diff options
Diffstat (limited to 'security/nss/lib/certhigh/ocspi.h')
-rw-r--r-- | security/nss/lib/certhigh/ocspi.h | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h new file mode 100644 index 0000000000..c946d9f51c --- /dev/null +++ b/security/nss/lib/certhigh/ocspi.h @@ -0,0 +1,166 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * ocspi.h - NSS internal interfaces to OCSP code + */ + +#ifndef _OCSPI_H_ +#define _OCSPI_H_ + +SECStatus OCSP_InitGlobal(void); +SECStatus OCSP_ShutdownGlobal(void); + +ocspResponseData * +ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER); + +ocspSignature * +ocsp_GetResponseSignature(CERTOCSPResponse *response); + +SECItem * +ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, + SECItem *fill, const SECItem *src); + +PRBool +ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert); + +CERTCertificate * +ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, + ocspSignature *signature, CERTCertificate *issuer); + +SECStatus +ocsp_VerifyResponseSignature(CERTCertificate *signerCert, + ocspSignature *signature, + SECItem *tbsResponseDataDER, + void *pwArg); + +CERTOCSPRequest * +cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, + CERTCertificate *singleCert, + PRTime time, + PRBool addServiceLocator, + CERTCertificate *signerCert); + +typedef enum { ocspMissing, + ocspFresh, + ocspStale } OCSPFreshness; + +SECStatus +ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, + PRTime time, + PRBool ignoreOcspFailureMode, + SECStatus *rvOcsp, + SECErrorCodes *missingResponseError, + OCSPFreshness *freshness); + +/* + * FUNCTION: cert_ProcessOCSPResponse + * Same behavior and basic parameters as CERT_GetOCSPStatusForCertID. + * In addition it can update the OCSP cache (using information + * available internally to this function). + * INPUTS: + * CERTCertDBHandle *handle + * certificate DB of the cert that is being checked + * CERTOCSPResponse *response + * the OCSP response we want to retrieve status from. + * CERTOCSPCertID *certID + * the ID we want to look for from the response. + * CERTCertificate *signerCert + * the certificate that was used to sign the OCSP response. + * must be obtained via a call to CERT_VerifyOCSPResponseSignature. + * PRTime time + * The time at which we're checking the status for. + * PRBool *certIDWasConsumed + * In and Out parameter. + * If certIDWasConsumed is NULL on input, + * this function might produce a deep copy of cert ID + * for storing it in the cache. + * If out value is true, ownership of parameter certID was + * transferred to the OCSP cache. + * SECStatus *cacheUpdateStatus + * This optional out parameter will contain the result + * of the cache update operation (if requested). + * RETURN: + * The return value is not influenced by the cache operation, + * it matches the documentation for CERT_CheckOCSPStatus + */ + +SECStatus +cert_ProcessOCSPResponse(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, + PRBool *certIDWasConsumed, + SECStatus *cacheUpdateStatus); + +/* + * FUNCTION: cert_RememberOCSPProcessingFailure + * If an application notices a failure during OCSP processing, + * it should finally call this function. The failure will be recorded + * in the OCSP cache in order to avoid repetitive failures. + * INPUTS: + * CERTOCSPCertID *certID + * the ID that was used for the failed OCSP processing + * PRBool *certIDWasConsumed + * Out parameter, if set to true, ownership of parameter certID was + * transferred to the OCSP cache. + * RETURN: + * Status of the cache update operation. + */ + +SECStatus +cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, + PRBool *certIDWasConsumed); + +/* + * FUNCTION: ocsp_GetResponderLocation + * Check ocspx context for user-designated responder URI first. If not + * found, checks cert AIA extension. + * INPUTS: + * CERTCertDBHandle *handle + * certificate DB of the cert that is being checked + * CERTCertificate *cert + * The certificate being examined. + * PRBool *certIDWasConsumed + * Out parameter, if set to true, URI of default responder is + * returned. + * RETURN: + * Responder URI. + */ +char * +ocsp_GetResponderLocation(CERTCertDBHandle *handle, + CERTCertificate *cert, + PRBool canUseDefaultLocation, + PRBool *isDefault); + +/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure + * The function checks the global ocsp settings and + * tells how to treat an ocsp response fetching failure. + * RETURNS: + * if PR_TRUE is returned, then treat fetching as a + * revoked cert status. + */ +PRBool +ocsp_FetchingFailureIsVerificationFailure(void); + +size_t +ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf); + +SECStatus +ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, + CERTOCSPSingleResponse **pSingleResponse); + +SECStatus +ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time); + +void +ocsp_CacheSingleResponse(CERTOCSPCertID *certID, + CERTOCSPSingleResponse *single, + PRBool *certIDWasConsumed); + +#endif /* _OCSPI_H_ */ |