/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * ocspi.h - NSS internal interfaces to OCSP code
 *
 * Internal (non-exported) OCSP declarations shared between NSS source
 * files. Nothing here is part of the public NSS API; the contracts
 * below are as stated in this header and are otherwise to be confirmed
 * against the implementing source file.
 */

#ifndef _OCSPI_H_
#define _OCSPI_H_

/* Global OCSP subsystem setup and teardown. */
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);

/*
 * Returns the response data of an OCSP response; if tbsResponseDataDER
 * is non-NULL, the DER encoding of the to-be-signed response data is
 * presumably handed back through it (the encoding is what a signature
 * check is made over; see ocsp_VerifyResponseSignature below).
 */
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);

/* Returns the signature portion of an OCSP response. */
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);

/*
 * Computes the digest of src under digestAlg. fill, when non-NULL, is
 * presumably the SECItem to fill; otherwise the result is allocated from
 * arena -- confirm against the implementation.
 */
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
                 SECItem *fill, const SECItem *src);

/* Tells whether cert is the configured default OCSP responder. */
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);

/*
 * Locates the certificate that signed an OCSP response, given the
 * to-be-signed data, the signature and the issuer of the certificate
 * whose status is being checked. Finding the signer is not the same as
 * verifying it; the signature itself is checked by
 * ocsp_VerifyResponseSignature.
 */
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
                          ocspSignature *signature, CERTCertificate *issuer);

/*
 * Verifies signature over tbsResponseDataDER with signerCert. pwArg is
 * passed through to the key/password callback. Callers that consume an
 * OCSP response must not treat it as authoritative before this (or the
 * public CERT_VerifyOCSPResponseSignature) has succeeded.
 */
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
                             ocspSignature *signature,
                             SECItem *tbsResponseDataDER,
                             void *pwArg);

/*
 * Builds an OCSP request for the single certificate singleCert,
 * identified by certID, at time. addServiceLocator requests the
 * service-locator extension; signerCert, when non-NULL, presumably
 * signs the request -- confirm against the implementation.
 */
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 CERTCertificate *singleCert,
                                 PRTime time,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);

/*
 * Freshness of a cached OCSP entry: no entry (ocspMissing), an entry
 * that is still usable (ocspFresh), or one past its usable period
 * (ocspStale).
 */
typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;

/*
 * Looks up certID in the OCSP cache. rvOcsp receives the cached
 * status result, missingResponseError the error code to report when
 * no usable response exists, and freshness how the cache entry was
 * classified. ignoreOcspFailureMode presumably bypasses the global
 * failure-mode setting (see ocsp_FetchingFailureIsVerificationFailure)
 * -- confirm against the implementation.
 */
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
                                 PRTime time,
                                 PRBool ignoreOcspFailureMode,
                                 SECStatus *rvOcsp,
                                 SECErrorCodes *missingResponseError,
                                 OCSPFreshness *freshness);

/*
 * FUNCTION: cert_ProcessOCSPResponse
 *   Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
 *   In addition it can update the OCSP cache (using information
 *   available internally to this function).
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTOCSPResponse *response
 *     the OCSP response we want to retrieve status from.
 *   CERTOCSPCertID *certID
 *     the ID we want to look for from the response.
 *   CERTCertificate *signerCert
 *     the certificate that was used to sign the OCSP response.
 *     must be obtained via a call to CERT_VerifyOCSPResponseSignature,
 *     i.e. the signature must already have been verified; this
 *     function does not verify it again.
 *   PRTime time
 *     The time at which we're checking the status for.
 *   PRBool *certIDWasConsumed
 *     In and Out parameter.
 *     If certIDWasConsumed is NULL on input,
 *     this function might produce a deep copy of cert ID
 *     for storing it in the cache.
 *     If out value is true, ownership of parameter certID was
 *     transferred to the OCSP cache, and the caller must not free it.
 *   SECStatus *cacheUpdateStatus
 *     This optional out parameter will contain the result
 *     of the cache update operation (if requested).
 * RETURN:
 *   The return value is not influenced by the cache operation,
 *   it matches the documentation for CERT_CheckOCSPStatus
 */

SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
                         CERTOCSPResponse *response,
                         CERTOCSPCertID *certID,
                         CERTCertificate *signerCert,
                         PRTime time,
                         PRBool *certIDWasConsumed,
                         SECStatus *cacheUpdateStatus);

/*
 * FUNCTION: cert_RememberOCSPProcessingFailure
 *   If an application notices a failure during OCSP processing,
 *   it should finally call this function. The failure will be recorded
 *   in the OCSP cache in order to avoid repetitive failures.
 * INPUTS:
 *   CERTOCSPCertID *certID
 *     the ID that was used for the failed OCSP processing
 *   PRBool *certIDWasConsumed
 *     Out parameter, if set to true, ownership of parameter certID was
 *     transferred to the OCSP cache, and the caller must not free it.
 * RETURN:
 *   Status of the cache update operation.
 */

SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                   PRBool *certIDWasConsumed);

/*
 * FUNCTION: ocsp_GetResponderLocation
 *   Checks the ocspx context for a user-designated responder URI first.
 *   If none is found, checks the cert's AIA extension.
 * INPUTS:
 *   CERTCertDBHandle *handle
 *     certificate DB of the cert that is being checked
 *   CERTCertificate *cert
 *     The certificate being examined.
 *   PRBool canUseDefaultLocation
 *     presumably whether the user-designated (default) responder may be
 *     used at all; when false only the cert's AIA extension is consulted
 *     -- confirm against the implementation.
 *   PRBool *isDefault
 *     Out parameter, set to true if the URI of the default responder is
 *     returned (rather than one taken from the certificate).
 * RETURN:
 *   Responder URI.
 *   NOTE(review): ownership of the returned string (whether the caller
 *   must free it) is not stated here -- confirm against the
 *   implementation before use.
 */
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
                          CERTCertificate *cert,
                          PRBool canUseDefaultLocation,
                          PRBool *isDefault);

/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
 *   The function checks the global ocsp settings and
 *   tells how to treat an ocsp response fetching failure.
 * RETURNS:
 *   if PR_TRUE is returned, then a fetching failure is to be treated
 *   as a revoked cert status (fail closed); otherwise the failure is
 *   not by itself a verification failure.
 */
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);

/*
 * URL-encodes the NUL-terminated base64 text in base64Buf into
 * outputBuf and returns the length written.
 * NOTE(review): no output size is taken, so the caller is responsible
 * for sizing outputBuf for the worst-case expansion; the sizing
 * contract (and what happens when outputBuf is NULL) must be confirmed
 * against the implementation.
 */
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);

/*
 * Extracts, into *pSingleResponse, the single response for certID from
 * a response whose signature has been verified with signerCert, as
 * valid at time. Same signerCert precondition as
 * cert_ProcessOCSPResponse above.
 */
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
                                        CERTOCSPResponse *response,
                                        CERTOCSPCertID *certID,
                                        CERTCertificate *signerCert,
                                        PRTime time,
                                        CERTOCSPSingleResponse **pSingleResponse);

/* Returns success if status reports the certificate as good at time. */
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);

/*
 * Stores single in the OCSP cache under certID. certIDWasConsumed is
 * an out parameter with the same meaning as in cert_ProcessOCSPResponse:
 * if set to true, ownership of certID was transferred to the cache.
 */
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
                         CERTOCSPSingleResponse *single,
                         PRBool *certIDWasConsumed);

#endif /* _OCSPI_H_ */