gnunet-android

GNUnet for Android
Log | Files | Refs | README

ocsp.h (4740B)

      1 // Copyright 2016 The Chromium Authors
      2 //
      3 // Licensed under the Apache License, Version 2.0 (the "License");
      4 // you may not use this file except in compliance with the License.
      5 // You may obtain a copy of the License at
      6 //
      7 //     https://www.apache.org/licenses/LICENSE-2.0
      8 //
      9 // Unless required by applicable law or agreed to in writing, software
     10 // distributed under the License is distributed on an "AS IS" BASIS,
     11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     12 // See the License for the specific language governing permissions and
     13 // limitations under the License.
     14 
     15 #if !defined(OPENSSL_HEADER_BSSL_PKI_OCSP_H_)  && defined(__cplusplus)
     16 #define OPENSSL_HEADER_BSSL_PKI_OCSP_H_
     17 
     18 #include <openssl/base.h>   // IWYU pragma: export
     19 #include <string_view>
     20 #include <optional>
     21 
     22 BSSL_NAMESPACE_BEGIN
     23 
     24 // The revocation status indicated by an OCSP verification.  This value is
     25 // histogrammed in Chrome, so do not re-order or change values, and add new
     26 // values at the end.
     27 enum class OCSPRevocationStatus {
     28   GOOD = 0,
     29   REVOKED = 1,
     30   UNKNOWN = 2,
     31   MAX_VALUE = UNKNOWN
     32 };
     33 
     34 // The result of OCSP verification. This always contains a ResponseStatus, which
     35 // describes whether or not an OCSP response was provided, and response level
     36 // errors. It optionally contains an OCSPRevocationStatus when |response_status
     37 // = PROVIDED|. For example, a stapled OCSP response matching the certificate,
     38 // and indicating a non-revoked status, will have |response_status = PROVIDED|
     39 // and |revocation_status = GOOD|.
     40 struct OPENSSL_EXPORT OCSPVerifyResult {
     41   bool operator==(const OCSPVerifyResult &other) const {
     42     if (response_status != other.response_status) {
     43       return false;
     44     }
     45 
     46     if (response_status == PROVIDED) {
     47       // |revocation_status| is only defined when |response_status| is PROVIDED.
     48       return revocation_status == other.revocation_status;
     49     }
     50     return true;
     51   }
     52 
     53   // This value is histogrammed in Chrome, so do not re-order or change values,
     54   // and add new values at the end.
     55   enum ResponseStatus {
     56     // OCSP verification was not checked on this connection.
     57     NOT_CHECKED = 0,
     58 
     59     // No OCSPResponse was stapled.
     60     MISSING = 1,
     61 
     62     // An up-to-date OCSP response was stapled and matched the certificate.
     63     PROVIDED = 2,
     64 
     65     // The stapled OCSP response did not have a SUCCESSFUL status.
     66     ERROR_RESPONSE = 3,
     67 
     68     // The OCSPResponseData field producedAt was outside the certificate
     69     // validity period.
     70     BAD_PRODUCED_AT = 4,
     71 
     72     // At least one OCSPSingleResponse was stapled, but none matched the
     73     // certificate.
     74     NO_MATCHING_RESPONSE = 5,
     75 
     76     // A matching OCSPSingleResponse was stapled, but was either expired or not
     77     // yet valid.
     78     INVALID_DATE = 6,
     79 
     80     // The OCSPResponse structure could not be parsed.
     81     PARSE_RESPONSE_ERROR = 7,
     82 
     83     // The OCSPResponseData structure could not be parsed.
     84     PARSE_RESPONSE_DATA_ERROR = 8,
     85 
     86     // Unhandled critical extension in either OCSPResponseData or
     87     // OCSPSingleResponse
     88     UNHANDLED_CRITICAL_EXTENSION = 9,
     89     RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION
     90   };
     91 
     92   ResponseStatus response_status = NOT_CHECKED;
     93 
     94   // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
     95   // GOOD). Only valid if |response_status| = PROVIDED.
     96   OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
     97 };
     98 
     99 // Checks the revocation status of the certificate |certificate_der| by using
    100 // the DER-encoded |raw_response|.
    101 //
    102 // Returns GOOD if the OCSP response indicates the certificate is not revoked,
    103 // REVOKED if it indicates it is revoked, or UNKNOWN for all other cases.
    104 //
    105 //  * |raw_response|: A DER encoded OCSPResponse.
    106 //  * |certificate_der|: The certificate being checked for revocation.
    107 //  * |issuer_certificate_der|: The certificate that signed |certificate_der|.
    108 //        The caller must have already performed path verification.
    109 //  * |verify_time_epoch_seconds|: The time as the difference in seconds from
    110 //        the POSIX epoch to use when checking revocation status.
    111 //  * |max_age_seconds|: The maximum age in seconds for a CRL, implemented as
    112 //        time since the |thisUpdate| field in the CRL TBSCertList. Responses
    113 //        older than |max_age_seconds| will be considered invalid.
    114 //  * |response_details|: Additional details about failures.
    115 [[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus CheckOCSP(
    116     std::string_view raw_response, std::string_view certificate_der,
    117     std::string_view issuer_certificate_der, int64_t verify_time_epoch_seconds,
    118     std::optional<int64_t> max_age_seconds,
    119     OCSPVerifyResult::ResponseStatus *response_details);
    120 
    121 BSSL_NAMESPACE_END
    122 
    123 #endif  // OPENSSL_HEADER_BSSL_PKI_OCSP_H_ && __cplusplus