| OLD | NEW |
|---|
| (Empty) |
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 4 /* | |
| 5 * This file defines functions associated with the PKIX_RevocationChecker | |
| 6 * type. | |
| 7 * | |
| 8 */ | |
| 9 | |
| 10 #ifndef _PKIX_REVCHECKER_H | |
| 11 #define _PKIX_REVCHECKER_H | |
| 12 | |
| 13 #include "pkixt.h" | |
| 14 #include "pkix_pl_pki.h" | |
| 15 | |
| 16 #ifdef __cplusplus | |
| 17 extern "C" { | |
| 18 #endif | |
| 19 | |
| 20 /* General | |
| 21 * | |
| 22 * Please refer to the libpkix Programmer's Guide for detailed information | |
| 23 * about how to use the libpkix library. Certain key warnings and notices from | |
| 24 * that document are repeated here for emphasis. | |
| 25 * | |
| 26 * All identifiers in this file (and all public identifiers defined in | |
| 27 * libpkix) begin with "PKIX_". Private identifiers only intended for use | |
| 28 * within the library begin with "pkix_". | |
| 29 * | |
| 30 * A function returns NULL upon success, and a PKIX_Error pointer upon failure. | |
| 31 * | |
| 32 * Unless otherwise noted, for all accessor (gettor) functions that return a | |
| 33 * PKIX_PL_Object pointer, callers should assume that this pointer refers to a | |
| 34 * shared object. Therefore, the caller should treat this shared object as | |
| 35 * read-only and should not modify this shared object. When done using the | |
| 36 * shared object, the caller should release the reference to the object by | |
| 37 * using the PKIX_PL_Object_DecRef function. | |
| 38 * | |
| 39 * While a function is executing, if its arguments (or anything referred to by | |
| 40 * its arguments) are modified, free'd, or destroyed, the function's behavior | |
| 41 * is undefined. | |
| 42 * | |
| 43 */ | |
| 44 | |
| 45 /* PKIX_RevocationChecker | |
| 46 * | |
| 47 * PKIX_RevocationChecker provides a standard way of revocation checking. | |
| 48 * Caller should configure two set of tests(represented at lists of | |
| 49 * RevocationMethod objects) to be performed on the leaf and on the rest of | |
| 50 * the chain certificates. | |
| 51 * | |
| 52 * PKIX_RevocationMethods provide a standard way for the caller to insert | |
| 53 * their own custom revocation checks to verify the revocation status of | |
| 54 * certificates. This may be useful in many scenarios, including when the | |
| 55 * caller wishes to use their own revocation checking mechanism instead of (or | |
| 56 * in addition to) the default revocation checking mechanism provided by | |
| 57 * libpkix, which uses CRLs and OCSP. | |
| 58 * | |
| 59 * Once the caller has created the RevocationMethod object(s), the caller | |
| 60 * then specifies the RevocationMethod object(s) in a RevocationCheck object | |
| 61 * and sets it into a ProcessingParams. | |
| 62 */ | |
| 63 | |
| 64 /* | |
| 65 * FUNCTION: PKIX_RevocationChecker_Create | |
| 66 * DESCRIPTION: | |
| 67 * | |
| 68 * Creates a revocation checker object with the given flags. Revocation will | |
| 69 * be checked at the current date. | |
| 70 * | |
| 71 * PARAMETERS: | |
| 72 * "leafMethodListFlags" | |
| 73 * Defines a set of method independent flags that will be used to check | |
| 74 * revocation of the leaf cert in the chain. | |
| 75 * "chainMethodListFlags" | |
| 76 * Defines a set of method independent flags that will be used to check | |
| 77 * revocation of the remaining certs in the chain. | |
| 78 * "pChecker" | |
| 79 * The return address of created checker. | |
| 80 * "plContext" | |
| 81 * Platform-specific context pointer. | |
| 82 * THREAD SAFETY: | |
| 83 * Thread Safe | |
| 84 * | |
| 85 * Multiple threads must be able to safely call this function without | |
| 86 * worrying about conflicts, even if they're operating on the same objects. | |
| 87 * RETURNS: | |
| 88 * Returns NULL if the function succeeds. | |
| 89 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 90 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 91 */ | |
| 92 PKIX_Error * | |
| 93 PKIX_RevocationChecker_Create( | |
| 94 PKIX_UInt32 leafMethodListFlags, | |
| 95 PKIX_UInt32 chainMethodListFlags, | |
| 96 PKIX_RevocationChecker **pChecker, | |
| 97 void *plContext); | |
| 98 | |
| 99 /* | |
| 100 * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod | |
| 101 * DESCRIPTION: | |
| 102 * | |
| 103 * Creates revocation method object with given parameters and adds it | |
| 104 * to revocation checker method list. | |
| 105 * | |
| 106 * PARAMETERS: | |
| 107 * "revChecker" | |
| 108 * Address of revocation checker structure. | |
| 109 * "procParams" | |
| 110 * Address of ProcessingParams used to initialize the checker. | |
| 111 * Must be non-NULL. | |
| 112 * "methodType" | |
| 113 * Type of the method. Currently only two types are | |
| 114 * supported: crl and ocsp. (See PKIX_RevocationMethodType enum). | |
| 115 * "methodFlags" | |
| 116 * Set of flags for the method. | |
| 117 * "methodPriority" | |
| 118 * Method priority. (0 corresponds to the highest priority) | |
| 119 * "verificationFn" | |
| 120 * User call back function that will perform validation of fetched | |
| 121 * revocation information(new crl or ocsp response) | |
| 122 * "isLeafMethod" | |
| 123 * Boolean flag that if set to true indicates that the method should | |
| 124 * should be used for leaf cert revocation test(false for chain set | |
| 125 * methods). | |
| 126 * "plContext" | |
| 127 * Platform-specific context pointer. | |
| 128 * THREAD SAFETY: | |
| 129 * Thread Safe | |
| 130 * | |
| 131 * Multiple threads must be able to safely call this function without | |
| 132 * worrying about conflicts, even if they're operating on the same objects. | |
| 133 * RETURNS: | |
| 134 * Returns NULL if the function succeeds. | |
| 135 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 136 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 137 */ | |
| 138 PKIX_Error * | |
| 139 PKIX_RevocationChecker_CreateAndAddMethod( | |
| 140 PKIX_RevocationChecker *revChecker, | |
| 141 PKIX_ProcessingParams *params, | |
| 142 PKIX_RevocationMethodType methodType, | |
| 143 PKIX_UInt32 methodFlags, | |
| 144 PKIX_UInt32 methodPriority, | |
| 145 PKIX_PL_VerifyCallback verificationFn, | |
| 146 PKIX_Boolean isLeafMethod, | |
| 147 void *plContext); | |
| 148 | |
| 149 /* | |
| 150 * FUNCTION: PKIX_RevocationChecker_Check | |
| 151 * DESCRIPTION: | |
| 152 * | |
| 153 * Verifies revocation status of the certificate. Issuer cert is given to | |
| 154 * be used in verification of revocation information. Performed verification | |
| 155 * check depends on configured revocation methods(ocsp, crl. See | |
| 156 * PKIX_RevocationChecker_CreateAndAddMethod function) and a point of chain | |
| 157 * building process at which PKIX_RevocationChecker_Check was invoked. | |
| 158 * For security reasons, the cert status is checked only against cached | |
| 159 * revocation information during chain building stage(no trust anchor yes has | |
| 160 * been found). The fresh revocation information fetching is done only at chain | |
| 161 * verification stage after trust anchor was identified. | |
| 162 * | |
| 163 * PARAMETERS: | |
| 164 * "cert" | |
| 165 * Address of Cert whose revocation status is to be determined. | |
| 166 * Must be non-NULL. | |
| 167 * "issuer" | |
| 168 * Issuer cert that potentially holds public key that will be used | |
| 169 * to verify revocation info. | |
| 170 * "revChecker" | |
| 171 * Address of revocation checker structure. | |
| 172 * "procParams" | |
| 173 * Address of ProcessingParams used to initialize the checker. | |
| 174 * Must be non-NULL. | |
| 175 * "chainVerificationState" | |
| 176 * Need to be set to true, if the check was called during chain verification | |
| 177 * as an opposite to chain building. | |
| 178 * "testingLeafCert" | |
| 179 * Set to true if verifying revocation status of a leaf cert. | |
| 180 * "revStatus" | |
| 181 * Address of the returned revocation status of the cert. | |
| 182 * "pResultCode" | |
| 183 * Address where revocation status will be stored. Must be non-NULL. | |
| 184 * "pNBIOContext" | |
| 185 * Address at which platform-dependent non-blocking I/O context is stored. | |
| 186 * Must be non-NULL. | |
| 187 * "plContext" | |
| 188 * Platform-specific context pointer. | |
| 189 * THREAD SAFETY: | |
| 190 * Thread Safe | |
| 191 * | |
| 192 * Multiple threads must be able to safely call this function without | |
| 193 * worrying about conflicts, even if they're operating on the same objects. | |
| 194 * RETURNS: | |
| 195 * Returns NULL if the function succeeds. | |
| 196 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 197 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 198 */ | |
| 199 PKIX_Error * | |
| 200 PKIX_RevocationChecker_Check(PKIX_PL_Cert *cert, | |
| 201 PKIX_PL_Cert *issuer, | |
| 202 PKIX_RevocationChecker *revChecker, | |
| 203 PKIX_ProcessingParams *procParams, | |
| 204 PKIX_Boolean chainVerificationState, | |
| 205 PKIX_Boolean testingLeafCert, | |
| 206 PKIX_RevocationStatus *revStatus, | |
| 207 PKIX_UInt32 *pReasonCode, | |
| 208 void **pNbioContext, | |
| 209 void *plContext); | |
| 210 | |
| 211 #ifdef __cplusplus | |
| 212 } | |
| 213 #endif | |
| 214 | |
| 215 #endif /* _PKIX_REVCHECKER_H */ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2078763002:
Delete bundled copy of NSS and replace with README. (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss@master