security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rwxr-xr-x

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     4 /*
     5  * pkix_revocationchecker.h
     6  *
     7  * RevocationChecker Object Type Definition
     8  *
     9  */
    11 #ifndef _PKIX_REVOCATIONCHECKER_H
    12 #define _PKIX_REVOCATIONCHECKER_H
    14 #include "pkixt.h"
    16 #ifdef __cplusplus
    17 extern "C" {
    18 #endif
    20 /* NOTE: nbio logistic removed. Will be replaced later. */
    22 /*
    23  * All Flags are prefixed by PKIX_REV_M_, where _M_ indicates
    24  * this is a method dependent flag.
        * In each pair below, the first name is 0x00L: it denotes the absence
        * of the second name's bit, so it cannot be detected with a bitwise
        * AND against itself; test for the non-zero name instead.
    25  */
    27 /*
    28  * Whether or not to use a method for revocation testing.
    29  * If set to "do not test", then all other flags are ignored.
    30  */
    31 #define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0x00L
    32 #define PKIX_REV_M_TEST_USING_THIS_METHOD            0x01L
    34 /*
    35  * Whether or not NSS is allowed to attempt to fetch fresh information
    36  *         from the network.
    37  * (Although fetching will never happen if fresh information for the
    38  *           method is already locally available.)
        * ALLOW is the zero value: network fetching is permitted unless the
        * caller sets the 0x02 (FORBID) bit, so a caller that must not
        * contact revocation servers has to set it explicitly.
    39  */
    40 #define PKIX_REV_M_ALLOW_NETWORK_FETCHING            0x00L
    41 #define PKIX_REV_M_FORBID_NETWORK_FETCHING           0x02L
    43 /*
    44  * Example of an implicit default source:
    45  *         The globally configured default OCSP responder.
    46  * IGNORE means:
    47  *        ignore the implicit default source, whether it's configured or not.
    48  * ALLOW means:
    49  *       if an implicit default source is configured,
    50  *          then it overrides any available or missing source in the cert.
    51  *       if no implicit default source is configured,
    52  *          then we continue to use what's available (or not available)
    53  *          in the certs.
        * ALLOW is the zero value, so a configured default source takes
        * precedence over the cert's own source unless the 0x04 bit is set.
    54  */
    55 #define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0x00L
    56 #define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    0x04L /* OCSP only */
    58 /*
    59  * Defines the behavior if no fresh information is available,
    60  *   fetching from the network is allowed, but the source of revocation
    61  *   information is unknown (even after considering implicit sources,
    62  *   if allowed by other flags).
    63  * SKIP_TEST means:
    64  *          We ignore that no fresh information is available and
    65  *          skip this test.
    66  * REQUIRE_INFO means:
    67  *          We still require that fresh information is available.
    68  *          Other flags define what happens on missing fresh info.
        * SKIP_TEST is the zero value, so a cert that names no revocation
        * source is not tested by this method unless the 0x08 bit is set.
    69  */
    71 #define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0x00L
    72 #define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    0x08L
    74 /*
    75  * Defines the behavior if we are unable to obtain fresh information.
    76  * IGNORE means:
    77  *      Return "cert status unknown"
    78  * FAIL means:
    79  *      Return "cert revoked".
        * IGNORE is the zero value, so this method does not treat missing
        * fresh info as a revocation unless the 0x10 bit is set; what the
        * overall check does with an "unknown" status is not defined in
        * this header (see PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
        * and the source file).
    80  */
    82 #define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO         0x00L
    83 #define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO        0x10L
    85 /*
    86  * What should happen if we were able to find fresh information using
    87  * this method, and the data indicated the cert is good?
    88  * STOP_TESTING means:
    89  *              Our success is sufficient, do not continue testing
    90  *              other methods.
    91  * CONTINUE_TESTING means:
    92  *                  We will continue and test the next allowed
    93  *                  specified method.
        * STOP_TESTING is the zero value, so one method's "good" result ends
        * testing unless the 0x20 bit is set.
        * NOTE(review): only the "cert is good" outcome is described here;
        * the handling of a "revoked" result is not stated in this header.
    94  */
    96 #define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO        0x00L
    97 #define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    0x20L
    99 /*
   100  * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates
   101  * this is a method independent flag.
        * The _MI_ values reuse bit positions that the _M_ flags also use
        * (0x01, 0x02), so a value from one set is not meaningful in a flag
        * word that belongs to the other set.
   102  */
   104 /*
   105  * This defines the order of checking.
   106  * EACH_METHOD_SEPARATELY means:
   107  *      Do all tests related to a particular allowed method
   108  *      (both local information and network fetching) in a single step.
   109  *      Only after testing for a particular method is done,
   110  *      then switching to the next method will happen.
   111  * ALL_LOCAL_INFORMATION_FIRST means:
   112  *      Start by testing the information for all allowed methods
   113  *      which are already locally available. Only after that is done
   114  *      consider fetching from the network (as allowed by other flags).
   115  */
   116 #define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY       0x00L
   117 #define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  0x01L
   119 /*
   120  * Use this flag to specify that it's necessary that fresh information
   121  * is available for at least one of the allowed methods, but it's
   122  * irrelevant which of the mechanisms succeeded.
   123  * NO_OVERALL_INFO_REQUIREMENT means:
   124  *     We strictly follow the requirements for each individual method.
   125  * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
   126  *     After the individual tests have been executed, we must have
   127  *     been able to find fresh information using at least one method.
   128  *     If we were unable to find fresh info, it's a failure.
        * NO_OVERALL_INFO_REQUIREMENT is the zero value, so the "at least one
        * method produced fresh info" requirement applies only when the 0x02
        * bit is set in the method independent flag word.
   129  */
   130 #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0x00L
   131 #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L
   133 /* Holds the revocation method lists and the flag words used for
   134  * leaf and chain cert revocation tests.
        * NOTE(review): the earlier wording also mentioned a check time for
        * the cert, but no time field is declared in this struct. */
   135 struct PKIX_RevocationCheckerStruct {
   136     PKIX_List *leafMethodList;        /* revocation methods for the leaf cert */
   137     PKIX_List *chainMethodList;       /* revocation methods for chain certs */
   138     PKIX_UInt32 leafMethodListFlags;  /* presumably PKIX_REV_MI_* flags for the leaf list - confirm */
   139     PKIX_UInt32 chainMethodListFlags; /* presumably PKIX_REV_MI_* flags for the chain list - confirm */
   140 };
   142 /* See source file for function documentation.
        * As declared here: takes a void *plContext and returns a PKIX_Error
        * pointer; presumably registers the RevocationChecker object type -
        * confirm against the source file. */
   144 PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext);
   146 #ifdef __cplusplus
   147 }
   148 #endif
   150 #endif /* _PKIX_REVOCATIONCHECKER_H */
