The Tor Browser: security/nss/lib/pki/nsspki.h@6474c204b198 (annotated)

security/nss/lib/pki/nsspki.h@6474c204b198 (annotated)

security/nss/lib/pki/nsspki.h

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef NSSPKI_H
 #define NSSPKI_H
 /*
  * nsspki.h
  *
  * This file prototypes the methods of the top-level PKI objects.
  */
 #ifndef NSSDEVT_H
 #include "nssdevt.h"
 #endif /* NSSDEVT_H */
 #ifndef NSSPKIT_H
 #include "nsspkit.h"
 #endif /* NSSPKIT_H */
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 PR_BEGIN_EXTERN_C
 /*
  * A note about interfaces
  *
  * Although these APIs are specified in C, a language which does
  * not have fancy support for abstract interfaces, this library
  * was designed from an object-oriented perspective.  It may be
  * useful to consider the standard interfaces which went into
  * the writing of these APIs.
  *
  * Basic operations on all objects:
  *  Destroy -- free a pointer to an object
  *  DeleteStoredObject -- delete an object permanently
  *
  * Public Key cryptographic operations:
  *  Encrypt
  *  Verify
  *  VerifyRecover
  *  Wrap
  *  Derive
  *
  * Private Key cryptographic operations:
  *  IsStillPresent
  *  Decrypt
  *  Sign
  *  SignRecover
  *  Unwrap
  *  Derive
  *
  * Symmetric Key cryptographic operations:
  *  IsStillPresent
  *  Encrypt
  *  Decrypt
  *  Sign
  *  SignRecover
  *  Verify
  *  VerifyRecover
  *  Wrap
  *  Unwrap
  *  Derive
  *
  */
 /*
  * NSSCertificate
  *
  * These things can do crypto ops like public keys, except that the trust,
  * usage, and other constraints are checked.  These objects are "high-level,"
  * so trust, usages, etc. are in the form we throw around (client auth,
  * email signing, etc.).  Remember that theoretically another implementation
  * (think PGP) could be beneath this object.
  */
 /*
  * NSSCertificate_Destroy
  *
  * Free a pointer to a certificate object.
  */
 NSS_EXTERN PRStatus
 NSSCertificate_Destroy
 (
   NSSCertificate *c
 );
 /*
  * NSSCertificate_DeleteStoredObject
  *
  * Permanently remove this certificate from storage.  If this is the
  * only (remaining) certificate corresponding to a private key,
  * public key, and/or other object; then that object (those objects)
  * are deleted too.
  */
 NSS_EXTERN PRStatus
 NSSCertificate_DeleteStoredObject
 (
   NSSCertificate *c,
   NSSCallback *uhh
 );
 /*
  * NSSCertificate_Validate
  *
  * Verify that this certificate is trusted, for the specified usage(s),
  * at the specified time, {word word} the specified policies.
  */
 NSS_EXTERN PRStatus
 NSSCertificate_Validate
 (
   NSSCertificate *c,
   NSSTime *timeOpt, /* NULL for "now" */
   NSSUsage *usage,
   NSSPolicies *policiesOpt /* NULL for none */
 );
 /*
  * NSSCertificate_ValidateCompletely
  *
  * Verify that this certificate is trusted.  The difference between
  * this and the previous call is that NSSCertificate_Validate merely
  * returns success or failure with an appropriate error stack.
  * However, there may be (and often are) multiple problems with a
  * certificate.  This routine returns an array of errors, specifying
  * every problem.
  */
 /*
  * Return value must be an array of objects, each of which has
  * an NSSError, and any corresponding certificate (in the chain)
  * and/or policy.
  */
 NSS_EXTERN void ** /* void *[] */
 NSSCertificate_ValidateCompletely
 (
   NSSCertificate *c,
   NSSTime *timeOpt, /* NULL for "now" */
   NSSUsage *usage,
   NSSPolicies *policiesOpt, /* NULL for none */
   void **rvOpt, /* NULL for allocate */
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt /* NULL for heap */
 );
 /*
  * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
  *
  * Returns PR_SUCCESS if the certificate is valid for at least something.
  */
 NSS_EXTERN PRStatus
 NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
 (
   NSSCertificate *c,
   NSSTime **notBeforeOutOpt,
   NSSTime **notAfterOutOpt,
   void *allowedUsages,
   void *disallowedUsages,
   void *allowedPolicies,
   void *disallowedPolicies,
   /* more args.. work on this fgmr */
   NSSArena *arenaOpt
 );
 /*
  * NSSCertificate_Encode
  *
  */
 NSS_EXTERN NSSDER *
 NSSCertificate_Encode
 (
   NSSCertificate *c,
   NSSDER *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCertificate_BuildChain
  *
  * This routine returns NSSCertificate *'s for each certificate
  * in the "chain" starting from the specified one up to and
  * including the root.  The zeroth element in the array is the
  * specified ("leaf") certificate.
  *
  * If statusOpt is supplied, and is returned as PR_FAILURE, possible
  * error values are:
  *
  * NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND - the chain is incomplete
  *
  */
 extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
 NSS_EXTERN NSSCertificate **
 NSSCertificate_BuildChain
 (
   NSSCertificate *c,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt,
   PRStatus *statusOpt,
   NSSTrustDomain *td,
   NSSCryptoContext *cc
 );
 /*
  * NSSCertificate_GetTrustDomain
  *
  */
 NSS_EXTERN NSSTrustDomain *
 NSSCertificate_GetTrustDomain
 (
   NSSCertificate *c
 );
 /*
  * NSSCertificate_GetToken
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSToken *
 NSSCertificate_GetToken
 (
   NSSCertificate *c,
   PRStatus *statusOpt
 );
 /*
  * NSSCertificate_GetSlot
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSSlot *
 NSSCertificate_GetSlot
 (
   NSSCertificate *c,
   PRStatus *statusOpt
 );
 /*
  * NSSCertificate_GetModule
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSModule *
 NSSCertificate_GetModule
 (
   NSSCertificate *c,
   PRStatus *statusOpt
 );
 /*
  * NSSCertificate_Encrypt
  *
  * Encrypt a single chunk of data with the public key corresponding to
  * this certificate.
  */
 NSS_EXTERN NSSItem *
 NSSCertificate_Encrypt
 (
   NSSCertificate *c,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCertificate_Verify
  *
  */
 NSS_EXTERN PRStatus
 NSSCertificate_Verify
 (
   NSSCertificate *c,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSItem *signature,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh
 );
 /*
  * NSSCertificate_VerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCertificate_VerifyRecover
 (
   NSSCertificate *c,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *signature,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCertificate_WrapSymmetricKey
  *
  * This method tries very hard to to succeed, even in situations
  * involving sensitive keys and multiple modules.
  * { relyea: want to add verbiage? }
  */
 NSS_EXTERN NSSItem *
 NSSCertificate_WrapSymmetricKey
 (
   NSSCertificate *c,
   NSSAlgorithmAndParameters *apOpt,
   NSSSymmetricKey *keyToWrap,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCertificate_CreateCryptoContext
  *
  * Create a crypto context, in this certificate's trust domain, with this
  * as the distinguished certificate.
  */
 NSS_EXTERN NSSCryptoContext *
 NSSCertificate_CreateCryptoContext
 (
   NSSCertificate *c,
   NSSAlgorithmAndParameters *apOpt,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh
 );
 /*
  * NSSCertificate_GetPublicKey
  *
  * Returns the public key corresponding to this certificate.
  */
 NSS_EXTERN NSSPublicKey *
 NSSCertificate_GetPublicKey
 (
   NSSCertificate *c
 );
 /*
  * NSSCertificate_FindPrivateKey
  *
  * Finds and returns the private key corresponding to this certificate,
  * if it is available.
  *
  * { Should this hang off of NSSUserCertificate? }
  */
 NSS_EXTERN NSSPrivateKey *
 NSSCertificate_FindPrivateKey
 (
   NSSCertificate *c,
   NSSCallback *uhh
 );
 /*
  * NSSCertificate_IsPrivateKeyAvailable
  *
  * Returns success if the private key corresponding to this certificate
  * is available to be used.
  *
  * { Should *this* hang off of NSSUserCertificate?? }
  */
 NSS_EXTERN PRBool
 NSSCertificate_IsPrivateKeyAvailable
 (
   NSSCertificate *c,
   NSSCallback *uhh,
   PRStatus *statusOpt
 );
 /*
  * If we make NSSUserCertificate not a typedef of NSSCertificate,
  * then we'll need implementations of the following:
  *
  *  NSSUserCertificate_Destroy
  *  NSSUserCertificate_DeleteStoredObject
  *  NSSUserCertificate_Validate
  *  NSSUserCertificate_ValidateCompletely
  *  NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
  *  NSSUserCertificate_Encode
  *  NSSUserCertificate_BuildChain
  *  NSSUserCertificate_GetTrustDomain
  *  NSSUserCertificate_GetToken
  *  NSSUserCertificate_GetSlot
  *  NSSUserCertificate_GetModule
  *  NSSUserCertificate_GetCryptoContext
  *  NSSUserCertificate_GetPublicKey
  */
 /*
  * NSSUserCertificate_IsStillPresent
  *
  * Verify that if this certificate lives on a token, that the token
  * is still present and the certificate still exists.  This is a
  * lightweight call which should be used whenever it should be
  * verified that the user hasn't perhaps popped out his or her
  * token and strolled away.
  */
 NSS_EXTERN PRBool
 NSSUserCertificate_IsStillPresent
 (
   NSSUserCertificate *uc,
   PRStatus *statusOpt
 );
 /*
  * NSSUserCertificate_Decrypt
  *
  * Decrypt a single chunk of data with the private key corresponding
  * to this certificate.
  */
 NSS_EXTERN NSSItem *
 NSSUserCertificate_Decrypt
 (
   NSSUserCertificate *uc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSUserCertificate_Sign
  *
  */
 NSS_EXTERN NSSItem *
 NSSUserCertificate_Sign
 (
   NSSUserCertificate *uc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSUserCertificate_SignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSUserCertificate_SignRecover
 (
   NSSUserCertificate *uc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSUserCertificate_UnwrapSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSUserCertificate_UnwrapSymmetricKey
 (
   NSSUserCertificate *uc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *wrappedKey,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSUserCertificate_DeriveSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSUserCertificate_DeriveSymmetricKey
 (
   NSSUserCertificate *uc, /* provides private key */
   NSSCertificate *c, /* provides public key */
   NSSAlgorithmAndParameters *apOpt,
   NSSOID *target,
   PRUint32 keySizeOpt, /* zero for best allowed */
   NSSOperations operations,
   NSSCallback *uhh
 );
 /* filter-certs function(s) */
 /**
  ** fgmr -- trust objects
  **/
 /*
  * NSSPrivateKey
  *
  */
 /*
  * NSSPrivateKey_Destroy
  *
  * Free a pointer to a private key object.
  */
 NSS_EXTERN PRStatus
 NSSPrivateKey_Destroy
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_DeleteStoredObject
  *
  * Permanently remove this object, and any related objects (such as the
  * certificates corresponding to this key).
  */
 NSS_EXTERN PRStatus
 NSSPrivateKey_DeleteStoredObject
 (
   NSSPrivateKey *vk,
   NSSCallback *uhh
 );
 /*
  * NSSPrivateKey_GetSignatureLength
  *
  */
 NSS_EXTERN PRUint32
 NSSPrivateKey_GetSignatureLength
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_GetPrivateModulusLength
  *
  */
 NSS_EXTERN PRUint32
 NSSPrivateKey_GetPrivateModulusLength
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_IsStillPresent
  *
  */
 NSS_EXTERN PRBool
 NSSPrivateKey_IsStillPresent
 (
   NSSPrivateKey *vk,
   PRStatus *statusOpt
 );
 /*
  * NSSPrivateKey_Encode
  *
  */
 NSS_EXTERN NSSItem *
 NSSPrivateKey_Encode
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *ap,
   NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_GetTrustDomain
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSTrustDomain *
 NSSPrivateKey_GetTrustDomain
 (
   NSSPrivateKey *vk,
   PRStatus *statusOpt
 );
 /*
  * NSSPrivateKey_GetToken
  *
  */
 NSS_EXTERN NSSToken *
 NSSPrivateKey_GetToken
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_GetSlot
  *
  */
 NSS_EXTERN NSSSlot *
 NSSPrivateKey_GetSlot
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_GetModule
  *
  */
 NSS_EXTERN NSSModule *
 NSSPrivateKey_GetModule
 (
   NSSPrivateKey *vk
 );
 /*
  * NSSPrivateKey_Decrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSPrivateKey_Decrypt
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *encryptedData,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_Sign
  *
  */
 NSS_EXTERN NSSItem *
 NSSPrivateKey_Sign
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_SignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSPrivateKey_SignRecover
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_UnwrapSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSPrivateKey_UnwrapSymmetricKey
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *wrappedKey,
   NSSCallback *uhh
 );
 /*
  * NSSPrivateKey_DeriveSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSPrivateKey_DeriveSymmetricKey
 (
   NSSPrivateKey *vk,
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSOID *target,
   PRUint32 keySizeOpt, /* zero for best allowed */
   NSSOperations operations,
   NSSCallback *uhh
 );
 /*
  * NSSPrivateKey_FindPublicKey
  *
  */
 NSS_EXTERN NSSPublicKey *
 NSSPrivateKey_FindPublicKey
 (
   NSSPrivateKey *vk
   /* { don't need the callback here, right? } */
 );
 /*
  * NSSPrivateKey_CreateCryptoContext
  *
  * Create a crypto context, in this key's trust domain,
  * with this as the distinguished private key.
  */
 NSS_EXTERN NSSCryptoContext *
 NSSPrivateKey_CreateCryptoContext
 (
   NSSPrivateKey *vk,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhh
 );
 /*
  * NSSPrivateKey_FindCertificates
  *
  * Note that there may be more than one certificate for this
  * private key.  { FilterCertificates function to further
  * reduce the list. }
  */
 NSS_EXTERN NSSCertificate **
 NSSPrivateKey_FindCertificates
 (
   NSSPrivateKey *vk,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_FindBestCertificate
  *
  * The parameters for this function will depend on what the users
  * need.  This is just a starting point.
  */
 NSS_EXTERN NSSCertificate *
 NSSPrivateKey_FindBestCertificate
 (
   NSSPrivateKey *vk,
   NSSTime *timeOpt,
   NSSUsage *usageOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSPublicKey
  *
  * Once you generate, find, or derive one of these, you can use it
  * to perform (simple) cryptographic operations.  Though there may
  * be certificates associated with these public keys, they are not
  * verified.
  */
 /*
  * NSSPublicKey_Destroy
  *
  * Free a pointer to a public key object.
  */
 NSS_EXTERN PRStatus
 NSSPublicKey_Destroy
 (
   NSSPublicKey *bk
 );
 /*
  * NSSPublicKey_DeleteStoredObject
  *
  * Permanently remove this object, and any related objects (such as the
  * corresponding private keys and certificates).
  */
 NSS_EXTERN PRStatus
 NSSPublicKey_DeleteStoredObject
 (
   NSSPublicKey *bk,
   NSSCallback *uhh
 );
 /*
  * NSSPublicKey_Encode
  *
  */
 NSS_EXTERN NSSItem *
 NSSPublicKey_Encode
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *ap,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPublicKey_GetTrustDomain
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSTrustDomain *
 NSSPublicKey_GetTrustDomain
 (
   NSSPublicKey *bk,
   PRStatus *statusOpt
 );
 /*
  * NSSPublicKey_GetToken
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSToken *
 NSSPublicKey_GetToken
 (
   NSSPublicKey *bk,
   PRStatus *statusOpt
 );
 /*
  * NSSPublicKey_GetSlot
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSSlot *
 NSSPublicKey_GetSlot
 (
   NSSPublicKey *bk,
   PRStatus *statusOpt
 );
 /*
  * NSSPublicKey_GetModule
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSModule *
 NSSPublicKey_GetModule
 (
   NSSPublicKey *bk,
   PRStatus *statusOpt
 );
 /*
  * NSSPublicKey_Encrypt
  *
  * Encrypt a single chunk of data with the public key corresponding to
  * this certificate.
  */
 NSS_EXTERN NSSItem *
 NSSPublicKey_Encrypt
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPublicKey_Verify
  *
  */
 NSS_EXTERN PRStatus
 NSSPublicKey_Verify
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSItem *signature,
   NSSCallback *uhh
 );
 /*
  * NSSPublicKey_VerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSPublicKey_VerifyRecover
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *signature,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPublicKey_WrapSymmetricKey
  *
  */
 NSS_EXTERN NSSItem *
 NSSPublicKey_WrapSymmetricKey
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSSymmetricKey *keyToWrap,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSPublicKey_CreateCryptoContext
  *
  * Create a crypto context, in this key's trust domain, with this
  * as the distinguished public key.
  */
 NSS_EXTERN NSSCryptoContext *
 NSSPublicKey_CreateCryptoContext
 (
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhh
 );
 /*
  * NSSPublicKey_FindCertificates
  *
  * Note that there may be more than one certificate for this
  * public key.  The current implementation may not find every
  * last certificate available for this public key: that would
  * involve trolling e.g. huge ldap databases, which will be
  * grossly inefficient and not generally useful.
  * { FilterCertificates function to further reduce the list }
  */
 NSS_EXTERN NSSCertificate **
 NSSPublicKey_FindCertificates
 (
   NSSPublicKey *bk,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSPrivateKey_FindBestCertificate
  *
  * The parameters for this function will depend on what the users
  * need.  This is just a starting point.
  */
 NSS_EXTERN NSSCertificate *
 NSSPublicKey_FindBestCertificate
 (
   NSSPublicKey *bk,
   NSSTime *timeOpt,
   NSSUsage *usageOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSPublicKey_FindPrivateKey
  *
  */
 NSS_EXTERN NSSPrivateKey *
 NSSPublicKey_FindPrivateKey
 (
   NSSPublicKey *bk,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey
  *
  */
 /*
  * NSSSymmetricKey_Destroy
  *
  * Free a pointer to a symmetric key object.
  */
 NSS_EXTERN PRStatus
 NSSSymmetricKey_Destroy
 (
   NSSSymmetricKey *mk
 );
 /*
  * NSSSymmetricKey_DeleteStoredObject
  *
  * Permanently remove this object.
  */
 NSS_EXTERN PRStatus
 NSSSymmetricKey_DeleteStoredObject
 (
   NSSSymmetricKey *mk,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey_GetKeyLength
  *
  */
 NSS_EXTERN PRUint32
 NSSSymmetricKey_GetKeyLength
 (
   NSSSymmetricKey *mk
 );
 /*
  * NSSSymmetricKey_GetKeyStrength
  *
  */
 NSS_EXTERN PRUint32
 NSSSymmetricKey_GetKeyStrength
 (
   NSSSymmetricKey *mk
 );
 /*
  * NSSSymmetricKey_IsStillPresent
  *
  */
 NSS_EXTERN PRStatus
 NSSSymmetricKey_IsStillPresent
 (
   NSSSymmetricKey *mk
 );
 /*
  * NSSSymmetricKey_GetTrustDomain
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSTrustDomain *
 NSSSymmetricKey_GetTrustDomain
 (
   NSSSymmetricKey *mk,
   PRStatus *statusOpt
 );
 /*
  * NSSSymmetricKey_GetToken
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSToken *
 NSSSymmetricKey_GetToken
 (
   NSSSymmetricKey *mk,
   PRStatus *statusOpt
 );
 /*
  * NSSSymmetricKey_GetSlot
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSSlot *
 NSSSymmetricKey_GetSlot
 (
   NSSSymmetricKey *mk,
   PRStatus *statusOpt
 );
 /*
  * NSSSymmetricKey_GetModule
  *
  * There doesn't have to be one.
  */
 NSS_EXTERN NSSModule *
 NSSSymmetricKey_GetModule
 (
   NSSSymmetricKey *mk,
   PRStatus *statusOpt
 );
 /*
  * NSSSymmetricKey_Encrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_Encrypt
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_Decrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_Decrypt
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *encryptedData,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_Sign
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_Sign
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_SignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_SignRecover
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_Verify
  *
  */
 NSS_EXTERN PRStatus
 NSSSymmetricKey_Verify
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSItem *signature,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey_VerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_VerifyRecover
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *signature,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_WrapSymmetricKey
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_WrapSymmetricKey
 (
   NSSSymmetricKey *wrappingKey,
   NSSAlgorithmAndParameters *apOpt,
   NSSSymmetricKey *keyToWrap,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_WrapPrivateKey
  *
  */
 NSS_EXTERN NSSItem *
 NSSSymmetricKey_WrapPrivateKey
 (
   NSSSymmetricKey *wrappingKey,
   NSSAlgorithmAndParameters *apOpt,
   NSSPrivateKey *keyToWrap,
   NSSCallback *uhh,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSSymmetricKey_UnwrapSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSSymmetricKey_UnwrapSymmetricKey
 (
   NSSSymmetricKey *wrappingKey,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *wrappedKey,
   NSSOID *target,
   PRUint32 keySizeOpt,
   NSSOperations operations,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey_UnwrapPrivateKey
  *
  */
 NSS_EXTERN NSSPrivateKey *
 NSSSymmetricKey_UnwrapPrivateKey
 (
   NSSSymmetricKey *wrappingKey,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *wrappedKey,
   NSSUTF8 *labelOpt,
   NSSItem *keyIDOpt,
   PRBool persistant,
   PRBool sensitive,
   NSSToken *destinationOpt,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey_DeriveSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSSymmetricKey_DeriveSymmetricKey
 (
   NSSSymmetricKey *originalKey,
   NSSAlgorithmAndParameters *apOpt,
   NSSOID *target,
   PRUint32 keySizeOpt,
   NSSOperations operations,
   NSSCallback *uhh
 );
 /*
  * NSSSymmetricKey_CreateCryptoContext
  *
  * Create a crypto context, in this key's trust domain,
  * with this as the distinguished symmetric key.
  */
 NSS_EXTERN NSSCryptoContext *
 NSSSymmetricKey_CreateCryptoContext
 (
   NSSSymmetricKey *mk,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhh
 );
 /*
  * NSSTrustDomain
  *
  */
 /*
  * NSSTrustDomain_Create
  *
  * This creates a trust domain, optionally with an initial cryptoki
  * module.  If the module name is not null, the module is loaded if
  * needed (using the uriOpt argument), and initialized with the
  * opaqueOpt argument.  If mumble mumble priority settings, then
  * module-specification objects in the module can cause the loading
  * and initialization of further modules.
  *
  * The uriOpt is defined to take a URI.  At present, we only
  * support file: URLs pointing to platform-native shared libraries.
  * However, by specifying this as a URI, this keeps open the
  * possibility of supporting other, possibly remote, resources.
  *
  * The "reserved" arguments is held for when we figure out the
  * module priority stuff.
  */
 NSS_EXTERN NSSTrustDomain *
 NSSTrustDomain_Create
 (
   NSSUTF8 *moduleOpt,
   NSSUTF8 *uriOpt,
   NSSUTF8 *opaqueOpt,
   void *reserved
 );
 /*
  * NSSTrustDomain_Destroy
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_Destroy
 (
   NSSTrustDomain *td
 );
 /*
  * NSSTrustDomain_SetDefaultCallback
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_SetDefaultCallback
 (
   NSSTrustDomain *td,
   NSSCallback *newCallback,
   NSSCallback **oldCallbackOpt
 );
 /*
  * NSSTrustDomain_GetDefaultCallback
  *
  */
 NSS_EXTERN NSSCallback *
 NSSTrustDomain_GetDefaultCallback
 (
   NSSTrustDomain *td,
   PRStatus *statusOpt
 );
 /*
  * Default policies?
  * Default usage?
  * Default time, for completeness?
  */
 /*
  * NSSTrustDomain_LoadModule
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_LoadModule
 (
   NSSTrustDomain *td,
   NSSUTF8 *moduleOpt,
   NSSUTF8 *uriOpt,
   NSSUTF8 *opaqueOpt,
   void *reserved
 );
 /*
  * NSSTrustDomain_AddModule
  * NSSTrustDomain_AddSlot
  * NSSTrustDomain_UnloadModule
  * Managing modules, slots, tokens; priorities;
  * Traversing all of the above
  * this needs more work
  */
 /*
  * NSSTrustDomain_DisableToken
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_DisableToken
 (
   NSSTrustDomain *td,
   NSSToken *token,
   NSSError why
 );
 /*
  * NSSTrustDomain_EnableToken
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_EnableToken
 (
   NSSTrustDomain *td,
   NSSToken *token
 );
 /*
  * NSSTrustDomain_IsTokenEnabled
  *
  * If disabled, "why" is always on the error stack.
  * The optional argument is just for convenience.
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_IsTokenEnabled
 (
   NSSTrustDomain *td,
   NSSToken *token,
   NSSError *whyOpt
 );
 /*
  * NSSTrustDomain_FindSlotByName
  *
  */
 NSS_EXTERN NSSSlot *
 NSSTrustDomain_FindSlotByName
 (
   NSSTrustDomain *td,
   NSSUTF8 *slotName
 );
 /*
  * NSSTrustDomain_FindTokenByName
  *
  */
 NSS_EXTERN NSSToken *
 NSSTrustDomain_FindTokenByName
 (
   NSSTrustDomain *td,
   NSSUTF8 *tokenName
 );
 /*
  * NSSTrustDomain_FindTokenBySlotName
  *
  */
 NSS_EXTERN NSSToken *
 NSSTrustDomain_FindTokenBySlotName
 (
   NSSTrustDomain *td,
   NSSUTF8 *slotName
 );
 /*
  * NSSTrustDomain_FindBestTokenForAlgorithm
  *
  */
 NSS_EXTERN NSSToken *
 NSSTrustDomain_FindTokenForAlgorithm
 (
   NSSTrustDomain *td,
   NSSOID *algorithm
 );
 /*
  * NSSTrustDomain_FindBestTokenForAlgorithms
  *
  */
 NSS_EXTERN NSSToken *
 NSSTrustDomain_FindBestTokenForAlgorithms
 (
   NSSTrustDomain *td,
   NSSOID *algorithms[], /* may be null-terminated */
   PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
 );
 /*
  * NSSTrustDomain_Login
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_Login
 (
   NSSTrustDomain *td,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_Logout
  *
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_Logout
 (
   NSSTrustDomain *td
 );
 /* Importing things */
 /*
  * NSSTrustDomain_ImportCertificate
  *
  * The implementation will pull some data out of the certificate
  * (e.g. e-mail address) for use in pkcs#11 object attributes.
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_ImportCertificate
 (
   NSSTrustDomain *td,
   NSSCertificate *c
 );
 /*
  * NSSTrustDomain_ImportPKIXCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_ImportPKIXCertificate
 (
   NSSTrustDomain *td,
   /* declared as a struct until these "data types" are defined */
   struct NSSPKIXCertificateStr *pc
 );
 /*
  * NSSTrustDomain_ImportEncodedCertificate
  *
  * Imports any type of certificate we support.
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_ImportEncodedCertificate
 (
   NSSTrustDomain *td,
   NSSBER *ber
 );
 /*
  * NSSTrustDomain_ImportEncodedCertificateChain
  *
  * If you just want the leaf, pass in a maximum of one.
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_ImportEncodedCertificateChain
 (
   NSSTrustDomain *td,
   NSSBER *ber,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_ImportEncodedPrivateKey
  *
  */
 NSS_EXTERN NSSPrivateKey *
 NSSTrustDomain_ImportEncodedPrivateKey
 (
   NSSTrustDomain *td,
   NSSBER *ber,
   NSSItem *passwordOpt, /* NULL will cause a callback */
   NSSCallback *uhhOpt,
   NSSToken *destination
 );
 /*
  * NSSTrustDomain_ImportEncodedPublicKey
  *
  */
 NSS_EXTERN NSSPublicKey *
 NSSTrustDomain_ImportEncodedPublicKey
 (
   NSSTrustDomain *td,
   NSSBER *ber
 );
 /* Other importations: S/MIME capabilities */
 /*
  * NSSTrustDomain_FindBestCertificateByNickname
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestCertificateByNickname
 (
   NSSTrustDomain *td,
   const NSSUTF8 *name,
   NSSTime *timeOpt, /* NULL for "now" */
   NSSUsage *usage,
   NSSPolicies *policiesOpt /* NULL for none */
 );
 /*
  * NSSTrustDomain_FindCertificatesByNickname
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindCertificatesByNickname
 (
   NSSTrustDomain *td,
   NSSUTF8 *name,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
 (
   NSSTrustDomain *td,
   NSSDER *issuer,
   NSSDER *serialNumber
 );
 /*
  * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
  *
  * Theoretically, this should never happen.  However, some companies
  * we know have issued duplicate certificates with the same issuer
  * and serial number.  Do we just ignore them?  I'm thinking yes.
  */
 /*
  * NSSTrustDomain_FindBestCertificateBySubject
  *
  * This does not search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestCertificateBySubject
 (
   NSSTrustDomain *td,
   NSSDER /*NSSUTF8*/ *subject,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindCertificatesBySubject
  *
  * This does not search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindCertificatesBySubject
 (
   NSSTrustDomain *td,
   NSSDER /*NSSUTF8*/ *subject,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindBestCertificateByNameComponents
  *
  * This call does try several tricks, including a pseudo pkcs#11
  * attribute for the ldap module to try as a query.  Eventually
  * this call falls back to a traversal if that's what's required.
  * It will search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestCertificateByNameComponents
 (
   NSSTrustDomain *td,
   NSSUTF8 *nameComponents,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindCertificatesByNameComponents
  *
  * This call, too, tries several tricks.  It will stop on the first
  * attempt that generates results, so it won't e.g. traverse the
  * entire ldap database.
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindCertificatesByNameComponents
 (
   NSSTrustDomain *td,
   NSSUTF8 *nameComponents,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindCertificateByEncodedCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindCertificateByEncodedCertificate
 (
   NSSTrustDomain *td,
   NSSBER *encodedCertificate
 );
 /*
  * NSSTrustDomain_FindBestCertificateByEmail
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindCertificateByEmail
 (
   NSSTrustDomain *td,
   NSSASCII7 *email,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindCertificatesByEmail
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindCertificatesByEmail
 (
   NSSTrustDomain *td,
   NSSASCII7 *email,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindCertificateByOCSPHash
  *
  * There can be only one.
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindCertificateByOCSPHash
 (
   NSSTrustDomain *td,
   NSSItem *hash
 );
 /*
  * NSSTrustDomain_TraverseCertificates
  *
  * This function descends from one in older versions of NSS which
  * traverses the certs in the permanent database.  That function
  * was used to implement selection routines, but was directly
  * available too.  Trust domains are going to contain a lot more
  * certs now (e.g., an ldap server), so we'd really like to
  * discourage traversal.  Thus for now, this is commented out.
  * If it's needed, let's look at the situation more closely to
  * find out what the actual requirements are.
  */
 /* For now, adding this function.  This may only be for debugging
  * purposes.
  * Perhaps some equivalent function, on a specified token, will be
  * needed in a "friend" header file?
  */
 NSS_EXTERN PRStatus *
 NSSTrustDomain_TraverseCertificates
 (
   NSSTrustDomain *td,
   PRStatus (*callback)(NSSCertificate *c, void *arg),
   void *arg
 );
 /*
  * NSSTrustDomain_FindBestUserCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestUserCertificate
 (
   NSSTrustDomain *td,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindUserCertificates
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindUserCertificates
 (
   NSSTrustDomain *td,
   NSSTime *timeOpt,
   NSSUsage *usageOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
 (
   NSSTrustDomain *td,
   NSSUTF8 *sslHostOpt,
   NSSDER *rootCAsOpt[], /* null pointer for none */
   PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindUserCertificatesForSSLClientAuth
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindUserCertificatesForSSLClientAuth
 (
   NSSTrustDomain *td,
   NSSUTF8 *sslHostOpt,
   NSSDER *rootCAsOpt[], /* null pointer for none */
   PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /*
  * NSSTrustDomain_FindBestUserCertificateForEmailSigning
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSTrustDomain_FindBestUserCertificateForEmailSigning
 (
   NSSTrustDomain *td,
   NSSASCII7 *signerOpt,
   NSSASCII7 *recipientOpt,
   /* anything more here? */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSTrustDomain_FindUserCertificatesForEmailSigning
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSTrustDomain_FindUserCertificatesForEmailSigning
 (
   NSSTrustDomain *td,
   NSSASCII7 *signerOpt,
   NSSASCII7 *recipientOpt,
   /* anything more here? */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /*
  * Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
  * routines.
  */
 /* Private Keys */
 /*
  * NSSTrustDomain_GenerateKeyPair
  *
  * Creates persistant objects.  If you want session objects, use
  * NSSCryptoContext_GenerateKeyPair.  The destination token is where
  * the keys are stored.  If that token can do the required math, then
  * that's where the keys are generated too.  Otherwise, the keys are
  * generated elsewhere and moved to that token.
  */
 NSS_EXTERN PRStatus
 NSSTrustDomain_GenerateKeyPair
 (
   NSSTrustDomain *td,
   NSSAlgorithmAndParameters *ap,
   NSSPrivateKey **pvkOpt,
   NSSPublicKey **pbkOpt,
   PRBool privateKeyIsSensitive,
   NSSToken *destination,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_TraversePrivateKeys
  *
  *
  * NSS_EXTERN PRStatus *
  * NSSTrustDomain_TraversePrivateKeys
  * (
  *   NSSTrustDomain *td,
  *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
  *   void *arg
  * );
  */
 /* Symmetric Keys */
 /*
  * NSSTrustDomain_GenerateSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSTrustDomain_GenerateSymmetricKey
 (
   NSSTrustDomain *td,
   NSSAlgorithmAndParameters *ap,
   PRUint32 keysize,
   NSSToken *destination,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_GenerateSymmetricKeyFromPassword
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSTrustDomain_GenerateSymmetricKeyFromPassword
 (
   NSSTrustDomain *td,
   NSSAlgorithmAndParameters *ap,
   NSSUTF8 *passwordOpt, /* if null, prompt */
   NSSToken *destinationOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_FindSymmetricKeyByAlgorithm
  *
  * Is this still needed?
  *
  * NSS_EXTERN NSSSymmetricKey *
  * NSSTrustDomain_FindSymmetricKeyByAlgorithm
  * (
  *   NSSTrustDomain *td,
  *   NSSOID *algorithm,
  *   NSSCallback *uhhOpt
  * );
  */
 /*
  * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
 (
   NSSTrustDomain *td,
   NSSOID *algorithm,
   NSSItem *keyID,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_TraverseSymmetricKeys
  *
  *
  * NSS_EXTERN PRStatus *
  * NSSTrustDomain_TraverseSymmetricKeys
  * (
  *   NSSTrustDomain *td,
  *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
  *   void *arg
  * );
  */
 /*
  * NSSTrustDomain_CreateCryptoContext
  *
  * If a callback object is specified, it becomes the for the crypto
  * context; otherwise, this trust domain's default (if any) is
  * inherited.
  */
 NSS_EXTERN NSSCryptoContext *
 NSSTrustDomain_CreateCryptoContext
 (
   NSSTrustDomain *td,
   NSSCallback *uhhOpt
 );
 /*
  * NSSTrustDomain_CreateCryptoContextForAlgorithm
  *
  */
 NSS_EXTERN NSSCryptoContext *
 NSSTrustDomain_CreateCryptoContextForAlgorithm
 (
   NSSTrustDomain *td,
   NSSOID *algorithm
 );
 /*
  * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
  *
  */
 NSS_EXTERN NSSCryptoContext *
 NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
 (
   NSSTrustDomain *td,
   NSSAlgorithmAndParameters *ap
 );
 /* find/traverse other objects, e.g. s/mime profiles */
 /*
  * NSSCryptoContext
  *
  * A crypto context is sort of a short-term snapshot of a trust domain,
  * used for the life of "one crypto operation."  You can also think of
  * it as a "temporary database."
  *
  * Just about all of the things you can do with a trust domain -- importing
  * or creating certs, keys, etc. -- can be done with a crypto context.
  * The difference is that the objects will be temporary ("session") objects.
  *
  * Also, if the context was created for a key, cert, and/or algorithm; or
  * if such objects have been "associated" with the context, then the context
  * can do everything the keys can, like crypto operations.
  *
  * And finally, because it keeps the state of the crypto operations, it
  * can do streaming crypto ops.
  */
 /*
  * NSSTrustDomain_Destroy
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_Destroy
 (
   NSSCryptoContext *cc
 );
 /* establishing a default callback */
 /*
  * NSSCryptoContext_SetDefaultCallback
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_SetDefaultCallback
 (
   NSSCryptoContext *cc,
   NSSCallback *newCallback,
   NSSCallback **oldCallbackOpt
 );
 /*
  * NSSCryptoContext_GetDefaultCallback
  *
  */
 NSS_EXTERN NSSCallback *
 NSSCryptoContext_GetDefaultCallback
 (
   NSSCryptoContext *cc,
   PRStatus *statusOpt
 );
 /*
  * NSSCryptoContext_GetTrustDomain
  *
  */
 NSS_EXTERN NSSTrustDomain *
 NSSCryptoContext_GetTrustDomain
 (
   NSSCryptoContext *cc
 );
 /* AddModule, etc: should we allow "temporary" changes here? */
 /* DisableToken, etc: ditto */
 /* Ordering of tokens? */
 /* Finding slots+token etc. */
 /* login+logout */
 /* Importing things */
 /*
  * NSSCryptoContext_FindOrImportCertificate
  *
  * If the certificate store already contains this DER cert, return the
  * address of the matching NSSCertificate that is already in the store,
  * and bump its reference count.
  *
  * If this DER cert is NOT already in the store, then add the new
  * NSSCertificate to the store and bump its reference count,
  * then return its address.
  *
  * if this DER cert is not in the store and cannot be added to it,
  * return NULL;
  *
  * Record the associated crypto context in the certificate.
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindOrImportCertificate (
   NSSCryptoContext *cc,
   NSSCertificate *c
 );
 /*
  * NSSCryptoContext_ImportPKIXCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_ImportPKIXCertificate
 (
   NSSCryptoContext *cc,
   struct NSSPKIXCertificateStr *pc
 );
 /*
  * NSSCryptoContext_ImportEncodedCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_ImportEncodedCertificate
 (
   NSSCryptoContext *cc,
   NSSBER *ber
 );
 /*
  * NSSCryptoContext_ImportEncodedPKIXCertificateChain
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_ImportEncodedPKIXCertificateChain
 (
   NSSCryptoContext *cc,
   NSSBER *ber
 );
 /* Other importations: S/MIME capabilities
  */
 /*
  * NSSCryptoContext_FindBestCertificateByNickname
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestCertificateByNickname
 (
   NSSCryptoContext *cc,
   const NSSUTF8 *name,
   NSSTime *timeOpt, /* NULL for "now" */
   NSSUsage *usage,
   NSSPolicies *policiesOpt /* NULL for none */
 );
 /*
  * NSSCryptoContext_FindCertificatesByNickname
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindCertificatesByNickname
 (
   NSSCryptoContext *cc,
   NSSUTF8 *name,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
 (
   NSSCryptoContext *cc,
   NSSDER *issuer,
   NSSDER *serialNumber
 );
 /*
  * NSSCryptoContext_FindBestCertificateBySubject
  *
  * This does not search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestCertificateBySubject
 (
   NSSCryptoContext *cc,
   NSSDER /*NSSUTF8*/ *subject,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindCertificatesBySubject
  *
  * This does not search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindCertificatesBySubject
 (
   NSSCryptoContext *cc,
   NSSDER /*NSSUTF8*/ *subject,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindBestCertificateByNameComponents
  *
  * This call does try several tricks, including a pseudo pkcs#11
  * attribute for the ldap module to try as a query.  Eventually
  * this call falls back to a traversal if that's what's required.
  * It will search through alternate names hidden in extensions.
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestCertificateByNameComponents
 (
   NSSCryptoContext *cc,
   NSSUTF8 *nameComponents,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindCertificatesByNameComponents
  *
  * This call, too, tries several tricks.  It will stop on the first
  * attempt that generates results, so it won't e.g. traverse the
  * entire ldap database.
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindCertificatesByNameComponents
 (
   NSSCryptoContext *cc,
   NSSUTF8 *nameComponents,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindCertificateByEncodedCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindCertificateByEncodedCertificate
 (
   NSSCryptoContext *cc,
   NSSBER *encodedCertificate
 );
 /*
  * NSSCryptoContext_FindBestCertificateByEmail
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestCertificateByEmail
 (
   NSSCryptoContext *cc,
   NSSASCII7 *email,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindCertificatesByEmail
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindCertificatesByEmail
 (
   NSSCryptoContext *cc,
   NSSASCII7 *email,
   NSSCertificate *rvOpt[],
   PRUint32 maximumOpt, /* 0 for no max */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindCertificateByOCSPHash
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindCertificateByOCSPHash
 (
   NSSCryptoContext *cc,
   NSSItem *hash
 );
 /*
  * NSSCryptoContext_TraverseCertificates
  *
  *
  * NSS_EXTERN PRStatus *
  * NSSCryptoContext_TraverseCertificates
  * (
  *   NSSCryptoContext *cc,
  *   PRStatus (*callback)(NSSCertificate *c, void *arg),
  *   void *arg
  * );
  */
 /*
  * NSSCryptoContext_FindBestUserCertificate
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestUserCertificate
 (
   NSSCryptoContext *cc,
   NSSTime *timeOpt,
   NSSUsage *usage,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindUserCertificates
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindUserCertificates
 (
   NSSCryptoContext *cc,
   NSSTime *timeOpt,
   NSSUsage *usageOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
 (
   NSSCryptoContext *cc,
   NSSUTF8 *sslHostOpt,
   NSSDER *rootCAsOpt[], /* null pointer for none */
   PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindUserCertificatesForSSLClientAuth
  *
  */
 NSS_EXTERN NSSCertificate **
 NSSCryptoContext_FindUserCertificatesForSSLClientAuth
 (
   NSSCryptoContext *cc,
   NSSUTF8 *sslHostOpt,
   NSSDER *rootCAsOpt[], /* null pointer for none */
   PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FindBestUserCertificateForEmailSigning
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindBestUserCertificateForEmailSigning
 (
   NSSCryptoContext *cc,
   NSSASCII7 *signerOpt,
   NSSASCII7 *recipientOpt,
   /* anything more here? */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt
 );
 /*
  * NSSCryptoContext_FindUserCertificatesForEmailSigning
  *
  */
 NSS_EXTERN NSSCertificate *
 NSSCryptoContext_FindUserCertificatesForEmailSigning
 (
   NSSCryptoContext *cc,
   NSSASCII7 *signerOpt, /* fgmr or a more general name? */
   NSSASCII7 *recipientOpt,
   /* anything more here? */
   NSSAlgorithmAndParameters *apOpt,
   NSSPolicies *policiesOpt,
   NSSCertificate **rvOpt,
   PRUint32 rvLimit, /* zero for no limit */
   NSSArena *arenaOpt
 );
 /* Private Keys */
 /*
  * NSSCryptoContext_GenerateKeyPair
  *
  * Creates session objects.  If you want persistant objects, use
  * NSSTrustDomain_GenerateKeyPair.  The destination token is where
  * the keys are stored.  If that token can do the required math, then
  * that's where the keys are generated too.  Otherwise, the keys are
  * generated elsewhere and moved to that token.
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_GenerateKeyPair
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *ap,
   NSSPrivateKey **pvkOpt,
   NSSPublicKey **pbkOpt,
   PRBool privateKeyIsSensitive,
   NSSToken *destination,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_TraversePrivateKeys
  *
  *
  * NSS_EXTERN PRStatus *
  * NSSCryptoContext_TraversePrivateKeys
  * (
  *   NSSCryptoContext *cc,
  *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
  *   void *arg
  * );
  */
 /* Symmetric Keys */
 /*
  * NSSCryptoContext_GenerateSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSCryptoContext_GenerateSymmetricKey
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *ap,
   PRUint32 keysize,
   NSSToken *destination,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_GenerateSymmetricKeyFromPassword
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSCryptoContext_GenerateSymmetricKeyFromPassword
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *ap,
   NSSUTF8 *passwordOpt, /* if null, prompt */
   NSSToken *destinationOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_FindSymmetricKeyByAlgorithm
  *
  *
  * NSS_EXTERN NSSSymmetricKey *
  * NSSCryptoContext_FindSymmetricKeyByType
  * (
  *   NSSCryptoContext *cc,
  *   NSSOID *type,
  *   NSSCallback *uhhOpt
  * );
  */
 /*
  * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
 (
   NSSCryptoContext *cc,
   NSSOID *algorithm,
   NSSItem *keyID,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_TraverseSymmetricKeys
  *
  *
  * NSS_EXTERN PRStatus *
  * NSSCryptoContext_TraverseSymmetricKeys
  * (
  *   NSSCryptoContext *cc,
  *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
  *   void *arg
  * );
  */
 /* Crypto ops on distinguished keys */
 /*
  * NSSCryptoContext_Decrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_Decrypt
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *encryptedData,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginDecrypt
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginDecrypt
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueDecrypt
  *
  */
 /*
  * NSSItem semantics:
  *
  *   If rvOpt is NULL, a new NSSItem and buffer are allocated.
  *   If rvOpt is not null, but the buffer pointer is null,
  *     then rvOpt is returned but a new buffer is allocated.
  *     In this case, if the length value is not zero, then
  *     no more than that much space will be allocated.
  *   If rvOpt is not null and the buffer pointer is not null,
  *     then that buffer is re-used.  No more than the buffer
  *     length value will be used; if it's not enough, an
  *     error is returned.  If less is used, the number is
  *     adjusted downwards.
  *
  *  Note that although this is short of some ideal "Item"
  *  definition, we can usually tell how big these buffers
  *  have to be.
  *
  *  Feedback is requested; and earlier is better than later.
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_ContinueDecrypt
 (
   NSSCryptoContext *cc,
   NSSItem *data,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FinishDecrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishDecrypt
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_Sign
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_Sign
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginSign
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginSign
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueSign
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_ContinueSign
 (
   NSSCryptoContext *cc,
   NSSItem *data
 );
 /*
  * NSSCryptoContext_FinishSign
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishSign
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_SignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_SignRecover
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginSignRecover
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginSignRecover
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueSignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_ContinueSignRecover
 (
   NSSCryptoContext *cc,
   NSSItem *data,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FinishSignRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishSignRecover
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_UnwrapSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSCryptoContext_UnwrapSymmetricKey
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *wrappedKey,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_DeriveSymmetricKey
  *
  */
 NSS_EXTERN NSSSymmetricKey *
 NSSCryptoContext_DeriveSymmetricKey
 (
   NSSCryptoContext *cc,
   NSSPublicKey *bk,
   NSSAlgorithmAndParameters *apOpt,
   NSSOID *target,
   PRUint32 keySizeOpt, /* zero for best allowed */
   NSSOperations operations,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_Encrypt
  *
  * Encrypt a single chunk of data with the distinguished public key
  * of this crypto context.
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_Encrypt
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginEncrypt
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginEncrypt
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueEncrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_ContinueEncrypt
 (
   NSSCryptoContext *cc,
   NSSItem *data,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FinishEncrypt
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishEncrypt
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_Verify
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_Verify
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSItem *signature,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_BeginVerify
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginVerify
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *signature,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueVerify
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_ContinueVerify
 (
   NSSCryptoContext *cc,
   NSSItem *data
 );
 /*
  * NSSCryptoContext_FinishVerify
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_FinishVerify
 (
   NSSCryptoContext *cc
 );
 /*
  * NSSCryptoContext_VerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_VerifyRecover
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *signature,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginVerifyRecover
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginVerifyRecover
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueVerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_ContinueVerifyRecover
 (
   NSSCryptoContext *cc,
   NSSItem *data,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_FinishVerifyRecover
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishVerifyRecover
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_WrapSymmetricKey
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_WrapSymmetricKey
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSSymmetricKey *keyToWrap,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_Digest
  *
  * Digest a single chunk of data with the distinguished digest key
  * of this crypto context.
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_Digest
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *data,
   NSSCallback *uhhOpt,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * NSSCryptoContext_BeginDigest
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_BeginDigest
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSCallback *uhhOpt
 );
 /*
  * NSSCryptoContext_ContinueDigest
  *
  */
 NSS_EXTERN PRStatus
 NSSCryptoContext_ContinueDigest
 (
   NSSCryptoContext *cc,
   NSSAlgorithmAndParameters *apOpt,
   NSSItem *item
 );
 /*
  * NSSCryptoContext_FinishDigest
  *
  */
 NSS_EXTERN NSSItem *
 NSSCryptoContext_FinishDigest
 (
   NSSCryptoContext *cc,
   NSSItem *rvOpt,
   NSSArena *arenaOpt
 );
 /*
  * tbd: Combination ops
  */
 /*
  * NSSCryptoContext_Clone
  *
  */
 NSS_EXTERN NSSCryptoContext *
 NSSCryptoContext_Clone
 (
   NSSCryptoContext *cc
 );
 /*
  * NSSCryptoContext_Save
  * NSSCryptoContext_Restore
  *
  * We need to be able to save and restore the state of contexts.
  * Perhaps a mark-and-release mechanism would be better?
  */
 /*
  * ..._SignTBSCertificate
  *
  * This requires feedback from the cert server team.
  */
 /*
  * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
  * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
  *
  * These will be helper functions which get the trust object for a cert,
  * and then call the corresponding function(s) on it.
  *
  * PKIX trust objects will have methods to manipulate the low-level trust
  * bits (which are based on key usage and extended key usage), and also the
  * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
  *
  * Other types of trust objects (if any) might have different low-level
  * representations, but hopefully high-level concepts would map.
  *
  * Only these high-level general routines would be promoted to the
  * general certificate level here.  Hence the {xxx} above would be things
  * like "EmailSigning."
  *
  *
  * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
  * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
  *
  * I want to hold off on any general trust object until we've investigated
  * other models more thoroughly.
  */
 PR_END_EXTERN_C
 #endif /* NSSPKI_H */

The Tor Browser / annotate

security/nss/lib/pki/nsspki.h@6474c204b198 (annotated)

security/nss/lib/pki/nsspki.h