New function and options to check OCSP response validity.

[openssl.git] / crypto / ocsp / ocsp.h

diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index 55628206582b8526ee1fbeb590ea87d66fc996b3..bccdf77b4f2373b0418392d0659d465dedb2fa26 100644 (file)
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -378,23 +378,23 @@ typedef struct ocsp_service_locator_st
                (unsigned char *)o)
 
 #define OCSP_REQUEST_sign(o,pkey,md) \
-       ASN1_item_sign(&OCSP_REQINFO_it,\
+       ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
                o->optionalSignature->signatureAlgorithm,NULL,\
                o->optionalSignature->signature,o->tbsRequest,pkey,md)
 
 #define OCSP_BASICRESP_sign(o,pkey,md,d) \
-       ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL,\
+       ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
                o->signature,o->tbsResponseData,pkey,md)
 
-#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(&OCSP_REQINFO_it,\
+#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
         a->optionalSignature->signatureAlgorithm,\
        a->optionalSignature->signature,a->tbsRequest,r)
 
-#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(&OCSP_RESPDATA_it,\
+#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
 
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
-       ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)
+       ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
 
 #define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
                (char *(*)())d2i_OCSP_CERTID,(char *)(cid))
@@ -444,6 +444,9 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                                ASN1_GENERALIZEDTIME **revtime,
                                ASN1_GENERALIZEDTIME **thisupd,
                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+                       ASN1_GENERALIZEDTIME *nextupd,
+                       long sec, long maxsec);
 
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
 
@@ -569,6 +572,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_OCSP_CHECK_DELEGATED                     106
 #define OCSP_F_OCSP_CHECK_IDS                           107
 #define OCSP_F_OCSP_CHECK_ISSUER                        108
+#define OCSP_F_OCSP_CHECK_VALIDITY                      115
 #define OCSP_F_OCSP_MATCH_ISSUERID                      109
 #define OCSP_F_OCSP_PARSE_URL                           114
 #define OCSP_F_OCSP_REQUEST_SIGN                        110
@@ -580,8 +584,11 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_BAD_DATA                                         100
 #define OCSP_R_CERTIFICATE_VERIFY_ERROR                         101
 #define OCSP_R_DIGEST_ERR                               102
+#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD                122
+#define OCSP_R_ERROR_IN_THISUPDATE_FIELD                123
 #define OCSP_R_ERROR_PARSING_URL                        121
 #define OCSP_R_MISSING_OCSPSIGNING_USAGE                103
+#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE             124
 #define OCSP_R_NOT_BASIC_RESPONSE                       104
 #define OCSP_R_NO_CERTIFICATES_IN_CHAIN                         105
 #define OCSP_R_NO_CONTENT                               106
@@ -597,6 +604,9 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_SERVER_WRITE_ERROR                       116
 #define OCSP_R_SIGNATURE_FAILURE                        117
 #define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND             118
+#define OCSP_R_STATUS_EXPIRED                           125
+#define OCSP_R_STATUS_NOT_YET_VALID                     126
+#define OCSP_R_STATUS_TOO_OLD                           127
 #define OCSP_R_UNKNOWN_MESSAGE_DIGEST                   119
 #define OCSP_R_UNKNOWN_NID                              120