/*
 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#ifndef AWSLC_OCSP_H
#define AWSLC_OCSP_H

// NOTE(review): the header names that followed these four #include directives
// are missing from this copy of the file; restore them from the upstream
// header before compiling.
#include
#include
#include
#include

#if defined(__cplusplus)
extern "C" {
#endif

// Various OCSP flags and values

// The following constants are OCSP reason codes that identify the reason for
// the certificate revocation.
//
// CRLReason ::= ENUMERATED {
//        unspecified             (0),
//        keyCompromise           (1),
//        cACompromise            (2),
//        affiliationChanged      (3),
//        superseded              (4),
//        cessationOfOperation    (5),
//        certificateHold         (6),
//             -- value 7 is not used
//        removeFromCRL           (8),
//        privilegeWithdrawn      (9),
//        aACompromise           (10) }
//
// Reason Code RFC: https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1
//
// Note: OCSP_REVOKED_STATUS_NOSTATUS is defined by OpenSSL and is not defined
// within the RFC.
#define OCSP_REVOKED_STATUS_NOSTATUS -1
#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
#define OCSP_REVOKED_STATUS_SUPERSEDED 4
#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
#define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9
#define OCSP_REVOKED_STATUS_AACOMPROMISE 10

// OCSP_NOCERTS is for |OCSP_request_sign| and |OCSP_basic_sign|. Setting
// this excludes certificates from the request/response and ignores the
// |certs| parameter. Certificates are optional.
#define OCSP_NOCERTS 0x1

// OCSP_NOINTERN is for |OCSP_basic_verify| and |OCSP_request_verify|.
// Certificates included within |bs| or |req| will be included in the
// search for the signing certificate by default, unless |OCSP_NOINTERN| is set.
#define OCSP_NOINTERN 0x2

// OCSP_NOCHAIN is for |OCSP_basic_verify| and |OCSP_request_verify|.
// For |OCSP_basic_verify|, certificates in both |certs| and in |bs| are
// considered as certificates for the construction of the validation path for
// the signer certificate by default, unless |OCSP_NOCHAIN| is set.
// For |OCSP_request_verify|, certificates in |req| are considered as
// certificates for the construction of the validation path for the signer
// certificate by default, unless |OCSP_NOCHAIN| is set.
#define OCSP_NOCHAIN 0x8

// OCSP_NOVERIFY is for |OCSP_basic_verify| and |OCSP_request_verify|. When
// setting this flag, the signature on the OCSP response/request will still be
// verified, but additionally verification of the signer certificate will be
// skipped.
//
// With this flag a valid signature only shows that the message was signed by
// the certificate selected as the signer, not that this signer is trusted.
// Set it only when the signer certificate is authenticated by other means.
#define OCSP_NOVERIFY 0x10

// OCSP_NOEXPLICIT is for |OCSP_basic_verify|. We will check for explicit trust
// for OCSP signing in the root CA certificate, unless the flags contain
// |OCSP_NOEXPLICIT|.
#define OCSP_NOEXPLICIT 0x20

// OCSP_TRUSTOTHER is for |OCSP_basic_verify| and |OCSP_request_verify|. When
// set, all certificates within |certs| are implicitly trusted.
//
// Because no further validation is described for such certificates, |certs|
// should come from trusted local configuration and not from the message being
// verified.
#define OCSP_TRUSTOTHER 0x200

// OCSP_RESPID_KEY is for |OCSP_basic_sign|. By default, the OCSP responder is
// identified by name and included in the response. Setting this changes the
// default identifier to be the hash of the issuer's public key instead.
#define OCSP_RESPID_KEY 0x400

// OCSP_NOTIME is for |OCSP_basic_sign|. Setting this excludes the default
// behavior of setting the |producedAt| time field in |resp| against the current
// time and leaves it empty.
#define OCSP_NOTIME 0x800

typedef struct ocsp_cert_id_st OCSP_CERTID;
typedef struct ocsp_one_request_st OCSP_ONEREQ;
typedef struct ocsp_req_info_st OCSP_REQINFO;
typedef struct ocsp_signature_st OCSP_SIGNATURE;
typedef struct ocsp_request_st OCSP_REQUEST;
typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
typedef struct ocsp_single_response_st OCSP_SINGLERESP;
typedef struct ocsp_response_data_st OCSP_RESPDATA;
typedef struct ocsp_response_st OCSP_RESPONSE;
typedef struct ocsp_responder_id_st OCSP_RESPID;
typedef struct ocsp_basic_response_st OCSP_BASICRESP;

DEFINE_STACK_OF(OCSP_CERTID)
DEFINE_STACK_OF(OCSP_ONEREQ)
DEFINE_STACK_OF(OCSP_RESPID)
DEFINE_STACK_OF(OCSP_SINGLERESP)

DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)

// d2i_OCSP_REQUEST_bio parses a DER-encoded OCSP request from |bp|, converts it
// into an |OCSP_REQUEST|, and writes the result in |preq|.
OPENSSL_EXPORT OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST **preq);

// d2i_OCSP_RESPONSE_bio parses a DER-encoded OCSP response from |bp|, converts
// it into an |OCSP_RESPONSE|, and writes the result in |presp|.
OPENSSL_EXPORT OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *bp,
                                                    OCSP_RESPONSE **presp);

// i2d_OCSP_RESPONSE_bio marshals |presp| as a DER-encoded OCSP response and
// writes the result to |bp|.
OPENSSL_EXPORT int i2d_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE *presp);

// i2d_OCSP_REQUEST_bio marshals |preq| as a DER-encoded OCSP request and
// writes the result to |bp|.
OPENSSL_EXPORT int i2d_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST *preq);

// OCSP_CERTID_dup allocates a new |OCSP_CERTID| and sets it equal to the state
// of |id|. It returns the new |OCSP_CERTID| or NULL on error.
OPENSSL_EXPORT OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);

// OCSP_sendreq_bio is a blocking OCSP request handler which is a special case
// of non-blocking I/O.
// |OCSP_sendreq_bio| combines |OCSP_sendreq_new| with as many calls of
// |OCSP_sendreq_nbio| as needed and then |OCSP_REQ_CTX_free|, with a response
// header maximum line length of 4k. It waits indefinitely on a response, if
// |BIO_should_retry| is true and the |BIO| persists.
//
// WARNING: This is retained only for compatibility. This does not support
// setting a timeout or adding your own HTTP headers.
// Use |OCSP_sendreq_nbio| and handle the timeout according to the |BIO| type.
// You can also use |OCSP_REQ_CTX_add1_header| to add your own HTTP headers.
OPENSSL_EXPORT OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path,
                                               OCSP_REQUEST *req);

// OCSP_sendreq_new returns an |OCSP_REQ_CTX| structure using the responder io,
// the URL path, the |OCSP_REQUEST| req to be sent, and with a response header
// maximum line length of maxline. If maxline is zero or less, a default value
// of 4k is used. The |OCSP_REQUEST| req may be set to NULL and provided later
// if required.
OPENSSL_EXPORT OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
                                              OCSP_REQUEST *req, int maxline);

// OCSP_sendreq_nbio attempts to send the request prepared in |rctx| and to
// gather the response via HTTP, using the |BIO| io and path that were given
// when calling |OCSP_sendreq_new|.
//
// NOTE(review): the return convention is not stated here. OpenSSL documents 1
// for completion, 0 for an error and -1 for "retry later"; confirm that this
// implementation matches before relying on it.
OPENSSL_EXPORT int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);

// OCSP_REQ_CTX_new creates a new |OCSP_REQ_CTX|. |OCSP_REQ_CTX| is used to
// contain the information to send the OCSP request and gather the response
// over HTTP.
OPENSSL_EXPORT OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline);

// OCSP_REQ_CTX_free frees the memory allocated by |OCSP_REQ_CTX|.
OPENSSL_EXPORT void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);

// OCSP_set_max_response_length sets the maximum response length for an OCSP
// request over HTTP to |len|. If a custom max response length is needed, this
// should be set before |OCSP_REQ_CTX| is sent out to retrieve the OCSP
// response.
OPENSSL_EXPORT void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx,
                                                 unsigned long len);

// OCSP_REQ_CTX_http adds the HTTP request line to the context.
OPENSSL_EXPORT int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op,
                                     const char *path);

// OCSP_REQ_CTX_set1_req finalizes the HTTP request context. It is needed if
// an ASN.1-encoded request should be sent.
OPENSSL_EXPORT int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);

// OCSP_REQ_CTX_add1_header adds header name with value |value| to the
// context |rctx|. It can be called more than once to add multiple header
// lines.
OPENSSL_EXPORT int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
                                            const char *name,
                                            const char *value);

// OCSP_REQ_CTX_i2d parses the ASN.1 contents of |rctx| into the der format.
//
// NOTE(review): the parameters suggest that this encodes |val|, described by
// |it|, as DER into |rctx| rather than parsing |rctx|; confirm against the
// implementation. Unlike its neighbours, this declaration also carries no
// |OPENSSL_EXPORT|; confirm whether it is meant to be internal.
int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val);

// OCSP_request_add0_id adds |cid| to |req|. Returns the new |OCSP_ONEREQ|
// pointer allocated on the stack within |req|. This is useful if we want to
// add extensions.
// WARNING: This allocates a new |OCSP_ONEREQ| and assigns the pointer to |cid|
// to it. It then adds the newly allocated |OCSP_ONEREQ| to the stack within
// |req|. |req| now takes ownership of |cid|, and also maintains ownership of
// the pointer to |OCSP_ONEREQ|. The caller must therefore free neither |cid|
// nor the returned |OCSP_ONEREQ| after a successful call.
OPENSSL_EXPORT OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req,
                                                 OCSP_CERTID *cid);

// OCSP_onereq_get0_id returns the certificate identifier
// associated with an OCSP request
OPENSSL_EXPORT OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);

// OCSP_request_add1_nonce adds a nonce of value |val| and length |len| to
// |req|. If |val| is NULL, a random nonce is generated and used. If |len| is
// zero or negative, a default length of 16 bytes will be used.
// If |val| is non-NULL, |len| must equal the length of |val|. This is different
// from OpenSSL, which allows a default length for |len| to be used. Mis-usage
// of the default length could result in a read overflow, so we disallow it.
OPENSSL_EXPORT int OCSP_request_add1_nonce(OCSP_REQUEST *req,
                                           unsigned char *val, int len);

// OCSP_basic_add1_nonce is identical to |OCSP_request_add1_nonce|, but adds the
// nonce to |resp| instead (the response).
OPENSSL_EXPORT int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp,
                                         unsigned char *val, int len);

// OCSP_check_nonce checks nonce existence and equality in |req| and |bs|. If
// there is parsing issue with |req| or |bs|, it will be determined that a
// nonce does not exist within |req| or |bs|.
//
// Return value reflects result:
//    OCSP_NONCE_EQUAL           (1: nonces present and equal.)
//    OCSP_NONCE_BOTH_ABSENT     (2: nonces both absent.)
//    OCSP_NONCE_RESPONSE_ONLY   (3: nonce present in |bs| only.)
//    OCSP_NONCE_NOT_EQUAL       (0: parameters are NULL or nonces are both
//                                present but not equal.)
//    OCSP_NONCE_REQUEST_ONLY    (-1: nonce in |req| only.)
//
// For most responders, clients can check "return > 0".
// If an OCSP responder doesn't handle nonces, "return != 0" may be necessary.
// "return == 0" will always be an error. The error can mean that NULL
// parameter was passed into the function, or that the nonces are both present,
// but aren't equal.
//
// Only |OCSP_NONCE_EQUAL| ties the response to this particular request. A
// caller that accepts any other result relies on the |thisUpdate| and
// |nextUpdate| checks of |OCSP_check_validity| alone to reject a replayed
// response.
OPENSSL_EXPORT int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);

// OCSP_copy_nonce copies the nonce value (if any) from |req| to |resp|. Returns
// 1 on success and 0 on failure. If the optional nonce value does not exist in
// |req|, we return 2 instead.
//
// Note: |OCSP_copy_nonce| allows for multiple OCSP nonces to exist and appends
// the new nonce to the end of the extension list. This causes issues with
// |OCSP_check_nonce|, since it looks for the first one in the list. The old
// nonce extension should be deleted prior to calling |OCSP_copy_nonce|.
OPENSSL_EXPORT int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);

// OCSP_request_set1_name sets |requestorName| from an |X509_NAME| structure.
OPENSSL_EXPORT int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);

// OCSP_request_add1_cert adds a certificate to an |OCSP_REQUEST|.
OPENSSL_EXPORT int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);

// OCSP_request_is_signed checks if the optional signature exists for |req|.
OPENSSL_EXPORT int OCSP_request_is_signed(OCSP_REQUEST *req);

// OCSP_request_onereq_count returns the number of |OCSP_ONEREQ|s in |req|.
OPENSSL_EXPORT int OCSP_request_onereq_count(OCSP_REQUEST *req);

// OCSP_request_onereq_get0 returns the |OCSP_ONEREQ| in |req| at index |i| or
// NULL if |i| is out of bounds.
OPENSSL_EXPORT OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);

// OCSP_request_sign signs the OCSP request |req| using |key| and |dgst|. |key|
// MUST be the private key of |signer|. One or more optional certificates can be
// added to |req| with |certs|. This function will fail if a signature in |req|
// already exists.
//
// Note: 1. The OCSP requester is identified by the subject name from |signer|
//          and included in |req|.
//       2. All certificates in |certs| are added to |req| by default. Setting
//          |OCSP_NOCERTS| excludes certificates from being added in |req| and
//          ignores the |certs| parameter.
OPENSSL_EXPORT int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer,
                                     EVP_PKEY *key, const EVP_MD *dgst,
                                     STACK_OF(X509) *certs,
                                     unsigned long flags);

// OCSP_response_status returns response status from |OCSP_RESPONSE|.
OPENSSL_EXPORT int OCSP_response_status(OCSP_RESPONSE *resp);

// OCSP_response_get1_basic returns |OCSP_BASICRESP| from |OCSP_RESPONSE|.
//
// NOTE(review): the |get1| name suggests that the caller owns the returned
// |OCSP_BASICRESP| and must free it; confirm against the implementation.
OPENSSL_EXPORT OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);

// OCSP_resp_count returns the number of |OCSP_SINGLERESP| responses present
// in |bs|.
OPENSSL_EXPORT int OCSP_resp_count(OCSP_BASICRESP *bs);

// OCSP_resp_get0 returns the |OCSP_SINGLERESP| at the |idx| within |bs|.
OPENSSL_EXPORT OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, size_t idx);

// OCSP_single_get0_status returns the status of |single|.
//
// Note: 1. |reason| value is allowed to be null.
//       2. Time values passed into function are allowed to be NULL if
//          certificate fields are empty.
//       3. |revtime| and |reason| values only set if the certificate status is
//          revoked.
OPENSSL_EXPORT int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                                           ASN1_GENERALIZEDTIME **revtime,
                                           ASN1_GENERALIZEDTIME **thisupd,
                                           ASN1_GENERALIZEDTIME **nextupd);

// OCSP_resp_find returns the index of the |OCSP_SINGLERESP| in |bs| which
// matches |id| if found, or -1 if not found.
//
// NOTE(review): |last| is not described here. In OpenSSL the search starts
// after index |last|, and a negative value searches from the beginning;
// confirm that this implementation matches.
OPENSSL_EXPORT int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id,
                                  int last);

// OCSP_resp_find_status looks up a cert id and extracts the update time and
// revocation status of the certificate sent back from the OCSP responder if
// found. Returns 1 on success.
//
// Note: 1. Revocation status code is passed into |*status| parameter. Status
//          code will not be passed if |status| is NULL.
OPENSSL_EXPORT int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id,
                                         int *status, int *reason,
                                         ASN1_GENERALIZEDTIME **revtime,
                                         ASN1_GENERALIZEDTIME **thisupd,
                                         ASN1_GENERALIZEDTIME **nextupd);

// OCSP_check_validity checks the validity of |thisUpdate| and |nextUpdate|
// fields from an |OCSP_SINGLERESP|.
//
// Note: 1. It is possible that the request will take a few seconds to process
//          and/or the local system time isn't exactly the same as the OCSP
//          responder's time. Therefore, to avoid rejecting otherwise valid time
//          we allow the times to be within |drift_num_seconds| of the current
//          time.
//       2. Also, to avoid accepting very old responses without a
//          |nextUpdate| field, an optional |max_age_seconds| parameter
//          specifies the maximum age the |thisUpdate| field can be.
//          |max_age_seconds| should be the number of seconds relative to
//          |thisUpdate|. You can also set |max_age_seconds| to "-1", if the
//          maximum age should not be checked.
//       3. |thisUpdate| should be within the range of: (current time -
//          max_age_seconds) < |thisUpdate| < (current time +
//          drift_num_seconds).
//          |nextUpdate| should be in the future: (current time +
//          drift_num_seconds) < |nextUpdate|.
//       4. |thisUpdate| and |nextUpdate| are defined in the RFC:
//          https://datatracker.ietf.org/doc/html/rfc6960#section-2.4
//
// NOTE(review): Note 1 describes |drift_num_seconds| as a tolerance, which
// would make the |nextUpdate| bound (current time - drift_num_seconds) <
// |nextUpdate|; the inequality in Note 3 is stricter than that. Confirm which
// one the implementation applies.
//
// With |max_age_seconds| set to -1 and no |nextUpdate| in the response, nothing
// bounds how old an accepted response can be.
OPENSSL_EXPORT int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisUpdate,
                                       ASN1_GENERALIZEDTIME *nextUpdate,
                                       long drift_num_seconds,
                                       long max_age_seconds);

// OCSP_basic_verify verifies a basic response message. It checks that |bs| is
// correctly signed and that the signer certificate can be validated.
// Returns 1 if the response is valid, 0 if the signature cannot be verified,
// or -1 on fatal errors such as malloc failure.
//
// Because -1 is non-zero, callers must compare the result against 1 (or treat
// every value <= 0 as a failure); a plain truth test would accept a fatal
// error as a valid response.
//
// Note: 1. Checks that OCSP response CAN be verified, but does not imply
//          anything about the corresponding certificate's revocation status.
//       2. |OCSP_resp_find_status| should be used to check if the OCSP
//          response's cert status is |V_OCSP_CERTSTATUS_GOOD|.
//          |OCSP_check_validity| should also be used to validate that the OCSP
//          response's timestamps are correct.
OPENSSL_EXPORT int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                     X509_STORE *st, unsigned long flags);

// OCSP_request_verify verifies the OCSP request message, |req|, with |st|.
// OCSP request signatures are optional according to RFC6960, but one can check
// that |req| is correctly signed and that the signer certificate can be
// validated if a signature exists. This returns 1 if |req| is valid or returns
// 0 if |req|'s signature is non-existent or cannot be verified.
OPENSSL_EXPORT int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
                                       X509_STORE *st, unsigned long flags);

// OCSP_cert_id_new creates and returns a new |OCSP_CERTID| using |dgst|,
// |issuerName|, |issuerKey|, and |serialNumber| as its contents.
OPENSSL_EXPORT OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
                                             const X509_NAME *issuerName,
                                             const ASN1_BIT_STRING *issuerKey,
                                             const ASN1_INTEGER *serialNumber);

// OCSP_cert_to_id returns a |OCSP_CERTID| converted from a certificate and its
// issuer.
//
// Note: 1. If |subject| is NULL, we get the subject name from the issuer and
//          set the serial number to NULL.
//       2. OpenSSL's legacy OCSP code decided to make SHA-1 as default hash
//          algorithm when the |dgst| is set as NULL. We keep this to maintain
//          backwards compatibility, but strongly advise to set a digest when
//          using this function. Even though this is not used cryptographically,
//          there is the possibility of a response being returned with a forced
//          issuer name when using SHA-1 (assuming a preimage attack, which is
//          beyond the scope of how SHA-1 is currently vulnerable).
OPENSSL_EXPORT OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst,
                                            const X509 *subject,
                                            const X509 *issuer);

// OCSP_parse_url parses an OCSP responder URL and returns its component parts.
// |url| argument must be a null-terminated string containing the URL to be
// parsed. The other arguments are pointers to variables that will be set to the
// parsed components of the URL. When |OCSP_parse_url| returns 1, the string
// outputs point to newly allocated copies of the values. It is the caller's
// responsibility to free these.
//
// |phost|: A pointer to a char pointer that will be set to the host component
//          of the URL. If the URL does not contain a host component, this will
//          be set to an empty string.
// |pport|: A pointer to a char pointer that will be set to the port specified
//          in the URL, or to the default port (80 for HTTP, 443 for HTTPS)
//          if no port is specified. The parameter is a |char **|, so the port
//          is returned as a string rather than as an int.
// |ppath|: A pointer to a char pointer that will be set to the path component
//          of the URL. If the URL does not contain a path component, this
//          will be set to "/".
// |pssl|:  A pointer to an int that will be set to 1 if the URL specifies the
//          HTTPS protocol, or 0 if HTTP.
//
// Note: |OCSP_parse_url| does not perform any validation of the URL or its
//       components beyond basic parsing. It is the responsibility of the
//       caller to ensure that the URL is well-formed and valid. When |url| is
//       taken from untrusted input, the caller should also restrict which
//       hosts and ports it is willing to connect to.
OPENSSL_EXPORT int OCSP_parse_url(const char *url, char **phost, char **pport,
                                  char **ppath, int *pssl);

// OCSP_id_issuer_cmp compares the issuers' name and key hash of |a| and |b|. It
// returns 0 on equal.
OPENSSL_EXPORT int OCSP_id_issuer_cmp(const OCSP_CERTID *a,
                                      const OCSP_CERTID *b);

// OCSP_id_cmp calls |OCSP_id_issuer_cmp| and additionally compares the
// |serialNumber| of |a| and |b|. It returns 0 on equal.
OPENSSL_EXPORT int OCSP_id_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);

// OCSP_id_get0_info returns the issuer name hash, hash OID, issuer key hash,
// and the serial number contained in |cid|. If any of the values are not
// required, the corresponding parameter can be set to NULL.
OPENSSL_EXPORT int OCSP_id_get0_info(ASN1_OCTET_STRING **nameHash,
                                     ASN1_OBJECT **algor,
                                     ASN1_OCTET_STRING **keyHash,
                                     ASN1_INTEGER **serial, OCSP_CERTID *cid);

// OCSP_basic_add1_cert adds |cert| to the |resp|.
OPENSSL_EXPORT int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);

// OCSP_basic_add1_status creates and returns an |OCSP_SINGLERESP| with |cid|,
// |status|, |this_update| and |next_update|. The newly created
// |OCSP_SINGLERESP| is pushed onto the internal |OCSP_SINGLERESP| stack in
// |resp|. |status| should be a value defined by |V_OCSP_CERTSTATUS_*|.
//
// 1. If |status| has the value |V_OCSP_CERTSTATUS_REVOKED|, |revoked_reason|
// should be a valid |OCSP_REVOKED_STATUS_*| value and |revoked_time| cannot be
// empty.
// 2. If |status| has the value of either |V_OCSP_CERTSTATUS_GOOD| or
// |V_OCSP_CERTSTATUS_UNKNOWN|, |revoked_reason| and |revoked_time| are ignored.
OPENSSL_EXPORT OCSP_SINGLERESP *OCSP_basic_add1_status(
    OCSP_BASICRESP *resp, OCSP_CERTID *cid, int status, int revoked_reason,
    ASN1_TIME *revoked_time, ASN1_TIME *this_update, ASN1_TIME *next_update);

// OCSP_basic_sign signs the OCSP response |resp| using |key| and |dgst|. |key|
// MUST be the private key of |signer|. One or more optional certificates can be
// added to |resp| with |certs|.
//
// Note: 1. By default, the OCSP responder is identified by the subject name
//          from |signer| and included in |resp|. Users can set
//          |OCSP_RESPID_KEY| with |flags|, if they wish for the responder to
//          be identified by the hash of |signer|'s public key instead.
//       2. All certificates in |certs| are added to |resp| by default. Setting
//          |OCSP_NOCERTS| excludes certificates from being added in |resp| and
//          ignores the |certs| parameter.
//       3. The |producedAt| time field is set to the current time by default.
//          Setting |OCSP_NOTIME| excludes setting the |producedAt| time field
//          in |resp| and leaves it empty.
OPENSSL_EXPORT int OCSP_basic_sign(OCSP_BASICRESP *resp, X509 *signer,
                                   EVP_PKEY *key, const EVP_MD *dgst,
                                   STACK_OF(X509) *certs, unsigned long flags);

// OCSP_response_create creates an |OCSP_RESPONSE| and encodes an optional |bs|
// within it.
OPENSSL_EXPORT OCSP_RESPONSE *OCSP_response_create(int status,
                                                   OCSP_BASICRESP *bs);

// OCSP_SINGLERESP_get0_id returns the |OCSP_CERTID| within |x|.
OPENSSL_EXPORT const OCSP_CERTID *OCSP_SINGLERESP_get0_id(
    const OCSP_SINGLERESP *x);

// OCSP_response_status_str returns the OCSP response status of |status_code| as
// a string.
OPENSSL_EXPORT const char *OCSP_response_status_str(long status_code);

// OCSP_cert_status_str returns the OCSP cert status of |status_code| as
// a string.
OPENSSL_EXPORT const char *OCSP_cert_status_str(long status_code);

// OCSP_crl_reason_str returns the OCSP CRL reason of |status_code| as a string.
// |OCSP_resp_find_status| can be used to retrieve the reason status code
// if the certificate status in an OCSP response is revoked.
OPENSSL_EXPORT const char *OCSP_crl_reason_str(long status_code);

// OCSP_REQUEST_print prints the contents of an OCSP request to |bp|. |flags| is
// used to configure printing of the |req|'s extensions (See
// |X509V3_extensions_print| for more information).
// This is typically used for debugging or diagnostic purposes.
OPENSSL_EXPORT int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *req,
                                      unsigned long flags);

// OCSP_RESPONSE_print prints the contents of an OCSP response to |bp|. |flags|
// is used to configure printing of the |resp|'s extensions (See
// |X509V3_extensions_print| for more information).
// This is typically used for debugging or diagnostic purposes.
OPENSSL_EXPORT int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *resp,
                                       unsigned long flags);

// OCSP_BASICRESP_get_ext_by_NID returns the index of an extension in |bs| by
// its NID. Returns -1 if not found.
OPENSSL_EXPORT int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *bs, int nid,
                                                 int lastpos);

// OCSP_BASICRESP_get_ext returns the |X509_EXTENSION| in |bs| at index |loc|,
// or NULL if |loc| is out of bounds.
OPENSSL_EXPORT X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *bs,
                                                      int loc);

// OCSP |X509_EXTENSION| Functions

// OCSP_BASICRESP_delete_ext removes the extension in |x| at index |loc| and
// returns the removed extension, or NULL if |loc| was out of bounds. If an
// extension was returned, the caller must release it with
// |X509_EXTENSION_free|.
OPENSSL_EXPORT X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x,
                                                         int loc);

// OCSP_SINGLERESP_add_ext adds a copy of |ex| to the extension list in
// |*sresp|. It returns 1 on success and 0 on error. The new extension is
// inserted at index |loc|, shifting extensions to the right. If |loc| is -1 or
// out of bounds, the new extension is appended to the list.
OPENSSL_EXPORT int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *sresp,
                                           X509_EXTENSION *ex, int loc);

// OCSP_SINGLERESP_get_ext_count returns the number of |X509_EXTENSION|s in
// |sresp|.
OPENSSL_EXPORT int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *sresp);

// OCSP_SINGLERESP_get_ext returns the |X509_EXTENSION| in |sresp|
// at index |loc|, or NULL if |loc| is out of bounds.
OPENSSL_EXPORT X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *sresp,
                                                       int loc);

// OCSP no-op flags [Deprecated].
//
// Each of these is defined as 0, so OR-ing one into |flags| changes nothing:
// the checks that the OpenSSL flags of the same name disable stay enabled here.

// OCSP_NOSIGS does nothing. In OpenSSL, this skips signature verification in
// |OCSP_basic_verify| and |OCSP_request_verify|.
#define OCSP_NOSIGS 0

// OCSP_NOCASIGN does nothing. It's a legacy OCSP flag deprecated since OpenSSL
// 1.0.1g.
#define OCSP_NOCASIGN 0

// OCSP_NODELEGATED does nothing. It's a legacy OCSP flag deprecated since
// OpenSSL 1.0.1g.
#define OCSP_NODELEGATED 0

// OCSP_NOCHECKS does nothing. In OpenSSL, this disables verifying that the
// signer certificate has met the OCSP issuer criteria or any potential
// delegation in |OCSP_basic_verify|.
#define OCSP_NOCHECKS 0

#if defined(__cplusplus)
}  // extern C
#endif

#if !defined(BORINGSSL_NO_CXX)
extern "C++" {

BSSL_NAMESPACE_BEGIN

BORINGSSL_MAKE_DELETER(OCSP_REQUEST, OCSP_REQUEST_free)
BORINGSSL_MAKE_DELETER(OCSP_REQ_CTX, OCSP_REQ_CTX_free)
BORINGSSL_MAKE_DELETER(OCSP_RESPONSE, OCSP_RESPONSE_free)
BORINGSSL_MAKE_DELETER(OCSP_BASICRESP, OCSP_BASICRESP_free)
BORINGSSL_MAKE_DELETER(OCSP_CERTID, OCSP_CERTID_free)
BORINGSSL_MAKE_DELETER(OCSP_SINGLERESP, OCSP_SINGLERESP_free)

BSSL_NAMESPACE_END

}  // extern C++
#endif  // !BORINGSSL_NO_CXX

// OCSP response status values (OCSPResponseStatus in RFC 6960); value 4 is
// not used.
#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
#define OCSP_RESPONSE_STATUS_TRYLATER 3
#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6

// Responder identifier kinds: by name or by key hash (see |OCSP_RESPID_KEY|).
#define V_OCSP_RESPID_NAME 0
#define V_OCSP_RESPID_KEY 1

// Certificate status values, as passed to |OCSP_basic_add1_status| and
// reported by |OCSP_resp_find_status|.
#define V_OCSP_CERTSTATUS_GOOD 0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

// Return values of |OCSP_check_nonce|.
#define OCSP_NONCE_EQUAL 1
#define OCSP_NONCE_BOTH_ABSENT 2
#define OCSP_NONCE_RESPONSE_ONLY 3
#define OCSP_NONCE_NOT_EQUAL 0
#define OCSP_NONCE_REQUEST_ONLY -1

// OCSP error reason codes (presumably the reasons pushed onto the library
// error queue by the functions above; confirm against the implementation).
#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
#define OCSP_R_DIGEST_ERR 102
#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
#define OCSP_R_NOT_BASIC_RESPONSE 104
#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
#define OCSP_R_NO_RESPONSE_DATA 108
#define OCSP_R_NO_REVOKED_TIME 109
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
#define OCSP_R_SIGNATURE_FAILURE 117
#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
#define OCSP_R_UNKNOWN_NID 120
#define OCSP_R_ERROR_PARSING_URL 121
#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
#define OCSP_R_STATUS_EXPIRED 125
#define OCSP_R_STATUS_NOT_YET_VALID 126
#define OCSP_R_STATUS_TOO_OLD 127
#define OCSP_R_REQUEST_NOT_SIGNED 128
#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
#define OCSP_R_NO_SIGNER_KEY 130
#define OCSP_R_OCSP_REQUEST_DUPLICATE_SIGNATURE 131
#define OCSP_R_UNKNOWN_FIELD_VALUE 132

#endif  // AWSLC_OCSP_H