
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * ocspi.h - NSS internal interfaces to OCSP code
 */

#ifndef _OCSPI_H_
#define _OCSPI_H_

/*
 * Library-wide OCSP setup and teardown. The names suggest process-global
 * state (e.g. the response cache used by the ocsp_*Cache* functions
 * below), but that state is not visible from this header — confirm in
 * ocsp.c. Both return SECStatus: callers must check for SECFailure
 * rather than assume initialization happened.
 */
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);

/*
 * Return the tbsResponseData structure of a decoded OCSP response.
 * tbsResponseDataDER, when non-NULL, presumably receives the DER
 * encoding of that structure — i.e. the exact bytes the response
 * signature covers and that ocsp_VerifyResponseSignature() consumes;
 * confirm against ocsp.c. Whether the returned pointer aliases storage
 * owned by `response` (likely, given no arena argument) is not stated
 * here; do not free it separately without checking.
 */
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);

/*
 * Return the signature structure (algorithm, signature bits, embedded
 * certs) of a decoded OCSP response. This only extracts the signature;
 * it does not verify it — see ocsp_VerifyResponseSignature().
 */
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);

/*
 * Digest `src` with the hash algorithm identified by digestAlg.
 *  arena: allocator used when result storage must be allocated.
 *  fill:  optional caller-supplied SECItem to receive the digest;
 *         NULL presumably means "allocate from arena" — confirm.
 * Presumably returns NULL on failure (e.g. an unsupported digestAlg).
 * Callers must check for NULL before comparing the digest against a
 * CertID hash; a missing digest must never be treated as a match.
 */
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
                 SECItem *fill, const SECItem *src);

/*
 * Report whether `cert` is the user-designated default OCSP responder
 * certificate for `handle` (the "default responder" referred to by
 * ocsp_GetResponderLocation() below). Returns PR_TRUE only on a match;
 * treat anything else as "not the default responder".
 */
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);

/*
 * Locate the certificate that claims to have signed an OCSP response.
 * The responder identity comes from tbsData; candidates come from the
 * certs embedded in `signature` and/or the cert DB `handle`, with
 * `issuer` being the issuer of the cert whose status is being checked.
 *
 * The result is a candidate signer only. Before the response is
 * trusted it must still (a) pass ocsp_VerifyResponseSignature() and
 * (b) be authorized to sign for `issuer` (the issuer itself, a
 * delegated responder issued by it with id-kp-OCSPSigning, or the
 * configured default responder). Whether (b) is enforced inside this
 * function or by its caller is not visible from this header — confirm
 * in ocsp.c before relying on it.
 *
 * Ownership of the returned CERTCertificate is not stated here;
 * presumably the caller holds a reference and must release it with
 * CERT_DestroyCertificate — confirm.
 */
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
                          ocspSignature *signature, CERTCertificate *issuer);

/*
 * Verify `signature` over the DER bytes in tbsResponseDataDER using
 * signerCert's public key. pwArg is presumably passed through to the
 * PKCS#11 password callback (NSS convention) — confirm.
 *
 * SECSuccess is the only result a caller may accept; any other return
 * means the response is untrusted. This checks the signature math
 * only: it does not establish that signerCert is authorized to answer
 * for the certificate in question, nor that the response is fresh —
 * those are separate checks.
 */
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
                             ocspSignature *signature,
                             SECItem *tbsResponseDataDER,
                             void *pwArg);

/*
 * Build an OCSP request that asks about exactly one certificate.
 *  certID:            CertID for singleCert; whether NULL is allowed
 *                     (and then derived from singleCert) is not visible
 *                     here — confirm.
 *  singleCert:        the certificate whose status is requested.
 *  time:              reference time; how the request uses it is not
 *                     visible from this header.
 *  addServiceLocator: include the ServiceLocator request extension.
 *  signerCert:        if non-NULL, presumably used to sign the request;
 *                     NULL for an unsigned request — confirm.
 * Presumably returns NULL on failure; the caller owns the returned
 * request and is expected to free it (CERT_DestroyOCSPRequest).
 */
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 CERTCertificate *singleCert,
                                 PRTime time,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);

/*
 * Freshness classification of a cached OCSP entry for a CertID, as
 * reported through the `freshness` out-parameter of
 * ocsp_GetCachedOCSPResponseStatus(). The enumerator meanings below are
 * read from the names; confirm the exact cut-over rules in ocsp.c.
 */
typedef enum {
    ocspMissing = 0, /* no cached entry for this CertID */
    ocspFresh = 1,   /* cached entry exists and is current */
    ocspStale = 2    /* cached entry exists but is out of date */
} OCSPFreshness;

/*
 * Look up the cached OCSP status for certID as of `time`.
 *  ignoreOcspFailureMode: presumably controls whether the global
 *    failure-mode setting (see
 *    ocsp_FetchingFailureIsVerificationFailure()) is consulted when no
 *    usable entry exists — confirm in ocsp.c.
 *  rvOcsp (out): the certificate status verdict taken from the cache.
 *  missingResponseError (out): error code the caller should report when
 *    the cache holds no usable response.
 *  freshness (out): OCSPFreshness of the entry that was found.
 *
 * NOTE(review): there are two status values here — the SECStatus
 * return (presumably "did the lookup itself work") and *rvOcsp ("what
 * does the cached entry say"). A caller must check both and must not
 * read *rvOcsp when the function returns SECFailure.
 */
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
                                 PRTime time,
                                 PRBool ignoreOcspFailureMode,
                                 SECStatus *rvOcsp,
                                 SECErrorCodes *missingResponseError,
                                 OCSPFreshness *freshness);

/*
 * FUNCTION: cert_ProcessOCSPResponse
 *  Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
 *  In addition it can update the OCSP cache (using information
 *  available internally to this function).
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB of the cert that is being checked
 *  CERTOCSPResponse *response
 *    the OCSP response we want to retrieve status from.
 *  CERTOCSPCertID *certID
 *    the ID we want to look for from the response.
 *  CERTCertificate *signerCert
 *    the certificate that was used to sign the OCSP response.
 *    Must be obtained via a call to CERT_VerifyOCSPResponseSignature,
 *    i.e. the response's signature must already have been verified and
 *    the signer's authorization established before this function is
 *    called; this function does not verify the signature itself.
 *  PRTime time
 *    The time at which we're checking the status for.
 *  PRBool *certIDWasConsumed
 *    In and Out parameter.
 *    If certIDWasConsumed is NULL on input,
 *    this function might produce a deep copy of cert ID
 *    for storing it in the cache.
 *    If out value is true, ownership of parameter certID was
 *    transferred to the OCSP cache, and the caller must NOT free
 *    certID afterwards (doing so would double-free the cache's copy).
 *    If out value is false, the caller still owns certID.
 *  SECStatus *cacheUpdateStatus
 *    This optional out parameter will contain the result
 *    of the cache update operation (if requested).
 *  RETURN:
 *    The return value is not influenced by the cache operation,
 *    it matches the documentation for CERT_CheckOCSPStatus.
 *    NOTE(review): the function named here (CERT_CheckOCSPStatus)
 *    differs from the one named above (CERT_GetOCSPStatusForCertID);
 *    confirm which public function's return codes this mirrors.
 */

SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
                         CERTOCSPResponse *response,
                         CERTOCSPCertID *certID,
                         CERTCertificate *signerCert,
                         PRTime time,
                         PRBool *certIDWasConsumed,
                         SECStatus *cacheUpdateStatus);

/*
 * FUNCTION: cert_RememberOCSPProcessingFailure
 *  If an application notices a failure during OCSP processing,
 *  it should finally call this function. The failure will be recorded
 *  in the OCSP cache in order to avoid repetitive failures (repeated
 *  fetch attempts against a responder that is not answering).
 * INPUTS:
 *  CERTOCSPCertID *certID
 *    the ID that was used for the failed OCSP processing
 *  PRBool *certIDWasConsumed
 *    Out parameter, if set to true, ownership of parameter certID was
 *    transferred to the OCSP cache and the caller must not free it;
 *    if false, the caller still owns certID. Whether this pointer may
 *    be NULL is not stated here (cert_ProcessOCSPResponse allows it;
 *    confirm for this function before passing NULL).
 *  RETURN:
 *    Status of the cache update operation.
 */

SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                   PRBool *certIDWasConsumed);

/*
 * FUNCTION: ocsp_GetResponderLocation
 *  Check ocspx context for user-designated responder URI first. If not
 *  found, checks cert AIA extension.
 * INPUTS:
 *  CERTCertDBHandle *handle
 *    certificate DB of the cert that is being checked
 *  CERTCertificate *cert
 *    The certificate being examined.
 *  PRBool canUseDefaultLocation
 *    Whether the user-designated default responder URI may be used at
 *    all; when false, presumably only the cert's AIA extension is
 *    consulted — confirm in ocsp.c.
 *  PRBool *isDefault
 *    Out parameter, set to true when the returned URI is that of the
 *    default responder (rather than one taken from the cert's AIA).
 *  RETURN:
 *    Responder URI, or NULL if none is available.
 *    Ownership of the returned string is not stated here; presumably
 *    the caller must free it (PORT_Free) — confirm.
 *    NOTE(review): a URI taken from the AIA extension is data from
 *    the certificate under examination, i.e. untrusted input. Callers
 *    that build a request URL or open a connection from it should not
 *    assume it is well-formed.
 */
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
                          CERTCertificate *cert,
                          PRBool canUseDefaultLocation,
                          PRBool *isDefault);

/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
 * The function checks the global ocsp settings and
 * tells how to treat a failure to fetch an ocsp response.
 * RETURNS:
 *   PR_TRUE:  a fetch failure is a verification failure — the cert
 *             must be treated as if its status were revoked/unknown
 *             ("hard-fail").
 *   PR_FALSE: presumably a fetch failure is not held against the
 *             cert ("soft-fail"); confirm the exact behavior in the
 *             callers, since this is the fail-open case.
 */
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);

/*
 * URL-encode the NUL-terminated base64 string in base64Buf into
 * outputBuf and return the number of bytes produced.
 *
 * NOTE(review): there is no size parameter for outputBuf, so the
 * caller alone is responsible for sizing it. A conservative bound is
 * 3x the input length (every byte may become a %XX triple) plus room
 * for a terminator; the exact expansion depends on which characters
 * the implementation escapes. Whether outputBuf may be NULL to query
 * the required length, and whether the output is NUL-terminated, are
 * not visible here — check ocsp.c before relying on either.
 */
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);

/*
 * Find the SingleResponse inside `response` that matches certID and
 * return it through *pSingleResponse.
 *  signerCert: presumably the already-verified signer of `response`
 *    (the same precondition cert_ProcessOCSPResponse states for its
 *    signerCert). There is no pwArg here, so this function most likely
 *    does not verify the signature itself — do not call it on a
 *    response whose signature has not been checked.
 *  time: the time the single response is validated against
 *    (thisUpdate/nextUpdate window), by name — confirm.
 * Returns SECSuccess when a matching, acceptable SingleResponse was
 * found; *pSingleResponse presumably points into `response` and must
 * not be freed separately — confirm.
 */
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
                                        CERTOCSPResponse *response,
                                        CERTOCSPCertID *certID,
                                        CERTCertificate *signerCert,
                                        PRTime time,
                                        CERTCertificate **pSingleResponse);

/*
 * Decide whether a decoded certStatus means "good" at `time`.
 * Returns SECSuccess only for a good status; revoked and unknown
 * statuses are expected to yield SECFailure with a corresponding
 * error code set. Callers must treat every non-SECSuccess result as
 * not-good — never default to accepting the certificate.
 */
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);

/*
 * Store `single` in the OCSP cache under certID. The function returns
 * void, so the caller cannot learn whether caching succeeded; failure
 * to cache is not a verification failure.
 *  certIDWasConsumed (out): as with cert_RememberOCSPProcessingFailure,
 *    PR_TRUE means ownership of certID passed to the cache and the
 *    caller must not free it; PR_FALSE means the caller still owns it.
 *    Whether NULL is accepted here is not visible from this header.
 * Only cache a SingleResponse that came from a signature-verified
 * response; the cache is consulted later without re-verification.
 */
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
                         CERTOCSPSingleResponse *single,
                         PRBool *certIDWasConsumed);

#endif /* _OCSPI_H_ */