andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public
andre@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
andre@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
andre@0: /*
andre@0:  * ocspi.h - NSS internal interfaces to OCSP code
andre@0:  */
andre@0: 
andre@0: #ifndef _OCSPI_H_
andre@0: #define _OCSPI_H_
andre@0: 
/*
 * FUNCTION: OCSP_InitGlobal / OCSP_ShutdownGlobal
 *  Module-level set-up and tear-down of the OCSP code.
 *  NOTE(review): this header does not state what global state these
 *  manage (presumably the OCSP cache and its lock), whether they must be
 *  called as a pair, or whether repeated calls are safe — confirm against
 *  the implementation before relying on either.
 * RETURN:
 *    SECSuccess on success, SECFailure otherwise.
 */
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);
andre@0: 
/*
 * FUNCTION: ocsp_GetResponseData
 *  Returns the response data (tbsResponseData) carried by a decoded
 *  OCSP response.
 * INPUTS:
 *  CERTOCSPResponse *response
 *    the decoded response.
 *  SECItem **tbsResponseDataDER
 *    Out parameter. Presumably receives the DER encoding of
 *    tbsResponseData, i.e. the bytes that ocsp_VerifyResponseSignature
 *    checks the signature over — confirm, and confirm whether NULL is
 *    accepted here.
 * RETURN:
 *    Pointer to the response data. No ownership transfer is implied by
 *    the signature; presumably points into response — verify.
 */
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
andre@0: 
/*
 * FUNCTION: ocsp_GetResponseSignature
 *  Returns the signature structure of a decoded OCSP response.
 * INPUTS:
 *  CERTOCSPResponse *response
 *    the decoded response.
 * RETURN:
 *    Pointer to the signature structure; presumably owned by response
 *    rather than by the caller — verify.
 */
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);
andre@0: 
/*
 * FUNCTION: ocsp_DigestValue
 *  Computes the digest of src with the algorithm identified by digestAlg.
 * INPUTS:
 *  PLArenaPool *arena
 *    arena to allocate the result from (see fill).
 *  SECOidTag digestAlg
 *    OID tag of the digest algorithm to use.
 *  SECItem *fill
 *    optional destination item. The usual NSS convention for an
 *    (arena, fill) pair is that a NULL fill means the result is allocated
 *    from arena — confirm.
 *  const SECItem *src
 *    data to digest; not modified.
 * RETURN:
 *    The item holding the digest (fill, or a freshly allocated item),
 *    or NULL on failure — confirm the error reporting convention.
 */
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
                 SECItem *fill, const SECItem *src);
andre@0: 
/*
 * FUNCTION: ocsp_CertIsOCSPDefaultResponder
 *  Tells whether cert is the responder configured as the default
 *  responder.
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB whose default responder setting is consulted.
 *  CERTCertificate *cert
 *    the certificate to compare against the default responder.
 * RETURN:
 *    PR_TRUE if cert is the default responder, PR_FALSE otherwise.
 *    NOTE(review): how the comparison is made (by nickname, by DER, by
 *    key) is not stated here — confirm, since a loose match would widen
 *    which certificates are accepted as response signers.
 */
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
andre@0: 
/*
 * FUNCTION: ocsp_GetSignerCertificate
 *  Locates the certificate that claims to have signed an OCSP response.
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB used to look up candidate signers.
 *  ocspResponseData *tbsData
 *    the response data (responderID etc.) naming the signer.
 *  ocspSignature *signature
 *    the response's signature structure, presumably including any
 *    certificates embedded in the response — confirm.
 *  CERTCertificate *issuer
 *    issuer of the certificate being checked; presumably used to resolve
 *    and/or constrain the signer — confirm.
 * RETURN:
 *    The signer certificate, or NULL. Whether the caller owns the
 *    returned reference is not stated here — confirm.
 *    NOTE(review): finding the signer is not the same as validating it;
 *    the returned certificate still needs its signature over the
 *    response checked (ocsp_VerifyResponseSignature) and its authority to
 *    sign for this issuer established.
 */
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
                          ocspSignature *signature, CERTCertificate *issuer);
andre@0: 
/*
 * FUNCTION: ocsp_VerifyResponseSignature
 *  Verifies signature over tbsResponseDataDER using signerCert's public
 *  key.
 * INPUTS:
 *  CERTCertificate *signerCert
 *    the certificate whose key is used for verification. A verifying
 *    signature says nothing about whether this cert is authorized to
 *    sign responses for the certificate in question; that is a separate
 *    check.
 *  ocspSignature *signature
 *    the signature structure from the response.
 *  SECItem *tbsResponseDataDER
 *    DER encoding of tbsResponseData, i.e. the signed bytes (see
 *    ocsp_GetResponseData).
 *  void *pwArg
 *    presumably the password-callback argument passed down to the
 *    key/token layer — confirm.
 * RETURN:
 *    SECSuccess if the signature verifies, SECFailure otherwise.
 */
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
                             ocspSignature *signature,
                             SECItem *tbsResponseDataDER,
                             void *pwArg);
andre@0: 
/*
 * FUNCTION: cert_CreateSingleCertOCSPRequest
 *  Builds an OCSP request that asks about exactly one certificate.
 * INPUTS:
 *  CERTOCSPCertID *certID
 *    the ID of the certificate to ask about. NOTE(review): whether the
 *    request takes ownership of certID is not stated here — confirm
 *    before freeing it in the caller.
 *  CERTCertificate *singleCert
 *    the certificate itself.
 *  PRTime time
 *    the time the request is being made for.
 *  PRBool addServiceLocator
 *    presumably whether to include the service locator request
 *    extension — confirm.
 *  CERTCertificate *signerCert
 *    presumably an optional certificate for signing the request, NULL
 *    for an unsigned request — confirm.
 * RETURN:
 *    The new request, or NULL on failure.
 */
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 CERTCertificate *singleCert,
                                 PRTime time,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);
andre@0: 
/*
 * Freshness of a cached OCSP response, reported through the freshness
 * out parameter of ocsp_GetCachedOCSPResponseStatus.
 *   ocspMissing  presumably no cached entry exists for the cert ID.
 *   ocspFresh    presumably a cached entry still within its validity.
 *   ocspStale    presumably a cached entry past its validity.
 * NOTE(review): the exact boundary (the response's nextUpdate, a
 * cache-imposed maximum age, or both) is not stated here — confirm in
 * the cache code.
 */
typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
andre@0: 
/*
 * FUNCTION: ocsp_GetCachedOCSPResponseStatus
 *  Looks up certID in the OCSP cache and reports the cached status,
 *  presumably without fetching anything — confirm.
 * INPUTS:
 *  CERTOCSPCertID *certID
 *    the ID to look up.
 *  PRTime time
 *    the time the status is being checked for.
 *  PRBool ignoreOcspFailureMode
 *    presumably: when true, a cached processing failure is not turned
 *    into a verification failure regardless of the global setting
 *    (compare ocsp_FetchingFailureIsVerificationFailure) — confirm.
 *  SECStatus *rvOcsp
 *    out parameter; the status result for the certificate.
 *  SECErrorCodes *missingResponseError
 *    out parameter; presumably the error to report when no usable
 *    response is cached — confirm.
 *  OCSPFreshness *freshness
 *    out parameter; see OCSPFreshness.
 * RETURN:
 *    Status of the lookup itself, distinct from *rvOcsp — confirm.
 */
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
                                 PRTime time,
                                 PRBool ignoreOcspFailureMode,
                                 SECStatus *rvOcsp,
                                 SECErrorCodes *missingResponseError,
                                 OCSPFreshness *freshness);
andre@0: 
/*
 * FUNCTION: cert_ProcessOCSPResponse
 *  Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
 *  In addition it can update the OCSP cache (using information
 *  available internally to this function).
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB of the cert that is being checked
 *  CERTOCSPResponse *response
 *    the OCSP response we want to retrieve status from.
 *  CERTOCSPCertID *certID
 *    the ID we want to look for in the response.
 *  CERTCertificate *signerCert
 *    the certificate that was used to sign the OCSP response.
 *    Must be obtained via a call to CERT_VerifyOCSPResponseSignature;
 *    this function does not re-verify the signature itself.
 *  PRTime time
 *    The time at which we're checking the status.
 *  PRBool *certIDWasConsumed
 *    In and Out parameter.
 *    If certIDWasConsumed is NULL on input, this function may make a
 *    deep copy of certID for storing in the cache.
 *    If the out value is PR_TRUE, ownership of certID was transferred
 *    to the OCSP cache and the caller must not free it.
 *  SECStatus *cacheUpdateStatus
 *    This optional out parameter will contain the result
 *    of the cache update operation (if requested).
 *  RETURN:
 *    The return value is not influenced by the cache operation;
 *    it matches the documentation for CERT_CheckOCSPStatus.
 */

SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
                         CERTOCSPResponse *response,
                         CERTOCSPCertID   *certID,
                         CERTCertificate  *signerCert,
                         PRTime            time,
                         PRBool           *certIDWasConsumed,
                         SECStatus        *cacheUpdateStatus);
andre@0: 
/*
 * FUNCTION: cert_RememberOCSPProcessingFailure
 *  If an application notices a failure during OCSP processing,
 *  it should call this function afterwards. The failure will be
 *  recorded in the OCSP cache so that it is not retried repeatedly.
 * INPUTS:
 *  CERTOCSPCertID *certID
 *    the ID that was used for the failed OCSP processing
 *  PRBool *certIDWasConsumed
 *    Out parameter; if set to true, ownership of certID was
 *    transferred to the OCSP cache and the caller must not free it.
 *    Whether NULL is accepted here is not stated (compare
 *    cert_ProcessOCSPResponse, which documents that case) — confirm.
 *  RETURN:
 *    Status of the cache update operation.
 */

SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                   PRBool         *certIDWasConsumed);
andre@0: 
/*
 * FUNCTION: ocsp_GetResponderLocation
 *  Checks the ocspx context for a user-designated responder URI first.
 *  If none is found, checks the cert's AIA extension.
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB of the cert that is being checked
 *  CERTCertificate *cert
 *    The certificate being examined.
 *  PRBool canUseDefaultLocation
 *    presumably whether the user-designated (default) responder URI may
 *    be used at all; if PR_FALSE, only the AIA extension would be
 *    consulted — confirm.
 *  PRBool *isDefault
 *    Out parameter; if set to true, the URI of the default responder is
 *    returned (rather than one taken from the cert's AIA extension).
 *  RETURN:
 *    Responder URI, presumably NULL if none was found. Ownership of the
 *    returned string is not stated here — confirm whether the caller
 *    must free it.
 */
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
                          CERTCertificate *cert,
                          PRBool canUseDefaultLocation,
                          PRBool *isDefault);
andre@0: 
/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
 * The function checks the global ocsp settings and
 * tells how to treat an ocsp response fetching failure.
 * RETURNS:
 *   If PR_TRUE is returned, a failure to fetch the response is to be
 *   treated as a revoked cert status (the certificate does not pass).
 *   If PR_FALSE is returned, a fetching failure is not by itself a
 *   verification failure.
 */
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);
andre@0: 
/*
 * FUNCTION: ocsp_UrlEncodeBase64Buf
 *  URL-encodes a base64 string into outputBuf (presumably for embedding
 *  a request in an OCSP GET URL — confirm).
 * INPUTS:
 *  const char *base64Buf
 *    NUL-terminated base64 text to encode; not modified.
 *  char *outputBuf
 *    destination. NOTE(review): no length is passed, so this function
 *    cannot bound its own writes; the caller is responsible for sizing
 *    outputBuf for the worst-case expansion of base64Buf (a
 *    percent-encoded character takes three bytes, plus the terminator).
 *    Confirm the exact requirement, and whether NULL is accepted as a
 *    "measure only" call, against the implementation.
 * RETURN:
 *    size_t — presumably the number of bytes written (or needed);
 *    confirm whether the terminator is counted.
 */
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
andre@0: 
/*
 * FUNCTION: ocsp_GetVerifiedSingleResponseForCertID
 *  Finds the SingleResponse for certID within response and, per its
 *  name, checks it (presumably against time and signerCert — confirm).
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB of the cert that is being checked
 *  CERTOCSPResponse *response
 *    the decoded response to search.
 *  CERTOCSPCertID *certID
 *    the ID to look for in the response.
 *  CERTCertificate *signerCert
 *    the certificate that signed the response; presumably expected to
 *    have been verified already, as cert_ProcessOCSPResponse requires —
 *    confirm.
 *  PRTime time
 *    the time the status is being checked for.
 *  CERTOCSPSingleResponse **pSingleResponse
 *    out parameter; the matching single response on success. Presumably
 *    points into response (no ownership transfer) — confirm.
 * RETURN:
 *    SECSuccess if a single response was found and accepted, SECFailure
 *    otherwise.
 */
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
                                        CERTOCSPResponse *response,
                                        CERTOCSPCertID   *certID,
                                        CERTCertificate  *signerCert,
                                        PRTime            time,
                                        CERTOCSPSingleResponse **pSingleResponse);
andre@0: 
/*
 * FUNCTION: ocsp_CertHasGoodStatus
 *  Evaluates a decoded certStatus at a given time.
 * INPUTS:
 *  ocspCertStatus *status
 *    the certStatus from a single response.
 *  PRTime time
 *    the time the status is being checked for; presumably compared with
 *    the revocation time when the status is "revoked" — confirm.
 * RETURN:
 *    SECSuccess if the status is good, SECFailure otherwise (revoked or
 *    unknown). Which error codes are set on failure is not stated here —
 *    confirm.
 */
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
andre@0: 
/*
 * FUNCTION: ocsp_CacheSingleResponse
 *  Stores single, the response for certID, in the OCSP cache.
 * INPUTS:
 *  CERTOCSPCertID *certID
 *    the ID the single response answers for.
 *  CERTOCSPSingleResponse *single
 *    the response to cache.
 *  PRBool *certIDWasConsumed
 *    Out parameter, same convention as for cert_ProcessOCSPResponse:
 *    if set to true, ownership of certID was transferred to the cache
 *    and the caller must not free it. Whether NULL is accepted here is
 *    not stated — confirm.
 * RETURN:
 *    none; the caller is not told whether caching succeeded.
 */
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
			 CERTOCSPSingleResponse *single,
			 PRBool *certIDWasConsumed);
andre@0: 
andre@0: #endif /* _OCSPI_H_ */