RSA BSAFE Cert-C

OCSP_RESPONDER Struct Reference

Data Fields

profile	This input parameter specifies the type of OCSP responder to which the Cert-C OCSP Revocation Status service provider will make requests. It specifies the particular OCSP profile that is implemented by the responder. This is required in case there are differences between responder behaviors. If the responder type is not known or no vender-specific behaviors are required for the service provider to operate correctly, then the `REVOKE_OCSP_PROFILE_GENERIC` profile should be used. profile can be one of the following: `REVOKE_OCSP_PROFILE_GENERIC` `REVOKE_OCSP_PROFILE_RSAKCA` `REVOKE_OCSP_PROFILE_VALICERT` `REVOKE_OCSP_PROFILE_VERISIGN`
flags	This input parameter specifies a set of flags used by the service provider to modify how a request should be created or how a response should be interpreted. These flags can affect runtime performance and the size of the request data. Set flags to `0` (zero) if to use the service provider's default set of behaviors. The following is the current set of flags available: `OCSP_RESPONDER_FLAG_DISABLE_NONCES` is used to disable automatic generation and checking of nonces. Use this flag to minimize the size of the request only if it is known that the responder to whom the service provider is sending a request does not support checking of nonces. Note: RSA Security does not recommend disabling the use of nonces when they are available. To do so could make OCSP transactions subject to replay attacks. `OCSP_RESPONDER_FLAG_APPLY_TOLERANCE` is used to handle the sensitivity to differences between the responder’s clock and the client’s clock; a difference as small as one second can cause the provider to return a status of `CERT_REVOCATION_UNKNOWN` even when the responder provides a definitive status in its response. This is most apparent when the responder sets the response’s thisUpdate field (or the nextUpdate field) to the current time and the client also specifies `PF_VALIDATION_TIME_NOW` for the time. `OCSP_RESPONDER_FLAG_DISABLE_CERT_SEND` is used to disable sending the signing certificate when the service provider sends signed requests to the responder. This flag should not be specified when the `OCSP_RESPONDER_FLAG_ENABLE_CHAIN_SEND` flag is specified. `OCSP_RESPONDER_FLAG_ENABLE_CHAIN_SEND` is used to enable sending of the entire signing certificate chain when the service provider sends signed requests to the responder. This flag should not be specified when the `OCSP_RESPONDER_FLAG_DISABLE_CERT_SEND` flag is specified. `OCSP_RESPONDER_FLAG_RESPONDER_NOCHECK` allows the application to specify how to handle revocation checking of the certificate that signed the response (the responder certificate). RFC 2560, section 4.2.2.2.1, discusses this issue and presents several possible methods of handling these situations. If the responder certificate contains the id-pkix-ocsp-nocheck extension then Cert-C does not check the certificate’s validity and, assuming other checks are satisfied, the status contained in the response is returned to the application. If the responder certificate does not have this extension then the application must specify whether or not to trust the responder certificate. If the "nocheck" flag is set, the responder certificate revocation status check is skipped and the status contained in the response is returned to the application. If the "nocheck" flag is not set and the responder certificate is not in trustedList, then the signer cannot be validated, and the application receives a status of `CERT_REVOCATION_UNKNOWN`, with a `CRE_ERROR` evidence type indicating `E_PATH_NOT_FOUND`.
transport	This input parameter specifies transport information to be used by the Cert-C OCSP Revocation Status service provider when making requests to the OCSP responder. transport is a TRANSPORT_INFO structure. To specify a locally configured OCSP responder, The destList member of TRANSPORT_INFO must contain only one destination. When the certificate to be checked specifies the responder in its `serviceLocator` AIA field, destList can be used to list one or more URLs. destList must contain a list of `ITEM`s. If unused, it must be set to `(LIST_OBJ)0`. These `ITEM`s each contain a string that specifies the URL of an OCSP responder. For example, you might specify a destination URL as follows: http://proxy.ocspresp.mycompany.com:181 When non-transparent proxies exist between the OCSP client and responder `TRANSPORT_INFO`'s proxyList can contain one or more URLs to specify the proxies' locations. `TRANSPORT_INFO`'s proxyList member is optional. If unused, it must be set to `(LIST_OBJ)0`. Any `ITEM`s contained in this `LIST_OBJ` specify URLs of proxies, of the same protocol, that exist between the application and the OCSP auto-responder. For example, you might specify a proxy URL as follows: http://proxy.mysompany.com:8080 Currently, HTTP is the only transport protocol supported by this service provider.
digestAlgorithm	This input parameter is the algorithm used to hash certificate information to create the certificate identifier that is sent to the responder. This parameter should be set to one of the following values as the responder implementation might restrict the choice of algorithms beyond this set: `DAI_SHA1` `DAI_MD5` The current version of the Valicert OCSP responder (specified when profile is set to `REVOKE_OCSP_PROFILE_VALICERT`) requires the use of `DAI_SHA1`.
signer	This input parameter is an OCSP_SIGNER structure that contains information used to sign the OCSP request.
responderCert	This optional input parameter is a CERT_OBJ that contains the responder's certificate. This certificate is used to identify the expected signer of OCSP responses. It is also used to designate a locally configured (trusted) responder that has no affiliation with the trust chain of the CA that issued the certificate to be validated. The responder's certificate might need to be known by the service provider at initialization time in cases where the responder does not send its own certificate with the response data. If specified, this certificate becomes the trusted signer for OCSP responses. If not specified, this parameter should be set to (CERT_OBJ)0.
responderCAs	This input parameter is a LIST_OBJ that contains a list of certificates for CAs that use this responder. Responders often service requests on behalf of multiple CAs, therefore, using a LIST_OBJ enables multiple CA names to be accommodated by a single OCSP_RESPONDER entry. responderCAs can be set to contain CA certificates thathave the same `subjectNames` as the `issuerName` of the certificates to be checked. The OCSP protocol, RFC 2560, requires that client software use information in the end-entity's issuer's certificate to identify the certificate whose status is being checked. This field additionally serves the purpose of holding these issuers' certificates.
timeTolerance	This input parameter is the tolerance in seconds for the comparison time. Within some deployments there may be significant differences in the computer clock time between clients and the server. It may not always be practical to maintain highly accurate clock time synchronization between the server and clients. To allow the client to have some control over the transaction validity time, the timeTolerance can be set to allow a time-margin factor over that set by the server. timeTolerance is set to zero by default and, if increased, should be set to as small a value as possible to help ensure that the certificate has not already been revoked within the transaction validity timeframe. Very long transaction validity times are a security model vulnerability. Be sure to set values for the client side timeTolerance value to agree with the security goals of the deployment. To apply a time tolerance, the application must set the `OCSP_RESPONDER_FLAG_APPLY_TOLERANCE` flag and a value for this parameter. The value of timeTolerance must be set to a positive or zero value of seconds. Applications written with the Cert-C 2.0 API are fully compatible with the Cert-C 2.5 API and only need to be recompiled, although they will not be taking advantage of this new feature unless they are re-coded.
extraRequestExtensions	This optional input parameter is an `EXTENSIONS_OBJ` of type `OCSP_REQUEST_EXTENSIONS_OBJ`. It contains extensions to be included in every request. If this parameter is not used, then it must be set to `(EXTENSIONS_OBJ)0`. If the application requires additional extensions they can be specified in this parameter. Note: The service provider always includes an `id-pkix-ocsp-response` extension, and unless overridden by the `OCSP_RESPONDER_FLAG_DISABLE_NONCES` flag, the service provider always supplies an `id-pkix-ocsp-nonce` extension. It is not recommended for the application to supply its own nonce in this object.
dbName	This optional input parameter points to the name of a database service provider instance to which the Cert-C OCSP Revocation Status service provider will bind at initialization-time. This database service provider must be registered prior to Cert-C OCSP Revocation Status service provider initialization. The Cert-C OCSP Revocation Status service provider uses this database service provider to store any additional certificates that the responder may send back in its responses. These additional certificates are used to assist the requester in validating the responders' signed responses. If a database service provider instance is not required for this purpose, then the value should be set to `(char )0`. The application should also bind this registered database service provider instance to `CERT_PATH_CTX`'s database* handle. This handle is used in calls to C_CheckCertRevocation(). If the application's `CERT_PATH_CTX`'s pathOptions field is set to require a certificate chain to be built, it needs to locate the required intermediate certificates, stored in this database service provider instance, to do so. If these certificates cannot be located, then the signature verification will fail and cause the Cert- C OCSP Revocation Status service provider to ignore status checking information sent from this OCSP responder.

#include <ocsp.h>

00431 typedef struct {
00432   unsigned int    profile;                /* one of REVOKE_OCSP_PROFILE_*            */
00433   unsigned int    flags;                  /* bitfield of OCSP_RESPONDER_FLAG_*       */
00434   TRANSPORT_INFO  transport;              /* responder loc & optional proxy info     */
00435   int             digestAlgorithm;        /* alg used to digest request data         */
00436   OCSP_SIGNER     signer;                 /* request signing info for this responder */
00437   CERT_OBJ        responderCert;          /* cert of this responder                  */
00438   LIST_OBJ        responderCAs;           /* CAs for which this responder is used    */
00439   UINT4           timeTolerance;          /* thisUpdate, nextUpdate comparison tolerance */
00440   EXTENSIONS_OBJ  extraRequestExtensions; /* optional extensions for request         */
00441   char           *dbName;                 /* db for returned-in-band certs           */
00442 } OCSP_RESPONDER;