OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 | |
5 /* | |
6 * Interface to the OCSP implementation. | |
7 */ | |
8 | |
9 #ifndef _OCSP_H_ | |
10 #define _OCSP_H_ | |
11 | |
12 #include "plarena.h" | |
13 #include "seccomon.h" | |
14 #include "secoidt.h" | |
15 #include "keyt.h" | |
16 #include "certt.h" | |
17 #include "ocspt.h" | |
18 | |
19 /************************************************************************/ | |
20 SEC_BEGIN_PROTOS | |
21 | |
22 /* | |
23 * This function registers the HttpClient with whose functions the | |
24 * HttpClientFcn structure has been populated as the default Http | |
25 * client. | |
26 * | |
27 * The function table must be a global object. | |
28 * The caller must ensure that NSS will be able to call | |
29 * the registered functions for the lifetime of the process. | |
30 */ | |
31 extern SECStatus | |
32 SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable); | |
33 | |
34 /* | |
35 * This function obtains the HttpClient which has been registered | |
36 * by an earlier call to SEC_RegisterDefaultHttpClient. | |
37 */ | |
38 extern const SEC_HttpClientFcn * | |
39 SEC_GetRegisteredHttpClient(void); | |
40 | |
41 /* | |
42 * Sets parameters that control NSS' internal OCSP cache. | |
43 * maxCacheEntries, special varlues are: | |
44 * -1 disable cache | |
45 * 0 unlimited cache entries | |
46 * minimumSecondsToNextFetchAttempt: | |
47 * whenever an OCSP request was attempted or completed over the network, | |
48 * wait at least this number of seconds before trying to fetch again. | |
49 * maximumSecondsToNextFetchAttempt: | |
50 * this is the maximum age of a cached response we allow, until we try | |
51 * to fetch an updated response, even if the OCSP responder expects | |
52 * that newer information update will not be available yet. | |
53 */ | |
54 extern SECStatus | |
55 CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, | |
56 PRUint32 minimumSecondsToNextFetchAttempt, | |
57 PRUint32 maximumSecondsToNextFetchAttempt); | |
58 | |
59 /* | |
60 * Set the desired behaviour on OCSP failures. | |
61 * See definition of ocspFailureMode for allowed choices. | |
62 */ | |
63 extern SECStatus | |
64 CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode); | |
65 | |
66 /* | |
67 * Configure the maximum time NSS will wait for an OCSP response. | |
68 */ | |
69 extern SECStatus | |
70 CERT_SetOCSPTimeout(PRUint32 seconds); | |
71 | |
72 /* | |
73 * Removes all items currently stored in the OCSP cache. | |
74 */ | |
75 extern SECStatus | |
76 CERT_ClearOCSPCache(void); | |
77 | |
78 /* | |
79 * FUNCTION: CERT_EnableOCSPChecking | |
80 * Turns on OCSP checking for the given certificate database. | |
81 * INPUTS: | |
82 * CERTCertDBHandle *handle | |
83 * Certificate database for which OCSP checking will be enabled. | |
84 * RETURN: | |
85 * Returns SECFailure if an error occurred (likely only problem | |
86 * allocating memory); SECSuccess otherwise. | |
87 */ | |
88 extern SECStatus | |
89 CERT_EnableOCSPChecking(CERTCertDBHandle *handle); | |
90 | |
91 /* | |
92 * FUNCTION: CERT_DisableOCSPChecking | |
93 * Turns off OCSP checking for the given certificate database. | |
94 * This routine disables OCSP checking. Though it will return | |
95 * SECFailure if OCSP checking is not enabled, it is "safe" to | |
96 * call it that way and just ignore the return value, if it is | |
97 * easier to just call it than to "remember" whether it is enabled. | |
98 * INPUTS: | |
99 * CERTCertDBHandle *handle | |
100 * Certificate database for which OCSP checking will be disabled. | |
101 * RETURN: | |
102 * Returns SECFailure if an error occurred (usually means that OCSP | |
103 * checking was not enabled or status contexts were not initialized -- | |
104 * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. | |
105 */ | |
106 extern SECStatus | |
107 CERT_DisableOCSPChecking(CERTCertDBHandle *handle); | |
108 | |
109 /* | |
110 * FUNCTION: CERT_SetOCSPDefaultResponder | |
111 * Specify the location and cert of the default responder. | |
112 * If OCSP checking is already enabled *and* use of a default responder | |
113 * is also already enabled, all OCSP checking from now on will go directly | |
114 * to the specified responder. If OCSP checking is not enabled, or if | |
115 * it is but use of a default responder is not enabled, the information | |
116 * will be recorded and take effect whenever both are enabled. | |
117 * INPUTS: | |
118 * CERTCertDBHandle *handle | |
119 * Cert database on which OCSP checking should use the default responder. | |
120 * const char *url | |
121 * The location of the default responder (e.g. "http://foo.com:80/ocsp") | |
122 * Note that the location will not be tested until the first attempt | |
123 * to send a request there. | |
124 * const char *name | |
125 * The nickname of the cert to trust (expected) to sign the OCSP responses. | |
126 * If the corresponding cert cannot be found, SECFailure is returned. | |
127 * RETURN: | |
128 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
129 * The most likely error is that the cert for "name" could not be found | |
130 * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, | |
131 * bad database, etc.). | |
132 */ | |
133 extern SECStatus | |
134 CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, | |
135 const char *url, const char *name); | |
136 | |
137 /* | |
138 * FUNCTION: CERT_EnableOCSPDefaultResponder | |
139 * Turns on use of a default responder when OCSP checking. | |
140 * If OCSP checking is already enabled, this will make subsequent checks | |
141 * go directly to the default responder. (The location of the responder | |
142 * and the nickname of the responder cert must already be specified.) | |
143 * If OCSP checking is not enabled, this will be recorded and take effect | |
144 * whenever it is enabled. | |
145 * INPUTS: | |
146 * CERTCertDBHandle *handle | |
147 * Cert database on which OCSP checking should use the default responder. | |
148 * RETURN: | |
149 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
150 * No errors are especially likely unless the caller did not previously | |
151 * perform a successful call to SetOCSPDefaultResponder (in which case | |
152 * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). | |
153 */ | |
154 extern SECStatus | |
155 CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle); | |
156 | |
157 /* | |
158 * FUNCTION: CERT_DisableOCSPDefaultResponder | |
159 * Turns off use of a default responder when OCSP checking. | |
160 * (Does nothing if use of a default responder is not enabled.) | |
161 * INPUTS: | |
162 * CERTCertDBHandle *handle | |
163 * Cert database on which OCSP checking should stop using a default | |
164 * responder. | |
165 * RETURN: | |
166 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
167 * Errors very unlikely (like random memory corruption...). | |
168 */ | |
169 extern SECStatus | |
170 CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle); | |
171 | |
172 /* If forcePost is set, OCSP requests will only be sent using the HTTP POST | |
173 * method. When forcePost is not set, OCSP requests will be sent using the | |
174 * HTTP GET method, with a fallback to POST when we fail to receive a response | |
175 * and/or when we receive an uncacheable response like "Unknown." | |
176 * | |
177 * The default is to use GET and fallback to POST. | |
178 */ | |
179 extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); | |
180 | |
181 /* | |
182 * ------------------------------------------------------- | |
183 * The Functions above are those expected to be used by a client | |
184 * providing OCSP status checking along with every cert verification. | |
185 * The functions below are for OCSP testing, debugging, or clients | |
186 * or servers performing more specialized OCSP tasks. | |
187 * ------------------------------------------------------- | |
188 */ | |
189 | |
190 /* | |
191 * FUNCTION: CERT_CreateOCSPRequest | |
192 * Creates a CERTOCSPRequest, requesting the status of the certs in | |
193 * the given list. | |
194 * INPUTS: | |
195 * CERTCertList *certList | |
196 * A list of certs for which status will be requested. | |
197 * Note that all of these certificates should have the same issuer, | |
198 * or it's expected the response will be signed by a trusted responder. | |
199 * If the certs need to be broken up into multiple requests, that | |
200 * must be handled by the caller (and thus by having multiple calls | |
201 * to this routine), who knows about where the request(s) are being | |
202 * sent and whether there are any trusted responders in place. | |
203 * PRTime time | |
204 * Indicates the time for which the certificate status is to be | |
205 * determined -- this may be used in the search for the cert's issuer | |
206 * but has no effect on the request itself. | |
207 * PRBool addServiceLocator | |
208 * If true, the Service Locator extension should be added to the | |
209 * single request(s) for each cert. | |
210 * CERTCertificate *signerCert | |
211 * If non-NULL, means sign the request using this cert. Otherwise, | |
212 * do not sign. | |
213 * XXX note that request signing is not yet supported; see comment in code | |
214 * RETURN: | |
215 * A pointer to a CERTOCSPRequest structure containing an OCSP request | |
216 * for the cert list. On error, null is returned, with an error set | |
217 * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. | |
218 * (The issuer is needed to create a request for the certificate.) | |
219 * Other errors are low-level problems (no memory, bad database, etc.). | |
220 */ | |
221 extern CERTOCSPRequest * | |
222 CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, | |
223 PRBool addServiceLocator, | |
224 CERTCertificate *signerCert); | |
225 | |
226 /* | |
227 * FUNCTION: CERT_AddOCSPAcceptableResponses | |
228 * Add the AcceptableResponses extension to an OCSP Request. | |
229 * INPUTS: | |
230 * CERTOCSPRequest *request | |
231 * The request to which the extension should be added. | |
232 * SECOidTag responseType0, ... | |
233 * A list (of one or more) of SECOidTag -- each of the response types | |
234 * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. | |
235 * (This marks the end of the list, and it must be specified because a | |
236 * client conforming to the OCSP standard is required to handle the basic | |
237 * response type.) The OIDs are not checked in any way. | |
238 * RETURN: | |
239 * SECSuccess if the extension is added; SECFailure if anything goes wrong. | |
240 * All errors are internal or low-level problems (e.g. no memory). | |
241 */ | |
242 extern SECStatus | |
243 CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, | |
244 SECOidTag responseType0, ...); | |
245 | |
246 /* | |
247 * FUNCTION: CERT_EncodeOCSPRequest | |
248 * DER encodes an OCSP Request, possibly adding a signature as well. | |
249 * XXX Signing is not yet supported, however; see comments in code. | |
250 * INPUTS: | |
251 * PLArenaPool *arena | |
252 * The return value is allocated from here. | |
253 * If a NULL is passed in, allocation is done from the heap instead. | |
254 * CERTOCSPRequest *request | |
255 * The request to be encoded. | |
256 * void *pwArg | |
257 * Pointer to argument for password prompting, if needed. (Definitely | |
258 * not needed if not signing.) | |
259 * RETURN: | |
260 * Returns a NULL on error and a pointer to the SECItem with the | |
261 * encoded value otherwise. Any error is likely to be low-level | |
262 * (e.g. no memory). | |
263 */ | |
264 extern SECItem * | |
265 CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, | |
266 void *pwArg); | |
267 | |
268 /* | |
269 * FUNCTION: CERT_DecodeOCSPRequest | |
270 * Decode a DER encoded OCSP Request. | |
271 * INPUTS: | |
272 * SECItem *src | |
273 * Pointer to a SECItem holding DER encoded OCSP Request. | |
274 * RETURN: | |
275 * Returns a pointer to a CERTOCSPRequest containing the decoded request. | |
276 * On error, returns NULL. Most likely error is trouble decoding | |
277 * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). | |
278 */ | |
279 extern CERTOCSPRequest * | |
280 CERT_DecodeOCSPRequest(const SECItem *src); | |
281 | |
282 /* | |
283 * FUNCTION: CERT_DestroyOCSPRequest | |
284 * Frees an OCSP Request structure. | |
285 * INPUTS: | |
286 * CERTOCSPRequest *request | |
287 * Pointer to CERTOCSPRequest to be freed. | |
288 * RETURN: | |
289 * No return value; no errors. | |
290 */ | |
291 extern void | |
292 CERT_DestroyOCSPRequest(CERTOCSPRequest *request); | |
293 | |
294 /* | |
295 * FUNCTION: CERT_DecodeOCSPResponse | |
296 * Decode a DER encoded OCSP Response. | |
297 * INPUTS: | |
298 * SECItem *src | |
299 * Pointer to a SECItem holding DER encoded OCSP Response. | |
300 * RETURN: | |
301 * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); | |
302 * the caller is responsible for destroying it. Or NULL if error (either | |
303 * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), | |
304 * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), | |
305 * or a low-level or internal error occurred). | |
306 */ | |
307 extern CERTOCSPResponse * | |
308 CERT_DecodeOCSPResponse(const SECItem *src); | |
309 | |
310 /* | |
311 * FUNCTION: CERT_DestroyOCSPResponse | |
312 * Frees an OCSP Response structure. | |
313 * INPUTS: | |
314 * CERTOCSPResponse *request | |
315 * Pointer to CERTOCSPResponse to be freed. | |
316 * RETURN: | |
317 * No return value; no errors. | |
318 */ | |
319 extern void | |
320 CERT_DestroyOCSPResponse(CERTOCSPResponse *response); | |
321 | |
322 /* | |
323 * FUNCTION: CERT_GetEncodedOCSPResponse | |
324 * Creates and sends a request to an OCSP responder, then reads and | |
325 * returns the (encoded) response. | |
326 * INPUTS: | |
327 * PLArenaPool *arena | |
328 * Pointer to arena from which return value will be allocated. | |
329 * If NULL, result will be allocated from the heap (and thus should | |
330 * be freed via SECITEM_FreeItem). | |
331 * CERTCertList *certList | |
332 * A list of certs for which status will be requested. | |
333 * Note that all of these certificates should have the same issuer, | |
334 * or it's expected the response will be signed by a trusted responder. | |
335 * If the certs need to be broken up into multiple requests, that | |
336 * must be handled by the caller (and thus by having multiple calls | |
337 * to this routine), who knows about where the request(s) are being | |
338 * sent and whether there are any trusted responders in place. | |
339 * const char *location | |
340 * The location of the OCSP responder (a URL). | |
341 * PRTime time | |
342 * Indicates the time for which the certificate status is to be | |
343 * determined -- this may be used in the search for the cert's issuer | |
344 * but has no other bearing on the operation. | |
345 * PRBool addServiceLocator | |
346 * If true, the Service Locator extension should be added to the | |
347 * single request(s) for each cert. | |
348 * CERTCertificate *signerCert | |
349 * If non-NULL, means sign the request using this cert. Otherwise, | |
350 * do not sign. | |
351 * void *pwArg | |
352 * Pointer to argument for password prompting, if needed. (Definitely | |
353 * not needed if not signing.) | |
354 * OUTPUTS: | |
355 * CERTOCSPRequest **pRequest | |
356 * Pointer in which to store the OCSP request created for the given | |
357 * list of certificates. It is only filled in if the entire operation | |
358 * is successful and the pointer is not null -- and in that case the | |
359 * caller is then reponsible for destroying it. | |
360 * RETURN: | |
361 * Returns a pointer to the SECItem holding the response. | |
362 * On error, returns null with error set describing the reason: | |
363 * SEC_ERROR_UNKNOWN_ISSUER | |
364 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | |
365 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE | |
366 * Other errors are low-level problems (no memory, bad database, etc.). | |
367 */ | |
368 extern SECItem * | |
369 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, | |
370 const char *location, PRTime time, | |
371 PRBool addServiceLocator, | |
372 CERTCertificate *signerCert, void *pwArg, | |
373 CERTOCSPRequest **pRequest); | |
374 | |
375 /* | |
376 * FUNCTION: CERT_VerifyOCSPResponseSignature | |
377 * Check the signature on an OCSP Response. Will also perform a | |
378 * verification of the signer's certificate. Note, however, that a | |
379 * successful verification does not make any statement about the | |
380 * signer's *authority* to provide status for the certificate(s), | |
381 * that must be checked individually for each certificate. | |
382 * INPUTS: | |
383 * CERTOCSPResponse *response | |
384 * Pointer to response structure with signature to be checked. | |
385 * CERTCertDBHandle *handle | |
386 * Pointer to CERTCertDBHandle for certificate DB to use for verification. | |
387 * void *pwArg | |
388 * Pointer to argument for password prompting, if needed. | |
389 * CERTCertificate *issuerCert | |
390 * Issuer of the certificate that generated the OCSP request. | |
391 * OUTPUTS: | |
392 * CERTCertificate **pSignerCert | |
393 * Pointer in which to store signer's certificate; only filled-in if | |
394 * non-null. | |
395 * RETURN: | |
396 * Returns SECSuccess when signature is valid, anything else means invalid. | |
397 * Possible errors set: | |
398 * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID | |
399 * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time | |
400 * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found | |
401 * SEC_ERROR_BAD_SIGNATURE - the signature did not verify | |
402 * Other errors are any of the many possible failures in cert verification | |
403 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | |
404 * verifying the signer's cert, or low-level problems (no memory, etc.) | |
405 */ | |
406 extern SECStatus | |
407 CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, | |
408 CERTCertDBHandle *handle, void *pwArg, | |
409 CERTCertificate **pSignerCert, | |
410 CERTCertificate *issuerCert); | |
411 | |
412 /* | |
413 * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation | |
414 * Get the value of the URI of the OCSP responder for the given cert. | |
415 * This is found in the (optional) Authority Information Access extension | |
416 * in the cert. | |
417 * INPUTS: | |
418 * CERTCertificate *cert | |
419 * The certificate being examined. | |
420 * RETURN: | |
421 * char * | |
422 * A copy of the URI for the OCSP method, if found. If either the | |
423 * extension is not present or it does not contain an entry for OCSP, | |
424 * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned. | |
425 * Any other error will also result in a NULL being returned. | |
426 * | |
427 * This result should be freed (via PORT_Free) when no longer in use. | |
428 */ | |
429 extern char * | |
430 CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert); | |
431 | |
432 /* | |
433 * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack | |
434 * This function serves two purposes. | |
435 * 1) It registers the address of a callback function that will be | |
436 * called for certs that have no OCSP AIA extension, to see if the | |
437 * callback wishes to supply an alternative URL for such an OCSP inquiry. | |
438 * 2) It outputs the previously registered function's address to the | |
439 * address supplied by the caller, unless that is NULL. | |
440 * The registered callback function returns NULL, or an allocated string | |
441 * that may be subsequently freed by calling PORT_Free(). | |
442 * RETURN: | |
443 * SECSuccess or SECFailure (if the library is not yet intialized) | |
444 */ | |
445 extern SECStatus | |
446 CERT_RegisterAlternateOCSPAIAInfoCallBack( | |
447 CERT_StringFromCertFcn newCallback, | |
448 CERT_StringFromCertFcn *oldCallback); | |
449 | |
450 /* | |
451 * FUNCTION: CERT_ParseURL | |
452 * Parse a URI into hostname, port, and path. The scheme in the URI must | |
453 * be "http". | |
454 * INPUTS: | |
455 * const char *url | |
456 * The URI to be parsed | |
457 * OUTPUTS: | |
458 * char **pHostname | |
459 * Pointer to store the hostname obtained from the URI. | |
460 * This result should be freed (via PORT_Free) when no longer in use. | |
461 * PRUint16 *pPort | |
462 * Pointer to store the port number obtained from the URI. | |
463 * char **pPath | |
464 * Pointer to store the path obtained from the URI. | |
465 * This result should be freed (via PORT_Free) when no longer in use. | |
466 * RETURN: | |
467 * Returns SECSuccess when parsing was successful. Returns SECFailure when | |
468 * problems were encountered. | |
469 */ | |
470 extern SECStatus | |
471 CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath); | |
472 | |
473 /* | |
474 * FUNCTION: CERT_CheckOCSPStatus | |
475 * Checks the status of a certificate via OCSP. Will only check status for | |
476 * a certificate that has an AIA (Authority Information Access) extension | |
477 * for OCSP *or* when a "default responder" is specified and enabled. | |
478 * (If no AIA extension for OCSP and no default responder in place, the | |
479 * cert is considered to have a good status and SECSuccess is returned.) | |
480 * INPUTS: | |
481 * CERTCertDBHandle *handle | |
482 * certificate DB of the cert that is being checked | |
483 * CERTCertificate *cert | |
484 * the certificate being checked | |
485 * XXX in the long term also need a boolean parameter that specifies | |
486 * whether to check the cert chain, as well; for now we check only | |
487 * the leaf (the specified certificate) | |
488 * PRTime time | |
489 * time for which status is to be determined | |
490 * void *pwArg | |
491 * argument for password prompting, if needed | |
492 * RETURN: | |
493 * Returns SECSuccess if an approved OCSP responder "knows" the cert | |
494 * *and* returns a non-revoked status for it; SECFailure otherwise, | |
495 * with an error set describing the reason: | |
496 * | |
497 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE | |
498 * SEC_ERROR_OCSP_FUTURE_RESPONSE | |
499 * SEC_ERROR_OCSP_MALFORMED_REQUEST | |
500 * SEC_ERROR_OCSP_MALFORMED_RESPONSE | |
501 * SEC_ERROR_OCSP_OLD_RESPONSE | |
502 * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG | |
503 * SEC_ERROR_OCSP_SERVER_ERROR | |
504 * SEC_ERROR_OCSP_TRY_SERVER_LATER | |
505 * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST | |
506 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | |
507 * SEC_ERROR_OCSP_UNKNOWN_CERT | |
508 * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS | |
509 * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE | |
510 * | |
511 * SEC_ERROR_BAD_SIGNATURE | |
512 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | |
513 * SEC_ERROR_INVALID_TIME | |
514 * SEC_ERROR_REVOKED_CERTIFICATE | |
515 * SEC_ERROR_UNKNOWN_ISSUER | |
516 * SEC_ERROR_UNKNOWN_SIGNER | |
517 * | |
518 * Other errors are any of the many possible failures in cert verification | |
519 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | |
520 * verifying the signer's cert, or low-level problems (error allocating | |
521 * memory, error performing ASN.1 decoding, etc.). | |
522 */ | |
523 extern SECStatus | |
524 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, | |
525 PRTime time, void *pwArg); | |
526 | |
527 /* | |
528 * FUNCTION: CERT_CacheOCSPResponseFromSideChannel | |
529 * First, this function checks the OCSP cache to see if a good response | |
530 * for the given certificate already exists. If it does, then the function | |
531 * returns successfully. | |
532 * | |
533 * If not, then it validates that the given OCSP response is a valid, | |
534 * good response for the given certificate and inserts it into the | |
535 * cache. | |
536 * | |
537 * This function is intended for use when OCSP responses are provided via a | |
538 * side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension). | |
539 * | |
540 * INPUTS: | |
541 * CERTCertDBHandle *handle | |
542 * certificate DB of the cert that is being checked | |
543 * CERTCertificate *cert | |
544 * the certificate being checked | |
545 * PRTime time | |
546 * time for which status is to be determined | |
547 * SECItem *encodedResponse | |
548 * the DER encoded bytes of the OCSP response | |
549 * void *pwArg | |
550 * argument for password prompting, if needed | |
551 * RETURN: | |
552 * SECSuccess if the cert was found in the cache, or if the OCSP response was | |
553 * found to be valid and inserted into the cache. SECFailure otherwise. | |
554 */ | |
555 extern SECStatus | |
556 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, | |
557 CERTCertificate *cert, | |
558 PRTime time, | |
559 const SECItem *encodedResponse, | |
560 void *pwArg); | |
561 | |
562 /* | |
563 * FUNCTION: CERT_GetOCSPStatusForCertID | |
564 * Returns the OCSP status contained in the passed in parameter response | |
565 * that corresponds to the certID passed in. | |
566 * INPUTS: | |
567 * CERTCertDBHandle *handle | |
568 * certificate DB of the cert that is being checked | |
569 * CERTOCSPResponse *response | |
570 * the OCSP response we want to retrieve status from. | |
571 * CERTOCSPCertID *certID | |
572 * the ID we want to look for from the response. | |
573 * CERTCertificate *signerCert | |
574 * the certificate that was used to sign the OCSP response. | |
575 * must be obtained via a call to CERT_VerifyOCSPResponseSignature. | |
576 * PRTime time | |
577 * The time at which we're checking the status for. | |
578 * RETURN: | |
579 * Return values are the same as those for CERT_CheckOCSPStatus | |
580 */ | |
581 extern SECStatus | |
582 CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, | |
583 CERTOCSPResponse *response, | |
584 CERTOCSPCertID *certID, | |
585 CERTCertificate *signerCert, | |
586 PRTime time); | |
587 | |
588 /* | |
589 * FUNCTION CERT_GetOCSPResponseStatus | |
590 * Returns the response status for the response passed. | |
591 * INPUTS: | |
592 * CERTOCSPResponse *response | |
593 * The response to query for status | |
594 * RETURN: | |
595 * Returns SECSuccess if the response has a successful status value. | |
596 * Otherwise it returns SECFailure and sets one of the following error | |
597 * codes via PORT_SetError | |
598 * SEC_ERROR_OCSP_MALFORMED_REQUEST | |
599 * SEC_ERROR_OCSP_SERVER_ERROR | |
600 * SEC_ERROR_OCSP_TRY_SERVER_LATER | |
601 * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG | |
602 * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST | |
603 * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS | |
604 */ | |
605 extern SECStatus | |
606 CERT_GetOCSPResponseStatus(CERTOCSPResponse *response); | |
607 | |
608 /* | |
609 * FUNCTION CERT_CreateOCSPCertID | |
610 * Returns the OCSP certID for the certificate passed in. | |
611 * INPUTS: | |
612 * CERTCertificate *cert | |
613 * The certificate for which to create the certID for. | |
614 * PRTime time | |
615 * The time at which the id is requested for. This is used | |
616 * to determine the appropriate issuer for the cert since | |
617 * the issuing CA may be an older expired certificate. | |
618 * RETURN: | |
619 * A new copy of a CERTOCSPCertID*. The memory for this certID | |
620 * should be freed by calling CERT_DestroyOCSPCertID when the | |
621 * certID is no longer necessary. | |
622 */ | |
623 extern CERTOCSPCertID * | |
624 CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); | |
625 | |
626 /* | |
627 * FUNCTION: CERT_DestroyOCSPCertID | |
628 * Frees the memory associated with the certID passed in. | |
629 * INPUTS: | |
630 * CERTOCSPCertID* certID | |
631 * The certID that the caller no longer needs and wants to | |
632 * free the associated memory. | |
633 * RETURN: | |
634 * SECSuccess if freeing the memory was successful. Returns | |
635 * SECFailure if the memory passed in was not allocated with | |
636 * a call to CERT_CreateOCSPCertID. | |
637 */ | |
638 extern SECStatus | |
639 CERT_DestroyOCSPCertID(CERTOCSPCertID *certID); | |
640 | |
641 extern CERTOCSPSingleResponse * | |
642 CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, | |
643 CERTOCSPCertID *id, | |
644 PRTime thisUpdate, | |
645 const PRTime *nextUpdate); | |
646 | |
647 extern CERTOCSPSingleResponse * | |
648 CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, | |
649 CERTOCSPCertID *id, | |
650 PRTime thisUpdate, | |
651 const PRTime *nextUpdate); | |
652 | |
653 extern CERTOCSPSingleResponse * | |
654 CERT_CreateOCSPSingleResponseRevoked( | |
655 PLArenaPool *arena, | |
656 CERTOCSPCertID *id, | |
657 PRTime thisUpdate, | |
658 const PRTime *nextUpdate, | |
659 PRTime revocationTime, | |
660 const CERTCRLEntryReasonCode *revocationReason); | |
661 | |
662 extern SECItem * | |
663 CERT_CreateEncodedOCSPSuccessResponse( | |
664 PLArenaPool *arena, | |
665 CERTCertificate *responderCert, | |
666 CERTOCSPResponderIDType responderIDType, | |
667 PRTime producedAt, | |
668 CERTOCSPSingleResponse **responses, | |
669 void *wincx); | |
670 | |
671 /* | |
672 * FUNCTION: CERT_CreateEncodedOCSPErrorResponse | |
673 * Creates an encoded OCSP response with an error response status. | |
674 * INPUTS: | |
675 * PLArenaPool *arena | |
676 * The return value is allocated from here. | |
677 * If a NULL is passed in, allocation is done from the heap instead. | |
678 * int error | |
679 * An NSS error code indicating an error response status. The error | |
680 * code is mapped to an OCSP response status as follows: | |
681 * SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest | |
682 * SEC_ERROR_OCSP_SERVER_ERROR -> internalError | |
683 * SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater | |
684 * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired | |
685 * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized | |
686 * where the OCSP response status is an enumerated type defined in | |
687 * RFC 2560: | |
688 * OCSPResponseStatus ::= ENUMERATED { | |
689 * successful (0), --Response has valid confirmations | |
690 * malformedRequest (1), --Illegal confirmation request | |
691 * internalError (2), --Internal error in issuer | |
692 * tryLater (3), --Try again later | |
693 * --(4) is not used | |
694 * sigRequired (5), --Must sign the request | |
695 * unauthorized (6) --Request unauthorized | |
696 * } | |
697 * RETURN: | |
698 * Returns a pointer to the SECItem holding the response. | |
699 * On error, returns null with error set describing the reason: | |
700 * SEC_ERROR_INVALID_ARGS | |
701 * Other errors are low-level problems (no memory, bad database, etc.). | |
702 */ | |
703 extern SECItem * | |
704 CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); | |
705 | |
706 /* Sends an OCSP request using the HTTP POST method to the location addressed | |
707 * by the URL in |location| parameter. The request body will be | |
708 * |encodedRequest|, which must be a valid encoded OCSP request. On success, | |
709 * the server's response is returned and the caller must free it using | |
710 * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of | |
711 * the HTTP response is done. | |
712 * | |
713 * If a default HTTP client has been registered with | |
714 * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an | |
715 * internal HTTP client is used. | |
716 */ | |
717 SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, | |
718 const SECItem *encodedRequest); | |
719 | |
720 /************************************************************************/ | |
721 SEC_END_PROTOS | |
722 | |
723 #endif /* _OCSP_H_ */ | |
OLD | NEW |