/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is the PKIX-C library.
 *
 * The Initial Developer of the Original Code is
 * Sun Microsystems, Inc.
 * Portions created by the Initial Developer are
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Contributor(s):
 *   Sun Microsystems, Inc.
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
/*
 * This file defines functions associated with the PKIX_RevocationChecker
 * type.
 *
 */

#ifndef _PKIX_REVCHECKER_H
#define _PKIX_REVCHECKER_H

#include "pkixt.h"
#include "pkix_pl_pki.h"

#ifdef __cplusplus
extern "C" {
#endif

/* General
 *
 * Please refer to the libpkix Programmer's Guide for detailed information
 * about how to use the libpkix library. Certain key warnings and notices from
 * that document are repeated here for emphasis.
 *
 * All identifiers in this file (and all public identifiers defined in
 * libpkix) begin with "PKIX_". Private identifiers only intended for use
 * within the library begin with "pkix_".
 *
 * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
 *
 * Unless otherwise noted, for all accessor (gettor) functions that return a
 * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
 * shared object. Therefore, the caller should treat this shared object as
 * read-only and should not modify this shared object. When done using the
 * shared object, the caller should release the reference to the object by
 * using the PKIX_PL_Object_DecRef function.
 *
 * While a function is executing, if its arguments (or anything referred to by
 * its arguments) are modified, free'd, or destroyed, the function's behavior
 * is undefined.
 *
 */

/* PKIX_RevocationChecker
 *
 * PKIX_RevocationChecker provides a standard way of revocation checking.
 * Caller should configure two set of tests(represented at lists of
 * RevocationMethod objects) to be performed on the leaf and on the rest of
 * the chain certificates.
 *
 * PKIX_RevocationMethods provide a standard way for the caller to insert
 * their own custom revocation checks to verify the revocation status of
 * certificates. This may be useful in many scenarios, including when the
 * caller wishes to use their own revocation checking mechanism instead of (or
 * in addition to) the default revocation checking mechanism provided by
 * libpkix, which uses CRLs and OCSP. 
 *
 * Once the caller has created the RevocationMethod object(s), the caller
 * then specifies the RevocationMethod object(s) in a RevocationCheck object
 * and sets it into a ProcessingParams.
 */

/*
 * FUNCTION: PKIX_RevocationChecker_Create
 * DESCRIPTION:
 *
 * Creates revocation checker object with a given flags.
 *
 * PARAMETERS:
 *  "revDate"
 *      Revocation will be checked at this date. Current date is taken if the
 *      parameter is not specified.
 *  "leafMethodListFlags"
 *      Defines a set of method independent flags that will be used to check
 *      revocation of the leaf cert in the chain.
 *  "chainMethodListFlags"
 *      Defines a set of method independent flags that will be used to check
 *      revocation of the remaining certs in the chain.
 *  "pChecker"
 *      The return address of created checker.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe
 *
 *  Multiple threads must be able to safely call this function without
 *  worrying about conflicts, even if they're operating on the same objects.
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
PKIX_RevocationChecker_Create(
    PKIX_UInt32 leafMethodListFlags,
    PKIX_UInt32 chainMethodListFlags,
    PKIX_RevocationChecker **pChecker,
    void *plContext);

/*
 * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
 * DESCRIPTION:
 *
 * Creates revocation method object with given parameters and adds it
 * to revocation checker method list.
 *
 * PARAMETERS:
 *  "revChecker"
 *      Address of revocation checker structure.
 *  "procParams"
 *      Address of ProcessingParams used to initialize the checker.
 *      Must be non-NULL.
 *  "methodType"
 *      Type of the method. Currently only two types are
 *      supported: crl and ocsp. (See PKIX_RevocationMethodType enum).
 *  "methodFlags"
 *      Set of flags for the method.
 *  "methodPriority"
 *      Method priority. (0 corresponds to a highest priority)
 *  "verificationFn"
 *      User call back function that will perform validation of fetched
 *      revocation information(new crl or ocsp response)
 *  "isLeafMethod"
 *      Boolean flag that if set to true indicates that the method should
 *      should be used for leaf cert revocation test(false for chain set
 *      methods).
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe
 *
 *  Multiple threads must be able to safely call this function without
 *  worrying about conflicts, even if they're operating on the same objects.
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
PKIX_RevocationChecker_CreateAndAddMethod(
    PKIX_RevocationChecker *revChecker,
    PKIX_ProcessingParams *params,
    PKIX_RevocationMethodType methodType,
    PKIX_UInt32 methodFlags,
    PKIX_UInt32 mathodPriority,
    PKIX_PL_VerifyCallback verificationFn,
    PKIX_Boolean isLeafMethod,
    void *plContext);

/*
 * FUNCTION: PKIX_RevocationChecker_Check
 * DESCRIPTION:
 *
 * Verifies revocation status of the certificate. Issuer cert is given to
 * be used in verification of revocation information. Performed verification
 * check depends on configured revocation methods(ocsp, crl. See
 * PKIX_RevocationChecker_CreateAndAddMethod function) and a point of chain
 * building process at which PKIX_RevocationChecker_Check was invoked.
 * For security reasons, the cert status is checked only against cached
 * revocation information during chain building stage(no trust anchor yes has
 * been found). The fresh revocation information fetching is done only at chain
 * verification stage after trust anchor was identified.
 * 
 * PARAMETERS:
 *  "cert"
 *      Address of Cert whose revocation status is to be determined.
 *      Must be non-NULL.
 *  "issuer"
 *      Issuer cert that potentially holds public key that will be used
 *      to verify revocation info.
 *  "revChecker"
 *      Address of revocation checker structure.
 *  "procParams"
 *      Address of ProcessingParams used to initialize the checker.
 *      Must be non-NULL.
 *  "chainVerificationState"
 *     Need to be set to true, if the check was called during chain verification
 *     as an opposite to chain building.
 *  "testingLeafCert"
 *     Set to true if verifying revocation status of a leaf cert.
 *  "revStatus"
 *     Address of the returned revocation status of the cert.
 *  "pResultCode"
 *      Address where revocation status will be stored. Must be non-NULL.
 *  "pNBIOContext"
 *      Address at which platform-dependent non-blocking I/O context is stored.
 *      Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe
 *
 *  Multiple threads must be able to safely call this function without
 *  worrying about conflicts, even if they're operating on the same objects.
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
PKIX_RevocationChecker_Check(PKIX_PL_Cert *cert,
                             PKIX_PL_Cert *issuer,
                             PKIX_RevocationChecker *revChecker,
                             PKIX_ProcessingParams *procParams,
                             PKIX_Boolean chainVerificationState,
                             PKIX_Boolean testingLeafCert,
                             PKIX_RevocationStatus *revStatus,
                             PKIX_UInt32 *pReasonCode,
                             void **pNbioContext,
                             void *plContext);
    
#ifdef __cplusplus
}
#endif

#endif /* _PKIX_REVCHECKER_H */