2 * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * ocspResponse.h - OCSP Response class
28 #ifndef _OCSP_RESPONSE_H_
29 #define _OCSP_RESPONSE_H_
31 #include <security_ocspd/ocspExtensions.h>
32 #include <Security/ocspTemplates.h>
33 #include <Security/certextensions.h>
34 #include <Security/SecAsn1Coder.h>
35 #include <CoreFoundation/CoreFoundation.h>
37 /* used to indicate "I don't know the CRLReason" */
38 #define CrlReason_NONE ((CE_CrlReason)-1)
41 * CertIDs can be represented differently by two peers even though they refer to
42 * the same cert. Client can use SHA1 hash and server can use MD5, for example.
43 * So all of our code which creates a CertID based on known, existing subject and
44 * issuer certs uses one of these "smart" certIDs which can encode itself and also
45 * compare against any form of existing SecAsn1OCSPCertID.
47 class OCSPClientCertID
49 NOCOPY(OCSPClientCertID
);
52 * Basic constructor given issuer's public key and name, and subject's
56 const CSSM_DATA
&issuerName
,
57 const CSSM_DATA
&issuerPubKey
,
58 const CSSM_DATA
&subjectSerial
);
65 const CSSM_DATA
*encode();
68 * Does this object refer to the same cert as specified SecAsn1OCSPCertID?
69 * This is the main purpose of this class's existence; this function works
70 * even if specified SecAsn1OCSPCertID uses a different hash algorithm
71 * than we do, since we keep copies of our basic components.
73 * Returns true if compare successful.
76 const SecAsn1OCSPCertID
&exist
);
79 * Convenience function, like compareToExist, with a raw encoded CertID.
82 const CSSM_DATA
&exist
);
85 CSSM_DATA mIssuerName
;
86 CSSM_DATA mIssuerPubKey
;
87 CSSM_DATA mSubjectSerial
;
92 * Object representing one SecAsn1OCSPSingleResponse, i.e., the portion of
93 * an OCSP response associated with a single CertID. These are created and
94 * vended solely by an OCSPResponse object. The client which gets them from
95 * an OCSPResponse (via singleResponse()) must delete the object when finished
98 class OCSPSingleResponse
100 NOCOPY(OCSPSingleResponse
);
102 /* only OCSPResponse creates these */
103 ~OCSPSingleResponse();
104 friend class OCSPResponse
;
108 SecAsn1OCSPSingleResponse
*resp
);
110 SecAsn1OCSPCertStatusTag
certStatus() { return mCertStatus
; }
111 CFAbsoluteTime
thisUpdate() { return mThisUpdate
; }
112 CFAbsoluteTime
nextUpdate() { return mNextUpdate
; }
113 CFAbsoluteTime
revokedTime() { return mRevokedTime
; }
114 CE_CrlReason
crlReason() { return mCrlReason
; }
116 /* Extension accessors - all are optional */
119 const CSSM_DATA
*crlUrl();
120 const CSSM_DATA
*crlNum();
121 CFAbsoluteTime
crlTime(); /* may be NULL_TIME */
124 CFAbsoluteTime
archiveCutoff();
126 /* service locator not implemented yet */
128 SecAsn1CoderRef mCoder
;
129 SecAsn1OCSPCertStatusTag mCertStatus
;
130 CFAbsoluteTime mThisUpdate
;
131 CFAbsoluteTime mNextUpdate
; /* may be NULL_TIME */
132 CFAbsoluteTime mRevokedTime
; /* != NULL_TIME for CS_Revoked */
133 CE_CrlReason mCrlReason
;
134 OCSPExtensions
*mExtensions
;
138 * OCSPResponse maintains its own temporal validity status based on the values of
139 * all of the enclosed SingleResponses' thisUpdate and (optional) nextUpdate
140 * fields, in addition to a default time-to-live (TTL) value passed to
141 * OCSPResponse's constructor.
143 * First, all of the thisUpdate fields are checked during OCSPResponse's constructor.
144 * if any of these are later than the current time, the entire response is considered
145 * invalid and the constructor throws a CssmError(CSSMERR_APPLETP_OCSP_BAD_RESPONSE).
146 * Subsequent to construction, all thisUpdate fields are ignored.
148 * The NextUpdate times are handled as follows.
150 * 1. An OCSPResponse's latestNextUpdate is defined as the latest of all of the
151 * nextUpdate fields in its SingleResponses. This is evaluated during construction.
153 * 2. An OCSPResponse's latestNextUpdate is NULL_TIME if none of its SingleResponses
154 * contain any nextUpdate (this field is in fact optional).
156 * 3. The caller of OCSPResponse's constructor passes in a default time-to-live
157 * (TTL) in seconds; call this defaultTTL. Call the time at which the
158 * constructor is called, PLUS defaultTTL, "defaultExpire".
160 * -- If the OCSPResponse's latestNextUpdate is NULL_TIME then expireTime() returns
163 * -- Otherwise, expireTime() returns the lesser of (latestNextUpdate,
166 * Note that this mechanism is used by both the TP's in-core cache and ocspd's
167 * on-disk cache; the two have different default TTLs values but the mechanism
168 * for calcuating expireTime() is identical.
174 /* only constructor, from DER encoded data */
176 const CSSM_DATA
&resp
,
177 CFTimeInterval defaultTTL
); // default time-to-live in seconds
182 * Info obtained during decode (which is don\ 1e immediately during constructor)
184 SecAsn1OCSPResponseStatus
responseStatus();
185 const CSSM_DATA
*nonce(); /* NULL means not present */
186 CFAbsoluteTime
producedAt(); /* should always work */
187 CSSM_RETURN
sigStatus();
188 uint32
numSignerCerts();
189 const CSSM_DATA
*signerCert(uint32 dex
);
192 * Obtain a OCSPSingleResponse for a given CertID.
194 OCSPSingleResponse
*singleResponseFor(OCSPClientCertID
&certID
);
195 OCSPSingleResponse
*singleResponseFor(const CSSM_DATA
&matchCertID
);
197 CFAbsoluteTime
expireTime() { return mExpireTime
; }
200 * Access to decoded data.
202 const SecAsn1OCSPResponseData
&responseData() { return mResponseData
; }
203 const SecAsn1OCSPBasicResponse
&basicResponse() { return mBasicResponse
; }
204 const SecAsn1OCSPResponderID
&responderID() { return mResponderId
; }
205 SecAsn1OCSPResponderIDTag
responderIDTag() { return mResponderIdTag
; }
207 const CSSM_DATA
*encResponderName();
210 bool calculateValidity(CFTimeInterval defaultTTL
);
212 SecAsn1CoderRef mCoder
;
213 CFAbsoluteTime mLatestNextUpdate
;
214 CFAbsoluteTime mExpireTime
;
215 CSSM_DATA mEncResponderName
; // encoded ResponderId.byName,
216 // if responder is in that format,
219 * Fields we decode - all in mCoder's memory space
221 SecAsn1OCSPResponse mTopResp
;
222 SecAsn1OCSPBasicResponse mBasicResponse
;
223 SecAsn1OCSPResponseData mResponseData
;
224 SecAsn1OCSPResponderID mResponderId
; // we have to decode
225 SecAsn1OCSPResponderIDTag mResponderIdTag
; // IDs previous field
226 OCSPExtensions
*mExtensions
;
228 #endif /* _OCSP_RESPONSE_H_ */