#pragma once
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
/**
 * Sets the output BIO for the library to use for logging info
 * messages. Extra information is written to the BIO when revocation
 * checks are performed (e.g. decoded OCSP responses, see
 * X509CRC_log_info_bio()). If not set, no logs are written.
 *
 * Lifetime: the library stores the pointer; the caller keeps ownership
 * and must keep the BIO valid until it is replaced (or cleared with
 * NULL). NOTE(review): confirm in the implementation that the previous
 * BIO is not BIO_free()d on replacement.
 *
 * Security: the info log can contain details of peer certificates and
 * of OCSP/CRL material; route it to a sink with the same trust level
 * as the application's other logs.
 *
 * @param bio the output BIO for the library to use,
 * may be NULL if no output is desired
 */
void X509CRC_set_info_BIO(BIO* bio);
/**
 * Sets the output BIO for the library to use for logging error
 * messages. Any error messages are written to the BIO when revocation
 * checks are performed. If not set, no logs are written.
 *
 * Lifetime: the library stores the pointer; the caller keeps ownership
 * and must keep the BIO valid until it is replaced (or cleared with
 * NULL). NOTE(review): confirm the implementation does not BIO_free()
 * the previous BIO on replacement.
 *
 * Logging an error does not by itself make a revocation check fail or
 * pass; callers must still act on the validate_* return values.
 *
 * @param bio the output BIO for the library to use,
 * may be NULL if no output is desired
 */
void X509CRC_set_err_BIO(BIO* bio);
/**
 * Returns the message string corresponding to a libx509crc error code.
 *
 * Error codes are the values > 1 returned by the validate_* functions
 * (defined in errs.h).
 *
 * @param err the error code to lookup
 * @return the corresponding message string. NULL if the error code
 * cannot be matched. Callers must handle NULL (do not pass the result
 * straight to a "%s" conversion without a check). The string is const
 * and presumably static storage owned by the library — do not free it.
 */
const char* X509CRC_err_to_str(int err);
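/**
 * \brief Internal library function used for info log messages.
 *
 * Prints out a timestamp to the info BIO (if set) then returns
 * the info BIO so the caller can print a custom message. Usually
 * used for OpenSSL calls like OCSP_RESPONSE_print() which require
 * a BIO.
 *
 * Although intended for the library's own translation units, it is
 * visible to every includer of this header.
 *
 * Prototyped as (void) rather than the old-style empty list (): in C an
 * empty parameter list means "unspecified arguments", so the compiler
 * would silently accept a stray argument. (void) makes that an error.
 *
 * @returns the info BIO to write to, owned by the library. Should not be
 * closed or freed by the caller. NOTE(review): the value returned when
 * no info BIO has been set is not stated here; if it is NULL,
 * BIO_printf()/BIO_write() on it fail, so callers should check for NULL
 * before writing — confirm against the implementation.
 */
BIO* X509CRC_log_info_bio(void);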
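/**
 * \brief Internal library macro used for info log messages.
 *
 * Prints out an info log message with a timestamp to the info BIO
 * based on the passed format string and arguments (printf-style,
 * through BIO_printf()).
 *
 * Security: fmt must be a string literal under the library's control.
 * Never pass attacker-influenced text (certificate subject fields,
 * responder URLs, CRL distribution points, ...) as fmt — pass it as a
 * "%s" argument instead, or BIO_printf() becomes a format-string sink.
 *
 * The previous `args...` form expanded to `BIO_printf(bio, fmt, )` when
 * invoked with no variadic arguments, which does not compile.
 * `, ##__VA_ARGS__` removes the comma in that case; like the old named
 * variadic form, this is a GCC/Clang extension rather than strict C11.
 *
 * NOTE(review): the macro writes to whatever X509CRC_log_info_bio()
 * returns; if that can be NULL when no info BIO is configured, the
 * BIO_printf() call fails (negative return) rather than being skipped —
 * confirm the implementation's behaviour.
 *
 * @param fmt the printf-style format string (a string literal)
 * @param ... the values to be printed
 *
 * @returns the BIO_printf() result: bytes written, or < 0 on error
 */
#define X509CRC_log_info(fmt, ...) BIO_printf(X509CRC_log_info_bio(), fmt, ##__VA_ARGS__)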
/**
 * \brief Internal library function used for error log messages.
 *
 * Prints out an error log message with a timestamp to the error BIO
 * (the one configured with X509CRC_set_err_BIO(), if any) with an
 * error message — presumably the string X509CRC_err_to_str() maps the
 * code to; confirm against the implementation.
 *
 * Although intended for the library's own translation units, it is
 * visible to every includer of this header.
 *
 * @param err the x509crc error code (check errs.h)
 *
 * @see X509CRC_err_to_str
 */
void X509CRC_log_error(int err);
/**
 * Performs an OCSP revocation check on the SSL connection, i.e. on the
 * peer certificate presented on that connection (presumably using the
 * peer chain OpenSSL collected during the handshake, as
 * validate_ocsp_by_cert() does with an explicit chain — confirm).
 * The Must Staple extension must not be set on the certificate: for
 * such certificates only the stapled response is acceptable, so use
 * validate_ocsp_stapling() instead (see must_staple()).
 *
 * Security notes for callers:
 * - Revocation checking complements chain validation, it does not
 *   replace it: call this only after the peer chain has been verified.
 * - Treat every non-zero result as "not proven good". Mapping an error
 *   (> 1, e.g. responder unreachable) to "not revoked" is a fail-open
 *   policy that an attacker able to block the responder defeats; if
 *   soft-fail is a deliberate choice, make it explicit and log it.
 *
 * @param ssl the SSL connection object (an SSL, not an SSL_CTX) to
 * perform the revocation check on
 * @param next_update a pointer to the next update time given in the OCSP
 * response. If not desired, NULL may be passed. Otherwise, the
 * returned ASN1_TIME pointer must be freed by the caller
 * (ASN1_TIME_free()). NOTE(review): whether *next_update is written on
 * the revoked/error paths is not stated — rely on it only on return 0.
 *
 * @returns 0 on passed, 1 if revoked, > 1 is the error code (check errs.h)
 */
int validate_ocsp(SSL *ssl, ASN1_TIME** next_update);
/**
 * Performs an OCSP revocation check based on an X509 certificate
 * and chain. The Must Staple extension must not be set on the certificate
 * (see must_staple(); such certificates require the stapled response,
 * validate_ocsp_stapling()).
 *
 * Security notes for callers:
 * - The issuer is taken from chain[1] as supplied by the caller, and
 *   this function presumably does not itself validate the chain
 *   (confirm). Only call it with a chain that has already passed
 *   X509_verify_cert() against a trusted store, otherwise an attacker
 *   can supply an "issuer" of their choosing.
 * - Treat every non-zero result as "not proven good"; do not silently
 *   map an error (> 1) to "not revoked" (fail-open).
 *
 * @param cert the certificate to perform the revocation check on
 * @param chain the certificate chain to use. The first element is expected
 * to be the specified cert and the second is expected to be the issuer
 * @param store the X509_STORE used to verify the signature on the OCSP
 * response. It must contain the trust anchors (and any delegated
 * responder certificates) needed for that verification.
 * @param next_update a pointer to the next update time given in the OCSP
 * response. If not desired, NULL may be passed. Otherwise, the
 * returned ASN1_TIME pointer must be freed by the caller
 * (ASN1_TIME_free()). NOTE(review): whether *next_update is written on
 * the revoked/error paths is not stated — rely on it only on return 0.
 *
 * @returns 0 on passed, 1 if revoked, > 1 is the error code (check errs.h)
 */
int validate_ocsp_by_cert(X509 *cert, STACK_OF(X509) *chain, X509_STORE *store, ASN1_TIME** next_update);
/**
 * Callback to perform an OCSP Stapling revocation check on the SSL
 * connection, i.e. on the OCSP response the peer stapled into the
 * handshake.
 *
 * The signature and return convention match OpenSSL's certificate
 * status callback (SSL_CTX_set_tlsext_status_cb()): returning 0 makes
 * OpenSSL abort the handshake, a negative value signals an internal
 * error, 1 lets the handshake continue.
 *
 * Security note: for a certificate that carries the Must-Staple marker
 * (see must_staple()), a missing stapled response must be treated as a
 * failure, not as "unknown". NOTE(review): which return value this
 * callback produces for a missing staple is not stated here — confirm
 * before relying on it.
 *
 * @param ssl the SSL connection object the callback was invoked for
 * @param arg part of the callback signature, used to pass back any error
 * code or the revocation status. NULL may be passed in if getting
 * back the value is not desired. Presumably an int* given the value is
 * described as a status/error code — confirm the expected type.
 *
 * @returns 1 on passed, 0 if revoked, -1 on error. Check the value of
 * arg to get the revocation status or error code (check errs.h).
 */
int validate_ocsp_stapling(SSL *ssl, void *arg);
/**
 * Performs a CRL revocation check on the SSL connection, i.e. on the
 * peer certificate presented on that connection (presumably using the
 * peer chain from the handshake, as validate_crl_by_cert() does with an
 * explicit chain — confirm).
 *
 * Security notes for callers:
 * - Call this only after the peer chain has been verified; revocation
 *   checking does not replace chain validation.
 * - Treat every non-zero result as "not proven good"; an error (> 1,
 *   e.g. CRL unreachable or its signature not verifiable) must not be
 *   silently mapped to "not revoked" (fail-open).
 *
 * @param ssl the SSL connection object (an SSL, not an SSL_CTX) to
 * perform the revocation check on
 * @param next_update a pointer to the next update time listed in the CRL.
 * If not desired, NULL may be passed. Otherwise, the returned
 * ASN1_TIME pointer must be freed by the caller (ASN1_TIME_free()).
 * NOTE(review): whether *next_update is written on the revoked/error
 * paths is not stated — rely on it only on return 0.
 *
 * @returns 0 on passed, 1 if revoked, > 1 on error (check errs.h)
 */
int validate_crl(SSL *ssl, ASN1_TIME** next_update);
/**
 * Performs a CRL revocation check based on an X509 certificate
 * and chain.
 *
 * Security notes for callers:
 * - The issuer is taken from chain[1] as supplied by the caller, and
 *   this function presumably does not itself validate the chain
 *   (confirm). Only pass a chain that has already passed
 *   X509_verify_cert() against a trusted store.
 * - Treat every non-zero result as "not proven good"; do not silently
 *   map an error (> 1) to "not revoked" (fail-open).
 *
 * @param cert the certificate to perform the revocation check on
 * @param chain the certificate chain to use. The first element is expected
 * to be the specified cert and the second is expected to be the issuer
 * @param store the X509_STORE used to verify the CRL's signature; it must
 * contain the trust anchors needed for that verification
 * @param next_update a pointer to the next update time listed in the CRL.
 * If not desired, NULL may be passed. Otherwise, the returned
 * ASN1_TIME pointer must be freed by the caller (ASN1_TIME_free()).
 * NOTE(review): whether *next_update is written on the revoked/error
 * paths is not stated — rely on it only on return 0.
 *
 * @returns 0 on passed, 1 if revoked, >1 on error (check errs.h)
 */
int validate_crl_by_cert(X509 *cert, STACK_OF(X509) *chain, X509_STORE *store, ASN1_TIME** next_update);
/**
 * Determines if the Must Staple marker is set on the certificate —
 * presumably the X.509 TLS Feature extension (RFC 7633) asserting
 * status_request; confirm against the implementation.
 *
 * Callers should test this before choosing a check: validate_ocsp()
 * and validate_ocsp_by_cert() must not be used on a Must-Staple
 * certificate, validate_ocsp_stapling() is the one that applies.
 *
 * @param cert the certificate to inspect. NOTE(review): behaviour for a
 * NULL cert is not stated — do not pass NULL.
 *
 * @returns 1 if the Must Staple extension is set, 0 otherwise
 */
int must_staple(X509 *cert);
/**
 * Determines if an OCSP revocation check can be performed on the
 * specified certificate — presumably whether it carries an OCSP
 * responder location (Authority Information Access); confirm.
 *
 * A 0 result means the library has no way to query revocation via OCSP,
 * not that the certificate is good; callers should fall back to another
 * check (e.g. can_check_crl()/validate_crl()) or fail according to
 * their policy rather than treating it as a pass.
 *
 * @param cert the certificate to inspect (must not be NULL)
 *
 * @returns 1 if the check is possible, 0 otherwise
 */
int can_check_ocsp(X509 *cert);
/**
 * Determines if a CRL revocation check can be performed on the
 * specified certificate — presumably whether it carries a CRL
 * Distribution Points extension; confirm.
 *
 * A 0 result means the library has no way to query revocation via a
 * CRL, not that the certificate is good; callers should fall back to
 * another check (e.g. can_check_ocsp()/validate_ocsp()) or fail
 * according to their policy rather than treating it as a pass.
 *
 * @param cert the certificate to inspect (must not be NULL)
 *
 * @returns 1 if the check is possible, 0 otherwise
 */
int can_check_crl(X509 *cert);