
0001 /*
0002  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
0003  *
0004  * Author: Simon Josefsson
0005  *
0006  * This file is part of GnuTLS.
0007  *
0008  * The GnuTLS is free software; you can redistribute it and/or
0009  * modify it under the terms of the GNU Lesser General Public License
0010  * as published by the Free Software Foundation; either version 2.1 of
0011  * the License, or (at your option) any later version.
0012  *
0013  * This library is distributed in the hope that it will be useful, but
0014  * WITHOUT ANY WARRANTY; without even the implied warranty of
0015  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
0016  * Lesser General Public License for more details.
0017  *
0018  * You should have received a copy of the GNU Lesser General Public License
0019  * along with this program.  If not, see <https://www.gnu.org/licenses/>
0020  *
0021  */
0022 
0023 /* Online Certificate Status Protocol - RFC 2560
0024  */
0025 
0026 #ifndef GNUTLS_OCSP_H
0027 #define GNUTLS_OCSP_H
0028 
0029 #include <gnutls/gnutls.h>
0030 #include <gnutls/x509.h>
0031 
0032 #ifdef __cplusplus
0033 extern "C" {
0034 #endif
0035 
     /* OID of the OCSP nonce extension (id-pkix-ocsp-nonce, RFC 2560);
      * used with gnutls_ocsp_req_set_nonce()/gnutls_ocsp_resp_get_nonce(). */
0036 #define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
0037 
0038 /**
0039  * gnutls_ocsp_print_formats_t:
0040  * @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
0041  * @GNUTLS_OCSP_PRINT_COMPACT: More compact information about OCSP request/response.
0042  *
0043  * Enumeration of different OCSP printing variants.
      * Passed as the @format argument of gnutls_ocsp_req_print() and
      * gnutls_ocsp_resp_print().
0044  */
0045 typedef enum gnutls_ocsp_print_formats_t {
0046     GNUTLS_OCSP_PRINT_FULL = 0,
0047     GNUTLS_OCSP_PRINT_COMPACT = 1
0048 } gnutls_ocsp_print_formats_t;
0049 
0050 /**
0051  * gnutls_ocsp_resp_status_t:
0052  * @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
0053  * @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
0054  * @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
0055  * @GNUTLS_OCSP_RESP_TRYLATER: Try again later
0056  * @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
0057  * @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
0058  *
0059  * Enumeration of different OCSP response status codes.
      * The numeric values follow the OCSPResponseStatus ASN.1 enumeration
      * of RFC 2560, which leaves 4 unassigned; hence the gap below.
      * Only GNUTLS_OCSP_RESP_SUCCESSFUL carries a usable response body.
0060  */
0061 typedef enum gnutls_ocsp_resp_status_t {
0062     GNUTLS_OCSP_RESP_SUCCESSFUL = 0,
0063     GNUTLS_OCSP_RESP_MALFORMEDREQUEST = 1,
0064     GNUTLS_OCSP_RESP_INTERNALERROR = 2,
0065     GNUTLS_OCSP_RESP_TRYLATER = 3,
0066     GNUTLS_OCSP_RESP_SIGREQUIRED = 5,
0067     GNUTLS_OCSP_RESP_UNAUTHORIZED = 6
0068 } gnutls_ocsp_resp_status_t;
0069 
0070 /**
0071  * gnutls_ocsp_cert_status_t:
0072  * @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
0073  * @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
0074  * @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
0075  *   certificate.
0076  *
0077  * Enumeration of different OCSP response certificate status codes.
      * Only GNUTLS_OCSP_CERT_GOOD is a positive answer; UNKNOWN means the
      * responder cannot vouch for the certificate and must not be read as
      * "not revoked".  Appears to be the type behind the @cert_status
      * output of gnutls_ocsp_resp_get_single() — confirm against caller.
0078  */
0079 typedef enum gnutls_ocsp_cert_status_t {
0080     GNUTLS_OCSP_CERT_GOOD = 0,
0081     GNUTLS_OCSP_CERT_REVOKED = 1,
0082     GNUTLS_OCSP_CERT_UNKNOWN = 2
0083 } gnutls_ocsp_cert_status_t;
0084 
0085 /**
0086  * gnutls_x509_crl_reason_t:
0087  * @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
0088  * @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
0089  * @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
0090  * @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
0091  * @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
0092  * @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
0093  * @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
0094  * @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
0095  * @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
0096  * @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
0097  *
0098  * Enumeration of different reason codes.  Note that this
0099  * corresponds to the CRLReason ASN.1 enumeration type, and not the
0100  * ReasonFlags ASN.1 bit string.
      * The values are the CRLReason ones, in which 7 is unassigned; hence
      * the gap below.  Presumably what the @revocation_reason output of
      * gnutls_ocsp_resp_get_single() holds for a revoked entry — confirm.
0101  */
0102 typedef enum gnutls_x509_crl_reason_t {
0103     GNUTLS_X509_CRLREASON_UNSPECIFIED = 0,
0104     GNUTLS_X509_CRLREASON_KEYCOMPROMISE = 1,
0105     GNUTLS_X509_CRLREASON_CACOMPROMISE = 2,
0106     GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED = 3,
0107     GNUTLS_X509_CRLREASON_SUPERSEDED = 4,
0108     GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION = 5,
0109     GNUTLS_X509_CRLREASON_CERTIFICATEHOLD = 6,
0110     GNUTLS_X509_CRLREASON_REMOVEFROMCRL = 8,
0111     GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN = 9,
0112     GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
0113 } gnutls_x509_crl_reason_t;
0114 
0115 /* When adding a verify failure reason update:
0116  * _gnutls_ocsp_verify_status_to_str()
0117  */
0118 /**
0119  * gnutls_ocsp_verify_reason_t:
0120  * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
0121  * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
0122  * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
0123  * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure algorithm.
0124  * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
0125  * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
0126  * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
0127  *
0128  * Enumeration of OCSP verify status codes, used by
0129  * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
      * Every enumerator is a failure reason and the values are distinct
      * bits, so the status those functions store in their @verify output
      * can carry several reasons at once: a non-zero status means the
      * response must not be trusted, and an individual reason is tested
      * with a bitwise AND, never with ==.
0130  */
0131 typedef enum gnutls_ocsp_verify_reason_t {
0132     GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND = 1,
0133     GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR = 2,
0134     GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER = 4,
0135     GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM = 8,
0136     GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE = 16,
0137     GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED = 32,
0138     GNUTLS_OCSP_VERIFY_CERT_EXPIRED = 64
0139 } gnutls_ocsp_verify_reason_t;
0140 
0141 struct gnutls_ocsp_req_int;
0142 typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;
0143 typedef const struct gnutls_ocsp_req_int *gnutls_ocsp_req_const_t;
0144 
0145 int gnutls_ocsp_req_init(gnutls_ocsp_req_t *req);
0146 void gnutls_ocsp_req_deinit(gnutls_ocsp_req_t req);
0147 
0148 int gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t *data);
0149 int gnutls_ocsp_req_export(gnutls_ocsp_req_const_t req, gnutls_datum_t *data);
0150 int gnutls_ocsp_req_print(gnutls_ocsp_req_const_t req,
0151               gnutls_ocsp_print_formats_t format,
0152               gnutls_datum_t *out);
0153 
0154 int gnutls_ocsp_req_get_version(gnutls_ocsp_req_const_t req);
0155 
0156 int gnutls_ocsp_req_get_cert_id(gnutls_ocsp_req_const_t req, unsigned indx,
0157                 gnutls_digest_algorithm_t *digest,
0158                 gnutls_datum_t *issuer_name_hash,
0159                 gnutls_datum_t *issuer_key_hash,
0160                 gnutls_datum_t *serial_number);
0161 int gnutls_ocsp_req_add_cert_id(gnutls_ocsp_req_t req,
0162                 gnutls_digest_algorithm_t digest,
0163                 const gnutls_datum_t *issuer_name_hash,
0164                 const gnutls_datum_t *issuer_key_hash,
0165                 const gnutls_datum_t *serial_number);
0166 int gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req,
0167                  gnutls_digest_algorithm_t digest,
0168                  gnutls_x509_crt_t issuer, gnutls_x509_crt_t cert);
0169 
0170 int gnutls_ocsp_req_get_extension(gnutls_ocsp_req_const_t req, unsigned indx,
0171                   gnutls_datum_t *oid, unsigned int *critical,
0172                   gnutls_datum_t *data);
0173 int gnutls_ocsp_req_set_extension(gnutls_ocsp_req_t req, const char *oid,
0174                   unsigned int critical,
0175                   const gnutls_datum_t *data);
0176 
     /* Request nonce (GNUTLS_OCSP_NONCE extension).  A nonce the responder
      * echoes back ties a response to this particular request, which is
      * what defeats replay of an older, still-signed response; compare it
      * with gnutls_ocsp_resp_get_nonce() on the reply. */
0177 int gnutls_ocsp_req_get_nonce(gnutls_ocsp_req_const_t req,
0178                   unsigned int *critical, gnutls_datum_t *nonce);
0179 int gnutls_ocsp_req_set_nonce(gnutls_ocsp_req_t req, unsigned int critical,
0180                   const gnutls_datum_t *nonce);
0181 int gnutls_ocsp_req_randomize_nonce(gnutls_ocsp_req_t req);
0182 
0183 struct gnutls_ocsp_resp_int;
0184 typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;
0185 typedef const struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_const_t;
0186 
0187 int gnutls_ocsp_resp_init(gnutls_ocsp_resp_t *resp);
0188 void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp);
0189 
0190 int gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
0191                 const gnutls_datum_t *data);
0192 int gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
0193                  const gnutls_datum_t *data,
0194                  gnutls_x509_crt_fmt_t fmt);
0195 int gnutls_ocsp_resp_export(gnutls_ocsp_resp_const_t resp,
0196                 gnutls_datum_t *data);
0197 int gnutls_ocsp_resp_export2(gnutls_ocsp_resp_const_t resp,
0198                  gnutls_datum_t *data, gnutls_x509_crt_fmt_t fmt);
0199 int gnutls_ocsp_resp_print(gnutls_ocsp_resp_const_t resp,
0200                gnutls_ocsp_print_formats_t format,
0201                gnutls_datum_t *out);
0202 
0203 int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_const_t resp);
0204 int gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_const_t resp,
0205                   gnutls_datum_t *response_type_oid,
0206                   gnutls_datum_t *response);
0207 
0208 int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_const_t resp);
0209 int gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_const_t resp,
0210                    gnutls_datum_t *dn);
0211 int gnutls_ocsp_resp_get_responder2(gnutls_ocsp_resp_const_t resp,
0212                     gnutls_datum_t *dn, unsigned flags);
0213 
0214 /* the raw key ID of the responder */
0215 #define GNUTLS_OCSP_RESP_ID_KEY 1
0216 /* the raw DN of the responder */
0217 #define GNUTLS_OCSP_RESP_ID_DN 2
0218 int gnutls_ocsp_resp_get_responder_raw_id(gnutls_ocsp_resp_const_t resp,
0219                       unsigned type, gnutls_datum_t *raw);
0220 
0221 time_t gnutls_ocsp_resp_get_produced(gnutls_ocsp_resp_const_t resp);
     /* Read the single response at @indx.  @cert_status is expected to take
      * gnutls_ocsp_cert_status_t values and @revocation_reason
      * gnutls_x509_crl_reason_t values (matching parameter names — confirm
      * in the implementation).  @this_update/@next_update bound the period
      * the answer is valid for; a caller relying on the status should check
      * them against the current time, and gnutls_ocsp_resp_check_crt()
      * that the entry is about the certificate it cares about. */
0222 int gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_const_t resp, unsigned indx,
0223                 gnutls_digest_algorithm_t *digest,
0224                 gnutls_datum_t *issuer_name_hash,
0225                 gnutls_datum_t *issuer_key_hash,
0226                 gnutls_datum_t *serial_number,
0227                 unsigned int *cert_status, time_t *this_update,
0228                 time_t *next_update, time_t *revocation_time,
0229                 unsigned int *revocation_reason);
0230 int gnutls_ocsp_resp_get_extension(gnutls_ocsp_resp_const_t resp, unsigned indx,
0231                    gnutls_datum_t *oid, unsigned int *critical,
0232                    gnutls_datum_t *data);
0233 int gnutls_ocsp_resp_get_nonce(gnutls_ocsp_resp_const_t resp,
0234                    unsigned int *critical, gnutls_datum_t *nonce);
0235 int gnutls_ocsp_resp_get_signature_algorithm(gnutls_ocsp_resp_const_t resp);
0236 int gnutls_ocsp_resp_get_signature(gnutls_ocsp_resp_const_t resp,
0237                    gnutls_datum_t *sig);
0238 int gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_const_t resp,
0239                    gnutls_x509_crt_t **certs, size_t *ncerts);
0240 
     /* Verify the signature on @resp: _direct against the given @issuer
      * certificate, the other variant against a trust list.  *@verify
      * receives OR-ed gnutls_ocsp_verify_reason_t bits (zero = no failure
      * reason).  NOTE(review): the int return presumably reports API/parse
      * errors while *@verify carries the verification outcome, so both
      * have to be checked — confirm against the implementation. */
0241 int gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_const_t resp,
0242                    gnutls_x509_crt_t issuer,
0243                    unsigned int *verify, unsigned int flags);
0244 int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_const_t resp,
0245                 gnutls_x509_trust_list_t trustlist,
0246                 unsigned int *verify, unsigned int flags);
0247 
     /* Check that the single response at @indx in @resp is about @crt
      * (presumably by matching the issuer hashes and serial number
      * exposed by gnutls_ocsp_resp_get_single() — confirm).  A response
      * that verifies says nothing about @crt unless this check passes. */
0248 int gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_const_t resp, unsigned int indx,
0249                    gnutls_x509_crt_t crt);
0250 
0251 int gnutls_ocsp_resp_list_import2(gnutls_ocsp_resp_t **ocsps,
0252                   unsigned int *size,
0253                   const gnutls_datum_t *resp_data,
0254                   gnutls_x509_crt_fmt_t format,
0255                   unsigned int flags);
0256 
0257 #ifdef __cplusplus
0258 }
0259 #endif
0260 
0261 #endif /* GNUTLS_OCSP_H */