#ifndef _IPXE_OCSP_H
#define _IPXE_OCSP_H

/** @file
 *
 * Online Certificate Status Protocol
 *
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <stdarg.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <config/crypto.h>

/* Allow OCSP to be disabled completely */
#ifdef OCSP_CHECK
#define OCSP_ENABLED 1
#else
#define OCSP_ENABLED 0
#endif

/** OCSP algorithm identifier */
#define OCSP_ALGORITHM_IDENTIFIER( ... )				\
	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\
	ASN1_NULL, 0x00

/* OCSP response statuses */
#define OCSP_STATUS_SUCCESSFUL		0x00
#define OCSP_STATUS_MALFORMED_REQUEST	0x01
#define OCSP_STATUS_INTERNAL_ERROR	0x02
#define OCSP_STATUS_TRY_LATER		0x03
#define OCSP_STATUS_SIG_REQUIRED	0x05
#define OCSP_STATUS_UNAUTHORIZED	0x06

struct ocsp_check;

/** An OCSP request */
struct ocsp_request {
	/** Request builder */
	struct asn1_builder builder;
	/** Certificate ID */
	struct asn1_cursor cert_id;
};

/** An OCSP responder */
struct ocsp_responder {
	/**
	 * Check if certificate is the responder's certificate
	 *
	 * @v ocsp		OCSP check
	 * @v cert		Certificate
	 * @ret difference	Difference as returned by memcmp()
	 */
	int ( * compare ) ( struct ocsp_check *ocsp,
			    struct x509_certificate *cert );
	/** Responder ID */
	struct asn1_cursor id;
};

/** An OCSP response */
struct ocsp_response {
	/** Raw response */
	void *data;
	/** Raw tbsResponseData */
	struct asn1_cursor tbs;
	/** Responder */
	struct ocsp_responder responder;
	/** Time at which status is known to be correct */
	time_t this_update;
	/** Time at which newer status information will be available */
	time_t next_update;
	/** Signature algorithm */
	struct asn1_algorithm *algorithm;
	/** Signature value */
	struct asn1_bit_string signature;
	/** Signing certificate */
	struct x509_certificate *signer;
};

/** An OCSP check */
struct ocsp_check {
	/** Reference count */
	struct refcnt refcnt;
	/** Certificate being checked */
	struct x509_certificate *cert;
	/** Issuing certificate */
	struct x509_certificate *issuer;
	/** URI string */
	char *uri_string;
	/** Request */
	struct ocsp_request request;
	/** Response */
	struct ocsp_response response;
};

/**
 * Get reference to OCSP check
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) struct ocsp_check *
ocsp_get ( struct ocsp_check *ocsp ) {
	ref_get ( &ocsp->refcnt );
	return ocsp;
}

/**
 * Drop reference to OCSP check
 *
 * @v ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) void
ocsp_put ( struct ocsp_check *ocsp ) {
	ref_put ( &ocsp->refcnt );
}

/**
 * Check if X.509 certificate requires an OCSP check
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {

	/* An OCSP check is never required if OCSP checks are disabled */
	if ( ! OCSP_ENABLED )
		return 0;

	/* An OCSP check is required if an OCSP URI exists but the
	 * OCSP status is not (yet) good.
	 */
	return ( cert->extensions.auth_info.ocsp.uri.len &&
		 ( ! cert->extensions.auth_info.ocsp.good ) );
}

extern int ocsp_check ( struct x509_certificate *cert,
			struct x509_certificate *issuer,
			struct ocsp_check **ocsp );
extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
			   size_t len );
extern int ocsp_validate ( struct ocsp_check *check, time_t time );

#endif /* _IPXE_OCSP_H */