--- /dev/null
+/*
+ * Copyright (c) 2004,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * ocspResponse.h - OCSP Response class
+ */
+
+#ifndef _OCSP_RESPONSE_H_
+#define _OCSP_RESPONSE_H_
+
+#include <security_ocspd/ocspExtensions.h>
+#include <Security/ocspTemplates.h>
+#include <Security/certextensions.h>
+#include <Security/SecAsn1Coder.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+/* used to indicate "I don't know the CRLReason" */
+#define CrlReason_NONE ((CE_CrlReason)-1)
+
+/*
+ * CertIDs can be represented differently by two peers even though they refer to
+ * the same cert. Client can use SHA1 hash and server can use MD5, for example.
+ * So all of our code which creates a CertID based on known, existing subject and
+ * issuer certs uses one of these "smart" certIDs which can encode itself and also
+ * compare against any form of existing SecAsn1OCSPCertID.
+ */
+class OCSPClientCertID
+{
+ NOCOPY(OCSPClientCertID);
+public:
+ /*
+ * Basic constructor given issuer's public key and name, and subject's
+ * serial number.
+ */
+ OCSPClientCertID(
+ const CSSM_DATA &issuerName,
+ const CSSM_DATA &issuerPubKey,
+ const CSSM_DATA &subjectSerial);
+
+ ~OCSPClientCertID();
+
+ /*
+ * DER encode.
+ */
+ const CSSM_DATA *encode();
+
+ /*
+ * Does this object refer to the same cert as specified SecAsn1OCSPCertID?
+ * This is the main purpose of this class's existence; this function works
+ * even if specified SecAsn1OCSPCertID uses a different hash algorithm
+ * than we do, since we keep copies of our basic components.
+ *
+ * Returns true if compare successful.
+ */
+ bool compareToExist(
+ const SecAsn1OCSPCertID &exist);
+
+ /*
+ * Convenience function, like compareToExist, with a raw encoded CertID.
+ */
+ bool compareToExist(
+ const CSSM_DATA &exist);
+
+private:
+ CSSM_DATA mIssuerName;
+ CSSM_DATA mIssuerPubKey;
+ CSSM_DATA mSubjectSerial;
+ CSSM_DATA mEncoded;
+};
+
+/*
+ * Object representing one SecAsn1OCSPSingleResponse, i.e., the portion of
+ * an OCSP response associated with a single CertID. These are created and
+ * vended solely by an OCSPResponse object. The client which gets them from
+ * an OCSPResponse (via singleResponse()) must delete the object when finished
+ * with it.
+ */
+class OCSPSingleResponse
+{
+ NOCOPY(OCSPSingleResponse);
+public:
+ /* only OCSPResponse creates these */
+ ~OCSPSingleResponse();
+ friend class OCSPResponse;
+protected:
+
+ OCSPSingleResponse(
+ SecAsn1OCSPSingleResponse *resp);
+public:
+ SecAsn1OCSPCertStatusTag certStatus() { return mCertStatus; }
+ CFAbsoluteTime thisUpdate() { return mThisUpdate; }
+ CFAbsoluteTime nextUpdate() { return mNextUpdate; }
+ CFAbsoluteTime revokedTime() { return mRevokedTime; }
+ CE_CrlReason crlReason() { return mCrlReason; }
+
+ /* Extension accessors - all are optional */
+
+ /* CRL Reference */
+ const CSSM_DATA *crlUrl();
+ const CSSM_DATA *crlNum();
+ CFAbsoluteTime crlTime(); /* may be NULL_TIME */
+
+ /* archive cutoff */
+ CFAbsoluteTime archiveCutoff();
+
+ /* service locator not implemented yet */
+private:
+ SecAsn1CoderRef mCoder;
+ SecAsn1OCSPCertStatusTag mCertStatus;
+ CFAbsoluteTime mThisUpdate;
+ CFAbsoluteTime mNextUpdate; /* may be NULL_TIME */
+ CFAbsoluteTime mRevokedTime; /* != NULL_TIME for CS_Revoked */
+ CE_CrlReason mCrlReason;
+ OCSPExtensions *mExtensions;
+};
+
+/*
+ * OCSPResponse maintains its own temporal validity status based on the values of
+ * all of the enclosed SingleResponses' thisUpdate and (optional) nextUpdate
+ * fields, in addition to a default time-to-live (TTL) value passed to
+ * OCSPResponse's constructor.
+ *
+ * First, all of the thisUpdate fields are checked during OCSPResponse's constructor.
+ * if any of these are later than the current time, the entire response is considered
+ * invalid and the constructor throws a CssmError(CSSMERR_APPLETP_OCSP_BAD_RESPONSE).
+ * Subsequent to construction, all thisUpdate fields are ignored.
+ *
+ * The NextUpdate times are handled as follows.
+ *
+ * 1. An OCSPResponse's latestNextUpdate is defined as the latest of all of the
+ * nextUpdate fields in its SingleResponses. This is evaluated during construction.
+ *
+ * 2. An OCSPResponse's latestNextUpdate is NULL_TIME if none of its SingleResponses
+ * contain any nextUpdate (this field is in fact optional).
+ *
+ * 3. The caller of OCSPResponse's constructor passes in a default time-to-live
+ * (TTL) in seconds; call this defaultTTL. Call the time at which the
+ * constructor is called, PLUS defaultTTL, "defaultExpire".
+ *
+ * -- If the OCSPResponse's latestNextUpdate is NULL_TIME then expireTime() returns
+ * defaultExpire.
+ *
+ * -- Otherwise, expireTime() returns the lesser of (latestNextUpdate,
+ * defaultExpire).
+ *
+ * Note that this mechanism is used by both the TP's in-core cache and ocspd's
+ * on-disk cache; the two have different default TTLs values but the mechanism
+ * for calcuating expireTime() is identical.
+ */
+class OCSPResponse
+{
+ NOCOPY(OCSPResponse)
+public:
+ /* only constructor, from DER encoded data */
+ OCSPResponse(
+ const CSSM_DATA &resp,
+ CFTimeInterval defaultTTL); // default time-to-live in seconds
+
+ ~OCSPResponse();
+
+ /*
+ * Info obtained during decode (which is don\ 1e immediately during constructor)
+ */
+ SecAsn1OCSPResponseStatus responseStatus();
+ const CSSM_DATA *nonce(); /* NULL means not present */
+ CFAbsoluteTime producedAt(); /* should always work */
+ CSSM_RETURN sigStatus();
+ uint32 numSignerCerts();
+ const CSSM_DATA *signerCert(uint32 dex);
+
+ /*
+ * Obtain a OCSPSingleResponse for a given CertID.
+ */
+ OCSPSingleResponse *singleResponseFor(OCSPClientCertID &certID);
+ OCSPSingleResponse *singleResponseFor(const CSSM_DATA &matchCertID);
+
+ CFAbsoluteTime expireTime() { return mExpireTime; }
+
+ /*
+ * Access to decoded data.
+ */
+ const SecAsn1OCSPResponseData &responseData() { return mResponseData; }
+ const SecAsn1OCSPBasicResponse &basicResponse() { return mBasicResponse; }
+ const SecAsn1OCSPResponderID &responderID() { return mResponderId; }
+ SecAsn1OCSPResponderIDTag responderIDTag() { return mResponderIdTag; }
+
+ const CSSM_DATA *encResponderName();
+
+private:
+ bool calculateValidity(CFTimeInterval defaultTTL);
+
+ SecAsn1CoderRef mCoder;
+ CFAbsoluteTime mLatestNextUpdate;
+ CFAbsoluteTime mExpireTime;
+ CSSM_DATA mEncResponderName; // encoded ResponderId.byName,
+ // if responder is in that format,
+ // lazily evaluated
+ /*
+ * Fields we decode - all in mCoder's memory space
+ */
+ SecAsn1OCSPResponse mTopResp;
+ SecAsn1OCSPBasicResponse mBasicResponse;
+ SecAsn1OCSPResponseData mResponseData;
+ SecAsn1OCSPResponderID mResponderId; // we have to decode
+ SecAsn1OCSPResponderIDTag mResponderIdTag; // IDs previous field
+ OCSPExtensions *mExtensions;
+};
+#endif /* _OCSP_RESPONSE_H_ */
+
projects / apple / security.git / blobdiff