

      1 /* This Source Code Form is subject to the terms of the Mozilla Public
      2 * License, v. 2.0. If a copy of the MPL was not distributed with this
      3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      4 
      5 // Implements generating OCSP responses of various types. Used by the
      6 // programs in tlsserver/cmd.
      7 
      8 #ifndef OCSPCommon_h
      9 #define OCSPCommon_h
     10 
     11 #include "ScopedNSSTypes.h"
     12 #include "certt.h"
     13 #include "mozpkix/test/pkixtestutil.h"
     14 #include "seccomon.h"
     15 
// The kinds of OCSP response the tlsserver test programs can be asked to
// generate (see the file header). Many of the variants describe a
// deliberately stale, mis-signed or malformed response, so that a client's
// OCSP handling can be exercised against the outcomes it must reject as
// well as the ones it should accept. The values are spelled out so the
// numbering is visible at a glance; keep them contiguous and do not reuse
// one when adding a variant.
enum OCSPResponseType {
  ORTNull = 0,
  // The certificate is good.
  ORTGood = 1,
  // The certificate has been revoked.
  ORTRevoked = 2,
  // Revoked, but the response itself is old.
  ORTRevokedOld = 3,
  // The responder does not know whether the certificate is good.
  ORTUnknown = 4,
  // Unknown, but the response itself is old.
  ORTUnknownOld = 5,
  // A good response, but it references a different certificate.
  ORTGoodOtherCert = 6,
  // A good response, but signed by the wrong CA.
  ORTGoodOtherCA = 7,
  // The signature on the response has expired.
  ORTExpired = 8,
  // Fresh signature, but an old validity period.
  ORTExpiredFreshCA = 9,
  // No stapled response at all.
  ORTNone = 10,
  // An empty stapled response.
  ORTEmpty = 11,
  // The response from the responder was malformed.
  ORTMalformed = 12,
  // The response indicates a server error.
  ORTSrverr = 13,
  // The responder replied with "try again later".
  ORTTryLater = 14,
  // The response needs a signature.
  ORTNeedsSig = 15,
  // The responder is not authorized for this certificate.
  ORTUnauthorized = 16,
  // The response carries a signature that does not verify.
  ORTBadSignature = 17,
  // The response does not include responseBytes.
  ORTSkipResponseBytes = 18,
  // The response includes a critical extension.
  ORTCriticalExtension = 19,
  // The response includes a non-critical extension.
  ORTNoncriticalExtension = 20,
  // The response includes a SEQUENCE OF Extension that is empty.
  ORTEmptyExtensions = 21,
  // The response is signed by a delegated responder whose certificate is
  // included.
  ORTDelegatedIncluded = 22,
  // Same, but multiple other certificates are included as well.
  ORTDelegatedIncludedLast = 23,
  // The response is signed by a delegated responder whose certificate is
  // not included.
  ORTDelegatedMissing = 24,
  // Same, but multiple other certificates are included.
  ORTDelegatedMissingMultiple = 25,
  // A good response, but one generated almost a year ago.
  ORTLongValidityAlmostExpired = 26,
  // A good response with a validity period of almost two years, close to
  // expiring.
  ORTAncientAlmostExpired = 27,
};
     54 
// One host entry for the OCSP test responder: the host name, the kind of
// response to hand out for it, and the certificate names the response is
// built from. This is a passive aggregate; keep the member order stable,
// since callers presumably initialize it positionally — confirm against the
// tlsserver/cmd users before reordering.
struct OCSPHost {
  const char* mHostName;            // host name this entry applies to
  OCSPResponseType mORT;            // response kind to generate for this host
  const char* mAdditionalCertName;  // useful for ORTGoodOtherCert, etc.
  const char* mServerCertName;      // presumably the certificate the response
                                    // is about — verify against the users
};
     61 
// Builds an OCSP response of kind aORT for aCert. aArena is the arena the
// result is allocated from, so the returned SECItemArray is only usable while
// aArena is alive — TODO confirm against the definition. aAdditionalCertName
// names the extra certificate some response kinds refer to (see
// OCSPHost::mAdditionalCertName). aThisUpdateSkew is a time offset;
// presumably it shifts the response's thisUpdate field for the "old" and
// "expired" variants — confirm in the implementation. When
// aSignedCertificateTimestamps is non-null it is presumably embedded in the
// response; this header does not show how, so check the definition.
// Returns the encoded response; the failure convention (nullptr?) is not
// visible here — check the definition before relying on it.
SECItemArray* GetOCSPResponseForType(
    OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert,
    const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName,
    time_t aThisUpdateSkew,
    mozilla::pkix::test::ByteString* aSignedCertificateTimestamps = nullptr);
     67 
     68 #endif  // OCSPCommon_h