michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: /*
michael@0:  * pkix_revocationchecker.h
michael@0:  *
michael@0:  * RevocationChecker Object Type Definition
michael@0:  *
michael@0:  */
michael@0: 
michael@0: #ifndef _PKIX_REVOCATIONCHECKER_H
michael@0: #define _PKIX_REVOCATIONCHECKER_H
michael@0: 
michael@0: #include "pkixt.h"
michael@0: 
michael@0: #ifdef __cplusplus
michael@0: extern "C" {
michael@0: #endif
michael@0: 
michael@0: /* NOTE: nbio logistic removed. Will be replaced later. */
michael@0: 
michael@0: /*
michael@0:  * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
michael@0:  * this is a method dependent flag.
michael@0:  */
michael@0: 
michael@0: /*
michael@0:  * Whether or not to use a method for revocation testing.
michael@0:  * If set to "do not test", then all other flags are ignored.
michael@0:  */
michael@0: #define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0x00L
michael@0: #define PKIX_REV_M_TEST_USING_THIS_METHOD            0x01L
michael@0: 
michael@0: /*
michael@0:  * Whether or not NSS is allowed to attempt to fetch fresh information
michael@0:  *         from the network.
michael@0:  * (Although fetching will never happen if fresh information for the
michael@0:  *           method is already locally available.)
michael@0:  */
michael@0: #define PKIX_REV_M_ALLOW_NETWORK_FETCHING            0x00L
michael@0: #define PKIX_REV_M_FORBID_NETWORK_FETCHING           0x02L
michael@0: 
michael@0: /*
michael@0:  * Example for an implicit default source:
michael@0:  *         The globally configured default OCSP responder.
michael@0:  * IGNORE means:
michael@0:  *        ignore the implicit default source, whether it's configured or not.
michael@0:  * ALLOW means:
michael@0:  *       if an implicit default source is configured, 
michael@0:  *          then it overrides any available or missing source in the cert.
michael@0:  *       if no implicit default source is configured,
michael@0:  *          then we continue to use what's available (or not available) 
michael@0:  *          in the certs.
michael@0:  */ 
michael@0: #define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0x00L
michael@0: #define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    0x04L /* OCSP only */
michael@0: 
michael@0: /*
michael@0:  * Defines the behavior if no fresh information is available,
michael@0:  *   fetching from the network is allowed, but the source of revocation
michael@0:  *   information is unknown (even after considering implicit sources,
michael@0:  *   if allowed by other flags).
michael@0:  * SKIPT_TEST means:
michael@0:  *          We ignore that no fresh information is available and 
michael@0:  *          skip this test.
michael@0:  * REQUIRE_INFO means:
michael@0:  *          We still require that fresh information is available.
michael@0:  *          Other flags define what happens on missing fresh info.
michael@0:  */
michael@0: 
michael@0: #define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0x00L
michael@0: #define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    0x08L
michael@0: 
michael@0: /*
michael@0:  * Defines the behavior if we are unable to obtain fresh information.
michael@0:  * INGORE means:
michael@0:  *      Return "cert status unknown"
michael@0:  * FAIL means:
michael@0:  *      Return "cert revoked".
michael@0:  */
michael@0: 
michael@0: #define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO         0x00L
michael@0: #define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO        0x10L
michael@0: 
michael@0: /*
michael@0:  * What should happen if we were able to find fresh information using
michael@0:  * this method, and the data indicated the cert is good?
michael@0:  * STOP_TESTING means:
michael@0:  *              Our success is sufficient, do not continue testing
michael@0:  *              other methods.
michael@0:  * CONTINUE_TESTING means:
michael@0:  *                  We will continue and test the next allowed
michael@0:  *                  specified method.
michael@0:  */
michael@0: 
michael@0: #define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO        0x00L
michael@0: #define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    0x20L
michael@0: 
michael@0: /*
michael@0:  * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates
michael@0:  * this is a method independent flag.
michael@0:  */
michael@0: 
michael@0: /*
michael@0:  * This defines the order to checking.
michael@0:  * EACH_METHOD_SEPARATELY means:
michael@0:  *      Do all tests related to a particular allowed method
michael@0:  *      (both local information and network fetching) in a single step.
michael@0:  *      Only after testing for a particular method is done,
michael@0:  *      then switching to the next method will happen.
michael@0:  * ALL_LOCAL_INFORMATION_FIRST means:
michael@0:  *      Start by testing the information for all allowed methods
michael@0:  *      which are already locally available. Only after that is done
michael@0:  *      consider to fetch from the network (as allowed by other flags).
michael@0:  */
michael@0: #define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY       0x00L
michael@0: #define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  0x01L
michael@0: 
michael@0: /*
michael@0:  * Use this flag to specify that it's necessary that fresh information
michael@0:  * is available for at least one of the allowed methods, but it's
michael@0:  * irrelevant which of the mechanisms succeeded.
michael@0:  * NO_OVERALL_INFO_REQUIREMENT means:
michael@0:  *     We strictly follow the requirements for each individual method.
michael@0:  * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
michael@0:  *     After the individual tests have been executed, we must have
michael@0:  *     been able to find fresh information using at least one method.
michael@0:  *     If we were unable to find fresh info, it's a failure.
michael@0:  */
michael@0: #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0x00L
michael@0: #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L
michael@0: 
michael@0: /* Defines check time for the cert, revocation methods lists and
michael@0:  * flags for leaf and chain certs revocation tests. */
michael@0: struct PKIX_RevocationCheckerStruct {
michael@0:     PKIX_List *leafMethodList;
michael@0:     PKIX_List *chainMethodList;
michael@0:     PKIX_UInt32 leafMethodListFlags;
michael@0:     PKIX_UInt32 chainMethodListFlags;
michael@0: };
michael@0: 
michael@0: /* see source file for function documentation */
michael@0: 
michael@0: PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext);
michael@0: 
michael@0: #ifdef __cplusplus
michael@0: }
michael@0: #endif
michael@0: 
michael@0: #endif /* _PKIX_REVOCATIONCHECKER_H */