changed license headers to 2.1. Reported by Andreas Metzler.
1 /*
2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3  *
4  * Author: Simon Josefsson
5  *
6  * This file is part of GnuTLS.
7  *
8  * The GnuTLS is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
20  *
21  */
22
23 /* Online Certificate Status Protocol - RFC 2560
24  */
25
26 #ifndef GNUTLS_OCSP_H
27 #define GNUTLS_OCSP_H
28
29 #include <gnutls/gnutls.h>
30 #include <gnutls/x509.h>
31
32 #ifdef __cplusplus
33 extern "C"
34 {
35 #endif
36
/* Dotted-decimal OID of the OCSP nonce extension (RFC 2560).  The nonce
 * helpers below (gnutls_ocsp_req_set_nonce(), gnutls_ocsp_req_get_nonce(),
 * gnutls_ocsp_resp_get_nonce()) deal with this extension; the OID is
 * exported so callers can also reach it through the generic
 * gnutls_ocsp_req_get_extension()/gnutls_ocsp_resp_get_extension() path.
 * NOTE(review): a request nonce only protects against replay of an old
 * response if the caller compares it with the nonce echoed in the response;
 * nothing declared in this header performs that comparison for you. */
#define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
38
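/**
 * gnutls_ocsp_print_formats_t:
 * @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
 * @GNUTLS_OCSP_PRINT_COMPACT: More compact information about OCSP request/response.
 *
 * Enumeration of the output variants accepted by gnutls_ocsp_req_print()
 * and gnutls_ocsp_resp_print().  The text produced is intended for display
 * and diagnostics; callers should not rely on its exact layout.
 */
typedef enum gnutls_ocsp_print_formats_t {
    GNUTLS_OCSP_PRINT_FULL = 0,   /* everything the object carries */
    GNUTLS_OCSP_PRINT_COMPACT = 1 /* abbreviated summary; no trailing comma so
                                   * the header stays C89-clean, like the other
                                   * enums in this file */
} gnutls_ocsp_print_formats_t;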
51
/**
 * gnutls_ocsp_resp_status_t:
 * @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
 * @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
 * @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
 * @GNUTLS_OCSP_RESP_TRYLATER: Try again later
 * @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
 * @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
 *
 * Enumeration of the OCSPResponseStatus values of RFC 2560, as returned by
 * gnutls_ocsp_resp_get_status().  The numeric values follow the protocol,
 * which is why 4 is deliberately unassigned.  Only a SUCCESSFUL status
 * means the responder actually answered; every other value is a refusal
 * or error and carries no statement about any certificate, so a relying
 * party must not read it as "not revoked".
 */
typedef enum gnutls_ocsp_resp_status_t {
    GNUTLS_OCSP_RESP_SUCCESSFUL       = 0, /* responder answered */
    GNUTLS_OCSP_RESP_MALFORMEDREQUEST = 1, /* request did not parse */
    GNUTLS_OCSP_RESP_INTERNALERROR    = 2, /* responder-side failure */
    GNUTLS_OCSP_RESP_TRYLATER         = 3, /* temporary; retry */
    /* 4 is not defined by RFC 2560 */
    GNUTLS_OCSP_RESP_SIGREQUIRED      = 5, /* request must be signed */
    GNUTLS_OCSP_RESP_UNAUTHORIZED     = 6  /* requester not authorized */
} gnutls_ocsp_resp_status_t;
72
/**
 * gnutls_ocsp_cert_status_t:
 * @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
 * @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
 * @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
 *   certificate.
 *
 * Enumeration of the per-certificate status values found in a single
 * response (see the cert_status output of gnutls_ocsp_resp_get_single()).
 * For GNUTLS_OCSP_CERT_REVOKED the revocation_time and revocation_reason
 * outputs of that function describe the revocation.
 * NOTE(review): GNUTLS_OCSP_CERT_UNKNOWN is not a "good" answer; a strict
 * relying party should treat it as a failure to obtain status rather than
 * as an assurance that the certificate is valid.
 */
typedef enum gnutls_ocsp_cert_status_t {
    GNUTLS_OCSP_CERT_GOOD    = 0, /* not known to be revoked */
    GNUTLS_OCSP_CERT_REVOKED = 1, /* revoked; see revocation fields */
    GNUTLS_OCSP_CERT_UNKNOWN = 2  /* responder has no information */
} gnutls_ocsp_cert_status_t;
88
/**
 * gnutls_x509_crl_reason_t:
 * @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
 * @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
 * @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
 * @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
 * @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
 * @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
 * @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
 * @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
 * @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
 * @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
 *
 * Enumeration of revocation reason codes.  The values mirror the CRLReason
 * ASN.1 ENUMERATED type (hence the gap at 7, which that type does not
 * assign) and NOT the ReasonFlags BIT STRING, so they must not be used as
 * bit masks.  In this header the type describes the revocation_reason
 * output of gnutls_ocsp_resp_get_single().
 */
typedef enum gnutls_x509_crl_reason_t {
    GNUTLS_X509_CRLREASON_UNSPECIFIED          = 0,
    GNUTLS_X509_CRLREASON_KEYCOMPROMISE        = 1,
    GNUTLS_X509_CRLREASON_CACOMPROMISE         = 2,
    GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED   = 3,
    GNUTLS_X509_CRLREASON_SUPERSEDED           = 4,
    GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION = 5,
    GNUTLS_X509_CRLREASON_CERTIFICATEHOLD      = 6,
    /* 7 is unassigned in CRLReason */
    GNUTLS_X509_CRLREASON_REMOVEFROMCRL        = 8,
    GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN   = 9,
    GNUTLS_X509_CRLREASON_AACOMPROMISE         = 10
} gnutls_x509_crl_reason_t;
119
/**
 * gnutls_ocsp_verify_reason_t:
 * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
 * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
 * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
 * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure algorithm.
 * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
 * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
 * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
 *
 * Enumeration of OCSP verify status codes, used by
 * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
 * Each value is a distinct bit so several reasons can be reported at once
 * in the verify output of those functions; presumably a zero verify value
 * means no problem was flagged.  These codes only describe the signature
 * and the signer's certificate.  NOTE(review): a clean signature check says
 * nothing about whether the response covers the certificate you care about
 * (see gnutls_ocsp_resp_check_crt()), whether the nonce matches your
 * request, or whether it is still fresh (this_update/next_update from
 * gnutls_ocsp_resp_get_single()); callers must check those separately.
 */
typedef enum gnutls_ocsp_verify_reason_t {
    GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND      = 1,  /* bit 0 */
    GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR = 2,  /* bit 1 */
    GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER      = 4,  /* bit 2 */
    GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM    = 8,  /* bit 3 */
    GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE     = 16, /* bit 4 */
    GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED    = 32, /* bit 5 */
    GNUTLS_OCSP_VERIFY_CERT_EXPIRED          = 64  /* bit 6 */
} gnutls_ocsp_verify_reason_t;
143
/* Opaque handle to an OCSP request.  The struct layout is private to the
 * library; obtain one with gnutls_ocsp_req_init() and release it with
 * gnutls_ocsp_req_deinit(). */
struct gnutls_ocsp_req_int;
typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;

/* Allocate an empty request into *req.  Returns 0 on success, otherwise a
 * negative GnuTLS error code (library convention). */
int gnutls_ocsp_req_init (gnutls_ocsp_req_t *req);

/* Release a request obtained from gnutls_ocsp_req_init(). */
void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t req);

/* Load an encoded request (presumably DER) from data into req.  Check the
 * return value: the input may come from an untrusted peer. */
int gnutls_ocsp_req_import (gnutls_ocsp_req_t req, const gnutls_datum_t *data);

/* Encode req into data.  NOTE(review): who frees data->data afterwards is
 * not stated in this header; presumably the caller, with gnutls_free() —
 * confirm against the implementation. */
int gnutls_ocsp_req_export (gnutls_ocsp_req_t req, gnutls_datum_t *data);

/* Render req as human-readable text into out, in the requested format.
 * Same ownership caveat for out->data as for gnutls_ocsp_req_export(). */
int gnutls_ocsp_req_print (gnutls_ocsp_req_t req, gnutls_ocsp_print_formats_t format, gnutls_datum_t *out);
156
/* Return the version number carried by req (a negative value presumably
 * signals a GnuTLS error, per library convention). */
int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req);

/* Read the indx-th CertID of req: the hash algorithm plus the issuer name
 * hash, issuer key hash and serial number it was built from.  The datum
 * ownership rules are not stated here — presumably caller-freed; confirm. */
int gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t req, unsigned indx,
                                 gnutls_digest_algorithm_t *digest,
                                 gnutls_datum_t *issuer_name_hash,
                                 gnutls_datum_t *issuer_key_hash,
                                 gnutls_datum_t *serial_number);

/* Append a CertID to req from already-computed hashes and a serial number.
 * The caller is responsible for the hashes matching digest. */
int gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t req,
                                 gnutls_digest_algorithm_t digest,
                                 const gnutls_datum_t *issuer_name_hash,
                                 const gnutls_datum_t *issuer_key_hash,
                                 const gnutls_datum_t *serial_number);

/* Convenience form of gnutls_ocsp_req_add_cert_id(): derive the CertID for
 * cert, hashing the relevant parts of issuer with digest. */
int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req,
                              gnutls_digest_algorithm_t digest,
                              gnutls_x509_crt_t issuer,
                              gnutls_x509_crt_t cert);
174
/* Generic request-extension access.  get_extension reads the indx-th
 * extension of req (its OID, critical flag and raw value); set_extension
 * adds one identified by a dotted-decimal oid such as GNUTLS_OCSP_NONCE. */
int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t req, unsigned indx,
                                   gnutls_datum_t *oid, unsigned int *critical,
                                   gnutls_datum_t *data);
int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req, const char *oid,
                                   unsigned int critical,
                                   const gnutls_datum_t *data);

/* Nonce extension helpers.  get_nonce reads the nonce and its critical
 * flag from req; set_nonce installs a caller-chosen nonce;
 * randomize_nonce lets the library pick one.  NOTE(review): prefer
 * gnutls_ocsp_req_randomize_nonce() over hand-built values, and keep the
 * nonce so it can be compared with gnutls_ocsp_resp_get_nonce() on the
 * reply — a nonce that is never compared provides no replay protection. */
int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req, unsigned int *critical,
                               gnutls_datum_t *nonce);
int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req, unsigned int critical,
                               const gnutls_datum_t *nonce);
int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req);
192
/* Opaque handle to an OCSP response.  Layout is private; create with
 * gnutls_ocsp_resp_init() and free with gnutls_ocsp_resp_deinit(). */
struct gnutls_ocsp_resp_int;
typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;

/* Allocate an empty response object into *resp; 0 on success, otherwise a
 * negative GnuTLS error code (library convention). */
int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t *resp);

/* Release a response object created by gnutls_ocsp_resp_init(). */
void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t resp);

/* Parse an encoded response (presumably DER) from data.  Responses arrive
 * from the network, so treat the input as hostile: check the return value
 * and do not act on any field until gnutls_ocsp_resp_verify() or
 * gnutls_ocsp_resp_verify_direct() has passed. */
int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t resp, const gnutls_datum_t *data);

/* Encode resp into data.  NOTE(review): ownership of data->data after
 * success is not stated here — presumably caller-freed via gnutls_free();
 * confirm. */
int gnutls_ocsp_resp_export (gnutls_ocsp_resp_t resp, gnutls_datum_t *data);

/* Render resp as human-readable text into out, in the requested format. */
int gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp, gnutls_ocsp_print_formats_t format, gnutls_datum_t *out);
206
/* Top-level OCSPResponseStatus of resp, as a gnutls_ocsp_resp_status_t
 * (or presumably a negative GnuTLS error code).  Anything other than
 * GNUTLS_OCSP_RESP_SUCCESSFUL means no certificate status is available. */
int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t resp);

/* Raw responseType OID and the embedded response bytes. */
int gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t resp,
                                   gnutls_datum_t *response_type_oid,
                                   gnutls_datum_t *response);

/* Version number of the basic response. */
int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t resp);

/* Responder identity as a DN.  NOTE(review): this is asserted by the
 * response itself and is not authenticated until verification succeeds. */
int gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t resp, gnutls_datum_t *dn);

/* producedAt timestamp.  The error sentinel is not stated in this header
 * (presumably (time_t)-1 — confirm). */
time_t gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp);

/* The indx-th SingleResponse: the CertID it answers for (digest, issuer
 * name/key hashes, serial), cert_status (values of
 * gnutls_ocsp_cert_status_t), thisUpdate/nextUpdate, and for revoked
 * certificates revocation_time and revocation_reason (values of
 * gnutls_x509_crl_reason_t).  NOTE(review): a response is only as good as
 * its freshness — compare this_update/next_update against the current
 * time before relying on cert_status. */
int gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t resp, unsigned indx,
                                 gnutls_digest_algorithm_t *digest,
                                 gnutls_datum_t *issuer_name_hash,
                                 gnutls_datum_t *issuer_key_hash,
                                 gnutls_datum_t *serial_number,
                                 unsigned int *cert_status,
                                 time_t *this_update,
                                 time_t *next_update,
                                 time_t *revocation_time,
                                 unsigned int *revocation_reason);

/* Generic response-extension access, same shape as the request variant. */
int gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t resp, unsigned indx,
                                    gnutls_datum_t *oid, unsigned int *critical,
                                    gnutls_datum_t *data);

/* Nonce echoed by the responder, if any; compare it with the nonce the
 * request was sent with to detect replayed responses. */
int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp, unsigned int *critical,
                                gnutls_datum_t *nonce);

/* Signature algorithm identifier and the raw signature over the response. */
int gnutls_ocsp_resp_get_signature_algorithm (gnutls_ocsp_resp_t resp);
int gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t resp, gnutls_datum_t *sig);

/* Certificates bundled in the response, returned as an array of ncerts
 * gnutls_x509_crt_t handles in *certs.  NOTE(review): these are supplied
 * by the responder and are not trusted merely by being present; who frees
 * the array and the handles is not stated here — confirm. */
int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t resp, gnutls_x509_crt_t **certs,
                                size_t *ncerts);
241
/* Verify the signature on resp against a single known issuer certificate
 * (verify_direct) or against a trust list (verify).  Both report problems
 * through *verify as a combination of gnutls_ocsp_verify_reason_t bits;
 * the return value is presumably 0 when the call itself succeeded and a
 * negative GnuTLS error code otherwise — callers must inspect BOTH the
 * return value and *verify.  No flag values are defined in this header;
 * pass 0 for flags unless documented elsewhere.
 * NOTE(review): passing verification proves only that a trusted signer
 * signed this blob.  It does not establish that the response is about the
 * certificate in hand (use gnutls_ocsp_resp_check_crt()), that it is fresh,
 * or that it echoes your nonce. */
int gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp, gnutls_x509_crt_t issuer,
                                    unsigned int *verify, unsigned int flags);
int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp, gnutls_x509_trust_list_t trustlist,
                             unsigned int *verify, unsigned int flags);

/* Presumably checks that the indx-th single response of resp refers to crt
 * (matching CertID).  Call this after verification, before trusting the
 * status for crt. */
int gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp, unsigned int indx,
                                gnutls_x509_crt_t crt);
254
255 #ifdef __cplusplus
256 }
257 #endif
258
259 #endif /* GNUTLS_OCSP_H */