1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * certt.h - public data structures for the certificate library 6 */ 7 #ifndef _CERTT_H_ 8 #define _CERTT_H_ 9 10 #include "prclist.h" 11 #include "pkcs11t.h" 12 #include "seccomon.h" 13 #include "secmodt.h" 14 #include "secoidt.h" 15 #include "plarena.h" 16 #include "prcvar.h" 17 #include "nssilock.h" 18 #include "prio.h" 19 #include "prmon.h" 20 21 /* Stan data types */ 22 struct NSSCertificateStr; 23 struct NSSTrustDomainStr; 24 25 /* Non-opaque objects */ 26 typedef struct CERTAVAStr CERTAVA; 27 typedef struct CERTAttributeStr CERTAttribute; 28 typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess; 29 typedef struct CERTAuthKeyIDStr CERTAuthKeyID; 30 typedef struct CERTBasicConstraintsStr CERTBasicConstraints; 31 typedef struct NSSTrustDomainStr CERTCertDBHandle; 32 typedef struct CERTCertExtensionStr CERTCertExtension; 33 typedef struct CERTCertKeyStr CERTCertKey; 34 typedef struct CERTCertListStr CERTCertList; 35 typedef struct CERTCertListNodeStr CERTCertListNode; 36 typedef struct CERTCertNicknamesStr CERTCertNicknames; 37 typedef struct CERTCertTrustStr CERTCertTrust; 38 typedef struct CERTCertDistrustStr CERTCertDistrust; 39 typedef struct CERTCertificateStr CERTCertificate; 40 typedef struct CERTCertificateListStr CERTCertificateList; 41 typedef struct CERTCertificateRequestStr CERTCertificateRequest; 42 typedef struct CERTCrlStr CERTCrl; 43 typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints; 44 typedef struct CERTCrlEntryStr CERTCrlEntry; 45 typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode; 46 typedef struct CERTCrlKeyStr CERTCrlKey; 47 typedef struct CERTCrlNodeStr CERTCrlNode; 48 typedef struct CERTDERCertsStr CERTDERCerts; 49 typedef struct CERTDistNamesStr CERTDistNames; 50 typedef struct CERTGeneralNameStr CERTGeneralName; 51 typedef struct CERTGeneralNameListStr CERTGeneralNameList; 52 typedef struct CERTIssuerAndSNStr CERTIssuerAndSN; 53 typedef struct CERTNameStr CERTName; 54 typedef struct CERTNameConstraintStr CERTNameConstraint; 55 typedef struct CERTNameConstraintsStr CERTNameConstraints; 56 typedef struct CERTOKDomainNameStr CERTOKDomainName; 57 typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod; 58 typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge; 59 typedef struct CERTRDNStr CERTRDN; 60 typedef struct CERTSignedCrlStr CERTSignedCrl; 61 typedef struct CERTSignedDataStr CERTSignedData; 62 typedef struct CERTStatusConfigStr CERTStatusConfig; 63 typedef struct CERTSubjectListStr CERTSubjectList; 64 typedef struct CERTSubjectNodeStr CERTSubjectNode; 65 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; 66 typedef struct CERTValidityStr CERTValidity; 67 typedef struct CERTVerifyLogStr CERTVerifyLog; 68 typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode; 69 typedef struct CRLDistributionPointStr CRLDistributionPoint; 70 71 /* CRL extensions type */ 72 typedef unsigned long CERTCrlNumber; 73 74 /* 75 ** An X.500 AVA object 76 */ 77 struct CERTAVAStr { 78 SECItem type; 79 SECItem value; 80 }; 81 82 /* 83 ** An X.500 RDN object 84 */ 85 struct CERTRDNStr { 86 CERTAVA **avas; 87 }; 88 89 /* 90 ** An X.500 name object 91 */ 92 struct CERTNameStr { 93 PLArenaPool *arena; 94 CERTRDN **rdns; 95 }; 96 97 /* 98 ** An X.509 validity object 99 */ 100 struct CERTValidityStr { 101 PLArenaPool *arena; 102 SECItem notBefore; 103 SECItem notAfter; 104 }; 105 106 /* 107 * A serial number and issuer name, which is used as a database key 108 */ 109 struct CERTCertKeyStr { 110 SECItem serialNumber; 111 SECItem derIssuer; 112 }; 113 114 /* 115 ** A signed data object. Used to implement the "signed" macro used 116 ** in the X.500 specs. 117 */ 118 struct CERTSignedDataStr { 119 SECItem data; 120 SECAlgorithmID signatureAlgorithm; 121 SECItem signature; 122 }; 123 124 /* 125 ** An X.509 subject-public-key-info object 126 */ 127 struct CERTSubjectPublicKeyInfoStr { 128 PLArenaPool *arena; 129 SECAlgorithmID algorithm; 130 SECItem subjectPublicKey; 131 }; 132 133 struct CERTPublicKeyAndChallengeStr { 134 SECItem spki; 135 SECItem challenge; 136 }; 137 138 struct CERTCertTrustStr { 139 unsigned int sslFlags; 140 unsigned int emailFlags; 141 unsigned int objectSigningFlags; 142 }; 143 144 /* 145 * Distrust dates for specific certificate usages. 146 * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be 147 * compatible with the format of certdata.txt, other date fields in certs and 148 * existing functions to read these dates. Clients should check the distrust 149 * date in certificates to avoid trusting a CA for service they have ceased to 150 * support */ 151 struct CERTCertDistrustStr { 152 SECItem serverDistrustAfter; 153 SECItem emailDistrustAfter; 154 }; 155 156 /* 157 * defined the types of trust that exist 158 */ 159 typedef enum SECTrustTypeEnum { 160 trustSSL = 0, 161 trustEmail = 1, 162 trustObjectSigning = 2, 163 trustTypeNone = 3 164 } SECTrustType; 165 166 #define SEC_GET_TRUST_FLAGS(trust, type) \ 167 (((type) == trustSSL) \ 168 ? ((trust)->sslFlags) \ 169 : (((type) == trustEmail) ? ((trust)->emailFlags) \ 170 : (((type) == trustObjectSigning) \ 171 ? ((trust)->objectSigningFlags) \ 172 : 0))) 173 174 /* 175 ** An X.509.3 certificate extension 176 */ 177 struct CERTCertExtensionStr { 178 SECItem id; 179 SECItem critical; 180 SECItem value; 181 }; 182 183 struct CERTSubjectNodeStr { 184 struct CERTSubjectNodeStr *next; 185 struct CERTSubjectNodeStr *prev; 186 SECItem certKey; 187 SECItem keyID; 188 }; 189 190 struct CERTSubjectListStr { 191 PLArenaPool *arena; 192 int ncerts; 193 char *emailAddr; 194 CERTSubjectNode *head; 195 CERTSubjectNode *tail; /* do we need tail? */ 196 void *entry; 197 }; 198 199 /* 200 ** An X.509 certificate object (the unsigned form) 201 */ 202 struct CERTCertificateStr { 203 /* the arena is used to allocate any data structures that have the same 204 * lifetime as the cert. This is all stuff that hangs off of the cert 205 * structure, and is all freed at the same time. It is used when the 206 * cert is decoded, destroyed, and at some times when it changes 207 * state 208 */ 209 PLArenaPool *arena; 210 211 /* The following fields are static after the cert has been decoded */ 212 char *subjectName; 213 char *issuerName; 214 CERTSignedData signatureWrap; /* XXX */ 215 SECItem derCert; /* original DER for the cert */ 216 SECItem derIssuer; /* DER for issuer name */ 217 SECItem derSubject; /* DER for subject name */ 218 SECItem derPublicKey; /* DER for the public key */ 219 SECItem certKey; /* database key for this cert */ 220 SECItem version; 221 SECItem serialNumber; 222 SECAlgorithmID signature; 223 CERTName issuer; 224 CERTValidity validity; 225 CERTName subject; 226 CERTSubjectPublicKeyInfo subjectPublicKeyInfo; 227 SECItem issuerID; 228 SECItem subjectID; 229 CERTCertExtension **extensions; 230 char *emailAddr; 231 CERTCertDBHandle *dbhandle; 232 SECItem subjectKeyID; /* x509v3 subject key identifier */ 233 PRBool keyIDGenerated; /* was the keyid generated? */ 234 unsigned int keyUsage; /* what uses are allowed for this cert */ 235 unsigned int rawKeyUsage; /* value of the key usage extension */ 236 PRBool keyUsagePresent; /* was the key usage extension present */ 237 PRUint32 nsCertType; /* value of the ns cert type extension */ 238 /* must be 32-bit for PR_ATOMIC_SET */ 239 240 /* these values can be set by the application to bypass certain checks 241 * or to keep the cert in memory for an entire session. 242 * XXX - need an api to set these 243 */ 244 PRBool keepSession; /* keep this cert for entire session*/ 245 PRBool timeOK; /* is the bad validity time ok? */ 246 CERTOKDomainName *domainOK; /* these domain names are ok */ 247 248 /* 249 * these values can change when the cert changes state. These state 250 * changes include transitions from temp to perm or vice-versa, and 251 * changes of trust flags 252 */ 253 PRBool isperm; 254 PRBool istemp; 255 char *nickname; 256 char *dbnickname; 257 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */ 258 CERTCertTrust *trust; 259 260 /* the reference count is modified whenever someone looks up, dups 261 * or destroys a certificate 262 */ 263 int referenceCount; 264 265 /* The subject list is a list of all certs with the same subject name. 266 * It can be modified any time a cert is added or deleted from either 267 * the in-memory(temporary) or on-disk(permanent) database. 268 */ 269 CERTSubjectList *subjectList; 270 271 /* these belong in the static section, but are here to maintain 272 * the structure's integrity 273 */ 274 CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */ 275 PRBool isRoot; /* cert is the end of a chain */ 276 277 /* these fields are used by client GUI code to keep track of ssl sockets 278 * that are blocked waiting on GUI feedback related to this cert. 279 * XXX - these should be moved into some sort of application specific 280 * data structure. They are only used by the browser right now. 281 */ 282 union { 283 void *apointer; /* was struct SECSocketNode* authsocketlist */ 284 struct { 285 unsigned int hasUnsupportedCriticalExt : 1; 286 /* add any new option bits needed here */ 287 } bits; 288 } options; 289 int series; /* was int authsocketcount; record the series of the pkcs11ID */ 290 291 /* This is PKCS #11 stuff. */ 292 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ 293 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ 294 PRBool ownSlot; /*true if the cert owns the slot reference */ 295 /* These fields are used in nssckbi/builtins CAs. */ 296 CERTCertDistrust *distrust; 297 }; 298 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ 299 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ 300 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ 301 302 #define SEC_CRL_VERSION_1 0 /* default */ 303 #define SEC_CRL_VERSION_2 1 /* v2 extensions */ 304 305 /* 306 * used to identify class of cert in mime stream code 307 */ 308 #define SEC_CERT_CLASS_CA 1 309 #define SEC_CERT_CLASS_SERVER 2 310 #define SEC_CERT_CLASS_USER 3 311 #define SEC_CERT_CLASS_EMAIL 4 312 313 struct CERTDERCertsStr { 314 PLArenaPool *arena; 315 int numcerts; 316 SECItem *rawCerts; 317 }; 318 319 /* 320 ** A PKCS ? Attribute 321 ** XXX this is duplicated through out the code, it *should* be moved 322 ** to a central location. Where would be appropriate? 323 */ 324 struct CERTAttributeStr { 325 SECItem attrType; 326 SECItem **attrValue; 327 }; 328 329 /* 330 ** A PKCS#10 certificate-request object (the unsigned form) 331 */ 332 struct CERTCertificateRequestStr { 333 PLArenaPool *arena; 334 SECItem version; 335 CERTName subject; 336 CERTSubjectPublicKeyInfo subjectPublicKeyInfo; 337 CERTAttribute **attributes; 338 }; 339 #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */ 340 341 /* 342 ** A certificate list object. 343 */ 344 struct CERTCertificateListStr { 345 SECItem *certs; 346 int len; /* number of certs */ 347 PLArenaPool *arena; 348 }; 349 350 struct CERTCertListNodeStr { 351 PRCList links; 352 CERTCertificate *cert; 353 void *appData; 354 }; 355 356 struct CERTCertListStr { 357 PRCList list; 358 PLArenaPool *arena; 359 }; 360 361 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list)) 362 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) 363 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next) 364 #define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list)) 365 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l) 366 367 struct CERTCrlEntryStr { 368 SECItem serialNumber; 369 SECItem revocationDate; 370 CERTCertExtension **extensions; 371 }; 372 373 struct CERTCrlStr { 374 PLArenaPool *arena; 375 SECItem version; 376 SECAlgorithmID signatureAlg; 377 SECItem derName; 378 CERTName name; 379 SECItem lastUpdate; 380 SECItem nextUpdate; /* optional for x.509 CRL */ 381 CERTCrlEntry **entries; 382 CERTCertExtension **extensions; 383 /* can't add anything there for binary backwards compatibility reasons */ 384 }; 385 386 struct CERTCrlKeyStr { 387 SECItem derName; 388 SECItem dummy; /* The decoder can not skip a primitive, 389 this serves as a place holder for the 390 decoder to finish its task only 391 */ 392 }; 393 394 struct CERTSignedCrlStr { 395 PLArenaPool *arena; 396 CERTCrl crl; 397 void *reserved1; 398 PRBool reserved2; 399 PRBool isperm; 400 PRBool istemp; 401 int referenceCount; 402 CERTCertDBHandle *dbhandle; 403 CERTSignedData signatureWrap; /* XXX */ 404 char *url; 405 SECItem *derCrl; 406 PK11SlotInfo *slot; 407 CK_OBJECT_HANDLE pkcs11ID; 408 void *opaque; /* do not touch */ 409 }; 410 411 struct CERTCrlHeadNodeStr { 412 PLArenaPool *arena; 413 CERTCertDBHandle *dbhandle; 414 CERTCrlNode *first; 415 CERTCrlNode *last; 416 }; 417 418 struct CERTCrlNodeStr { 419 CERTCrlNode *next; 420 int type; 421 CERTSignedCrl *crl; 422 }; 423 424 /* 425 * Array of X.500 Distinguished Names 426 */ 427 struct CERTDistNamesStr { 428 PLArenaPool *arena; 429 int nnames; 430 SECItem *names; 431 void *head; /* private */ 432 }; 433 434 /* 435 * NS_CERT_TYPE defines are used in two areas: 436 * 1) The old NSS Cert Type Extension, which is a certificate extension in the 437 * actual cert. It was created before the x509 Extended Key Usage Extension, 438 * which has now taken over it's function. This field is only 8 bits wide 439 * 2) The nsCertType entry in the CERTCertificate structure. This field is 440 * 32 bits wide. 441 * Any entries in this table greater than 0x80 will not be able to be encoded 442 * in an NSS Cert Type Extension, but can still be represented internally in 443 * the nsCertType field. 444 */ 445 #define NS_CERT_TYPE_IPSEC_CA (0x200) /* outside the NS Cert Type Extenstion */ 446 #define NS_CERT_TYPE_IPSEC (0x100) /* outside the NS Cert Type Extenstion */ 447 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ 448 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ 449 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ 450 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ 451 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ 452 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ 453 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ 454 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ 455 456 #define EXT_KEY_USAGE_TIME_STAMP (0x8000) 457 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000) 458 459 #define NS_CERT_TYPE_APP \ 460 (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ 461 NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING) 462 463 #define NS_CERT_TYPE_CA \ 464 (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \ 465 NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \ 466 NS_CERT_TYPE_IPSEC_CA) 467 typedef enum SECCertUsageEnum { 468 certUsageSSLClient = 0, 469 certUsageSSLServer = 1, 470 certUsageSSLServerWithStepUp = 2, 471 certUsageSSLCA = 3, 472 certUsageEmailSigner = 4, 473 certUsageEmailRecipient = 5, 474 certUsageObjectSigner = 6, 475 certUsageUserCertImport = 7, 476 certUsageVerifyCA = 8, 477 certUsageProtectedObjectSigner = 9, 478 certUsageStatusResponder = 10, 479 certUsageAnyCA = 11, 480 certUsageIPsec = 12 481 } SECCertUsage; 482 483 typedef PRInt64 SECCertificateUsage; 484 485 #define certificateUsageCheckAllUsages (0x0000) 486 #define certificateUsageSSLClient (0x0001) 487 #define certificateUsageSSLServer (0x0002) 488 #define certificateUsageSSLServerWithStepUp (0x0004) 489 #define certificateUsageSSLCA (0x0008) 490 #define certificateUsageEmailSigner (0x0010) 491 #define certificateUsageEmailRecipient (0x0020) 492 #define certificateUsageObjectSigner (0x0040) 493 #define certificateUsageUserCertImport (0x0080) 494 #define certificateUsageVerifyCA (0x0100) 495 #define certificateUsageProtectedObjectSigner (0x0200) 496 #define certificateUsageStatusResponder (0x0400) 497 #define certificateUsageAnyCA (0x0800) 498 #define certificateUsageIPsec (0x1000) 499 500 #define certificateUsageHighest certificateUsageIPsec 501 502 /* 503 * Does the cert belong to the user, a peer, or a CA. 504 */ 505 typedef enum CERTCertOwnerEnum { 506 certOwnerUser = 0, 507 certOwnerPeer = 1, 508 certOwnerCA = 2 509 } CERTCertOwner; 510 511 /* 512 * This enum represents the state of validity times of a certificate 513 */ 514 typedef enum SECCertTimeValidityEnum { 515 secCertTimeValid = 0, 516 secCertTimeExpired = 1, 517 secCertTimeNotValidYet = 2, 518 secCertTimeUndetermined = 3 /* validity could not be decoded from the 519 cert, most likely because it was NULL */ 520 } SECCertTimeValidity; 521 522 /* 523 * This is used as return status in functions that compare the validity 524 * periods of two certificates A and B, currently only 525 * CERT_CompareValidityTimes. 526 */ 527 528 typedef enum CERTCompareValidityStatusEnum { 529 certValidityUndetermined = 0, /* the function is unable to select one cert 530 over another */ 531 certValidityChooseB = 1, /* cert B should be preferred */ 532 certValidityEqual = 2, /* both certs have the same validity period */ 533 certValidityChooseA = 3 /* cert A should be preferred */ 534 } CERTCompareValidityStatus; 535 536 /* 537 * Interface for getting certificate nickname strings out of the database 538 */ 539 540 /* these are values for the what argument below */ 541 #define SEC_CERT_NICKNAMES_ALL 1 542 #define SEC_CERT_NICKNAMES_USER 2 543 #define SEC_CERT_NICKNAMES_SERVER 3 544 #define SEC_CERT_NICKNAMES_CA 4 545 546 struct CERTCertNicknamesStr { 547 PLArenaPool *arena; 548 void *head; 549 int numnicknames; 550 char **nicknames; 551 int what; 552 int totallen; 553 }; 554 555 struct CERTIssuerAndSNStr { 556 SECItem derIssuer; 557 CERTName issuer; 558 SECItem serialNumber; 559 }; 560 561 /* X.509 v3 Key Usage Extension flags */ 562 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ 563 #define KU_NON_REPUDIATION (0x40) /* bit 1 */ 564 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ 565 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ 566 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ 567 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ 568 #define KU_CRL_SIGN (0x02) /* bit 6 */ 569 #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */ 570 #define KU_ALL \ 571 (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \ 572 KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \ 573 KU_CRL_SIGN | KU_ENCIPHER_ONLY) 574 575 /* This value will not occur in certs. It is used internally for the case 576 * when either digital signature or non-repudiation is the correct value. 577 */ 578 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000) 579 580 /* This value will not occur in certs. It is used internally for the case 581 * when the key type is not know ahead of time and either key agreement or 582 * key encipherment are the correct value based on key type 583 */ 584 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000) 585 586 /* internal bits that do not match bits in the x509v3 spec, but are used 587 * for similar purposes 588 */ 589 #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/ 590 /* 591 * x.509 v3 Basic Constraints Extension 592 * If isCA is false, the pathLenConstraint is ignored. 593 * Otherwise, the following pathLenConstraint values will apply: 594 * < 0 - there is no limit to the certificate path 595 * 0 - CA can issues end-entity certificates only 596 * > 0 - the number of certificates in the certificate path is 597 * limited to this number 598 */ 599 #define CERT_UNLIMITED_PATH_CONSTRAINT -2 600 601 struct CERTBasicConstraintsStr { 602 PRBool isCA; /* on if is CA */ 603 int pathLenConstraint; /* maximum number of certificates that can be 604 in the cert path. Only applies to a CA 605 certificate; otherwise, it's ignored. 606 */ 607 }; 608 609 /* Maximum length of a certificate chain */ 610 #define CERT_MAX_CERT_CHAIN 20 611 612 #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */ 613 #define CERT_MAX_DN_BYTES 4096 /* arbitrary */ 614 615 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */ 616 #define RF_UNUSED (0x80) /* bit 0 */ 617 #define RF_KEY_COMPROMISE (0x40) /* bit 1 */ 618 #define RF_CA_COMPROMISE (0x20) /* bit 2 */ 619 #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */ 620 #define RF_SUPERSEDED (0x08) /* bit 4 */ 621 #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */ 622 #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */ 623 624 /* enum for CRL Entry Reason Code */ 625 typedef enum CERTCRLEntryReasonCodeEnum { 626 crlEntryReasonUnspecified = 0, 627 crlEntryReasonKeyCompromise = 1, 628 crlEntryReasonCaCompromise = 2, 629 crlEntryReasonAffiliationChanged = 3, 630 crlEntryReasonSuperseded = 4, 631 crlEntryReasonCessationOfOperation = 5, 632 crlEntryReasoncertificatedHold = 6, 633 crlEntryReasonRemoveFromCRL = 8, 634 crlEntryReasonPrivilegeWithdrawn = 9, 635 crlEntryReasonAaCompromise = 10 636 } CERTCRLEntryReasonCode; 637 638 /* If we needed to extract the general name field, use this */ 639 /* General Name types */ 640 typedef enum CERTGeneralNameTypeEnum { 641 certOtherName = 1, 642 certRFC822Name = 2, 643 certDNSName = 3, 644 certX400Address = 4, 645 certDirectoryName = 5, 646 certEDIPartyName = 6, 647 certURI = 7, 648 certIPAddress = 8, 649 certRegisterID = 9 650 } CERTGeneralNameType; 651 652 typedef struct OtherNameStr { 653 SECItem name; 654 SECItem oid; 655 } OtherName; 656 657 struct CERTGeneralNameStr { 658 CERTGeneralNameType type; /* name type */ 659 union { 660 CERTName directoryName; /* distinguish name */ 661 OtherName OthName; /* Other Name */ 662 SECItem other; /* the rest of the name forms */ 663 } name; 664 SECItem derDirectoryName; /* this is saved to simplify directory name 665 comparison */ 666 PRCList l; 667 }; 668 669 struct CERTGeneralNameListStr { 670 PLArenaPool *arena; 671 CERTGeneralName *name; 672 int refCount; 673 int len; 674 PZLock *lock; 675 }; 676 677 struct CERTNameConstraintStr { 678 CERTGeneralName name; 679 SECItem DERName; 680 SECItem min; 681 SECItem max; 682 PRCList l; 683 }; 684 685 struct CERTNameConstraintsStr { 686 CERTNameConstraint *permited; 687 CERTNameConstraint *excluded; 688 SECItem **DERPermited; 689 SECItem **DERExcluded; 690 }; 691 692 /* Private Key Usage Period extension struct. */ 693 struct CERTPrivKeyUsagePeriodStr { 694 SECItem notBefore; 695 SECItem notAfter; 696 PLArenaPool *arena; 697 }; 698 699 /* X.509 v3 Authority Key Identifier extension. For the authority certificate 700 issuer field, we only support URI now. 701 */ 702 struct CERTAuthKeyIDStr { 703 SECItem keyID; /* unique key identifier */ 704 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */ 705 SECItem authCertSerialNumber; /* CA's certificate serial number */ 706 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of 707 the authCertIssuer field. It is used 708 by the encoding engine. It should be 709 used as a read only field by the caller. 710 */ 711 }; 712 713 /* x.509 v3 CRL Distributeion Point */ 714 715 /* 716 * defined the types of CRL Distribution points 717 */ 718 typedef enum DistributionPointTypesEnum { 719 generalName = 1, /* only support this for now */ 720 relativeDistinguishedName = 2 721 } DistributionPointTypes; 722 723 struct CRLDistributionPointStr { 724 DistributionPointTypes distPointType; 725 union { 726 CERTGeneralName *fullName; 727 CERTRDN relativeName; 728 } distPoint; 729 SECItem reasons; 730 CERTGeneralName *crlIssuer; 731 732 /* Reserved for internal use only*/ 733 SECItem derDistPoint; 734 SECItem derRelativeName; 735 SECItem **derCrlIssuer; 736 SECItem **derFullName; 737 SECItem bitsmap; 738 }; 739 740 struct CERTCrlDistributionPointsStr { 741 CRLDistributionPoint **distPoints; 742 }; 743 744 /* 745 * This structure is used to keep a log of errors when verifying 746 * a cert chain. This allows multiple errors to be reported all at 747 * once. 748 */ 749 struct CERTVerifyLogNodeStr { 750 CERTCertificate *cert; /* what cert had the error */ 751 long error; /* what error was it? */ 752 unsigned int depth; /* how far up the chain are we */ 753 void *arg; /* error specific argument */ 754 struct CERTVerifyLogNodeStr *next; /* next in the list */ 755 struct CERTVerifyLogNodeStr *prev; /* next in the list */ 756 }; 757 758 struct CERTVerifyLogStr { 759 PLArenaPool *arena; 760 unsigned int count; 761 struct CERTVerifyLogNodeStr *head; 762 struct CERTVerifyLogNodeStr *tail; 763 }; 764 765 struct CERTOKDomainNameStr { 766 CERTOKDomainName *next; 767 char *name; 768 }; 769 770 typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle, 771 CERTCertificate *cert, 772 PRTime time, void *pwArg); 773 774 typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle); 775 776 struct CERTStatusConfigStr { 777 CERTStatusChecker statusChecker; /* NULL means no checking enabled */ 778 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */ 779 void *statusContext; /* cx specific to checking protocol */ 780 }; 781 782 struct CERTAuthInfoAccessStr { 783 SECItem method; 784 SECItem derLocation; 785 CERTGeneralName *location; /* decoded location */ 786 }; 787 788 /* This is the typedef for the callback passed to CERT_OpenCertDB() */ 789 /* callback to return database name based on version number */ 790 typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion); 791 792 /* 793 * types of cert packages that we can decode 794 */ 795 typedef enum CERTPackageTypeEnum { 796 certPackageNone = 0, 797 certPackageCert = 1, 798 certPackagePKCS7 = 2, 799 certPackageNSCertSeq = 3, 800 certPackageNSCertWrap = 4 801 } CERTPackageType; 802 803 /* 804 * these types are for the PKIX Certificate Policies extension 805 */ 806 typedef struct { 807 SECOidTag oid; 808 SECItem qualifierID; 809 SECItem qualifierValue; 810 } CERTPolicyQualifier; 811 812 typedef struct { 813 SECOidTag oid; 814 SECItem policyID; 815 CERTPolicyQualifier **policyQualifiers; 816 } CERTPolicyInfo; 817 818 typedef struct { 819 PLArenaPool *arena; 820 CERTPolicyInfo **policyInfos; 821 } CERTCertificatePolicies; 822 823 typedef struct { 824 SECItem organization; 825 SECItem **noticeNumbers; 826 } CERTNoticeReference; 827 828 typedef struct { 829 PLArenaPool *arena; 830 CERTNoticeReference noticeReference; 831 SECItem derNoticeReference; 832 SECItem displayText; 833 } CERTUserNotice; 834 835 typedef struct { 836 PLArenaPool *arena; 837 SECItem **oids; 838 } CERTOidSequence; 839 840 /* 841 * these types are for the PKIX Policy Mappings extension 842 */ 843 typedef struct { 844 SECItem issuerDomainPolicy; 845 SECItem subjectDomainPolicy; 846 } CERTPolicyMap; 847 848 typedef struct { 849 PLArenaPool *arena; 850 CERTPolicyMap **policyMaps; 851 } CERTCertificatePolicyMappings; 852 853 /* 854 * these types are for the PKIX inhibitAnyPolicy extension 855 */ 856 typedef struct { 857 SECItem inhibitAnySkipCerts; 858 } CERTCertificateInhibitAny; 859 860 /* 861 * these types are for the PKIX Policy Constraints extension 862 */ 863 typedef struct { 864 SECItem explicitPolicySkipCerts; 865 SECItem inhibitMappingSkipCerts; 866 } CERTCertificatePolicyConstraints; 867 868 /* 869 * These types are for the validate chain callback param. 870 * 871 * CERTChainVerifyCallback is an application-supplied callback that can be used 872 * to augment libpkix's certificate chain validation with additional 873 * application-specific checks. It may be called multiple times if there are 874 * multiple potentially-valid paths for the certificate being validated. This 875 * callback is called before revocation checking is done on the certificates in 876 * the given chain. 877 * 878 * - isValidChainArg contains the application-provided opaque argument 879 * - currentChain is the currently validated chain. It is ordered with the leaf 880 * certificate at the head and the trust anchor at the tail. 881 * 882 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the 883 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and 884 * return SECSuccess if the chain is unacceptable, to indicate that the given 885 * chain is bad and path building should continue. It should return SECFailure 886 * to indicate an fatal error that will cause path validation to fail 887 * immediately. 888 */ 889 typedef SECStatus (*CERTChainVerifyCallbackFunc)( 890 void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK); 891 892 /* 893 * Note: If extending this structure, it will be necessary to change the 894 * associated CERTValParamInType 895 */ 896 typedef struct { 897 CERTChainVerifyCallbackFunc isChainValid; 898 void *isChainValidArg; 899 } CERTChainVerifyCallback; 900 901 /* 902 * these types are for the CERT_PKIX* Verification functions 903 * These are all optional parameters. 904 */ 905 906 typedef enum { 907 cert_pi_end = 0, /* SPECIAL: signifies end of array of 908 * CERTValParam* */ 909 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to 910 * resume a session. If this argument is 911 * specified, no other arguments should be. 912 * Specified in value.pointer.p. If the 913 * operation completes the context will be 914 * freed. */ 915 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an 916 * existing operation which the caller wants 917 * to abort. If this argument is 918 * specified, no other arguments should be. 919 * Specified in value.pointer.p. If the 920 * operation succeeds the context will be 921 * freed. */ 922 cert_pi_certList = 3, /* specify the chain to validate against. If 923 * this value is given, then the path 924 * construction step in the validation is 925 * skipped. Specified in value.pointer.chain */ 926 cert_pi_policyOID = 4, /* validate certificate for policy OID. 927 * Specified in value.array.oids. Cert must 928 * be good for at least one OID in order 929 * to validate. Default is that the user is not 930 * concerned about certificate policy. */ 931 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID. 932 * Specified in value.scalar.ul. Policy flags 933 * apply to all specified oids. 934 * Use CERT_POLICY_FLAG_* macros below. If not 935 * specified policy flags default to 0 */ 936 cert_pi_keyusage = 6, /* specify what the keyusages the certificate 937 * will be evaluated against, specified in 938 * value.scalar.ui. The cert must validate for 939 * at least one of the specified key usages. 940 * Values match the KU_ bit flags defined 941 * in this file. Default is derived from 942 * the 'usages' function argument */ 943 cert_pi_extendedKeyusage = 7, /* specify what the required extended key 944 * usage of the certificate. Specified as 945 * an array of oidTags in value.array.oids. 946 * The cert must validate for at least one 947 * of the specified extended key usages. 948 * If not specified, no extended key usages 949 * will be checked. */ 950 cert_pi_date = 8, /* validate certificate is valid as of date 951 * specified in value.scalar.time. A special 952 * value '0' indicates 'now'. default is '0' */ 953 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do. 954 * See CERT_REV_FLAG_* macros below 955 * Set in value.pointer.revocation */ 956 cert_pi_certStores = 10, /* Bitmask of Cert Store flags (see below) 957 * Set in value.scalar.ui */ 958 cert_pi_trustAnchors = 959 11, /* Specify the list of trusted roots to 960 * validate against. 961 * The default set of trusted roots, these are 962 * root CA certs from libnssckbi.so or CA 963 * certs trusted by user, are used in any of 964 * the following cases: 965 * * when the parameter is not set. 966 * * when the list of trust anchors is 967 * empty. 968 * Note that this handling can be further 969 * altered by altering the 970 * cert_pi_useOnlyTrustAnchors flag 971 * Specified in value.pointer.chain */ 972 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension. 973 * In NSS 3.12.1 or later. Default is off. 974 * Value is in value.scalar.b */ 975 cert_pi_chainVerifyCallback = 13, 976 /* The callback container for doing extra 977 * validation on the currently calculated chain. 978 * Value is in value.pointer.chainVerifyCallback */ 979 cert_pi_useOnlyTrustAnchors = 14, 980 /* If true, disables trusting any 981 * certificates other than the ones passed in via cert_pi_trustAnchors. 982 * If false, then the certificates specified via cert_pi_trustAnchors 983 * will be combined with the pre-existing trusted roots, but only 984 * for the certificate validation being performed. 985 * If no value has been supplied via cert_pi_trustAnchors, this has 986 * no effect. 987 * The default value is true, meaning if this is not supplied, only 988 * trust anchors supplied via cert_pi_trustAnchors are trusted. 989 * Specified in value.scalar.b */ 990 cert_pi_max /* SPECIAL: signifies maximum allowed value, 991 * can increase in future releases */ 992 } CERTValParamInType; 993 994 /* 995 * for all out parameters: 996 * out parameters are only returned if the caller asks for them in 997 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam 998 * array itself. The pkix verify function will allocate and other arrays 999 * pointers, or objects. The Caller is responsible for freeing those results. 1000 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned. 1001 */ 1002 typedef enum { 1003 cert_po_end = 0, /* SPECIAL: signifies end of array of 1004 * CERTValParam* */ 1005 cert_po_nbioContext = 1, /* Return a nonblocking context. If no 1006 * non-blocking context is specified, then 1007 * blocking IO will be used. 1008 * Returned in value.pointer.p. The context is 1009 * freed after an abort or a complete operation. 1010 * This value is only returned on SECWouldBlock. 1011 */ 1012 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that 1013 * was validated. Returned in 1014 * value.pointer.cert, this value is only 1015 * returned on SECSuccess. */ 1016 cert_po_certList = 3, /* Return the entire chain that was validated. 1017 * Returned in value.pointer.certList. If no 1018 * chain could be constructed, this value 1019 * would be NULL. */ 1020 cert_po_policyOID = 4, /* Return the policies that were found to be 1021 * valid. Returned in value.array.oids as an 1022 * array. This is only returned on 1023 * SECSuccess. */ 1024 cert_po_errorLog = 5, /* Return a log of problems with the chain. 1025 * Returned in value.pointer.log */ 1026 cert_po_usages = 6, /* Return what usages the certificate is valid 1027 for. Returned in value.scalar.usages */ 1028 cert_po_keyUsage = 7, /* Return what key usages the certificate 1029 * is valid for. 1030 * Returned in value.scalar.usage */ 1031 cert_po_extendedKeyusage = 8, /* Return what extended key usages the 1032 * certificate is valid for. 1033 * Returned in value.array.oids */ 1034 cert_po_max /* SPECIAL: signifies maximum allowed value, 1035 * can increase in future releases */ 1036 1037 } CERTValParamOutType; 1038 1039 typedef enum { 1040 cert_revocation_method_crl = 0, 1041 cert_revocation_method_ocsp, 1042 cert_revocation_method_count 1043 } CERTRevocationMethodIndex; 1044 1045 /* 1046 * The following flags are supposed to be used to control bits in 1047 * each integer contained in the array pointed to be: 1048 * CERTRevocationTests.cert_rev_flags_per_method 1049 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates 1050 * this is a method dependent flag. 1051 */ 1052 1053 /* 1054 * Whether or not to use a method for revocation testing. 1055 * If set to "do not test", then all other flags are ignored. 1056 */ 1057 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL 1058 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL 1059 1060 /* 1061 * Whether or not NSS is allowed to attempt to fetch fresh information 1062 * from the network. 1063 * (Although fetching will never happen if fresh information for the 1064 * method is already locally available.) 1065 */ 1066 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL 1067 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL 1068 1069 /* 1070 * Example for an implicit default source: 1071 * The globally configured default OCSP responder. 1072 * IGNORE means: 1073 * ignore the implicit default source, whether it's configured or not. 1074 * ALLOW means: 1075 * if an implicit default source is configured, 1076 * then it overrides any available or missing source in the cert. 1077 * if no implicit default source is configured, 1078 * then we continue to use what's available (or not available) 1079 * in the certs. 1080 */ 1081 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL 1082 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL 1083 1084 /* 1085 * Defines the behavior if no fresh information is available, 1086 * fetching from the network is allowed, but the source of revocation 1087 * information is unknown (even after considering implicit sources, 1088 * if allowed by other flags). 1089 * SKIPT_TEST means: 1090 * We ignore that no fresh information is available and 1091 * skip this test. 1092 * REQUIRE_INFO means: 1093 * We still require that fresh information is available. 1094 * Other flags define what happens on missing fresh info. 1095 */ 1096 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL 1097 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL 1098 1099 /* 1100 * Defines the behavior if we are unable to obtain fresh information. 1101 * INGORE means: 1102 * Return "cert status unknown" 1103 * FAIL means: 1104 * Return "cert revoked". 1105 */ 1106 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL 1107 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL 1108 1109 /* 1110 * What should happen if we were able to find fresh information using 1111 * this method, and the data indicated the cert is good? 1112 * STOP_TESTING means: 1113 * Our success is sufficient, do not continue testing 1114 * other methods. 1115 * CONTINUE_TESTING means: 1116 * We will continue and test the next allowed 1117 * specified method. 1118 */ 1119 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL 1120 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL 1121 1122 /* When this flag is used, libpkix will never attempt to use the GET HTTP 1123 * method for OCSP requests; it will always use POST. 1124 */ 1125 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL 1126 1127 /* 1128 * The following flags are supposed to be used to control bits in 1129 * CERTRevocationTests.cert_rev_method_independent_flags 1130 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates 1131 * this is a method independent flag. 1132 */ 1133 1134 /* 1135 * This defines the order to checking. 1136 * EACH_METHOD_SEPARATELY means: 1137 * Do all tests related to a particular allowed method 1138 * (both local information and network fetching) in a single step. 1139 * Only after testing for a particular method is done, 1140 * then switching to the next method will happen. 1141 * ALL_LOCAL_INFORMATION_FIRST means: 1142 * Start by testing the information for all allowed methods 1143 * which are already locally available. Only after that is done 1144 * consider to fetch from the network (as allowed by other flags). 1145 */ 1146 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL 1147 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL 1148 1149 /* 1150 * Use this flag to specify that it's necessary that fresh information 1151 * is available for at least one of the allowed methods, but it's 1152 * irrelevant which of the mechanisms succeeded. 1153 * NO_OVERALL_INFO_REQUIREMENT means: 1154 * We strictly follow the requirements for each individual method. 1155 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: 1156 * After the individual tests have been executed, we must have 1157 * been able to find fresh information using at least one method. 1158 * If we were unable to find fresh info, it's a failure. 1159 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 1160 * flag on all methods. 1161 */ 1162 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL 1163 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL 1164 1165 typedef struct { 1166 /* 1167 * The size of the array that cert_rev_flags_per_method points to, 1168 * meaning, the number of methods that are known and defined 1169 * by the caller. 1170 */ 1171 PRUint32 number_of_defined_methods; 1172 1173 /* 1174 * A pointer to an array of integers. 1175 * Each integer defines revocation checking for a single method, 1176 * by having individual CERT_REV_M_* bits set or not set. 1177 * The meaning of index numbers into this array are defined by 1178 * enum CERTRevocationMethodIndex 1179 * The size of the array must be specified by the caller in the separate 1180 * variable number_of_defined_methods. 1181 * The size of the array may be smaller than 1182 * cert_revocation_method_count, it can happen if a caller 1183 * is not yet aware of the latest revocation methods 1184 * (or does not want to use them). 1185 */ 1186 PRUint64 *cert_rev_flags_per_method; 1187 1188 /* 1189 * How many preferred methods are specified? 1190 * This is equivalent to the size of the array that 1191 * preferred_methods points to. 1192 * It's allowed to set this value to zero, 1193 * then NSS will decide which methods to prefer. 1194 */ 1195 PRUint32 number_of_preferred_methods; 1196 1197 /* Array that may specify an optional order of preferred methods. 1198 * Each array entry shall contain a method identifier as defined 1199 * by CERTRevocationMethodIndex. 1200 * The entry at index [0] specifies the method with highest preference. 1201 * These methods will be tested first for locally available information. 1202 * Methods allowed for downloading will be attempted in the same order. 1203 */ 1204 CERTRevocationMethodIndex *preferred_methods; 1205 1206 /* 1207 * An integer which defines certain aspects of revocation checking 1208 * (independent of individual methods) by having individual 1209 * CERT_REV_MI_* bits set or not set. 1210 */ 1211 PRUint64 cert_rev_method_independent_flags; 1212 } CERTRevocationTests; 1213 1214 typedef struct { 1215 CERTRevocationTests leafTests; 1216 CERTRevocationTests chainTests; 1217 } CERTRevocationFlags; 1218 1219 typedef struct CERTValParamInValueStr { 1220 union { 1221 PRBool b; 1222 PRInt32 i; 1223 PRUint32 ui; 1224 PRInt64 l; 1225 PRUint64 ul; 1226 PRTime time; 1227 } scalar; 1228 union { 1229 const void *p; 1230 const char *s; 1231 const CERTCertificate *cert; 1232 const CERTCertList *chain; 1233 const CERTRevocationFlags *revocation; 1234 const CERTChainVerifyCallback *chainVerifyCallback; 1235 } pointer; 1236 union { 1237 const PRInt32 *pi; 1238 const PRUint32 *pui; 1239 const PRInt64 *pl; 1240 const PRUint64 *pul; 1241 const SECOidTag *oids; 1242 } array; 1243 int arraySize; 1244 } CERTValParamInValue; 1245 1246 typedef struct CERTValParamOutValueStr { 1247 union { 1248 PRBool b; 1249 PRInt32 i; 1250 PRUint32 ui; 1251 PRInt64 l; 1252 PRUint64 ul; 1253 SECCertificateUsage usages; 1254 } scalar; 1255 union { 1256 void *p; 1257 char *s; 1258 CERTVerifyLog *log; 1259 CERTCertificate *cert; 1260 CERTCertList *chain; 1261 } pointer; 1262 union { 1263 void *p; 1264 SECOidTag *oids; 1265 } array; 1266 int arraySize; 1267 } CERTValParamOutValue; 1268 1269 typedef struct { 1270 CERTValParamInType type; 1271 CERTValParamInValue value; 1272 } CERTValInParam; 1273 1274 typedef struct { 1275 CERTValParamOutType type; 1276 CERTValParamOutValue value; 1277 } CERTValOutParam; 1278 1279 /* 1280 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible 1281 */ 1282 typedef enum CertStrictnessLevels { 1283 CERT_N2A_READABLE = 0, /* maximum human readability */ 1284 CERT_N2A_STRICT = 10, /* strict RFC compliance */ 1285 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility, 1286 all DirectoryStrings encoded in hex */ 1287 } CertStrictnessLevel; 1288 1289 /* 1290 * policy flag defines 1291 */ 1292 #define CERT_POLICY_FLAG_NO_MAPPING 1 1293 #define CERT_POLICY_FLAG_EXPLICIT 2 1294 #define CERT_POLICY_FLAG_NO_ANY 4 1295 1296 /* 1297 * CertStore flags 1298 */ 1299 #define CERT_ENABLE_LDAP_FETCH 1 1300 #define CERT_ENABLE_HTTP_FETCH 2 1301 1302 /* This functin pointer type may be used for any function that takes 1303 * a CERTCertificate * and returns an allocated string, which must be 1304 * freed by a call to PORT_Free. 1305 */ 1306 typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert); 1307 1308 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ 1309 1310 #include "secasn1t.h" /* way down here because I expect template stuff to 1311 * move out of here anyway */ 1312 1313 SEC_BEGIN_PROTOS 1314 1315 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[]; 1316 extern const SEC_ASN1Template CERT_CertificateTemplate[]; 1317 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[]; 1318 extern const SEC_ASN1Template CERT_CertExtensionTemplate[]; 1319 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[]; 1320 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[]; 1321 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[]; 1322 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[]; 1323 extern const SEC_ASN1Template CERT_ValidityTemplate[]; 1324 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[]; 1325 extern const SEC_ASN1Template SEC_CertSequenceTemplate[]; 1326 1327 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[]; 1328 extern const SEC_ASN1Template CERT_NameTemplate[]; 1329 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[]; 1330 extern const SEC_ASN1Template CERT_RDNTemplate[]; 1331 extern const SEC_ASN1Template CERT_SignedDataTemplate[]; 1332 extern const SEC_ASN1Template CERT_CrlTemplate[]; 1333 extern const SEC_ASN1Template CERT_SignedCrlTemplate[]; 1334 1335 /* 1336 ** XXX should the attribute stuff be centralized for all of ns/security? 1337 */ 1338 extern const SEC_ASN1Template CERT_AttributeTemplate[]; 1339 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[]; 1340 1341 /* These functions simply return the address of the above-declared templates. 1342 ** This is necessary for Windows DLLs. Sigh. 1343 */ 1344 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate) 1345 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate) 1346 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate) 1347 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) 1348 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate) 1349 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate) 1350 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate) 1351 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate) 1352 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate) 1353 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate) 1354 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate) 1355 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate) 1356 1357 SEC_END_PROTOS 1358 1359 #endif /* _CERTT_H_ */ 1360