OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 /* | 4 /* |
5 * pkix_revocationchecker.h | 5 * pkix_revocationchecker.h |
6 * | 6 * |
7 * RevocationChecker Object Type Definition | 7 * RevocationChecker Object Type Definition |
8 * | 8 * |
9 */ | 9 */ |
10 | 10 |
(...skipping 10 matching lines...) Expand all Loading... |
21 | 21 |
22 /* | 22 /* |
23 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates | 23 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates |
24 * this is a method dependent flag. | 24 * this is a method dependent flag. |
25 */ | 25 */ |
26 | 26 |
27 /* | 27 /* |
28 * Whether or not to use a method for revocation testing. | 28 * Whether or not to use a method for revocation testing. |
29 * If set to "do not test", then all other flags are ignored. | 29 * If set to "do not test", then all other flags are ignored. |
30 */ | 30 */ |
31 #define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0x00L | 31 #define PKIX_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0x00L |
32 #define PKIX_REV_M_TEST_USING_THIS_METHOD 0x01L | 32 #define PKIX_REV_M_TEST_USING_THIS_METHOD 0x01L |
33 | 33 |
34 /* | 34 /* |
35 * Whether or not NSS is allowed to attempt to fetch fresh information | 35 * Whether or not NSS is allowed to attempt to fetch fresh information |
36 * from the network. | 36 * from the network. |
37 * (Although fetching will never happen if fresh information for the | 37 * (Although fetching will never happen if fresh information for the |
38 * method is already locally available.) | 38 * method is already locally available.) |
39 */ | 39 */ |
40 #define PKIX_REV_M_ALLOW_NETWORK_FETCHING 0x00L | 40 #define PKIX_REV_M_ALLOW_NETWORK_FETCHING 0x00L |
41 #define PKIX_REV_M_FORBID_NETWORK_FETCHING 0x02L | 41 #define PKIX_REV_M_FORBID_NETWORK_FETCHING 0x02L |
42 | 42 |
43 /* | 43 /* |
44 * Example for an implicit default source: | 44 * Example for an implicit default source: |
45 * The globally configured default OCSP responder. | 45 * The globally configured default OCSP responder. |
46 * IGNORE means: | 46 * IGNORE means: |
47 * ignore the implicit default source, whether it's configured or not. | 47 * ignore the implicit default source, whether it's configured or not. |
48 * ALLOW means: | 48 * ALLOW means: |
49 * if an implicit default source is configured, | 49 * if an implicit default source is configured, |
50 * then it overrides any available or missing source in the cert. | 50 * then it overrides any available or missing source in the cert. |
51 * if no implicit default source is configured, | 51 * if no implicit default source is configured, |
52 * then we continue to use what's available (or not available) | 52 * then we continue to use what's available (or not available) |
53 * in the certs. | 53 * in the certs. |
54 */ | 54 */ |
55 #define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0x00L | 55 #define PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0x00L |
56 #define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 0x04L /* OCSP only */ | 56 #define PKIX_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 0x04L /* OCSP only */ |
57 | 57 |
58 /* | 58 /* |
59 * Defines the behavior if no fresh information is available, | 59 * Defines the behavior if no fresh information is available, |
60 * fetching from the network is allowed, but the source of revocation | 60 * fetching from the network is allowed, but the source of revocation |
61 * information is unknown (even after considering implicit sources, | 61 * information is unknown (even after considering implicit sources, |
62 * if allowed by other flags). | 62 * if allowed by other flags). |
63 * SKIPT_TEST means: | 63 * SKIPT_TEST means: |
64 * We ignore that no fresh information is available and | 64 * We ignore that no fresh information is available and |
65 * skip this test. | 65 * skip this test. |
66 * REQUIRE_INFO means: | 66 * REQUIRE_INFO means: |
67 * We still require that fresh information is available. | 67 * We still require that fresh information is available. |
68 * Other flags define what happens on missing fresh info. | 68 * Other flags define what happens on missing fresh info. |
69 */ | 69 */ |
70 | 70 |
71 #define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0x00L | 71 #define PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0x00L |
72 #define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 0x08L | 72 #define PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 0x08L |
73 | 73 |
74 /* | 74 /* |
75 * Defines the behavior if we are unable to obtain fresh information. | 75 * Defines the behavior if we are unable to obtain fresh information. |
76 * INGORE means: | 76 * INGORE means: |
77 * Return "cert status unknown" | 77 * Return "cert status unknown" |
78 * FAIL means: | 78 * FAIL means: |
79 * Return "cert revoked". | 79 * Return "cert revoked". |
80 */ | 80 */ |
81 | 81 |
82 #define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO 0x00L | 82 #define PKIX_REV_M_IGNORE_MISSING_FRESH_INFO 0x00L |
83 #define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO 0x10L | 83 #define PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO 0x10L |
84 | 84 |
85 /* | 85 /* |
86 * What should happen if we were able to find fresh information using | 86 * What should happen if we were able to find fresh information using |
87 * this method, and the data indicated the cert is good? | 87 * this method, and the data indicated the cert is good? |
88 * STOP_TESTING means: | 88 * STOP_TESTING means: |
89 * Our success is sufficient, do not continue testing | 89 * Our success is sufficient, do not continue testing |
90 * other methods. | 90 * other methods. |
91 * CONTINUE_TESTING means: | 91 * CONTINUE_TESTING means: |
92 * We will continue and test the next allowed | 92 * We will continue and test the next allowed |
93 * specified method. | 93 * specified method. |
94 */ | 94 */ |
95 | 95 |
96 #define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO 0x00L | 96 #define PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO 0x00L |
97 #define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 0x20L | 97 #define PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 0x20L |
98 | 98 |
99 /* | 99 /* |
100 * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates | 100 * All Flags are prefixed by PKIX_REV_MI_, where _MI_ indicates |
101 * this is a method independent flag. | 101 * this is a method independent flag. |
102 */ | 102 */ |
103 | 103 |
104 /* | 104 /* |
105 * This defines the order to checking. | 105 * This defines the order to checking. |
106 * EACH_METHOD_SEPARATELY means: | 106 * EACH_METHOD_SEPARATELY means: |
107 * Do all tests related to a particular allowed method | 107 * Do all tests related to a particular allowed method |
108 * (both local information and network fetching) in a single step. | 108 * (both local information and network fetching) in a single step. |
109 * Only after testing for a particular method is done, | 109 * Only after testing for a particular method is done, |
110 * then switching to the next method will happen. | 110 * then switching to the next method will happen. |
111 * ALL_LOCAL_INFORMATION_FIRST means: | 111 * ALL_LOCAL_INFORMATION_FIRST means: |
112 * Start by testing the information for all allowed methods | 112 * Start by testing the information for all allowed methods |
113 * which are already locally available. Only after that is done | 113 * which are already locally available. Only after that is done |
114 * consider to fetch from the network (as allowed by other flags). | 114 * consider to fetch from the network (as allowed by other flags). |
115 */ | 115 */ |
116 #define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY 0x00L | 116 #define PKIX_REV_MI_TEST_EACH_METHOD_SEPARATELY 0x00L |
117 #define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 0x01L | 117 #define PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 0x01L |
118 | 118 |
119 /* | 119 /* |
120 * Use this flag to specify that it's necessary that fresh information | 120 * Use this flag to specify that it's necessary that fresh information |
121 * is available for at least one of the allowed methods, but it's | 121 * is available for at least one of the allowed methods, but it's |
122 * irrelevant which of the mechanisms succeeded. | 122 * irrelevant which of the mechanisms succeeded. |
123 * NO_OVERALL_INFO_REQUIREMENT means: | 123 * NO_OVERALL_INFO_REQUIREMENT means: |
124 * We strictly follow the requirements for each individual method. | 124 * We strictly follow the requirements for each individual method. |
125 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: | 125 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: |
126 * After the individual tests have been executed, we must have | 126 * After the individual tests have been executed, we must have |
127 * been able to find fresh information using at least one method. | 127 * been able to find fresh information using at least one method. |
128 * If we were unable to find fresh info, it's a failure. | 128 * If we were unable to find fresh info, it's a failure. |
129 */ | 129 */ |
130 #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0x00L | 130 #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0x00L |
131 #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L | 131 #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L |
132 | 132 |
133 /* Defines check time for the cert, revocation methods lists and | 133 /* Defines check time for the cert, revocation methods lists and |
134 * flags for leaf and chain certs revocation tests. */ | 134 * flags for leaf and chain certs revocation tests. */ |
135 struct PKIX_RevocationCheckerStruct { | 135 struct PKIX_RevocationCheckerStruct { |
136 PKIX_List *leafMethodList; | 136 PKIX_List *leafMethodList; |
137 PKIX_List *chainMethodList; | 137 PKIX_List *chainMethodList; |
138 PKIX_UInt32 leafMethodListFlags; | 138 PKIX_UInt32 leafMethodListFlags; |
139 PKIX_UInt32 chainMethodListFlags; | 139 PKIX_UInt32 chainMethodListFlags; |
140 }; | 140 }; |
141 | 141 |
142 /* see source file for function documentation */ | 142 /* see source file for function documentation */ |
143 | 143 |
144 PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext); | 144 PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext); |
145 | 145 |
146 #ifdef __cplusplus | 146 #ifdef __cplusplus |
147 } | 147 } |
148 #endif | 148 #endif |
149 | 149 |
150 #endif /* _PKIX_REVOCATIONCHECKER_H */ | 150 #endif /* _PKIX_REVOCATIONCHECKER_H */ |
OLD | NEW |