Security-59754.41.1.tar.gz

[apple/security.git] / OSX / libsecurity_ocspd / client / ocspdClient.h

/*
 * Copyright (c) 2000,2002,2011,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/* 
 * ocspdClient.h - Client interface to OCSP helper daemon
 */
 
#ifndef _OCSPD_CLIENT_H_
#define _OCSPD_CLIENT_H_

#include <Security/cssmtype.h>
#include <Security/SecTrustSettings.h>
#include <security_utilities/alloc.h>

#ifdef  __cplusplus
extern "C" {
#endif

#pragma mark ----- OCSP routines -----

/*
 * Normal OCSP request. Depending on contents of encoded SecAsn1OCSPToolRequest,
 * this optionally performs cache lookup, local responder OCSP, and normal
 * OCSP, in that order. If OCSP response is fetched from the net the netFetch
 * outParam is true on return. 
 */
CSSM_RETURN ocspdFetch(
        Allocator                       &alloc,
        const CSSM_DATA         &ocspdReq,              // DER-encoded SecAsn1OCSPDRequests
        CSSM_DATA                       &ocspdResp);    // DER-encoded kSecAsn1OCSPDReplies
                                                                                // mallocd via alloc and RETURNED

/* 
 * Flush all OCSP responses associated with specifed CertID from cache. 
 */
CSSM_RETURN ocspdCacheFlush(
        const CSSM_DATA         &certID);
        
/* 
 * Flush stale entries from cache. 
 */
CSSM_RETURN ocspdCacheFlushStale();

#pragma mark ----- CRL/Cert routines -----
/* 
 * fetch a certificate from the net. 
 */
CSSM_RETURN ocspdCertFetch(
        Allocator                       &alloc,
        const CSSM_DATA         &certURL,
        CSSM_DATA                       &certData);             // mallocd via alloc and RETURNED

/* 
 * fetch a CRL from the net with optional cache lookup and/or store.
 * VerifyTime argument only used for cache lookup; it must be in 
 * CSSM_TIMESTRING format. 
 * crlIssuer is optional, and is only specified when the client knows
 * that the issuer of the CRL is the same as the issuer of the cert
 * being verified. 
 */
CSSM_RETURN ocspdCRLFetch(
        Allocator                       &alloc,
        const CSSM_DATA         &crlURL,
        const CSSM_DATA         *crlIssuer,             // optional
        bool                            cacheReadEnable,
        bool                            cacheWriteEnable,
        CSSM_TIMESTRING         verifyTime,
        CSSM_DATA                       &crlData);              // mallocd via alloc and RETURNED

/*
 * fetch CRL revocation status, given a certificate's serial number and
 * its issuers, along with an identifier for the CRL (either its issuer name
 * or distribution point URL)
 *
 * This may return one of the following result codes:
 *
 * CSSM_OK (valid CRL was found for this issuer, serial number is not on it)
 * CSSMERR_TP_CERT_REVOKED (valid CRL was found, serial number is revoked)
 * CSSMERR_APPLETP_NETWORK_FAILURE (crl not available, download in progress)
 * CSSMERR_APPLETP_CRL_NOT_FOUND (crl not available, and not in progress)
 *
 * The first three error codes can be considered definitive answers (with the
 * NETWORK_FAILURE case indicating a possible retry later if required); the
 * last error requires a subsequent call to ocspdCRLFetch to either retrieve
 * the CRL from the on-disk cache or initiate a download of the CRL.
 *
 * Note: CSSMERR_TP_INTERNAL_ERROR can also be returned if there is a problem
 * with the provided arguments, or an error communicating with ocspd.
 */
CSSM_RETURN ocspdCRLStatus(
        const CSSM_DATA         &serialNumber,
        const CSSM_DATA         &certIssuers,
        const CSSM_DATA         *crlIssuer,             // optional if URL is supplied
        const CSSM_DATA         *crlURL);               // optional if issuer is supplied

/* 
 * Refresh the CRL cache. 
 */
CSSM_RETURN ocspdCRLRefresh(
        unsigned                        staleDays,
        unsigned                        expireOverlapSeconds,
        bool                            purgeAll,
        bool                            fullCryptoVerify);

/* 
 * Flush all CRLs obtained from specified URL from cache. Called by client when 
 * *it* detects a bad CRL. 
 */
CSSM_RETURN ocspdCRLFlush(
        const CSSM_DATA         &crlURL);
        
/*
 * Obtain TrustSettings. 
 */
OSStatus ocspdTrustSettingsRead(
        Allocator                               &alloc,
        SecTrustSettingsDomain  domain,
        CSSM_DATA                               &trustSettings);                // mallocd via alloc and RETURNED

/*
 * Write TrustSettings to disk. Results in authentication dialog.
 */
OSStatus ocspdTrustSettingsWrite(
        SecTrustSettingsDomain  domain,
        const CSSM_DATA                 &authBlob,
        const CSSM_DATA                 &trustSettings);

#ifdef  __cplusplus
}
#endif

#endif  /* _OCSPD_CLIENT_H_ */