/src/boringssl/include/openssl/pki/ocsp.h
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 2016 The Chromium Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #if !defined(OPENSSL_HEADER_BSSL_PKI_OCSP_H_) && defined(__cplusplus) |
16 | | #define OPENSSL_HEADER_BSSL_PKI_OCSP_H_ |
17 | | |
18 | | #include <openssl/base.h> // IWYU pragma: export |
19 | | #include <string_view> |
20 | | #include <optional> |
21 | | |
22 | | BSSL_NAMESPACE_BEGIN |
23 | | |
24 | | // The revocation status indicated by an OCSP verification. This value is |
25 | | // histogrammed in Chrome, so do not re-order or change values, and add new |
26 | | // values at the end. |
27 | | enum class OCSPRevocationStatus { |
28 | | GOOD = 0, |
29 | | REVOKED = 1, |
30 | | UNKNOWN = 2, |
31 | | MAX_VALUE = UNKNOWN |
32 | | }; |
33 | | |
34 | | // The result of OCSP verification. This always contains a ResponseStatus, which |
35 | | // describes whether or not an OCSP response was provided, and response level |
36 | | // errors. It optionally contains an OCSPRevocationStatus when |response_status |
37 | | // = PROVIDED|. For example, a stapled OCSP response matching the certificate, |
38 | | // and indicating a non-revoked status, will have |response_status = PROVIDED| |
39 | | // and |revocation_status = GOOD|. |
40 | | struct OPENSSL_EXPORT OCSPVerifyResult { |
41 | 0 | bool operator==(const OCSPVerifyResult &other) const { |
42 | 0 | if (response_status != other.response_status) { |
43 | 0 | return false; |
44 | 0 | } |
45 | 0 |
|
46 | 0 | if (response_status == PROVIDED) { |
47 | 0 | // |revocation_status| is only defined when |response_status| is PROVIDED. |
48 | 0 | return revocation_status == other.revocation_status; |
49 | 0 | } |
50 | 0 | return true; |
51 | 0 | } |
52 | | |
53 | | // This value is histogrammed in Chrome, so do not re-order or change values, |
54 | | // and add new values at the end. |
55 | | enum ResponseStatus { |
56 | | // OCSP verification was not checked on this connection. |
57 | | NOT_CHECKED = 0, |
58 | | |
59 | | // No OCSPResponse was stapled. |
60 | | MISSING = 1, |
61 | | |
62 | | // An up-to-date OCSP response was stapled and matched the certificate. |
63 | | PROVIDED = 2, |
64 | | |
65 | | // The stapled OCSP response did not have a SUCCESSFUL status. |
66 | | ERROR_RESPONSE = 3, |
67 | | |
68 | | // The OCSPResponseData field producedAt was outside the certificate |
69 | | // validity period. |
70 | | BAD_PRODUCED_AT = 4, |
71 | | |
72 | | // At least one OCSPSingleResponse was stapled, but none matched the |
73 | | // certificate. |
74 | | NO_MATCHING_RESPONSE = 5, |
75 | | |
76 | | // A matching OCSPSingleResponse was stapled, but was either expired or not |
77 | | // yet valid. |
78 | | INVALID_DATE = 6, |
79 | | |
80 | | // The OCSPResponse structure could not be parsed. |
81 | | PARSE_RESPONSE_ERROR = 7, |
82 | | |
83 | | // The OCSPResponseData structure could not be parsed. |
84 | | PARSE_RESPONSE_DATA_ERROR = 8, |
85 | | |
86 | | // Unhandled critical extension in either OCSPResponseData or |
87 | | // OCSPSingleResponse |
88 | | UNHANDLED_CRITICAL_EXTENSION = 9, |
89 | | RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION |
90 | | }; |
91 | | |
92 | | ResponseStatus response_status = NOT_CHECKED; |
93 | | |
94 | | // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN > |
95 | | // GOOD). Only valid if |response_status| = PROVIDED. |
96 | | OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN; |
97 | | }; |
98 | | |
99 | | // Checks the revocation status of the certificate |certificate_der| by using |
100 | | // the DER-encoded |raw_response|. |
101 | | // |
102 | | // Returns GOOD if the OCSP response indicates the certificate is not revoked, |
103 | | // REVOKED if it indicates it is revoked, or UNKNOWN for all other cases. |
104 | | // |
105 | | // * |raw_response|: A DER encoded OCSPResponse. |
106 | | // * |certificate_der|: The certificate being checked for revocation. |
107 | | // * |issuer_certificate_der|: The certificate that signed |certificate_der|. |
108 | | // The caller must have already performed path verification. |
109 | | // * |verify_time_epoch_seconds|: The time as the difference in seconds from |
110 | | // the POSIX epoch to use when checking revocation status. |
111 | | // * |max_age_seconds|: The maximum age in seconds for a CRL, implemented as |
112 | | // time since the |thisUpdate| field in the CRL TBSCertList. Responses |
113 | | // older than |max_age_seconds| will be considered invalid. |
114 | | // * |response_details|: Additional details about failures. |
115 | | [[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus CheckOCSP( |
116 | | std::string_view raw_response, std::string_view certificate_der, |
117 | | std::string_view issuer_certificate_der, int64_t verify_time_epoch_seconds, |
118 | | std::optional<int64_t> max_age_seconds, |
119 | | OCSPVerifyResult::ResponseStatus *response_details); |
120 | | |
121 | | BSSL_NAMESPACE_END |
122 | | |
123 | | #endif // OPENSSL_HEADER_BSSL_PKI_OCSP_H_ && __cplusplus |