Mercurial > trustbridge > nss-cmake-static
comparison nss/lib/libpkix/include/pkix_revchecker.h @ 0:1e5118fa0cb1
This is NSS with a Cmake Buildsyste
To compile a static NSS library for Windows we've used the
Chromium-NSS fork and added a Cmake buildsystem to compile
it statically for Windows. See README.chromium for chromium
changes and README.trustbridge for our modifications.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 28 Jul 2014 10:47:06 +0200 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:1e5118fa0cb1 |
|---|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 4 /* | |
| 5 * This file defines functions associated with the PKIX_RevocationChecker | |
| 6 * type. | |
| 7 * | |
| 8 */ | |
| 9 | |
| 10 #ifndef _PKIX_REVCHECKER_H | |
| 11 #define _PKIX_REVCHECKER_H | |
| 12 | |
| 13 #include "pkixt.h" | |
| 14 #include "pkix_pl_pki.h" | |
| 15 | |
| 16 #ifdef __cplusplus | |
| 17 extern "C" { | |
| 18 #endif | |
| 19 | |
| 20 /* General | |
| 21 * | |
| 22 * Please refer to the libpkix Programmer's Guide for detailed information | |
| 23 * about how to use the libpkix library. Certain key warnings and notices from | |
| 24 * that document are repeated here for emphasis. | |
| 25 * | |
| 26 * All identifiers in this file (and all public identifiers defined in | |
| 27 * libpkix) begin with "PKIX_". Private identifiers only intended for use | |
| 28 * within the library begin with "pkix_". | |
| 29 * | |
| 30 * A function returns NULL upon success, and a PKIX_Error pointer upon failure. | |
| 31 * | |
| 32 * Unless otherwise noted, for all accessor (gettor) functions that return a | |
| 33 * PKIX_PL_Object pointer, callers should assume that this pointer refers to a | |
| 34 * shared object. Therefore, the caller should treat this shared object as | |
| 35 * read-only and should not modify this shared object. When done using the | |
| 36 * shared object, the caller should release the reference to the object by | |
| 37 * using the PKIX_PL_Object_DecRef function. | |
| 38 * | |
| 39 * While a function is executing, if its arguments (or anything referred to by | |
| 40 * its arguments) are modified, free'd, or destroyed, the function's behavior | |
| 41 * is undefined. | |
| 42 * | |
| 43 */ | |
| 44 | |
| 45 /* PKIX_RevocationChecker | |
| 46 * | |
| 47 * PKIX_RevocationChecker provides a standard way of revocation checking. | |
| 48 * Caller should configure two set of tests(represented at lists of | |
| 49 * RevocationMethod objects) to be performed on the leaf and on the rest of | |
| 50 * the chain certificates. | |
| 51 * | |
| 52 * PKIX_RevocationMethods provide a standard way for the caller to insert | |
| 53 * their own custom revocation checks to verify the revocation status of | |
| 54 * certificates. This may be useful in many scenarios, including when the | |
| 55 * caller wishes to use their own revocation checking mechanism instead of (or | |
| 56 * in addition to) the default revocation checking mechanism provided by | |
| 57 * libpkix, which uses CRLs and OCSP. | |
| 58 * | |
| 59 * Once the caller has created the RevocationMethod object(s), the caller | |
| 60 * then specifies the RevocationMethod object(s) in a RevocationCheck object | |
| 61 * and sets it into a ProcessingParams. | |
| 62 */ | |
| 63 | |
| 64 /* | |
| 65 * FUNCTION: PKIX_RevocationChecker_Create | |
| 66 * DESCRIPTION: | |
| 67 * | |
| 68 * Creates revocation checker object with a given flags. | |
| 69 * | |
| 70 * PARAMETERS: | |
| 71 * "revDate" | |
| 72 * Revocation will be checked at this date. Current date is taken if the | |
| 73 * parameter is not specified. | |
| 74 * "leafMethodListFlags" | |
| 75 * Defines a set of method independent flags that will be used to check | |
| 76 * revocation of the leaf cert in the chain. | |
| 77 * "chainMethodListFlags" | |
| 78 * Defines a set of method independent flags that will be used to check | |
| 79 * revocation of the remaining certs in the chain. | |
| 80 * "pChecker" | |
| 81 * The return address of created checker. | |
| 82 * "plContext" | |
| 83 * Platform-specific context pointer. | |
| 84 * THREAD SAFETY: | |
| 85 * Thread Safe | |
| 86 * | |
| 87 * Multiple threads must be able to safely call this function without | |
| 88 * worrying about conflicts, even if they're operating on the same objects. | |
| 89 * RETURNS: | |
| 90 * Returns NULL if the function succeeds. | |
| 91 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 92 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 93 */ | |
| 94 PKIX_Error * | |
| 95 PKIX_RevocationChecker_Create( | |
| 96 PKIX_UInt32 leafMethodListFlags, | |
| 97 PKIX_UInt32 chainMethodListFlags, | |
| 98 PKIX_RevocationChecker **pChecker, | |
| 99 void *plContext); | |
| 100 | |
| 101 /* | |
| 102 * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod | |
| 103 * DESCRIPTION: | |
| 104 * | |
| 105 * Creates revocation method object with given parameters and adds it | |
| 106 * to revocation checker method list. | |
| 107 * | |
| 108 * PARAMETERS: | |
| 109 * "revChecker" | |
| 110 * Address of revocation checker structure. | |
| 111 * "procParams" | |
| 112 * Address of ProcessingParams used to initialize the checker. | |
| 113 * Must be non-NULL. | |
| 114 * "methodType" | |
| 115 * Type of the method. Currently only two types are | |
| 116 * supported: crl and ocsp. (See PKIX_RevocationMethodType enum). | |
| 117 * "methodFlags" | |
| 118 * Set of flags for the method. | |
| 119 * "methodPriority" | |
| 120 * Method priority. (0 corresponds to a highest priority) | |
| 121 * "verificationFn" | |
| 122 * User call back function that will perform validation of fetched | |
| 123 * revocation information(new crl or ocsp response) | |
| 124 * "isLeafMethod" | |
| 125 * Boolean flag that if set to true indicates that the method should | |
| 126 * should be used for leaf cert revocation test(false for chain set | |
| 127 * methods). | |
| 128 * "plContext" | |
| 129 * Platform-specific context pointer. | |
| 130 * THREAD SAFETY: | |
| 131 * Thread Safe | |
| 132 * | |
| 133 * Multiple threads must be able to safely call this function without | |
| 134 * worrying about conflicts, even if they're operating on the same objects. | |
| 135 * RETURNS: | |
| 136 * Returns NULL if the function succeeds. | |
| 137 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 138 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 139 */ | |
| 140 PKIX_Error * | |
| 141 PKIX_RevocationChecker_CreateAndAddMethod( | |
| 142 PKIX_RevocationChecker *revChecker, | |
| 143 PKIX_ProcessingParams *params, | |
| 144 PKIX_RevocationMethodType methodType, | |
| 145 PKIX_UInt32 methodFlags, | |
| 146 PKIX_UInt32 mathodPriority, | |
| 147 PKIX_PL_VerifyCallback verificationFn, | |
| 148 PKIX_Boolean isLeafMethod, | |
| 149 void *plContext); | |
| 150 | |
| 151 /* | |
| 152 * FUNCTION: PKIX_RevocationChecker_Check | |
| 153 * DESCRIPTION: | |
| 154 * | |
| 155 * Verifies revocation status of the certificate. Issuer cert is given to | |
| 156 * be used in verification of revocation information. Performed verification | |
| 157 * check depends on configured revocation methods(ocsp, crl. See | |
| 158 * PKIX_RevocationChecker_CreateAndAddMethod function) and a point of chain | |
| 159 * building process at which PKIX_RevocationChecker_Check was invoked. | |
| 160 * For security reasons, the cert status is checked only against cached | |
| 161 * revocation information during chain building stage(no trust anchor yes has | |
| 162 * been found). The fresh revocation information fetching is done only at chain | |
| 163 * verification stage after trust anchor was identified. | |
| 164 * | |
| 165 * PARAMETERS: | |
| 166 * "cert" | |
| 167 * Address of Cert whose revocation status is to be determined. | |
| 168 * Must be non-NULL. | |
| 169 * "issuer" | |
| 170 * Issuer cert that potentially holds public key that will be used | |
| 171 * to verify revocation info. | |
| 172 * "revChecker" | |
| 173 * Address of revocation checker structure. | |
| 174 * "procParams" | |
| 175 * Address of ProcessingParams used to initialize the checker. | |
| 176 * Must be non-NULL. | |
| 177 * "chainVerificationState" | |
| 178 * Need to be set to true, if the check was called during chain verification | |
| 179 * as an opposite to chain building. | |
| 180 * "testingLeafCert" | |
| 181 * Set to true if verifying revocation status of a leaf cert. | |
| 182 * "revStatus" | |
| 183 * Address of the returned revocation status of the cert. | |
| 184 * "pResultCode" | |
| 185 * Address where revocation status will be stored. Must be non-NULL. | |
| 186 * "pNBIOContext" | |
| 187 * Address at which platform-dependent non-blocking I/O context is stored. | |
| 188 * Must be non-NULL. | |
| 189 * "plContext" | |
| 190 * Platform-specific context pointer. | |
| 191 * THREAD SAFETY: | |
| 192 * Thread Safe | |
| 193 * | |
| 194 * Multiple threads must be able to safely call this function without | |
| 195 * worrying about conflicts, even if they're operating on the same objects. | |
| 196 * RETURNS: | |
| 197 * Returns NULL if the function succeeds. | |
| 198 * Returns a RevocationChecker Error if the function fails in a non-fatal way. | |
| 199 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
| 200 */ | |
| 201 PKIX_Error * | |
| 202 PKIX_RevocationChecker_Check(PKIX_PL_Cert *cert, | |
| 203 PKIX_PL_Cert *issuer, | |
| 204 PKIX_RevocationChecker *revChecker, | |
| 205 PKIX_ProcessingParams *procParams, | |
| 206 PKIX_Boolean chainVerificationState, | |
| 207 PKIX_Boolean testingLeafCert, | |
| 208 PKIX_RevocationStatus *revStatus, | |
| 209 PKIX_UInt32 *pReasonCode, | |
| 210 void **pNbioContext, | |
| 211 void *plContext); | |
| 212 | |
| 213 #ifdef __cplusplus | |
| 214 } | |
| 215 #endif | |
| 216 | |
| 217 #endif /* _PKIX_REVCHECKER_H */ |