Source code
Revision control
Copy as Markdown
Other Tools
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
/*
* ocspi.h - NSS internal interfaces to OCSP code
*/
#ifndef _OCSPI_H_
#define _OCSPI_H_
SECStatus OCSP_InitGlobal(void);
SECStatus OCSP_ShutdownGlobal(void);
ocspResponseData *
ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
ocspSignature *
ocsp_GetResponseSignature(CERTOCSPResponse *response);
SECItem *
ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
SECItem *fill, const SECItem *src);
PRBool
ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
ocspSignature *signature, CERTCertificate *issuer);
SECStatus
ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
ocspSignature *signature,
SECItem *tbsResponseDataDER,
void *pwArg);
CERTOCSPRequest *
cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
CERTCertificate *singleCert,
PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert);
typedef enum { ocspMissing,
ocspFresh,
ocspStale } OCSPFreshness;
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
PRTime time,
PRBool ignoreOcspFailureMode,
SECStatus *rvOcsp,
SECErrorCodes *missingResponseError,
OCSPFreshness *freshness);
/*
* FUNCTION: cert_ProcessOCSPResponse
* Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
* In addition it can update the OCSP cache (using information
* available internally to this function).
* INPUTS:
* CERTCertDBHandle *handle
* certificate DB of the cert that is being checked
* CERTOCSPResponse *response
* the OCSP response we want to retrieve status from.
* CERTOCSPCertID *certID
* the ID we want to look for from the response.
* CERTCertificate *signerCert
* the certificate that was used to sign the OCSP response.
* must be obtained via a call to CERT_VerifyOCSPResponseSignature.
* PRTime time
* The time at which we're checking the status for.
* PRBool *certIDWasConsumed
* In and Out parameter.
* If certIDWasConsumed is NULL on input,
* this function might produce a deep copy of cert ID
* for storing it in the cache.
* If out value is true, ownership of parameter certID was
* transferred to the OCSP cache.
* SECStatus *cacheUpdateStatus
* This optional out parameter will contain the result
* of the cache update operation (if requested).
* RETURN:
* The return value is not influenced by the cache operation,
* it matches the documentation for CERT_CheckOCSPStatus
*/
SECStatus
cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
CERTOCSPResponse *response,
CERTOCSPCertID *certID,
CERTCertificate *signerCert,
PRTime time,
PRBool *certIDWasConsumed,
SECStatus *cacheUpdateStatus);
/*
* FUNCTION: cert_RememberOCSPProcessingFailure
* If an application notices a failure during OCSP processing,
* it should finally call this function. The failure will be recorded
* in the OCSP cache in order to avoid repetitive failures.
* INPUTS:
* CERTOCSPCertID *certID
* the ID that was used for the failed OCSP processing
* PRBool *certIDWasConsumed
* Out parameter, if set to true, ownership of parameter certID was
* transferred to the OCSP cache.
* RETURN:
* Status of the cache update operation.
*/
SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
PRBool *certIDWasConsumed);
/*
* FUNCTION: ocsp_GetResponderLocation
* Check ocspx context for user-designated responder URI first. If not
* found, checks cert AIA extension.
* INPUTS:
* CERTCertDBHandle *handle
* certificate DB of the cert that is being checked
* CERTCertificate *cert
* The certificate being examined.
* PRBool *certIDWasConsumed
* Out parameter, if set to true, URI of default responder is
* returned.
* RETURN:
* Responder URI.
*/
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle,
CERTCertificate *cert,
PRBool canUseDefaultLocation,
PRBool *isDefault);
/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
* The function checks the global ocsp settings and
* tells how to treat an ocsp response fetching failure.
* RETURNS:
* if PR_TRUE is returned, then treat fetching as a
* revoked cert status.
*/
PRBool
ocsp_FetchingFailureIsVerificationFailure(void);
size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
SECStatus
ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
CERTOCSPResponse *response,
CERTOCSPCertID *certID,
CERTCertificate *signerCert,
PRTime time,
CERTOCSPSingleResponse **pSingleResponse);
SECStatus
ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
CERTOCSPSingleResponse *single,
PRBool *certIDWasConsumed);
#endif /* _OCSPI_H_ */