1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * certi.h - private data structures for the certificate library 6 */ 7 #ifndef _CERTI_H_ 8 #define _CERTI_H_ 9 10 #include "certt.h" 11 #include "nssrwlkt.h" 12 13 /* 14 #define GLOBAL_RWLOCK 1 15 */ 16 17 #define DPC_RWLOCK 1 18 19 /* all definitions in this file are subject to change */ 20 21 typedef struct OpaqueCRLFieldsStr OpaqueCRLFields; 22 typedef struct CRLEntryCacheStr CRLEntryCache; 23 typedef struct CRLDPCacheStr CRLDPCache; 24 typedef struct CRLIssuerCacheStr CRLIssuerCache; 25 typedef struct CRLCacheStr CRLCache; 26 typedef struct CachedCrlStr CachedCrl; 27 typedef struct NamedCRLCacheStr NamedCRLCache; 28 typedef struct NamedCRLCacheEntryStr NamedCRLCacheEntry; 29 30 struct OpaqueCRLFieldsStr { 31 PRBool partial; 32 PRBool decodingError; 33 PRBool badEntries; 34 PRBool badDER; 35 PRBool badExtensions; 36 PRBool heapDER; 37 }; 38 39 typedef struct PreAllocatorStr PreAllocator; 40 41 struct PreAllocatorStr { 42 PRSize len; 43 void* data; 44 PRSize used; 45 PLArenaPool* arena; 46 PRSize extra; 47 }; 48 49 /* CRL entry cache. 50 This is the same as an entry plus the next/prev pointers for the hash table 51 */ 52 53 struct CRLEntryCacheStr { 54 CERTCrlEntry entry; 55 CRLEntryCache *prev, *next; 56 }; 57 58 #define CRL_CACHE_INVALID_CRLS 0x0001 /* this state will be set \ 59 if we have CRL objects with an invalid DER or signature. Can be \ 60 cleared if the invalid objects are deleted from the token */ 61 #define CRL_CACHE_LAST_FETCH_FAILED 0x0002 /* this state will be set \ 62 if the last CRL fetch encountered an error. Can be cleared if a \ 63 new fetch succeeds */ 64 65 #define CRL_CACHE_OUT_OF_MEMORY 0x0004 /* this state will be set \ 66 if we don't have enough memory to build the hash table of entries */ 67 68 typedef enum { 69 CRL_OriginToken = 0, /* CRL came from PKCS#11 token */ 70 CRL_OriginExplicit = 1 /* CRL was explicitly added to the cache, from RAM */ 71 } CRLOrigin; 72 73 typedef enum { 74 dpcacheNoEntry = 0, /* no entry found for this SN */ 75 dpcacheFoundEntry = 1, /* entry found for this SN */ 76 dpcacheCallerError = 2, /* invalid args */ 77 dpcacheInvalidCacheError = 3, /* CRL in cache may be bad DER */ 78 /* or unverified */ 79 dpcacheEmpty = 4, /* no CRL in cache */ 80 dpcacheLookupError = 5 /* internal error */ 81 } dpcacheStatus; 82 83 struct CachedCrlStr { 84 CERTSignedCrl* crl; 85 CRLOrigin origin; 86 /* hash table of entries. We use a PLHashTable and pre-allocate the 87 required amount of memory in one shot, so that our allocator can 88 simply pass offsets into it when hashing. 89 90 This won't work anymore when we support delta CRLs and iCRLs, because 91 the size of the hash table will vary over time. At that point, the best 92 solution will be to allocate large CRLEntry structures by modifying 93 the DER decoding template. The extra space would be for next/prev 94 pointers. This would allow entries from different CRLs to be mixed in 95 the same hash table. 96 */ 97 PLHashTable* entries; 98 PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */ 99 PRBool sigChecked; /* this CRL signature has already been checked */ 100 PRBool sigValid; /* signature verification status . 101 Only meaningful if checked is PR_TRUE . */ 102 PRBool unbuildable; /* Avoid using assosiated CRL is it fails 103 * a decoding step */ 104 }; 105 106 /* CRL distribution point cache object 107 This is a cache of CRL entries for a given distribution point of an issuer 108 It is built from a collection of one full and 0 or more delta CRLs. 109 */ 110 111 struct CRLDPCacheStr { 112 #ifdef DPC_RWLOCK 113 NSSRWLock* lock; 114 #else 115 PRLock* lock; 116 #endif 117 SECItem* issuerDERCert; /* issuer DER cert. Don't hold a reference 118 to the actual cert so the trust can be 119 updated on the cert automatically. 120 XXX there may be multiple issuer certs, 121 with different validity dates. Also 122 need to deal with SKID/AKID . See 123 bugzilla 217387, 233118 */ 124 125 CERTCertDBHandle* dbHandle; 126 127 SECItem* subject; /* DER of issuer subject */ 128 SECItem* distributionPoint; /* DER of distribution point. This may be 129 NULL when distribution points aren't 130 in use (ie. the CA has a single CRL). 131 Currently not used. */ 132 133 /* array of full CRLs matching this distribution point */ 134 PRUint32 ncrls; /* total number of CRLs in crls */ 135 CachedCrl** crls; /* array of all matching CRLs */ 136 /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several 137 issuers. In the future, we'll need to globally recycle the CRL in a 138 separate list in order to avoid extra lookups, decodes, and copies */ 139 140 /* pointers to good decoded CRLs used to build the cache */ 141 CachedCrl* selected; /* full CRL selected for use in the cache */ 142 #if 0 143 /* for future use */ 144 PRInt32 numdeltas; /* number of delta CRLs used for the cache */ 145 CachedCrl** deltas; /* delta CRLs used for the cache */ 146 #endif 147 /* cache invalidity bitflag */ 148 PRUint16 invalid; /* this state will be set if either 149 CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set. 150 In those cases, all certs are considered to have unknown status. 151 The invalid state can only be cleared during an update if all 152 error states are cleared */ 153 PRBool refresh; /* manual refresh from tokens has been forced */ 154 PRBool mustchoose; /* trigger reselection algorithm, for case when 155 RAM CRL objects are dropped from the cache */ 156 PRTime lastfetch; /* time a CRL token fetch was last performed */ 157 PRTime lastcheck; /* time CRL token objects were last checked for 158 existence */ 159 }; 160 161 /* CRL issuer cache object 162 This object tracks all the distribution point caches for a given issuer. 163 XCRL once we support multiple issuing distribution points, this object 164 will be a hash table. For now, it just holds the single CRL distribution 165 point cache structure. 166 */ 167 168 struct CRLIssuerCacheStr { 169 SECItem* subject; /* DER of issuer subject */ 170 CRLDPCache* dpp; 171 }; 172 173 /* CRL revocation cache object 174 This object tracks all the issuer caches 175 */ 176 177 struct CRLCacheStr { 178 #ifdef GLOBAL_RWLOCK 179 NSSRWLock* lock; 180 #else 181 PRLock* lock; 182 #endif 183 /* hash table of issuer to CRLIssuerCacheStr, 184 indexed by issuer DER subject */ 185 PLHashTable* issuers; 186 }; 187 188 SECStatus InitCRLCache(void); 189 SECStatus ShutdownCRLCache(void); 190 191 /* Returns a pointer to an environment-like string, a series of 192 ** null-terminated strings, terminated by a zero-length string. 193 ** This function is intended to be internal to NSS. 194 */ 195 extern char* cert_GetCertificateEmailAddresses(CERTCertificate* cert); 196 197 /* 198 * These functions are used to map subjectKeyID extension values to certs 199 * and to keep track of the checks for user certificates in each slot 200 */ 201 SECStatus cert_CreateSubjectKeyIDHashTable(void); 202 203 SECStatus cert_AddSubjectKeyIDMapping(SECItem* subjKeyID, 204 CERTCertificate* cert); 205 206 SECStatus cert_UpdateSubjectKeyIDSlotCheck(SECItem* slotid, int series); 207 208 int cert_SubjectKeyIDSlotCheckSeries(SECItem* slotid); 209 210 /* 211 * Call this function to remove an entry from the mapping table. 212 */ 213 SECStatus cert_RemoveSubjectKeyIDMapping(SECItem* subjKeyID); 214 215 SECStatus cert_DestroySubjectKeyIDHashTable(void); 216 217 SECItem* cert_FindDERCertBySubjectKeyID(SECItem* subjKeyID); 218 219 /* return maximum length of AVA value based on its type OID tag. */ 220 extern int cert_AVAOidTagToMaxLen(SECOidTag tag); 221 222 /* Make an AVA, allocated from pool, from OID and DER encoded value */ 223 extern CERTAVA* CERT_CreateAVAFromRaw(PLArenaPool* pool, const SECItem* OID, 224 const SECItem* value); 225 226 /* Make an AVA from binary input specified by SECItem */ 227 extern CERTAVA* CERT_CreateAVAFromSECItem(PLArenaPool* arena, SECOidTag kind, 228 int valueType, SECItem* value); 229 230 /* 231 * get a DPCache object for the given issuer subject and dp 232 * Automatically creates the cache object if it doesn't exist yet. 233 */ 234 SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject, 235 const SECItem* dp, PRTime t, void* wincx, 236 CRLDPCache** dpcache, PRBool* writeLocked); 237 238 /* check if a particular SN is in the CRL cache and return its entry */ 239 dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn, 240 CERTCrlEntry** returned); 241 242 /* release a DPCache object that was previously acquired */ 243 void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked); 244 245 /* 246 * map Stan errors into NSS errors 247 * This function examines the stan error stack and automatically sets 248 * PORT_SetError(); to the appropriate SEC_ERROR value. 249 */ 250 void CERT_MapStanError(); 251 252 /* Like CERT_VerifyCert, except with an additional argument, flags. The 253 * flags are defined immediately below. 254 */ 255 SECStatus cert_VerifyCertWithFlags(CERTCertDBHandle* handle, 256 CERTCertificate* cert, PRBool checkSig, 257 SECCertUsage certUsage, PRTime t, 258 PRUint32 flags, void* wincx, 259 CERTVerifyLog* log); 260 261 /* Use the default settings. 262 * cert_VerifyCertWithFlags(..., CERT_VERIFYCERT_USE_DEFAULTS, ...) is 263 * equivalent to CERT_VerifyCert(...); 264 */ 265 #define CERT_VERIFYCERT_USE_DEFAULTS 0 266 267 /* Skip all the OCSP checks during certificate verification, regardless of 268 * the global OCSP settings. By default, certificate |cert| will have its 269 * revocation status checked via OCSP according to the global OCSP settings. 270 * 271 * OCSP checking is always skipped when certUsage is certUsageStatusResponder. 272 */ 273 #define CERT_VERIFYCERT_SKIP_OCSP 1 274 275 /* Interface function for libpkix cert validation engine: 276 * cert_verify wrapper. */ 277 SECStatus cert_VerifyCertChainPkix(CERTCertificate* cert, PRBool checkSig, 278 SECCertUsage requiredUsage, PRTime time, 279 void* wincx, CERTVerifyLog* log, 280 PRBool* sigError, PRBool* revoked); 281 282 SECStatus cert_InitLocks(void); 283 284 SECStatus cert_DestroyLocks(void); 285 286 /* 287 * fill in nsCertType field of the cert based on the cert extension 288 */ 289 extern SECStatus cert_GetCertType(CERTCertificate* cert); 290 291 /* 292 * compute and return the value of nsCertType for cert, but do not 293 * update the CERTCertificate. 294 */ 295 extern PRUint32 cert_ComputeCertType(CERTCertificate* cert); 296 297 void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert, 298 long errorCode, unsigned int depth, void* arg); 299 300 /* Insert a DER CRL into the CRL cache, and take ownership of it. 301 * 302 * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument 303 * completely. crl must be freeable by SECITEM_FreeItem. It will be freed 304 * immediately if it is rejected from the CRL cache, or later during cache 305 * updates when a new crl is available, or at shutdown time. 306 * 307 * canonicalizedName represents the source of the CRL, a GeneralName. 308 * The format of the encoding is not restricted, but all callers of 309 * cert_CacheCRLByGeneralName and cert_FindCRLByGeneralName must use 310 * the same encoding. To facilitate X.500 name matching, a canonicalized 311 * encoding of the GeneralName should be used, if available. 312 */ 313 314 SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl, 315 const SECItem* canonicalizedName); 316 317 struct NamedCRLCacheStr { 318 PRLock* lock; 319 PLHashTable* entries; 320 }; 321 322 /* NamedCRLCacheEntryStr is filled in by cert_CacheCRLByGeneralName, 323 * and read by cert_FindCRLByGeneralName */ 324 struct NamedCRLCacheEntryStr { 325 SECItem* canonicalizedName; 326 SECItem* crl; /* DER, kept only if CRL 327 * is successfully cached */ 328 PRBool inCRLCache; 329 PRTime successfulInsertionTime; /* insertion time */ 330 PRTime lastAttemptTime; /* time of last call to 331 cert_CacheCRLByGeneralName with this name */ 332 PRBool badDER; /* ASN.1 error */ 333 PRBool dupe; /* matching DER CRL already in CRL cache */ 334 PRBool unsupported; /* IDP, delta, any other reason */ 335 }; 336 337 typedef enum { 338 certRevocationStatusRevoked = 0, 339 certRevocationStatusValid = 1, 340 certRevocationStatusUnknown = 2 341 } CERTRevocationStatus; 342 343 /* Returns detailed status of the cert(revStatus variable). Tells if 344 * issuer cache has OriginFetchedWithTimeout crl in it. */ 345 SECStatus cert_CheckCertRevocationStatus(CERTCertificate* cert, 346 CERTCertificate* issuer, 347 const SECItem* dp, PRTime t, 348 void* wincx, 349 CERTRevocationStatus* revStatus, 350 CERTCRLEntryReasonCode* revReason); 351 352 SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned); 353 354 /* cert_FindCRLByGeneralName must be called only while the named cache is 355 * acquired, and the entry is only valid until cache is released. 356 */ 357 SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc, 358 const SECItem* canonicalizedName, 359 NamedCRLCacheEntry** retEntry); 360 361 SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc); 362 363 /* This is private for now. Maybe shoule be public. */ 364 CERTGeneralName* cert_GetSubjectAltNameList(const CERTCertificate* cert, 365 PLArenaPool* arena); 366 367 /* Count DNS names and IP addresses in a list of GeneralNames */ 368 PRUint32 cert_CountDNSPatterns(CERTGeneralName* firstName); 369 370 /* 371 * returns the trust status of the leaf certificate based on usage. 372 * If the leaf is explicitly untrusted, this function will fail and 373 * failedFlags will be set to the trust bit value that lead to the failure. 374 * If the leaf is trusted, isTrusted is set to true and the function returns 375 * SECSuccess. This function does not check if the cert is fit for a 376 * particular usage. 377 */ 378 SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, 379 unsigned int* failedFlags, PRBool* isTrusted); 380 381 /* 382 * Acquire the cert temp/perm lock 383 */ 384 void CERT_LockCertTempPerm(const CERTCertificate* cert); 385 386 /* 387 * Release the temp/perm lock 388 */ 389 void CERT_UnlockCertTempPerm(const CERTCertificate* cert); 390 391 /* 392 * Acquire the cert trust lock 393 * There is currently one global lock for all certs, but I'm putting a cert 394 * arg here so that it will be easy to make it per-cert in the future if 395 * that turns out to be necessary. 396 */ 397 void CERT_LockCertTrust(const CERTCertificate* cert); 398 399 /* 400 * Release the cert trust lock 401 */ 402 void CERT_UnlockCertTrust(const CERTCertificate* cert); 403 404 #endif /* _CERTI_H_ */ 405