PageRenderTime 35ms CodeModel.GetById 16ms app.highlight 12ms RepoModel.GetById 1ms app.codeStats 0ms

/gecko_api/include/ocsp.h

http://firefox-mac-pdf.googlecode.com/
C++ Header | 610 lines | 82 code | 33 blank | 495 comment | 0 complexity | a38f5b626afd0430c2fe405718744d31 MD5 | raw file
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is the Netscape security libraries.
 15 *
 16 * The Initial Developer of the Original Code is
 17 * Netscape Communications Corporation.
 18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *
 23 * Alternatively, the contents of this file may be used under the terms of
 24 * either the GNU General Public License Version 2 or later (the "GPL"), or
 25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 26 * in which case the provisions of the GPL or the LGPL are applicable instead
 27 * of those above. If you wish to allow use of your version of this file only
 28 * under the terms of either the GPL or the LGPL, and not to allow others to
 29 * use your version of this file under the terms of the MPL, indicate your
 30 * decision by deleting the provisions above and replace them with the notice
 31 * and other provisions required by the GPL or the LGPL. If you do not delete
 32 * the provisions above, a recipient may use your version of this file under
 33 * the terms of any one of the MPL, the GPL or the LGPL.
 34 *
 35 * ***** END LICENSE BLOCK ***** */
 36
 37/*
 38 * Interface to the OCSP implementation.
 39 *
 40 * $Id: ocsp.h,v 1.11 2007/05/25 07:28:32 alexei.volkov.bugs%sun.com Exp $
 41 */
 42
 43#ifndef _OCSP_H_
 44#define _OCSP_H_
 45
 46
 47#include "plarena.h"
 48#include "seccomon.h"
 49#include "secoidt.h"
 50#include "keyt.h"
 51#include "certt.h"
 52#include "ocspt.h"
 53
 54
 55/************************************************************************/
 56SEC_BEGIN_PROTOS
 57
 58/*
 59 * This function registers the HttpClient with whose functions the
 60 * HttpClientFcn structure has been populated as the default Http
 61 * client.
 62 *
 63 * The function table must be a global object.
 64 * The caller must ensure that NSS will be able to call
 65 * the registered functions for the lifetime of the process.
 66 */
 67extern SECStatus
 68SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);
 69
 70/*
 71 * This function obtains the HttpClient which has been registered
 72 * by an earlier call to SEC_RegisterDefaultHttpClient.
 73 */
 74extern const SEC_HttpClientFcn *
 75SEC_GetRegisteredHttpClient(void);
 76
 77/*
 78 * Sets parameters that control NSS' internal OCSP cache.
 79 * maxCacheEntries, special varlues are:
 80 *   -1 disable cache
 81 *   0 unlimited cache entries
 82 * minimumSecondsToNextFetchAttempt:
 83 *   whenever an OCSP request was attempted or completed over the network,
 84 *   wait at least this number of seconds before trying to fetch again.
 85 * maximumSecondsToNextFetchAttempt:
 86 *   this is the maximum age of a cached response we allow, until we try
 87 *   to fetch an updated response, even if the OCSP responder expects
 88 *   that newer information update will not be available yet.
 89 */
 90extern SECStatus
 91CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
 92                       PRUint32 minimumSecondsToNextFetchAttempt,
 93                       PRUint32 maximumSecondsToNextFetchAttempt);
 94
 95/*
 96 * Set the desired behaviour on OCSP failures.
 97 * See definition of ocspFailureMode for allowed choices.
 98 */
 99extern SECStatus
100CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode);
101
102/*
103 * Removes all items currently stored in the OCSP cache.
104 */
105extern SECStatus
106CERT_ClearOCSPCache(void);
107
108/*
109 * FUNCTION: CERT_EnableOCSPChecking
110 *   Turns on OCSP checking for the given certificate database.
111 * INPUTS:
112 *   CERTCertDBHandle *handle
113 *     Certificate database for which OCSP checking will be enabled.
114 * RETURN:
115 *   Returns SECFailure if an error occurred (likely only problem
116 *   allocating memory); SECSuccess otherwise.
117 */
118extern SECStatus
119CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
120
121/*
122 * FUNCTION: CERT_DisableOCSPChecking
123 *   Turns off OCSP checking for the given certificate database.
124 *   This routine disables OCSP checking.  Though it will return
125 *   SECFailure if OCSP checking is not enabled, it is "safe" to
126 *   call it that way and just ignore the return value, if it is
127 *   easier to just call it than to "remember" whether it is enabled.
128 * INPUTS:
129 *   CERTCertDBHandle *handle
130 *     Certificate database for which OCSP checking will be disabled.
131 * RETURN:
132 *   Returns SECFailure if an error occurred (usually means that OCSP
133 *   checking was not enabled or status contexts were not initialized --
134 *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
135 */
136extern SECStatus
137CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
138
139/*
140 * FUNCTION: CERT_SetOCSPDefaultResponder
141 *   Specify the location and cert of the default responder.
142 *   If OCSP checking is already enabled *and* use of a default responder
143 *   is also already enabled, all OCSP checking from now on will go directly
144 *   to the specified responder.  If OCSP checking is not enabled, or if
145 *   it is but use of a default responder is not enabled, the information
146 *   will be recorded and take effect whenever both are enabled.
147 * INPUTS:
148 *   CERTCertDBHandle *handle
149 *     Cert database on which OCSP checking should use the default responder.
150 *   char *url
151 *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
152 *     Note that the location will not be tested until the first attempt
153 *     to send a request there.
154 *   char *name
155 *     The nickname of the cert to trust (expected) to sign the OCSP responses.
156 *     If the corresponding cert cannot be found, SECFailure is returned.
157 * RETURN:
158 *   Returns SECFailure if an error occurred; SECSuccess otherwise.
159 *   The most likely error is that the cert for "name" could not be found
160 *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
161 *   bad database, etc.).
162 */
163extern SECStatus
164CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
165			     const char *url, const char *name);
166
167/*
168 * FUNCTION: CERT_EnableOCSPDefaultResponder
169 *   Turns on use of a default responder when OCSP checking.
170 *   If OCSP checking is already enabled, this will make subsequent checks
171 *   go directly to the default responder.  (The location of the responder
172 *   and the nickname of the responder cert must already be specified.)
173 *   If OCSP checking is not enabled, this will be recorded and take effect
174 *   whenever it is enabled.
175 * INPUTS:
176 *   CERTCertDBHandle *handle
177 *     Cert database on which OCSP checking should use the default responder.
178 * RETURN:
179 *   Returns SECFailure if an error occurred; SECSuccess otherwise.
180 *   No errors are especially likely unless the caller did not previously
181 *   perform a successful call to SetOCSPDefaultResponder (in which case
182 *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
183 */
184extern SECStatus
185CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
186
187/*
188 * FUNCTION: CERT_DisableOCSPDefaultResponder
189 *   Turns off use of a default responder when OCSP checking.
190 *   (Does nothing if use of a default responder is not enabled.)
191 * INPUTS:
192 *   CERTCertDBHandle *handle
193 *     Cert database on which OCSP checking should stop using a default
194 *     responder.
195 * RETURN:
196 *   Returns SECFailure if an error occurred; SECSuccess otherwise.
197 *   Errors very unlikely (like random memory corruption...).
198 */
199extern SECStatus
200CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
201
202/*
203 * -------------------------------------------------------
204 * The Functions above are those expected to be used by a client
205 * providing OCSP status checking along with every cert verification.
206 * The functions below are for OCSP testing, debugging, or clients
207 * or servers performing more specialized OCSP tasks.
208 * -------------------------------------------------------
209 */
210
211/*
212 * FUNCTION: CERT_CreateOCSPRequest
213 *   Creates a CERTOCSPRequest, requesting the status of the certs in 
214 *   the given list.
215 * INPUTS:
216 *   CERTCertList *certList
217 *     A list of certs for which status will be requested.
218 *     Note that all of these certificates should have the same issuer,
219 *     or it's expected the response will be signed by a trusted responder.
220 *     If the certs need to be broken up into multiple requests, that
221 *     must be handled by the caller (and thus by having multiple calls
222 *     to this routine), who knows about where the request(s) are being
223 *     sent and whether there are any trusted responders in place.
224 *   int64 time
225 *     Indicates the time for which the certificate status is to be 
226 *     determined -- this may be used in the search for the cert's issuer
227 *     but has no effect on the request itself.
228 *   PRBool addServiceLocator
229 *     If true, the Service Locator extension should be added to the
230 *     single request(s) for each cert.
231 *   CERTCertificate *signerCert
232 *     If non-NULL, means sign the request using this cert.  Otherwise,
233 *     do not sign.
234 *     XXX note that request signing is not yet supported; see comment in code
235 * RETURN:
236 *   A pointer to a CERTOCSPRequest structure containing an OCSP request
237 *   for the cert list.  On error, null is returned, with an error set
238 *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
239 *   (The issuer is needed to create a request for the certificate.)
240 *   Other errors are low-level problems (no memory, bad database, etc.).
241 */
242extern CERTOCSPRequest *
243CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
244		       PRBool addServiceLocator,
245		       CERTCertificate *signerCert);
246
247/*
248 * FUNCTION: CERT_AddOCSPAcceptableResponses
249 *   Add the AcceptableResponses extension to an OCSP Request.
250 * INPUTS:
251 *   CERTOCSPRequest *request
252 *     The request to which the extension should be added.
253 *   SECOidTag responseType0, ...
254 *     A list (of one or more) of SECOidTag -- each of the response types
255 *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
256 *     (This marks the end of the list, and it must be specified because a
257 *     client conforming to the OCSP standard is required to handle the basic
258 *     response type.)  The OIDs are not checked in any way.
259 * RETURN:
260 *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
261 *   All errors are internal or low-level problems (e.g. no memory).
262 */
263extern SECStatus
264CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
265				SECOidTag responseType0, ...);
266
267/* 
268 * FUNCTION: CERT_EncodeOCSPRequest
269 *   DER encodes an OCSP Request, possibly adding a signature as well.
270 *   XXX Signing is not yet supported, however; see comments in code.
271 * INPUTS: 
272 *   PRArenaPool *arena
273 *     The return value is allocated from here.
274 *     If a NULL is passed in, allocation is done from the heap instead.
275 *   CERTOCSPRequest *request
276 *     The request to be encoded.
277 *   void *pwArg
278 *     Pointer to argument for password prompting, if needed.  (Definitely
279 *     not needed if not signing.)
280 * RETURN:
281 *   Returns a NULL on error and a pointer to the SECItem with the
282 *   encoded value otherwise.  Any error is likely to be low-level
283 *   (e.g. no memory).
284 */
285extern SECItem *
286CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
287		       void *pwArg);
288
289/*
290 * FUNCTION: CERT_DecodeOCSPRequest
291 *   Decode a DER encoded OCSP Request.
292 * INPUTS:
293 *   SECItem *src
294 *     Pointer to a SECItem holding DER encoded OCSP Request.
295 * RETURN:
296 *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
297 *   On error, returns NULL.  Most likely error is trouble decoding
298 *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
299 */
300extern CERTOCSPRequest *
301CERT_DecodeOCSPRequest(SECItem *src);
302
303/*
304 * FUNCTION: CERT_DestroyOCSPRequest
305 *   Frees an OCSP Request structure.
306 * INPUTS:
307 *   CERTOCSPRequest *request
308 *     Pointer to CERTOCSPRequest to be freed.
309 * RETURN:
310 *   No return value; no errors.
311 */
312extern void
313CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
314
315/*
316 * FUNCTION: CERT_DecodeOCSPResponse
317 *   Decode a DER encoded OCSP Response.
318 * INPUTS:
319 *   SECItem *src
320 *     Pointer to a SECItem holding DER encoded OCSP Response.
321 * RETURN:
322 *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
323 *   the caller is responsible for destroying it.  Or NULL if error (either
324 *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
325 *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
326 *   or a low-level or internal error occurred).
327 */
328extern CERTOCSPResponse *
329CERT_DecodeOCSPResponse(SECItem *src);
330
331/*
332 * FUNCTION: CERT_DestroyOCSPResponse
333 *   Frees an OCSP Response structure.
334 * INPUTS:
335 *   CERTOCSPResponse *request
336 *     Pointer to CERTOCSPResponse to be freed.
337 * RETURN:
338 *   No return value; no errors.
339 */
340extern void
341CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
342
343/*
344 * FUNCTION: CERT_GetEncodedOCSPResponse
345 *   Creates and sends a request to an OCSP responder, then reads and
346 *   returns the (encoded) response.
347 * INPUTS:
348 *   PRArenaPool *arena
349 *     Pointer to arena from which return value will be allocated.
350 *     If NULL, result will be allocated from the heap (and thus should
351 *     be freed via SECITEM_FreeItem).
352 *   CERTCertList *certList
353 *     A list of certs for which status will be requested.
354 *     Note that all of these certificates should have the same issuer,
355 *     or it's expected the response will be signed by a trusted responder.
356 *     If the certs need to be broken up into multiple requests, that
357 *     must be handled by the caller (and thus by having multiple calls
358 *     to this routine), who knows about where the request(s) are being
359 *     sent and whether there are any trusted responders in place.
360 *   char *location
361 *     The location of the OCSP responder (a URL).
362 *   int64 time
363 *     Indicates the time for which the certificate status is to be 
364 *     determined -- this may be used in the search for the cert's issuer
365 *     but has no other bearing on the operation.
366 *   PRBool addServiceLocator
367 *     If true, the Service Locator extension should be added to the
368 *     single request(s) for each cert.
369 *   CERTCertificate *signerCert
370 *     If non-NULL, means sign the request using this cert.  Otherwise,
371 *     do not sign.
372 *   void *pwArg
373 *     Pointer to argument for password prompting, if needed.  (Definitely
374 *     not needed if not signing.)
375 * OUTPUTS:
376 *   CERTOCSPRequest **pRequest
377 *     Pointer in which to store the OCSP request created for the given
378 *     list of certificates.  It is only filled in if the entire operation
379 *     is successful and the pointer is not null -- and in that case the
380 *     caller is then reponsible for destroying it.
381 * RETURN:
382 *   Returns a pointer to the SECItem holding the response.
383 *   On error, returns null with error set describing the reason:
384 *	SEC_ERROR_UNKNOWN_ISSUER
385 *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
386 *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
387 *   Other errors are low-level problems (no memory, bad database, etc.).
388 */
389extern SECItem *
390CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
391			    char *location, int64 time,
392			    PRBool addServiceLocator,
393			    CERTCertificate *signerCert, void *pwArg,
394			    CERTOCSPRequest **pRequest);
395
396/*
397 * FUNCTION: CERT_VerifyOCSPResponseSignature
398 *   Check the signature on an OCSP Response.  Will also perform a
399 *   verification of the signer's certificate.  Note, however, that a
400 *   successful verification does not make any statement about the
401 *   signer's *authority* to provide status for the certificate(s),
402 *   that must be checked individually for each certificate.
403 * INPUTS:
404 *   CERTOCSPResponse *response
405 *     Pointer to response structure with signature to be checked.
406 *   CERTCertDBHandle *handle
407 *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
408 *   void *pwArg
409 *     Pointer to argument for password prompting, if needed.
410 *   CERTCertificate *issuerCert
411 *     Issuer of the certificate that generated the OCSP request.
412 * OUTPUTS:
413 *   CERTCertificate **pSignerCert
414 *     Pointer in which to store signer's certificate; only filled-in if
415 *     non-null.
416 * RETURN:
417 *   Returns SECSuccess when signature is valid, anything else means invalid.
418 *   Possible errors set:
419 *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
420 *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
421 *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
422 *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
423 *   Other errors are any of the many possible failures in cert verification
424 *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
425 *   verifying the signer's cert, or low-level problems (no memory, etc.)
426 */
427extern SECStatus
428CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
429				 CERTCertDBHandle *handle, void *pwArg,
430				 CERTCertificate **pSignerCert,
431				 CERTCertificate *issuerCert);
432
433/*
434 * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
435 *   Get the value of the URI of the OCSP responder for the given cert.
436 *   This is found in the (optional) Authority Information Access extension
437 *   in the cert.
438 * INPUTS:
439 *   CERTCertificate *cert
440 *     The certificate being examined.
441 * RETURN:
442 *   char *
443 *     A copy of the URI for the OCSP method, if found.  If either the
444 *     extension is not present or it does not contain an entry for OCSP,
445 *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
446 *     Any other error will also result in a NULL being returned.
447 *     
448 *     This result should be freed (via PORT_Free) when no longer in use.
449 */
450extern char *
451CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
452
453/*
454 * FUNCTION: CERT_ParseURL
455 *   Parse the URI of a OCSP responder into hostname, port, and path.
456 * INPUTS:
457 *   const char *location
458 *     The URI to be parsed
459 * OUTPUTS:
460 *   char *pHostname
461 *     Pointer to store the hostname obtained from the URI.
462 *     This result should be freed (via PORT_Free) when no longer in use.
463 *   PRUint16 *pPort
464 *     Pointer to store the port number obtained from the URI.
465 *   char *pPath
466 *     Pointer to store the path obtained from the URI.
467 *     This result should be freed (via PORT_Free) when no longer in use.
468 * RETURN:
469 *   Returns SECSuccess when parsing was successful. Anything else means
470 *   problems were encountered.
471 *     
472 */
473extern SECStatus
474CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath);
475
476/*
477 * FUNCTION: CERT_CheckOCSPStatus
478 *   Checks the status of a certificate via OCSP.  Will only check status for
479 *   a certificate that has an AIA (Authority Information Access) extension
480 *   for OCSP *or* when a "default responder" is specified and enabled.
481 *   (If no AIA extension for OCSP and no default responder in place, the
482 *   cert is considered to have a good status and SECSuccess is returned.)
483 * INPUTS:
484 *   CERTCertDBHandle *handle
485 *     certificate DB of the cert that is being checked
486 *   CERTCertificate *cert
487 *     the certificate being checked
488 *   XXX in the long term also need a boolean parameter that specifies
489 *	whether to check the cert chain, as well; for now we check only
490 *	the leaf (the specified certificate)
491 *   int64 time
492 *     time for which status is to be determined
493 *   void *pwArg
494 *     argument for password prompting, if needed
495 * RETURN:
496 *   Returns SECSuccess if an approved OCSP responder "knows" the cert
497 *   *and* returns a non-revoked status for it; SECFailure otherwise,
498 *   with an error set describing the reason:
499 *
500 *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
501 *	SEC_ERROR_OCSP_FUTURE_RESPONSE
502 *	SEC_ERROR_OCSP_MALFORMED_REQUEST
503 *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
504 *	SEC_ERROR_OCSP_OLD_RESPONSE
505 *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
506 *	SEC_ERROR_OCSP_SERVER_ERROR
507 *	SEC_ERROR_OCSP_TRY_SERVER_LATER
508 *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
509 *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
510 *	SEC_ERROR_OCSP_UNKNOWN_CERT
511 *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
512 *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
513 *
514 *	SEC_ERROR_BAD_SIGNATURE
515 *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
516 *	SEC_ERROR_INVALID_TIME
517 *	SEC_ERROR_REVOKED_CERTIFICATE
518 *	SEC_ERROR_UNKNOWN_ISSUER
519 *	SEC_ERROR_UNKNOWN_SIGNER
520 *
521 *   Other errors are any of the many possible failures in cert verification
522 *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
523 *   verifying the signer's cert, or low-level problems (error allocating
524 *   memory, error performing ASN.1 decoding, etc.).
525 */    
526extern SECStatus 
527CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
528		     int64 time, void *pwArg);
529/*
530 * FUNCTION: CERT_GetOCSPStatusForCertID
531 *  Returns the OCSP status contained in the passed in paramter response
532 *  that corresponds to the certID passed in.
533 * INPUTS:
534 *  CERTCertDBHandle *handle
535 *    certificate DB of the cert that is being checked
536 *  CERTOCSPResponse *response
537 *    the OCSP response we want to retrieve status from.
538 *  CERTOCSPCertID *certID
539 *    the ID we want to look for from the response.
540 *  CERTCertificate *signerCert
541 *    the certificate that was used to sign the OCSP response.
542 *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
543 *  int64 time
544 *    The time at which we're checking the status for.
545 *  RETURN:
546 *    Return values are the same as those for CERT_CheckOCSPStatus
547 */
548extern SECStatus
549CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
550			    CERTOCSPResponse *response,
551			    CERTOCSPCertID   *certID,
552			    CERTCertificate  *signerCert,
553                            int64             time);
554
555/*
556 * FUNCTION CERT_GetOCSPResponseStatus
557 *   Returns the response status for the response passed.
558 * INPUTS:
559 *   CERTOCSPResponse *response
560 *     The response to query for status
561 *  RETURN:
562 *    Returns SECSuccess if the response has a successful status value.
563 *    Otherwise it returns SECFailure and sets one of the following error
564 *    codes via PORT_SetError
565 *        SEC_ERROR_OCSP_MALFORMED_REQUEST
566 *        SEC_ERROR_OCSP_SERVER_ERROR
567 *        SEC_ERROR_OCSP_TRY_SERVER_LATER
568 *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
569 *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
570 *        SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
571 */
572extern SECStatus
573CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
574
575/*
576 * FUNCTION CERT_CreateOCSPCertID
577 *  Returns the OCSP certID for the certificate passed in.
578 * INPUTS:
579 *  CERTCertificate *cert
580 *    The certificate for which to create the certID for.
581 *  int64 time
582 *    The time at which the id is requested for.  This is used
583 *    to determine the appropriate issuer for the cert since
584 *    the issuing CA may be an older expired certificate.
585 *  RETURN:
586 *    A new copy of a CERTOCSPCertID*.  The memory for this certID
587 *    should be freed by calling CERT_DestroyOCSPCertID when the 
588 *    certID is no longer necessary.
589 */
590extern CERTOCSPCertID*
591CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time);
592
593/*
594 * FUNCTION: CERT_DestroyOCSPCertID
595 *  Frees the memory associated with the certID passed in.
596 * INPUTS:
597 *  CERTOCSPCertID* certID
598 *    The certID that the caller no longer needs and wants to 
599 *    free the associated memory.
600 * RETURN:
601 *  SECSuccess if freeing the memory was successful.  Returns
602 *  SECFailure if the memory passed in was not allocated with
603 *  a call to CERT_CreateOCSPCertID.
604 */
605extern SECStatus
606CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
607/************************************************************************/
608SEC_END_PROTOS
609
610#endif /* _OCSP_H_ */