Back to index

lightning-sunbird  0.9+nobinonly
ocsp.h
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 
00037 /*
00038  * Interface to the OCSP implementation.
00039  *
00040  * $Id: ocsp.h,v 1.6.28.1 2006/02/03 18:16:45 kaie%kuix.de Exp $
00041  */
00042 
00043 #ifndef _OCSP_H_
00044 #define _OCSP_H_
00045 
00046 
00047 #include "plarena.h"
00048 #include "seccomon.h"
00049 #include "secoidt.h"
00050 #include "keyt.h"
00051 #include "certt.h"
00052 #include "ocspt.h"
00053 
00054 
00055 /************************************************************************/
00056 SEC_BEGIN_PROTOS
00057 
00058 /*
00059  * This function registers the HttpClient with whose functions the
00060  * HttpClientFcn structure have been populated as the default Http
00061  * client.
00062  *
00063  * The function table must be a global object.
00064  * The caller must ensure that NSS will be able to call
00065  * the registered functions for the lifetime of the process.
00066  */
00067 extern SECStatus
00068 SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);
00069 
00070 /*
00071  * FUNCTION: CERT_EnableOCSPChecking
00072  *   Turns on OCSP checking for the given certificate database.
00073  * INPUTS:
00074  *   CERTCertDBHandle *handle
00075  *     Certificate database for which OCSP checking will be enabled.
00076  * RETURN:
00077  *   Returns SECFailure if an error occurred (likely only problem
00078  *   allocating memory); SECSuccess otherwise.
00079  */
00080 extern SECStatus
00081 CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
00082 
00083 /*
00084  * FUNCTION: CERT_DisableOCSPChecking
00085  *   Turns off OCSP checking for the given certificate database.
00086  *   This routine disables OCSP checking.  Though it will return
00087  *   SECFailure if OCSP checking is not enabled, it is "safe" to
00088  *   call it that way and just ignore the return value, if it is
00089  *   easier to just call it than to "remember" whether it is enabled.
00090  * INPUTS:
00091  *   CERTCertDBHandle *handle
00092  *     Certificate database for which OCSP checking will be disabled.
00093  * RETURN:
00094  *   Returns SECFailure if an error occurred (usually means that OCSP
00095  *   checking was not enabled or status contexts were not initialized --
00096  *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
00097  */
00098 extern SECStatus
00099 CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
00100 
00101 /*
00102  * FUNCTION: CERT_SetOCSPDefaultResponder
00103  *   Specify the location and cert of the default responder.
00104  *   If OCSP checking is already enabled *and* use of a default responder
00105  *   is also already enabled, all OCSP checking from now on will go directly
00106  *   to the specified responder.  If OCSP checking is not enabled, or if
00107  *   it is but use of a default responder is not enabled, the information
00108  *   will be recorded and take effect whenever both are enabled.
00109  * INPUTS:
00110  *   CERTCertDBHandle *handle
00111  *     Cert database on which OCSP checking should use the default responder.
00112  *   char *url
00113  *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
00114  *     Note that the location will not be tested until the first attempt
00115  *     to send a request there.
00116  *   char *name
00117  *     The nickname of the cert to trust (expected) to sign the OCSP responses.
00118  *     If the corresponding cert cannot be found, SECFailure is returned.
00119  * RETURN:
00120  *   Returns SECFailure if an error occurred; SECSuccess otherwise.
00121  *   The most likely error is that the cert for "name" could not be found
00122  *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
00123  *   bad database, etc.).
00124  */
00125 extern SECStatus
00126 CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
00127                           const char *url, const char *name);
00128 
00129 /*
00130  * FUNCTION: CERT_EnableOCSPDefaultResponder
00131  *   Turns on use of a default responder when OCSP checking.
00132  *   If OCSP checking is already enabled, this will make subsequent checks
00133  *   go directly to the default responder.  (The location of the responder
00134  *   and the nickname of the responder cert must already be specified.)
00135  *   If OCSP checking is not enabled, this will be recorded and take effect
00136  *   whenever it is enabled.
00137  * INPUTS:
00138  *   CERTCertDBHandle *handle
00139  *     Cert database on which OCSP checking should use the default responder.
00140  * RETURN:
00141  *   Returns SECFailure if an error occurred; SECSuccess otherwise.
00142  *   No errors are especially likely unless the caller did not previously
00143  *   perform a successful call to SetOCSPDefaultResponder (in which case
00144  *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
00145  */
00146 extern SECStatus
00147 CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
00148 
00149 /*
00150  * FUNCTION: CERT_DisableOCSPDefaultResponder
00151  *   Turns off use of a default responder when OCSP checking.
00152  *   (Does nothing if use of a default responder is not enabled.)
00153  * INPUTS:
00154  *   CERTCertDBHandle *handle
00155  *     Cert database on which OCSP checking should stop using a default
00156  *     responder.
00157  * RETURN:
00158  *   Returns SECFailure if an error occurred; SECSuccess otherwise.
00159  *   Errors very unlikely (like random memory corruption...).
00160  */
00161 extern SECStatus
00162 CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
00163 
00164 /*
00165  * -------------------------------------------------------
00166  * The Functions above are those expected to be used by a client
00167  * providing OCSP status checking along with every cert verification.
00168  * The functions below are for OCSP testing, debugging, or clients
00169  * or servers performing more specialized OCSP tasks.
00170  * -------------------------------------------------------
00171  */
00172 
00173 /*
00174  * FUNCTION: CERT_CreateOCSPRequest
00175  *   Creates a CERTOCSPRequest, requesting the status of the certs in 
00176  *   the given list.
00177  * INPUTS:
00178  *   CERTCertList *certList
00179  *     A list of certs for which status will be requested.
00180  *     Note that all of these certificates should have the same issuer,
00181  *     or it's expected the response will be signed by a trusted responder.
00182  *     If the certs need to be broken up into multiple requests, that
00183  *     must be handled by the caller (and thus by having multiple calls
00184  *     to this routine), who knows about where the request(s) are being
00185  *     sent and whether there are any trusted responders in place.
00186  *   int64 time
00187  *     Indicates the time for which the certificate status is to be 
00188  *     determined -- this may be used in the search for the cert's issuer
00189  *     but has no effect on the request itself.
00190  *   PRBool addServiceLocator
00191  *     If true, the Service Locator extension should be added to the
00192  *     single request(s) for each cert.
00193  *   CERTCertificate *signerCert
00194  *     If non-NULL, means sign the request using this cert.  Otherwise,
00195  *     do not sign.
00196  *     XXX note that request signing is not yet supported; see comment in code
00197  * RETURN:
00198  *   A pointer to a CERTOCSPRequest structure containing an OCSP request
00199  *   for the cert list.  On error, null is returned, with an error set
00200  *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
00201  *   (The issuer is needed to create a request for the certificate.)
00202  *   Other errors are low-level problems (no memory, bad database, etc.).
00203  */
00204 extern CERTOCSPRequest *
00205 CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
00206                      PRBool addServiceLocator,
00207                      CERTCertificate *signerCert);
00208 
00209 /*
00210  * FUNCTION: CERT_AddOCSPAcceptableResponses
00211  *   Add the AcceptableResponses extension to an OCSP Request.
00212  * INPUTS:
00213  *   CERTOCSPRequest *request
00214  *     The request to which the extension should be added.
00215  *   SECOidTag responseType0, ...
00216  *     A list (of one or more) of SECOidTag -- each of the response types
00217  *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
00218  *     (This marks the end of the list, and it must be specified because a
00219  *     client conforming to the OCSP standard is required to handle the basic
00220  *     response type.)  The OIDs are not checked in any way.
00221  * RETURN:
00222  *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
00223  *   All errors are internal or low-level problems (e.g. no memory).
00224  */
00225 extern SECStatus
00226 CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
00227                             SECOidTag responseType0, ...);
00228 
00229 /* 
00230  * FUNCTION: CERT_EncodeOCSPRequest
00231  *   DER encodes an OCSP Request, possibly adding a signature as well.
00232  *   XXX Signing is not yet supported, however; see comments in code.
00233  * INPUTS: 
00234  *   PRArenaPool *arena
00235  *     The return value is allocated from here.
00236  *     If a NULL is passed in, allocation is done from the heap instead.
00237  *   CERTOCSPRequest *request
00238  *     The request to be encoded.
00239  *   void *pwArg
00240  *     Pointer to argument for password prompting, if needed.  (Definitely
00241  *     not needed if not signing.)
00242  * RETURN:
00243  *   Returns a NULL on error and a pointer to the SECItem with the
00244  *   encoded value otherwise.  Any error is likely to be low-level
00245  *   (e.g. no memory).
00246  */
00247 extern SECItem *
00248 CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
00249                      void *pwArg);
00250 
00251 /*
00252  * FUNCTION: CERT_DecodeOCSPRequest
00253  *   Decode a DER encoded OCSP Request.
00254  * INPUTS:
00255  *   SECItem *src
00256  *     Pointer to a SECItem holding DER encoded OCSP Request.
00257  * RETURN:
00258  *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
00259  *   On error, returns NULL.  Most likely error is trouble decoding
00260  *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
00261  */
00262 extern CERTOCSPRequest *
00263 CERT_DecodeOCSPRequest(SECItem *src);
00264 
00265 /*
00266  * FUNCTION: CERT_DestroyOCSPRequest
00267  *   Frees an OCSP Request structure.
00268  * INPUTS:
00269  *   CERTOCSPRequest *request
00270  *     Pointer to CERTOCSPRequest to be freed.
00271  * RETURN:
00272  *   No return value; no errors.
00273  */
00274 extern void
00275 CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
00276 
00277 /*
00278  * FUNCTION: CERT_DecodeOCSPResponse
00279  *   Decode a DER encoded OCSP Response.
00280  * INPUTS:
00281  *   SECItem *src
00282  *     Pointer to a SECItem holding DER encoded OCSP Response.
00283  * RETURN:
00284  *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
00285  *   the caller is responsible for destroying it.  Or NULL if error (either
00286  *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
00287  *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
00288  *   or a low-level or internal error occurred).
00289  */
00290 extern CERTOCSPResponse *
00291 CERT_DecodeOCSPResponse(SECItem *src);
00292 
00293 /*
00294  * FUNCTION: CERT_DestroyOCSPResponse
00295  *   Frees an OCSP Response structure.
00296  * INPUTS:
00297  *   CERTOCSPResponse *request
00298  *     Pointer to CERTOCSPResponse to be freed.
00299  * RETURN:
00300  *   No return value; no errors.
00301  */
00302 extern void
00303 CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
00304 
00305 /*
00306  * FUNCTION: CERT_GetEncodedOCSPResponse
00307  *   Creates and sends a request to an OCSP responder, then reads and
00308  *   returns the (encoded) response.
00309  * INPUTS:
00310  *   PRArenaPool *arena
00311  *     Pointer to arena from which return value will be allocated.
00312  *     If NULL, result will be allocated from the heap (and thus should
00313  *     be freed via SECITEM_FreeItem).
00314  *   CERTCertList *certList
00315  *     A list of certs for which status will be requested.
00316  *     Note that all of these certificates should have the same issuer,
00317  *     or it's expected the response will be signed by a trusted responder.
00318  *     If the certs need to be broken up into multiple requests, that
00319  *     must be handled by the caller (and thus by having multiple calls
00320  *     to this routine), who knows about where the request(s) are being
00321  *     sent and whether there are any trusted responders in place.
00322  *   char *location
00323  *     The location of the OCSP responder (a URL).
00324  *   int64 time
00325  *     Indicates the time for which the certificate status is to be 
00326  *     determined -- this may be used in the search for the cert's issuer
00327  *     but has no other bearing on the operation.
00328  *   PRBool addServiceLocator
00329  *     If true, the Service Locator extension should be added to the
00330  *     single request(s) for each cert.
00331  *   CERTCertificate *signerCert
00332  *     If non-NULL, means sign the request using this cert.  Otherwise,
00333  *     do not sign.
00334  *   void *pwArg
00335  *     Pointer to argument for password prompting, if needed.  (Definitely
00336  *     not needed if not signing.)
00337  * OUTPUTS:
00338  *   CERTOCSPRequest **pRequest
00339  *     Pointer in which to store the OCSP request created for the given
00340  *     list of certificates.  It is only filled in if the entire operation
00341  *     is successful and the pointer is not null -- and in that case the
00342  *     caller is then reponsible for destroying it.
00343  * RETURN:
00344  *   Returns a pointer to the SECItem holding the response.
00345  *   On error, returns null with error set describing the reason:
00346  *     SEC_ERROR_UNKNOWN_ISSUER
00347  *     SEC_ERROR_CERT_BAD_ACCESS_LOCATION
00348  *     SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
00349  *   Other errors are low-level problems (no memory, bad database, etc.).
00350  */
00351 extern SECItem *
00352 CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
00353                          char *location, int64 time,
00354                          PRBool addServiceLocator,
00355                          CERTCertificate *signerCert, void *pwArg,
00356                          CERTOCSPRequest **pRequest);
00357 
00358 /*
00359  * FUNCTION: CERT_VerifyOCSPResponseSignature
00360  *   Check the signature on an OCSP Response.  Will also perform a
00361  *   verification of the signer's certificate.  Note, however, that a
00362  *   successful verification does not make any statement about the
00363  *   signer's *authority* to provide status for the certificate(s),
00364  *   that must be checked individually for each certificate.
00365  * INPUTS:
00366  *   CERTOCSPResponse *response
00367  *     Pointer to response structure with signature to be checked.
00368  *   CERTCertDBHandle *handle
00369  *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
00370  *   void *pwArg
00371  *     Pointer to argument for password prompting, if needed.
00372  *   CERTCertificate *issuerCert
00373  *     Issuer of the certificate that generated the OCSP request.
00374  * OUTPUTS:
00375  *   CERTCertificate **pSignerCert
00376  *     Pointer in which to store signer's certificate; only filled-in if
00377  *     non-null.
00378  * RETURN:
00379  *   Returns SECSuccess when signature is valid, anything else means invalid.
00380  *   Possible errors set:
00381  *     SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
00382  *     SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
00383  *     SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
00384  *     SEC_ERROR_BAD_SIGNATURE - the signature did not verify
00385  *   Other errors are any of the many possible failures in cert verification
00386  *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
00387  *   verifying the signer's cert, or low-level problems (no memory, etc.)
00388  */
00389 extern SECStatus
00390 CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,   
00391                              CERTCertDBHandle *handle, void *pwArg,
00392                              CERTCertificate **pSignerCert,
00393                              CERTCertificate *issuerCert);
00394 
00395 /*
00396  * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
00397  *   Get the value of the URI of the OCSP responder for the given cert.
00398  *   This is found in the (optional) Authority Information Access extension
00399  *   in the cert.
00400  * INPUTS:
00401  *   CERTCertificate *cert
00402  *     The certificate being examined.
00403  * RETURN:
00404  *   char *
00405  *     A copy of the URI for the OCSP method, if found.  If either the
00406  *     extension is not present or it does not contain an entry for OCSP,
00407  *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
00408  *     Any other error will also result in a NULL being returned.
00409  *     
00410  *     This result should be freed (via PORT_Free) when no longer in use.
00411  */
00412 extern char *
00413 CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
00414 
00415 /*
00416  * FUNCTION: CERT_CheckOCSPStatus
00417  *   Checks the status of a certificate via OCSP.  Will only check status for
00418  *   a certificate that has an AIA (Authority Information Access) extension
00419  *   for OCSP *or* when a "default responder" is specified and enabled.
00420  *   (If no AIA extension for OCSP and no default responder in place, the
00421  *   cert is considered to have a good status and SECSuccess is returned.)
00422  * INPUTS:
00423  *   CERTCertDBHandle *handle
00424  *     certificate DB of the cert that is being checked
00425  *   CERTCertificate *cert
00426  *     the certificate being checked
00427  *   XXX in the long term also need a boolean parameter that specifies
00428  *     whether to check the cert chain, as well; for now we check only
00429  *     the leaf (the specified certificate)
00430  *   int64 time
00431  *     time for which status is to be determined
00432  *   void *pwArg
00433  *     argument for password prompting, if needed
00434  * RETURN:
00435  *   Returns SECSuccess if an approved OCSP responder "knows" the cert
00436  *   *and* returns a non-revoked status for it; SECFailure otherwise,
00437  *   with an error set describing the reason:
00438  *
00439  *     SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
00440  *     SEC_ERROR_OCSP_FUTURE_RESPONSE
00441  *     SEC_ERROR_OCSP_MALFORMED_REQUEST
00442  *     SEC_ERROR_OCSP_MALFORMED_RESPONSE
00443  *     SEC_ERROR_OCSP_OLD_RESPONSE
00444  *     SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
00445  *     SEC_ERROR_OCSP_SERVER_ERROR
00446  *     SEC_ERROR_OCSP_TRY_SERVER_LATER
00447  *     SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
00448  *     SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
00449  *     SEC_ERROR_OCSP_UNKNOWN_CERT
00450  *     SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
00451  *     SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
00452  *
00453  *     SEC_ERROR_BAD_SIGNATURE
00454  *     SEC_ERROR_CERT_BAD_ACCESS_LOCATION
00455  *     SEC_ERROR_INVALID_TIME
00456  *     SEC_ERROR_REVOKED_CERTIFICATE
00457  *     SEC_ERROR_UNKNOWN_ISSUER
00458  *     SEC_ERROR_UNKNOWN_SIGNER
00459  *
00460  *   Other errors are any of the many possible failures in cert verification
00461  *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
00462  *   verifying the signer's cert, or low-level problems (error allocating
00463  *   memory, error performing ASN.1 decoding, etc.).
00464  */    
00465 extern SECStatus 
00466 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
00467                    int64 time, void *pwArg);
00468 /*
00469  * FUNCTION: CERT_GetOCSPStatusForCertID
00470  *  Returns the OCSP status contained in the passed in paramter response
00471  *  that corresponds to the certID passed in.
00472  * INPUTS:
00473  *  CERTCertDBHandle *handle
00474  *    certificate DB of the cert that is being checked
00475  *  CERTOCSPResponse *response
00476  *    the OCSP response we want to retrieve status from.
00477  *  CERTOCSPCertID *certID
00478  *    the ID we want to look for from the response.
00479  *  CERTCertificate *signerCert
00480  *    the certificate that was used to sign the OCSP response.
00481  *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
00482  *  int64 time
00483  *    The time at which we're checking the status for.
00484  *  RETURN:
00485  *    Return values are the same as those for CERT_CheckOCSPStatus
00486  */
00487 extern SECStatus
00488 CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
00489                          CERTOCSPResponse *response,
00490                          CERTOCSPCertID   *certID,
00491                          CERTCertificate  *signerCert,
00492                             int64             time);
00493 
00494 /*
00495  * FUNCTION CERT_GetOCSPResponseStatus
00496  *   Returns the response status for the response passed.
00497  * INPUTS:
00498  *   CERTOCSPResponse *response
00499  *     The response to query for status
00500  *  RETURN:
00501  *    Returns SECSuccess if the response has a successful status value.
00502  *    Otherwise it returns SECFailure and sets one of the following error
00503  *    codes via PORT_SetError
00504  *        SEC_ERROR_OCSP_MALFORMED_REQUEST
00505  *        SEC_ERROR_OCSP_SERVER_ERROR
00506  *        SEC_ERROR_OCSP_TRY_SERVER_LATER
00507  *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
00508  *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
00509  *        SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
00510  */
00511 extern SECStatus
00512 CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
00513 
00514 /*
00515  * FUNCTION CERT_CreateOCSPCertID
00516  *  Returns the OCSP certID for the certificate passed in.
00517  * INPUTS:
00518  *  CERTCertificate *cert
00519  *    The certificate for which to create the certID for.
00520  *  int64 time
00521  *    The time at which the id is requested for.  This is used
00522  *    to determine the appropriate issuer for the cert since
00523  *    the issuing CA may be an older expired certificate.
00524  *  RETURN:
00525  *    A new copy of a CERTOCSPCertID*.  The memory for this certID
00526  *    should be freed by calling CERT_DestroyOCSPCertID when the 
00527  *    certID is no longer necessary.
00528  */
00529 extern CERTOCSPCertID*
00530 CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time);
00531 
00532 /*
00533  * FUNCTION: CERT_DestroyOCSPCertID
00534  *  Frees the memory associated with the certID passed in.
00535  * INPUTS:
00536  *  CERTOCSPCertID* certID
00537  *    The certID that the caller no longer needs and wants to 
00538  *    free the associated memory.
00539  * RETURN:
00540  *  SECSuccess if freeing the memory was successful.  Returns
00541  *  SECFailure if the memory passed in was not allocated with
00542  *  a call to CERT_CreateOCSPCertID.
00543  */
00544 extern SECStatus
00545 CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
00546 /************************************************************************/
00547 SEC_END_PROTOS
00548 
00549 #endif /* _OCSP_H_ */