/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * ocspi.h - NSS internal interfaces to OCSP code
 *
 * Prototypes only. This header includes nothing itself, so the NSS types it
 * names (SECStatus, SECItem, SECOidTag, SECErrorCodes, PLArenaPool, PRBool,
 * PRTime, CERT*, ocsp*) must already be in scope in the including file.
 */

#ifndef _OCSPI_H_
#define _OCSPI_H_

/* Global OCSP set-up and tear-down. What state they manage is not visible
 * here; see the definitions in ocsp.c. */
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);

/*
 * FUNCTION: ocsp_GetResponseData
 *   Returns the tbsResponseData of a decoded response.
 * INPUTS:
 *   CERTOCSPResponse *response
 *     the decoded response.
 *   SECItem **tbsResponseDataDER
 *     presumably an optional out parameter receiving the DER encoding of
 *     tbsResponseData (the bytes a signature check is computed over) -
 *     confirm in ocsp.c.
 */
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);

/* Returns the signature structure carried by a decoded response. */
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);

/*
 * FUNCTION: ocsp_DigestValue
 *   Digests src with the algorithm named by digestAlg.
 * INPUTS:
 *   PLArenaPool *arena
 *     arena used for the result when one has to be allocated (assumption
 *     from the signature; confirm whether fill == NULL is what triggers it).
 *   SECOidTag digestAlg
 *     digest algorithm OID tag.
 *   SECItem *fill
 *     presumably a caller-supplied item to receive the digest, or NULL.
 *   const SECItem *src
 *     data to digest.
 * RETURN:
 *   the digest item, or NULL on failure.
 */
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
                 SECItem *fill, const SECItem *src);

/* PR_TRUE if cert is the configured default OCSP responder for handle. */
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);

/*
 * FUNCTION: ocsp_GetSignerCertificate
 *   Locates the certificate that signed the response.
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB to search.
 *   ocspResponseData *tbsData
 *     the tbsResponseData (carries the responder ID).
 *   ocspSignature *signature
 *     the response signature (may carry embedded certificates).
 *   CERTCertificate *issuer
 *     issuer of the certificate whose status is being checked.
 * RETURN:
 *   the signer certificate, or NULL if none could be found. Whether the
 *   caller must CERT_DestroyCertificate the result is not stated here -
 *   confirm against the definition.
 */
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
                          ocspSignature *signature, CERTCertificate *issuer);

/*
 * FUNCTION: ocsp_VerifyResponseSignature
 *   Verifies signature over tbsResponseDataDER with signerCert's public key.
 *   Note that this only checks the signature; whether signerCert is
 *   authorised to sign for this responder is established elsewhere.
 * INPUTS:
 *   void *pwArg
 *     passed through to the password callback, as is usual for NSS
 *     signature checks (assumption; confirm).
 * RETURN:
 *   SECSuccess if the signature verifies, SECFailure otherwise.
 */
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
                             ocspSignature *signature,
                             SECItem *tbsResponseDataDER,
                             void *pwArg);

/*
 * FUNCTION: cert_CreateSingleCertOCSPRequest
 *   Builds a request for a single certificate.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID to request status for.
 *   CERTCertificate *singleCert
 *     the certificate being checked.
 *   PRTime time
 *     the time the request is made for.
 *   PRBool addServiceLocator
 *     presumably whether to include the service-locator extension - confirm.
 *   CERTCertificate *signerCert
 *     certificate to sign the request with, if any.
 * RETURN:
 *   the new request, or NULL on failure.
 */
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 CERTCertificate *singleCert,
                                 PRTime time,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);

/* Freshness of a cache entry, as reported by
 * ocsp_GetCachedOCSPResponseStatus. */
typedef enum { ocspMissing, /* no cached entry for this cert ID */
               ocspFresh,   /* cached entry is still usable */
               ocspStale    /* cached entry exists but is out of date */
} OCSPFreshness;

/*
 * FUNCTION: ocsp_GetCachedOCSPResponseStatus
 *   Consults the OCSP cache for certID.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID to look up.
 *   PRTime time
 *     the time the status is wanted for.
 *   PRBool ignoreOcspFailureMode
 *     presumably bypasses the global failure-mode setting for this lookup -
 *     confirm in ocsp.c.
 *   SECStatus *rvOcsp
 *     out: the cached OCSP verdict.
 *   SECErrorCodes *missingResponseError
 *     out: the error to report when no usable response is cached.
 *   OCSPFreshness *freshness
 *     out: whether the cache entry is missing, fresh or stale.
 * RETURN:
 *   status of the lookup itself.
 */
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
                                 PRTime time,
                                 PRBool ignoreOcspFailureMode,
                                 SECStatus *rvOcsp,
                                 SECErrorCodes *missingResponseError,
                                 OCSPFreshness *freshness);

/*
 * FUNCTION: cert_ProcessOCSPResponse
 *   Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
 *   In addition it can update the OCSP cache (using information
 *   available internally to this function).
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTOCSPResponse *response
 *     the OCSP response we want to retrieve status from.
 *   CERTOCSPCertID *certID
 *     the ID we want to look for from the response.
 *   CERTCertificate *signerCert
 *     the certificate that was used to sign the OCSP response.
 *     must be obtained via a call to CERT_VerifyOCSPResponseSignature.
 *   PRTime time
 *     The time for which the status is being checked.
 *   PRBool *certIDWasConsumed
 *     In and Out parameter.
 *     If certIDWasConsumed is NULL on input,
 *     this function might produce a deep copy of cert ID
 *     for storing it in the cache.
 *     If out value is true, ownership of parameter certID was
 *     transferred to the OCSP cache (the caller must not free it).
 *   SECStatus *cacheUpdateStatus
 *     This optional out parameter will contain the result
 *     of the cache update operation (if requested).
 * RETURN:
 *   The return value is not influenced by the cache operation,
 *   it matches the documentation for CERT_CheckOCSPStatus
 */

SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
                         CERTOCSPResponse *response,
                         CERTOCSPCertID *certID,
                         CERTCertificate *signerCert,
                         PRTime time,
                         PRBool *certIDWasConsumed,
                         SECStatus *cacheUpdateStatus);

/*
 * FUNCTION: cert_RememberOCSPProcessingFailure
 *   If an application notices a failure during OCSP processing,
 *   it should finally call this function. The failure will be recorded
 *   in the OCSP cache in order to avoid repetitive failures.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID that was used for the failed OCSP processing
 *   PRBool *certIDWasConsumed
 *     Out parameter, if set to true, ownership of parameter certID was
 *     transferred to the OCSP cache.
 * RETURN:
 *   Status of the cache update operation.
 */

SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                   PRBool *certIDWasConsumed);

/*
 * FUNCTION: ocsp_GetResponderLocation
 *   Check ocspx context for user-designated responder URI first. If not
 *   found, checks cert AIA extension. A URI taken from the AIA extension
 *   comes from the certificate under examination, not from local
 *   configuration.
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTCertificate *cert
 *     The certificate being examined.
 *   PRBool canUseDefaultLocation
 *     presumably gates the fall-back to the user-designated default
 *     responder - confirm in ocsp.c.
 *   PRBool *isDefault
 *     Out parameter, if set to true, URI of default responder is
 *     returned.
 * RETURN:
 *   Responder URI, or NULL if none is available. Ownership of the string is
 *   not stated here; confirm whether the caller frees it.
 */
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
                          CERTCertificate *cert,
                          PRBool canUseDefaultLocation,
                          PRBool *isDefault);

/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
 *   The function checks the global ocsp settings and
 *   tells how to treat an ocsp response fetching failure
 *   (the "hard fail" versus "soft fail" policy).
 * RETURNS:
 *   if PR_TRUE is returned, then treat a fetching failure as a
 *   revoked cert status; otherwise the failure is tolerated.
 */
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);

/*
 * FUNCTION: ocsp_UrlEncodeBase64Buf
 *   URL-encodes a base64 string into outputBuf.
 *   There is no size parameter: outputBuf must already be large enough for
 *   the encoded form of base64Buf, and the caller is responsible for that.
 *   Presumably the returned size_t is the encoded length and a NULL
 *   outputBuf can be used to compute it first - confirm in ocsp.c.
 */
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);

/*
 * FUNCTION: ocsp_GetVerifiedSingleResponseForCertID
 *   Finds the single response for certID within response, after the
 *   response has been verified against signerCert.
 * INPUTS:
 *   PRTime time
 *     the time the single response must be valid for.
 *   CERTOCSPSingleResponse **pSingleResponse
 *     out: the matching single response.
 * RETURN:
 *   SECSuccess if a usable single response was found, SECFailure otherwise.
 */
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
                                        CERTOCSPResponse *response,
                                        CERTOCSPCertID *certID,
                                        CERTCertificate *signerCert,
                                        PRTime time,
                                        CERTOCSPSingleResponse **pSingleResponse);

/* SECSuccess if status says the certificate was good at time; the exact
 * treatment of revoked/unknown is defined by the implementation in ocsp.c. */
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);

/*
 * FUNCTION: ocsp_CacheSingleResponse
 *   Stores single in the OCSP cache under certID.
 * INPUTS:
 *   PRBool *certIDWasConsumed
 *     Out parameter; presumably the same convention as
 *     cert_ProcessOCSPResponse: if set to true, ownership of certID was
 *     transferred to the cache and the caller must not free it.
 */
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
                         CERTOCSPSingleResponse *single,
                         PRBool *certIDWasConsumed);

#endif /* _OCSPI_H_ */