2 * Copyright (c) 2009,2012-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 @header SecOCSPResponse
The functions and data types in SecOCSPResponse implement OCSP response
decoding and verification. Decoding (SecOCSPResponseCreate) and signer
lookup (SecOCSPResponseCopySigner) are separate steps; a decoded response
has not been authenticated until the signer step has succeeded.
30 #ifndef _SECURITY_SECOCSPRESPONSE_H_
31 #define _SECURITY_SECOCSPRESPONSE_H_
33 #include <Security/SecAsn1Coder.h>
34 #include <CoreFoundation/CFArray.h>
35 #include <CoreFoundation/CFData.h>
36 #include <CoreFoundation/CFDate.h>
37 #include <securityd/SecOCSPRequest.h>
38 #include <security_asn1/ocspTemplates.h>
46 kSecOCSPMalformedRequest
= 1,
47 kSecOCSPInternalError
= 2,
50 kSecOCSPSigRequired
= 5,
51 kSecOCSPUnauthorized
= 6
52 } SecOCSPResponseStatus
;
55 kSecRevocationReasonUnrevoked
= -2,
56 kSecRevocationReasonUndetermined
= -1,
57 kSecRevocationReasonUnspecified
= 0,
58 kSecRevocationReasonKeyCompromise
= 1,
59 kSecRevocationReasonCACompromise
= 2,
60 kSecRevocationReasonAffiliationChanged
= 3,
61 kSecRevocationReasonSuperseded
= 4,
62 kSecRevocationReasonCessationOfOperation
= 5,
63 kSecRevocationReasonCertificateHold
= 6,
64 /* -- value 7 is not used */
65 kSecRevocationReasonRemoveFromCRL
= 8,
66 kSecRevocationReasonPrivilegeWithdrawn
= 9,
67 kSecRevocationReasonAACompromise
= 10
/* Revocation reason carried by a single response. Takes the
   kSecRevocationReason* values above: 0..10 appear to mirror the X.509
   CRLReason codes (7 is unused), while -2 (Unrevoked) and -1 (Undetermined)
   are local sentinels outside that range, not values taken from the wire. */
typedef int32_t SecRevocationReason;
/*!
    @typedef SecOCSPResponseRef
    @abstract Object used for ocsp response decoding.
    @discussion Opaque handle to a decoded response. Obtained from
    SecOCSPResponseCreate / SecOCSPResponseCreateWithID and released with
    SecOCSPResponseFinalize.
*/
typedef struct __SecOCSPResponse *SecOCSPResponseRef;
78 struct __SecOCSPResponse
{
80 SecAsn1CoderRef coder
;
81 SecOCSPResponseStatus responseStatus
;
83 CFAbsoluteTime producedAt
;
84 CFAbsoluteTime latestNextUpdate
;
85 CFAbsoluteTime expireTime
;
86 SecAsn1OCSPBasicResponse basicResponse
;
87 SecAsn1OCSPResponseData responseData
;
88 SecAsn1OCSPResponderIDTag responderIdTag
;
89 SecAsn1OCSPResponderID responderID
;
/* Opaque handle to one SingleResponse entry of a decoded OCSP response.
   Obtained from SecOCSPResponseCopySingleResponse and released with
   SecOCSPSingleResponseDestroy. */
typedef struct __SecOCSPSingleResponse *SecOCSPSingleResponseRef;
95 struct __SecOCSPSingleResponse
{
96 SecAsn1OCSPCertStatusTag certStatus
;
97 CFAbsoluteTime thisUpdate
;
98 CFAbsoluteTime nextUpdate
; /* may be NULL_TIME */
99 CFAbsoluteTime revokedTime
; /* != NULL_TIME for certStatus == CS_Revoked */
100 SecRevocationReason crlReason
;
101 CFArrayRef scts
; /* This is parsed from an extension */
/*!
    @function SecOCSPResponseCreate
    @abstract Returns a SecOCSPResponseRef from a BER encoded ocsp response.
    @param ocspResponse The BER encoded ocsp response.
    @result A SecOCSPResponseRef. Presumably NULL when the data cannot be
    decoded (inferred from the Create/Finalize pairing; confirm with the
    implementation). Release with SecOCSPResponseFinalize.
    @discussion This only decodes. Nothing in this call establishes who signed
    the response; use SecOCSPResponseCopySigner before acting on any
    certStatus the response carries.
*/
SecOCSPResponseRef SecOCSPResponseCreate(CFDataRef ocspResponse);
/* Same as SecOCSPResponseCreate, but tags the object with a caller-supplied
   responseID that SecOCSPResponseGetID reads back. This header does not say
   what the ID denotes (presumably a cache or database key; verify against the
   caller) and nothing declared here uses it for validation. */
SecOCSPResponseRef SecOCSPResponseCreateWithID(CFDataRef ocspResponse, int64_t responseID);

int64_t SecOCSPResponseGetID(SecOCSPResponseRef ocspResponse);
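/* Return true if response is still valid for the given age.
   ocspResponse: the decoded response to test.
   maxAge:       upper bound on the age of a response the caller will accept
                 (presumably measured from producedAt; confirm with the
                 implementation).
   defaultTTL:   how long past thisUpdate a response without a nextUpdate is
                 trusted, as for SecOCSPSingleResponseCalculateValidity.
   verifyTime:   the instant to evaluate against. Pass the current time; this
                 argument is also the lever by which a stale response could be
                 made to look fresh, so never derive it from untrusted input.
   The first parameter was named `this`, which is a keyword in C++ and
   Objective-C++ and stops the header compiling there; renaming a prototype
   parameter does not change the ABI. */
bool SecOCSPResponseCalculateValidity(SecOCSPResponseRef ocspResponse,
    CFTimeInterval maxAge, CFTimeInterval defaultTTL, CFAbsoluteTime verifyTime);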
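/* Returns the encoded response data this object holds. Per the CF Get rule
   implied by the name the object keeps ownership; do not CFRelease the result
   (confirm with the implementation). Parameter renamed from `this`, a C++ /
   Objective-C++ keyword; the ABI is unchanged. */
CFDataRef SecOCSPResponseGetData(SecOCSPResponseRef ocspResponse);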
/* The top-level OCSPResponseStatus (kSecOCSP* above). Anything other than a
   successful status means there is no usable certStatus in this response. */
SecOCSPResponseStatus SecOCSPGetResponseStatus(SecOCSPResponseRef ocspResponse);

/* Time after which this response should no longer be relied upon
   (the expireTime field; how it is derived from nextUpdate/producedAt is
   not visible here, confirm with the implementation). */
CFAbsoluteTime SecOCSPResponseGetExpirationTime(SecOCSPResponseRef ocspResponse);

/* The response nonce. If the request carried a nonce, the caller must compare
   the two: a missing or mismatched nonce means the response is not bound to
   that request and could be a replay. Nothing declared in this header does
   the comparison. Presumably NULL when no nonce extension is present. */
CFDataRef SecOCSPResponseGetNonce(SecOCSPResponseRef ocspResponse);

/* The responder's producedAt time, as decoded from the response. This is a
   responder-asserted value; freshness is decided by
   SecOCSPResponseCalculateValidity, not by this getter. */
CFAbsoluteTime SecOCSPResponseProducedAt(SecOCSPResponseRef ocspResponse);
/*!
    @function SecOCSPResponseCopySigners
    @abstract Returns an array of signers.
    @param ocspResponse A SecOCSPResponseRef.
    @result A CFArrayRef of the signer certificates found in the response
    (presumably those embedded in the BasicOCSPResponse). Following the CF Copy
    rule the caller owns the array and must CFRelease it. The passed-in
    SecOCSPResponseRef is NOT deallocated; the earlier @result text saying so
    was wrong. Membership in this array does not make a certificate a trusted
    responder - that determination is SecOCSPResponseCopySigner's job.
*/
CFArrayRef SecOCSPResponseCopySigners(SecOCSPResponseRef ocspResponse);
/*!
    @function SecOCSPResponseFinalize
    @abstract Frees a SecOCSPResponseRef.
    @param ocspResponse The SecOCSPResponseRef to free (not the BER data, as the
    earlier text said). The handle is invalid afterwards; data obtained through
    SecOCSPResponseGetData / SecOCSPResponseGetNonce should be assumed to go
    with it.
*/
void SecOCSPResponseFinalize(SecOCSPResponseRef ocspResponse);
/* Returns the SingleResponse in ocspResponse that matches the given request
   (presumably by CertID; confirm with the implementation), or NULL when
   nothing matches. The caller owns the result and must release it with
   SecOCSPSingleResponseDestroy. A match says nothing about freshness or who
   signed the response; check SecOCSPSingleResponseCalculateValidity and
   SecOCSPResponseCopySigner as well. */
SecOCSPSingleResponseRef SecOCSPResponseCopySingleResponse(
    SecOCSPResponseRef ocspResponse, SecOCSPRequestRef request);
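/* DefaultTTL is how long past the thisUpdate time we trust a response without a nextUpdate field.
   Returns true when the single response is valid at verifyTime.
   singleResponse: the entry to test.
   defaultTTL:     a duration, so it is declared as CFTimeInterval to match
                   SecOCSPResponseCalculateValidity (it was CFAbsoluteTime;
                   both are double, so the ABI is unchanged).
   verifyTime:     the instant to evaluate against; pass the current time and
                   never derive it from untrusted input.
   First parameter renamed from `this`, a C++ / Objective-C++ keyword. */
bool SecOCSPSingleResponseCalculateValidity(SecOCSPSingleResponseRef singleResponse,
    CFTimeInterval defaultTTL, CFAbsoluteTime verifyTime);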
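/* Find the eventual SCTs from the single response extensions.
   Returns the SCT array parsed from the extension (the scts field), or
   presumably NULL when none is present. Per the CF Copy rule the caller
   must CFRelease the result. Parameter renamed from `this`, a C++ /
   Objective-C++ keyword; ABI unchanged. */
CFArrayRef SecOCSPSingleResponseCopySCTs(SecOCSPSingleResponseRef singleResponse);

/* Frees a SecOCSPSingleResponseRef obtained from
   SecOCSPResponseCopySingleResponse. Parameter renamed from `this`. */
void SecOCSPSingleResponseDestroy(SecOCSPSingleResponseRef singleResponse);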
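/* Returns the SecCertificateRef whose leaf signed this ocspResponse if
   we can find one and NULL if we can't find a valid signer. The issuerPath
   contains the cert chain from the anchor to the certificate that issued the
   leaf certificate for which this ocspResponse is supposed to be valid.
   NOTE(review): despite the name and the text above, issuerPath is typed as a
   single SecCertificateRef, not a path; presumably it is the issuer of the
   leaf being checked - confirm against the implementation and callers.
   A non-NULL result is the only signal in this header that the response is
   authenticated; treat a NULL result as "not verified", not as "unknown".
   Per the CF Copy rule the caller must CFRelease the result.
   First parameter renamed from `this`, a C++ / Objective-C++ keyword; the
   ABI is unchanged. */
SecCertificateRef SecOCSPResponseCopySigner(SecOCSPResponseRef ocspResponse,
    SecCertificateRef issuerPath);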
165 #endif /* !_SECURITY_SECOCSPRESPONSE_H_ */