lib/includes/gnutls/ocsp.h

   1 /*
   2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Simon Josefsson
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 /* Online Certificate Status Protocol - RFC 2560
  24  */
  25
  26 #ifndef GNUTLS_OCSP_H
  27 #define GNUTLS_OCSP_H
  28
  29 #include <gnutls/gnutls.h>
  30 #include <gnutls/x509.h>
  31
  32 #ifdef __cplusplus
  33 extern "C"
  34 {
  35 #endif
  36
  37 #define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
  38
  39 /**
  40  * gnutls_ocsp_print_formats_t:
  41  * @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
  42  * @GNUTLS_OCSP_PRINT_COMPACT: More compact information about OCSP request/response.
  43  *
  44  * Enumeration of different OCSP printing variants.
  45  */
  46 typedef enum gnutls_ocsp_print_formats_t
  47   {
  48     GNUTLS_OCSP_PRINT_FULL = 0,
  49     GNUTLS_OCSP_PRINT_COMPACT = 1,
  50   } gnutls_ocsp_print_formats_t;
  51
  52 /**
  53  * gnutls_ocsp_resp_status_t:
  54  * @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
  55  * @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
  56  * @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
  57  * @GNUTLS_OCSP_RESP_TRYLATER: Try again later
  58  * @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
  59  * @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
  60  *
  61  * Enumeration of different OCSP response status codes.
  62  */
  63 typedef enum gnutls_ocsp_resp_status_t
  64   {
  65     GNUTLS_OCSP_RESP_SUCCESSFUL = 0,
  66     GNUTLS_OCSP_RESP_MALFORMEDREQUEST = 1,
  67     GNUTLS_OCSP_RESP_INTERNALERROR = 2,
  68     GNUTLS_OCSP_RESP_TRYLATER = 3,
  69     GNUTLS_OCSP_RESP_SIGREQUIRED = 5,
  70     GNUTLS_OCSP_RESP_UNAUTHORIZED = 6
  71   } gnutls_ocsp_resp_status_t;
  72
  73 /**
  74  * gnutls_ocsp_cert_status_t:
  75  * @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
  76  * @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
  77  * @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
  78  *   certificate.
  79  *
  80  * Enumeration of different OCSP response certificate status codes.
  81  */
  82 typedef enum gnutls_ocsp_cert_status_t
  83   {
  84     GNUTLS_OCSP_CERT_GOOD = 0,
  85     GNUTLS_OCSP_CERT_REVOKED = 1,
  86     GNUTLS_OCSP_CERT_UNKNOWN = 2
  87   } gnutls_ocsp_cert_status_t;
  88
  89 /**
  90  * gnutls_x509_crl_reason_t:
  91  * @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
  92  * @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
  93  * @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
  94  * @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
  95  * @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
  96  * @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
  97  * @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
  98  * @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
  99  * @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
 100  * @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
 101  *
 102  * Enumeration of different reason codes.  Note that this
 103  * corresponds to the CRLReason ASN.1 enumeration type, and not the
 104  * ReasonFlags ASN.1 bit string.
 105  */
 106 typedef enum gnutls_x509_crl_reason_t
 107   {
 108     GNUTLS_X509_CRLREASON_UNSPECIFIED = 0,
 109     GNUTLS_X509_CRLREASON_KEYCOMPROMISE = 1,
 110     GNUTLS_X509_CRLREASON_CACOMPROMISE = 2,
 111     GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED = 3,
 112     GNUTLS_X509_CRLREASON_SUPERSEDED = 4,
 113     GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION = 5,
 114     GNUTLS_X509_CRLREASON_CERTIFICATEHOLD = 6,
 115     GNUTLS_X509_CRLREASON_REMOVEFROMCRL = 8,
 116     GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN = 9,
 117     GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
 118   } gnutls_x509_crl_reason_t;
 119
 120 /**
 121  * gnutls_ocsp_verify_reason_t:
 122  * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
 123  * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
 124  * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
 125  * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure algorithm.
 126  * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
 127  * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
 128  * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
 129  *
 130  * Enumeration of OCSP verify status codes, used by
 131  * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
 132  */
 133 typedef enum gnutls_ocsp_verify_reason_t
 134   {
 135     GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND = 1,
 136     GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR = 2,
 137     GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER = 4,
 138     GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM = 8,
 139     GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE = 16,
 140     GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED = 32,
 141     GNUTLS_OCSP_VERIFY_CERT_EXPIRED = 64
 142   } gnutls_ocsp_verify_reason_t;
 143
 144   struct gnutls_ocsp_req_int;
 145   typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;
 146
 147   int gnutls_ocsp_req_init (gnutls_ocsp_req_t * req);
 148   void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t req);
 149
 150   int gnutls_ocsp_req_import (gnutls_ocsp_req_t req,
 151                               const gnutls_datum_t * data);
 152   int gnutls_ocsp_req_export (gnutls_ocsp_req_t req, gnutls_datum_t * data);
 153   int gnutls_ocsp_req_print (gnutls_ocsp_req_t req,
 154                              gnutls_ocsp_print_formats_t format,
 155                              gnutls_datum_t * out);
 156
 157   int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req);
 158
 159   int gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t req,
 160                                    unsigned indx,
 161                                    gnutls_digest_algorithm_t *digest,
 162                                    gnutls_datum_t *issuer_name_hash,
 163                                    gnutls_datum_t *issuer_key_hash,
 164                                    gnutls_datum_t *serial_number);
 165   int gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t req,
 166                                    gnutls_digest_algorithm_t digest,
 167                                    const gnutls_datum_t *issuer_name_hash,
 168                                    const gnutls_datum_t *issuer_key_hash,
 169                                    const gnutls_datum_t *serial_number);
 170   int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req,
 171                                 gnutls_digest_algorithm_t digest,
 172                                 gnutls_x509_crt_t issuer,
 173                                 gnutls_x509_crt_t cert);
 174
 175   int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t req,
 176                                      unsigned indx,
 177                                      gnutls_datum_t *oid,
 178                                      unsigned int *critical,
 179                                      gnutls_datum_t *data);
 180   int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req,
 181                                      const char *oid,
 182                                      unsigned int critical,
 183                                      const gnutls_datum_t *data);
 184
 185   int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
 186                                  unsigned int *critical,
 187                                  gnutls_datum_t *nonce);
 188   int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req,
 189                                  unsigned int critical,
 190                                  const gnutls_datum_t *nonce);
 191   int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req);
 192
 193   struct gnutls_ocsp_resp_int;
 194   typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;
 195
 196   int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * resp);
 197   void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t resp);
 198
 199   int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t resp,
 200                                const gnutls_datum_t * data);
 201   int gnutls_ocsp_resp_export (gnutls_ocsp_resp_t resp,
 202                                gnutls_datum_t * data);
 203   int gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp,
 204                               gnutls_ocsp_print_formats_t format,
 205                               gnutls_datum_t * out);
 206
 207   int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t resp);
 208   int gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t resp,
 209                                      gnutls_datum_t *response_type_oid,
 210                                      gnutls_datum_t *response);
 211
 212   int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t resp);
 213   int gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t resp,
 214                                       gnutls_datum_t *dn);
 215   time_t gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp);
 216   int gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t resp,
 217                                    unsigned indx,
 218                                    gnutls_digest_algorithm_t *digest,
 219                                    gnutls_datum_t *issuer_name_hash,
 220                                    gnutls_datum_t *issuer_key_hash,
 221                                    gnutls_datum_t *serial_number,
 222                                    unsigned int *cert_status,
 223                                    time_t *this_update,
 224                                    time_t *next_update,
 225                                    time_t *revocation_time,
 226                                    unsigned int *revocation_reason);
 227   int gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t resp,
 228                                       unsigned indx,
 229                                       gnutls_datum_t *oid,
 230                                       unsigned int *critical,
 231                                       gnutls_datum_t *data);
 232   int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp,
 233                                   unsigned int *critical,
 234                                   gnutls_datum_t *nonce);
 235   int gnutls_ocsp_resp_get_signature_algorithm (gnutls_ocsp_resp_t resp);
 236   int gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t resp,
 237                                       gnutls_datum_t *sig);
 238   int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t resp,
 239                                   gnutls_x509_crt_t ** certs,
 240                                   size_t *ncerts);
 241
 242   int gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp,
 243                                       gnutls_x509_crt_t issuer,
 244                                       unsigned int *verify,
 245                                       unsigned int flags);
 246   int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
 247                                gnutls_x509_trust_list_t trustlist,
 248                                unsigned int *verify,
 249                                unsigned int flags);
 250
 251   int gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp,
 252                                   unsigned int indx,
 253                                   gnutls_x509_crt_t crt);
 254
 255 #ifdef __cplusplus
 256 }
 257 #endif
 258
 259 #endif /* GNUTLS_OCSP_H */