The Tor Browser: comparison security/nss/lib/certdb/certt.h

--1:000000000000
+:e67f0b05e997
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+* certt.h - public data structures for the certificate library
+*/
+#ifndef _CERTT_H_
+#define _CERTT_H_
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+/* Stan data types */
+struct NSSCertificateStr;
+struct NSSTrustDomainStr;
+/* Non-opaque objects */
+typedef struct CERTAVAStr                        CERTAVA;
+typedef struct CERTAttributeStr                  CERTAttribute;
+typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
+typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
+typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
+typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
+typedef struct CERTCertExtensionStr              CERTCertExtension;
+typedef struct CERTCertKeyStr                    CERTCertKey;
+typedef struct CERTCertListStr                   CERTCertList;
+typedef struct CERTCertListNodeStr               CERTCertListNode;
+typedef struct CERTCertNicknamesStr              CERTCertNicknames;
+typedef struct CERTCertTrustStr                  CERTCertTrust;
+typedef struct CERTCertificateStr                CERTCertificate;
+typedef struct CERTCertificateListStr            CERTCertificateList;
+typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
+typedef struct CERTCrlStr                        CERTCrl;
+typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints;
+typedef struct CERTCrlEntryStr                   CERTCrlEntry;
+typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
+typedef struct CERTCrlKeyStr                     CERTCrlKey;
+typedef struct CERTCrlNodeStr                    CERTCrlNode;
+typedef struct CERTDERCertsStr                   CERTDERCerts;
+typedef struct CERTDistNamesStr                  CERTDistNames;
+typedef struct CERTGeneralNameStr                CERTGeneralName;
+typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
+typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
+typedef struct CERTNameStr                       CERTName;
+typedef struct CERTNameConstraintStr             CERTNameConstraint;
+typedef struct CERTNameConstraintsStr            CERTNameConstraints;
+typedef struct CERTOKDomainNameStr               CERTOKDomainName;
+typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
+typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
+typedef struct CERTRDNStr                        CERTRDN;
+typedef struct CERTSignedCrlStr                  CERTSignedCrl;
+typedef struct CERTSignedDataStr                 CERTSignedData;
+typedef struct CERTStatusConfigStr               CERTStatusConfig;
+typedef struct CERTSubjectListStr                CERTSubjectList;
+typedef struct CERTSubjectNodeStr                CERTSubjectNode;
+typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
+typedef struct CERTValidityStr                   CERTValidity;
+typedef struct CERTVerifyLogStr                  CERTVerifyLog;
+typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
+typedef struct CRLDistributionPointStr           CRLDistributionPoint;
+/* CRL extensions type */
+typedef unsigned long CERTCrlNumber;
+/*
+** An X.500 AVA object
+*/
+struct CERTAVAStr {
+SECItem type;
+SECItem value;
+};
+/*
+** An X.500 RDN object
+*/
+struct CERTRDNStr {
+CERTAVA **avas;
+};
+/*
+** An X.500 name object
+*/
+struct CERTNameStr {
+PLArenaPool *arena;
+CERTRDN **rdns;
+};
+/*
+** An X.509 validity object
+*/
+struct CERTValidityStr {
+PLArenaPool *arena;
+SECItem notBefore;
+SECItem notAfter;
+};
+/*
+* A serial number and issuer name, which is used as a database key
+*/
+struct CERTCertKeyStr {
+SECItem serialNumber;
+SECItem derIssuer;
+};
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct CERTSignedDataStr {
+SECItem data;
+SECAlgorithmID signatureAlgorithm;
+SECItem signature;
+};
+/*
+** An X.509 subject-public-key-info object
+*/
+struct CERTSubjectPublicKeyInfoStr {
+PLArenaPool *arena;
+SECAlgorithmID algorithm;
+SECItem subjectPublicKey;
+};
+struct CERTPublicKeyAndChallengeStr {
+SECItem spki;
+SECItem challenge;
+};
+struct CERTCertTrustStr {
+unsigned int sslFlags;
+unsigned int emailFlags;
+unsigned int objectSigningFlags;
+};
+/*
+* defined the types of trust that exist
+*/
+typedef enum SECTrustTypeEnum {
+trustSSL = 0,
+trustEmail = 1,
+trustObjectSigning = 2,
+trustTypeNone = 3
+} SECTrustType;
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+(((type)==trustSSL)?((trust)->sslFlags): \
+	 (((type)==trustEmail)?((trust)->emailFlags): \
+	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+/*
+** An X.509.3 certificate extension
+*/
+struct CERTCertExtensionStr {
+SECItem id;
+SECItem critical;
+SECItem value;
+};
+struct CERTSubjectNodeStr {
+struct CERTSubjectNodeStr *next;
+struct CERTSubjectNodeStr *prev;
+SECItem certKey;
+SECItem keyID;
+};
+struct CERTSubjectListStr {
+PLArenaPool *arena;
+int ncerts;
+char *emailAddr;
+CERTSubjectNode *head;
+CERTSubjectNode *tail; /* do we need tail? */
+void *entry;
+};
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct CERTCertificateStr {
+/* the arena is used to allocate any data structures that have the same
+* lifetime as the cert.  This is all stuff that hangs off of the cert
+* structure, and is all freed at the same time.  I is used when the
+* cert is decoded, destroyed, and at some times when it changes
+* state
+*/
+PLArenaPool *arena;
+/* The following fields are static after the cert has been decoded */
+char *subjectName;
+char *issuerName;
+CERTSignedData signatureWrap;	/* XXX */
+SECItem derCert;			/* original DER for the cert */
+SECItem derIssuer;			/* DER for issuer name */
+SECItem derSubject;			/* DER for subject name */
+SECItem derPublicKey;		/* DER for the public key */
+SECItem certKey;			/* database key for this cert */
+SECItem version;
+SECItem serialNumber;
+SECAlgorithmID signature;
+CERTName issuer;
+CERTValidity validity;
+CERTName subject;
+CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+SECItem issuerID;
+SECItem subjectID;
+CERTCertExtension **extensions;
+char *emailAddr;
+CERTCertDBHandle *dbhandle;
+SECItem subjectKeyID;	/* x509v3 subject key identifier */
+PRBool keyIDGenerated;	/* was the keyid generated? */
+unsigned int keyUsage;	/* what uses are allowed for this cert */
+unsigned int rawKeyUsage;	/* value of the key usage extension */
+PRBool keyUsagePresent;	/* was the key usage extension present */
+PRUint32 nsCertType;	/* value of the ns cert type extension */
+				/* must be 32-bit for PR_ATOMIC_SET */
+/* these values can be set by the application to bypass certain checks
+* or to keep the cert in memory for an entire session.
+* XXX - need an api to set these
+*/
+PRBool keepSession;			/* keep this cert for entire session*/
+PRBool timeOK;			/* is the bad validity time ok? */
+CERTOKDomainName *domainOK;		/* these domain names are ok */
+/*
+* these values can change when the cert changes state.  These state
+* changes include transitions from temp to perm or vice-versa, and
+* changes of trust flags
+*/
+PRBool isperm;
+PRBool istemp;
+char *nickname;
+char *dbnickname;
+struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
+CERTCertTrust *trust;
+/* the reference count is modified whenever someone looks up, dups
+* or destroys a certificate
+*/
+int referenceCount;
+/* The subject list is a list of all certs with the same subject name.
+* It can be modified any time a cert is added or deleted from either
+* the in-memory(temporary) or on-disk(permanent) database.
+*/
+CERTSubjectList *subjectList;
+/* these belong in the static section, but are here to maintain
+* the structure's integrity
+*/
+CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
+PRBool isRoot;              /* cert is the end of a chain */
+/* these fields are used by client GUI code to keep track of ssl sockets
+* that are blocked waiting on GUI feedback related to this cert.
+* XXX - these should be moved into some sort of application specific
+*       data structure.  They are only used by the browser right now.
+*/
+union {
+void* apointer; /* was struct SECSocketNode* authsocketlist */
+struct {
+unsigned int hasUnsupportedCriticalExt :1;
+/* add any new option bits needed here */
+} bits;
+} options;
+int series; /* was int authsocketcount; record the series of the pkcs11ID */
+/* This is PKCS #11 stuff. */
+PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
+CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
+PRBool ownSlot;		/*true if the cert owns the slot reference */
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+/*
+* used to identify class of cert in mime stream code
+*/
+#define SEC_CERT_CLASS_CA	1
+#define SEC_CERT_CLASS_SERVER	2
+#define SEC_CERT_CLASS_USER	3
+#define SEC_CERT_CLASS_EMAIL	4
+struct CERTDERCertsStr {
+PLArenaPool *arena;
+int numcerts;
+SECItem *rawCerts;
+};
+/*
+** A PKCS ? Attribute
+** XXX this is duplicated through out the code, it *should* be moved
+** to a central location.  Where would be appropriate?
+*/
+struct CERTAttributeStr {
+SECItem attrType;
+SECItem **attrValue;
+};
+/*
+** A PKCS#10 certificate-request object (the unsigned form)
+*/
+struct CERTCertificateRequestStr {
+PLArenaPool *arena;
+SECItem version;
+CERTName subject;
+CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+CERTAttribute **attributes;
+};
+#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
+/*
+** A certificate list object.
+*/
+struct CERTCertificateListStr {
+SECItem *certs;
+int len;					/* number of certs */
+PLArenaPool *arena;
+};
+struct CERTCertListNodeStr {
+PRCList links;
+CERTCertificate *cert;
+void *appData;
+};
+struct CERTCertListStr {
+PRCList list;
+PLArenaPool *arena;
+};
+#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
+#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
+#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
+#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
+struct CERTCrlEntryStr {
+SECItem serialNumber;
+SECItem revocationDate;
+CERTCertExtension **extensions;
+};
+struct CERTCrlStr {
+PLArenaPool *arena;
+SECItem version;
+SECAlgorithmID signatureAlg;
+SECItem derName;
+CERTName name;
+SECItem lastUpdate;
+SECItem nextUpdate;				/* optional for x.509 CRL  */
+CERTCrlEntry **entries;
+CERTCertExtension **extensions;
+/* can't add anything there for binary backwards compatibility reasons */
+};
+struct CERTCrlKeyStr {
+SECItem derName;
+SECItem dummy;			/* The decoder can not skip a primitive,
+					   this serves as a place holder for the
+					   decoder to finish its task only
+					*/
+};
+struct CERTSignedCrlStr {
+PLArenaPool *arena;
+CERTCrl crl;
+void *reserved1;
+PRBool reserved2;
+PRBool isperm;
+PRBool istemp;
+int referenceCount;
+CERTCertDBHandle *dbhandle;
+CERTSignedData signatureWrap;	/* XXX */
+char *url;
+SECItem *derCrl;
+PK11SlotInfo *slot;
+CK_OBJECT_HANDLE pkcs11ID;
+void* opaque; /* do not touch */
+};
+struct CERTCrlHeadNodeStr {
+PLArenaPool *arena;
+CERTCertDBHandle *dbhandle;
+CERTCrlNode *first;
+CERTCrlNode *last;
+};
+struct CERTCrlNodeStr {
+CERTCrlNode *next;
+int 	type;
+CERTSignedCrl *crl;
+};
+/*
+* Array of X.500 Distinguished Names
+*/
+struct CERTDistNamesStr {
+PLArenaPool *arena;
+int nnames;
+SECItem  *names;
+void *head; /* private */
+};
+#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
+#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
+#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
+#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
+#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
+#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
+#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
+#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
+#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
+#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
+			  NS_CERT_TYPE_SSL_SERVER | \
+			  NS_CERT_TYPE_EMAIL | \
+			  NS_CERT_TYPE_OBJECT_SIGNING )
+#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
+			 NS_CERT_TYPE_EMAIL_CA | \
+			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
+			 EXT_KEY_USAGE_STATUS_RESPONDER )
+typedef enum SECCertUsageEnum {
+certUsageSSLClient = 0,
+certUsageSSLServer = 1,
+certUsageSSLServerWithStepUp = 2,
+certUsageSSLCA = 3,
+certUsageEmailSigner = 4,
+certUsageEmailRecipient = 5,
+certUsageObjectSigner = 6,
+certUsageUserCertImport = 7,
+certUsageVerifyCA = 8,
+certUsageProtectedObjectSigner = 9,
+certUsageStatusResponder = 10,
+certUsageAnyCA = 11
+} SECCertUsage;
+typedef PRInt64 SECCertificateUsage;
+#define certificateUsageCheckAllUsages         (0x0000)
+#define certificateUsageSSLClient              (0x0001)
+#define certificateUsageSSLServer              (0x0002)
+#define certificateUsageSSLServerWithStepUp    (0x0004)
+#define certificateUsageSSLCA                  (0x0008)
+#define certificateUsageEmailSigner            (0x0010)
+#define certificateUsageEmailRecipient         (0x0020)
+#define certificateUsageObjectSigner           (0x0040)
+#define certificateUsageUserCertImport         (0x0080)
+#define certificateUsageVerifyCA               (0x0100)
+#define certificateUsageProtectedObjectSigner  (0x0200)
+#define certificateUsageStatusResponder        (0x0400)
+#define certificateUsageAnyCA                  (0x0800)
+#define certificateUsageHighest certificateUsageAnyCA
+/*
+* Does the cert belong to the user, a peer, or a CA.
+*/
+typedef enum CERTCertOwnerEnum {
+certOwnerUser = 0,
+certOwnerPeer = 1,
+certOwnerCA = 2
+} CERTCertOwner;
+/*
+* This enum represents the state of validity times of a certificate
+*/
+typedef enum SECCertTimeValidityEnum {
+secCertTimeValid = 0,
+secCertTimeExpired = 1,
+secCertTimeNotValidYet = 2,
+secCertTimeUndetermined = 3 /* validity could not be decoded from the
+cert, most likely because it was NULL */
+} SECCertTimeValidity;
+/*
+* This is used as return status in functions that compare the validity
+* periods of two certificates A and B, currently only
+* CERT_CompareValidityTimes.
+*/
+typedef enum CERTCompareValidityStatusEnum
+{
+certValidityUndetermined = 0, /* the function is unable to select one cert
+over another */
+certValidityChooseB = 1,      /* cert B should be preferred */
+certValidityEqual = 2,        /* both certs have the same validity period */
+certValidityChooseA = 3       /* cert A should be preferred */
+} CERTCompareValidityStatus;
+/*
+* Interface for getting certificate nickname strings out of the database
+*/
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL		1
+#define SEC_CERT_NICKNAMES_USER		2
+#define SEC_CERT_NICKNAMES_SERVER	3
+#define SEC_CERT_NICKNAMES_CA		4
+struct CERTCertNicknamesStr {
+PLArenaPool *arena;
+void *head;
+int numnicknames;
+char **nicknames;
+int what;
+int totallen;
+};
+struct CERTIssuerAndSNStr {
+SECItem derIssuer;
+CERTName issuer;
+SECItem serialNumber;
+};
+/* X.509 v3 Key Usage Extension flags */
+#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
+#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
+#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
+#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
+#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
+#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
+#define KU_CRL_SIGN			(0x02)  /* bit 6 */
+#define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
+#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
+					 KU_NON_REPUDIATION | \
+					 KU_KEY_ENCIPHERMENT | \
+					 KU_DATA_ENCIPHERMENT | \
+					 KU_KEY_AGREEMENT | \
+					 KU_KEY_CERT_SIGN | \
+					 KU_CRL_SIGN | \
+					 KU_ENCIPHER_ONLY)
+/* This value will not occur in certs.  It is used internally for the case
+* when either digital signature or non-repudiation is the correct value.
+*/
+#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
+/* This value will not occur in certs.  It is used internally for the case
+* when the key type is not know ahead of time and either key agreement or
+* key encipherment are the correct value based on key type
+*/
+#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
+/* internal bits that do not match bits in the x509v3 spec, but are used
+* for similar purposes
+*/
+#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
+/*
+* x.509 v3 Basic Constraints Extension
+* If isCA is false, the pathLenConstraint is ignored.
+* Otherwise, the following pathLenConstraint values will apply:
+*	< 0 - there is no limit to the certificate path
+*	0   - CA can issues end-entity certificates only
+*	> 0 - the number of certificates in the certificate path is
+*	      limited to this number
+*/
+#define CERT_UNLIMITED_PATH_CONSTRAINT -2
+struct CERTBasicConstraintsStr {
+PRBool isCA;			/* on if is CA */
+int pathLenConstraint;		/* maximum number of certificates that can be
+					   in the cert path.  Only applies to a CA
+					   certificate; otherwise, it's ignored.
+					 */
+};
+/* Maximum length of a certificate chain */
+#define CERT_MAX_CERT_CHAIN 20
+#define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
+#define CERT_MAX_DN_BYTES             4096  /* arbitrary */
+/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
+#define RF_UNUSED			(0x80)	/* bit 0 */
+#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
+#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
+#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
+#define RF_SUPERSEDED			(0x08)  /* bit 4 */
+#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
+#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
+/* enum for CRL Entry Reason Code */
+typedef enum CERTCRLEntryReasonCodeEnum {
+crlEntryReasonUnspecified = 0,
+crlEntryReasonKeyCompromise = 1,
+crlEntryReasonCaCompromise = 2,
+crlEntryReasonAffiliationChanged = 3,
+crlEntryReasonSuperseded = 4,
+crlEntryReasonCessationOfOperation = 5,
+crlEntryReasoncertificatedHold = 6,
+crlEntryReasonRemoveFromCRL = 8,
+crlEntryReasonPrivilegeWithdrawn = 9,
+crlEntryReasonAaCompromise = 10
+} CERTCRLEntryReasonCode;
+/* If we needed to extract the general name field, use this */
+/* General Name types */
+typedef enum CERTGeneralNameTypeEnum {
+certOtherName = 1,
+certRFC822Name = 2,
+certDNSName = 3,
+certX400Address = 4,
+certDirectoryName = 5,
+certEDIPartyName = 6,
+certURI = 7,
+certIPAddress = 8,
+certRegisterID = 9
+} CERTGeneralNameType;
+typedef struct OtherNameStr {
+SECItem          name;
+SECItem          oid;
+}OtherName;
+struct CERTGeneralNameStr {
+CERTGeneralNameType type;		/* name type */
+union {
+	CERTName directoryName;         /* distinguish name */
+	OtherName  OthName;		/* Other Name */
+	SECItem other;                  /* the rest of the name forms */
+}name;
+SECItem derDirectoryName;		/* this is saved to simplify directory name
+					   comparison */
+PRCList l;
+};
+struct CERTGeneralNameListStr {
+PLArenaPool *arena;
+CERTGeneralName *name;
+int refCount;
+int len;
+PZLock *lock;
+};
+struct CERTNameConstraintStr {
+CERTGeneralName  name;
+SECItem          DERName;
+SECItem          min;
+SECItem          max;
+PRCList          l;
+};
+struct CERTNameConstraintsStr {
+CERTNameConstraint  *permited;
+CERTNameConstraint  *excluded;
+SECItem             **DERPermited;
+SECItem             **DERExcluded;
+};
+/* Private Key Usage Period extension struct. */
+struct CERTPrivKeyUsagePeriodStr {
+SECItem notBefore;
+SECItem notAfter;
+PLArenaPool *arena;
+};
+/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
+issuer field, we only support URI now.
+*/
+struct CERTAuthKeyIDStr {
+SECItem keyID;			/* unique key identifier */
+CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
+SECItem authCertSerialNumber;	/* CA's certificate serial number */
+SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
+					   the authCertIssuer field. It is used
+					   by the encoding engine. It should be
+					   used as a read only field by the caller.
+					*/
+};
+/* x.509 v3 CRL Distributeion Point */
+/*
+* defined the types of CRL Distribution points
+*/
+typedef enum DistributionPointTypesEnum {
+generalName = 1,			/* only support this for now */
+relativeDistinguishedName = 2
+} DistributionPointTypes;
+struct CRLDistributionPointStr {
+DistributionPointTypes distPointType;
+union {
+	CERTGeneralName *fullName;
+	CERTRDN relativeName;
+} distPoint;
+SECItem reasons;
+CERTGeneralName *crlIssuer;
+/* Reserved for internal use only*/
+SECItem derDistPoint;
+SECItem derRelativeName;
+SECItem **derCrlIssuer;
+SECItem **derFullName;
+SECItem bitsmap;
+};
+struct CERTCrlDistributionPointsStr {
+CRLDistributionPoint **distPoints;
+};
+/*
+* This structure is used to keep a log of errors when verifying
+* a cert chain.  This allows multiple errors to be reported all at
+* once.
+*/
+struct CERTVerifyLogNodeStr {
+CERTCertificate *cert;	/* what cert had the error */
+long error;			/* what error was it? */
+unsigned int depth;		/* how far up the chain are we */
+void *arg;			/* error specific argument */
+struct CERTVerifyLogNodeStr *next; /* next in the list */
+struct CERTVerifyLogNodeStr *prev; /* next in the list */
+};
+struct CERTVerifyLogStr {
+PLArenaPool *arena;
+unsigned int count;
+struct CERTVerifyLogNodeStr *head;
+struct CERTVerifyLogNodeStr *tail;
+};
+struct CERTOKDomainNameStr {
+CERTOKDomainName *next;
+char              name[1]; /* actual length may be longer. */
+};
+typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
+						    CERTCertificate *cert,
+						    PRTime time,
+						    void *pwArg);
+typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
+struct CERTStatusConfigStr {
+CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
+CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
+void *statusContext;		/* cx specific to checking protocol */
+};
+struct CERTAuthInfoAccessStr {
+SECItem method;
+SECItem derLocation;
+CERTGeneralName *location;		/* decoded location */
+};
+/* This is the typedef for the callback passed to CERT_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
+/*
+* types of cert packages that we can decode
+*/
+typedef enum CERTPackageTypeEnum {
+certPackageNone = 0,
+certPackageCert = 1,
+certPackagePKCS7 = 2,
+certPackageNSCertSeq = 3,
+certPackageNSCertWrap = 4
+} CERTPackageType;
+/*
+* these types are for the PKIX Certificate Policies extension
+*/
+typedef struct {
+SECOidTag oid;
+SECItem qualifierID;
+SECItem qualifierValue;
+} CERTPolicyQualifier;
+typedef struct {
+SECOidTag oid;
+SECItem policyID;
+CERTPolicyQualifier **policyQualifiers;
+} CERTPolicyInfo;
+typedef struct {
+PLArenaPool *arena;
+CERTPolicyInfo **policyInfos;
+} CERTCertificatePolicies;
+typedef struct {
+SECItem organization;
+SECItem **noticeNumbers;
+} CERTNoticeReference;
+typedef struct {
+PLArenaPool *arena;
+CERTNoticeReference noticeReference;
+SECItem derNoticeReference;
+SECItem displayText;
+} CERTUserNotice;
+typedef struct {
+PLArenaPool *arena;
+SECItem **oids;
+} CERTOidSequence;
+/*
+* these types are for the PKIX Policy Mappings extension
+*/
+typedef struct {
+SECItem issuerDomainPolicy;
+SECItem subjectDomainPolicy;
+} CERTPolicyMap;
+typedef struct {
+PLArenaPool *arena;
+CERTPolicyMap **policyMaps;
+} CERTCertificatePolicyMappings;
+/*
+* these types are for the PKIX inhibitAnyPolicy extension
+*/
+typedef struct {
+SECItem inhibitAnySkipCerts;
+} CERTCertificateInhibitAny;
+/*
+* these types are for the PKIX Policy Constraints extension
+*/
+typedef struct {
+SECItem explicitPolicySkipCerts;
+SECItem inhibitMappingSkipCerts;
+} CERTCertificatePolicyConstraints;
+/*
+* These types are for the validate chain callback param.
+*
+* CERTChainVerifyCallback is an application-supplied callback that can be used
+* to augment libpkix's certificate chain validation with additional
+* application-specific checks. It may be called multiple times if there are
+* multiple potentially-valid paths for the certificate being validated. This
+* callback is called before revocation checking is done on the certificates in
+* the given chain.
+*
+* - isValidChainArg contains the application-provided opaque argument
+* - currentChain is the currently validated chain. It is ordered with the leaf
+*   certificate at the head and the trust anchor at the tail.
+*
+* The callback should set *chainOK = PR_TRUE and return SECSuccess if the
+* certificate chain is acceptable. It should set *chainOK = PR_FALSE and
+* return SECSuccess if the chain is unacceptable, to indicate that the given
+* chain is bad and path building should continue. It should return SECFailure
+* to indicate an fatal error that will cause path validation to fail
+* immediately.
+*/
+typedef SECStatus (*CERTChainVerifyCallbackFunc)
+(void *isChainValidArg,
+const CERTCertList *currentChain,
+PRBool *chainOK);
+/*
+* Note: If extending this structure, it will be necessary to change the
+* associated CERTValParamInType
+*/
+typedef struct {
+CERTChainVerifyCallbackFunc isChainValid;
+void *isChainValidArg;
+} CERTChainVerifyCallback;
+/*
+* these types are for the CERT_PKIX* Verification functions
+* These are all optional parameters.
+*/
+typedef enum {
+cert_pi_end             = 0, /* SPECIAL: signifies end of array of
+				 * CERTValParam* */
+cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
+			         * resume a session. If this argument is
+				 * specified, no other arguments should be.
+				 * Specified in value.pointer.p. If the
+				 * operation completes the context will be
+				 * freed. */
+cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an
+				 * existing operation which the caller wants
+			         * to abort. If this argument is
+				 * specified, no other arguments should be.
+				 * Specified in value.pointer.p. If the
+			         * operation succeeds the context will be
+				 * freed. */
+cert_pi_certList        = 3, /* specify the chain to validate against. If
+				 * this value is given, then the path
+				 * construction step in the validation is
+				 * skipped. Specified in value.pointer.chain */
+cert_pi_policyOID       = 4, /* validate certificate for policy OID.
+				 * Specified in value.array.oids. Cert must
+				 * be good for at least one OID in order
+				 * to validate. Default is that the user is not
+				 * concerned about certificate policy. */
+cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
+				 * Specified in value.scalar.ul. Policy flags
+				 * apply to all specified oids.
+				 * Use CERT_POLICY_FLAG_* macros below. If not
+				 * specified policy flags default to 0 */
+cert_pi_keyusage        = 6, /* specify what the keyusages the certificate
+				 * will be evaluated against, specified in
+				 * value.scalar.ui. The cert must validate for
+				 * at least one of the specified key usages.
+				 * Values match the KU_  bit flags defined
+				 * in this file. Default is derived from
+				 * the 'usages' function argument */
+cert_pi_extendedKeyusage= 7, /* specify what the required extended key
+				 * usage of the certificate. Specified as
+				 * an array of oidTags in value.array.oids.
+				 * The cert must validate for at least one
+				 * of the specified extended key usages.
+				 * If not specified, no extended key usages
+				 * will be checked. */
+cert_pi_date            = 8, /* validate certificate is valid as of date
+				 * specified in value.scalar.time. A special
+				 * value '0' indicates 'now'. default is '0' */
+cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
+				 * See CERT_REV_FLAG_* macros below
+				 * Set in value.pointer.revocation */
+cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
+				 * Set in value.scalar.ui */
+cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to
+				 * validate against.
+				 * The default set of trusted roots, these are
+				 * root CA certs from libnssckbi.so or CA
+				 * certs trusted by user, are used in any of
+				 * the following cases:
+				 *      * when the parameter is not set.
+				 *      * when the list of trust anchors is empty.
+				 * Note that this handling can be further altered by altering the
+				 * cert_pi_useOnlyTrustAnchors flag
+				 * Specified in value.pointer.chain */
+cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
+				 * In NSS 3.12.1 or later. Default is off.
+				 * Value is in value.scalar.b */
+cert_pi_chainVerifyCallback = 13,
+/* The callback container for doing extra
+* validation on the currently calculated chain.
+* Value is in value.pointer.chainVerifyCallback */
+cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
+				 * certificates other than the ones passed in via cert_pi_trustAnchors.
+				 * If false, then the certificates specified via cert_pi_trustAnchors
+				 * will be combined with the pre-existing trusted roots, but only for
+				 * the certificate validation being performed.
+				 * If no value has been supplied via cert_pi_trustAnchors, this has no
+				 * effect.
+				 * The default value is true, meaning if this is not supplied, only
+				 * trust anchors supplied via cert_pi_trustAnchors are trusted.
+				 * Specified in value.scalar.b */
+cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
+				 *  can increase in future releases */
+} CERTValParamInType;
+/*
+* for all out parameters:
+*  out parameters are only returned if the caller asks for them in
+*  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
+*  array itself. The pkix verify function will allocate and other arrays
+*  pointers, or objects. The Caller is responsible for freeing those results.
+* If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
+*/
+typedef enum {
+cert_po_end             = 0, /* SPECIAL: signifies end of array of
+				 * CERTValParam* */
+cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
+				 * non-blocking context is specified, then
+				 * blocking IO will be used.
+				 * Returned in value.pointer.p. The context is
+				 * freed after an abort or a complete operation.
+				 * This value is only returned on SECWouldBlock.
+				 */
+cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
+				 * was validated. Returned in
+				 * value.pointer.cert, this value is only
+				 * returned on SECSuccess. */
+cert_po_certList        = 3, /* Return the entire chain that was validated.
+				 * Returned in value.pointer.certList. If no
+				 * chain could be constructed, this value
+				 * would be NULL. */
+cert_po_policyOID       = 4, /* Return the policies that were found to be
+				 * valid. Returned in value.array.oids as an
+				 * array. This is only returned on
+				 * SECSuccess. */
+cert_po_errorLog        = 5, /* Return a log of problems with the chain.
+				 * Returned in value.pointer.log  */
+cert_po_usages          = 6, /* Return what usages the certificate is valid
+				   for. Returned in value.scalar.usages */
+cert_po_keyUsage        = 7, /* Return what key usages the certificate
+				 * is valid for.
+				 * Returned in value.scalar.usage */
+cert_po_extendedKeyusage= 8, /* Return what extended key usages the
+				 * certificate is valid for.
+				 * Returned in value.array.oids */
+cert_po_max                  /* SPECIAL: signifies maximum allowed value,
+				 *  can increase in future releases */
+} CERTValParamOutType;
+typedef enum {
+cert_revocation_method_crl = 0,
+cert_revocation_method_ocsp,
+cert_revocation_method_count
+} CERTRevocationMethodIndex;
+/*
+* The following flags are supposed to be used to control bits in
+* each integer contained in the array pointed to be:
+*     CERTRevocationTests.cert_rev_flags_per_method
+* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
+* this is a method dependent flag.
+*/
+/*
+* Whether or not to use a method for revocation testing.
+* If set to "do not test", then all other flags are ignored.
+*/
+#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0UL
+#define CERT_REV_M_TEST_USING_THIS_METHOD            1UL
+/*
+* Whether or not NSS is allowed to attempt to fetch fresh information
+*         from the network.
+* (Although fetching will never happen if fresh information for the
+*           method is already locally available.)
+*/
+#define CERT_REV_M_ALLOW_NETWORK_FETCHING            0UL
+#define CERT_REV_M_FORBID_NETWORK_FETCHING           2UL
+/*
+* Example for an implicit default source:
+*         The globally configured default OCSP responder.
+* IGNORE means:
+*        ignore the implicit default source, whether it's configured or not.
+* ALLOW means:
+*       if an implicit default source is configured,
+*          then it overrides any available or missing source in the cert.
+*       if no implicit default source is configured,
+*          then we continue to use what's available (or not available)
+*          in the certs.
+*/
+#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0UL
+#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4UL
+/*
+* Defines the behavior if no fresh information is available,
+*   fetching from the network is allowed, but the source of revocation
+*   information is unknown (even after considering implicit sources,
+*   if allowed by other flags).
+* SKIPT_TEST means:
+*          We ignore that no fresh information is available and
+*          skip this test.
+* REQUIRE_INFO means:
+*          We still require that fresh information is available.
+*          Other flags define what happens on missing fresh info.
+*/
+#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0UL
+#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8UL
+/*
+* Defines the behavior if we are unable to obtain fresh information.
+* INGORE means:
+*      Return "cert status unknown"
+* FAIL means:
+*      Return "cert revoked".
+*/
+#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0UL
+#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16UL
+/*
+* What should happen if we were able to find fresh information using
+* this method, and the data indicated the cert is good?
+* STOP_TESTING means:
+*              Our success is sufficient, do not continue testing
+*              other methods.
+* CONTINUE_TESTING means:
+*                  We will continue and test the next allowed
+*                  specified method.
+*/
+#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0UL
+#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32UL
+/* When this flag is used, libpkix will never attempt to use the GET HTTP
+* method for OCSP requests; it will always use POST.
+*/
+#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
+/*
+* The following flags are supposed to be used to control bits in
+*     CERTRevocationTests.cert_rev_method_independent_flags
+* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
+* this is a method independent flag.
+*/
+/*
+* This defines the order to checking.
+* EACH_METHOD_SEPARATELY means:
+*      Do all tests related to a particular allowed method
+*      (both local information and network fetching) in a single step.
+*      Only after testing for a particular method is done,
+*      then switching to the next method will happen.
+* ALL_LOCAL_INFORMATION_FIRST means:
+*      Start by testing the information for all allowed methods
+*      which are already locally available. Only after that is done
+*      consider to fetch from the network (as allowed by other flags).
+*/
+#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0UL
+#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1UL
+/*
+* Use this flag to specify that it's necessary that fresh information
+* is available for at least one of the allowed methods, but it's
+* irrelevant which of the mechanisms succeeded.
+* NO_OVERALL_INFO_REQUIREMENT means:
+*     We strictly follow the requirements for each individual method.
+* REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
+*     After the individual tests have been executed, we must have
+*     been able to find fresh information using at least one method.
+*     If we were unable to find fresh info, it's a failure.
+*     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+*     flag on all methods.
+*/
+#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0UL
+#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
+typedef struct {
+/*
+* The size of the array that cert_rev_flags_per_method points to,
+* meaning, the number of methods that are known and defined
+* by the caller.
+*/
+PRUint32 number_of_defined_methods;
+/*
+* A pointer to an array of integers.
+* Each integer defines revocation checking for a single method,
+*      by having individual CERT_REV_M_* bits set or not set.
+* The meaning of index numbers into this array are defined by
+*     enum CERTRevocationMethodIndex
+* The size of the array must be specified by the caller in the separate
+*     variable number_of_defined_methods.
+* The size of the array may be smaller than
+*     cert_revocation_method_count, it can happen if a caller
+*     is not yet aware of the latest revocation methods
+*     (or does not want to use them).
+*/
+PRUint64 *cert_rev_flags_per_method;
+/*
+* How many preferred methods are specified?
+* This is equivalent to the size of the array that
+*      preferred_revocation_methods points to.
+* It's allowed to set this value to zero,
+*      then NSS will decide which methods to prefer.
+*/
+PRUint32 number_of_preferred_methods;
+/* Array that may specify an optional order of preferred methods.
+* Each array entry shall contain a method identifier as defined
+*   by CERTRevocationMethodIndex.
+* The entry at index [0] specifies the method with highest preferrence.
+* These methods will be tested first for locally available information.
+* Methods allowed for downloading will be attempted in the same order.
+*/
+CERTRevocationMethodIndex *preferred_methods;
+/*
+* An integer which defines certain aspects of revocation checking
+* (independent of individual methods) by having individual
+* CERT_REV_MI_* bits set or not set.
+*/
+PRUint64 cert_rev_method_independent_flags;
+} CERTRevocationTests;
+typedef struct {
+CERTRevocationTests leafTests;
+CERTRevocationTests chainTests;
+} CERTRevocationFlags;
+typedef struct CERTValParamInValueStr {
+union {
+PRBool   b;
+PRInt32  i;
+PRUint32 ui;
+PRInt64  l;
+PRUint64 ul;
+PRTime time;
+} scalar;
+union {
+const void*    p;
+const char*    s;
+const CERTCertificate* cert;
+const CERTCertList *chain;
+const CERTRevocationFlags *revocation;
+const CERTChainVerifyCallback *chainVerifyCallback;
+} pointer;
+union {
+const PRInt32  *pi;
+const PRUint32 *pui;
+const PRInt64  *pl;
+const PRUint64 *pul;
+const SECOidTag *oids;
+} array;
+int arraySize;
+} CERTValParamInValue;
+typedef struct CERTValParamOutValueStr {
+union {
+PRBool   b;
+PRInt32  i;
+PRUint32 ui;
+PRInt64  l;
+PRUint64 ul;
+SECCertificateUsage usages;
+} scalar;
+union {
+void*    p;
+char*    s;
+CERTVerifyLog *log;
+CERTCertificate* cert;
+CERTCertList *chain;
+} pointer;
+union {
+void 	  *p;
+SECOidTag *oids;
+} array;
+int arraySize;
+} CERTValParamOutValue;
+typedef struct {
+CERTValParamInType type;
+CERTValParamInValue value;
+} CERTValInParam;
+typedef struct {
+CERTValParamOutType type;
+CERTValParamOutValue value;
+} CERTValOutParam;
+/*
+* Levels of standards conformance strictness for CERT_NameToAsciiInvertible
+*/
+typedef enum CertStrictnessLevels {
+CERT_N2A_READABLE   =  0, /* maximum human readability */
+CERT_N2A_STRICT     = 10, /* strict RFC compliance    */
+CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
+all DirectoryStrings encoded in hex */
+} CertStrictnessLevel;
+/*
+* policy flag defines
+*/
+#define CERT_POLICY_FLAG_NO_MAPPING    1
+#define CERT_POLICY_FLAG_EXPLICIT      2
+#define CERT_POLICY_FLAG_NO_ANY        4
+/*
+* CertStore flags
+*/
+#define CERT_ENABLE_LDAP_FETCH          1
+#define CERT_ENABLE_HTTP_FETCH          2
+/* This functin pointer type may be used for any function that takes
+* a CERTCertificate * and returns an allocated string, which must be
+* freed by a call to PORT_Free.
+*/
+typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+SEC_BEGIN_PROTOS
+extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
+extern const SEC_ASN1Template CERT_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
+extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
+extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
+extern const SEC_ASN1Template CERT_ValidityTemplate[];
+extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
+extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
+extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
+extern const SEC_ASN1Template CERT_NameTemplate[];
+extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
+extern const SEC_ASN1Template CERT_RDNTemplate[];
+extern const SEC_ASN1Template CERT_SignedDataTemplate[];
+extern const SEC_ASN1Template CERT_CrlTemplate[];
+extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
+/*
+** XXX should the attribute stuff be centralized for all of ns/security?
+*/
+extern const SEC_ASN1Template CERT_AttributeTemplate[];
+extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
+SEC_END_PROTOS
+#endif /* _CERTT_H_ */

The Tor Browser / file comparison

comparison: security/nss/lib/certdb/certt.h

security/nss/lib/certdb/certt.h