Security-57336.1.9.tar.gz

[apple/security.git] / OSX / libsecurity_ocspd / common / ocspResponse.h

/*
 * Copyright (c) 2004,2011,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * ocspResponse.h - OCSP Response class
 */

#ifndef _OCSP_RESPONSE_H_
#define _OCSP_RESPONSE_H_

#include <security_ocspd/ocspExtensions.h>
#include <Security/ocspTemplates.h>
#include <Security/certextensions.h>
#include <Security/SecAsn1Coder.h>
#include <CoreFoundation/CoreFoundation.h>

/* used to indicate "I don't know the CRLReason" */
#define CrlReason_NONE          ((CE_CrlReason)-1)

/*
 * CertIDs can be represented differently by two peers even though they refer to
 * the same cert. Client can use SHA1 hash and server can use MD5, for example.
 * So all of our code which creates a CertID based on known, existing subject and
 * issuer certs uses one of these "smart" certIDs which can encode itself and also
 * compare against any form of existing SecAsn1OCSPCertID.
 */
class OCSPClientCertID
{
        NOCOPY(OCSPClientCertID);
public:
        /*
         * Basic constructor given issuer's public key and name, and subject's
         * serial number.
         */
        OCSPClientCertID(
                const CSSM_DATA                 &issuerName,
                const CSSM_DATA                 &issuerPubKey,
                const CSSM_DATA                 &subjectSerial);

        ~OCSPClientCertID();

        /*
         * DER encode.
         */
        const CSSM_DATA *encode();

        /*
         * Does this object refer to the same cert as specified SecAsn1OCSPCertID?
         * This is the main purpose of this class's existence; this function works
         * even if specified SecAsn1OCSPCertID uses a different hash algorithm
         * than we do, since we keep copies of our basic components.
         *
         * Returns true if compare successful.
         */
        bool compareToExist(
                const SecAsn1OCSPCertID &exist);

        /*
         * Convenience function, like compareToExist, with a raw encoded CertID.
         */
        bool compareToExist(
                const CSSM_DATA &exist);

private:
        CSSM_DATA mIssuerName;
        CSSM_DATA mIssuerPubKey;
        CSSM_DATA mSubjectSerial;
        CSSM_DATA mEncoded;
};

/*
 * Object representing one SecAsn1OCSPSingleResponse, i.e., the portion of
 * an OCSP response associated with a single CertID. These are created and
 * vended solely by an OCSPResponse object. The client which gets them from
 * an OCSPResponse (via singleResponse()) must delete the object when finished
 * with it.
 */
class OCSPSingleResponse
{
        NOCOPY(OCSPSingleResponse);
public:
        /* only OCSPResponse creates these */
        ~OCSPSingleResponse();
        friend class OCSPResponse;
protected:

        OCSPSingleResponse(
                SecAsn1OCSPSingleResponse       *resp);
public:
                SecAsn1OCSPCertStatusTag        certStatus()    { return mCertStatus; }
                CFAbsoluteTime                          thisUpdate()    { return mThisUpdate; }
                CFAbsoluteTime                          nextUpdate()    { return mNextUpdate; }
                CFAbsoluteTime                          revokedTime()   { return mRevokedTime; }
                CE_CrlReason                            crlReason()             { return mCrlReason; }

                /* Extension accessors - all are optional */

                /* CRL Reference */
                const CSSM_DATA                         *crlUrl();
                const CSSM_DATA                         *crlNum();
                CFAbsoluteTime                          crlTime();                      /* may be NULL_TIME */

                /* archive cutoff */
                CFAbsoluteTime                          archiveCutoff();

                /* service locator not implemented yet */
private:
                SecAsn1CoderRef                         mCoder;
                SecAsn1OCSPCertStatusTag        mCertStatus;
                CFAbsoluteTime                          mThisUpdate;
                CFAbsoluteTime                          mNextUpdate;            /* may be NULL_TIME */
                CFAbsoluteTime                          mRevokedTime;           /* != NULL_TIME for CS_Revoked */
                CE_CrlReason                            mCrlReason;
                OCSPExtensions                          *mExtensions;
};

/*
 * OCSPResponse maintains its own temporal validity status based on the values of
 * all of the enclosed SingleResponses' thisUpdate and (optional) nextUpdate
 * fields, in addition to a default time-to-live (TTL) value passed to
 * OCSPResponse's constructor.
 *
 * First, all of the thisUpdate fields are checked during OCSPResponse's constructor.
 * if any of these are later than the current time, the entire response is considered
 * invalid and the constructor throws a CssmError(CSSMERR_APPLETP_OCSP_BAD_RESPONSE).
 * Subsequent to construction, all thisUpdate fields are ignored.
 *
 * The NextUpdate times are handled as follows.
 *
 * 1. An OCSPResponse's latestNextUpdate is defined as the latest of all of the
 *    nextUpdate fields in its SingleResponses. This is evaluated during construction.
 *
 * 2. An OCSPResponse's latestNextUpdate is NULL_TIME if none of its SingleResponses
 *    contain any nextUpdate (this field is in fact optional).
 *
 * 3. The caller of OCSPResponse's constructor passes in a default time-to-live
 *    (TTL) in seconds; call this defaultTTL. Call the time at which the
 *    constructor is called, PLUS defaultTTL, "defaultExpire".
 *
 * -- If the OCSPResponse's latestNextUpdate is NULL_TIME then expireTime() returns
 *    defaultExpire.
 *
 * -- Otherwise, expireTime() returns the lesser of (latestNextUpdate,
 *    defaultExpire).
 *
 * Note that this mechanism is used by both the TP's in-core cache and ocspd's
 * on-disk cache; the two have different default TTLs values but the mechanism
 * for calcuating expireTime() is identical.
 */
class OCSPResponse
{
        NOCOPY(OCSPResponse)
public:
        /* only constructor, from DER encoded data */
        OCSPResponse(
                const CSSM_DATA &resp,
                CFTimeInterval defaultTTL);             // default time-to-live in seconds

        ~OCSPResponse();

        /*
         * Info obtained during decode (which is don\ 1e immediately during constructor)
         */
        SecAsn1OCSPResponseStatus       responseStatus();
        const CSSM_DATA                         *nonce();                       /* NULL means not present */
        CFAbsoluteTime                          producedAt();           /* should always work */
        CSSM_RETURN                                     sigStatus();
        uint32                                          numSignerCerts();
        const CSSM_DATA                         *signerCert(uint32 dex);

        /*
         * Obtain a OCSPSingleResponse for a given CertID.
         */
        OCSPSingleResponse                      *singleResponseFor(OCSPClientCertID &certID);
        OCSPSingleResponse                      *singleResponseFor(const CSSM_DATA &matchCertID);

        CFAbsoluteTime                          expireTime()            { return mExpireTime; }

        /*
         * Access to decoded data.
         */
        const SecAsn1OCSPResponseData   &responseData()         { return mResponseData; }
        const SecAsn1OCSPBasicResponse  &basicResponse()        { return mBasicResponse; }
        const SecAsn1OCSPResponderID    &responderID()          { return mResponderId; }
        SecAsn1OCSPResponderIDTag               responderIDTag()        { return mResponderIdTag; }

        const CSSM_DATA                                 *encResponderName();

private:
        bool                                            calculateValidity(CFTimeInterval defaultTTL);

        SecAsn1CoderRef                         mCoder;
        CFAbsoluteTime                          mLatestNextUpdate;
        CFAbsoluteTime                          mExpireTime;
        CSSM_DATA                                       mEncResponderName;      // encoded ResponderId.byName,
                                                                                                        // if responder is in that format,
                                                                                                        // lazily evaluated
        /*
         * Fields we decode - all in mCoder's memory space
         */
        SecAsn1OCSPResponse                     mTopResp;
        SecAsn1OCSPBasicResponse        mBasicResponse;
        SecAsn1OCSPResponseData         mResponseData;
        SecAsn1OCSPResponderID          mResponderId;           // we have to decode
        SecAsn1OCSPResponderIDTag       mResponderIdTag;        // IDs previous field
        OCSPExtensions                          *mExtensions;
};
#endif  /* _OCSP_RESPONSE_H_ */