2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
4 * Author: Simon Josefsson
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Online Certificate Status Protocol - RFC 2560
29 #include <gnutls/gnutls.h>
30 #include <gnutls/x509.h>
38 #define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
41 * gnutls_ocsp_print_formats_t:
42 * @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
43 * @GNUTLS_OCSP_PRINT_COMPACT: More compact information about OCSP request/response.
45 * Enumeration of different OCSP printing variants.
47 typedef enum gnutls_ocsp_print_formats_t
{
48 GNUTLS_OCSP_PRINT_FULL
= 0,
49 GNUTLS_OCSP_PRINT_COMPACT
= 1,
50 } gnutls_ocsp_print_formats_t
;
53 * gnutls_ocsp_resp_status_t:
54 * @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
55 * @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
56 * @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
57 * @GNUTLS_OCSP_RESP_TRYLATER: Try again later
58 * @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
59 * @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
61 * Enumeration of different OCSP response status codes.
63 typedef enum gnutls_ocsp_resp_status_t
{
64 GNUTLS_OCSP_RESP_SUCCESSFUL
= 0,
65 GNUTLS_OCSP_RESP_MALFORMEDREQUEST
= 1,
66 GNUTLS_OCSP_RESP_INTERNALERROR
= 2,
67 GNUTLS_OCSP_RESP_TRYLATER
= 3,
68 GNUTLS_OCSP_RESP_SIGREQUIRED
= 5,
69 GNUTLS_OCSP_RESP_UNAUTHORIZED
= 6
70 } gnutls_ocsp_resp_status_t
;
73 * gnutls_ocsp_cert_status_t:
74 * @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
75 * @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
76 * @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
79 * Enumeration of different OCSP response certificate status codes.
81 typedef enum gnutls_ocsp_cert_status_t
{
82 GNUTLS_OCSP_CERT_GOOD
= 0,
83 GNUTLS_OCSP_CERT_REVOKED
= 1,
84 GNUTLS_OCSP_CERT_UNKNOWN
= 2
85 } gnutls_ocsp_cert_status_t
;
88 * gnutls_x509_crl_reason_t:
89 * @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
90 * @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
91 * @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
92 * @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
93 * @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
94 * @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
95 * @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
96 * @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
97 * @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
98 * @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
100 * Enumeration of different reason codes. Note that this
101 * corresponds to the CRLReason ASN.1 enumeration type, and not the
102 * ReasonFlags ASN.1 bit string.
104 typedef enum gnutls_x509_crl_reason_t
{
105 GNUTLS_X509_CRLREASON_UNSPECIFIED
= 0,
106 GNUTLS_X509_CRLREASON_KEYCOMPROMISE
= 1,
107 GNUTLS_X509_CRLREASON_CACOMPROMISE
= 2,
108 GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED
= 3,
109 GNUTLS_X509_CRLREASON_SUPERSEDED
= 4,
110 GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION
= 5,
111 GNUTLS_X509_CRLREASON_CERTIFICATEHOLD
= 6,
112 GNUTLS_X509_CRLREASON_REMOVEFROMCRL
= 8,
113 GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN
= 9,
114 GNUTLS_X509_CRLREASON_AACOMPROMISE
= 10
115 } gnutls_x509_crl_reason_t
;
118 * gnutls_ocsp_verify_reason_t:
119 * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
120 * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
121 * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
122 * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure algorithm.
123 * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
124 * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
125 * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
127 * Enumeration of OCSP verify status codes, used by
128 * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
130 typedef enum gnutls_ocsp_verify_reason_t
{
131 GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND
= 1,
132 GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR
= 2,
133 GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER
= 4,
134 GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM
= 8,
135 GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE
= 16,
136 GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED
= 32,
137 GNUTLS_OCSP_VERIFY_CERT_EXPIRED
= 64
138 } gnutls_ocsp_verify_reason_t
;
140 struct gnutls_ocsp_req_int
;
141 typedef struct gnutls_ocsp_req_int
*gnutls_ocsp_req_t
;
143 int gnutls_ocsp_req_init(gnutls_ocsp_req_t
* req
);
144 void gnutls_ocsp_req_deinit(gnutls_ocsp_req_t req
);
146 int gnutls_ocsp_req_import(gnutls_ocsp_req_t req
,
147 const gnutls_datum_t
* data
);
148 int gnutls_ocsp_req_export(gnutls_ocsp_req_t req
, gnutls_datum_t
* data
);
149 int gnutls_ocsp_req_print(gnutls_ocsp_req_t req
,
150 gnutls_ocsp_print_formats_t format
,
151 gnutls_datum_t
* out
);
153 int gnutls_ocsp_req_get_version(gnutls_ocsp_req_t req
);
155 int gnutls_ocsp_req_get_cert_id(gnutls_ocsp_req_t req
,
157 gnutls_digest_algorithm_t
* digest
,
158 gnutls_datum_t
* issuer_name_hash
,
159 gnutls_datum_t
* issuer_key_hash
,
160 gnutls_datum_t
* serial_number
);
161 int gnutls_ocsp_req_add_cert_id(gnutls_ocsp_req_t req
,
162 gnutls_digest_algorithm_t digest
,
163 const gnutls_datum_t
*
165 const gnutls_datum_t
*
167 const gnutls_datum_t
* serial_number
);
168 int gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req
,
169 gnutls_digest_algorithm_t digest
,
170 gnutls_x509_crt_t issuer
,
171 gnutls_x509_crt_t cert
);
173 int gnutls_ocsp_req_get_extension(gnutls_ocsp_req_t req
,
175 gnutls_datum_t
* oid
,
176 unsigned int *critical
,
177 gnutls_datum_t
* data
);
178 int gnutls_ocsp_req_set_extension(gnutls_ocsp_req_t req
,
180 unsigned int critical
,
181 const gnutls_datum_t
* data
);
183 int gnutls_ocsp_req_get_nonce(gnutls_ocsp_req_t req
,
184 unsigned int *critical
,
185 gnutls_datum_t
* nonce
);
186 int gnutls_ocsp_req_set_nonce(gnutls_ocsp_req_t req
,
187 unsigned int critical
,
188 const gnutls_datum_t
* nonce
);
189 int gnutls_ocsp_req_randomize_nonce(gnutls_ocsp_req_t req
);
191 struct gnutls_ocsp_resp_int
;
192 typedef struct gnutls_ocsp_resp_int
*gnutls_ocsp_resp_t
;
194 int gnutls_ocsp_resp_init(gnutls_ocsp_resp_t
* resp
);
195 void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp
);
197 int gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp
,
198 const gnutls_datum_t
* data
);
199 int gnutls_ocsp_resp_export(gnutls_ocsp_resp_t resp
,
200 gnutls_datum_t
* data
);
201 int gnutls_ocsp_resp_print(gnutls_ocsp_resp_t resp
,
202 gnutls_ocsp_print_formats_t format
,
203 gnutls_datum_t
* out
);
205 int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_t resp
);
206 int gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_t resp
,
209 gnutls_datum_t
* response
);
211 int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_t resp
);
212 int gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp
,
213 gnutls_datum_t
* dn
);
214 time_t gnutls_ocsp_resp_get_produced(gnutls_ocsp_resp_t resp
);
215 int gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp
,
217 gnutls_digest_algorithm_t
* digest
,
218 gnutls_datum_t
* issuer_name_hash
,
219 gnutls_datum_t
* issuer_key_hash
,
220 gnutls_datum_t
* serial_number
,
221 unsigned int *cert_status
,
222 time_t * this_update
,
223 time_t * next_update
,
224 time_t * revocation_time
,
225 unsigned int *revocation_reason
);
226 int gnutls_ocsp_resp_get_extension(gnutls_ocsp_resp_t resp
,
228 gnutls_datum_t
* oid
,
229 unsigned int *critical
,
230 gnutls_datum_t
* data
);
231 int gnutls_ocsp_resp_get_nonce(gnutls_ocsp_resp_t resp
,
232 unsigned int *critical
,
233 gnutls_datum_t
* nonce
);
234 int gnutls_ocsp_resp_get_signature_algorithm(gnutls_ocsp_resp_t resp
);
235 int gnutls_ocsp_resp_get_signature(gnutls_ocsp_resp_t resp
,
236 gnutls_datum_t
* sig
);
237 int gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_t resp
,
238 gnutls_x509_crt_t
** certs
,
241 int gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp
,
242 gnutls_x509_crt_t issuer
,
243 unsigned int *verify
,
245 int gnutls_ocsp_resp_verify(gnutls_ocsp_resp_t resp
,
246 gnutls_x509_trust_list_t trustlist
,
247 unsigned int *verify
, unsigned int flags
);
249 int gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp
,
250 unsigned int indx
, gnutls_x509_crt_t crt
);
257 #endif /* GNUTLS_OCSP_H */