michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: /* michael@0: * This file defines functions associated with the PKIX_RevocationChecker michael@0: * type. michael@0: * michael@0: */ michael@0: michael@0: #ifndef _PKIX_REVCHECKER_H michael@0: #define _PKIX_REVCHECKER_H michael@0: michael@0: #include "pkixt.h" michael@0: #include "pkix_pl_pki.h" michael@0: michael@0: #ifdef __cplusplus michael@0: extern "C" { michael@0: #endif michael@0: michael@0: /* General michael@0: * michael@0: * Please refer to the libpkix Programmer's Guide for detailed information michael@0: * about how to use the libpkix library. Certain key warnings and notices from michael@0: * that document are repeated here for emphasis. michael@0: * michael@0: * All identifiers in this file (and all public identifiers defined in michael@0: * libpkix) begin with "PKIX_". Private identifiers only intended for use michael@0: * within the library begin with "pkix_". michael@0: * michael@0: * A function returns NULL upon success, and a PKIX_Error pointer upon failure. michael@0: * michael@0: * Unless otherwise noted, for all accessor (gettor) functions that return a michael@0: * PKIX_PL_Object pointer, callers should assume that this pointer refers to a michael@0: * shared object. Therefore, the caller should treat this shared object as michael@0: * read-only and should not modify this shared object. When done using the michael@0: * shared object, the caller should release the reference to the object by michael@0: * using the PKIX_PL_Object_DecRef function. michael@0: * michael@0: * While a function is executing, if its arguments (or anything referred to by michael@0: * its arguments) are modified, free'd, or destroyed, the function's behavior michael@0: * is undefined. michael@0: * michael@0: */ michael@0: michael@0: /* PKIX_RevocationChecker michael@0: * michael@0: * PKIX_RevocationChecker provides a standard way of revocation checking. michael@0: * Caller should configure two set of tests(represented at lists of michael@0: * RevocationMethod objects) to be performed on the leaf and on the rest of michael@0: * the chain certificates. michael@0: * michael@0: * PKIX_RevocationMethods provide a standard way for the caller to insert michael@0: * their own custom revocation checks to verify the revocation status of michael@0: * certificates. This may be useful in many scenarios, including when the michael@0: * caller wishes to use their own revocation checking mechanism instead of (or michael@0: * in addition to) the default revocation checking mechanism provided by michael@0: * libpkix, which uses CRLs and OCSP. michael@0: * michael@0: * Once the caller has created the RevocationMethod object(s), the caller michael@0: * then specifies the RevocationMethod object(s) in a RevocationCheck object michael@0: * and sets it into a ProcessingParams. michael@0: */ michael@0: michael@0: /* michael@0: * FUNCTION: PKIX_RevocationChecker_Create michael@0: * DESCRIPTION: michael@0: * michael@0: * Creates revocation checker object with a given flags. michael@0: * michael@0: * PARAMETERS: michael@0: * "revDate" michael@0: * Revocation will be checked at this date. Current date is taken if the michael@0: * parameter is not specified. michael@0: * "leafMethodListFlags" michael@0: * Defines a set of method independent flags that will be used to check michael@0: * revocation of the leaf cert in the chain. michael@0: * "chainMethodListFlags" michael@0: * Defines a set of method independent flags that will be used to check michael@0: * revocation of the remaining certs in the chain. michael@0: * "pChecker" michael@0: * The return address of created checker. michael@0: * "plContext" michael@0: * Platform-specific context pointer. michael@0: * THREAD SAFETY: michael@0: * Thread Safe michael@0: * michael@0: * Multiple threads must be able to safely call this function without michael@0: * worrying about conflicts, even if they're operating on the same objects. michael@0: * RETURNS: michael@0: * Returns NULL if the function succeeds. michael@0: * Returns a RevocationChecker Error if the function fails in a non-fatal way. michael@0: * Returns a Fatal Error if the function fails in an unrecoverable way. michael@0: */ michael@0: PKIX_Error * michael@0: PKIX_RevocationChecker_Create( michael@0: PKIX_UInt32 leafMethodListFlags, michael@0: PKIX_UInt32 chainMethodListFlags, michael@0: PKIX_RevocationChecker **pChecker, michael@0: void *plContext); michael@0: michael@0: /* michael@0: * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod michael@0: * DESCRIPTION: michael@0: * michael@0: * Creates revocation method object with given parameters and adds it michael@0: * to revocation checker method list. michael@0: * michael@0: * PARAMETERS: michael@0: * "revChecker" michael@0: * Address of revocation checker structure. michael@0: * "procParams" michael@0: * Address of ProcessingParams used to initialize the checker. michael@0: * Must be non-NULL. michael@0: * "methodType" michael@0: * Type of the method. Currently only two types are michael@0: * supported: crl and ocsp. (See PKIX_RevocationMethodType enum). michael@0: * "methodFlags" michael@0: * Set of flags for the method. michael@0: * "methodPriority" michael@0: * Method priority. (0 corresponds to a highest priority) michael@0: * "verificationFn" michael@0: * User call back function that will perform validation of fetched michael@0: * revocation information(new crl or ocsp response) michael@0: * "isLeafMethod" michael@0: * Boolean flag that if set to true indicates that the method should michael@0: * should be used for leaf cert revocation test(false for chain set michael@0: * methods). michael@0: * "plContext" michael@0: * Platform-specific context pointer. michael@0: * THREAD SAFETY: michael@0: * Thread Safe michael@0: * michael@0: * Multiple threads must be able to safely call this function without michael@0: * worrying about conflicts, even if they're operating on the same objects. michael@0: * RETURNS: michael@0: * Returns NULL if the function succeeds. michael@0: * Returns a RevocationChecker Error if the function fails in a non-fatal way. michael@0: * Returns a Fatal Error if the function fails in an unrecoverable way. michael@0: */ michael@0: PKIX_Error * michael@0: PKIX_RevocationChecker_CreateAndAddMethod( michael@0: PKIX_RevocationChecker *revChecker, michael@0: PKIX_ProcessingParams *params, michael@0: PKIX_RevocationMethodType methodType, michael@0: PKIX_UInt32 methodFlags, michael@0: PKIX_UInt32 mathodPriority, michael@0: PKIX_PL_VerifyCallback verificationFn, michael@0: PKIX_Boolean isLeafMethod, michael@0: void *plContext); michael@0: michael@0: /* michael@0: * FUNCTION: PKIX_RevocationChecker_Check michael@0: * DESCRIPTION: michael@0: * michael@0: * Verifies revocation status of the certificate. Issuer cert is given to michael@0: * be used in verification of revocation information. Performed verification michael@0: * check depends on configured revocation methods(ocsp, crl. See michael@0: * PKIX_RevocationChecker_CreateAndAddMethod function) and a point of chain michael@0: * building process at which PKIX_RevocationChecker_Check was invoked. michael@0: * For security reasons, the cert status is checked only against cached michael@0: * revocation information during chain building stage(no trust anchor yes has michael@0: * been found). The fresh revocation information fetching is done only at chain michael@0: * verification stage after trust anchor was identified. michael@0: * michael@0: * PARAMETERS: michael@0: * "cert" michael@0: * Address of Cert whose revocation status is to be determined. michael@0: * Must be non-NULL. michael@0: * "issuer" michael@0: * Issuer cert that potentially holds public key that will be used michael@0: * to verify revocation info. michael@0: * "revChecker" michael@0: * Address of revocation checker structure. michael@0: * "procParams" michael@0: * Address of ProcessingParams used to initialize the checker. michael@0: * Must be non-NULL. michael@0: * "chainVerificationState" michael@0: * Need to be set to true, if the check was called during chain verification michael@0: * as an opposite to chain building. michael@0: * "testingLeafCert" michael@0: * Set to true if verifying revocation status of a leaf cert. michael@0: * "revStatus" michael@0: * Address of the returned revocation status of the cert. michael@0: * "pResultCode" michael@0: * Address where revocation status will be stored. Must be non-NULL. michael@0: * "pNBIOContext" michael@0: * Address at which platform-dependent non-blocking I/O context is stored. michael@0: * Must be non-NULL. michael@0: * "plContext" michael@0: * Platform-specific context pointer. michael@0: * THREAD SAFETY: michael@0: * Thread Safe michael@0: * michael@0: * Multiple threads must be able to safely call this function without michael@0: * worrying about conflicts, even if they're operating on the same objects. michael@0: * RETURNS: michael@0: * Returns NULL if the function succeeds. michael@0: * Returns a RevocationChecker Error if the function fails in a non-fatal way. michael@0: * Returns a Fatal Error if the function fails in an unrecoverable way. michael@0: */ michael@0: PKIX_Error * michael@0: PKIX_RevocationChecker_Check(PKIX_PL_Cert *cert, michael@0: PKIX_PL_Cert *issuer, michael@0: PKIX_RevocationChecker *revChecker, michael@0: PKIX_ProcessingParams *procParams, michael@0: PKIX_Boolean chainVerificationState, michael@0: PKIX_Boolean testingLeafCert, michael@0: PKIX_RevocationStatus *revStatus, michael@0: PKIX_UInt32 *pReasonCode, michael@0: void **pNbioContext, michael@0: void *plContext); michael@0: michael@0: #ifdef __cplusplus michael@0: } michael@0: #endif michael@0: michael@0: #endif /* _PKIX_REVCHECKER_H */