Mercurial > trustbridge > nss-cmake-static

comparison nss/lib/certhigh/ocspti.h @ 0:1e5118fa0cb1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:1e5118fa0cb1
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 /*
6 * Private header defining OCSP types.
7 */
8
9 #ifndef _OCSPTI_H_
10 #define _OCSPTI_H_
11
12 #include "ocspt.h"
13
14 #include "certt.h"
15 #include "plarena.h"
16 #include "seccomon.h"
17 #include "secoidt.h"
18
19
20 /*
21 * Some notes about naming conventions...
22 *
23 * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
24 * (Even the public types are opaque, however. Only their names are
25 * "exported".)
26 *
27 * Internal-only data types drop the "CERT" prefix and use only the
28 * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
29 *
30 * In either case, the base/suffix of the type name usually matches the
31 * name as defined in the OCSP specification. The exceptions to this are:
32 * - When there is overlap between the "OCSP" or "ocsp" prefix and
33 * the name used in the standard. That is, you cannot strip off the
34 * "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
35 * type as it is defined in the standard; the "real" name will be
36 * *either* "OCSPSuffix" or just "Suffix".
37 * - When the name in the standard was a little too generic. (e.g. The
38 * standard defines "Request" but we call it a "SingleRequest".)
39 * In this case a comment above the type definition calls attention
40 * to the difference.
41 *
42 * The definitions laid out in this header file are intended to follow
43 * the same order as the definitions in the OCSP specification itself.
44 * With the OCSP standard in hand, you should be able to move through
45 * this file and follow along. To future modifiers of this file: please
46 * try to keep it that way. The only exceptions are the few cases where
47 * we need to define a type before it is referenced (e.g. enumerations),
48 * whereas in the OCSP specification these are usually defined the other
49 * way around (reference before definition).
50 */
51
52
53 /*
54 * Forward-declarations of internal-only data structures.
55 *
56 * These are in alphabetical order (case-insensitive); please keep it that way!
57 */
58 typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
59 typedef struct ocspCertStatusStr ocspCertStatus;
60 typedef struct ocspResponderIDStr ocspResponderID;
61 typedef struct ocspResponseBytesStr ocspResponseBytes;
62 typedef struct ocspResponseDataStr ocspResponseData;
63 typedef struct ocspRevokedInfoStr ocspRevokedInfo;
64 typedef struct ocspServiceLocatorStr ocspServiceLocator;
65 typedef struct ocspSignatureStr ocspSignature;
66 typedef struct ocspSingleRequestStr ocspSingleRequest;
67 typedef struct ocspSingleResponseStr ocspSingleResponse;
68 typedef struct ocspTBSRequestStr ocspTBSRequest;
69
70
71 /*
72 * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
73 */
74 struct CERTOCSPRequestStr {
75 PLArenaPool *arena; /* local; not part of encoding */
76 ocspTBSRequest *tbsRequest;
77 ocspSignature *optionalSignature;
78 };
79
80 /*
81 * A TBSRequest; when an OCSPRequest is signed, the encoding of this
82 * is what the signature is actually applied to. ("TBS" == To Be Signed)
83 * Whether signed or not, however, this structure will be present, and
84 * is the "meat" of the OCSPRequest.
85 *
86 * Note that the "requestorName" field cannot be encoded/decoded in the
87 * same pass as the entire request -- it needs to be handled with a special
88 * call to convert to/from our internal form of a GeneralName. Thus the
89 * "derRequestorName" field, which is the actual DER-encoded bytes.
90 *
91 * The "extensionHandle" field is used on creation only; it holds
92 * in-progress extensions as they are optionally added to the request.
93 */
94 struct ocspTBSRequestStr {
95 SECItem version; /* an INTEGER */
96 SECItem *derRequestorName; /* encoded GeneralName; see above */
97 CERTGeneralNameList *requestorName; /* local; not part of encoding */
98 ocspSingleRequest **requestList;
99 CERTCertExtension **requestExtensions;
100 void *extensionHandle; /* local; not part of encoding */
101 };
102
103 /*
104 * This is the actual signature information for an OCSPRequest (applied to
105 * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
106 * ResponseData structure).
107 *
108 * Note that the "signature" field itself is a BIT STRING; operations on
109 * it need to keep that in mind, converting the length to bytes as needed
110 * and back again afterward (so that the length is usually expressing bits).
111 *
112 * The "cert" field is the signer's certificate. In the case of a received
113 * signature, it will be filled in when the signature is verified. In the
114 * case of a created signature, it is filled in on creation and will be the
115 * cert used to create the signature when the signing-and-encoding occurs,
116 * as well as the cert (and its chain) to fill in derCerts if requested.
117 *
118 * The extra fields cache information about the signature after we have
119 * attempted a verification. "wasChecked", if true, means the signature
120 * has been checked against the appropriate data and thus that "status"
121 * contains the result of that verification. If "status" is not SECSuccess,
122 * "failureReason" is a copy of the error code that was set at the time;
123 * presumably it tells why the signature verification failed.
124 */
125 struct ocspSignatureStr {
126 SECAlgorithmID signatureAlgorithm;
127 SECItem signature; /* a BIT STRING */
128 SECItem **derCerts; /* a SEQUENCE OF Certificate */
129 CERTCertificate *cert; /* local; not part of encoding */
130 PRBool wasChecked; /* local; not part of encoding */
131 SECStatus status; /* local; not part of encoding */
132 int failureReason; /* local; not part of encoding */
133 };
134
135 /*
136 * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
137 * whose status is being checked.
138 *
139 * Note that in the OCSP specification this is just called "Request",
140 * but since that seemed confusing (vs. an OCSPRequest) and to be more
141 * consistent with the parallel type "SingleResponse", I called it a
142 * "SingleRequest".
143 *
144 * XXX figure out how to get rid of that arena -- there must be a way
145 */
146 struct ocspSingleRequestStr {
147 PLArenaPool *arena; /* just a copy of the response arena,
148 * needed here for extension handling
149 * routines, on creation only */
150 CERTOCSPCertID *reqCert;
151 CERTCertExtension **singleRequestExtensions;
152 };
153
154 /*
155 * A CertID is the means of identifying a certificate, used both in requests
156 * and in responses.
157 *
158 * When in a SingleRequest it specifies the certificate to be checked.
159 * When in a SingleResponse it is the cert whose status is being given.
160 */
161 struct CERTOCSPCertIDStr {
162 SECAlgorithmID hashAlgorithm;
163 SECItem issuerNameHash; /* an OCTET STRING */
164 SECItem issuerKeyHash; /* an OCTET STRING */
165 SECItem serialNumber; /* an INTEGER */
166 SECItem issuerSHA1NameHash; /* keep other hashes around when */
167 SECItem issuerMD5NameHash; /* we have them */
168 SECItem issuerMD2NameHash;
169 SECItem issuerSHA1KeyHash; /* keep other hashes around when */
170 SECItem issuerMD5KeyHash; /* we have them */
171 SECItem issuerMD2KeyHash;
172 PLArenaPool *poolp;
173 };
174
175 /*
176 * This describes the value of the responseStatus field in an OCSPResponse.
177 * The corresponding ASN.1 definition is:
178 *
179 * OCSPResponseStatus ::= ENUMERATED {
180 * successful (0), --Response has valid confirmations
181 * malformedRequest (1), --Illegal confirmation request
182 * internalError (2), --Internal error in issuer
183 * tryLater (3), --Try again later
184 * --(4) is not used
185 * sigRequired (5), --Must sign the request
186 * unauthorized (6), --Request unauthorized
187 * }
188 */
189 typedef enum {
190 ocspResponse_min = 0,
191 ocspResponse_successful = 0,
192 ocspResponse_malformedRequest = 1,
193 ocspResponse_internalError = 2,
194 ocspResponse_tryLater = 3,
195 ocspResponse_unused = 4,
196 ocspResponse_sigRequired = 5,
197 ocspResponse_unauthorized = 6,
198 ocspResponse_max = 6 /* Please update max when adding values.
199 * Remember to also update arrays, e.g.
200 * "responseStatusNames" in ocspclnt.c
201 * and potentially other places. */
202 } ocspResponseStatus;
203
204 /*
205 * An OCSPResponse is what is sent (encoded) by an OCSP responder.
206 *
207 * The field "responseStatus" is the ASN.1 encoded value; the field
208 * "statusValue" is simply that same value translated into our local
209 * type ocspResponseStatus.
210 */
211 struct CERTOCSPResponseStr {
212 PLArenaPool *arena; /* local; not part of encoding */
213 SECItem responseStatus; /* an ENUMERATED, see above */
214 ocspResponseStatus statusValue; /* local; not part of encoding */
215 ocspResponseBytes *responseBytes; /* only when status is successful */
216 };
217
218 /*
219 * A ResponseBytes (despite appearances) is what contains the meat
220 * of a successful response -- but still in encoded form. The type
221 * given as "responseType" tells you how to decode the string.
222 *
223 * We look at the OID and translate it into our local OID representation
224 * "responseTypeTag", and use that value to tell us how to decode the
225 * actual response itself. For now the only kind of OCSP response we
226 * know about is a BasicOCSPResponse. However, the intention in the
227 * OCSP specification is to allow for other response types, so we are
228 * building in that flexibility from the start and thus put a pointer
229 * to that data structure inside of a union. Whenever OCSP adds more
230 * response types, just add them to the union.
231 */
232 struct ocspResponseBytesStr {
233 SECItem responseType; /* an OBJECT IDENTIFIER */
234 SECOidTag responseTypeTag; /* local; not part of encoding */
235 SECItem response; /* an OCTET STRING */
236 union {
237 ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */
238 } decodedResponse; /* local; not part of encoding */
239 };
240
241 /*
242 * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
243 * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
244 * encoding of one of these.
245 *
246 * Note that in the OCSP specification, the signature fields are not
247 * part of a separate sub-structure. But since they are the same fields
248 * as we define for the signature in a request, it made sense to share
249 * the C data structure here and in some shared code to operate on them.
250 */
251 struct ocspBasicOCSPResponseStr {
252 SECItem tbsResponseDataDER;
253 ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */
254 ocspSignature responseSignature;
255 };
256
257 /*
258 * A ResponseData is the part of a BasicOCSPResponse that is signed
259 * (after it is DER encoded). It contains the real details of the response
260 * (a per-certificate status).
261 */
262 struct ocspResponseDataStr {
263 SECItem version; /* an INTEGER */
264 SECItem derResponderID;
265 ocspResponderID *responderID; /* local; not part of encoding */
266 SECItem producedAt; /* a GeneralizedTime */
267 CERTOCSPSingleResponse **responses;
268 CERTCertExtension **responseExtensions;
269 };
270
271 struct ocspResponderIDStr {
272 CERTOCSPResponderIDType responderIDType;/* local; not part of encoding */
273 union {
274 CERTName name; /* when ocspResponderID_byName */
275 SECItem keyHash; /* when ocspResponderID_byKey */
276 SECItem other; /* when ocspResponderID_other */
277 } responderIDValue;
278 };
279
280 /*
281 * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
282 * SingleResponse -- one for each certificate whose status is being supplied.
283 *
284 * XXX figure out how to get rid of that arena -- there must be a way
285 */
286 struct CERTOCSPSingleResponseStr {
287 PLArenaPool *arena; /* just a copy of the response arena,
288 * needed here for extension handling
289 * routines, on creation only */
290 CERTOCSPCertID *certID;
291 SECItem derCertStatus;
292 ocspCertStatus *certStatus; /* local; not part of encoding */
293 SECItem thisUpdate; /* a GeneralizedTime */
294 SECItem *nextUpdate; /* a GeneralizedTime */
295 CERTCertExtension **singleExtensions;
296 };
297
298 /*
299 * A CertStatus is the actual per-certificate status. Its ASN.1 definition:
300 *
301 * CertStatus ::= CHOICE {
302 * good [0] IMPLICIT NULL,
303 * revoked [1] IMPLICIT RevokedInfo,
304 * unknown [2] IMPLICIT UnknownInfo }
305 *
306 * (where for now UnknownInfo is defined to be NULL but in the
307 * future may be replaced with an enumeration).
308 *
309 * Because it is CHOICE, the status value and its associated information
310 * (if any) are actually encoded together. To represent this same
311 * information internally, we explicitly define a type and save it,
312 * along with the value, into a data structure.
313 */
314
315 typedef enum {
316 ocspCertStatus_good, /* cert is not revoked */
317 ocspCertStatus_revoked, /* cert is revoked */
318 ocspCertStatus_unknown, /* cert was unknown to the responder */
319 ocspCertStatus_other /* status was not an expected value */
320 } ocspCertStatusType;
321
322 /*
323 * This is the actual per-certificate status.
324 *
325 * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
326 * (Though someday OCSP may replace UnknownInfo with an enumeration that
327 * gives more detailed information.)
328 */
329 struct ocspCertStatusStr {
330 ocspCertStatusType certStatusType; /* local; not part of encoding */
331 union {
332 SECItem *goodInfo; /* when ocspCertStatus_good */
333 ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */
334 SECItem *unknownInfo; /* when ocspCertStatus_unknown */
335 SECItem *otherInfo; /* when ocspCertStatus_other */
336 } certStatusInfo;
337 };
338
339 /*
340 * A RevokedInfo gives information about a revoked certificate -- when it
341 * was revoked and why.
342 */
343 struct ocspRevokedInfoStr {
344 SECItem revocationTime; /* a GeneralizedTime */
345 SECItem *revocationReason; /* a CRLReason; ignored for now */
346 };
347
348 /*
349 * ServiceLocator can be included as one of the singleRequestExtensions.
350 * When added, it specifies the (name of the) issuer of the cert being
351 * checked, and optionally the value of the AuthorityInfoAccess extension
352 * if the cert has one.
353 */
354 struct ocspServiceLocatorStr {
355 CERTName *issuer;
356 SECItem locator; /* DER encoded authInfoAccess extension from cert */
357 };
358
359 #endif /* _OCSPTI_H_ */
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)