michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* michael@0: * Interface to the OCSP implementation. michael@0: */ michael@0: michael@0: #ifndef _OCSP_H_ michael@0: #define _OCSP_H_ michael@0: michael@0: michael@0: #include "plarena.h" michael@0: #include "seccomon.h" michael@0: #include "secoidt.h" michael@0: #include "keyt.h" michael@0: #include "certt.h" michael@0: #include "ocspt.h" michael@0: michael@0: michael@0: /************************************************************************/ michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /* michael@0: * This function registers the HttpClient with whose functions the michael@0: * HttpClientFcn structure has been populated as the default Http michael@0: * client. michael@0: * michael@0: * The function table must be a global object. michael@0: * The caller must ensure that NSS will be able to call michael@0: * the registered functions for the lifetime of the process. michael@0: */ michael@0: extern SECStatus michael@0: SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable); michael@0: michael@0: /* michael@0: * This function obtains the HttpClient which has been registered michael@0: * by an earlier call to SEC_RegisterDefaultHttpClient. michael@0: */ michael@0: extern const SEC_HttpClientFcn * michael@0: SEC_GetRegisteredHttpClient(void); michael@0: michael@0: /* michael@0: * Sets parameters that control NSS' internal OCSP cache. michael@0: * maxCacheEntries, special varlues are: michael@0: * -1 disable cache michael@0: * 0 unlimited cache entries michael@0: * minimumSecondsToNextFetchAttempt: michael@0: * whenever an OCSP request was attempted or completed over the network, michael@0: * wait at least this number of seconds before trying to fetch again. michael@0: * maximumSecondsToNextFetchAttempt: michael@0: * this is the maximum age of a cached response we allow, until we try michael@0: * to fetch an updated response, even if the OCSP responder expects michael@0: * that newer information update will not be available yet. michael@0: */ michael@0: extern SECStatus michael@0: CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, michael@0: PRUint32 minimumSecondsToNextFetchAttempt, michael@0: PRUint32 maximumSecondsToNextFetchAttempt); michael@0: michael@0: /* michael@0: * Set the desired behaviour on OCSP failures. michael@0: * See definition of ocspFailureMode for allowed choices. michael@0: */ michael@0: extern SECStatus michael@0: CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode); michael@0: michael@0: /* michael@0: * Configure the maximum time NSS will wait for an OCSP response. michael@0: */ michael@0: extern SECStatus michael@0: CERT_SetOCSPTimeout(PRUint32 seconds); michael@0: michael@0: /* michael@0: * Removes all items currently stored in the OCSP cache. michael@0: */ michael@0: extern SECStatus michael@0: CERT_ClearOCSPCache(void); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_EnableOCSPChecking michael@0: * Turns on OCSP checking for the given certificate database. michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * Certificate database for which OCSP checking will be enabled. michael@0: * RETURN: michael@0: * Returns SECFailure if an error occurred (likely only problem michael@0: * allocating memory); SECSuccess otherwise. michael@0: */ michael@0: extern SECStatus michael@0: CERT_EnableOCSPChecking(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DisableOCSPChecking michael@0: * Turns off OCSP checking for the given certificate database. michael@0: * This routine disables OCSP checking. Though it will return michael@0: * SECFailure if OCSP checking is not enabled, it is "safe" to michael@0: * call it that way and just ignore the return value, if it is michael@0: * easier to just call it than to "remember" whether it is enabled. michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * Certificate database for which OCSP checking will be disabled. michael@0: * RETURN: michael@0: * Returns SECFailure if an error occurred (usually means that OCSP michael@0: * checking was not enabled or status contexts were not initialized -- michael@0: * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. michael@0: */ michael@0: extern SECStatus michael@0: CERT_DisableOCSPChecking(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_SetOCSPDefaultResponder michael@0: * Specify the location and cert of the default responder. michael@0: * If OCSP checking is already enabled *and* use of a default responder michael@0: * is also already enabled, all OCSP checking from now on will go directly michael@0: * to the specified responder. If OCSP checking is not enabled, or if michael@0: * it is but use of a default responder is not enabled, the information michael@0: * will be recorded and take effect whenever both are enabled. michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * Cert database on which OCSP checking should use the default responder. michael@0: * const char *url michael@0: * The location of the default responder (e.g. "http://foo.com:80/ocsp") michael@0: * Note that the location will not be tested until the first attempt michael@0: * to send a request there. michael@0: * const char *name michael@0: * The nickname of the cert to trust (expected) to sign the OCSP responses. michael@0: * If the corresponding cert cannot be found, SECFailure is returned. michael@0: * RETURN: michael@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. michael@0: * The most likely error is that the cert for "name" could not be found michael@0: * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, michael@0: * bad database, etc.). michael@0: */ michael@0: extern SECStatus michael@0: CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, michael@0: const char *url, const char *name); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_EnableOCSPDefaultResponder michael@0: * Turns on use of a default responder when OCSP checking. michael@0: * If OCSP checking is already enabled, this will make subsequent checks michael@0: * go directly to the default responder. (The location of the responder michael@0: * and the nickname of the responder cert must already be specified.) michael@0: * If OCSP checking is not enabled, this will be recorded and take effect michael@0: * whenever it is enabled. michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * Cert database on which OCSP checking should use the default responder. michael@0: * RETURN: michael@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. michael@0: * No errors are especially likely unless the caller did not previously michael@0: * perform a successful call to SetOCSPDefaultResponder (in which case michael@0: * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). michael@0: */ michael@0: extern SECStatus michael@0: CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DisableOCSPDefaultResponder michael@0: * Turns off use of a default responder when OCSP checking. michael@0: * (Does nothing if use of a default responder is not enabled.) michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * Cert database on which OCSP checking should stop using a default michael@0: * responder. michael@0: * RETURN: michael@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. michael@0: * Errors very unlikely (like random memory corruption...). michael@0: */ michael@0: extern SECStatus michael@0: CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle); michael@0: michael@0: /* If forcePost is set, OCSP requests will only be sent using the HTTP POST michael@0: * method. When forcePost is not set, OCSP requests will be sent using the michael@0: * HTTP GET method, with a fallback to POST when we fail to receive a response michael@0: * and/or when we receive an uncacheable response like "Unknown." michael@0: * michael@0: * The default is to use GET and fallback to POST. michael@0: */ michael@0: extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); michael@0: michael@0: /* michael@0: * ------------------------------------------------------- michael@0: * The Functions above are those expected to be used by a client michael@0: * providing OCSP status checking along with every cert verification. michael@0: * The functions below are for OCSP testing, debugging, or clients michael@0: * or servers performing more specialized OCSP tasks. michael@0: * ------------------------------------------------------- michael@0: */ michael@0: michael@0: /* michael@0: * FUNCTION: CERT_CreateOCSPRequest michael@0: * Creates a CERTOCSPRequest, requesting the status of the certs in michael@0: * the given list. michael@0: * INPUTS: michael@0: * CERTCertList *certList michael@0: * A list of certs for which status will be requested. michael@0: * Note that all of these certificates should have the same issuer, michael@0: * or it's expected the response will be signed by a trusted responder. michael@0: * If the certs need to be broken up into multiple requests, that michael@0: * must be handled by the caller (and thus by having multiple calls michael@0: * to this routine), who knows about where the request(s) are being michael@0: * sent and whether there are any trusted responders in place. michael@0: * PRTime time michael@0: * Indicates the time for which the certificate status is to be michael@0: * determined -- this may be used in the search for the cert's issuer michael@0: * but has no effect on the request itself. michael@0: * PRBool addServiceLocator michael@0: * If true, the Service Locator extension should be added to the michael@0: * single request(s) for each cert. michael@0: * CERTCertificate *signerCert michael@0: * If non-NULL, means sign the request using this cert. Otherwise, michael@0: * do not sign. michael@0: * XXX note that request signing is not yet supported; see comment in code michael@0: * RETURN: michael@0: * A pointer to a CERTOCSPRequest structure containing an OCSP request michael@0: * for the cert list. On error, null is returned, with an error set michael@0: * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. michael@0: * (The issuer is needed to create a request for the certificate.) michael@0: * Other errors are low-level problems (no memory, bad database, etc.). michael@0: */ michael@0: extern CERTOCSPRequest * michael@0: CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, michael@0: PRBool addServiceLocator, michael@0: CERTCertificate *signerCert); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_AddOCSPAcceptableResponses michael@0: * Add the AcceptableResponses extension to an OCSP Request. michael@0: * INPUTS: michael@0: * CERTOCSPRequest *request michael@0: * The request to which the extension should be added. michael@0: * SECOidTag responseType0, ... michael@0: * A list (of one or more) of SECOidTag -- each of the response types michael@0: * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. michael@0: * (This marks the end of the list, and it must be specified because a michael@0: * client conforming to the OCSP standard is required to handle the basic michael@0: * response type.) The OIDs are not checked in any way. michael@0: * RETURN: michael@0: * SECSuccess if the extension is added; SECFailure if anything goes wrong. michael@0: * All errors are internal or low-level problems (e.g. no memory). michael@0: */ michael@0: extern SECStatus michael@0: CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, michael@0: SECOidTag responseType0, ...); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_EncodeOCSPRequest michael@0: * DER encodes an OCSP Request, possibly adding a signature as well. michael@0: * XXX Signing is not yet supported, however; see comments in code. michael@0: * INPUTS: michael@0: * PLArenaPool *arena michael@0: * The return value is allocated from here. michael@0: * If a NULL is passed in, allocation is done from the heap instead. michael@0: * CERTOCSPRequest *request michael@0: * The request to be encoded. michael@0: * void *pwArg michael@0: * Pointer to argument for password prompting, if needed. (Definitely michael@0: * not needed if not signing.) michael@0: * RETURN: michael@0: * Returns a NULL on error and a pointer to the SECItem with the michael@0: * encoded value otherwise. Any error is likely to be low-level michael@0: * (e.g. no memory). michael@0: */ michael@0: extern SECItem * michael@0: CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, michael@0: void *pwArg); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DecodeOCSPRequest michael@0: * Decode a DER encoded OCSP Request. michael@0: * INPUTS: michael@0: * SECItem *src michael@0: * Pointer to a SECItem holding DER encoded OCSP Request. michael@0: * RETURN: michael@0: * Returns a pointer to a CERTOCSPRequest containing the decoded request. michael@0: * On error, returns NULL. Most likely error is trouble decoding michael@0: * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). michael@0: */ michael@0: extern CERTOCSPRequest * michael@0: CERT_DecodeOCSPRequest(const SECItem *src); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DestroyOCSPRequest michael@0: * Frees an OCSP Request structure. michael@0: * INPUTS: michael@0: * CERTOCSPRequest *request michael@0: * Pointer to CERTOCSPRequest to be freed. michael@0: * RETURN: michael@0: * No return value; no errors. michael@0: */ michael@0: extern void michael@0: CERT_DestroyOCSPRequest(CERTOCSPRequest *request); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DecodeOCSPResponse michael@0: * Decode a DER encoded OCSP Response. michael@0: * INPUTS: michael@0: * SECItem *src michael@0: * Pointer to a SECItem holding DER encoded OCSP Response. michael@0: * RETURN: michael@0: * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); michael@0: * the caller is responsible for destroying it. Or NULL if error (either michael@0: * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), michael@0: * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), michael@0: * or a low-level or internal error occurred). michael@0: */ michael@0: extern CERTOCSPResponse * michael@0: CERT_DecodeOCSPResponse(const SECItem *src); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DestroyOCSPResponse michael@0: * Frees an OCSP Response structure. michael@0: * INPUTS: michael@0: * CERTOCSPResponse *request michael@0: * Pointer to CERTOCSPResponse to be freed. michael@0: * RETURN: michael@0: * No return value; no errors. michael@0: */ michael@0: extern void michael@0: CERT_DestroyOCSPResponse(CERTOCSPResponse *response); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_GetEncodedOCSPResponse michael@0: * Creates and sends a request to an OCSP responder, then reads and michael@0: * returns the (encoded) response. michael@0: * INPUTS: michael@0: * PLArenaPool *arena michael@0: * Pointer to arena from which return value will be allocated. michael@0: * If NULL, result will be allocated from the heap (and thus should michael@0: * be freed via SECITEM_FreeItem). michael@0: * CERTCertList *certList michael@0: * A list of certs for which status will be requested. michael@0: * Note that all of these certificates should have the same issuer, michael@0: * or it's expected the response will be signed by a trusted responder. michael@0: * If the certs need to be broken up into multiple requests, that michael@0: * must be handled by the caller (and thus by having multiple calls michael@0: * to this routine), who knows about where the request(s) are being michael@0: * sent and whether there are any trusted responders in place. michael@0: * const char *location michael@0: * The location of the OCSP responder (a URL). michael@0: * PRTime time michael@0: * Indicates the time for which the certificate status is to be michael@0: * determined -- this may be used in the search for the cert's issuer michael@0: * but has no other bearing on the operation. michael@0: * PRBool addServiceLocator michael@0: * If true, the Service Locator extension should be added to the michael@0: * single request(s) for each cert. michael@0: * CERTCertificate *signerCert michael@0: * If non-NULL, means sign the request using this cert. Otherwise, michael@0: * do not sign. michael@0: * void *pwArg michael@0: * Pointer to argument for password prompting, if needed. (Definitely michael@0: * not needed if not signing.) michael@0: * OUTPUTS: michael@0: * CERTOCSPRequest **pRequest michael@0: * Pointer in which to store the OCSP request created for the given michael@0: * list of certificates. It is only filled in if the entire operation michael@0: * is successful and the pointer is not null -- and in that case the michael@0: * caller is then reponsible for destroying it. michael@0: * RETURN: michael@0: * Returns a pointer to the SECItem holding the response. michael@0: * On error, returns null with error set describing the reason: michael@0: * SEC_ERROR_UNKNOWN_ISSUER michael@0: * SEC_ERROR_CERT_BAD_ACCESS_LOCATION michael@0: * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE michael@0: * Other errors are low-level problems (no memory, bad database, etc.). michael@0: */ michael@0: extern SECItem * michael@0: CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, michael@0: const char *location, PRTime time, michael@0: PRBool addServiceLocator, michael@0: CERTCertificate *signerCert, void *pwArg, michael@0: CERTOCSPRequest **pRequest); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_VerifyOCSPResponseSignature michael@0: * Check the signature on an OCSP Response. Will also perform a michael@0: * verification of the signer's certificate. Note, however, that a michael@0: * successful verification does not make any statement about the michael@0: * signer's *authority* to provide status for the certificate(s), michael@0: * that must be checked individually for each certificate. michael@0: * INPUTS: michael@0: * CERTOCSPResponse *response michael@0: * Pointer to response structure with signature to be checked. michael@0: * CERTCertDBHandle *handle michael@0: * Pointer to CERTCertDBHandle for certificate DB to use for verification. michael@0: * void *pwArg michael@0: * Pointer to argument for password prompting, if needed. michael@0: * CERTCertificate *issuerCert michael@0: * Issuer of the certificate that generated the OCSP request. michael@0: * OUTPUTS: michael@0: * CERTCertificate **pSignerCert michael@0: * Pointer in which to store signer's certificate; only filled-in if michael@0: * non-null. michael@0: * RETURN: michael@0: * Returns SECSuccess when signature is valid, anything else means invalid. michael@0: * Possible errors set: michael@0: * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID michael@0: * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time michael@0: * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found michael@0: * SEC_ERROR_BAD_SIGNATURE - the signature did not verify michael@0: * Other errors are any of the many possible failures in cert verification michael@0: * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when michael@0: * verifying the signer's cert, or low-level problems (no memory, etc.) michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, michael@0: CERTCertDBHandle *handle, void *pwArg, michael@0: CERTCertificate **pSignerCert, michael@0: CERTCertificate *issuerCert); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation michael@0: * Get the value of the URI of the OCSP responder for the given cert. michael@0: * This is found in the (optional) Authority Information Access extension michael@0: * in the cert. michael@0: * INPUTS: michael@0: * CERTCertificate *cert michael@0: * The certificate being examined. michael@0: * RETURN: michael@0: * char * michael@0: * A copy of the URI for the OCSP method, if found. If either the michael@0: * extension is not present or it does not contain an entry for OCSP, michael@0: * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned. michael@0: * Any other error will also result in a NULL being returned. michael@0: * michael@0: * This result should be freed (via PORT_Free) when no longer in use. michael@0: */ michael@0: extern char * michael@0: CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack michael@0: * This function serves two purposes. michael@0: * 1) It registers the address of a callback function that will be michael@0: * called for certs that have no OCSP AIA extension, to see if the michael@0: * callback wishes to supply an alternative URL for such an OCSP inquiry. michael@0: * 2) It outputs the previously registered function's address to the michael@0: * address supplied by the caller, unless that is NULL. michael@0: * The registered callback function returns NULL, or an allocated string michael@0: * that may be subsequently freed by calling PORT_Free(). michael@0: * RETURN: michael@0: * SECSuccess or SECFailure (if the library is not yet intialized) michael@0: */ michael@0: extern SECStatus michael@0: CERT_RegisterAlternateOCSPAIAInfoCallBack( michael@0: CERT_StringFromCertFcn newCallback, michael@0: CERT_StringFromCertFcn * oldCallback); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_ParseURL michael@0: * Parse a URI into hostname, port, and path. The scheme in the URI must michael@0: * be "http". michael@0: * INPUTS: michael@0: * const char *url michael@0: * The URI to be parsed michael@0: * OUTPUTS: michael@0: * char **pHostname michael@0: * Pointer to store the hostname obtained from the URI. michael@0: * This result should be freed (via PORT_Free) when no longer in use. michael@0: * PRUint16 *pPort michael@0: * Pointer to store the port number obtained from the URI. michael@0: * char **pPath michael@0: * Pointer to store the path obtained from the URI. michael@0: * This result should be freed (via PORT_Free) when no longer in use. michael@0: * RETURN: michael@0: * Returns SECSuccess when parsing was successful. Returns SECFailure when michael@0: * problems were encountered. michael@0: */ michael@0: extern SECStatus michael@0: CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_CheckOCSPStatus michael@0: * Checks the status of a certificate via OCSP. Will only check status for michael@0: * a certificate that has an AIA (Authority Information Access) extension michael@0: * for OCSP *or* when a "default responder" is specified and enabled. michael@0: * (If no AIA extension for OCSP and no default responder in place, the michael@0: * cert is considered to have a good status and SECSuccess is returned.) michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * certificate DB of the cert that is being checked michael@0: * CERTCertificate *cert michael@0: * the certificate being checked michael@0: * XXX in the long term also need a boolean parameter that specifies michael@0: * whether to check the cert chain, as well; for now we check only michael@0: * the leaf (the specified certificate) michael@0: * PRTime time michael@0: * time for which status is to be determined michael@0: * void *pwArg michael@0: * argument for password prompting, if needed michael@0: * RETURN: michael@0: * Returns SECSuccess if an approved OCSP responder "knows" the cert michael@0: * *and* returns a non-revoked status for it; SECFailure otherwise, michael@0: * with an error set describing the reason: michael@0: * michael@0: * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE michael@0: * SEC_ERROR_OCSP_FUTURE_RESPONSE michael@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST michael@0: * SEC_ERROR_OCSP_MALFORMED_RESPONSE michael@0: * SEC_ERROR_OCSP_OLD_RESPONSE michael@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG michael@0: * SEC_ERROR_OCSP_SERVER_ERROR michael@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER michael@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST michael@0: * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE michael@0: * SEC_ERROR_OCSP_UNKNOWN_CERT michael@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS michael@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE michael@0: * michael@0: * SEC_ERROR_BAD_SIGNATURE michael@0: * SEC_ERROR_CERT_BAD_ACCESS_LOCATION michael@0: * SEC_ERROR_INVALID_TIME michael@0: * SEC_ERROR_REVOKED_CERTIFICATE michael@0: * SEC_ERROR_UNKNOWN_ISSUER michael@0: * SEC_ERROR_UNKNOWN_SIGNER michael@0: * michael@0: * Other errors are any of the many possible failures in cert verification michael@0: * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when michael@0: * verifying the signer's cert, or low-level problems (error allocating michael@0: * memory, error performing ASN.1 decoding, etc.). michael@0: */ michael@0: extern SECStatus michael@0: CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRTime time, void *pwArg); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_CacheOCSPResponseFromSideChannel michael@0: * First, this function checks the OCSP cache to see if a good response michael@0: * for the given certificate already exists. If it does, then the function michael@0: * returns successfully. michael@0: * michael@0: * If not, then it validates that the given OCSP response is a valid, michael@0: * good response for the given certificate and inserts it into the michael@0: * cache. michael@0: * michael@0: * This function is intended for use when OCSP responses are provided via a michael@0: * side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension). michael@0: * michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * certificate DB of the cert that is being checked michael@0: * CERTCertificate *cert michael@0: * the certificate being checked michael@0: * PRTime time michael@0: * time for which status is to be determined michael@0: * SECItem *encodedResponse michael@0: * the DER encoded bytes of the OCSP response michael@0: * void *pwArg michael@0: * argument for password prompting, if needed michael@0: * RETURN: michael@0: * SECSuccess if the cert was found in the cache, or if the OCSP response was michael@0: * found to be valid and inserted into the cache. SECFailure otherwise. michael@0: */ michael@0: extern SECStatus michael@0: CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, michael@0: CERTCertificate *cert, michael@0: PRTime time, michael@0: const SECItem *encodedResponse, michael@0: void *pwArg); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_GetOCSPStatusForCertID michael@0: * Returns the OCSP status contained in the passed in parameter response michael@0: * that corresponds to the certID passed in. michael@0: * INPUTS: michael@0: * CERTCertDBHandle *handle michael@0: * certificate DB of the cert that is being checked michael@0: * CERTOCSPResponse *response michael@0: * the OCSP response we want to retrieve status from. michael@0: * CERTOCSPCertID *certID michael@0: * the ID we want to look for from the response. michael@0: * CERTCertificate *signerCert michael@0: * the certificate that was used to sign the OCSP response. michael@0: * must be obtained via a call to CERT_VerifyOCSPResponseSignature. michael@0: * PRTime time michael@0: * The time at which we're checking the status for. michael@0: * RETURN: michael@0: * Return values are the same as those for CERT_CheckOCSPStatus michael@0: */ michael@0: extern SECStatus michael@0: CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, michael@0: CERTOCSPResponse *response, michael@0: CERTOCSPCertID *certID, michael@0: CERTCertificate *signerCert, michael@0: PRTime time); michael@0: michael@0: /* michael@0: * FUNCTION CERT_GetOCSPResponseStatus michael@0: * Returns the response status for the response passed. michael@0: * INPUTS: michael@0: * CERTOCSPResponse *response michael@0: * The response to query for status michael@0: * RETURN: michael@0: * Returns SECSuccess if the response has a successful status value. michael@0: * Otherwise it returns SECFailure and sets one of the following error michael@0: * codes via PORT_SetError michael@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST michael@0: * SEC_ERROR_OCSP_SERVER_ERROR michael@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER michael@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG michael@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST michael@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS michael@0: */ michael@0: extern SECStatus michael@0: CERT_GetOCSPResponseStatus(CERTOCSPResponse *response); michael@0: michael@0: /* michael@0: * FUNCTION CERT_CreateOCSPCertID michael@0: * Returns the OCSP certID for the certificate passed in. michael@0: * INPUTS: michael@0: * CERTCertificate *cert michael@0: * The certificate for which to create the certID for. michael@0: * PRTime time michael@0: * The time at which the id is requested for. This is used michael@0: * to determine the appropriate issuer for the cert since michael@0: * the issuing CA may be an older expired certificate. michael@0: * RETURN: michael@0: * A new copy of a CERTOCSPCertID*. The memory for this certID michael@0: * should be freed by calling CERT_DestroyOCSPCertID when the michael@0: * certID is no longer necessary. michael@0: */ michael@0: extern CERTOCSPCertID* michael@0: CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_DestroyOCSPCertID michael@0: * Frees the memory associated with the certID passed in. michael@0: * INPUTS: michael@0: * CERTOCSPCertID* certID michael@0: * The certID that the caller no longer needs and wants to michael@0: * free the associated memory. michael@0: * RETURN: michael@0: * SECSuccess if freeing the memory was successful. Returns michael@0: * SECFailure if the memory passed in was not allocated with michael@0: * a call to CERT_CreateOCSPCertID. michael@0: */ michael@0: extern SECStatus michael@0: CERT_DestroyOCSPCertID(CERTOCSPCertID* certID); michael@0: michael@0: michael@0: extern CERTOCSPSingleResponse* michael@0: CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, michael@0: CERTOCSPCertID *id, michael@0: PRTime thisUpdate, michael@0: const PRTime *nextUpdate); michael@0: michael@0: extern CERTOCSPSingleResponse* michael@0: CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, michael@0: CERTOCSPCertID *id, michael@0: PRTime thisUpdate, michael@0: const PRTime *nextUpdate); michael@0: michael@0: extern CERTOCSPSingleResponse* michael@0: CERT_CreateOCSPSingleResponseRevoked( michael@0: PLArenaPool *arena, michael@0: CERTOCSPCertID *id, michael@0: PRTime thisUpdate, michael@0: const PRTime *nextUpdate, michael@0: PRTime revocationTime, michael@0: const CERTCRLEntryReasonCode* revocationReason); michael@0: michael@0: extern SECItem* michael@0: CERT_CreateEncodedOCSPSuccessResponse( michael@0: PLArenaPool *arena, michael@0: CERTCertificate *responderCert, michael@0: CERTOCSPResponderIDType responderIDType, michael@0: PRTime producedAt, michael@0: CERTOCSPSingleResponse **responses, michael@0: void *wincx); michael@0: michael@0: /* michael@0: * FUNCTION: CERT_CreateEncodedOCSPErrorResponse michael@0: * Creates an encoded OCSP response with an error response status. michael@0: * INPUTS: michael@0: * PLArenaPool *arena michael@0: * The return value is allocated from here. michael@0: * If a NULL is passed in, allocation is done from the heap instead. michael@0: * int error michael@0: * An NSS error code indicating an error response status. The error michael@0: * code is mapped to an OCSP response status as follows: michael@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest michael@0: * SEC_ERROR_OCSP_SERVER_ERROR -> internalError michael@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater michael@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired michael@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized michael@0: * where the OCSP response status is an enumerated type defined in michael@0: * RFC 2560: michael@0: * OCSPResponseStatus ::= ENUMERATED { michael@0: * successful (0), --Response has valid confirmations michael@0: * malformedRequest (1), --Illegal confirmation request michael@0: * internalError (2), --Internal error in issuer michael@0: * tryLater (3), --Try again later michael@0: * --(4) is not used michael@0: * sigRequired (5), --Must sign the request michael@0: * unauthorized (6) --Request unauthorized michael@0: * } michael@0: * RETURN: michael@0: * Returns a pointer to the SECItem holding the response. michael@0: * On error, returns null with error set describing the reason: michael@0: * SEC_ERROR_INVALID_ARGS michael@0: * Other errors are low-level problems (no memory, bad database, etc.). michael@0: */ michael@0: extern SECItem* michael@0: CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); michael@0: michael@0: /* Sends an OCSP request using the HTTP POST method to the location addressed michael@0: * by the URL in |location| parameter. The request body will be michael@0: * |encodedRequest|, which must be a valid encoded OCSP request. On success, michael@0: * the server's response is returned and the caller must free it using michael@0: * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of michael@0: * the HTTP response is done. michael@0: * michael@0: * If a default HTTP client has been registered with michael@0: * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an michael@0: * internal HTTP client is used. michael@0: */ michael@0: SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, michael@0: const SECItem *encodedRequest); michael@0: michael@0: /************************************************************************/ michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* _OCSP_H_ */