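--- a/ocspi.h
+++ /dev/null
@@ -1,166 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
-* ocspi.h - NSS internal interfaces to OCSP code
-*/
-
-#ifndef _OCSPI_H_
-#define _OCSPI_H_
-
-SECStatus OCSP_InitGlobal(void);
-SECStatus OCSP_ShutdownGlobal(void);
-
-ocspResponseData *
-ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
-
-ocspSignature *
-ocsp_GetResponseSignature(CERTOCSPResponse *response);
-
-SECItem *
-ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
-SECItem *fill, const SECItem *src);
-
-PRBool
-ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
-
-CERTCertificate *
-ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
-ocspSignature *signature, CERTCertificate *issuer);
-
-SECStatus
-ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
-ocspSignature *signature,
-SECItem *tbsResponseDataDER,
-void *pwArg);
-
-CERTOCSPRequest *
-cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
-CERTCertificate *singleCert,
-PRTime time,
-PRBool addServiceLocator,
-CERTCertificate *signerCert);
-
-typedef enum { ocspMissing,
-ocspFresh,
-ocspStale } OCSPFreshness;
-
-SECStatus
-ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
-PRTime time,
-PRBool ignoreOcspFailureMode,
-SECStatus *rvOcsp,
-SECErrorCodes *missingResponseError,
-OCSPFreshness *freshness);
-
-/*
-* FUNCTION: cert_ProcessOCSPResponse
-* Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
-* In addition it can update the OCSP cache (using information
-* available internally to this function).
-* INPUTS:
-* CERTCertDBHandle *handle
-* certificate DB of the cert that is being checked
-* CERTOCSPResponse *response
-* the OCSP response we want to retrieve status from.
-* CERTOCSPCertID *certID
-* the ID we want to look for from the response.
-* CERTCertificate *signerCert
-* the certificate that was used to sign the OCSP response.
-* must be obtained via a call to CERT_VerifyOCSPResponseSignature.
-* PRTime time
-* The time at which we're checking the status for.
-* PRBool *certIDWasConsumed
-* In and Out parameter.
-* If certIDWasConsumed is NULL on input,
-* this function might produce a deep copy of cert ID
-* for storing it in the cache.
-* If out value is true, ownership of parameter certID was
-* transferred to the OCSP cache.
-* SECStatus *cacheUpdateStatus
-* This optional out parameter will contain the result
-* of the cache update operation (if requested).
-* RETURN:
-* The return value is not influenced by the cache operation,
-* it matches the documentation for CERT_CheckOCSPStatus
-*/
-
-SECStatus
-cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
-CERTOCSPResponse *response,
-CERTOCSPCertID *certID,
-CERTCertificate *signerCert,
-PRTime time,
-PRBool *certIDWasConsumed,
-SECStatus *cacheUpdateStatus);
-
-/*
-* FUNCTION: cert_RememberOCSPProcessingFailure
-* If an application notices a failure during OCSP processing,
-* it should finally call this function. The failure will be recorded
-* in the OCSP cache in order to avoid repetitive failures.
-* INPUTS:
-* CERTOCSPCertID *certID
-* the ID that was used for the failed OCSP processing
-* PRBool *certIDWasConsumed
-* Out parameter, if set to true, ownership of parameter certID was
-* transferred to the OCSP cache.
-* RETURN:
-* Status of the cache update operation.
-*/
-
-SECStatus
-cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
-PRBool *certIDWasConsumed);
-
-/*
-* FUNCTION: ocsp_GetResponderLocation
-* Check ocspx context for user-designated responder URI first. If not
-* found, checks cert AIA extension.
-* INPUTS:
-* CERTCertDBHandle *handle
-* certificate DB of the cert that is being checked
-* CERTCertificate *cert
-* The certificate being examined.
-* PRBool *certIDWasConsumed
-* Out parameter, if set to true, URI of default responder is
-* returned.
-* RETURN:
-* Responder URI.
-*/
-char *
-ocsp_GetResponderLocation(CERTCertDBHandle *handle,
-CERTCertificate *cert,
-PRBool canUseDefaultLocation,
-PRBool *isDefault);
-
-/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
-* The function checks the global ocsp settings and
-* tells how to treat an ocsp response fetching failure.
-* RETURNS:
-* if PR_TRUE is returned, then treat fetching as a
-* revoked cert status.
-*/
-PRBool
-ocsp_FetchingFailureIsVerificationFailure(void);
-
-size_t
-ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
-
-SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
-CERTOCSPResponse *response,
-CERTOCSPCertID *certID,
-CERTCertificate *signerCert,
-PRTime time,
-CERTOCSPSingleResponse **pSingleResponse);
-
-SECStatus
-ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
-
-void
-ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
-CERTOCSPSingleResponse *single,
-PRBool *certIDWasConsumed);
-
-#endif /* _OCSPI_H_ */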