summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certhigh/ocspi.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/certhigh/ocspi.h')
-rw-r--r--security/nss/lib/certhigh/ocspi.h166
1 files changed, 166 insertions, 0 deletions
diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h
new file mode 100644
index 0000000000..c946d9f51c
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -0,0 +1,166 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * ocspi.h - NSS internal interfaces to OCSP code
+ */
+
+#ifndef _OCSPI_H_
+#define _OCSPI_H_
+
+SECStatus OCSP_InitGlobal(void);
+SECStatus OCSP_ShutdownGlobal(void);
+
+ocspResponseData *
+ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
+
+ocspSignature *
+ocsp_GetResponseSignature(CERTOCSPResponse *response);
+
+SECItem *
+ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
+ SECItem *fill, const SECItem *src);
+
+PRBool
+ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
+
+CERTCertificate *
+ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
+ ocspSignature *signature, CERTCertificate *issuer);
+
+SECStatus
+ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
+ ocspSignature *signature,
+ SECItem *tbsResponseDataDER,
+ void *pwArg);
+
+CERTOCSPRequest *
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
+ PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert);
+
+typedef enum { ocspMissing,
+ ocspFresh,
+ ocspStale } OCSPFreshness;
+
+SECStatus
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+ PRTime time,
+ PRBool ignoreOcspFailureMode,
+ SECStatus *rvOcsp,
+ SECErrorCodes *missingResponseError,
+ OCSPFreshness *freshness);
+
+/*
+ * FUNCTION: cert_ProcessOCSPResponse
+ * Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
+ * In addition it can update the OCSP cache (using information
+ * available internally to this function).
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTOCSPResponse *response
+ * the OCSP response we want to retrieve status from.
+ * CERTOCSPCertID *certID
+ * the ID we want to look for from the response.
+ * CERTCertificate *signerCert
+ * the certificate that was used to sign the OCSP response.
+ * must be obtained via a call to CERT_VerifyOCSPResponseSignature.
+ * PRTime time
+ * The time at which we're checking the status for.
+ * PRBool *certIDWasConsumed
+ * In and Out parameter.
+ * If certIDWasConsumed is NULL on input,
+ * this function might produce a deep copy of cert ID
+ * for storing it in the cache.
+ * If out value is true, ownership of parameter certID was
+ * transferred to the OCSP cache.
+ * SECStatus *cacheUpdateStatus
+ * This optional out parameter will contain the result
+ * of the cache update operation (if requested).
+ * RETURN:
+ * The return value is not influenced by the cache operation,
+ * it matches the documentation for CERT_CheckOCSPStatus
+ */
+
+SECStatus
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ PRBool *certIDWasConsumed,
+ SECStatus *cacheUpdateStatus);
+
+/*
+ * FUNCTION: cert_RememberOCSPProcessingFailure
+ * If an application notices a failure during OCSP processing,
+ * it should finally call this function. The failure will be recorded
+ * in the OCSP cache in order to avoid repetitive failures.
+ * INPUTS:
+ * CERTOCSPCertID *certID
+ * the ID that was used for the failed OCSP processing
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, ownership of parameter certID was
+ * transferred to the OCSP cache.
+ * RETURN:
+ * Status of the cache update operation.
+ */
+
+SECStatus
+cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
+ PRBool *certIDWasConsumed);
+
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ * Check ocspx context for user-designated responder URI first. If not
+ * found, checks cert AIA extension.
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTCertificate *cert
+ * The certificate being examined.
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, URI of default responder is
+ * returned.
+ * RETURN:
+ * Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool canUseDefaultLocation,
+ PRBool *isDefault);
+
+/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
+ * The function checks the global ocsp settings and
+ * tells how to treat an ocsp response fetching failure.
+ * RETURNS:
+ * if PR_TRUE is returned, then treat fetching as a
+ * revoked cert status.
+ */
+PRBool
+ocsp_FetchingFailureIsVerificationFailure(void);
+
+size_t
+ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
+
+SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ CERTOCSPSingleResponse **pSingleResponse);
+
+SECStatus
+ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
+
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed);
+
+#endif /* _OCSPI_H_ */