1 /*
2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3  *
4  * Author: Simon Josefsson
5  *
6  * This file is part of GnuTLS.
7  *
8  * The GnuTLS is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <https://www.gnu.org/licenses/>
20  *
21  */
22 
23 /* Online Certificate Status Protocol - RFC 2560
24  */
25 
26 #ifndef GNUTLS_OCSP_H
27 #define GNUTLS_OCSP_H
28 
29 #include <gnutls/gnutls.h>
30 #include <gnutls/x509.h>
31 
32 /* *INDENT-OFF* */
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 /* *INDENT-ON* */
37 
/* Dotted-decimal OID of the OCSP nonce extension (id-pkix-ocsp-nonce).
 * The nonce is what ties a response to the request it answers, which is
 * the basis for rejecting replayed responses; see the *_nonce functions
 * declared below. */
#define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
39 
40 /**
41  * gnutls_ocsp_print_formats_t:
42  * @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
43  * @GNUTLS_OCSP_PRINT_COMPACT: More compact information about OCSP request/response.
44  *
45  * Enumeration of different OCSP printing variants.
46  */
47 typedef enum gnutls_ocsp_print_formats_t {
48 	GNUTLS_OCSP_PRINT_FULL = 0,
49 	GNUTLS_OCSP_PRINT_COMPACT = 1
50 } gnutls_ocsp_print_formats_t;
51 
52 /**
53  * gnutls_ocsp_resp_status_t:
54  * @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
55  * @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
56  * @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
57  * @GNUTLS_OCSP_RESP_TRYLATER: Try again later
58  * @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
59  * @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
60  *
61  * Enumeration of different OCSP response status codes.
62  */
63 typedef enum gnutls_ocsp_resp_status_t {
64 	GNUTLS_OCSP_RESP_SUCCESSFUL = 0,
65 	GNUTLS_OCSP_RESP_MALFORMEDREQUEST = 1,
66 	GNUTLS_OCSP_RESP_INTERNALERROR = 2,
67 	GNUTLS_OCSP_RESP_TRYLATER = 3,
68 	GNUTLS_OCSP_RESP_SIGREQUIRED = 5,
69 	GNUTLS_OCSP_RESP_UNAUTHORIZED = 6
70 } gnutls_ocsp_resp_status_t;
71 
72 /**
73  * gnutls_ocsp_cert_status_t:
74  * @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
75  * @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
76  * @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
77  *   certificate.
78  *
79  * Enumeration of different OCSP response certificate status codes.
80  */
81 typedef enum gnutls_ocsp_cert_status_t {
82 	GNUTLS_OCSP_CERT_GOOD = 0,
83 	GNUTLS_OCSP_CERT_REVOKED = 1,
84 	GNUTLS_OCSP_CERT_UNKNOWN = 2
85 } gnutls_ocsp_cert_status_t;
86 
87 /**
88  * gnutls_x509_crl_reason_t:
89  * @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
90  * @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
91  * @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
92  * @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
93  * @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
94  * @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
95  * @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
96  * @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
97  * @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
98  * @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
99  *
100  * Enumeration of different reason codes.  Note that this
101  * corresponds to the CRLReason ASN.1 enumeration type, and not the
102  * ReasonFlags ASN.1 bit string.
103  */
104 typedef enum gnutls_x509_crl_reason_t {
105 	GNUTLS_X509_CRLREASON_UNSPECIFIED = 0,
106 	GNUTLS_X509_CRLREASON_KEYCOMPROMISE = 1,
107 	GNUTLS_X509_CRLREASON_CACOMPROMISE = 2,
108 	GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED = 3,
109 	GNUTLS_X509_CRLREASON_SUPERSEDED = 4,
110 	GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION = 5,
111 	GNUTLS_X509_CRLREASON_CERTIFICATEHOLD = 6,
112 	GNUTLS_X509_CRLREASON_REMOVEFROMCRL = 8,
113 	GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN = 9,
114 	GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
115 } gnutls_x509_crl_reason_t;
116 
/* When adding a verify failure reason update:
 * _gnutls_ocsp_verify_status_to_str()
 */
/**
 * gnutls_ocsp_verify_reason_t:
 * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
 * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
 * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
 * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure algorithm.
 * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
 * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
 * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
 *
 * Enumeration of OCSP verify status codes, used by
 * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
 * Every value is a distinct bit, which indicates that the verify output
 * of those functions is a bitmask able to carry several reasons at once
 * rather than a single code.  Any set bit means the response failed
 * verification and must not be relied on.  No "success" member is
 * defined; presumably a zero verify output denotes success — confirm
 * against the implementation.
 */
typedef enum gnutls_ocsp_verify_reason_t {
	GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND = 1,
	GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR = 2,
	GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER = 4,
	GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM = 8,
	GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE = 16,
	GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED = 32,
	GNUTLS_OCSP_VERIFY_CERT_EXPIRED = 64
} gnutls_ocsp_verify_reason_t;
142 
/* Opaque OCSP request object.  gnutls_ocsp_req_const_t is the read-only
 * handle taken by the accessors below that do not modify the request; a
 * gnutls_ocsp_req_t converts to it implicitly. */
struct gnutls_ocsp_req_int;
typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;
typedef const struct gnutls_ocsp_req_int *gnutls_ocsp_req_const_t;

/* Allocate an empty request into *req, and release one.  Pair every
 * successful gnutls_ocsp_req_init() with gnutls_ocsp_req_deinit().
 * The int-returning functions in this header are expected to follow the
 * GnuTLS convention of 0 on success and a negative GNUTLS_E_* code on
 * failure — confirm against the implementation. */
int gnutls_ocsp_req_init(gnutls_ocsp_req_t * req);
void gnutls_ocsp_req_deinit(gnutls_ocsp_req_t req);
149 
/* Parse a serialised request held in data into req.  No encoding
 * parameter is offered here (contrast gnutls_ocsp_resp_import2()), so
 * the accepted format is presumably DER only — confirm.  The input is
 * untrusted (requests normally arrive over the network), so the return
 * value must be checked before req is used further. */
int gnutls_ocsp_req_import(gnutls_ocsp_req_t req,
			   const gnutls_datum_t * data);
/* Serialise req into *data.  Who allocates and frees data->data is not
 * visible in this header; presumably the library allocates it and the
 * caller releases it with gnutls_free() — confirm. */
int gnutls_ocsp_req_export(gnutls_ocsp_req_const_t req, gnutls_datum_t * data);
/* Render req as human-readable text into *out, at the level of detail
 * selected by format.  For logging and debugging, not for parsing. */
int gnutls_ocsp_req_print(gnutls_ocsp_req_const_t req,
			  gnutls_ocsp_print_formats_t format,
			  gnutls_datum_t * out);

/* Return the version field of the request (presumably a negative error
 * code on failure — confirm). */
int gnutls_ocsp_req_get_version(gnutls_ocsp_req_const_t req);
158 
/* Read the indx-th CertID of the request: the digest algorithm used and
 * the hashed issuer name, hashed issuer key and serial number that
 * together identify the certificate being asked about.  indx is
 * presumably zero-based, with the call failing once it runs past the
 * last CertID — that is how a caller would enumerate them; confirm. */
int gnutls_ocsp_req_get_cert_id(gnutls_ocsp_req_const_t req,
				unsigned indx,
				gnutls_digest_algorithm_t * digest,
				gnutls_datum_t * issuer_name_hash,
				gnutls_datum_t * issuer_key_hash,
				gnutls_datum_t * serial_number);
/* Append a CertID assembled from already-hashed components.  The three
 * datum arguments are read-only inputs. */
int gnutls_ocsp_req_add_cert_id(gnutls_ocsp_req_t req,
				gnutls_digest_algorithm_t digest,
				const gnutls_datum_t *
				issuer_name_hash,
				const gnutls_datum_t *
				issuer_key_hash,
				const gnutls_datum_t * serial_number);
/* Convenience form of gnutls_ocsp_req_add_cert_id(): derive the CertID
 * for cert from cert and its issuer certificate using digest, then append
 * it.  Pass the certificate that actually issued cert as issuer — the
 * CertID's issuer-name and issuer-key hashes come from it, so a mismatched
 * issuer produces a CertID that names a certificate that does not exist. */
int gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req,
			     gnutls_digest_algorithm_t digest,
			     gnutls_x509_crt_t issuer,
			     gnutls_x509_crt_t cert);
176 
/* Read the indx-th extension of the request: its OID in *oid, whether it
 * is flagged critical (*critical non-zero) and its raw value in *data.
 * The representation of *oid (dotted-decimal text vs. encoded) is not
 * stated here — presumably dotted-decimal, matching the const char *oid
 * taken by the setter; confirm. */
int gnutls_ocsp_req_get_extension(gnutls_ocsp_req_const_t req,
				  unsigned indx,
				  gnutls_datum_t * oid,
				  unsigned int *critical,
				  gnutls_datum_t * data);
/* Add an extension to the request.  oid is a dotted-decimal OID string
 * (the form GNUTLS_OCSP_NONCE has), critical marks the extension critical
 * when non-zero, and data is the extension's raw value, a read-only
 * input. */
int gnutls_ocsp_req_set_extension(gnutls_ocsp_req_t req,
				  const char *oid,
				  unsigned int critical,
				  const gnutls_datum_t * data);
186 
/* Nonce extension helpers (the nonce OID is GNUTLS_OCSP_NONCE).  A nonce
 * ties a response to the particular request it answers, which is what
 * lets a client reject a captured, replayed response.  Prefer
 * gnutls_ocsp_req_randomize_nonce(), which fills the nonce with fresh
 * random bytes, over supplying a predictable value through
 * gnutls_ocsp_req_set_nonce().  Nothing in this header compares the nonce
 * found in a response (gnutls_ocsp_resp_get_nonce()) with the one sent in
 * the request, so a caller relying on nonces for replay protection has to
 * do that comparison itself after verification — confirm against the
 * implementation whether any higher-level helper does it. */
int gnutls_ocsp_req_get_nonce(gnutls_ocsp_req_const_t req,
			      unsigned int *critical,
			      gnutls_datum_t * nonce);
int gnutls_ocsp_req_set_nonce(gnutls_ocsp_req_t req,
			      unsigned int critical,
			      const gnutls_datum_t * nonce);
int gnutls_ocsp_req_randomize_nonce(gnutls_ocsp_req_t req);
194 
/* Opaque OCSP response object.  gnutls_ocsp_resp_const_t is the read-only
 * handle taken by every function below other than the import functions;
 * a gnutls_ocsp_resp_t converts to it implicitly. */
struct gnutls_ocsp_resp_int;
typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;
typedef const struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_const_t;

/* Allocate an empty response into *resp, and release one.  Pair every
 * successful gnutls_ocsp_resp_init() with gnutls_ocsp_resp_deinit(). */
int gnutls_ocsp_resp_init(gnutls_ocsp_resp_t * resp);
void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp);
201 
/* Parse a response from data into resp.  gnutls_ocsp_resp_import() offers
 * no encoding parameter (presumably DER only — confirm);
 * gnutls_ocsp_resp_import2() takes the encoding in fmt
 * (gnutls_x509_crt_fmt_t).  The input is untrusted network data: check
 * the return value, and note that a successfully imported response is
 * still unverified — nothing it says about a certificate may be acted on
 * until gnutls_ocsp_resp_verify() or gnutls_ocsp_resp_verify_direct() has
 * accepted it. */
int gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
			    const gnutls_datum_t * data);
int gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
			     const gnutls_datum_t * data,
			     gnutls_x509_crt_fmt_t fmt);
/* Serialise resp into *data; gnutls_ocsp_resp_export2() additionally lets
 * the caller choose the encoding via fmt.  Allocation of data->data is
 * presumably done by the library, with the caller releasing it through
 * gnutls_free() — confirm. */
int gnutls_ocsp_resp_export(gnutls_ocsp_resp_const_t resp,
			    gnutls_datum_t * data);
int gnutls_ocsp_resp_export2(gnutls_ocsp_resp_const_t resp,
			     gnutls_datum_t * data,
			     gnutls_x509_crt_fmt_t fmt);
/* Render resp as human-readable text into *out, at the level of detail
 * selected by format.  For logging and debugging, not for parsing. */
int gnutls_ocsp_resp_print(gnutls_ocsp_resp_const_t resp,
			   gnutls_ocsp_print_formats_t format,
			   gnutls_datum_t * out);
215 
/* Return the responder's status code for the whole response, a
 * gnutls_ocsp_resp_status_t value (or, presumably, a negative error code
 * — confirm).  Only GNUTLS_OCSP_RESP_SUCCESSFUL means the response carries
 * certificate status; every other value is an error from the responder
 * and must not be read as a "good" answer for any certificate. */
int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_const_t resp);
/* Return the OID of the response type in *response_type_oid and the raw
 * bytes of the embedded response in *response. */
int gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_const_t resp,
				  gnutls_datum_t *
				  response_type_oid,
				  gnutls_datum_t * response);

/* Return the version field of the response. */
int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_const_t resp);
/* Return the responder's distinguished name in *dn.
 * gnutls_ocsp_resp_get_responder2() takes an additional flags argument
 * whose accepted values are not defined in this header — see the
 * implementation or the manual. */
int gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_const_t resp,
				   gnutls_datum_t * dn);
int gnutls_ocsp_resp_get_responder2(gnutls_ocsp_resp_const_t resp,
				    gnutls_datum_t * dn,
				    unsigned flags);
228 
/* Selector values for gnutls_ocsp_resp_get_responder_raw_id().  An OCSP
 * ResponderID is either a key identifier or a name, and a response
 * carries only one of the two forms. */
/* the raw key ID of the responder */
#define GNUTLS_OCSP_RESP_ID_KEY 1
/* the raw DN of the responder */
#define GNUTLS_OCSP_RESP_ID_DN 2
/* Return the responder identifier in raw form, choosing the key-ID or DN
 * variant with type (GNUTLS_OCSP_RESP_ID_KEY or GNUTLS_OCSP_RESP_ID_DN).
 * Asking for the variant the response does not carry presumably fails —
 * confirm. */
int
gnutls_ocsp_resp_get_responder_raw_id(gnutls_ocsp_resp_const_t resp,
				      unsigned type,
				      gnutls_datum_t * raw);
237 
/* Time at which the responder produced the response (producedAt).  With a
 * time_t return type an error cannot be signalled as a negative GNUTLS_E_*
 * code; presumably (time_t)-1 is returned instead — confirm. */
time_t gnutls_ocsp_resp_get_produced(gnutls_ocsp_resp_const_t resp);
/* Read the indx-th single response.  digest and the three datum outputs
 * are the CertID naming the certificate; cert_status receives its status
 * (presumably a gnutls_ocsp_cert_status_t value); this_update and
 * next_update bound the period for which the status is asserted;
 * revocation_time and revocation_reason (presumably a
 * gnutls_x509_crl_reason_t value) are meaningful only when the status is
 * GNUTLS_OCSP_CERT_REVOKED.  Two checks remain with the caller: confirm
 * that the CertID really names the certificate being checked
 * (gnutls_ocsp_resp_check_crt() does that comparison) before using
 * cert_status, and compare this_update/next_update with the current time
 * — nothing in this header indicates that the verify functions enforce
 * this validity window, so without that check a stale or replayed
 * response would be accepted; confirm in the implementation. */
int gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_const_t resp,
				unsigned indx,
				gnutls_digest_algorithm_t * digest,
				gnutls_datum_t * issuer_name_hash,
				gnutls_datum_t * issuer_key_hash,
				gnutls_datum_t * serial_number,
				unsigned int *cert_status,
				time_t * this_update,
				time_t * next_update,
				time_t * revocation_time,
				unsigned int *revocation_reason);
/* Read the indx-th extension of the response: its OID, whether it is
 * flagged critical (*critical non-zero) and its raw value. */
int gnutls_ocsp_resp_get_extension(gnutls_ocsp_resp_const_t resp,
				   unsigned indx,
				   gnutls_datum_t * oid,
				   unsigned int *critical,
				   gnutls_datum_t * data);
/* Read the nonce extension of the response.  The header provides no
 * comparison with the request's nonce; a caller wanting replay protection
 * compares the two itself (see gnutls_ocsp_req_get_nonce()). */
int gnutls_ocsp_resp_get_nonce(gnutls_ocsp_resp_const_t resp,
			       unsigned int *critical,
			       gnutls_datum_t * nonce);
/* Return the algorithm the response is signed with (presumably a
 * gnutls_sign_algorithm_t value — confirm). */
int gnutls_ocsp_resp_get_signature_algorithm(gnutls_ocsp_resp_const_t resp);
/* Return the raw signature bytes in *sig.  This does not verify anything;
 * verification is done by gnutls_ocsp_resp_verify() and
 * gnutls_ocsp_resp_verify_direct(). */
int gnutls_ocsp_resp_get_signature(gnutls_ocsp_resp_const_t resp,
				   gnutls_datum_t * sig);
/* Return the certificates carried inside the response: *ncerts of them,
 * in an array at *certs.  They come from the untrusted response itself
 * and establish nothing about the signer until the verify functions have
 * accepted the response.  Ownership is not visible here — presumably the
 * caller must gnutls_x509_crt_deinit() each certificate and gnutls_free()
 * the array; confirm. */
int gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_const_t resp,
			       gnutls_x509_crt_t ** certs,
			       size_t * ncerts);
264 
/* Verify the response against a specific issuer certificate.  The outcome
 * comes in two parts: the return value and the *verify bitmask of
 * gnutls_ocsp_verify_reason_t flags.  Presumably (as with the X.509
 * verification functions of this library) the return value reports only
 * operational errors while the verification verdict lives in *verify —
 * confirm; either way, treat the response as verified only when the call
 * succeeds AND *verify is zero.  The accepted flags values are not defined
 * in this header. */
int gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_const_t resp,
				   gnutls_x509_crt_t issuer,
				   unsigned int *verify,
				   unsigned int flags);
/* As gnutls_ocsp_resp_verify_direct(), but the signer is located and
 * checked against the certificates in trustlist instead of a single
 * issuer.  Same two-part result, same caution. */
int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_const_t resp,
			    gnutls_x509_trust_list_t trustlist,
			    unsigned int *verify, unsigned int flags);

/* Check whether the indx-th single response refers to crt (presumably by
 * comparing its CertID fields against crt and its issuer — confirm).  Use
 * it before acting on the status obtained from gnutls_ocsp_resp_get_single()
 * so that a status is never applied to a different certificate than the
 * one it was issued for. */
int gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_const_t resp,
			       unsigned int indx, gnutls_x509_crt_t crt);
275 
/* Import every response found in resp_data (encoding given by format)
 * into an array of *size response handles at *ocsps.  The accepted flags
 * values are not defined in this header.  Ownership is not visible here —
 * presumably the caller must gnutls_ocsp_resp_deinit() each handle and
 * gnutls_free() the array; confirm.  As with the single-response import,
 * the imported responses are unverified until passed to the verify
 * functions. */
int
gnutls_ocsp_resp_list_import2(gnutls_ocsp_resp_t **ocsps,
			     unsigned int *size,
			     const gnutls_datum_t *resp_data,
			     gnutls_x509_crt_fmt_t format,
			     unsigned int flags);
282 
283 /* *INDENT-OFF* */
284 #ifdef __cplusplus
285 }
286 #endif
287 /* *INDENT-ON* */
288 #endif				/* GNUTLS_OCSP_H */
289