OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * pkix_revocationchecker.h | |
6 * | |
7 * RevocationChecker Object Type Definition | |
8 * | |
9 */ | |
10 | |
11 #ifndef _PKIX_REVOCATIONCHECKER_H | |
12 #define _PKIX_REVOCATIONCHECKER_H | |
13 | |
14 #include "pkixt.h" | |
15 #include "certt.h" | |
16 | |
17 #ifdef __cplusplus | |
18 extern "C" { | |
19 #endif | |
20 | |
21 /* NOTE: nbio logistic removed. Will be replaced later. */ | |
22 | |
23 /* | |
24 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates | |
25 * this is a method dependent flag. | |
26 */ | |
27 | |
28 /* | |
29 * Whether or not to use a method for revocation testing. | |
30 * If set to "do not test", then all other flags are ignored. | |
31 */ | |
32 #define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0x00L | |
33 #define PKIX_REV_M_TEST_USING_THIS_METHOD 0x01L | |
34 | |
35 /* | |
36 * Whether or not NSS is allowed to attempt to fetch fresh information | |
37 * from the network. | |
38 * (Although fetching will never happen if fresh information for the | |
39 * method is already locally available.) | |
40 */ | |
41 #define PKIX_REV_M_ALLOW_NETWORK_FETCHING 0x00L | |
42 #define PKIX_REV_M_FORBID_NETWORK_FETCHING 0x02L | |
43 | |
44 /* | |
45 * Example for an implicit default source: | |
46 * The globally configured default OCSP responder. | |
47 * IGNORE means: | |
48 * ignore the implicit default source, whether it's configured or not. | |
49 * ALLOW means: | |
50 * if an implicit default source is configured, | |
51 * then it overrides any available or missing source in the cert. | |
52 * if no implicit default source is configured, | |
53 * then we continue to use what's available (or not available) | |
54 * in the certs. | |
55 */ | |
56 #define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0x00L | |
57 #define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 0x04L /* OCSP only */ | |
58 | |
59 /* | |
60 * Defines the behavior if no fresh information is available, | |
61 * fetching from the network is allowed, but the source of revocation | |
62 * information is unknown (even after considering implicit sources, | |
63 * if allowed by other flags). | |
64 * SKIPT_TEST means: | |
65 * We ignore that no fresh information is available and | |
66 * skip this test. | |
67 * REQUIRE_INFO means: | |
68 * We still require that fresh information is available. | |
69 * Other flags define what happens on missing fresh info. | |
70 */ | |
71 | |
72 #define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0x00L | |
73 #define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 0x08L | |
74 | |
75 /* | |
76 * Defines the behavior if we are unable to obtain fresh information. | |
77 * INGORE means: | |
78 * Return "cert status unknown" | |
79 * FAIL means: | |
80 * Return "cert revoked". | |
81 */ | |
82 | |
83 #define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO 0x00L | |
84 #define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO 0x10L | |
85 | |
86 /* | |
87 * What should happen if we were able to find fresh information using | |
88 * this method, and the data indicated the cert is good? | |
89 * STOP_TESTING means: | |
90 * Our success is sufficient, do not continue testing | |
91 * other methods. | |
92 * CONTINUE_TESTING means: | |
93 * We will continue and test the next allowed | |
94 * specified method. | |
95 */ | |
96 | |
97 #define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO 0x00L | |
98 #define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 0x20L | |
99 | |
100 /* | |
101 * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates | |
102 * this is a method independent flag. | |
103 */ | |
104 | |
105 /* | |
106 * This defines the order to checking. | |
107 * EACH_METHOD_SEPARATELY means: | |
108 * Do all tests related to a particular allowed method | |
109 * (both local information and network fetching) in a single step. | |
110 * Only after testing for a particular method is done, | |
111 * then switching to the next method will happen. | |
112 * ALL_LOCAL_INFORMATION_FIRST means: | |
113 * Start by testing the information for all allowed methods | |
114 * which are already locally available. Only after that is done | |
115 * consider to fetch from the network (as allowed by other flags). | |
116 */ | |
117 #define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY 0x00L | |
118 #define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 0x01L | |
119 | |
120 /* | |
121 * Use this flag to specify that it's necessary that fresh information | |
122 * is available for at least one of the allowed methods, but it's | |
123 * irrelevant which of the mechanisms succeeded. | |
124 * NO_OVERALL_INFO_REQUIREMENT means: | |
125 * We strictly follow the requirements for each individual method. | |
126 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: | |
127 * After the individual tests have been executed, we must have | |
128 * been able to find fresh information using at least one method. | |
129 * If we were unable to find fresh info, it's a failure. | |
130 */ | |
131 #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0x00L | |
132 #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L | |
133 | |
134 /* Defines check time for the cert, revocation methods lists and | |
135 * flags for leaf and chain certs revocation tests. */ | |
136 struct PKIX_RevocationCheckerStruct { | |
137 PKIX_List *leafMethodList; | |
138 PKIX_List *chainMethodList; | |
139 PKIX_UInt32 leafMethodListFlags; | |
140 PKIX_UInt32 chainMethodListFlags; | |
141 }; | |
142 | |
143 /* see source file for function documentation */ | |
144 | |
145 PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext); | |
146 | |
147 #ifdef __cplusplus | |
148 } | |
149 #endif | |
150 | |
151 #endif /* _PKIX_REVOCATIONCHECKER_H */ | |
OLD | NEW |