2 * Copyright (c) 2009,2012-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 @header SecOCSPResponse
26 The functions and data types in SecOCSPResponse implement ocsp response
27 decoding and verification.
30 #ifndef _SECURITY_SECOCSPRESPONSE_H_
31 #define _SECURITY_SECOCSPRESPONSE_H_
33 #include <Security/SecAsn1Coder.h>
34 #include <CoreFoundation/CFArray.h>
35 #include <CoreFoundation/CFData.h>
36 #include <CoreFoundation/CFDate.h>
37 #include <securityd/SecOCSPRequest.h>
38 #include <security_asn1/ocspTemplates.h>
39 #include <Security/SecCertificatePath.h>
47 kSecOCSPMalformedRequest
= 1,
48 kSecOCSPInternalError
= 2,
51 kSecOCSPSigRequired
= 5,
52 kSecOCSPUnauthorized
= 6
53 } SecOCSPResponseStatus
;
56 kSecRevocationReasonUnrevoked
= -2,
57 kSecRevocationReasonUndetermined
= -1,
58 kSecRevocationReasonUnspecified
= 0,
59 kSecRevocationReasonKeyCompromise
= 1,
60 kSecRevocationReasonCACompromise
= 2,
61 kSecRevocationReasonAffiliationChanged
= 3,
62 kSecRevocationReasonSuperseded
= 4,
63 kSecRevocationReasonCessationOfOperation
= 5,
64 kSecRevocationReasonCertificateHold
= 6,
65 /* -- value 7 is not used */
66 kSecRevocationReasonRemoveFromCRL
= 8,
67 kSecRevocationReasonPrivilegeWithdrawn
= 9,
68 kSecRevocationReasonAACompromise
= 10
70 typedef int32_t SecRevocationReason
;
74 @typedef SecOCSPResponseRef
75 @abstract Object used for ocsp response decoding.
77 typedef struct __SecOCSPResponse
*SecOCSPResponseRef
;
79 struct __SecOCSPResponse
{
81 SecAsn1CoderRef coder
;
82 SecOCSPResponseStatus responseStatus
;
84 CFAbsoluteTime producedAt
;
85 CFAbsoluteTime latestNextUpdate
;
86 CFAbsoluteTime expireTime
;
87 SecAsn1OCSPBasicResponse basicResponse
;
88 SecAsn1OCSPResponseData responseData
;
89 SecAsn1OCSPResponderIDTag responderIdTag
;
90 SecAsn1OCSPResponderID responderID
;
94 typedef struct __SecOCSPSingleResponse
*SecOCSPSingleResponseRef
;
96 struct __SecOCSPSingleResponse
{
97 SecAsn1OCSPCertStatusTag certStatus
;
98 CFAbsoluteTime thisUpdate
;
99 CFAbsoluteTime nextUpdate
; /* may be NULL_TIME */
100 CFAbsoluteTime revokedTime
; /* != NULL_TIME for certStatus == CS_Revoked */
101 SecRevocationReason crlReason
;
102 CFArrayRef scts
; /* This is parsed from an extension */
106 @function SecOCSPResponseCreate
107 @abstract Returns a SecOCSPResponseRef from a BER encoded ocsp response.
108 @param ocspResponse The BER encoded ocsp response.
109 @result A SecOCSPResponseRef.
111 SecOCSPResponseRef
SecOCSPResponseCreate(CFDataRef ocspResponse
);
113 SecOCSPResponseRef
SecOCSPResponseCreateWithID(CFDataRef ocspResponse
, int64_t responseID
);
115 int64_t SecOCSPResponseGetID(SecOCSPResponseRef ocspResponse
);
117 /* Return true if response is still valid for the given age. */
118 bool SecOCSPResponseCalculateValidity(SecOCSPResponseRef
this,
119 CFTimeInterval maxAge
, CFTimeInterval defaultTTL
, CFAbsoluteTime verifyTime
);
121 CFDataRef
SecOCSPResponseGetData(SecOCSPResponseRef
this);
123 SecOCSPResponseStatus
SecOCSPGetResponseStatus(SecOCSPResponseRef ocspResponse
);
125 CFAbsoluteTime
SecOCSPResponseGetExpirationTime(SecOCSPResponseRef ocspResponse
);
127 CFDataRef
SecOCSPResponseGetNonce(SecOCSPResponseRef ocspResponse
);
129 CFAbsoluteTime
SecOCSPResponseProducedAt(SecOCSPResponseRef ocspResponse
);
132 @function SecOCSPResponseCopySigners
133 @abstract Returns an array of signers.
134 @param ocspResponse A SecOCSPResponseRef.
135 @result The passed in SecOCSPResponseRef is deallocated
137 CFArrayRef
SecOCSPResponseCopySigners(SecOCSPResponseRef ocspResponse
);
140 @function SecOCSPResponseFinalize
141 @abstract Frees a SecOCSPResponseRef.
142 @param ocspResponse The BER encoded ocsp response.
144 void SecOCSPResponseFinalize(SecOCSPResponseRef ocspResponse
);
146 SecOCSPSingleResponseRef
SecOCSPResponseCopySingleResponse(
147 SecOCSPResponseRef ocspResponse
, SecOCSPRequestRef request
);
149 /* DefaultTTL is how long past the thisUpdate time we trust a response without a nextUpdate field. */
150 bool SecOCSPSingleResponseCalculateValidity(SecOCSPSingleResponseRef
this, CFAbsoluteTime defaultTTL
, CFAbsoluteTime verifyTime
);
152 /* Find the eventual SCTs from the single response extensions */
153 CFArrayRef
SecOCSPSingleResponseCopySCTs(SecOCSPSingleResponseRef
this);
155 void SecOCSPSingleResponseDestroy(SecOCSPSingleResponseRef
this);
157 /* Returns the SecCertificatePathRef who's leaf signed this ocspResponse if
158 we can find one and NULL if we can't find a valid signer. The issuerPath
159 contains the cert chain from the anchor to the certificate that issued the
160 leaf certificate for which this ocspResponse is supposed to be valid. */
161 SecCertificateRef
SecOCSPResponseCopySigner(SecOCSPResponseRef
this,
162 SecCertificateRef issuerPath
);
166 #endif /* !_SECURITY_SECOCSPRESPONSE_H_ */
projects / apple / security.git / blob