pki/ocsp_verify_result.h - boringssl.git - Git at Google

 // Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef BSSL_PKI_OCSP_VERIFY_RESULT_H_
 #define BSSL_PKI_OCSP_VERIFY_RESULT_H_

 #include <openssl/base.h>

 #include "ocsp_revocation_status.h"

 BSSL_NAMESPACE_BEGIN

 // The result of OCSP verification. This always contains a ResponseStatus, which
 // describes whether or not an OCSP response was provided, and response level
 // errors. It optionally contains an OCSPRevocationStatus when |response_status
 // = PROVIDED|. For example, a stapled OCSP response matching the certificate,
 // and indicating a non-revoked status, will have |response_status = PROVIDED|
 // and |revocation_status = GOOD|. This is populated as part of the certificate
 // verification process, and should not be modified at other layers.
 struct OPENSSL_EXPORT OCSPVerifyResult {
   OCSPVerifyResult();
   OCSPVerifyResult(const OCSPVerifyResult &);
   ~OCSPVerifyResult();

   bool operator==(const OCSPVerifyResult &other) const;

   // This value is histogrammed, so do not re-order or change values, and add
   // new values at the end.
   enum ResponseStatus {
     // OCSP verification was not checked on this connection.
     NOT_CHECKED = 0,

     // No OCSPResponse was stapled.
     MISSING = 1,

     // An up-to-date OCSP response was stapled and matched the certificate.
     PROVIDED = 2,

     // The stapled OCSP response did not have a SUCCESSFUL status.
     ERROR_RESPONSE = 3,

     // The OCSPResponseData field producedAt was outside the certificate
     // validity period.
     BAD_PRODUCED_AT = 4,

     // At least one OCSPSingleResponse was stapled, but none matched the
     // certificate.
     NO_MATCHING_RESPONSE = 5,

     // A matching OCSPSingleResponse was stapled, but was either expired or not
     // yet valid.
     INVALID_DATE = 6,

     // The OCSPResponse structure could not be parsed.
     PARSE_RESPONSE_ERROR = 7,

     // The OCSPResponseData structure could not be parsed.
     PARSE_RESPONSE_DATA_ERROR = 8,

     // Unhandled critical extension in either OCSPResponseData or
     // OCSPSingleResponse
     UNHANDLED_CRITICAL_EXTENSION = 9,
     RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION
   };

   ResponseStatus response_status = NOT_CHECKED;

   // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
   // GOOD). Only valid if |response_status| = PROVIDED.
   OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
 };

 BSSL_NAMESPACE_END

 #endif  // BSSL_PKI_OCSP_VERIFY_RESULT_H_
	// Copyright 2016 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef BSSL_PKI_OCSP_VERIFY_RESULT_H_
	#define BSSL_PKI_OCSP_VERIFY_RESULT_H_

	#include <openssl/base.h>

	#include "ocsp_revocation_status.h"

	BSSL_NAMESPACE_BEGIN

	// The result of OCSP verification. This always contains a ResponseStatus, which
	// describes whether or not an OCSP response was provided, and response level
	// errors. It optionally contains an OCSPRevocationStatus when \|response_status
	// = PROVIDED\|. For example, a stapled OCSP response matching the certificate,
	// and indicating a non-revoked status, will have \|response_status = PROVIDED\|
	// and \|revocation_status = GOOD\|. This is populated as part of the certificate
	// verification process, and should not be modified at other layers.
	struct OPENSSL_EXPORT OCSPVerifyResult {
	OCSPVerifyResult();
	OCSPVerifyResult(const OCSPVerifyResult &);
	~OCSPVerifyResult();

	bool operator==(const OCSPVerifyResult &other) const;

	// This value is histogrammed, so do not re-order or change values, and add
	// new values at the end.
	enum ResponseStatus {
	// OCSP verification was not checked on this connection.
	NOT_CHECKED = 0,

	// No OCSPResponse was stapled.
	MISSING = 1,

	// An up-to-date OCSP response was stapled and matched the certificate.
	PROVIDED = 2,

	// The stapled OCSP response did not have a SUCCESSFUL status.
	ERROR_RESPONSE = 3,

	// The OCSPResponseData field producedAt was outside the certificate
	// validity period.
	BAD_PRODUCED_AT = 4,

	// At least one OCSPSingleResponse was stapled, but none matched the
	// certificate.
	NO_MATCHING_RESPONSE = 5,

	// A matching OCSPSingleResponse was stapled, but was either expired or not
	// yet valid.
	INVALID_DATE = 6,

	// The OCSPResponse structure could not be parsed.
	PARSE_RESPONSE_ERROR = 7,

	// The OCSPResponseData structure could not be parsed.
	PARSE_RESPONSE_DATA_ERROR = 8,

	// Unhandled critical extension in either OCSPResponseData or
	// OCSPSingleResponse
	UNHANDLED_CRITICAL_EXTENSION = 9,
	RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION
	};

	ResponseStatus response_status = NOT_CHECKED;

	// The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
	// GOOD). Only valid if \|response_status\| = PROVIDED.
	OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
	};

	BSSL_NAMESPACE_END

	#endif // BSSL_PKI_OCSP_VERIFY_RESULT_H_