/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * Interface to the OCSP implementation. */ #ifndef _OCSP_H_ #define _OCSP_H_ #include "plarena.h" #include "seccomon.h" #include "secoidt.h" #include "keythi.h" #include "certt.h" #include "ocspt.h" /************************************************************************/ SEC_BEGIN_PROTOS /* * This function registers the HttpClient with whose functions the * HttpClientFcn structure has been populated as the default Http * client. * * The function table must be a global object. * The caller must ensure that NSS will be able to call * the registered functions for the lifetime of the process. */ extern SECStatus SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable); /* * This function obtains the HttpClient which has been registered * by an earlier call to SEC_RegisterDefaultHttpClient. */ extern const SEC_HttpClientFcn * SEC_GetRegisteredHttpClient(void); /* * Sets parameters that control NSS' internal OCSP cache. * maxCacheEntries, special varlues are: * -1 disable cache * 0 unlimited cache entries * minimumSecondsToNextFetchAttempt: * whenever an OCSP request was attempted or completed over the network, * wait at least this number of seconds before trying to fetch again. * maximumSecondsToNextFetchAttempt: * this is the maximum age of a cached response we allow, until we try * to fetch an updated response, even if the OCSP responder expects * that newer information update will not be available yet. */ extern SECStatus CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, PRUint32 minimumSecondsToNextFetchAttempt, PRUint32 maximumSecondsToNextFetchAttempt); /* * Set the desired behaviour on OCSP failures. * See definition of ocspFailureMode for allowed choices. */ extern SECStatus CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode); /* * Configure the maximum time NSS will wait for an OCSP response. */ extern SECStatus CERT_SetOCSPTimeout(PRUint32 seconds); /* * Removes all items currently stored in the OCSP cache. */ extern SECStatus CERT_ClearOCSPCache(void); /* * FUNCTION: CERT_EnableOCSPChecking * Turns on OCSP checking for the given certificate database. * INPUTS: * CERTCertDBHandle *handle * Certificate database for which OCSP checking will be enabled. * RETURN: * Returns SECFailure if an error occurred (likely only problem * allocating memory); SECSuccess otherwise. */ extern SECStatus CERT_EnableOCSPChecking(CERTCertDBHandle *handle); /* * FUNCTION: CERT_DisableOCSPChecking * Turns off OCSP checking for the given certificate database. * This routine disables OCSP checking. Though it will return * SECFailure if OCSP checking is not enabled, it is "safe" to * call it that way and just ignore the return value, if it is * easier to just call it than to "remember" whether it is enabled. * INPUTS: * CERTCertDBHandle *handle * Certificate database for which OCSP checking will be disabled. * RETURN: * Returns SECFailure if an error occurred (usually means that OCSP * checking was not enabled or status contexts were not initialized -- * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. */ extern SECStatus CERT_DisableOCSPChecking(CERTCertDBHandle *handle); /* * FUNCTION: CERT_SetOCSPDefaultResponder * Specify the location and cert of the default responder. * If OCSP checking is already enabled *and* use of a default responder * is also already enabled, all OCSP checking from now on will go directly * to the specified responder. If OCSP checking is not enabled, or if * it is but use of a default responder is not enabled, the information * will be recorded and take effect whenever both are enabled. * INPUTS: * CERTCertDBHandle *handle * Cert database on which OCSP checking should use the default responder. * const char *url * The location of the default responder (e.g. "http://foo.com:80/ocsp") * Note that the location will not be tested until the first attempt * to send a request there. * const char *name * The nickname of the cert to trust (expected) to sign the OCSP responses. * If the corresponding cert cannot be found, SECFailure is returned. * RETURN: * Returns SECFailure if an error occurred; SECSuccess otherwise. * The most likely error is that the cert for "name" could not be found * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, * bad database, etc.). */ extern SECStatus CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, const char *url, const char *name); /* * FUNCTION: CERT_EnableOCSPDefaultResponder * Turns on use of a default responder when OCSP checking. * If OCSP checking is already enabled, this will make subsequent checks * go directly to the default responder. (The location of the responder * and the nickname of the responder cert must already be specified.) * If OCSP checking is not enabled, this will be recorded and take effect * whenever it is enabled. * INPUTS: * CERTCertDBHandle *handle * Cert database on which OCSP checking should use the default responder. * RETURN: * Returns SECFailure if an error occurred; SECSuccess otherwise. * No errors are especially likely unless the caller did not previously * perform a successful call to SetOCSPDefaultResponder (in which case * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). */ extern SECStatus CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle); /* * FUNCTION: CERT_DisableOCSPDefaultResponder * Turns off use of a default responder when OCSP checking. * (Does nothing if use of a default responder is not enabled.) * INPUTS: * CERTCertDBHandle *handle * Cert database on which OCSP checking should stop using a default * responder. * RETURN: * Returns SECFailure if an error occurred; SECSuccess otherwise. * Errors very unlikely (like random memory corruption...). */ extern SECStatus CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle); /* If forcePost is set, OCSP requests will only be sent using the HTTP POST * method. When forcePost is not set, OCSP requests will be sent using the * HTTP GET method, with a fallback to POST when we fail to receive a response * and/or when we receive an uncacheable response like "Unknown." * * The default is to use GET and fallback to POST. */ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); /* * ------------------------------------------------------- * The Functions above are those expected to be used by a client * providing OCSP status checking along with every cert verification. * The functions below are for OCSP testing, debugging, or clients * or servers performing more specialized OCSP tasks. * ------------------------------------------------------- */ /* * FUNCTION: CERT_CreateOCSPRequest * Creates a CERTOCSPRequest, requesting the status of the certs in * the given list. * INPUTS: * CERTCertList *certList * A list of certs for which status will be requested. * Note that all of these certificates should have the same issuer, * or it's expected the response will be signed by a trusted responder. * If the certs need to be broken up into multiple requests, that * must be handled by the caller (and thus by having multiple calls * to this routine), who knows about where the request(s) are being * sent and whether there are any trusted responders in place. * PRTime time * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no effect on the request itself. * PRBool addServiceLocator * If true, the Service Locator extension should be added to the * single request(s) for each cert. * CERTCertificate *signerCert * If non-NULL, means sign the request using this cert. Otherwise, * do not sign. * XXX note that request signing is not yet supported; see comment in code * RETURN: * A pointer to a CERTOCSPRequest structure containing an OCSP request * for the cert list. On error, null is returned, with an error set * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. * (The issuer is needed to create a request for the certificate.) * Other errors are low-level problems (no memory, bad database, etc.). */ extern CERTOCSPRequest * CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, PRBool addServiceLocator, CERTCertificate *signerCert); /* * FUNCTION: CERT_AddOCSPAcceptableResponses * Add the AcceptableResponses extension to an OCSP Request. * INPUTS: * CERTOCSPRequest *request * The request to which the extension should be added. * SECOidTag responseType0, ... * A list (of one or more) of SECOidTag -- each of the response types * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. * (This marks the end of the list, and it must be specified because a * client conforming to the OCSP standard is required to handle the basic * response type.) The OIDs are not checked in any way. * RETURN: * SECSuccess if the extension is added; SECFailure if anything goes wrong. * All errors are internal or low-level problems (e.g. no memory). */ extern SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, SECOidTag responseType0, ...); /* * FUNCTION: CERT_EncodeOCSPRequest * DER encodes an OCSP Request, possibly adding a signature as well. * XXX Signing is not yet supported, however; see comments in code. * INPUTS: * PLArenaPool *arena * The return value is allocated from here. * If a NULL is passed in, allocation is done from the heap instead. * CERTOCSPRequest *request * The request to be encoded. * void *pwArg * Pointer to argument for password prompting, if needed. (Definitely * not needed if not signing.) * RETURN: * Returns a NULL on error and a pointer to the SECItem with the * encoded value otherwise. Any error is likely to be low-level * (e.g. no memory). */ extern SECItem * CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, void *pwArg); /* * FUNCTION: CERT_DecodeOCSPRequest * Decode a DER encoded OCSP Request. * INPUTS: * SECItem *src * Pointer to a SECItem holding DER encoded OCSP Request. * RETURN: * Returns a pointer to a CERTOCSPRequest containing the decoded request. * On error, returns NULL. Most likely error is trouble decoding * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). */ extern CERTOCSPRequest * CERT_DecodeOCSPRequest(const SECItem *src); /* * FUNCTION: CERT_DestroyOCSPRequest * Frees an OCSP Request structure. * INPUTS: * CERTOCSPRequest *request * Pointer to CERTOCSPRequest to be freed. * RETURN: * No return value; no errors. */ extern void CERT_DestroyOCSPRequest(CERTOCSPRequest *request); /* * FUNCTION: CERT_DecodeOCSPResponse * Decode a DER encoded OCSP Response. * INPUTS: * SECItem *src * Pointer to a SECItem holding DER encoded OCSP Response. * RETURN: * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); * the caller is responsible for destroying it. Or NULL if error (either * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), * or a low-level or internal error occurred). */ extern CERTOCSPResponse * CERT_DecodeOCSPResponse(const SECItem *src); /* * FUNCTION: CERT_DestroyOCSPResponse * Frees an OCSP Response structure. * INPUTS: * CERTOCSPResponse *request * Pointer to CERTOCSPResponse to be freed. * RETURN: * No return value; no errors. */ extern void CERT_DestroyOCSPResponse(CERTOCSPResponse *response); /* * FUNCTION: CERT_GetEncodedOCSPResponse * Creates and sends a request to an OCSP responder, then reads and * returns the (encoded) response. * INPUTS: * PLArenaPool *arena * Pointer to arena from which return value will be allocated. * If NULL, result will be allocated from the heap (and thus should * be freed via SECITEM_FreeItem). * CERTCertList *certList * A list of certs for which status will be requested. * Note that all of these certificates should have the same issuer, * or it's expected the response will be signed by a trusted responder. * If the certs need to be broken up into multiple requests, that * must be handled by the caller (and thus by having multiple calls * to this routine), who knows about where the request(s) are being * sent and whether there are any trusted responders in place. * const char *location * The location of the OCSP responder (a URL). * PRTime time * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no other bearing on the operation. * PRBool addServiceLocator * If true, the Service Locator extension should be added to the * single request(s) for each cert. * CERTCertificate *signerCert * If non-NULL, means sign the request using this cert. Otherwise, * do not sign. * void *pwArg * Pointer to argument for password prompting, if needed. (Definitely * not needed if not signing.) * OUTPUTS: * CERTOCSPRequest **pRequest * Pointer in which to store the OCSP request created for the given * list of certificates. It is only filled in if the entire operation * is successful and the pointer is not null -- and in that case the * caller is then reponsible for destroying it. * RETURN: * Returns a pointer to the SECItem holding the response. * On error, returns null with error set describing the reason: * SEC_ERROR_UNKNOWN_ISSUER * SEC_ERROR_CERT_BAD_ACCESS_LOCATION * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE * Other errors are low-level problems (no memory, bad database, etc.). */ extern SECItem * CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, const char *location, PRTime time, PRBool addServiceLocator, CERTCertificate *signerCert, void *pwArg, CERTOCSPRequest **pRequest); /* * FUNCTION: CERT_VerifyOCSPResponseSignature * Check the signature on an OCSP Response. Will also perform a * verification of the signer's certificate. Note, however, that a * successful verification does not make any statement about the * signer's *authority* to provide status for the certificate(s), * that must be checked individually for each certificate. * INPUTS: * CERTOCSPResponse *response * Pointer to response structure with signature to be checked. * CERTCertDBHandle *handle * Pointer to CERTCertDBHandle for certificate DB to use for verification. * void *pwArg * Pointer to argument for password prompting, if needed. * CERTCertificate *issuerCert * Issuer of the certificate that generated the OCSP request. * OUTPUTS: * CERTCertificate **pSignerCert * Pointer in which to store signer's certificate; only filled-in if * non-null. * RETURN: * Returns SECSuccess when signature is valid, anything else means invalid. * Possible errors set: * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found * SEC_ERROR_BAD_SIGNATURE - the signature did not verify * Other errors are any of the many possible failures in cert verification * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when * verifying the signer's cert, or low-level problems (no memory, etc.) */ extern SECStatus CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, CERTCertDBHandle *handle, void *pwArg, CERTCertificate **pSignerCert, CERTCertificate *issuerCert); /* * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation * Get the value of the URI of the OCSP responder for the given cert. * This is found in the (optional) Authority Information Access extension * in the cert. * INPUTS: * CERTCertificate *cert * The certificate being examined. * RETURN: * char * * A copy of the URI for the OCSP method, if found. If either the * extension is not present or it does not contain an entry for OCSP, * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned. * Any other error will also result in a NULL being returned. * * This result should be freed (via PORT_Free) when no longer in use. */ extern char * CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert); /* * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack * This function serves two purposes. * 1) It registers the address of a callback function that will be * called for certs that have no OCSP AIA extension, to see if the * callback wishes to supply an alternative URL for such an OCSP inquiry. * 2) It outputs the previously registered function's address to the * address supplied by the caller, unless that is NULL. * The registered callback function returns NULL, or an allocated string * that may be subsequently freed by calling PORT_Free(). * RETURN: * SECSuccess or SECFailure (if the library is not yet intialized) */ extern SECStatus CERT_RegisterAlternateOCSPAIAInfoCallBack( CERT_StringFromCertFcn newCallback, CERT_StringFromCertFcn *oldCallback); /* * FUNCTION: CERT_ParseURL * Parse a URI into hostname, port, and path. The scheme in the URI must * be "http". * INPUTS: * const char *url * The URI to be parsed * OUTPUTS: * char **pHostname * Pointer to store the hostname obtained from the URI. * This result should be freed (via PORT_Free) when no longer in use. * PRUint16 *pPort * Pointer to store the port number obtained from the URI. * char **pPath * Pointer to store the path obtained from the URI. * This result should be freed (via PORT_Free) when no longer in use. * RETURN: * Returns SECSuccess when parsing was successful. Returns SECFailure when * problems were encountered. */ extern SECStatus CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath); /* * FUNCTION: CERT_CheckOCSPStatus * Checks the status of a certificate via OCSP. Will only check status for * a certificate that has an AIA (Authority Information Access) extension * for OCSP *or* when a "default responder" is specified and enabled. * (If no AIA extension for OCSP and no default responder in place, the * cert is considered to have a good status and SECSuccess is returned.) * INPUTS: * CERTCertDBHandle *handle * certificate DB of the cert that is being checked * CERTCertificate *cert * the certificate being checked * XXX in the long term also need a boolean parameter that specifies * whether to check the cert chain, as well; for now we check only * the leaf (the specified certificate) * PRTime time * time for which status is to be determined * void *pwArg * argument for password prompting, if needed * RETURN: * Returns SECSuccess if an approved OCSP responder "knows" the cert * *and* returns a non-revoked status for it; SECFailure otherwise, * with an error set describing the reason: * * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE * SEC_ERROR_OCSP_FUTURE_RESPONSE * SEC_ERROR_OCSP_MALFORMED_REQUEST * SEC_ERROR_OCSP_MALFORMED_RESPONSE * SEC_ERROR_OCSP_OLD_RESPONSE * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG * SEC_ERROR_OCSP_SERVER_ERROR * SEC_ERROR_OCSP_TRY_SERVER_LATER * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE * SEC_ERROR_OCSP_UNKNOWN_CERT * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE * * SEC_ERROR_BAD_SIGNATURE * SEC_ERROR_CERT_BAD_ACCESS_LOCATION * SEC_ERROR_INVALID_TIME * SEC_ERROR_REVOKED_CERTIFICATE * SEC_ERROR_UNKNOWN_ISSUER * SEC_ERROR_UNKNOWN_SIGNER * * Other errors are any of the many possible failures in cert verification * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when * verifying the signer's cert, or low-level problems (error allocating * memory, error performing ASN.1 decoding, etc.). */ extern SECStatus CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time, void *pwArg); /* * FUNCTION: CERT_CacheOCSPResponseFromSideChannel * First, this function checks the OCSP cache to see if a good response * for the given certificate already exists. If it does, then the function * returns successfully. * * If not, then it validates that the given OCSP response is a valid, * good response for the given certificate and inserts it into the * cache. * * This function is intended for use when OCSP responses are provided via a * side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension). * * INPUTS: * CERTCertDBHandle *handle * certificate DB of the cert that is being checked * CERTCertificate *cert * the certificate being checked * PRTime time * time for which status is to be determined * SECItem *encodedResponse * the DER encoded bytes of the OCSP response * void *pwArg * argument for password prompting, if needed * RETURN: * SECSuccess if the cert was found in the cache, or if the OCSP response was * found to be valid and inserted into the cache. SECFailure otherwise. */ extern SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time, const SECItem *encodedResponse, void *pwArg); /* * FUNCTION: CERT_GetOCSPStatusForCertID * Returns the OCSP status contained in the passed in parameter response * that corresponds to the certID passed in. * INPUTS: * CERTCertDBHandle *handle * certificate DB of the cert that is being checked * CERTOCSPResponse *response * the OCSP response we want to retrieve status from. * CERTOCSPCertID *certID * the ID we want to look for from the response. * CERTCertificate *signerCert * the certificate that was used to sign the OCSP response. * must be obtained via a call to CERT_VerifyOCSPResponseSignature. * PRTime time * The time at which we're checking the status for. * RETURN: * Return values are the same as those for CERT_CheckOCSPStatus */ extern SECStatus CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, CERTOCSPResponse *response, CERTOCSPCertID *certID, CERTCertificate *signerCert, PRTime time); /* * FUNCTION CERT_GetOCSPResponseStatus * Returns the response status for the response passed. * INPUTS: * CERTOCSPResponse *response * The response to query for status * RETURN: * Returns SECSuccess if the response has a successful status value. * Otherwise it returns SECFailure and sets one of the following error * codes via PORT_SetError * SEC_ERROR_OCSP_MALFORMED_REQUEST * SEC_ERROR_OCSP_SERVER_ERROR * SEC_ERROR_OCSP_TRY_SERVER_LATER * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS */ extern SECStatus CERT_GetOCSPResponseStatus(CERTOCSPResponse *response); /* * FUNCTION CERT_CreateOCSPCertID * Returns the OCSP certID for the certificate passed in. * INPUTS: * CERTCertificate *cert * The certificate for which to create the certID for. * PRTime time * The time at which the id is requested for. This is used * to determine the appropriate issuer for the cert since * the issuing CA may be an older expired certificate. * RETURN: * A new copy of a CERTOCSPCertID*. The memory for this certID * should be freed by calling CERT_DestroyOCSPCertID when the * certID is no longer necessary. */ extern CERTOCSPCertID * CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); /* * FUNCTION: CERT_DestroyOCSPCertID * Frees the memory associated with the certID passed in. * INPUTS: * CERTOCSPCertID* certID * The certID that the caller no longer needs and wants to * free the associated memory. * RETURN: * SECSuccess if freeing the memory was successful. Returns * SECFailure if the memory passed in was not allocated with * a call to CERT_CreateOCSPCertID. */ extern SECStatus CERT_DestroyOCSPCertID(CERTOCSPCertID *certID); extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate); extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate); extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseRevoked( PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate, PRTime revocationTime, const CERTCRLEntryReasonCode *revocationReason); extern SECItem * CERT_CreateEncodedOCSPSuccessResponse( PLArenaPool *arena, CERTCertificate *responderCert, CERTOCSPResponderIDType responderIDType, PRTime producedAt, CERTOCSPSingleResponse **responses, void *wincx); /* * FUNCTION: CERT_CreateEncodedOCSPErrorResponse * Creates an encoded OCSP response with an error response status. * INPUTS: * PLArenaPool *arena * The return value is allocated from here. * If a NULL is passed in, allocation is done from the heap instead. * int error * An NSS error code indicating an error response status. The error * code is mapped to an OCSP response status as follows: * SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest * SEC_ERROR_OCSP_SERVER_ERROR -> internalError * SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized * where the OCSP response status is an enumerated type defined in * RFC 2560: * OCSPResponseStatus ::= ENUMERATED { * successful (0), --Response has valid confirmations * malformedRequest (1), --Illegal confirmation request * internalError (2), --Internal error in issuer * tryLater (3), --Try again later * --(4) is not used * sigRequired (5), --Must sign the request * unauthorized (6) --Request unauthorized * } * RETURN: * Returns a pointer to the SECItem holding the response. * On error, returns null with error set describing the reason: * SEC_ERROR_INVALID_ARGS * Other errors are low-level problems (no memory, bad database, etc.). */ extern SECItem * CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); /* Sends an OCSP request using the HTTP POST method to the location addressed * by the URL in |location| parameter. The request body will be * |encodedRequest|, which must be a valid encoded OCSP request. On success, * the server's response is returned and the caller must free it using * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of * the HTTP response is done. * * If a default HTTP client has been registered with * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an * internal HTTP client is used. */ SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, const SECItem *encodedRequest); /************************************************************************/ SEC_END_PROTOS #endif /* _OCSP_H_ */