/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * ocspi.h - NSS internal interfaces to OCSP code
 *
 * Everything declared here is library-internal: the lower-case
 * ocsp_* / cert_* helpers back the public CERT_* OCSP API and are
 * not part of the exported interface.
 */

#ifndef _OCSPI_H_
#define _OCSPI_H_

/*
 * Set up / tear down the library-wide OCSP state.
 * NOTE(review): presumably called once from NSS init and shutdown
 * respectively — confirm against the callers.
 */
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);

/*
 * FUNCTION: ocsp_GetResponseData
 *   Return the ResponseData portion of a decoded OCSP response.
 * INPUTS:
 *   CERTOCSPResponse *response
 *     the decoded response.
 *   SECItem **tbsResponseDataDER
 *     optional out parameter; when non-NULL, presumably receives the DER
 *     encoding of the signed ResponseData, i.e. the bytes that
 *     ocsp_VerifyResponseSignature checks the signature over — confirm.
 * RETURN:
 *   The ResponseData, or NULL on failure.
 */
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);

/*
 * FUNCTION: ocsp_GetResponseSignature
 *   Return the signature portion of a decoded OCSP response
 *   (NULL if the response carries none / on failure).
 */
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);

/*
 * FUNCTION: ocsp_DigestValue
 *   Compute the digest of src using algorithm digestAlg.
 * INPUTS:
 *   PLArenaPool *arena
 *     arena the result is allocated from when fill is NULL — presumably;
 *     confirm allocation/ownership rules against the implementation.
 *   SECOidTag digestAlg
 *     the hash algorithm to use.
 *   SECItem *fill
 *     optional caller-supplied item to receive the digest.
 *   const SECItem *src
 *     the data to digest.
 * RETURN:
 *   The item holding the digest (fill, or a newly allocated one), or NULL.
 */
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
                 SECItem *fill, const SECItem *src);

/*
 * FUNCTION: ocsp_CertIsOCSPDefaultResponder
 *   Tell whether cert is the application-configured default OCSP
 *   responder certificate in the database handle.
 * RETURN:
 *   PR_TRUE if it is, PR_FALSE otherwise.
 */
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);

/*
 * FUNCTION: ocsp_GetSignerCertificate
 *   Locate the certificate that signed a response, given its ResponseData
 *   and signature and the issuer of the certificate being checked.
 *   NOTE(review): locating the signer is not the same as verifying the
 *   response — the signature itself is checked by
 *   ocsp_VerifyResponseSignature, and the signer must also be authorized
 *   to answer for `issuer`; confirm where that authorization check lives.
 * RETURN:
 *   The signer certificate, or NULL if none could be found.
 */
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
                          ocspSignature *signature, CERTCertificate *issuer);

/*
 * FUNCTION: ocsp_VerifyResponseSignature
 *   Verify that `signature` was produced by signerCert over the DER
 *   encoded ResponseData.
 * INPUTS:
 *   CERTCertificate *signerCert
 *     the candidate signer (e.g. from ocsp_GetSignerCertificate).
 *   ocspSignature *signature
 *     the signature taken from the response.
 *   SECItem *tbsResponseDataDER
 *     the exact DER bytes covered by the signature.
 *   void *pwArg
 *     opaque argument, presumably passed through to the password
 *     callback — confirm.
 * RETURN:
 *   SECSuccess if the signature verifies, SECFailure otherwise.
 */
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
                             ocspSignature *signature,
                             SECItem *tbsResponseDataDER,
                             void *pwArg);

/*
 * FUNCTION: cert_CreateSingleCertOCSPRequest
 *   Build an OCSP request covering one certificate.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID of the certificate to ask about.
 *   CERTCertificate *singleCert
 *     the certificate itself.
 *   PRTime time
 *     the time the request is being made for.
 *   PRBool addServiceLocator
 *     whether to include the service locator request extension —
 *     presumably; confirm.
 *   CERTCertificate *signerCert
 *     if non-NULL, presumably the certificate used to sign the request —
 *     confirm.
 * RETURN:
 *   The new request, or NULL on failure.
 */
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 CERTCertificate *singleCert,
                                 PRTime time,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);

/*
 * Freshness of a cache entry as reported by
 * ocsp_GetCachedOCSPResponseStatus:
 *   ocspMissing - no entry for the cert ID
 *   ocspFresh   - an entry exists and is presumably still usable
 *   ocspStale   - an entry exists but is presumably past its validity
 * (exact thresholds are defined by the implementation — confirm)
 */
typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;

/*
 * FUNCTION: ocsp_GetCachedOCSPResponseStatus
 *   Consult the OCSP cache for certID at the given time.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID to look up.
 *   PRTime time
 *     the time the status is being checked for.
 *   PRBool ignoreOcspFailureMode
 *     presumably bypasses the global failure-mode policy for this lookup —
 *     confirm against the implementation.
 *   SECStatus *rvOcsp
 *     out: the cached OCSP verdict.
 *   SECErrorCodes *missingResponseError
 *     out: the error to report when no usable response is cached.
 *   OCSPFreshness *freshness
 *     out: whether the entry was missing, fresh or stale.
 * RETURN:
 *   Status of the lookup itself, not of the certificate.
 */
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
                                 PRTime time,
                                 PRBool ignoreOcspFailureMode,
                                 SECStatus *rvOcsp,
                                 SECErrorCodes *missingResponseError,
                                 OCSPFreshness *freshness);

/*
 * FUNCTION: cert_ProcessOCSPResponse
 *   Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
 *   In addition it can update the OCSP cache (using information
 *   available internally to this function).
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTOCSPResponse *response
 *     the OCSP response we want to retrieve status from.
 *   CERTOCSPCertID *certID
 *     the ID we want to look for in the response.
 *   CERTCertificate *signerCert
 *     the certificate that was used to sign the OCSP response.
 *     Must be obtained via a call to CERT_VerifyOCSPResponseSignature,
 *     so that the response has already been authenticated.
 *   PRTime time
 *     The time at which we're checking the status.
 *   PRBool *certIDWasConsumed
 *     In and Out parameter.
 *     If certIDWasConsumed is NULL on input,
 *     this function might produce a deep copy of the cert ID
 *     for storing it in the cache.
 *     If the out value is true, ownership of parameter certID was
 *     transferred to the OCSP cache (the caller must not free it).
 *   SECStatus *cacheUpdateStatus
 *     This optional out parameter will contain the result
 *     of the cache update operation (if requested).
 * RETURN:
 *   The return value is not influenced by the cache operation;
 *   it matches the documentation for CERT_CheckOCSPStatus.
 */

SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
                         CERTOCSPResponse *response,
                         CERTOCSPCertID *certID,
                         CERTCertificate *signerCert,
                         PRTime time,
                         PRBool *certIDWasConsumed,
                         SECStatus *cacheUpdateStatus);

/*
 * FUNCTION: cert_RememberOCSPProcessingFailure
 *   If an application notices a failure during OCSP processing,
 *   it should finally call this function. The failure will be recorded
 *   in the OCSP cache in order to avoid repeated failures.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID that was used for the failed OCSP processing
 *   PRBool *certIDWasConsumed
 *     Out parameter; if set to true, ownership of parameter certID was
 *     transferred to the OCSP cache (the caller must not free it).
 * RETURN:
 *   Status of the cache update operation.
 */

SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                   PRBool *certIDWasConsumed);

/*
 * FUNCTION: ocsp_GetResponderLocation
 *   Check the ocspx context for a user-designated responder URI first.
 *   If none is found, check the cert's AIA extension.
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTCertificate *cert
 *     The certificate being examined.
 *   PRBool canUseDefaultLocation
 *     Whether the user-designated (default) responder may be used
 *     at all — presumably; confirm against the implementation.
 *   PRBool *isDefault
 *     Out parameter; if set to true, the URI of the default responder
 *     was returned rather than one taken from the certificate.
 * RETURN:
 *   Responder URI, or NULL if none is available.
 *   NOTE(review): the string is presumably heap allocated and owned by
 *   the caller — confirm which free routine to use.
 */
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
                          CERTCertificate *cert,
                          PRBool canUseDefaultLocation,
                          PRBool *isDefault);

/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
 *   Checks the global OCSP settings and tells how to treat a failure
 *   to fetch an OCSP response (the "fail on fetch error" policy).
 * RETURNS:
 *   PR_TRUE means a fetching failure is to be treated as a
 *   verification failure, i.e. as if the cert status were revoked.
 *   PR_FALSE means fetching failures are tolerated (the check is
 *   effectively skipped for that cert).
 */
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);

/*
 * FUNCTION: ocsp_UrlEncodeBase64Buf
 *   URL-encode a base64 string (for use in an OCSP GET request URL).
 * INPUTS:
 *   const char *base64Buf
 *     NUL-terminated base64 input.
 *   char *outputBuf
 *     destination buffer.
 * RETURN:
 *   size_t, presumably the number of bytes produced — confirm.
 * NOTE(review): no output size is passed, so nothing here bounds the
 * write; callers must size outputBuf for the worst-case expansion of
 * the input. Confirm against the implementation whether a NULL
 * outputBuf can be used to query the required size first.
 */
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);

/*
 * FUNCTION: ocsp_GetVerifiedSingleResponseForCertID
 *   Pull the SingleResponse for certID out of a response that has been
 *   verified against signerCert, checking it is applicable at `time`.
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTOCSPResponse *response
 *     the decoded response.
 *   CERTOCSPCertID *certID
 *     the ID to look for in the response.
 *   CERTCertificate *signerCert
 *     the verified signer of the response.
 *   PRTime time
 *     the time the status is being checked for.
 *   CERTOCSPSingleResponse **pSingleResponse
 *     out: the matching single response. Presumably points into
 *     `response` rather than being a separate allocation — confirm.
 * RETURN:
 *   SECSuccess if a usable single response was found, else SECFailure.
 */
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
                                        CERTOCSPResponse *response,
                                        CERTOCSPCertID *certID,
                                        CERTCertificate *signerCert,
                                        PRTime time,
                                        CERTOCSPSingleResponse **pSingleResponse);

/*
 * FUNCTION: ocsp_CertHasGoodStatus
 *   Interpret a decoded CertStatus at the given time.
 * RETURN:
 *   SECSuccess when the status is "good"; SECFailure otherwise
 *   (presumably with the error code set to indicate revoked/unknown —
 *   confirm).
 */
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);

/*
 * FUNCTION: ocsp_CacheSingleResponse
 *   Store a single response in the OCSP cache under certID.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID the response is cached under.
 *   CERTOCSPSingleResponse *single
 *     the response to cache.
 *   PRBool *certIDWasConsumed
 *     Out parameter; if set to true, ownership of certID was
 *     transferred to the cache and the caller must not free it.
 */
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
                         CERTOCSPSingleResponse *single,
                         PRBool *certIDWasConsumed);

#endif /* _OCSPI_H_ */