
159 * If a timeout value of zero is specified, indicating non-blocking
160 * I/O, the client creates a non-blocking socket, and returns a status
161 * of SECWouldBlock and a non-NULL PRPollDesc if the operation is not
162 * complete. In that case all other return parameters are undefined.
163 * The caller is expected to repeat the call, possibly after using
164 * PRPoll to determine that a completion has occurred, until a return
165 * value of SECSuccess (and a NULL value for pPollDesc) or a return
166 * value of SECFailure (indicating failure on the network level)
167 * is obtained.
168 *
169 * http_response_data_len is both input and output parameter.
170 * If a pointer to a PRUint32 is supplied, the http client is
171 * expected to check the given integer value and always set an out
172 * value, even on failure.
173 * An input value of zero means, the caller will accept any response len.
174 * A different input value indicates the maximum response value acceptable
175 * to the caller.
176 * If data is successfully read and the size is acceptable to the caller,
177 * the function will return SECSuccess and set http_response_data_len to
178 * the size of the block returned in http_response_data.
179 * If the data read from the http server is larger than the acceptable
180 * size, the function will return SECFailure.
181 * http_response_data_len will be set to a value different from zero to
182 * indicate the reason of the failure.
183 * An out value of "0" means, the failure was unrelated to the
184 * acceptable size.
185 * An out value of "1" means, the result data is larger than the
186 * accpeptable size, but the real size is not yet known to the http client
187 * implementation and it stopped retrieving it,
188 * Any other out value combined with a return value of SECFailure
189 * will indicate the actual size of the server data.
190 *
191 * The caller is permitted to provide NULL values for any of the
192 * http_response arguments, indicating the caller is not interested in
193 * those values. If the caller does provide an address, the HttpClient
194 * stores at that address a pointer to the corresponding argument, at
195 * the completion of the operation.
196 *
197 * All returned pointers will be owned by the the HttpClient
198 * implementation and will remain valid until the call to
199 * SEC_HttpRequest_FreeFcn.
200 */
201 typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)(
202 SEC_HTTP_REQUEST_SESSION request,
203 PRPollDesc **pPollDesc,
204 PRUint16 *http_response_code,
205 const char **http_response_content_type,
206 const char **http_response_headers,
207 const char **http_response_data,
208 PRUint32 *http_response_data_len);
210 /*
211 * Calling CancelFcn asks for premature termination of the request.
212 *
213 * Future calls to SEC_HttpRequest_TrySendAndReceive should
214 * by avoided, but in this case the HttpClient implementation
215 * is expected to return immediately with SECFailure.
216 *
217 * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn
218 * is still necessary to free resources.
219 */
220 typedef SECStatus (*SEC_HttpRequest_CancelFcn)(
221 SEC_HTTP_REQUEST_SESSION request);
223 /*
224 * Before calling this function, it must be assured the request
225 * has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has
226 * returned SECSuccess, or the request has been canceled with
227 * a call to SEC_HttpRequest_CancelFcn.
228 *
229 * This function frees the client state object, closes all sockets,
230 * discards all partial results, frees any memory that was allocated
231 * by the client, and invalidates all response pointers that might
232 * have been returned by SEC_HttpRequest_TrySendAndReceiveFcn
233 */
234 typedef SECStatus (*SEC_HttpRequest_FreeFcn)(
235 SEC_HTTP_REQUEST_SESSION request);
237 typedef struct SEC_HttpClientFcnV1Struct {
238 SEC_HttpServer_CreateSessionFcn createSessionFcn;
239 SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn;
240 SEC_HttpServer_FreeSessionFcn freeSessionFcn;
241 SEC_HttpRequest_CreateFcn createFcn;
242 SEC_HttpRequest_SetPostDataFcn setPostDataFcn;
243 SEC_HttpRequest_AddHeaderFcn addHeaderFcn;
244 SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn;
245 SEC_HttpRequest_CancelFcn cancelFcn;
246 SEC_HttpRequest_FreeFcn freeFcn;
247 } SEC_HttpClientFcnV1;
249 typedef struct SEC_HttpClientFcnStruct {
250 PRInt16 version;
251 union {
252 SEC_HttpClientFcnV1 ftable1;
253 /* SEC_HttpClientFcnV2 ftable2; */
254 /* ... */
255 } fcnTable;
256 } SEC_HttpClientFcn;
258 /*
259 * ocspMode_FailureIsVerificationFailure:
260 * This is the classic behaviour of NSS.
261 * Any OCSP failure is a verification failure (classic mode, default).
262 * Without a good response, OCSP networking will be retried each time
263 * it is required for verifying a cert.
264 *
265 * ocspMode_FailureIsNotAVerificationFailure:
266 * If we fail to obtain a valid OCSP response, consider the
267 * cert as good.
268 * Failed OCSP attempts might get cached and not retried until
269 * minimumSecondsToNextFetchAttempt.
270 * If we are able to obtain a valid response, the cert
271 * will be considered good, if either status is "good"
272 * or the cert was not yet revoked at verification time.
273 *
274 * Additional failure modes might be added in the future.
275 */
276 typedef enum {
277 ocspMode_FailureIsVerificationFailure = 0,
278 ocspMode_FailureIsNotAVerificationFailure = 1
279 } SEC_OcspFailureMode;
281 /*
282 * A ResponderID identifies the responder -- or more correctly, the
283 * signer of the response. The ASN.1 definition of a ResponderID is:
284 *
285 * ResponderID ::= CHOICE {
286 * byName [1] EXPLICIT Name,
287 * byKey [2] EXPLICIT KeyHash }
288 *
289 * Because it is CHOICE, the type of identification used and the
290 * identification itself are actually encoded together. To represent
291 * this same information internally, we explicitly define a type and
292 * save it, along with the value, into a data structure.
293 */
295 typedef enum {
296 ocspResponderID_other = -1, /* unknown kind of responderID */
297 ocspResponderID_byName = 1,
298 ocspResponderID_byKey = 2
299 } CERTOCSPResponderIDType;
301 #endif /* _OCSPT_H_ */
