andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: andre@0: /* andre@0: * Interface to the OCSP implementation. andre@0: */ andre@0: andre@0: #ifndef _OCSP_H_ andre@0: #define _OCSP_H_ andre@0: andre@0: andre@0: #include "plarena.h" andre@0: #include "seccomon.h" andre@0: #include "secoidt.h" andre@0: #include "keyt.h" andre@0: #include "certt.h" andre@0: #include "ocspt.h" andre@0: andre@0: andre@0: /************************************************************************/ andre@0: SEC_BEGIN_PROTOS andre@0: andre@0: /* andre@0: * This function registers the HttpClient with whose functions the andre@0: * HttpClientFcn structure has been populated as the default Http andre@0: * client. andre@0: * andre@0: * The function table must be a global object. andre@0: * The caller must ensure that NSS will be able to call andre@0: * the registered functions for the lifetime of the process. andre@0: */ andre@0: extern SECStatus andre@0: SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable); andre@0: andre@0: /* andre@0: * This function obtains the HttpClient which has been registered andre@0: * by an earlier call to SEC_RegisterDefaultHttpClient. andre@0: */ andre@0: extern const SEC_HttpClientFcn * andre@0: SEC_GetRegisteredHttpClient(void); andre@0: andre@0: /* andre@0: * Sets parameters that control NSS' internal OCSP cache. andre@0: * maxCacheEntries, special varlues are: andre@0: * -1 disable cache andre@0: * 0 unlimited cache entries andre@0: * minimumSecondsToNextFetchAttempt: andre@0: * whenever an OCSP request was attempted or completed over the network, andre@0: * wait at least this number of seconds before trying to fetch again. andre@0: * maximumSecondsToNextFetchAttempt: andre@0: * this is the maximum age of a cached response we allow, until we try andre@0: * to fetch an updated response, even if the OCSP responder expects andre@0: * that newer information update will not be available yet. andre@0: */ andre@0: extern SECStatus andre@0: CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, andre@0: PRUint32 minimumSecondsToNextFetchAttempt, andre@0: PRUint32 maximumSecondsToNextFetchAttempt); andre@0: andre@0: /* andre@0: * Set the desired behaviour on OCSP failures. andre@0: * See definition of ocspFailureMode for allowed choices. andre@0: */ andre@0: extern SECStatus andre@0: CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode); andre@0: andre@0: /* andre@0: * Configure the maximum time NSS will wait for an OCSP response. andre@0: */ andre@0: extern SECStatus andre@0: CERT_SetOCSPTimeout(PRUint32 seconds); andre@0: andre@0: /* andre@0: * Removes all items currently stored in the OCSP cache. andre@0: */ andre@0: extern SECStatus andre@0: CERT_ClearOCSPCache(void); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_EnableOCSPChecking andre@0: * Turns on OCSP checking for the given certificate database. andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * Certificate database for which OCSP checking will be enabled. andre@0: * RETURN: andre@0: * Returns SECFailure if an error occurred (likely only problem andre@0: * allocating memory); SECSuccess otherwise. andre@0: */ andre@0: extern SECStatus andre@0: CERT_EnableOCSPChecking(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DisableOCSPChecking andre@0: * Turns off OCSP checking for the given certificate database. andre@0: * This routine disables OCSP checking. Though it will return andre@0: * SECFailure if OCSP checking is not enabled, it is "safe" to andre@0: * call it that way and just ignore the return value, if it is andre@0: * easier to just call it than to "remember" whether it is enabled. andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * Certificate database for which OCSP checking will be disabled. andre@0: * RETURN: andre@0: * Returns SECFailure if an error occurred (usually means that OCSP andre@0: * checking was not enabled or status contexts were not initialized -- andre@0: * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. andre@0: */ andre@0: extern SECStatus andre@0: CERT_DisableOCSPChecking(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_SetOCSPDefaultResponder andre@0: * Specify the location and cert of the default responder. andre@0: * If OCSP checking is already enabled *and* use of a default responder andre@0: * is also already enabled, all OCSP checking from now on will go directly andre@0: * to the specified responder. If OCSP checking is not enabled, or if andre@0: * it is but use of a default responder is not enabled, the information andre@0: * will be recorded and take effect whenever both are enabled. andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * Cert database on which OCSP checking should use the default responder. andre@0: * const char *url andre@0: * The location of the default responder (e.g. "http://foo.com:80/ocsp") andre@0: * Note that the location will not be tested until the first attempt andre@0: * to send a request there. andre@0: * const char *name andre@0: * The nickname of the cert to trust (expected) to sign the OCSP responses. andre@0: * If the corresponding cert cannot be found, SECFailure is returned. andre@0: * RETURN: andre@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. andre@0: * The most likely error is that the cert for "name" could not be found andre@0: * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, andre@0: * bad database, etc.). andre@0: */ andre@0: extern SECStatus andre@0: CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, andre@0: const char *url, const char *name); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_EnableOCSPDefaultResponder andre@0: * Turns on use of a default responder when OCSP checking. andre@0: * If OCSP checking is already enabled, this will make subsequent checks andre@0: * go directly to the default responder. (The location of the responder andre@0: * and the nickname of the responder cert must already be specified.) andre@0: * If OCSP checking is not enabled, this will be recorded and take effect andre@0: * whenever it is enabled. andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * Cert database on which OCSP checking should use the default responder. andre@0: * RETURN: andre@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. andre@0: * No errors are especially likely unless the caller did not previously andre@0: * perform a successful call to SetOCSPDefaultResponder (in which case andre@0: * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). andre@0: */ andre@0: extern SECStatus andre@0: CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DisableOCSPDefaultResponder andre@0: * Turns off use of a default responder when OCSP checking. andre@0: * (Does nothing if use of a default responder is not enabled.) andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * Cert database on which OCSP checking should stop using a default andre@0: * responder. andre@0: * RETURN: andre@0: * Returns SECFailure if an error occurred; SECSuccess otherwise. andre@0: * Errors very unlikely (like random memory corruption...). andre@0: */ andre@0: extern SECStatus andre@0: CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle); andre@0: andre@0: /* If forcePost is set, OCSP requests will only be sent using the HTTP POST andre@0: * method. When forcePost is not set, OCSP requests will be sent using the andre@0: * HTTP GET method, with a fallback to POST when we fail to receive a response andre@0: * and/or when we receive an uncacheable response like "Unknown." andre@0: * andre@0: * The default is to use GET and fallback to POST. andre@0: */ andre@0: extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); andre@0: andre@0: /* andre@0: * ------------------------------------------------------- andre@0: * The Functions above are those expected to be used by a client andre@0: * providing OCSP status checking along with every cert verification. andre@0: * The functions below are for OCSP testing, debugging, or clients andre@0: * or servers performing more specialized OCSP tasks. andre@0: * ------------------------------------------------------- andre@0: */ andre@0: andre@0: /* andre@0: * FUNCTION: CERT_CreateOCSPRequest andre@0: * Creates a CERTOCSPRequest, requesting the status of the certs in andre@0: * the given list. andre@0: * INPUTS: andre@0: * CERTCertList *certList andre@0: * A list of certs for which status will be requested. andre@0: * Note that all of these certificates should have the same issuer, andre@0: * or it's expected the response will be signed by a trusted responder. andre@0: * If the certs need to be broken up into multiple requests, that andre@0: * must be handled by the caller (and thus by having multiple calls andre@0: * to this routine), who knows about where the request(s) are being andre@0: * sent and whether there are any trusted responders in place. andre@0: * PRTime time andre@0: * Indicates the time for which the certificate status is to be andre@0: * determined -- this may be used in the search for the cert's issuer andre@0: * but has no effect on the request itself. andre@0: * PRBool addServiceLocator andre@0: * If true, the Service Locator extension should be added to the andre@0: * single request(s) for each cert. andre@0: * CERTCertificate *signerCert andre@0: * If non-NULL, means sign the request using this cert. Otherwise, andre@0: * do not sign. andre@0: * XXX note that request signing is not yet supported; see comment in code andre@0: * RETURN: andre@0: * A pointer to a CERTOCSPRequest structure containing an OCSP request andre@0: * for the cert list. On error, null is returned, with an error set andre@0: * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. andre@0: * (The issuer is needed to create a request for the certificate.) andre@0: * Other errors are low-level problems (no memory, bad database, etc.). andre@0: */ andre@0: extern CERTOCSPRequest * andre@0: CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, andre@0: PRBool addServiceLocator, andre@0: CERTCertificate *signerCert); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_AddOCSPAcceptableResponses andre@0: * Add the AcceptableResponses extension to an OCSP Request. andre@0: * INPUTS: andre@0: * CERTOCSPRequest *request andre@0: * The request to which the extension should be added. andre@0: * SECOidTag responseType0, ... andre@0: * A list (of one or more) of SECOidTag -- each of the response types andre@0: * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. andre@0: * (This marks the end of the list, and it must be specified because a andre@0: * client conforming to the OCSP standard is required to handle the basic andre@0: * response type.) The OIDs are not checked in any way. andre@0: * RETURN: andre@0: * SECSuccess if the extension is added; SECFailure if anything goes wrong. andre@0: * All errors are internal or low-level problems (e.g. no memory). andre@0: */ andre@0: extern SECStatus andre@0: CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, andre@0: SECOidTag responseType0, ...); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_EncodeOCSPRequest andre@0: * DER encodes an OCSP Request, possibly adding a signature as well. andre@0: * XXX Signing is not yet supported, however; see comments in code. andre@0: * INPUTS: andre@0: * PLArenaPool *arena andre@0: * The return value is allocated from here. andre@0: * If a NULL is passed in, allocation is done from the heap instead. andre@0: * CERTOCSPRequest *request andre@0: * The request to be encoded. andre@0: * void *pwArg andre@0: * Pointer to argument for password prompting, if needed. (Definitely andre@0: * not needed if not signing.) andre@0: * RETURN: andre@0: * Returns a NULL on error and a pointer to the SECItem with the andre@0: * encoded value otherwise. Any error is likely to be low-level andre@0: * (e.g. no memory). andre@0: */ andre@0: extern SECItem * andre@0: CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, andre@0: void *pwArg); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DecodeOCSPRequest andre@0: * Decode a DER encoded OCSP Request. andre@0: * INPUTS: andre@0: * SECItem *src andre@0: * Pointer to a SECItem holding DER encoded OCSP Request. andre@0: * RETURN: andre@0: * Returns a pointer to a CERTOCSPRequest containing the decoded request. andre@0: * On error, returns NULL. Most likely error is trouble decoding andre@0: * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). andre@0: */ andre@0: extern CERTOCSPRequest * andre@0: CERT_DecodeOCSPRequest(const SECItem *src); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DestroyOCSPRequest andre@0: * Frees an OCSP Request structure. andre@0: * INPUTS: andre@0: * CERTOCSPRequest *request andre@0: * Pointer to CERTOCSPRequest to be freed. andre@0: * RETURN: andre@0: * No return value; no errors. andre@0: */ andre@0: extern void andre@0: CERT_DestroyOCSPRequest(CERTOCSPRequest *request); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DecodeOCSPResponse andre@0: * Decode a DER encoded OCSP Response. andre@0: * INPUTS: andre@0: * SECItem *src andre@0: * Pointer to a SECItem holding DER encoded OCSP Response. andre@0: * RETURN: andre@0: * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); andre@0: * the caller is responsible for destroying it. Or NULL if error (either andre@0: * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), andre@0: * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), andre@0: * or a low-level or internal error occurred). andre@0: */ andre@0: extern CERTOCSPResponse * andre@0: CERT_DecodeOCSPResponse(const SECItem *src); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DestroyOCSPResponse andre@0: * Frees an OCSP Response structure. andre@0: * INPUTS: andre@0: * CERTOCSPResponse *request andre@0: * Pointer to CERTOCSPResponse to be freed. andre@0: * RETURN: andre@0: * No return value; no errors. andre@0: */ andre@0: extern void andre@0: CERT_DestroyOCSPResponse(CERTOCSPResponse *response); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_GetEncodedOCSPResponse andre@0: * Creates and sends a request to an OCSP responder, then reads and andre@0: * returns the (encoded) response. andre@0: * INPUTS: andre@0: * PLArenaPool *arena andre@0: * Pointer to arena from which return value will be allocated. andre@0: * If NULL, result will be allocated from the heap (and thus should andre@0: * be freed via SECITEM_FreeItem). andre@0: * CERTCertList *certList andre@0: * A list of certs for which status will be requested. andre@0: * Note that all of these certificates should have the same issuer, andre@0: * or it's expected the response will be signed by a trusted responder. andre@0: * If the certs need to be broken up into multiple requests, that andre@0: * must be handled by the caller (and thus by having multiple calls andre@0: * to this routine), who knows about where the request(s) are being andre@0: * sent and whether there are any trusted responders in place. andre@0: * const char *location andre@0: * The location of the OCSP responder (a URL). andre@0: * PRTime time andre@0: * Indicates the time for which the certificate status is to be andre@0: * determined -- this may be used in the search for the cert's issuer andre@0: * but has no other bearing on the operation. andre@0: * PRBool addServiceLocator andre@0: * If true, the Service Locator extension should be added to the andre@0: * single request(s) for each cert. andre@0: * CERTCertificate *signerCert andre@0: * If non-NULL, means sign the request using this cert. Otherwise, andre@0: * do not sign. andre@0: * void *pwArg andre@0: * Pointer to argument for password prompting, if needed. (Definitely andre@0: * not needed if not signing.) andre@0: * OUTPUTS: andre@0: * CERTOCSPRequest **pRequest andre@0: * Pointer in which to store the OCSP request created for the given andre@0: * list of certificates. It is only filled in if the entire operation andre@0: * is successful and the pointer is not null -- and in that case the andre@0: * caller is then reponsible for destroying it. andre@0: * RETURN: andre@0: * Returns a pointer to the SECItem holding the response. andre@0: * On error, returns null with error set describing the reason: andre@0: * SEC_ERROR_UNKNOWN_ISSUER andre@0: * SEC_ERROR_CERT_BAD_ACCESS_LOCATION andre@0: * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE andre@0: * Other errors are low-level problems (no memory, bad database, etc.). andre@0: */ andre@0: extern SECItem * andre@0: CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, andre@0: const char *location, PRTime time, andre@0: PRBool addServiceLocator, andre@0: CERTCertificate *signerCert, void *pwArg, andre@0: CERTOCSPRequest **pRequest); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_VerifyOCSPResponseSignature andre@0: * Check the signature on an OCSP Response. Will also perform a andre@0: * verification of the signer's certificate. Note, however, that a andre@0: * successful verification does not make any statement about the andre@0: * signer's *authority* to provide status for the certificate(s), andre@0: * that must be checked individually for each certificate. andre@0: * INPUTS: andre@0: * CERTOCSPResponse *response andre@0: * Pointer to response structure with signature to be checked. andre@0: * CERTCertDBHandle *handle andre@0: * Pointer to CERTCertDBHandle for certificate DB to use for verification. andre@0: * void *pwArg andre@0: * Pointer to argument for password prompting, if needed. andre@0: * CERTCertificate *issuerCert andre@0: * Issuer of the certificate that generated the OCSP request. andre@0: * OUTPUTS: andre@0: * CERTCertificate **pSignerCert andre@0: * Pointer in which to store signer's certificate; only filled-in if andre@0: * non-null. andre@0: * RETURN: andre@0: * Returns SECSuccess when signature is valid, anything else means invalid. andre@0: * Possible errors set: andre@0: * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID andre@0: * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time andre@0: * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found andre@0: * SEC_ERROR_BAD_SIGNATURE - the signature did not verify andre@0: * Other errors are any of the many possible failures in cert verification andre@0: * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when andre@0: * verifying the signer's cert, or low-level problems (no memory, etc.) andre@0: */ andre@0: extern SECStatus andre@0: CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, andre@0: CERTCertDBHandle *handle, void *pwArg, andre@0: CERTCertificate **pSignerCert, andre@0: CERTCertificate *issuerCert); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation andre@0: * Get the value of the URI of the OCSP responder for the given cert. andre@0: * This is found in the (optional) Authority Information Access extension andre@0: * in the cert. andre@0: * INPUTS: andre@0: * CERTCertificate *cert andre@0: * The certificate being examined. andre@0: * RETURN: andre@0: * char * andre@0: * A copy of the URI for the OCSP method, if found. If either the andre@0: * extension is not present or it does not contain an entry for OCSP, andre@0: * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned. andre@0: * Any other error will also result in a NULL being returned. andre@0: * andre@0: * This result should be freed (via PORT_Free) when no longer in use. andre@0: */ andre@0: extern char * andre@0: CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack andre@0: * This function serves two purposes. andre@0: * 1) It registers the address of a callback function that will be andre@0: * called for certs that have no OCSP AIA extension, to see if the andre@0: * callback wishes to supply an alternative URL for such an OCSP inquiry. andre@0: * 2) It outputs the previously registered function's address to the andre@0: * address supplied by the caller, unless that is NULL. andre@0: * The registered callback function returns NULL, or an allocated string andre@0: * that may be subsequently freed by calling PORT_Free(). andre@0: * RETURN: andre@0: * SECSuccess or SECFailure (if the library is not yet intialized) andre@0: */ andre@0: extern SECStatus andre@0: CERT_RegisterAlternateOCSPAIAInfoCallBack( andre@0: CERT_StringFromCertFcn newCallback, andre@0: CERT_StringFromCertFcn * oldCallback); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_ParseURL andre@0: * Parse a URI into hostname, port, and path. The scheme in the URI must andre@0: * be "http". andre@0: * INPUTS: andre@0: * const char *url andre@0: * The URI to be parsed andre@0: * OUTPUTS: andre@0: * char **pHostname andre@0: * Pointer to store the hostname obtained from the URI. andre@0: * This result should be freed (via PORT_Free) when no longer in use. andre@0: * PRUint16 *pPort andre@0: * Pointer to store the port number obtained from the URI. andre@0: * char **pPath andre@0: * Pointer to store the path obtained from the URI. andre@0: * This result should be freed (via PORT_Free) when no longer in use. andre@0: * RETURN: andre@0: * Returns SECSuccess when parsing was successful. Returns SECFailure when andre@0: * problems were encountered. andre@0: */ andre@0: extern SECStatus andre@0: CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_CheckOCSPStatus andre@0: * Checks the status of a certificate via OCSP. Will only check status for andre@0: * a certificate that has an AIA (Authority Information Access) extension andre@0: * for OCSP *or* when a "default responder" is specified and enabled. andre@0: * (If no AIA extension for OCSP and no default responder in place, the andre@0: * cert is considered to have a good status and SECSuccess is returned.) andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * certificate DB of the cert that is being checked andre@0: * CERTCertificate *cert andre@0: * the certificate being checked andre@0: * XXX in the long term also need a boolean parameter that specifies andre@0: * whether to check the cert chain, as well; for now we check only andre@0: * the leaf (the specified certificate) andre@0: * PRTime time andre@0: * time for which status is to be determined andre@0: * void *pwArg andre@0: * argument for password prompting, if needed andre@0: * RETURN: andre@0: * Returns SECSuccess if an approved OCSP responder "knows" the cert andre@0: * *and* returns a non-revoked status for it; SECFailure otherwise, andre@0: * with an error set describing the reason: andre@0: * andre@0: * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE andre@0: * SEC_ERROR_OCSP_FUTURE_RESPONSE andre@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST andre@0: * SEC_ERROR_OCSP_MALFORMED_RESPONSE andre@0: * SEC_ERROR_OCSP_OLD_RESPONSE andre@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG andre@0: * SEC_ERROR_OCSP_SERVER_ERROR andre@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER andre@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST andre@0: * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE andre@0: * SEC_ERROR_OCSP_UNKNOWN_CERT andre@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS andre@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE andre@0: * andre@0: * SEC_ERROR_BAD_SIGNATURE andre@0: * SEC_ERROR_CERT_BAD_ACCESS_LOCATION andre@0: * SEC_ERROR_INVALID_TIME andre@0: * SEC_ERROR_REVOKED_CERTIFICATE andre@0: * SEC_ERROR_UNKNOWN_ISSUER andre@0: * SEC_ERROR_UNKNOWN_SIGNER andre@0: * andre@0: * Other errors are any of the many possible failures in cert verification andre@0: * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when andre@0: * verifying the signer's cert, or low-level problems (error allocating andre@0: * memory, error performing ASN.1 decoding, etc.). andre@0: */ andre@0: extern SECStatus andre@0: CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, andre@0: PRTime time, void *pwArg); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_CacheOCSPResponseFromSideChannel andre@0: * First, this function checks the OCSP cache to see if a good response andre@0: * for the given certificate already exists. If it does, then the function andre@0: * returns successfully. andre@0: * andre@0: * If not, then it validates that the given OCSP response is a valid, andre@0: * good response for the given certificate and inserts it into the andre@0: * cache. andre@0: * andre@0: * This function is intended for use when OCSP responses are provided via a andre@0: * side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension). andre@0: * andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * certificate DB of the cert that is being checked andre@0: * CERTCertificate *cert andre@0: * the certificate being checked andre@0: * PRTime time andre@0: * time for which status is to be determined andre@0: * SECItem *encodedResponse andre@0: * the DER encoded bytes of the OCSP response andre@0: * void *pwArg andre@0: * argument for password prompting, if needed andre@0: * RETURN: andre@0: * SECSuccess if the cert was found in the cache, or if the OCSP response was andre@0: * found to be valid and inserted into the cache. SECFailure otherwise. andre@0: */ andre@0: extern SECStatus andre@0: CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, andre@0: CERTCertificate *cert, andre@0: PRTime time, andre@0: const SECItem *encodedResponse, andre@0: void *pwArg); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_GetOCSPStatusForCertID andre@0: * Returns the OCSP status contained in the passed in parameter response andre@0: * that corresponds to the certID passed in. andre@0: * INPUTS: andre@0: * CERTCertDBHandle *handle andre@0: * certificate DB of the cert that is being checked andre@0: * CERTOCSPResponse *response andre@0: * the OCSP response we want to retrieve status from. andre@0: * CERTOCSPCertID *certID andre@0: * the ID we want to look for from the response. andre@0: * CERTCertificate *signerCert andre@0: * the certificate that was used to sign the OCSP response. andre@0: * must be obtained via a call to CERT_VerifyOCSPResponseSignature. andre@0: * PRTime time andre@0: * The time at which we're checking the status for. andre@0: * RETURN: andre@0: * Return values are the same as those for CERT_CheckOCSPStatus andre@0: */ andre@0: extern SECStatus andre@0: CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, andre@0: CERTOCSPResponse *response, andre@0: CERTOCSPCertID *certID, andre@0: CERTCertificate *signerCert, andre@0: PRTime time); andre@0: andre@0: /* andre@0: * FUNCTION CERT_GetOCSPResponseStatus andre@0: * Returns the response status for the response passed. andre@0: * INPUTS: andre@0: * CERTOCSPResponse *response andre@0: * The response to query for status andre@0: * RETURN: andre@0: * Returns SECSuccess if the response has a successful status value. andre@0: * Otherwise it returns SECFailure and sets one of the following error andre@0: * codes via PORT_SetError andre@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST andre@0: * SEC_ERROR_OCSP_SERVER_ERROR andre@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER andre@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG andre@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST andre@0: * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS andre@0: */ andre@0: extern SECStatus andre@0: CERT_GetOCSPResponseStatus(CERTOCSPResponse *response); andre@0: andre@0: /* andre@0: * FUNCTION CERT_CreateOCSPCertID andre@0: * Returns the OCSP certID for the certificate passed in. andre@0: * INPUTS: andre@0: * CERTCertificate *cert andre@0: * The certificate for which to create the certID for. andre@0: * PRTime time andre@0: * The time at which the id is requested for. This is used andre@0: * to determine the appropriate issuer for the cert since andre@0: * the issuing CA may be an older expired certificate. andre@0: * RETURN: andre@0: * A new copy of a CERTOCSPCertID*. The memory for this certID andre@0: * should be freed by calling CERT_DestroyOCSPCertID when the andre@0: * certID is no longer necessary. andre@0: */ andre@0: extern CERTOCSPCertID* andre@0: CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_DestroyOCSPCertID andre@0: * Frees the memory associated with the certID passed in. andre@0: * INPUTS: andre@0: * CERTOCSPCertID* certID andre@0: * The certID that the caller no longer needs and wants to andre@0: * free the associated memory. andre@0: * RETURN: andre@0: * SECSuccess if freeing the memory was successful. Returns andre@0: * SECFailure if the memory passed in was not allocated with andre@0: * a call to CERT_CreateOCSPCertID. andre@0: */ andre@0: extern SECStatus andre@0: CERT_DestroyOCSPCertID(CERTOCSPCertID* certID); andre@0: andre@0: andre@0: extern CERTOCSPSingleResponse* andre@0: CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, andre@0: CERTOCSPCertID *id, andre@0: PRTime thisUpdate, andre@0: const PRTime *nextUpdate); andre@0: andre@0: extern CERTOCSPSingleResponse* andre@0: CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, andre@0: CERTOCSPCertID *id, andre@0: PRTime thisUpdate, andre@0: const PRTime *nextUpdate); andre@0: andre@0: extern CERTOCSPSingleResponse* andre@0: CERT_CreateOCSPSingleResponseRevoked( andre@0: PLArenaPool *arena, andre@0: CERTOCSPCertID *id, andre@0: PRTime thisUpdate, andre@0: const PRTime *nextUpdate, andre@0: PRTime revocationTime, andre@0: const CERTCRLEntryReasonCode* revocationReason); andre@0: andre@0: extern SECItem* andre@0: CERT_CreateEncodedOCSPSuccessResponse( andre@0: PLArenaPool *arena, andre@0: CERTCertificate *responderCert, andre@0: CERTOCSPResponderIDType responderIDType, andre@0: PRTime producedAt, andre@0: CERTOCSPSingleResponse **responses, andre@0: void *wincx); andre@0: andre@0: /* andre@0: * FUNCTION: CERT_CreateEncodedOCSPErrorResponse andre@0: * Creates an encoded OCSP response with an error response status. andre@0: * INPUTS: andre@0: * PLArenaPool *arena andre@0: * The return value is allocated from here. andre@0: * If a NULL is passed in, allocation is done from the heap instead. andre@0: * int error andre@0: * An NSS error code indicating an error response status. The error andre@0: * code is mapped to an OCSP response status as follows: andre@0: * SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest andre@0: * SEC_ERROR_OCSP_SERVER_ERROR -> internalError andre@0: * SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater andre@0: * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired andre@0: * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized andre@0: * where the OCSP response status is an enumerated type defined in andre@0: * RFC 2560: andre@0: * OCSPResponseStatus ::= ENUMERATED { andre@0: * successful (0), --Response has valid confirmations andre@0: * malformedRequest (1), --Illegal confirmation request andre@0: * internalError (2), --Internal error in issuer andre@0: * tryLater (3), --Try again later andre@0: * --(4) is not used andre@0: * sigRequired (5), --Must sign the request andre@0: * unauthorized (6) --Request unauthorized andre@0: * } andre@0: * RETURN: andre@0: * Returns a pointer to the SECItem holding the response. andre@0: * On error, returns null with error set describing the reason: andre@0: * SEC_ERROR_INVALID_ARGS andre@0: * Other errors are low-level problems (no memory, bad database, etc.). andre@0: */ andre@0: extern SECItem* andre@0: CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); andre@0: andre@0: /* Sends an OCSP request using the HTTP POST method to the location addressed andre@0: * by the URL in |location| parameter. The request body will be andre@0: * |encodedRequest|, which must be a valid encoded OCSP request. On success, andre@0: * the server's response is returned and the caller must free it using andre@0: * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of andre@0: * the HTTP response is done. andre@0: * andre@0: * If a default HTTP client has been registered with andre@0: * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an andre@0: * internal HTTP client is used. andre@0: */ andre@0: SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, andre@0: const SECItem *encodedRequest); andre@0: andre@0: /************************************************************************/ andre@0: SEC_END_PROTOS andre@0: andre@0: #endif /* _OCSP_H_ */