tor-browser

ocsp.h (28871B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
* Interface to the OCSP implementation.
*/

#ifndef _OCSP_H_
#define _OCSP_H_

#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "keythi.h"
#include "certt.h"
#include "ocspt.h"

/************************************************************************/
SEC_BEGIN_PROTOS

/*
* This function registers the HttpClient with whose functions the
* HttpClientFcn structure has been populated as the default Http
* client.
*
* The function table must be a global object.
* The caller must ensure that NSS will be able to call
* the registered functions for the lifetime of the process.
*/
extern SECStatus
SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);

/*
* This function obtains the HttpClient which has been registered
* by an earlier call to SEC_RegisterDefaultHttpClient.
*/
extern const SEC_HttpClientFcn *
SEC_GetRegisteredHttpClient(void);

/*
* Sets parameters that control NSS' internal OCSP cache.
* maxCacheEntries, special varlues are:
*   -1 disable cache
*   0 unlimited cache entries
* minimumSecondsToNextFetchAttempt:
*   whenever an OCSP request was attempted or completed over the network,
*   wait at least this number of seconds before trying to fetch again.
* maximumSecondsToNextFetchAttempt:
*   this is the maximum age of a cached response we allow, until we try
*   to fetch an updated response, even if the OCSP responder expects
*   that newer information update will not be available yet.
*/
extern SECStatus
CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
                      PRUint32 minimumSecondsToNextFetchAttempt,
                      PRUint32 maximumSecondsToNextFetchAttempt);

/*
* Set the desired behaviour on OCSP failures.
* See definition of ocspFailureMode for allowed choices.
*/
extern SECStatus
CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode);

/*
* Configure the maximum time NSS will wait for an OCSP response.
*/
extern SECStatus
CERT_SetOCSPTimeout(PRUint32 seconds);

/*
* Removes all items currently stored in the OCSP cache.
*/
extern SECStatus
CERT_ClearOCSPCache(void);

/*
* FUNCTION: CERT_EnableOCSPChecking
*   Turns on OCSP checking for the given certificate database.
* INPUTS:
*   CERTCertDBHandle *handle
*     Certificate database for which OCSP checking will be enabled.
* RETURN:
*   Returns SECFailure if an error occurred (likely only problem
*   allocating memory); SECSuccess otherwise.
*/
extern SECStatus
CERT_EnableOCSPChecking(CERTCertDBHandle *handle);

/*
* FUNCTION: CERT_DisableOCSPChecking
*   Turns off OCSP checking for the given certificate database.
*   This routine disables OCSP checking.  Though it will return
*   SECFailure if OCSP checking is not enabled, it is "safe" to
*   call it that way and just ignore the return value, if it is
*   easier to just call it than to "remember" whether it is enabled.
* INPUTS:
*   CERTCertDBHandle *handle
*     Certificate database for which OCSP checking will be disabled.
* RETURN:
*   Returns SECFailure if an error occurred (usually means that OCSP
*   checking was not enabled or status contexts were not initialized --
*   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
*/
extern SECStatus
CERT_DisableOCSPChecking(CERTCertDBHandle *handle);

/*
* FUNCTION: CERT_SetOCSPDefaultResponder
*   Specify the location and cert of the default responder.
*   If OCSP checking is already enabled *and* use of a default responder
*   is also already enabled, all OCSP checking from now on will go directly
*   to the specified responder.  If OCSP checking is not enabled, or if
*   it is but use of a default responder is not enabled, the information
*   will be recorded and take effect whenever both are enabled.
* INPUTS:
*   CERTCertDBHandle *handle
*     Cert database on which OCSP checking should use the default responder.
*   const char *url
*     The location of the default responder (e.g. "http://foo.com:80/ocsp")
*     Note that the location will not be tested until the first attempt
*     to send a request there.
*   const char *name
*     The nickname of the cert to trust (expected) to sign the OCSP responses.
*     If the corresponding cert cannot be found, SECFailure is returned.
* RETURN:
*   Returns SECFailure if an error occurred; SECSuccess otherwise.
*   The most likely error is that the cert for "name" could not be found
*   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
*   bad database, etc.).
*/
extern SECStatus
CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
                            const char *url, const char *name);

/*
* FUNCTION: CERT_EnableOCSPDefaultResponder
*   Turns on use of a default responder when OCSP checking.
*   If OCSP checking is already enabled, this will make subsequent checks
*   go directly to the default responder.  (The location of the responder
*   and the nickname of the responder cert must already be specified.)
*   If OCSP checking is not enabled, this will be recorded and take effect
*   whenever it is enabled.
* INPUTS:
*   CERTCertDBHandle *handle
*     Cert database on which OCSP checking should use the default responder.
* RETURN:
*   Returns SECFailure if an error occurred; SECSuccess otherwise.
*   No errors are especially likely unless the caller did not previously
*   perform a successful call to SetOCSPDefaultResponder (in which case
*   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
*/
extern SECStatus
CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);

/*
* FUNCTION: CERT_DisableOCSPDefaultResponder
*   Turns off use of a default responder when OCSP checking.
*   (Does nothing if use of a default responder is not enabled.)
* INPUTS:
*   CERTCertDBHandle *handle
*     Cert database on which OCSP checking should stop using a default
*     responder.
* RETURN:
*   Returns SECFailure if an error occurred; SECSuccess otherwise.
*   Errors very unlikely (like random memory corruption...).
*/
extern SECStatus
CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);

/* If forcePost is set, OCSP requests will only be sent using the HTTP POST
* method. When forcePost is not set, OCSP requests will be sent using the
* HTTP GET method, with a fallback to POST when we fail to receive a response
* and/or when we receive an uncacheable response like "Unknown."
*
* The default is to use GET and fallback to POST.
*/
extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);

/*
* -------------------------------------------------------
* The Functions above are those expected to be used by a client
* providing OCSP status checking along with every cert verification.
* The functions below are for OCSP testing, debugging, or clients
* or servers performing more specialized OCSP tasks.
* -------------------------------------------------------
*/

/*
* FUNCTION: CERT_CreateOCSPRequest
*   Creates a CERTOCSPRequest, requesting the status of the certs in
*   the given list.
* INPUTS:
*   CERTCertList *certList
*     A list of certs for which status will be requested.
*     Note that all of these certificates should have the same issuer,
*     or it's expected the response will be signed by a trusted responder.
*     If the certs need to be broken up into multiple requests, that
*     must be handled by the caller (and thus by having multiple calls
*     to this routine), who knows about where the request(s) are being
*     sent and whether there are any trusted responders in place.
*   PRTime time
*     Indicates the time for which the certificate status is to be
*     determined -- this may be used in the search for the cert's issuer
*     but has no effect on the request itself.
*   PRBool addServiceLocator
*     If true, the Service Locator extension should be added to the
*     single request(s) for each cert.
*   CERTCertificate *signerCert
*     If non-NULL, means sign the request using this cert.  Otherwise,
*     do not sign.
*     XXX note that request signing is not yet supported; see comment in code
* RETURN:
*   A pointer to a CERTOCSPRequest structure containing an OCSP request
*   for the cert list.  On error, null is returned, with an error set
*   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
*   (The issuer is needed to create a request for the certificate.)
*   Other errors are low-level problems (no memory, bad database, etc.).
*/
extern CERTOCSPRequest *
CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
                      PRBool addServiceLocator,
                      CERTCertificate *signerCert);

/*
* FUNCTION: CERT_AddOCSPAcceptableResponses
*   Add the AcceptableResponses extension to an OCSP Request.
* INPUTS:
*   CERTOCSPRequest *request
*     The request to which the extension should be added.
*   SECOidTag responseType0, ...
*     A list (of one or more) of SECOidTag -- each of the response types
*     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
*     (This marks the end of the list, and it must be specified because a
*     client conforming to the OCSP standard is required to handle the basic
*     response type.)  The OIDs are not checked in any way.
* RETURN:
*   SECSuccess if the extension is added; SECFailure if anything goes wrong.
*   All errors are internal or low-level problems (e.g. no memory).
*/
extern SECStatus
CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
                               SECOidTag responseType0, ...);

/*
* FUNCTION: CERT_EncodeOCSPRequest
*   DER encodes an OCSP Request, possibly adding a signature as well.
*   XXX Signing is not yet supported, however; see comments in code.
* INPUTS:
*   PLArenaPool *arena
*     The return value is allocated from here.
*     If a NULL is passed in, allocation is done from the heap instead.
*   CERTOCSPRequest *request
*     The request to be encoded.
*   void *pwArg
*     Pointer to argument for password prompting, if needed.  (Definitely
*     not needed if not signing.)
* RETURN:
*   Returns a NULL on error and a pointer to the SECItem with the
*   encoded value otherwise.  Any error is likely to be low-level
*   (e.g. no memory).
*/
extern SECItem *
CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
                      void *pwArg);

/*
* FUNCTION: CERT_DecodeOCSPRequest
*   Decode a DER encoded OCSP Request.
* INPUTS:
*   SECItem *src
*     Pointer to a SECItem holding DER encoded OCSP Request.
* RETURN:
*   Returns a pointer to a CERTOCSPRequest containing the decoded request.
*   On error, returns NULL.  Most likely error is trouble decoding
*   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
*/
extern CERTOCSPRequest *
CERT_DecodeOCSPRequest(const SECItem *src);

/*
* FUNCTION: CERT_DestroyOCSPRequest
*   Frees an OCSP Request structure.
* INPUTS:
*   CERTOCSPRequest *request
*     Pointer to CERTOCSPRequest to be freed.
* RETURN:
*   No return value; no errors.
*/
extern void
CERT_DestroyOCSPRequest(CERTOCSPRequest *request);

/*
* FUNCTION: CERT_DecodeOCSPResponse
*   Decode a DER encoded OCSP Response.
* INPUTS:
*   SECItem *src
*     Pointer to a SECItem holding DER encoded OCSP Response.
* RETURN:
*   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
*   the caller is responsible for destroying it.  Or NULL if error (either
*   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
*   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
*   or a low-level or internal error occurred).
*/
extern CERTOCSPResponse *
CERT_DecodeOCSPResponse(const SECItem *src);

/*
* FUNCTION: CERT_DestroyOCSPResponse
*   Frees an OCSP Response structure.
* INPUTS:
*   CERTOCSPResponse *request
*     Pointer to CERTOCSPResponse to be freed.
* RETURN:
*   No return value; no errors.
*/
extern void
CERT_DestroyOCSPResponse(CERTOCSPResponse *response);

/*
* FUNCTION: CERT_GetEncodedOCSPResponse
*   Creates and sends a request to an OCSP responder, then reads and
*   returns the (encoded) response.
* INPUTS:
*   PLArenaPool *arena
*     Pointer to arena from which return value will be allocated.
*     If NULL, result will be allocated from the heap (and thus should
*     be freed via SECITEM_FreeItem).
*   CERTCertList *certList
*     A list of certs for which status will be requested.
*     Note that all of these certificates should have the same issuer,
*     or it's expected the response will be signed by a trusted responder.
*     If the certs need to be broken up into multiple requests, that
*     must be handled by the caller (and thus by having multiple calls
*     to this routine), who knows about where the request(s) are being
*     sent and whether there are any trusted responders in place.
*   const char *location
*     The location of the OCSP responder (a URL).
*   PRTime time
*     Indicates the time for which the certificate status is to be
*     determined -- this may be used in the search for the cert's issuer
*     but has no other bearing on the operation.
*   PRBool addServiceLocator
*     If true, the Service Locator extension should be added to the
*     single request(s) for each cert.
*   CERTCertificate *signerCert
*     If non-NULL, means sign the request using this cert.  Otherwise,
*     do not sign.
*   void *pwArg
*     Pointer to argument for password prompting, if needed.  (Definitely
*     not needed if not signing.)
* OUTPUTS:
*   CERTOCSPRequest **pRequest
*     Pointer in which to store the OCSP request created for the given
*     list of certificates.  It is only filled in if the entire operation
*     is successful and the pointer is not null -- and in that case the
*     caller is then reponsible for destroying it.
* RETURN:
*   Returns a pointer to the SECItem holding the response.
*   On error, returns null with error set describing the reason:
*	SEC_ERROR_UNKNOWN_ISSUER
*	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
*	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
*   Other errors are low-level problems (no memory, bad database, etc.).
*/
extern SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
                           const char *location, PRTime time,
                           PRBool addServiceLocator,
                           CERTCertificate *signerCert, void *pwArg,
                           CERTOCSPRequest **pRequest);

/*
* FUNCTION: CERT_VerifyOCSPResponseSignature
*   Check the signature on an OCSP Response.  Will also perform a
*   verification of the signer's certificate.  Note, however, that a
*   successful verification does not make any statement about the
*   signer's *authority* to provide status for the certificate(s),
*   that must be checked individually for each certificate.
* INPUTS:
*   CERTOCSPResponse *response
*     Pointer to response structure with signature to be checked.
*   CERTCertDBHandle *handle
*     Pointer to CERTCertDBHandle for certificate DB to use for verification.
*   void *pwArg
*     Pointer to argument for password prompting, if needed.
*   CERTCertificate *issuerCert
*     Issuer of the certificate that generated the OCSP request.
* OUTPUTS:
*   CERTCertificate **pSignerCert
*     Pointer in which to store signer's certificate; only filled-in if
*     non-null.
* RETURN:
*   Returns SECSuccess when signature is valid, anything else means invalid.
*   Possible errors set:
*	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
*	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
*	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
*	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
*   Other errors are any of the many possible failures in cert verification
*   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
*   verifying the signer's cert, or low-level problems (no memory, etc.)
*/
extern SECStatus
CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
                                CERTCertDBHandle *handle, void *pwArg,
                                CERTCertificate **pSignerCert,
                                CERTCertificate *issuerCert);

/*
* FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
*   Get the value of the URI of the OCSP responder for the given cert.
*   This is found in the (optional) Authority Information Access extension
*   in the cert.
* INPUTS:
*   CERTCertificate *cert
*     The certificate being examined.
* RETURN:
*   char *
*     A copy of the URI for the OCSP method, if found.  If either the
*     extension is not present or it does not contain an entry for OCSP,
*     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
*     Any other error will also result in a NULL being returned.
*
*     This result should be freed (via PORT_Free) when no longer in use.
*/
extern char *
CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);

/*
* FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
*   This function serves two purposes.
*   1) It registers the address of a callback function that will be
*   called for certs that have no OCSP AIA extension, to see if the
*   callback wishes to supply an alternative URL for such an OCSP inquiry.
*   2) It outputs the previously registered function's address to the
*   address supplied by the caller, unless that is NULL.
*   The registered callback function returns NULL, or an allocated string
*   that may be subsequently freed by calling PORT_Free().
* RETURN:
*   SECSuccess or SECFailure (if the library is not yet intialized)
*/
extern SECStatus
CERT_RegisterAlternateOCSPAIAInfoCallBack(
   CERT_StringFromCertFcn newCallback,
   CERT_StringFromCertFcn *oldCallback);

/*
* FUNCTION: CERT_ParseURL
*   Parse a URI into hostname, port, and path.  The scheme in the URI must
*   be "http".
* INPUTS:
*   const char *url
*     The URI to be parsed
* OUTPUTS:
*   char **pHostname
*     Pointer to store the hostname obtained from the URI.
*     This result should be freed (via PORT_Free) when no longer in use.
*   PRUint16 *pPort
*     Pointer to store the port number obtained from the URI.
*   char **pPath
*     Pointer to store the path obtained from the URI.
*     This result should be freed (via PORT_Free) when no longer in use.
* RETURN:
*   Returns SECSuccess when parsing was successful. Returns SECFailure when
*   problems were encountered.
*/
extern SECStatus
CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath);

/*
* FUNCTION: CERT_CheckOCSPStatus
*   Checks the status of a certificate via OCSP.  Will only check status for
*   a certificate that has an AIA (Authority Information Access) extension
*   for OCSP *or* when a "default responder" is specified and enabled.
*   (If no AIA extension for OCSP and no default responder in place, the
*   cert is considered to have a good status and SECSuccess is returned.)
* INPUTS:
*   CERTCertDBHandle *handle
*     certificate DB of the cert that is being checked
*   CERTCertificate *cert
*     the certificate being checked
*   XXX in the long term also need a boolean parameter that specifies
*	whether to check the cert chain, as well; for now we check only
*	the leaf (the specified certificate)
*   PRTime time
*     time for which status is to be determined
*   void *pwArg
*     argument for password prompting, if needed
* RETURN:
*   Returns SECSuccess if an approved OCSP responder "knows" the cert
*   *and* returns a non-revoked status for it; SECFailure otherwise,
*   with an error set describing the reason:
*
*	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
*	SEC_ERROR_OCSP_FUTURE_RESPONSE
*	SEC_ERROR_OCSP_MALFORMED_REQUEST
*	SEC_ERROR_OCSP_MALFORMED_RESPONSE
*	SEC_ERROR_OCSP_OLD_RESPONSE
*	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
*	SEC_ERROR_OCSP_SERVER_ERROR
*	SEC_ERROR_OCSP_TRY_SERVER_LATER
*	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
*	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
*	SEC_ERROR_OCSP_UNKNOWN_CERT
*	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
*	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
*
*	SEC_ERROR_BAD_SIGNATURE
*	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
*	SEC_ERROR_INVALID_TIME
*	SEC_ERROR_REVOKED_CERTIFICATE
*	SEC_ERROR_UNKNOWN_ISSUER
*	SEC_ERROR_UNKNOWN_SIGNER
*
*   Other errors are any of the many possible failures in cert verification
*   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
*   verifying the signer's cert, or low-level problems (error allocating
*   memory, error performing ASN.1 decoding, etc.).
*/
extern SECStatus
CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
                    PRTime time, void *pwArg);

/*
* FUNCTION: CERT_CacheOCSPResponseFromSideChannel
*   First, this function checks the OCSP cache to see if a good response
*   for the given certificate already exists. If it does, then the function
*   returns successfully.
*
*   If not, then it validates that the given OCSP response is a valid,
*   good response for the given certificate and inserts it into the
*   cache.
*
*   This function is intended for use when OCSP responses are provided via a
*   side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension).
*
* INPUTS:
*   CERTCertDBHandle *handle
*     certificate DB of the cert that is being checked
*   CERTCertificate *cert
*     the certificate being checked
*   PRTime time
*     time for which status is to be determined
*   SECItem *encodedResponse
*     the DER encoded bytes of the OCSP response
*   void *pwArg
*     argument for password prompting, if needed
* RETURN:
*   SECSuccess if the cert was found in the cache, or if the OCSP response was
*   found to be valid and inserted into the cache. SECFailure otherwise.
*/
extern SECStatus
CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
                                     CERTCertificate *cert,
                                     PRTime time,
                                     const SECItem *encodedResponse,
                                     void *pwArg);

/*
* FUNCTION: CERT_GetOCSPStatusForCertID
*  Returns the OCSP status contained in the passed in parameter response
*  that corresponds to the certID passed in.
* INPUTS:
*  CERTCertDBHandle *handle
*    certificate DB of the cert that is being checked
*  CERTOCSPResponse *response
*    the OCSP response we want to retrieve status from.
*  CERTOCSPCertID *certID
*    the ID we want to look for from the response.
*  CERTCertificate *signerCert
*    the certificate that was used to sign the OCSP response.
*    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
*  PRTime time
*    The time at which we're checking the status for.
*  RETURN:
*    Return values are the same as those for CERT_CheckOCSPStatus
*/
extern SECStatus
CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
                           CERTOCSPResponse *response,
                           CERTOCSPCertID *certID,
                           CERTCertificate *signerCert,
                           PRTime time);

/*
* FUNCTION CERT_GetOCSPResponseStatus
*   Returns the response status for the response passed.
* INPUTS:
*   CERTOCSPResponse *response
*     The response to query for status
*  RETURN:
*    Returns SECSuccess if the response has a successful status value.
*    Otherwise it returns SECFailure and sets one of the following error
*    codes via PORT_SetError
*        SEC_ERROR_OCSP_MALFORMED_REQUEST
*        SEC_ERROR_OCSP_SERVER_ERROR
*        SEC_ERROR_OCSP_TRY_SERVER_LATER
*        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
*        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
*        SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
*/
extern SECStatus
CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);

/*
* FUNCTION CERT_CreateOCSPCertID
*  Returns the OCSP certID for the certificate passed in.
* INPUTS:
*  CERTCertificate *cert
*    The certificate for which to create the certID for.
*  PRTime time
*    The time at which the id is requested for.  This is used
*    to determine the appropriate issuer for the cert since
*    the issuing CA may be an older expired certificate.
*  RETURN:
*    A new copy of a CERTOCSPCertID*.  The memory for this certID
*    should be freed by calling CERT_DestroyOCSPCertID when the
*    certID is no longer necessary.
*/
extern CERTOCSPCertID *
CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);

/*
* FUNCTION: CERT_DestroyOCSPCertID
*  Frees the memory associated with the certID passed in.
* INPUTS:
*  CERTOCSPCertID* certID
*    The certID that the caller no longer needs and wants to
*    free the associated memory.
* RETURN:
*  SECSuccess if freeing the memory was successful.  Returns
*  SECFailure if the memory passed in was not allocated with
*  a call to CERT_CreateOCSPCertID.
*/
extern SECStatus
CERT_DestroyOCSPCertID(CERTOCSPCertID *certID);

extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
                                 CERTOCSPCertID *id,
                                 PRTime thisUpdate,
                                 const PRTime *nextUpdate);

extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
                                    CERTOCSPCertID *id,
                                    PRTime thisUpdate,
                                    const PRTime *nextUpdate);

extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseRevoked(
   PLArenaPool *arena,
   CERTOCSPCertID *id,
   PRTime thisUpdate,
   const PRTime *nextUpdate,
   PRTime revocationTime,
   const CERTCRLEntryReasonCode *revocationReason);

extern SECItem *
CERT_CreateEncodedOCSPSuccessResponse(
   PLArenaPool *arena,
   CERTCertificate *responderCert,
   CERTOCSPResponderIDType responderIDType,
   PRTime producedAt,
   CERTOCSPSingleResponse **responses,
   void *wincx);

/*
* FUNCTION: CERT_CreateEncodedOCSPErrorResponse
*  Creates an encoded OCSP response with an error response status.
* INPUTS:
*  PLArenaPool *arena
*    The return value is allocated from here.
*    If a NULL is passed in, allocation is done from the heap instead.
*  int error
*    An NSS error code indicating an error response status. The error
*    code is mapped to an OCSP response status as follows:
*        SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest
*        SEC_ERROR_OCSP_SERVER_ERROR -> internalError
*        SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater
*        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired
*        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized
*    where the OCSP response status is an enumerated type defined in
*    RFC 2560:
*    OCSPResponseStatus ::= ENUMERATED {
*        successful           (0),     --Response has valid confirmations
*        malformedRequest     (1),     --Illegal confirmation request
*        internalError        (2),     --Internal error in issuer
*        tryLater             (3),     --Try again later
*                                      --(4) is not used
*        sigRequired          (5),     --Must sign the request
*        unauthorized         (6)      --Request unauthorized
*    }
* RETURN:
*   Returns a pointer to the SECItem holding the response.
*   On error, returns null with error set describing the reason:
*	SEC_ERROR_INVALID_ARGS
*   Other errors are low-level problems (no memory, bad database, etc.).
*/
extern SECItem *
CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);

/* Sends an OCSP request using the HTTP POST method to the location addressed
* by the URL in |location| parameter. The request body will be
* |encodedRequest|, which must be a valid encoded OCSP request. On success,
* the server's response is returned and the caller must free it using
* SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of
* the HTTP response is done.
*
* If a default HTTP client has been registered with
* SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
* internal HTTP client is used.
*/
SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
                             const SECItem *encodedRequest);

/************************************************************************/
SEC_END_PROTOS

#endif /* _OCSP_H_ */