security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h

   1 /* This Source Code Form is subject to the terms of the Mozilla Public
   2  * License, v. 2.0. If a copy of the MPL was not distributed with this
   3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   4
   5 // Implements generating OCSP responses of various types. Used by the
   6 // programs in tlsserver/cmd.
   7
   8 #ifndef OCSPCommon_h
   9 #define OCSPCommon_h
  10
  11 #include "ScopedNSSTypes.h"
  12 #include "certt.h"
  13 #include "mozpkix/test/pkixtestutil.h"
  14 #include "seccomon.h"
  15
  16 enum OCSPResponseType {
  17   ORTNull = 0,
  18   ORTGood,               // the certificate is good
  19   ORTRevoked,            // the certificate has been revoked
  20   ORTRevokedOld,         // same, but the response is old
  21   ORTUnknown,            // the responder doesn't know if the cert is good
  22   ORTUnknownOld,         // same, but the response is old
  23   ORTGoodOtherCert,      // the response references a different certificate
  24   ORTGoodOtherCA,        // the wrong CA has signed the response
  25   ORTExpired,            // the signature on the response has expired
  26   ORTExpiredFreshCA,     // fresh signature, but old validity period
  27   ORTNone,               // no stapled response
  28   ORTEmpty,              // an empty stapled response
  29   ORTMalformed,          // the response from the responder was malformed
  30   ORTSrverr,             // the response indicates there was a server error
  31   ORTTryLater,           // the responder replied with "try again later"
  32   ORTNeedsSig,           // the response needs a signature
  33   ORTUnauthorized,       // the responder is not authorized for this certificate
  34   ORTBadSignature,       // the response has a signature that does not verify
  35   ORTSkipResponseBytes,  // the response does not include responseBytes
  36   ORTCriticalExtension,  // the response includes a critical extension
  37   ORTNoncriticalExtension,  // the response includes an extension that is not
  38                             // critical
  39   ORTEmptyExtensions,  // the response includes a SEQUENCE OF Extension that is
  40                        // empty
  41   ORTDelegatedIncluded,      // the response is signed by an included delegated
  42                              // responder
  43   ORTDelegatedIncludedLast,  // same, but multiple other certificates are
  44                              // included
  45   ORTDelegatedMissing,  // the response is signed by a not included delegated
  46                         // responder
  47   ORTDelegatedMissingMultiple,   // same, but multiple other certificates are
  48                                  // included
  49   ORTLongValidityAlmostExpired,  // a good response, but that was generated a
  50                                  // almost a year ago
  51   ORTAncientAlmostExpired,  // a good response, with a validity of almost two
  52                             // years almost expiring
  53 };
  54
  55 struct OCSPHost {
  56   const char* mHostName;
  57   OCSPResponseType mORT;
  58   const char* mAdditionalCertName;  // useful for ORTGoodOtherCert, etc.
  59   const char* mServerCertName;
  60 };
  61
  62 SECItemArray* GetOCSPResponseForType(
  63     OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert,
  64     const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName,
  65     time_t aThisUpdateSkew,
  66     mozilla::pkix::test::ByteString* aSignedCertificateTimestamps = nullptr);
  67
  68 #endif  // OCSPCommon_h