[ocsp] Centralise test for whether or not an OCSP check is required
1 #ifndef _IPXE_OCSP_H
2 #define _IPXE_OCSP_H
3
4 /** @file
5 *
6 * Online Certificate Status Protocol
7 *
8 */
9
10 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
11
12 #include <stdarg.h>
13 #include <time.h>
14 #include <ipxe/asn1.h>
15 #include <ipxe/x509.h>
16 #include <ipxe/refcnt.h>
17
/** OCSP algorithm identifier
 *
 * Expands to the DER byte sequence of an AlgorithmIdentifier whose
 * algorithm OID is given by the variadic arguments: the OID tag, the
 * OID length (the number of arguments), the OID bytes themselves, and
 * then an explicit NULL parameters field (ASN1_NULL with length zero).
 */
#define OCSP_ALGORITHM_IDENTIFIER( ... )				\
	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\
	ASN1_NULL, 0x00

/* OCSP response statuses
 *
 * Values of the OCSPResponseStatus enumeration (RFC 6960); value 4 is
 * deliberately unassigned in the RFC, which is why it is absent here.
 */
#define OCSP_STATUS_SUCCESSFUL		0x00	/* Response is valid */
#define OCSP_STATUS_MALFORMED_REQUEST	0x01	/* Illegal confirmation request */
#define OCSP_STATUS_INTERNAL_ERROR	0x02	/* Internal error in issuer */
#define OCSP_STATUS_TRY_LATER		0x03	/* Try again later */
#define OCSP_STATUS_SIG_REQUIRED	0x05	/* Must sign the request */
#define OCSP_STATUS_UNAUTHORIZED	0x06	/* Request unauthorized */
30
31 struct ocsp_check;
32
/** An OCSP request
 *
 * Holds the ASN.1 builder used to construct the outgoing request and a
 * cursor to the CertID it encodes.
 */
struct ocsp_request {
	/** Request builder (the serialised request is produced here) */
	struct asn1_builder builder;
	/** Certificate ID
	 *
	 * NOTE(review): presumably points into the builder's output and
	 * is matched against the CertID in the response — confirm in the
	 * defining .c file.
	 */
	struct asn1_cursor cert_id;
};
40
/** An OCSP responder
 *
 * Identifies the entity that signed an OCSP response, so that the
 * signing certificate can be located and the response signature
 * checked against it.
 */
struct ocsp_responder {
	/**
	 * Check if certificate is the responder's certificate
	 *
	 * The comparison semantics (e.g. by name or by key hash) are
	 * chosen by whichever code installs this method; they are not
	 * visible in this header.
	 *
	 * @v ocsp		OCSP check
	 * @v cert		Certificate
	 * @ret difference	Difference as returned by memcmp()
	 */
	int ( * compare ) ( struct ocsp_check *ocsp,
			    struct x509_certificate *cert );
	/** Responder ID (raw ASN.1 cursor into the response) */
	struct asn1_cursor id;
};
55
/** An OCSP response
 *
 * A parsed OCSP response: the raw bytes, cursors into the signed
 * portion, the validity window of the status it reports, and the
 * signature (plus, once found, the certificate that produced it).
 */
struct ocsp_response {
	/** Raw response
	 *
	 * NOTE(review): ownership of this buffer (who frees it) is not
	 * visible here — confirm in the defining .c file.
	 */
	void *data;
	/** Raw tbsResponseData (the portion covered by the signature) */
	struct asn1_cursor tbs;
	/** Responder */
	struct ocsp_responder responder;
	/** Time at which status is known to be correct */
	time_t this_update;
	/** Time at which newer status information will be available
	 *
	 * Together with this_update this bounds the period for which the
	 * reported status may be trusted; presumably enforced by
	 * ocsp_validate() — confirm there.
	 */
	time_t next_update;
	/** Signature algorithm */
	struct asn1_algorithm *algorithm;
	/** Signature value */
	struct asn1_bit_string signature;
	/** Signing certificate
	 *
	 * NOTE(review): whether this holds its own reference on the
	 * certificate is not visible here — confirm before adding code
	 * that drops or replaces it.
	 */
	struct x509_certificate *signer;
};
75
/** An OCSP check
 *
 * Reference-counted state for checking the revocation status of one
 * certificate against its issuer: the request to send, the URI to send
 * it to, and the response once received.
 */
struct ocsp_check {
	/** Reference count (manipulated via ocsp_get() / ocsp_put()) */
	struct refcnt refcnt;
	/** Certificate being checked */
	struct x509_certificate *cert;
	/** Issuing certificate */
	struct x509_certificate *issuer;
	/** URI string
	 *
	 * NOTE(review): presumably derived from the certificate's
	 * authority information access extension and freed when the
	 * check is released — confirm in the defining .c file.
	 */
	char *uri_string;
	/** Request */
	struct ocsp_request request;
	/** Response */
	struct ocsp_response response;
};
91
/**
 * Get reference to OCSP check
 *
 * Increments the check's reference count and hands the same pointer
 * back so the call can be used inline when storing the check elsewhere.
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) struct ocsp_check *
ocsp_get ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_get ( refcnt );
	return ocsp;
}
103
/**
 * Drop reference to OCSP check
 *
 * Decrements the check's reference count; the check must not be used
 * through this pointer afterwards unless the caller holds another
 * reference.
 *
 * @v ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) void
ocsp_put ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_put ( refcnt );
}
113
/**
 * Check if X.509 certificate requires an OCSP check
 *
 * A check is required only while the certificate advertises an OCSP
 * URI and its OCSP status has not yet been established as good.  Note
 * that a certificate carrying no OCSP URI is never subjected to an
 * OCSP check by this test, so its revocation status is not verified
 * via this path.
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {

	/* No OCSP URI advertised: nothing to check */
	if ( ! cert->extensions.auth_info.ocsp.uri.len )
		return 0;

	/* A URI exists: a check remains required until the status is
	 * known to be good (the "good" flag is presumably set once a
	 * valid response has been processed — confirm in the defining
	 * .c file).
	 */
	return ( ! cert->extensions.auth_info.ocsp.good );
}
128
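/* Start an OCSP check of @c cert, using @c issuer as the issuing
 * certificate.  On success a check is returned via @c ocsp; it is
 * presumably a fresh reference to be released with ocsp_put() —
 * confirm against the definition in the .c file.
 */
extern int ocsp_check ( struct x509_certificate *cert,
			struct x509_certificate *issuer,
			struct ocsp_check **ocsp );
/* Feed the raw OCSP response (@c len bytes at @c data) into the check.
 * The data is not modified here (const); whether it is copied or
 * retained by reference is not visible from this header.
 */
extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
			   size_t len );
/* Validate the received response as of time @c time.  Parameter renamed
 * from "check" to "ocsp" to match the other prototypes and the inline
 * helpers above; prototype parameter names have no effect on callers.
 */
extern int ocsp_validate ( struct ocsp_check *ocsp, time_t time );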
135
136 #endif /* _IPXE_OCSP_H */