1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 * ocspi.h - NSS internal interfaces to OCSP code
/* Initialize the OCSP module's global state (what that covers is defined in
 * the implementing .c file, not here). Returns SECSuccess or SECFailure.
 * NOTE(review): presumably must be called before the other ocsp_* functions
 * declared below and paired with OCSP_ShutdownGlobal — confirm in the .c. */
11 SECStatus OCSP_InitGlobal(void);
/* Release the global state set up by OCSP_InitGlobal; same SECStatus contract. */
12 SECStatus OCSP_ShutdownGlobal(void);
15 ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
18 ocsp_GetResponseSignature(CERTOCSPResponse *response);
21 ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
22 SECItem *fill, const SECItem *src);
25 ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
28 ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
29 ocspSignature *signature, CERTCertificate *issuer);
32 ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
33 ocspSignature *signature,
34 SECItem *tbsResponseDataDER,
38 cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
39 CERTCertificate *singleCert,
41 PRBool addServiceLocator,
42 CERTCertificate *signerCert);
45 ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
47 PRBool ignoreOcspFailureMode,
49 SECErrorCodes *missingResponseError);
52 * FUNCTION: cert_ProcessOCSPResponse
53 * Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
54 * In addition it can update the OCSP cache (using information
55 * available internally to this function).
57 * CERTCertDBHandle *handle
58 * certificate DB of the cert that is being checked
59 * CERTOCSPResponse *response
60 * the OCSP response we want to retrieve status from.
61 * CERTOCSPCertID *certID
62 * the ID we want to look for from the response.
63 * CERTCertificate *signerCert
64 * the certificate that was used to sign the OCSP response.
65 * must be obtained via a call to CERT_VerifyOCSPResponseSignature.
67 * The time for which the status is being checked.
68 * PRBool *certIDWasConsumed
69 * In and out parameter.
70 * If certIDWasConsumed is NULL on input,
71 * this function may make a deep copy of the cert ID
72 * in order to store it in the cache.
73 * If the out value is true, ownership of the certID parameter
74 * has been transferred to the OCSP cache and the caller must no longer free it.
75 * SECStatus *cacheUpdateStatus
76 * This optional out parameter will contain the result
77 * of the cache update operation (if requested).
79 * The return value is not influenced by the cache operation;
80 * it matches the documentation for CERT_CheckOCSPStatus
84 cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
85 CERTOCSPResponse *response,
86 CERTOCSPCertID *certID,
87 CERTCertificate *signerCert,
89 PRBool *certIDWasConsumed,
90 SECStatus *cacheUpdateStatus);
93 * FUNCTION: cert_RememberOCSPProcessingFailure
94 * If an application notices a failure during OCSP processing,
95 * it should call this function last. The failure will be recorded
96 * in the OCSP cache in order to avoid repeated failures.
98 * CERTOCSPCertID *certID
99 * the ID that was used for the failed OCSP processing
100 * PRBool *certIDWasConsumed
101 * Out parameter; if set to true, ownership of the certID parameter
102 * has been transferred to the OCSP cache.
104 * Status of the cache update operation.
108 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
109 PRBool *certIDWasConsumed);
112 * FUNCTION: ocsp_GetResponderLocation
113 * Checks the ocspx context for a user-designated responder URI first. If none
114 * is found, checks the cert's AIA extension.
116 * CERTCertDBHandle *handle
117 * certificate DB of the cert that is being checked
118 * CERTCertificate *cert
119 * The certificate being examined.
120 * PRBool *certIDWasConsumed
121 * Out parameter, if set to true, URI of default responder is
127 ocsp_GetResponderLocation(CERTCertDBHandle *handle,
128 CERTCertificate *cert,
129 PRBool canUseDefaultLocation,
132 /* FUNCTION: ocsp_FetchingFailureIsVerificationFailure
133 * Checks the global OCSP settings and
134 * tells how to treat an OCSP response fetching failure.
136 * If PR_TRUE is returned, a fetching failure is to be treated as a
137 * revoked cert status.
140 ocsp_FetchingFailureIsVerificationFailure(void);
142 #endif /* _OCSPI_H_ */