1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_OCSP_VERIFY_RESULT_H_
6 #define BSSL_PKI_OCSP_VERIFY_RESULT_H_
7 
8 #include <openssl/base.h>
9 
10 #include "ocsp_revocation_status.h"
11 
12 namespace bssl {
13 
// The result of OCSP verification. This always contains a ResponseStatus, which
// describes whether or not an OCSP response was provided, and response level
// errors. It optionally contains an OCSPRevocationStatus when
// |response_status = PROVIDED|. For example, a stapled OCSP response matching
// the certificate, and indicating a non-revoked status, will have
// |response_status = PROVIDED| and |revocation_status = GOOD|. This is
// populated as part of the certificate verification process, and should not be
// modified at other layers.
//
// Reading this result for a trust decision takes two steps:
//   1. |response_status| must be PROVIDED. For every other value
//      |revocation_status| is not valid and must be ignored.
//   2. |revocation_status| then carries the verdict. PROVIDED alone does not
//      mean the certificate is good; the status may still be REVOKED or
//      UNKNOWN.
// How a caller treats the non-PROVIDED values (for example, whether a missing
// staple is acceptable) is not encoded here.
//
// A default-constructed result is |response_status = NOT_CHECKED| with
// |revocation_status = UNKNOWN|, so a result that was never populated does not
// read as a successful check.
struct OPENSSL_EXPORT OCSPVerifyResult {
  // Special members are only declared in this header; their definitions are
  // not visible here.
  OCSPVerifyResult();
  OCSPVerifyResult(const OCSPVerifyResult &);
  ~OCSPVerifyResult();

  // Equality comparison against |other|.
  // NOTE(review): presumably compares both |response_status| and
  // |revocation_status| - confirm against the implementation.
  bool operator==(const OCSPVerifyResult &other) const;

  // This value is histogrammed, so do not re-order or change values, and add
  // new values at the end. The numeric values are therefore part of the
  // recorded data: reusing or renumbering one would silently change the
  // meaning of previously recorded samples.
  enum ResponseStatus {
    // OCSP verification was not checked on this connection. This is also the
    // default value of |response_status|.
    NOT_CHECKED = 0,

    // No OCSPResponse was stapled.
    MISSING = 1,

    // An up-to-date OCSP response was stapled and matched the certificate.
    // This is the only status for which |revocation_status| is valid; it does
    // not by itself say the certificate is unrevoked.
    PROVIDED = 2,

    // The stapled OCSP response did not have a SUCCESSFUL status.
    ERROR_RESPONSE = 3,

    // The OCSPResponseData field producedAt was outside the certificate
    // validity period.
    BAD_PRODUCED_AT = 4,

    // At least one OCSPSingleResponse was stapled, but none matched the
    // certificate.
    NO_MATCHING_RESPONSE = 5,

    // A matching OCSPSingleResponse was stapled, but was either expired or not
    // yet valid.
    INVALID_DATE = 6,

    // The OCSPResponse structure could not be parsed.
    PARSE_RESPONSE_ERROR = 7,

    // The OCSPResponseData structure could not be parsed.
    PARSE_RESPONSE_DATA_ERROR = 8,

    // Unhandled critical extension in either OCSPResponseData or
    // OCSPSingleResponse
    UNHANDLED_CRITICAL_EXTENSION = 9,

    // Alias for the highest-valued enumerator. When appending a new status,
    // update this to name it.
    // NOTE(review): presumably the upper bound used when histogramming -
    // confirm at the recording site.
    RESPONSE_STATUS_MAX = UNHANDLED_CRITICAL_EXTENSION
  };

  // Outcome of locating and validating the OCSP response itself. Defaults to
  // NOT_CHECKED.
  ResponseStatus response_status = NOT_CHECKED;

  // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
  // GOOD). Only valid if |response_status| = PROVIDED. Defaults to UNKNOWN,
  // so code that reads this field without first checking |response_status|
  // sees UNKNOWN rather than GOOD on an unpopulated result.
  OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
};
73 
74 }  // namespace bssl
75 
76 #endif  // BSSL_PKI_OCSP_VERIFY_RESULT_H_
77