security/nss/lib/certhigh/ocspi.h

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     4 /*
     5  * ocspi.h - NSS internal interfaces to OCSP code
     6  */
     8 #ifndef _OCSPI_H_
     9 #define _OCSPI_H_
    11 SECStatus OCSP_InitGlobal(void);
    12 SECStatus OCSP_ShutdownGlobal(void);
    14 ocspResponseData *
    15 ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
    17 ocspSignature *
    18 ocsp_GetResponseSignature(CERTOCSPResponse *response);
    20 SECItem *
    21 ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
    22                  SECItem *fill, const SECItem *src);
    24 PRBool
    25 ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
    27 CERTCertificate *
    28 ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
    29                           ocspSignature *signature, CERTCertificate *issuer);
    31 SECStatus
    32 ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
    33                              ocspSignature *signature,
    34                              SECItem *tbsResponseDataDER,
    35                              void *pwArg);
    37 CERTOCSPRequest *
    38 cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, 
    39                                  CERTCertificate *singleCert, 
    40                                  PRTime time,
    41                                  PRBool addServiceLocator,
    42                                  CERTCertificate *signerCert);
    44 typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
    46 SECStatus
    47 ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
    48                                  PRTime time,
    49                                  PRBool ignoreOcspFailureMode,
    50                                  SECStatus *rvOcsp,
    51                                  SECErrorCodes *missingResponseError,
    52                                  OCSPFreshness *freshness);
    54 /*
    55  * FUNCTION: cert_ProcessOCSPResponse
    56  *  Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
    57  *  In addition it can update the OCSP cache (using information
    58  *  available internally to this function).
    59  * INPUTS:
    60  *  CERTCertDBHandle *handle
    61  *    certificate DB of the cert that is being checked
    62  *  CERTOCSPResponse *response
    63  *    the OCSP response we want to retrieve status from.
    64  *  CERTOCSPCertID *certID
    65  *    the ID we want to look for from the response.
    66  *  CERTCertificate *signerCert
    67  *    the certificate that was used to sign the OCSP response.
     68  *    it must be obtained via a call to CERT_VerifyOCSPResponseSignature.
    69  *  PRTime time
    70  *    The time at which we're checking the status for.
    71  *  PRBool *certIDWasConsumed
    72  *    In and Out parameter.
     73  *    If certIDWasConsumed is NULL on input,
     74  *    this function might create a deep copy of certID
     75  *    in order to store it in the cache.
     76  *    If the out value is true, ownership of certID was
     77  *    transferred to the OCSP cache (the caller must no longer free it).
    78  *  SECStatus *cacheUpdateStatus
    79  *    This optional out parameter will contain the result
    80  *    of the cache update operation (if requested).
    81  *  RETURN:
    82  *    The return value is not influenced by the cache operation,
    83  *    it matches the documentation for CERT_CheckOCSPStatus
    84  */
    86 SECStatus
    87 cert_ProcessOCSPResponse(CERTCertDBHandle *handle, 
    88                          CERTOCSPResponse *response, 
    89                          CERTOCSPCertID   *certID,
    90                          CERTCertificate  *signerCert,
    91                          PRTime            time,
    92                          PRBool           *certIDWasConsumed,
    93                          SECStatus        *cacheUpdateStatus);
    95 /*
    96  * FUNCTION: cert_RememberOCSPProcessingFailure
     97  *  If an application notices a failure during OCSP processing,
     98  *  it should call this function as its last step. The failure will be
     99  *  recorded in the OCSP cache in order to avoid repeating the failure.
   100  * INPUTS:
   101  *  CERTOCSPCertID *certID
   102  *    the ID that was used for the failed OCSP processing
   103  *  PRBool *certIDWasConsumed
    104  *    Out parameter; if set to true, ownership of certID was
    105  *    transferred to the OCSP cache (the caller must no longer free it).
   106  *  RETURN:
   107  *    Status of the cache update operation.
   108  */
   110 SECStatus
   111 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
   112                                    PRBool         *certIDWasConsumed);
   114 /*
   115  * FUNCTION: ocsp_GetResponderLocation
    116  *  Checks the ocspx context for a user-designated responder URI first.
    117  *  If none is found, checks the cert's AIA extension.
   118  * INPUTS:
   119  *  CERTCertDBHandle *handle
   120  *    certificate DB of the cert that is being checked
   121  *  CERTCertificate *cert
   122  *     The certificate being examined.
    123  *  PRBool canUseDefaultLocation
         *    Whether the user-designated default responder may be used at all;
         *    presumably when false only the cert's AIA extension is consulted
         *    (inferred from the parameter name, verify against the implementation).
    124  *  PRBool *isDefault
    125  *    Out parameter; if set to true, the URI of the default responder is
         *    returned.
   126  *  RETURN:
   127  *    Responder URI.
   128  */
   129 char *
   130 ocsp_GetResponderLocation(CERTCertDBHandle *handle,
   131                           CERTCertificate *cert,
   132                           PRBool canUseDefaultLocation,
   133                           PRBool *isDefault);
   135 /* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
   136  * The function checks the global ocsp settings and
   137  * tells how to treat an ocsp response fetching failure.
   138  * RETURNS:
    139  *   if PR_TRUE is returned, a failure to fetch the response must be
    140  *   treated as a verification failure, i.e. as a revoked cert status.
   141  */
   142 PRBool
   143 ocsp_FetchingFailureIsVerificationFailure(void);
   145 size_t
   146 ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
   148 SECStatus
   149 ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
   150                                         CERTOCSPResponse *response, 
   151                                         CERTOCSPCertID   *certID,
   152                                         CERTCertificate  *signerCert,
   153                                         PRTime            time,
   154                                         CERTOCSPSingleResponse **pSingleResponse);
   156 SECStatus
   157 ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
   159 void
   160 ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
   161 			 CERTOCSPSingleResponse *single,
   162 			 PRBool *certIDWasConsumed);
   164 #endif /* _OCSPI_H_ */
