The Tor Browser: security/nss/lib/certdb/certt.h@b8a032363ba2 (annotated)

security/nss/lib/certdb/certt.h@b8a032363ba2 (annotated)

security/nss/lib/certdb/certt.h

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * certt.h - public data structures for the certificate library
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
 #include "secoidt.h"
 #include "plarena.h"
 #include "prcvar.h"
 #include "nssilock.h"
 #include "prio.h"
 #include "prmon.h"
 /* Stan data types */
 struct NSSCertificateStr;
 struct NSSTrustDomainStr;
 /* Non-opaque objects */
 typedef struct CERTAVAStr                        CERTAVA;
 typedef struct CERTAttributeStr                  CERTAttribute;
 typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
 typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
 typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
 typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
 typedef struct CERTCertExtensionStr              CERTCertExtension;
 typedef struct CERTCertKeyStr                    CERTCertKey;
 typedef struct CERTCertListStr                   CERTCertList;
 typedef struct CERTCertListNodeStr               CERTCertListNode;
 typedef struct CERTCertNicknamesStr              CERTCertNicknames;
 typedef struct CERTCertTrustStr                  CERTCertTrust;
 typedef struct CERTCertificateStr                CERTCertificate;
 typedef struct CERTCertificateListStr            CERTCertificateList;
 typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
 typedef struct CERTCrlStr                        CERTCrl;
 typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints;
 typedef struct CERTCrlEntryStr                   CERTCrlEntry;
 typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
 typedef struct CERTCrlKeyStr                     CERTCrlKey;
 typedef struct CERTCrlNodeStr                    CERTCrlNode;
 typedef struct CERTDERCertsStr                   CERTDERCerts;
 typedef struct CERTDistNamesStr                  CERTDistNames;
 typedef struct CERTGeneralNameStr                CERTGeneralName;
 typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
 typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
 typedef struct CERTNameStr                       CERTName;
 typedef struct CERTNameConstraintStr             CERTNameConstraint;
 typedef struct CERTNameConstraintsStr            CERTNameConstraints;
 typedef struct CERTOKDomainNameStr               CERTOKDomainName;
 typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
 typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
 typedef struct CERTRDNStr                        CERTRDN;
 typedef struct CERTSignedCrlStr                  CERTSignedCrl;
 typedef struct CERTSignedDataStr                 CERTSignedData;
 typedef struct CERTStatusConfigStr               CERTStatusConfig;
 typedef struct CERTSubjectListStr                CERTSubjectList;
 typedef struct CERTSubjectNodeStr                CERTSubjectNode;
 typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
 typedef struct CERTValidityStr                   CERTValidity;
 typedef struct CERTVerifyLogStr                  CERTVerifyLog;
 typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
 typedef struct CRLDistributionPointStr           CRLDistributionPoint;
 /* CRL extensions type */
 typedef unsigned long CERTCrlNumber;
 /*
 ** An X.500 AVA object
 */
 struct CERTAVAStr {
     SECItem type;
     SECItem value;
 };
 /*
 ** An X.500 RDN object
 */
 struct CERTRDNStr {
     CERTAVA **avas;
 };
 /*
 ** An X.500 name object
 */
 struct CERTNameStr {
     PLArenaPool *arena;
     CERTRDN **rdns;
 };
 /*
 ** An X.509 validity object
 */
 struct CERTValidityStr {
     PLArenaPool *arena;
     SECItem notBefore;
     SECItem notAfter;
 };
 /*
  * A serial number and issuer name, which is used as a database key
  */
 struct CERTCertKeyStr {
     SECItem serialNumber;
     SECItem derIssuer;
 };
 /*
 ** A signed data object. Used to implement the "signed" macro used
 ** in the X.500 specs.
 */
 struct CERTSignedDataStr {
     SECItem data;
     SECAlgorithmID signatureAlgorithm;
     SECItem signature;
 };
 /*
 ** An X.509 subject-public-key-info object
 */
 struct CERTSubjectPublicKeyInfoStr {
     PLArenaPool *arena;
     SECAlgorithmID algorithm;
     SECItem subjectPublicKey;
 };
 struct CERTPublicKeyAndChallengeStr {
     SECItem spki;
     SECItem challenge;
 };
 struct CERTCertTrustStr {
     unsigned int sslFlags;
     unsigned int emailFlags;
     unsigned int objectSigningFlags;
 };
 /*
  * defined the types of trust that exist
  */
 typedef enum SECTrustTypeEnum {
     trustSSL = 0,
     trustEmail = 1,
     trustObjectSigning = 2,
     trustTypeNone = 3
 } SECTrustType;
 #define SEC_GET_TRUST_FLAGS(trust,type) \
         (((type)==trustSSL)?((trust)->sslFlags): \
 	 (((type)==trustEmail)?((trust)->emailFlags): \
 	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
 /*
 ** An X.509.3 certificate extension
 */
 struct CERTCertExtensionStr {
     SECItem id;
     SECItem critical;
     SECItem value;
 };
 struct CERTSubjectNodeStr {
     struct CERTSubjectNodeStr *next;
     struct CERTSubjectNodeStr *prev;
     SECItem certKey;
     SECItem keyID;
 };
 struct CERTSubjectListStr {
     PLArenaPool *arena;
     int ncerts;
     char *emailAddr;
     CERTSubjectNode *head;
     CERTSubjectNode *tail; /* do we need tail? */
     void *entry;
 };
 /*
 ** An X.509 certificate object (the unsigned form)
 */
 struct CERTCertificateStr {
     /* the arena is used to allocate any data structures that have the same
      * lifetime as the cert.  This is all stuff that hangs off of the cert
      * structure, and is all freed at the same time.  I is used when the
      * cert is decoded, destroyed, and at some times when it changes
      * state
      */
     PLArenaPool *arena;
     /* The following fields are static after the cert has been decoded */
     char *subjectName;
     char *issuerName;
     CERTSignedData signatureWrap;	/* XXX */
     SECItem derCert;			/* original DER for the cert */
     SECItem derIssuer;			/* DER for issuer name */
     SECItem derSubject;			/* DER for subject name */
     SECItem derPublicKey;		/* DER for the public key */
     SECItem certKey;			/* database key for this cert */
     SECItem version;
     SECItem serialNumber;
     SECAlgorithmID signature;
     CERTName issuer;
     CERTValidity validity;
     CERTName subject;
     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
     SECItem issuerID;
     SECItem subjectID;
     CERTCertExtension **extensions;
     char *emailAddr;
     CERTCertDBHandle *dbhandle;
     SECItem subjectKeyID;	/* x509v3 subject key identifier */
     PRBool keyIDGenerated;	/* was the keyid generated? */
     unsigned int keyUsage;	/* what uses are allowed for this cert */
     unsigned int rawKeyUsage;	/* value of the key usage extension */
     PRBool keyUsagePresent;	/* was the key usage extension present */
     PRUint32 nsCertType;	/* value of the ns cert type extension */
 				/* must be 32-bit for PR_ATOMIC_SET */
     /* these values can be set by the application to bypass certain checks
      * or to keep the cert in memory for an entire session.
      * XXX - need an api to set these
      */
     PRBool keepSession;			/* keep this cert for entire session*/
     PRBool timeOK;			/* is the bad validity time ok? */
     CERTOKDomainName *domainOK;		/* these domain names are ok */
     /*
      * these values can change when the cert changes state.  These state
      * changes include transitions from temp to perm or vice-versa, and
      * changes of trust flags
      */
     PRBool isperm;
     PRBool istemp;
     char *nickname;
     char *dbnickname;
     struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
     CERTCertTrust *trust;
     /* the reference count is modified whenever someone looks up, dups
      * or destroys a certificate
      */
     int referenceCount;
     /* The subject list is a list of all certs with the same subject name.
      * It can be modified any time a cert is added or deleted from either
      * the in-memory(temporary) or on-disk(permanent) database.
      */
     CERTSubjectList *subjectList;
     /* these belong in the static section, but are here to maintain
      * the structure's integrity
      */
     CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
     PRBool isRoot;              /* cert is the end of a chain */
     /* these fields are used by client GUI code to keep track of ssl sockets
      * that are blocked waiting on GUI feedback related to this cert.
      * XXX - these should be moved into some sort of application specific
      *       data structure.  They are only used by the browser right now.
      */
     union {
         void* apointer; /* was struct SECSocketNode* authsocketlist */
         struct {
             unsigned int hasUnsupportedCriticalExt :1;
             /* add any new option bits needed here */
         } bits;
     } options;
     int series; /* was int authsocketcount; record the series of the pkcs11ID */
     /* This is PKCS #11 stuff. */
     PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
     CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
     PRBool ownSlot;		/*true if the cert owns the slot reference */
 };
 #define SEC_CERTIFICATE_VERSION_1		0	/* default created */
 #define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
 #define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
 #define SEC_CRL_VERSION_1		0	/* default */
 #define SEC_CRL_VERSION_2		1	/* v2 extensions */
 /*
  * used to identify class of cert in mime stream code
  */
 #define SEC_CERT_CLASS_CA	1
 #define SEC_CERT_CLASS_SERVER	2
 #define SEC_CERT_CLASS_USER	3
 #define SEC_CERT_CLASS_EMAIL	4
 struct CERTDERCertsStr {
     PLArenaPool *arena;
     int numcerts;
     SECItem *rawCerts;
 };
 /*
 ** A PKCS ? Attribute
 ** XXX this is duplicated through out the code, it *should* be moved
 ** to a central location.  Where would be appropriate?
 */
 struct CERTAttributeStr {
     SECItem attrType;
     SECItem **attrValue;
 };
 /*
 ** A PKCS#10 certificate-request object (the unsigned form)
 */
 struct CERTCertificateRequestStr {
     PLArenaPool *arena;
     SECItem version;
     CERTName subject;
     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
     CERTAttribute **attributes;
 };
 #define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
 /*
 ** A certificate list object.
 */
 struct CERTCertificateListStr {
     SECItem *certs;
     int len;					/* number of certs */
     PLArenaPool *arena;
 };
 struct CERTCertListNodeStr {
     PRCList links;
     CERTCertificate *cert;
     void *appData;
 };
 struct CERTCertListStr {
     PRCList list;
     PLArenaPool *arena;
 };
 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
 #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
 struct CERTCrlEntryStr {
     SECItem serialNumber;
     SECItem revocationDate;
     CERTCertExtension **extensions;
 };
 struct CERTCrlStr {
     PLArenaPool *arena;
     SECItem version;
     SECAlgorithmID signatureAlg;
     SECItem derName;
     CERTName name;
     SECItem lastUpdate;
     SECItem nextUpdate;				/* optional for x.509 CRL  */
     CERTCrlEntry **entries;
     CERTCertExtension **extensions;
     /* can't add anything there for binary backwards compatibility reasons */
 };
 struct CERTCrlKeyStr {
     SECItem derName;
     SECItem dummy;			/* The decoder can not skip a primitive,
 					   this serves as a place holder for the
 					   decoder to finish its task only
 					*/
 };
 struct CERTSignedCrlStr {
     PLArenaPool *arena;
     CERTCrl crl;
     void *reserved1;
     PRBool reserved2;
     PRBool isperm;
     PRBool istemp;
     int referenceCount;
     CERTCertDBHandle *dbhandle;
     CERTSignedData signatureWrap;	/* XXX */
     char *url;
     SECItem *derCrl;
     PK11SlotInfo *slot;
     CK_OBJECT_HANDLE pkcs11ID;
     void* opaque; /* do not touch */
 };
 struct CERTCrlHeadNodeStr {
     PLArenaPool *arena;
     CERTCertDBHandle *dbhandle;
     CERTCrlNode *first;
     CERTCrlNode *last;
 };
 struct CERTCrlNodeStr {
     CERTCrlNode *next;
     int 	type;
     CERTSignedCrl *crl;
 };
 /*
  * Array of X.500 Distinguished Names
  */
 struct CERTDistNamesStr {
     PLArenaPool *arena;
     int nnames;
     SECItem  *names;
     void *head; /* private */
 };
 #define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
 #define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
 #define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
 #define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
 #define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
 #define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
 #define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
 #define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
 #define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
 #define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
 #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
 			  NS_CERT_TYPE_SSL_SERVER | \
 			  NS_CERT_TYPE_EMAIL | \
 			  NS_CERT_TYPE_OBJECT_SIGNING )
 #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
 			 NS_CERT_TYPE_EMAIL_CA | \
 			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
 			 EXT_KEY_USAGE_STATUS_RESPONDER )
 typedef enum SECCertUsageEnum {
     certUsageSSLClient = 0,
     certUsageSSLServer = 1,
     certUsageSSLServerWithStepUp = 2,
     certUsageSSLCA = 3,
     certUsageEmailSigner = 4,
     certUsageEmailRecipient = 5,
     certUsageObjectSigner = 6,
     certUsageUserCertImport = 7,
     certUsageVerifyCA = 8,
     certUsageProtectedObjectSigner = 9,
     certUsageStatusResponder = 10,
     certUsageAnyCA = 11
 } SECCertUsage;
 typedef PRInt64 SECCertificateUsage;
 #define certificateUsageCheckAllUsages         (0x0000)
 #define certificateUsageSSLClient              (0x0001)
 #define certificateUsageSSLServer              (0x0002)
 #define certificateUsageSSLServerWithStepUp    (0x0004)
 #define certificateUsageSSLCA                  (0x0008)
 #define certificateUsageEmailSigner            (0x0010)
 #define certificateUsageEmailRecipient         (0x0020)
 #define certificateUsageObjectSigner           (0x0040)
 #define certificateUsageUserCertImport         (0x0080)
 #define certificateUsageVerifyCA               (0x0100)
 #define certificateUsageProtectedObjectSigner  (0x0200)
 #define certificateUsageStatusResponder        (0x0400)
 #define certificateUsageAnyCA                  (0x0800)
 #define certificateUsageHighest certificateUsageAnyCA
 /*
  * Does the cert belong to the user, a peer, or a CA.
  */
 typedef enum CERTCertOwnerEnum {
     certOwnerUser = 0,
     certOwnerPeer = 1,
     certOwnerCA = 2
 } CERTCertOwner;
 /*
  * This enum represents the state of validity times of a certificate
  */
 typedef enum SECCertTimeValidityEnum {
     secCertTimeValid = 0,
     secCertTimeExpired = 1,
     secCertTimeNotValidYet = 2,
     secCertTimeUndetermined = 3 /* validity could not be decoded from the
                                    cert, most likely because it was NULL */
 } SECCertTimeValidity;
 /*
  * This is used as return status in functions that compare the validity
  * periods of two certificates A and B, currently only
  * CERT_CompareValidityTimes.
  */
 typedef enum CERTCompareValidityStatusEnum
 {
     certValidityUndetermined = 0, /* the function is unable to select one cert
                                      over another */
     certValidityChooseB = 1,      /* cert B should be preferred */
     certValidityEqual = 2,        /* both certs have the same validity period */
     certValidityChooseA = 3       /* cert A should be preferred */
 } CERTCompareValidityStatus;
 /*
  * Interface for getting certificate nickname strings out of the database
  */
 /* these are values for the what argument below */
 #define SEC_CERT_NICKNAMES_ALL		1
 #define SEC_CERT_NICKNAMES_USER		2
 #define SEC_CERT_NICKNAMES_SERVER	3
 #define SEC_CERT_NICKNAMES_CA		4
 struct CERTCertNicknamesStr {
     PLArenaPool *arena;
     void *head;
     int numnicknames;
     char **nicknames;
     int what;
     int totallen;
 };
 struct CERTIssuerAndSNStr {
     SECItem derIssuer;
     CERTName issuer;
     SECItem serialNumber;
 };
 /* X.509 v3 Key Usage Extension flags */
 #define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
 #define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
 #define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
 #define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
 #define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
 #define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
 #define KU_CRL_SIGN			(0x02)  /* bit 6 */
 #define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
 #define KU_ALL				(KU_DIGITAL_SIGNATURE | \
 					 KU_NON_REPUDIATION | \
 					 KU_KEY_ENCIPHERMENT | \
 					 KU_DATA_ENCIPHERMENT | \
 					 KU_KEY_AGREEMENT | \
 					 KU_KEY_CERT_SIGN | \
 					 KU_CRL_SIGN | \
 					 KU_ENCIPHER_ONLY)
 /* This value will not occur in certs.  It is used internally for the case
  * when either digital signature or non-repudiation is the correct value.
  */
 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
 /* This value will not occur in certs.  It is used internally for the case
  * when the key type is not know ahead of time and either key agreement or
  * key encipherment are the correct value based on key type
  */
 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
 /* internal bits that do not match bits in the x509v3 spec, but are used
  * for similar purposes
  */
 #define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
 /*
  * x.509 v3 Basic Constraints Extension
  * If isCA is false, the pathLenConstraint is ignored.
  * Otherwise, the following pathLenConstraint values will apply:
  *	< 0 - there is no limit to the certificate path
  *	0   - CA can issues end-entity certificates only
  *	> 0 - the number of certificates in the certificate path is
  *	      limited to this number
  */
 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
 struct CERTBasicConstraintsStr {
     PRBool isCA;			/* on if is CA */
     int pathLenConstraint;		/* maximum number of certificates that can be
 					   in the cert path.  Only applies to a CA
 					   certificate; otherwise, it's ignored.
 					 */
 };
 /* Maximum length of a certificate chain */
 #define CERT_MAX_CERT_CHAIN 20
 #define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
 #define CERT_MAX_DN_BYTES             4096  /* arbitrary */
 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
 #define RF_UNUSED			(0x80)	/* bit 0 */
 #define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
 #define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
 #define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
 #define RF_SUPERSEDED			(0x08)  /* bit 4 */
 #define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
 #define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
 /* enum for CRL Entry Reason Code */
 typedef enum CERTCRLEntryReasonCodeEnum {
     crlEntryReasonUnspecified = 0,
     crlEntryReasonKeyCompromise = 1,
     crlEntryReasonCaCompromise = 2,
     crlEntryReasonAffiliationChanged = 3,
     crlEntryReasonSuperseded = 4,
     crlEntryReasonCessationOfOperation = 5,
     crlEntryReasoncertificatedHold = 6,
     crlEntryReasonRemoveFromCRL = 8,
     crlEntryReasonPrivilegeWithdrawn = 9,
     crlEntryReasonAaCompromise = 10
 } CERTCRLEntryReasonCode;
 /* If we needed to extract the general name field, use this */
 /* General Name types */
 typedef enum CERTGeneralNameTypeEnum {
     certOtherName = 1,
     certRFC822Name = 2,
     certDNSName = 3,
     certX400Address = 4,
     certDirectoryName = 5,
     certEDIPartyName = 6,
     certURI = 7,
     certIPAddress = 8,
     certRegisterID = 9
 } CERTGeneralNameType;
 typedef struct OtherNameStr {
     SECItem          name;
     SECItem          oid;
 }OtherName;
 struct CERTGeneralNameStr {
     CERTGeneralNameType type;		/* name type */
     union {
 	CERTName directoryName;         /* distinguish name */
 	OtherName  OthName;		/* Other Name */
 	SECItem other;                  /* the rest of the name forms */
     }name;
     SECItem derDirectoryName;		/* this is saved to simplify directory name
 					   comparison */
     PRCList l;
 };
 struct CERTGeneralNameListStr {
     PLArenaPool *arena;
     CERTGeneralName *name;
     int refCount;
     int len;
     PZLock *lock;
 };
 struct CERTNameConstraintStr {
     CERTGeneralName  name;
     SECItem          DERName;
     SECItem          min;
     SECItem          max;
     PRCList          l;
 };
 struct CERTNameConstraintsStr {
     CERTNameConstraint  *permited;
     CERTNameConstraint  *excluded;
     SECItem             **DERPermited;
     SECItem             **DERExcluded;
 };
 /* Private Key Usage Period extension struct. */
 struct CERTPrivKeyUsagePeriodStr {
     SECItem notBefore;
     SECItem notAfter;
     PLArenaPool *arena;
 };
 /* X.509 v3 Authority Key Identifier extension.  For the authority certificate
    issuer field, we only support URI now.
  */
 struct CERTAuthKeyIDStr {
     SECItem keyID;			/* unique key identifier */
     CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
     SECItem authCertSerialNumber;	/* CA's certificate serial number */
     SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
 					   the authCertIssuer field. It is used
 					   by the encoding engine. It should be
 					   used as a read only field by the caller.
 					*/
 };
 /* x.509 v3 CRL Distributeion Point */
 /*
  * defined the types of CRL Distribution points
  */
 typedef enum DistributionPointTypesEnum {
     generalName = 1,			/* only support this for now */
     relativeDistinguishedName = 2
 } DistributionPointTypes;
 struct CRLDistributionPointStr {
     DistributionPointTypes distPointType;
     union {
 	CERTGeneralName *fullName;
 	CERTRDN relativeName;
     } distPoint;
     SECItem reasons;
     CERTGeneralName *crlIssuer;
     /* Reserved for internal use only*/
     SECItem derDistPoint;
     SECItem derRelativeName;
     SECItem **derCrlIssuer;
     SECItem **derFullName;
     SECItem bitsmap;
 };
 struct CERTCrlDistributionPointsStr {
     CRLDistributionPoint **distPoints;
 };
 /*
  * This structure is used to keep a log of errors when verifying
  * a cert chain.  This allows multiple errors to be reported all at
  * once.
  */
 struct CERTVerifyLogNodeStr {
     CERTCertificate *cert;	/* what cert had the error */
     long error;			/* what error was it? */
     unsigned int depth;		/* how far up the chain are we */
     void *arg;			/* error specific argument */
     struct CERTVerifyLogNodeStr *next; /* next in the list */
     struct CERTVerifyLogNodeStr *prev; /* next in the list */
 };
 struct CERTVerifyLogStr {
     PLArenaPool *arena;
     unsigned int count;
     struct CERTVerifyLogNodeStr *head;
     struct CERTVerifyLogNodeStr *tail;
 };
 struct CERTOKDomainNameStr {
     CERTOKDomainName *next;
     char              name[1]; /* actual length may be longer. */
 };
 typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
 						    CERTCertificate *cert,
 						    PRTime time,
 						    void *pwArg);
 typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
 struct CERTStatusConfigStr {
     CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
     CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
     void *statusContext;		/* cx specific to checking protocol */
 };
 struct CERTAuthInfoAccessStr {
     SECItem method;
     SECItem derLocation;
     CERTGeneralName *location;		/* decoded location */
 };
 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
 /* callback to return database name based on version number */
 typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
 /*
  * types of cert packages that we can decode
  */
 typedef enum CERTPackageTypeEnum {
     certPackageNone = 0,
     certPackageCert = 1,
     certPackagePKCS7 = 2,
     certPackageNSCertSeq = 3,
     certPackageNSCertWrap = 4
 } CERTPackageType;
 /*
  * these types are for the PKIX Certificate Policies extension
  */
 typedef struct {
     SECOidTag oid;
     SECItem qualifierID;
     SECItem qualifierValue;
 } CERTPolicyQualifier;
 typedef struct {
     SECOidTag oid;
     SECItem policyID;
     CERTPolicyQualifier **policyQualifiers;
 } CERTPolicyInfo;
 typedef struct {
     PLArenaPool *arena;
     CERTPolicyInfo **policyInfos;
 } CERTCertificatePolicies;
 typedef struct {
     SECItem organization;
     SECItem **noticeNumbers;
 } CERTNoticeReference;
 typedef struct {
     PLArenaPool *arena;
     CERTNoticeReference noticeReference;
     SECItem derNoticeReference;
     SECItem displayText;
 } CERTUserNotice;
 typedef struct {
     PLArenaPool *arena;
     SECItem **oids;
 } CERTOidSequence;
 /*
  * these types are for the PKIX Policy Mappings extension
  */
 typedef struct {
     SECItem issuerDomainPolicy;
     SECItem subjectDomainPolicy;
 } CERTPolicyMap;
 typedef struct {
     PLArenaPool *arena;
     CERTPolicyMap **policyMaps;
 } CERTCertificatePolicyMappings;
 /*
  * these types are for the PKIX inhibitAnyPolicy extension
  */
 typedef struct {
     SECItem inhibitAnySkipCerts;
 } CERTCertificateInhibitAny;
 /*
  * these types are for the PKIX Policy Constraints extension
  */
 typedef struct {
     SECItem explicitPolicySkipCerts;
     SECItem inhibitMappingSkipCerts;
 } CERTCertificatePolicyConstraints;
 /*
  * These types are for the validate chain callback param.
  *
  * CERTChainVerifyCallback is an application-supplied callback that can be used
  * to augment libpkix's certificate chain validation with additional
  * application-specific checks. It may be called multiple times if there are
  * multiple potentially-valid paths for the certificate being validated. This
  * callback is called before revocation checking is done on the certificates in
  * the given chain.
  *
  * - isValidChainArg contains the application-provided opaque argument
  * - currentChain is the currently validated chain. It is ordered with the leaf
  *   certificate at the head and the trust anchor at the tail.
  *
  * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
  * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
  * return SECSuccess if the chain is unacceptable, to indicate that the given
  * chain is bad and path building should continue. It should return SECFailure
  * to indicate an fatal error that will cause path validation to fail
  * immediately.
  */
 typedef SECStatus (*CERTChainVerifyCallbackFunc)
                                              (void *isChainValidArg,
                                               const CERTCertList *currentChain,
                                               PRBool *chainOK);
 /*
  * Note: If extending this structure, it will be necessary to change the
  * associated CERTValParamInType
  */
 typedef struct {
     CERTChainVerifyCallbackFunc isChainValid;
     void *isChainValidArg;
 } CERTChainVerifyCallback;
 /*
  * these types are for the CERT_PKIX* Verification functions
  * These are all optional parameters.
  */
 typedef enum {
    cert_pi_end             = 0, /* SPECIAL: signifies end of array of
 				 * CERTValParam* */
    cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
 			         * resume a session. If this argument is
 				 * specified, no other arguments should be.
 				 * Specified in value.pointer.p. If the
 				 * operation completes the context will be
 				 * freed. */
    cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an
 				 * existing operation which the caller wants
 			         * to abort. If this argument is
 				 * specified, no other arguments should be.
 				 * Specified in value.pointer.p. If the
 			         * operation succeeds the context will be
 				 * freed. */
    cert_pi_certList        = 3, /* specify the chain to validate against. If
 				 * this value is given, then the path
 				 * construction step in the validation is
 				 * skipped. Specified in value.pointer.chain */
    cert_pi_policyOID       = 4, /* validate certificate for policy OID.
 				 * Specified in value.array.oids. Cert must
 				 * be good for at least one OID in order
 				 * to validate. Default is that the user is not
 				 * concerned about certificate policy. */
    cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
 				 * Specified in value.scalar.ul. Policy flags
 				 * apply to all specified oids.
 				 * Use CERT_POLICY_FLAG_* macros below. If not
 				 * specified policy flags default to 0 */
    cert_pi_keyusage        = 6, /* specify what the keyusages the certificate
 				 * will be evaluated against, specified in
 				 * value.scalar.ui. The cert must validate for
 				 * at least one of the specified key usages.
 				 * Values match the KU_  bit flags defined
 				 * in this file. Default is derived from
 				 * the 'usages' function argument */
    cert_pi_extendedKeyusage= 7, /* specify what the required extended key
 				 * usage of the certificate. Specified as
 				 * an array of oidTags in value.array.oids.
 				 * The cert must validate for at least one
 				 * of the specified extended key usages.
 				 * If not specified, no extended key usages
 				 * will be checked. */
    cert_pi_date            = 8, /* validate certificate is valid as of date
 				 * specified in value.scalar.time. A special
 				 * value '0' indicates 'now'. default is '0' */
    cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
 				 * See CERT_REV_FLAG_* macros below
 				 * Set in value.pointer.revocation */
    cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
 				 * Set in value.scalar.ui */
    cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to
 				 * validate against.
 				 * The default set of trusted roots, these are
 				 * root CA certs from libnssckbi.so or CA
 				 * certs trusted by user, are used in any of
 				 * the following cases:
 				 *      * when the parameter is not set.
 				 *      * when the list of trust anchors is empty.
 				 * Note that this handling can be further altered by altering the
 				 * cert_pi_useOnlyTrustAnchors flag
 				 * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
 				 * In NSS 3.12.1 or later. Default is off.
 				 * Value is in value.scalar.b */
    cert_pi_chainVerifyCallback = 13,
                                 /* The callback container for doing extra
                                  * validation on the currently calculated chain.
                                  * Value is in value.pointer.chainVerifyCallback */
    cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
 				 * certificates other than the ones passed in via cert_pi_trustAnchors.
 				 * If false, then the certificates specified via cert_pi_trustAnchors
 				 * will be combined with the pre-existing trusted roots, but only for
 				 * the certificate validation being performed.
 				 * If no value has been supplied via cert_pi_trustAnchors, this has no
 				 * effect.
 				 * The default value is true, meaning if this is not supplied, only
 				 * trust anchors supplied via cert_pi_trustAnchors are trusted.
 				 * Specified in value.scalar.b */
    cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
 				 *  can increase in future releases */
 } CERTValParamInType;
 /*
  * for all out parameters:
  *  out parameters are only returned if the caller asks for them in
  *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
  *  array itself. The pkix verify function will allocate and other arrays
  *  pointers, or objects. The Caller is responsible for freeing those results.
  * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
  */
 typedef enum {
    cert_po_end             = 0, /* SPECIAL: signifies end of array of
 				 * CERTValParam* */
    cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
 				 * non-blocking context is specified, then
 				 * blocking IO will be used.
 				 * Returned in value.pointer.p. The context is
 				 * freed after an abort or a complete operation.
 				 * This value is only returned on SECWouldBlock.
 				 */
    cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
 				 * was validated. Returned in
 				 * value.pointer.cert, this value is only
 				 * returned on SECSuccess. */
    cert_po_certList        = 3, /* Return the entire chain that was validated.
 				 * Returned in value.pointer.certList. If no
 				 * chain could be constructed, this value
 				 * would be NULL. */
    cert_po_policyOID       = 4, /* Return the policies that were found to be
 				 * valid. Returned in value.array.oids as an
 				 * array. This is only returned on
 				 * SECSuccess. */
    cert_po_errorLog        = 5, /* Return a log of problems with the chain.
 				 * Returned in value.pointer.log  */
    cert_po_usages          = 6, /* Return what usages the certificate is valid
 				   for. Returned in value.scalar.usages */
    cert_po_keyUsage        = 7, /* Return what key usages the certificate
 				 * is valid for.
 				 * Returned in value.scalar.usage */
    cert_po_extendedKeyusage= 8, /* Return what extended key usages the
 				 * certificate is valid for.
 				 * Returned in value.array.oids */
    cert_po_max                  /* SPECIAL: signifies maximum allowed value,
 				 *  can increase in future releases */
 } CERTValParamOutType;
 typedef enum {
     cert_revocation_method_crl = 0,
     cert_revocation_method_ocsp,
     cert_revocation_method_count
 } CERTRevocationMethodIndex;
 /*
  * The following flags are supposed to be used to control bits in
  * each integer contained in the array pointed to be:
  *     CERTRevocationTests.cert_rev_flags_per_method
  * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
  * this is a method dependent flag.
  */
 /*
  * Whether or not to use a method for revocation testing.
  * If set to "do not test", then all other flags are ignored.
  */
 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0UL
 #define CERT_REV_M_TEST_USING_THIS_METHOD            1UL
 /*
  * Whether or not NSS is allowed to attempt to fetch fresh information
  *         from the network.
  * (Although fetching will never happen if fresh information for the
  *           method is already locally available.)
  */
 #define CERT_REV_M_ALLOW_NETWORK_FETCHING            0UL
 #define CERT_REV_M_FORBID_NETWORK_FETCHING           2UL
 /*
  * Example for an implicit default source:
  *         The globally configured default OCSP responder.
  * IGNORE means:
  *        ignore the implicit default source, whether it's configured or not.
  * ALLOW means:
  *       if an implicit default source is configured,
  *          then it overrides any available or missing source in the cert.
  *       if no implicit default source is configured,
  *          then we continue to use what's available (or not available)
  *          in the certs.
  */
 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0UL
 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4UL
 /*
  * Defines the behavior if no fresh information is available,
  *   fetching from the network is allowed, but the source of revocation
  *   information is unknown (even after considering implicit sources,
  *   if allowed by other flags).
  * SKIPT_TEST means:
  *          We ignore that no fresh information is available and
  *          skip this test.
  * REQUIRE_INFO means:
  *          We still require that fresh information is available.
  *          Other flags define what happens on missing fresh info.
  */
 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0UL
 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8UL
 /*
  * Defines the behavior if we are unable to obtain fresh information.
  * INGORE means:
  *      Return "cert status unknown"
  * FAIL means:
  *      Return "cert revoked".
  */
 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0UL
 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16UL
 /*
  * What should happen if we were able to find fresh information using
  * this method, and the data indicated the cert is good?
  * STOP_TESTING means:
  *              Our success is sufficient, do not continue testing
  *              other methods.
  * CONTINUE_TESTING means:
  *                  We will continue and test the next allowed
  *                  specified method.
  */
 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0UL
 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32UL
 /* When this flag is used, libpkix will never attempt to use the GET HTTP
  * method for OCSP requests; it will always use POST.
  */
 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
 /*
  * The following flags are supposed to be used to control bits in
  *     CERTRevocationTests.cert_rev_method_independent_flags
  * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
  * this is a method independent flag.
  */
 /*
  * This defines the order to checking.
  * EACH_METHOD_SEPARATELY means:
  *      Do all tests related to a particular allowed method
  *      (both local information and network fetching) in a single step.
  *      Only after testing for a particular method is done,
  *      then switching to the next method will happen.
  * ALL_LOCAL_INFORMATION_FIRST means:
  *      Start by testing the information for all allowed methods
  *      which are already locally available. Only after that is done
  *      consider to fetch from the network (as allowed by other flags).
  */
 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0UL
 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1UL
 /*
  * Use this flag to specify that it's necessary that fresh information
  * is available for at least one of the allowed methods, but it's
  * irrelevant which of the mechanisms succeeded.
  * NO_OVERALL_INFO_REQUIREMENT means:
  *     We strictly follow the requirements for each individual method.
  * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
  *     After the individual tests have been executed, we must have
  *     been able to find fresh information using at least one method.
  *     If we were unable to find fresh info, it's a failure.
  *     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
  *     flag on all methods.
  */
 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0UL
 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
 typedef struct {
     /*
      * The size of the array that cert_rev_flags_per_method points to,
      * meaning, the number of methods that are known and defined
      * by the caller.
      */
     PRUint32 number_of_defined_methods;
     /*
      * A pointer to an array of integers.
      * Each integer defines revocation checking for a single method,
      *      by having individual CERT_REV_M_* bits set or not set.
      * The meaning of index numbers into this array are defined by
      *     enum CERTRevocationMethodIndex
      * The size of the array must be specified by the caller in the separate
      *     variable number_of_defined_methods.
      * The size of the array may be smaller than
      *     cert_revocation_method_count, it can happen if a caller
      *     is not yet aware of the latest revocation methods
      *     (or does not want to use them).
      */
     PRUint64 *cert_rev_flags_per_method;
     /*
      * How many preferred methods are specified?
      * This is equivalent to the size of the array that
      *      preferred_revocation_methods points to.
      * It's allowed to set this value to zero,
      *      then NSS will decide which methods to prefer.
      */
     PRUint32 number_of_preferred_methods;
     /* Array that may specify an optional order of preferred methods.
      * Each array entry shall contain a method identifier as defined
      *   by CERTRevocationMethodIndex.
      * The entry at index [0] specifies the method with highest preferrence.
      * These methods will be tested first for locally available information.
      * Methods allowed for downloading will be attempted in the same order.
      */
     CERTRevocationMethodIndex *preferred_methods;
     /*
      * An integer which defines certain aspects of revocation checking
      * (independent of individual methods) by having individual
      * CERT_REV_MI_* bits set or not set.
      */
     PRUint64 cert_rev_method_independent_flags;
 } CERTRevocationTests;
 typedef struct {
     CERTRevocationTests leafTests;
     CERTRevocationTests chainTests;
 } CERTRevocationFlags;
 typedef struct CERTValParamInValueStr {
     union {
         PRBool   b;
         PRInt32  i;
         PRUint32 ui;
         PRInt64  l;
         PRUint64 ul;
         PRTime time;
     } scalar;
     union {
         const void*    p;
         const char*    s;
         const CERTCertificate* cert;
         const CERTCertList *chain;
         const CERTRevocationFlags *revocation;
         const CERTChainVerifyCallback *chainVerifyCallback;
     } pointer;
     union {
         const PRInt32  *pi;
         const PRUint32 *pui;
         const PRInt64  *pl;
         const PRUint64 *pul;
         const SECOidTag *oids;
     } array;
     int arraySize;
 } CERTValParamInValue;
 typedef struct CERTValParamOutValueStr {
     union {
         PRBool   b;
         PRInt32  i;
         PRUint32 ui;
         PRInt64  l;
         PRUint64 ul;
         SECCertificateUsage usages;
     } scalar;
     union {
         void*    p;
         char*    s;
         CERTVerifyLog *log;
         CERTCertificate* cert;
         CERTCertList *chain;
     } pointer;
     union {
         void 	  *p;
         SECOidTag *oids;
     } array;
     int arraySize;
 } CERTValParamOutValue;
 typedef struct {
     CERTValParamInType type;
     CERTValParamInValue value;
 } CERTValInParam;
 typedef struct {
     CERTValParamOutType type;
     CERTValParamOutValue value;
 } CERTValOutParam;
 /*
  * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
  */
 typedef enum CertStrictnessLevels {
     CERT_N2A_READABLE   =  0, /* maximum human readability */
     CERT_N2A_STRICT     = 10, /* strict RFC compliance    */
     CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
                                  all DirectoryStrings encoded in hex */
 } CertStrictnessLevel;
 /*
  * policy flag defines
  */
 #define CERT_POLICY_FLAG_NO_MAPPING    1
 #define CERT_POLICY_FLAG_EXPLICIT      2
 #define CERT_POLICY_FLAG_NO_ANY        4
 /*
  * CertStore flags
  */
 #define CERT_ENABLE_LDAP_FETCH          1
 #define CERT_ENABLE_HTTP_FETCH          2
 /* This functin pointer type may be used for any function that takes
  * a CERTCertificate * and returns an allocated string, which must be
  * freed by a call to PORT_Free.
  */
 typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
 #include "secasn1t.h"	/* way down here because I expect template stuff to
 			 * move out of here anyway */
 SEC_BEGIN_PROTOS
 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
 extern const SEC_ASN1Template CERT_CertificateTemplate[];
 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
 extern const SEC_ASN1Template CERT_ValidityTemplate[];
 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
 extern const SEC_ASN1Template CERT_NameTemplate[];
 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
 extern const SEC_ASN1Template CERT_RDNTemplate[];
 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
 extern const SEC_ASN1Template CERT_CrlTemplate[];
 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
 /*
 ** XXX should the attribute stuff be centralized for all of ns/security?
 */
 extern const SEC_ASN1Template CERT_AttributeTemplate[];
 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
 /* These functions simply return the address of the above-declared templates.
 ** This is necessary for Windows DLLs.  Sigh.
 */
 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
 SEC_END_PROTOS
 #endif /* _CERTT_H_ */

The Tor Browser / annotate

security/nss/lib/certdb/certt.h@b8a032363ba2 (annotated)

security/nss/lib/certdb/certt.h