Update NSPR to 4.12 and NSS to 3.23 on iOS

nss/lib/certhigh/ocsp.h

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Interface to the OCSP implementation.
  */
 
 #ifndef _OCSP_H_
 #define _OCSP_H_
 
-
 #include "plarena.h"
 #include "seccomon.h"
 #include "secoidt.h"
 #include "keyt.h"
 #include "certt.h"
 #include "ocspt.h"
 
-
 /************************************************************************/
 SEC_BEGIN_PROTOS
 
 /*
  * This function registers the HttpClient with whose functions the
  * HttpClientFcn structure has been populated as the default Http
  * client.
  *
  * The function table must be a global object.
  * The caller must ensure that NSS will be able to call
@@ skipping 96 matching lines @@
  *     The nickname of the cert to trust (expected) to sign the OCSP responses.
  *     If the corresponding cert cannot be found, SECFailure is returned.
  * RETURN:
  *   Returns SECFailure if an error occurred; SECSuccess otherwise.
  *   The most likely error is that the cert for "name" could not be found
  *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
  *   bad database, etc.).
  */
 extern SECStatus
 CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
-                             const char *url, const char *name);
+                             const char *url, const char *name);
 
 /*
  * FUNCTION: CERT_EnableOCSPDefaultResponder
  *   Turns on use of a default responder when OCSP checking.
  *   If OCSP checking is already enabled, this will make subsequent checks
  *   go directly to the default responder.  (The location of the responder
  *   and the nickname of the responder cert must already be specified.)
  *   If OCSP checking is not enabled, this will be recorded and take effect
  *   whenever it is enabled.
  * INPUTS:
@@ skipping 19 matching lines @@
  * RETURN:
  *   Returns SECFailure if an error occurred; SECSuccess otherwise.
  *   Errors very unlikely (like random memory corruption...).
  */
 extern SECStatus
 CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
 
 /* If forcePost is set, OCSP requests will only be sent using the HTTP POST
  * method. When forcePost is not set, OCSP requests will be sent using the
  * HTTP GET method, with a fallback to POST when we fail to receive a response
- * and/or when we receive an uncacheable response like "Unknown." 
+ * and/or when we receive an uncacheable response like "Unknown."
  *
  * The default is to use GET and fallback to POST.
  */
 extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
 
 /*
  * -------------------------------------------------------
  * The Functions above are those expected to be used by a client
  * providing OCSP status checking along with every cert verification.
  * The functions below are for OCSP testing, debugging, or clients
  * or servers performing more specialized OCSP tasks.
  * -------------------------------------------------------
  */
 
 /*
  * FUNCTION: CERT_CreateOCSPRequest
- *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in
  *   the given list.
  * INPUTS:
  *   CERTCertList *certList
  *     A list of certs for which status will be requested.
  *     Note that all of these certificates should have the same issuer,
  *     or it's expected the response will be signed by a trusted responder.
  *     If the certs need to be broken up into multiple requests, that
  *     must be handled by the caller (and thus by having multiple calls
  *     to this routine), who knows about where the request(s) are being
  *     sent and whether there are any trusted responders in place.
  *   PRTime time
- *     Indicates the time for which the certificate status is to be 
+ *     Indicates the time for which the certificate status is to be
  *     determined -- this may be used in the search for the cert's issuer
  *     but has no effect on the request itself.
  *   PRBool addServiceLocator
  *     If true, the Service Locator extension should be added to the
  *     single request(s) for each cert.
  *   CERTCertificate *signerCert
  *     If non-NULL, means sign the request using this cert.  Otherwise,
  *     do not sign.
  *     XXX note that request signing is not yet supported; see comment in code
  * RETURN:
  *   A pointer to a CERTOCSPRequest structure containing an OCSP request
  *   for the cert list.  On error, null is returned, with an error set
  *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
  *   (The issuer is needed to create a request for the certificate.)
  *   Other errors are low-level problems (no memory, bad database, etc.).
  */
 extern CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, 
-                       PRBool addServiceLocator,
-                       CERTCertificate *signerCert);
+CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
+                       PRBool addServiceLocator,
+                       CERTCertificate *signerCert);
 
 /*
  * FUNCTION: CERT_AddOCSPAcceptableResponses
  *   Add the AcceptableResponses extension to an OCSP Request.
  * INPUTS:
  *   CERTOCSPRequest *request
  *     The request to which the extension should be added.
  *   SECOidTag responseType0, ...
  *     A list (of one or more) of SECOidTag -- each of the response types
  *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
  *     (This marks the end of the list, and it must be specified because a
  *     client conforming to the OCSP standard is required to handle the basic
  *     response type.)  The OIDs are not checked in any way.
  * RETURN:
  *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
  *   All errors are internal or low-level problems (e.g. no memory).
  */
 extern SECStatus
 CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
-                                SECOidTag responseType0, ...);
+                                SECOidTag responseType0, ...);
 
-/* 
+/*
  * FUNCTION: CERT_EncodeOCSPRequest
  *   DER encodes an OCSP Request, possibly adding a signature as well.
  *   XXX Signing is not yet supported, however; see comments in code.
- * INPUTS: 
+ * INPUTS:
  *   PLArenaPool *arena
  *     The return value is allocated from here.
  *     If a NULL is passed in, allocation is done from the heap instead.
  *   CERTOCSPRequest *request
  *     The request to be encoded.
  *   void *pwArg
  *     Pointer to argument for password prompting, if needed.  (Definitely
  *     not needed if not signing.)
  * RETURN:
  *   Returns a NULL on error and a pointer to the SECItem with the
  *   encoded value otherwise.  Any error is likely to be low-level
  *   (e.g. no memory).
  */
 extern SECItem *
-CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, 
-                       void *pwArg);
+CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
+                       void *pwArg);
 
 /*
  * FUNCTION: CERT_DecodeOCSPRequest
  *   Decode a DER encoded OCSP Request.
  * INPUTS:
  *   SECItem *src
  *     Pointer to a SECItem holding DER encoded OCSP Request.
  * RETURN:
  *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
  *   On error, returns NULL.  Most likely error is trouble decoding
@@ skipping 55 matching lines @@
  *     A list of certs for which status will be requested.
  *     Note that all of these certificates should have the same issuer,
  *     or it's expected the response will be signed by a trusted responder.
  *     If the certs need to be broken up into multiple requests, that
  *     must be handled by the caller (and thus by having multiple calls
  *     to this routine), who knows about where the request(s) are being
  *     sent and whether there are any trusted responders in place.
  *   const char *location
  *     The location of the OCSP responder (a URL).
  *   PRTime time
- *     Indicates the time for which the certificate status is to be 
+ *     Indicates the time for which the certificate status is to be
  *     determined -- this may be used in the search for the cert's issuer
  *     but has no other bearing on the operation.
  *   PRBool addServiceLocator
  *     If true, the Service Locator extension should be added to the
  *     single request(s) for each cert.
  *   CERTCertificate *signerCert
  *     If non-NULL, means sign the request using this cert.  Otherwise,
  *     do not sign.
  *   void *pwArg
  *     Pointer to argument for password prompting, if needed.  (Definitely
  *     not needed if not signing.)
  * OUTPUTS:
  *   CERTOCSPRequest **pRequest
  *     Pointer in which to store the OCSP request created for the given
  *     list of certificates.  It is only filled in if the entire operation
  *     is successful and the pointer is not null -- and in that case the
  *     caller is then reponsible for destroying it.
  * RETURN:
  *   Returns a pointer to the SECItem holding the response.
  *   On error, returns null with error set describing the reason:
  *      SEC_ERROR_UNKNOWN_ISSUER
  *      SEC_ERROR_CERT_BAD_ACCESS_LOCATION
  *      SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
  *   Other errors are low-level problems (no memory, bad database, etc.).
  */
 extern SECItem *
 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
-                            const char *location, PRTime time,
-                            PRBool addServiceLocator,
-                            CERTCertificate *signerCert, void *pwArg,
-                            CERTOCSPRequest **pRequest);
+                            const char *location, PRTime time,
+                            PRBool addServiceLocator,
+                            CERTCertificate *signerCert, void *pwArg,
+                            CERTOCSPRequest **pRequest);
 
 /*
  * FUNCTION: CERT_VerifyOCSPResponseSignature
  *   Check the signature on an OCSP Response.  Will also perform a
  *   verification of the signer's certificate.  Note, however, that a
  *   successful verification does not make any statement about the
  *   signer's *authority* to provide status for the certificate(s),
  *   that must be checked individually for each certificate.
  * INPUTS:
  *   CERTOCSPResponse *response
@@ skipping 13 matching lines @@
  *   Possible errors set:
  *      SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
  *      SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
  *      SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
  *      SEC_ERROR_BAD_SIGNATURE - the signature did not verify
  *   Other errors are any of the many possible failures in cert verification
  *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
  *   verifying the signer's cert, or low-level problems (no memory, etc.)
  */
 extern SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,    
-                                 CERTCertDBHandle *handle, void *pwArg,
-                                 CERTCertificate **pSignerCert,
-                                 CERTCertificate *issuerCert);
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
+                                 CERTCertDBHandle *handle, void *pwArg,
+                                 CERTCertificate **pSignerCert,
+                                 CERTCertificate *issuerCert);
 
 /*
  * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
  *   Get the value of the URI of the OCSP responder for the given cert.
  *   This is found in the (optional) Authority Information Access extension
  *   in the cert.
  * INPUTS:
  *   CERTCertificate *cert
  *     The certificate being examined.
  * RETURN:
  *   char *
  *     A copy of the URI for the OCSP method, if found.  If either the
  *     extension is not present or it does not contain an entry for OCSP,
  *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
  *     Any other error will also result in a NULL being returned.
- *     
+ *
  *     This result should be freed (via PORT_Free) when no longer in use.
  */
 extern char *
 CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);
 
 /*
  * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
- *   This function serves two purposes.  
- *   1) It registers the address of a callback function that will be 
- *   called for certs that have no OCSP AIA extension, to see if the 
+ *   This function serves two purposes.
+ *   1) It registers the address of a callback function that will be
+ *   called for certs that have no OCSP AIA extension, to see if the
  *   callback wishes to supply an alternative URL for such an OCSP inquiry.
- *   2) It outputs the previously registered function's address to the 
+ *   2) It outputs the previously registered function's address to the
  *   address supplied by the caller, unless that is NULL.
- *   The registered callback function returns NULL, or an allocated string 
+ *   The registered callback function returns NULL, or an allocated string
  *   that may be subsequently freed by calling PORT_Free().
  * RETURN:
  *   SECSuccess or SECFailure (if the library is not yet intialized)
  */
 extern SECStatus
 CERT_RegisterAlternateOCSPAIAInfoCallBack(
-                        CERT_StringFromCertFcn   newCallback,
-                        CERT_StringFromCertFcn * oldCallback);
+    CERT_StringFromCertFcn newCallback,
+    CERT_StringFromCertFcn *oldCallback);
 
 /*
  * FUNCTION: CERT_ParseURL
  *   Parse a URI into hostname, port, and path.  The scheme in the URI must
  *   be "http".
  * INPUTS:
  *   const char *url
  *     The URI to be parsed
  * OUTPUTS:
  *   char **pHostname
@@ skipping 53 matching lines @@
  *      SEC_ERROR_CERT_BAD_ACCESS_LOCATION
  *      SEC_ERROR_INVALID_TIME
  *      SEC_ERROR_REVOKED_CERTIFICATE
  *      SEC_ERROR_UNKNOWN_ISSUER
  *      SEC_ERROR_UNKNOWN_SIGNER
  *
  *   Other errors are any of the many possible failures in cert verification
  *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
  *   verifying the signer's cert, or low-level problems (error allocating
  *   memory, error performing ASN.1 decoding, etc.).
- */    
-extern SECStatus 
+ */
+extern SECStatus
 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
-                     PRTime time, void *pwArg);
+                     PRTime time, void *pwArg);
 
 /*
  * FUNCTION: CERT_CacheOCSPResponseFromSideChannel
  *   First, this function checks the OCSP cache to see if a good response
  *   for the given certificate already exists. If it does, then the function
  *   returns successfully.
  *
  *   If not, then it validates that the given OCSP response is a valid,
  *   good response for the given certificate and inserts it into the
  *   cache.
@@ skipping 11 matching lines @@
  *   SECItem *encodedResponse
  *     the DER encoded bytes of the OCSP response
  *   void *pwArg
  *     argument for password prompting, if needed
  * RETURN:
  *   SECSuccess if the cert was found in the cache, or if the OCSP response was
  *   found to be valid and inserted into the cache. SECFailure otherwise.
  */
 extern SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
-                                      CERTCertificate *cert,
-                                      PRTime time,
-                                      const SECItem *encodedResponse,
-                                      void *pwArg);
+                                      CERTCertificate *cert,
+                                      PRTime time,
+                                      const SECItem *encodedResponse,
+                                      void *pwArg);
 
 /*
  * FUNCTION: CERT_GetOCSPStatusForCertID
  *  Returns the OCSP status contained in the passed in parameter response
  *  that corresponds to the certID passed in.
  * INPUTS:
  *  CERTCertDBHandle *handle
  *    certificate DB of the cert that is being checked
  *  CERTOCSPResponse *response
  *    the OCSP response we want to retrieve status from.
  *  CERTOCSPCertID *certID
  *    the ID we want to look for from the response.
  *  CERTCertificate *signerCert
  *    the certificate that was used to sign the OCSP response.
  *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
  *  PRTime time
  *    The time at which we're checking the status for.
  *  RETURN:
  *    Return values are the same as those for CERT_CheckOCSPStatus
  */
 extern SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
-                            CERTOCSPResponse *response,
-                            CERTOCSPCertID   *certID,
-                            CERTCertificate  *signerCert,
-                            PRTime            time);
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
+                            CERTOCSPResponse *response,
+                            CERTOCSPCertID *certID,
+                            CERTCertificate *signerCert,
+                            PRTime time);
 
 /*
  * FUNCTION CERT_GetOCSPResponseStatus
  *   Returns the response status for the response passed.
  * INPUTS:
  *   CERTOCSPResponse *response
  *     The response to query for status
  *  RETURN:
  *    Returns SECSuccess if the response has a successful status value.
  *    Otherwise it returns SECFailure and sets one of the following error
@@ skipping 13 matching lines @@
  *  Returns the OCSP certID for the certificate passed in.
  * INPUTS:
  *  CERTCertificate *cert
  *    The certificate for which to create the certID for.
  *  PRTime time
  *    The time at which the id is requested for.  This is used
  *    to determine the appropriate issuer for the cert since
  *    the issuing CA may be an older expired certificate.
  *  RETURN:
  *    A new copy of a CERTOCSPCertID*.  The memory for this certID
- *    should be freed by calling CERT_DestroyOCSPCertID when the 
+ *    should be freed by calling CERT_DestroyOCSPCertID when the
  *    certID is no longer necessary.
  */
-extern CERTOCSPCertID*
+extern CERTOCSPCertID *
 CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
 
 /*
  * FUNCTION: CERT_DestroyOCSPCertID
  *  Frees the memory associated with the certID passed in.
  * INPUTS:
  *  CERTOCSPCertID* certID
- *    The certID that the caller no longer needs and wants to 
+ *    The certID that the caller no longer needs and wants to
  *    free the associated memory.
  * RETURN:
  *  SECSuccess if freeing the memory was successful.  Returns
  *  SECFailure if the memory passed in was not allocated with
  *  a call to CERT_CreateOCSPCertID.
  */
 extern SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
+CERT_DestroyOCSPCertID(CERTOCSPCertID *certID);
 
-
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
 CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
                                   CERTOCSPCertID *id,
                                   PRTime thisUpdate,
                                   const PRTime *nextUpdate);
 
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
 CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
                                      CERTOCSPCertID *id,
                                      PRTime thisUpdate,
                                      const PRTime *nextUpdate);
 
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
 CERT_CreateOCSPSingleResponseRevoked(
     PLArenaPool *arena,
     CERTOCSPCertID *id,
     PRTime thisUpdate,
     const PRTime *nextUpdate,
     PRTime revocationTime,
-    const CERTCRLEntryReasonCode* revocationReason);
+    const CERTCRLEntryReasonCode *revocationReason);
 
-extern SECItem*
+extern SECItem *
 CERT_CreateEncodedOCSPSuccessResponse(
     PLArenaPool *arena,
     CERTCertificate *responderCert,
     CERTOCSPResponderIDType responderIDType,
     PRTime producedAt,
     CERTOCSPSingleResponse **responses,
     void *wincx);
 
 /*
  * FUNCTION: CERT_CreateEncodedOCSPErrorResponse
@@ skipping 20 matching lines @@
  *                                      --(4) is not used
  *        sigRequired          (5),     --Must sign the request
  *        unauthorized         (6)      --Request unauthorized
  *    }
  * RETURN:
  *   Returns a pointer to the SECItem holding the response.
  *   On error, returns null with error set describing the reason:
  *      SEC_ERROR_INVALID_ARGS
  *   Other errors are low-level problems (no memory, bad database, etc.).
  */
-extern SECItem*
+extern SECItem *
 CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
 
 /* Sends an OCSP request using the HTTP POST method to the location addressed
  * by the URL in |location| parameter. The request body will be
  * |encodedRequest|, which must be a valid encoded OCSP request. On success,
  * the server's response is returned and the caller must free it using
  * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of
  * the HTTP response is done.
  *
  * If a default HTTP client has been registered with
  * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
  * internal HTTP client is used.
  */
-SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
                               const SECItem *encodedRequest);
 
 /************************************************************************/
 SEC_END_PROTOS
 
 #endif /* _OCSP_H_ */