The Tor Browser: comparison security/nss/lib/crmf/crmf.h

--1:000000000000
+:e4da7899bf96
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _CRMF_H_
+#define _CRMF_H_
+#include "seccomon.h"
+#include "cert.h"
+#include "crmft.h"
+#include "secoid.h"
+#include "secpkcs7.h"
+SEC_BEGIN_PROTOS
+/*
+* FUNCTION: CRMF_EncodeCertReqMsg
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to be encoded.
+*    fn
+*        A Callback function that the ASN1 encoder calls whenever
+*        the encoder wants to write out some DER encoded bytes.
+*    arg
+*        An opaque pointer that gets passed to the function fn
+* OUTPUT:
+*    The function fn will be called multiple times.  Look at the
+*    comments in crmft.h where the CRMFEncoderOutputCallback type is
+*    defined for information on proper behavior of the function fn.
+* RETURN:
+*    SECSuccess if encoding was successful.  Any other return value
+*    indicates an error occurred during encoding.
+*/
+extern SECStatus
+CRMF_EncodeCertReqMsg (CRMFCertReqMsg            *inCertReqMsg,
+			       CRMFEncoderOutputCallback  fn,
+			       void                      *arg);
+/*
+* FUNCTION: CRMF_EncoderCertRequest
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to be encoded.
+*    fn
+*        A Callback function that the ASN1 encoder calls whenever
+*        the encoder wants to write out some DER encoded bytes.
+*    arg
+*        An opaque pointer that gets passed to the function fn.
+* OUTPUT:
+*    The function fn will be called, probably multiple times whenever
+*    the ASN1 encoder wants to write out DER-encoded bytes.  Look at the
+*    comments in crmft.h where the CRMFEncoderOutputCallback type is
+*    defined for information on proper behavior of the function fn.
+* RETURN:
+*    SECSuccess if encoding was successful.  Any other return value
+*    indicates an error occurred during encoding.
+*/
+extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest           *inCertReq,
+					 CRMFEncoderOutputCallback  fn,
+					 void                      *arg);
+/*
+* FUNCTION: CRMF_EncodeCertReqMessages
+* INPUTS:
+*    inCertReqMsgs
+*        An array of pointers to the Certificate Request Messages
+*        to encode.  The user must place a NULL pointer in the index
+*        after the last message to be encoded.  When the library runs
+*        into the NULL pointer, the library assumes there are no more
+*        messages to encode.
+*    fn
+*        A Callback function that the ASN1 encoder calls whenever
+*        the encoder wants to write out some DER encoded byts.
+*    arg
+*        An opaque pointer that gets passed to the function fn.
+*
+* NOTES:
+*    The parameter inCertReqMsgs needs to be an array with a NULL pointer
+*    to signal the end of messages.  An array in the form of
+*    {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
+*    m3.  All messages from m4 on will not be looked at by the library.
+*
+* OUTPUT:
+*    The function fn will be called, probably multiple times.  Look at the
+*    comments in crmft.h where the CRMFEncoderOutputCallback type is
+*    defined for information on proper behavior of the function fn.
+*
+* RETURN:
+* SECSuccess if encoding the Certificate Request Messages was successful.
+* Any other return value indicates an error occurred while encoding the
+* certificate request messages.
+*/
+extern SECStatus
+CRMF_EncodeCertReqMessages(CRMFCertReqMsg           **inCertReqMsgs,
+				  CRMFEncoderOutputCallback  fn,
+				  void                      *arg);
+/*
+* FUNCTION: CRMF_CreateCertReqMsg
+* INPUTS:
+*    NONE
+* OUTPUT:
+*    An empty CRMF Certificate Request Message.
+*    Before encoding this message, the user must set
+*    the ProofOfPossession field and the certificate
+*    request which are necessary for the full message.
+*    After the user no longer needs this CertReqMsg,
+*    the user must call CRMF_DestroyCertReqMsg to free
+*    all memory associated with the Certificate Request
+*    Message.
+* RETURN:
+*    A pointer to a Certificate Request Message.  The user
+*    must pass the return value of this function to
+*    CRMF_DestroyCertReqMsg after the Certificate Request
+*    Message is no longer necessary.
+*/
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsg(void);
+/*
+* FUNCTION: CRMF_DestroyCertReqMsg
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to destroy.
+*  NOTES:
+*    This function frees all the memory used for the Certificate
+*    Request Message and all the memory used in making copies of
+*    fields of elelments of the message, eg. the Proof Of Possession
+*    filed and the Cetificate Request.
+* RETURN:
+*    SECSuccess if destruction was successful.  Any other return value
+*    indicates an error while trying to free the memory associated
+*    with inCertReqMsg.
+*
+*/
+extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
+/*
+* FUNCTION: CRMF_CertReqMsgSetCertRequest
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message that the function will set
+*        the certificate request for.
+*    inCertReq
+*        The Certificate Request that will be added to the Certificate
+*        Request Message.
+* NOTES:
+*    This function will make a copy of the Certificate Request passed in
+*    and store it as part of the Certificate Request Message.  Therefore,
+*    the user must not call this function until the Certificate Request
+*    has been fully built and is ready to be encoded.
+* RETURN:
+*    SECSuccess
+*        If copying the Certificate as a member of the Certificate
+*        request message was successful.
+*    Any other return value indicates a failure to copy the Certificate
+*    Request and make it a part of the Certificate Request Message.
+*/
+extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg  *inCertReqMsg,
+					       CRMFCertRequest *inCertReq);
+/*
+* FUNCTION: CRMF_CreateCertRequest
+* INPUTS:
+*    inRequestID
+*        The ID that will be associated with this certificate request.
+* OUTPUTS:
+*    A certificate request which only has the requestID set.
+* NOTES:
+*    The user must call the function CRMF_DestroyCertRequest when
+*    the returned value is no longer needed.  This is usually the
+*    case after fully constructing the Certificate Request and then
+*    calling the function CRMF_CertReqMsgSetCertRequest.
+* RETURN:
+*    A pointer to the new Certificate Request.  A NULL return value
+*    indicates an error in creating the Certificate Request.
+*/
+extern CRMFCertRequest *CRMF_CreateCertRequest (PRUint32 inRequestID);
+/*
+* FUNCTION: CRMF_DestroyCertRequest
+* INPUTS:
+*    inCertReq
+*        The Certificate Request that will be destroyed.
+* RETURN:
+*    SECSuccess
+*        If freeing the memory associated with the certificate request
+*        was successful.
+*    Any other return value indicates an error while trying to free the
+*    memory.
+*/
+extern SECStatus CRMF_DestroyCertRequest (CRMFCertRequest *inCertReq);
+/*
+* FUNCTION: CRMF_CreateCertExtension
+* INPUTS:
+*    id
+*        The SECOidTag to associate with this CertExtension.  This must
+*        correspond to a valid Certificate Extension, if not the function
+*        will fail.
+*    isCritical
+*        A boolean value stating if the extension value is crtical.  PR_TRUE
+*        means the value is crtical.  PR_FALSE indicates the value is not
+*        critical.
+*    data
+*        This is the data associated with the extension.  The user of the
+*        library is responsible for making sure the value passed in is a
+*        valid interpretation of the certificate extension.
+* NOTES:
+* Use this function to create CRMFCertExtension Structures which will
+* then be passed to CRMF_AddFieldToCertTemplate as part of the
+* CRMFCertCreationInfo.extensions  The user must call
+* CRMF_DestroyCertExtension after the extension has been added to a certifcate
+* and the extension is no longer needed.
+*
+* RETURN:
+* A pointer to a newly created CertExtension.  A return value of NULL
+* indicates the id passed in was an invalid certificate extension.
+*/
+extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag      id,
+						   PRBool         isCritical,
+						   SECItem       *data);
+/*
+* FUNCTION: CMRF_DestroyCertExtension
+* INPUTS:
+*    inExtension
+*        The Cert Extension to destroy
+* NOTES:
+* Destroy a structure allocated by CRMF_CreateCertExtension.
+*
+* RETURN:
+* SECSuccess if freeing the memory associated with the certificate extension
+* was successful.  Any other error indicates an error while freeing the
+* memory.
+*/
+extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
+/*
+* FUNCTION: CRMF_CertRequestSetTemplateField
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    inTemplateField
+*        An enumeration that indicates which field of the Certificate
+*        template to add.
+*    data
+*        A generic pointer that will be type cast according to the
+*        table under NOTES and used as the key for adding to the
+*        certificate template;
+* NOTES:
+*
+* Below is a table that tells what type to pass in as data
+* depending on the template field one wants to set.
+*
+* Look in crmft.h for the definition of CRMFCertTemplateField.
+*
+* In all cases, the library makes copies of the data passed in.
+*
+*   CRMFCertTemplateField    Type of data    What data means
+*   ---------------------    ------------    ---------------
+*   crmfVersion              long *          The version of
+*                                            the certificate
+*                                            to be created.
+*
+*   crmfSerialNumber         long *          The serial number
+*                                            for the cert to be
+*                                            created.
+*
+*   crmfSigningAlg           SECAlgorithm *  The ASN.1 object ID for
+*                                            the algorithm used in encoding
+*                                            the certificate.
+*
+*   crmfIssuer               CERTName *      Certificate Library
+*                                            representation of the ASN1 type
+*                                            Name from X.509
+*
+*   crmfValidity     CRMFValidityCreationInfo *  At least one of the two
+*                                                fields in the structure must
+*                                                be present.  A NULL pointer
+*                                                in the structure indicates
+*                                                that member should not be
+*                                                added.
+*
+*   crmfSubject              CERTName *      Certificate Library
+*                                            representation of the ASN1 type
+*                                            Name from X.509
+*
+*   crmfPublicKey    CERTSubjectPublicKeyInfo *  The public key info for the
+*                                                certificate being requested.
+*
+*   crmfIssuerUID            SECItem *           A bit string representation
+*                                                of the issuer UID. NOTE: The
+*                                                length is the number of bits
+*                                                and not the number of bytes.
+*
+*   crmfSubjectUID           SECItem*            A bit string representation
+*                                                of the subject UID. NOTE: The
+*                                                length is the number of bits
+*                                                and not the number of bytes.
+*
+*   crmfExtension   CRMFCertExtCreationInfo *     A pointer to the structure
+*                                                 populated with an array of
+*                                                 of certificate extensions
+*                                                 and an integer that tells
+*                                                 how many elements are in the
+*                                                 array. Look in crmft.h for
+*                                                 the definition of
+*                                                 CRMFCertExtCreationInfo
+* RETURN:
+*    SECSuccess if adding the desired field to the template was successful.
+*    Any other return value indicates failure when trying to add the field
+*    to the template.
+*
+*/
+extern SECStatus
+CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq,
+				   CRMFCertTemplateField  inTemplateField,
+				   void                  *data);
+/*
+* FUNCTION: CRMF_CertRequestIsFieldPresent
+* INPUTS:
+*    inCertReq
+*        The certificate request to operate on.
+*    inTemplateField
+*        The enumeration for the template field the user wants to query
+*        about.
+* NOTES:
+* This function checks to see if the the field associated with inTemplateField
+* enumeration is already present in the certificate request passed in.
+*
+* RETURN:
+* The function returns PR_TRUE if the field associated with inTemplateField
+* is already present in the certificate request.  If the field is not present
+* the function returns PR_FALSE.
+*/
+extern PRBool
+CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
+				 CRMFCertTemplateField  inTemplateField);
+/*
+* FUNCTION: CRMF_CertRequestIsControlPresent
+* INPUTS:
+*    inCertReq
+*        The certificate request to operate on.
+*    inControlType
+*        The type of control to look for.
+* NOTES:
+* This function looks at the control present in the certificate request
+* and returns PR_TRUE iff a control of type inControlType already exists.
+* The CRMF draft does not explicitly state that two controls of the same
+* type can not exist within the same request.  So the library will not
+* cause an error if you try to add a control and one of the same type
+* already exists.  It is up to the application to ensure that multiple
+* controls of the same type do not exist, if that is the desired behavior
+* by the application.
+*
+* RETURN:
+* The function returns PR_TRUE if a control of type inControlType already
+* exists in the certificate request.  If a control of type inControlType
+* does not exist, the function will return PR_FALSE.
+*/
+extern PRBool
+CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
+				   CRMFControlType  inControlType);
+/*
+* FUNCTION: CRMF_CertRequestSetRegTokenControl
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    value
+*        The UTF8 value which will be the Registration Token Control
+*        for this Certificate Request.
+* NOTES:
+*    The library does no verification that the value passed in is
+*    a valid UTF8 value.  The caller must make sure of this in order
+*    to get an encoding that is valid.  The library will ultimately
+*    encode this value as it was passed in.
+* RETURN:
+*    SECSucces on successful addition of the Registration Token Control.
+*    Any other return value indicates an unsuccessful attempt to add the
+*    control.
+*
+*/
+extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
+						    SECItem         *value);
+/*
+* FUNCTION: CRMF_CertRequestSetAuthenticatorControl
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    value
+*        The UTF8 value that will become the Authenticator Control
+*        for the passed in Certificate Request.
+* NOTES:
+*    The library does no verification that the value passed in is
+*    a valid UTF8 value.  The caller must make sure of this in order
+*    to get an encoding that is valid.  The library will ultimately
+*    encode this value as it was passed in.
+* RETURN:
+*    SECSucces on successful addition of the Authenticator Control.
+*    Any other return value indicates an unsuccessful attempt to add the
+*    control.
+*/
+extern SECStatus
+CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
+						SECItem         *value);
+/*
+* FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
+* INPUTS:
+*    inPrivKey
+*        This is the private key associated with a certificate that is
+*        being requested.  This structure will eventually wind up as
+*        a part of the PKIArchiveOptions Control.
+*    inCACert
+*        This is the certificate for the CA that will be receiving the
+*        certificate request for the private key passed in.
+* OUTPUT:
+*    A CRMFEncryptedKey that can ultimately be used as part of the
+*    PKIArchiveOptions Control.
+*
+* RETURN:
+*    A pointer to a CRMFEncyptedKey.  A NULL return value indicates an erro
+*    during the creation of the encrypted key.
+*/
+extern CRMFEncryptedKey*
+CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
+						 CERTCertificate  *inCACert);
+/*
+* FUNCTION: CRMF_DestroyEncryptedKey
+* INPUTS:
+*    inEncrKey
+*        The CRMFEncryptedKey to be destroyed.
+* NOTES:
+*    Frees all memory associated with the CRMFEncryptedKey passed in.
+* RETURN:
+*    SECSuccess if freeing the memory was successful.  Any other return
+*    value indicates an error while freeig the memroy.
+*/
+extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
+/*
+* FUNCTION: CRMF_CreatePKIArchiveOptions
+* INPUTS:
+*    inType
+*        An enumeration value indicating which option for
+*        PKIArchiveOptions to use.
+*    data
+*        A pointer that will be type-cast and de-referenced according
+*        to the table under NOTES.
+* NOTES:
+* A table listing what should be passed in as data
+* ------------------------------------------------
+*
+* inType                            data
+* ------                            ----
+* crmfEncryptedPrivateKey           CRMFEncryptedKey*
+* crmfKeyGenParameters              SECItem*(This needs to be an octet string)
+* crmfArchiveRemGenPrivKey          PRBool*
+*
+* RETURN:
+*    A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
+*    Request.  A NULL pointer indicates an error occurred while creating
+*    the CRMFPKIArchiveOptions Structure.
+*/
+extern CRMFPKIArchiveOptions*
+CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType  inType,
+				    void                      *data);
+/*
+* FUNCTION: CRMF_DestroyPKIArchiveOptions
+* INPUTS:
+*    inArchOpt
+*        A pointer to the CRMFPKIArchiveOptions structure to free.
+* NOTES:
+*    Will free all memory associated with 'inArchOpt'.
+* RETURN:
+*    SECSuccess if successful in freeing the memory used by 'inArchOpt'
+*    Any other return value indicates an error while freeing the memory.
+*/
+extern SECStatus
+CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
+/*
+* FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to add the the options to.
+*    inOptions
+*        The Archive Options to add to the Certificate Request.
+* NOTES:
+*    Adds the PKIArchiveOption to the Certificate Request.  This is what
+*    enables Key Escrow to take place through CRMF.  The library makes
+*    its own copy of the information.
+* RETURN:
+*    SECSuccess if successful in adding the ArchiveOptions to the Certificate
+*    request.  Any other return value indicates an error when trying to add
+*    the Archive Options  to the Certificate Request.
+*/
+extern SECStatus
+CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
+					    CRMFPKIArchiveOptions *inOptions);
+/*
+* FUNCTION: CRMF_CertReqMsgGetPOPType
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to operate on.
+* NOTES:
+*    Returns an enumeration value indicating the method of Proof
+*    of Possession that was used for the passed in Certificate Request
+*    Message.
+* RETURN:
+*    An enumeration indicating what method for Proof Of Possession is
+*    being used in this Certificate Request Message.  Look in the file
+*    crmft.h for the definition of CRMFPOPChoice for the possible return
+*    values.
+*/
+extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
+/*
+* FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
+* INPUT:
+*    InCertReqMsg
+*        The Certificate Request Message to operate on.
+* NOTES:
+*    This function will set the method of Proof Of Possession to
+*    crmfRAVerified which means the RA has already verified the
+*    requester does possess the private key.
+* RETURN:
+*    SECSuccess if adding RAVerified to the message is successful.
+*    Any other message indicates an error while trying to add RAVerified
+*    as the Proof of Possession.
+*/
+extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
+/*
+* FUNCTION: CRMF_CertReqMsgSetSignaturePOP
+* INPUT:
+*    inCertReqMsg
+*        The Certificate Request Message to add the SignaturePOP to.
+*    inPrivKey
+*        The Private Key which corresponds to the the Certificate Request
+*        Message.
+*    inPubKey
+*        The Public Key which corresponds to the Private Key passed in.
+*    inCertForInput
+*        A Certificate that in the future may be used to create
+*        POPOSigningKeyInput.
+*    fn
+*        A callback for retrieving a password which may be used in the
+*       future to generate POPOSigningKeyInput.
+*    arg
+*        An opaque pointer that would be passed to fn whenever it is
+*        called.
+* NOTES:
+* Adds Proof Of Possession to the CertRequest using the signature field
+* of the ProofOfPossession field.  NOTE: In order to use this option,
+* the certificate template must contain the publicKey at the very minimum.
+*
+* If you don't want the function to generate POPOSigningKeyInput, then
+* make sure the cert template already contains the subject and public key
+* values.  Currently creating POPOSigningKeyInput is not supported, so
+* a Message passed to this function must have the publicKey and the subject
+* as part of the template
+*
+* This will take care of creating the entire POPOSigningKey structure
+* that will become part of the message.
+*
+* inPrivKey is the key to be used in the signing operation when creating
+* POPOSigningKey structure.  This should be the key corresponding to
+* the certificate being requested.
+*
+* inCertForInput will be used if POPOSigningKeyInput needs to be generated.
+* It will be used in generating the authInfo.sender field.  If the parameter
+* is not passed in then authInfo.publicKeyMAC will be generated instead.
+* If passed in, this certificate needs to be a valid certificate.
+*
+* The last 3 arguments are for future compatibility in case we ever want to
+* support generating POPOSigningKeyInput.  Pass in NULL for all 3 if you
+* definitely don't want the function to even try to generate
+* POPOSigningKeyInput.  If you try to use POPOSigningKeyInput, the function
+* will fail.
+*
+* RETURN:
+*    SECSuccess if adding the Signature Proof Of Possession worked.
+*    Any other return value indicates an error in trying to add
+*    the Signature Proof Of Possession.
+*/
+extern SECStatus
+CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
+				      SECKEYPrivateKey *inPrivKey,
+				      SECKEYPublicKey  *inPubKey,
+				      CERTCertificate  *inCertForInput,
+				      CRMFMACPasswordCallback  fn,
+				      void                    *arg);
+/*
+* FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to operate on.
+*    inKeyChoice
+*        An enumeration indicating which POPOPrivKey Choice to use
+*        in constructing the KeyEnciphermentPOP.
+*    subseqMess
+*        This parameter must be provided iff inKeyChoice is
+*        crmfSubsequentMessage.  This details how the RA is to respond
+*        in order to perform Proof Of Possession.  Look in crmft.h under
+*        the definition of CRMFSubseqMessOptions for possible values.
+*    encPrivKey
+*        This parameter only needs to be provided if inKeyChoice is
+*        crmfThisMessage.  The item should contain the encrypted private
+*        key.
+*
+* NOTES:
+* Adds Proof Of Possession using the keyEncipherment field of
+* ProofOfPossession.
+*
+* The function looks at the the inKeyChoice parameter and interprets it in
+* in the following manner.
+*
+* If a parameter is not mentioned under interpretation, the function will not
+* look at its value when implementing that case.
+*
+* inKeyChoice          Interpretation
+* -----------          --------------
+* crmfThisMessage      This options requires that the encrypted private key
+*                      be included in the thisMessage field of POPOPrivKey.
+*                      We don't support this yet, so any clients who want
+*                      to use this feature have to implement a wrapping
+*                      function and agree with the server on how to properly
+*                      wrap the key.  That encrypted key must be passed in
+*                      as the encPrivKey parameter.
+*
+* crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+*                      be either CRMFEncrCert or CRMFChallengeResp.  The
+*                      parameter encPrivKey will not be looked at in this
+*                      case.
+*
+* crmfDHMAC            This is not a valid option for this function.  Passing
+*                      in this value will result in the function returning
+*                      SECFailure.
+* RETURN:
+*    SECSuccess if adding KeyEnciphermentPOP was successful.  Any other return
+*    value indicates an error in adding KeyEnciphermentPOP.
+*/
+extern SECStatus
+CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
+					   CRMFPOPOPrivKeyChoice  inKeyChoice,
+					   CRMFSubseqMessOptions  subseqMess,
+					   SECItem               *encPrivKey);
+/*
+* FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to operate on.
+*    inKeyChoice
+*        An enumeration indicating which POPOPrivKey Choice to use
+*        in constructing the KeyAgreementPOP.
+*    subseqMess
+*        This parameter must be provided iff inKeyChoice is
+*        crmfSubsequentMessage.  This details how the RA is to respond
+*        in order to perform Proof Of Possession.  Look in crmft.h under
+*        the definition of CRMFSubseqMessOptions for possible values.
+*    encPrivKey
+*        This parameter only needs to be provided if inKeyChoice is
+*        crmfThisMessage.  The item should contain the encrypted private
+*        key.
+* Adds Proof Of Possession using the keyAgreement field of
+* ProofOfPossession.
+*
+* The function looks at the the inKeyChoice parameter and interprets it in
+* in the following manner.
+*
+* If a parameter is not mentioned under interpretation, the function will not
+* look at its value when implementing that case.
+*
+* inKeyChoice          Interpretation
+* -----------          --------------
+* crmfThisMessage      This options requires that the encrypted private key
+*                      be included in the thisMessage field of POPOPrivKey.
+*                      We don't support this yet, so any clients who want
+*                      to use this feature have to implement a wrapping
+*                      function and agree with the server on how to properly
+*                      wrap the key.  That encrypted key must be passed in
+*                      as the encPrivKey parameter.
+*
+* crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+*                      be either crmfEncrCert or crmfChallengeResp.  The
+*                      parameter encPrivKey will not be looked at in this
+*                      case.
+*
+* crmfDHMAC            This option is not supported.
+*/
+extern SECStatus
+CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg        *inCertReqMsg,
+					 CRMFPOPOPrivKeyChoice  inKeyChoice,
+					 CRMFSubseqMessOptions  subseqMess,
+					 SECItem               *encPrivKey);
+/*
+* FUNCTION: CRMF_CreateCertReqMsgFromDER
+* INPUTS:
+*    buf
+*        A buffer to the DER-encoded Certificate Request Message.
+*    len
+*        The length in bytes of the buffer 'buf'
+* NOTES:
+* This function passes the buffer to the ASN1 decoder and creates a
+* CRMFCertReqMsg structure.  Do not try adding any fields to a message
+* returned from this function.  Specifically adding more Controls or
+* Extensions may cause your program to crash.
+*
+* RETURN:
+*    A pointer to the Certificate Request Message structure.  A NULL return
+*    value indicates the library was unable to parse the DER.
+*/
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
+/*
+* FUNCTION: CRMF_CreateCertReqMessagesFromDER
+* INPUTS:
+*    buf
+*        A buffer to the DER-encoded Certificate Request Messages.
+*    len
+*        The length in bytes of buf
+* NOTES:
+* This function passes the buffer to the ASN1 decoder and creates a
+* CRMFCertReqMessages structure.  Do not try adding any fields to a message
+* derived from this function.  Specifically adding more Controls or
+* Extensions may cause your program to crash.
+* The user must call CRMF_DestroyCertReqMessages after the return value is
+* no longer needed, ie when all individual messages have been extracted.
+*
+* RETURN:
+*    A pointer to the Certificate Request Messages structure.  A NULL return
+*    value indicates the library was unable to parse the DER.
+*/
+extern CRMFCertReqMessages*
+CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
+/*
+* FUNCTION: CRMF_DestroyCertReqMessages
+* INPUTS
+*    inCertReqMsgs
+*        The Messages to destroy.
+* RETURN:
+*    SECSuccess if freeing the memory was done successfully.  Any other
+*    return value indicates an error in freeing up memory.
+*/
+extern SECStatus
+CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
+/*
+* FUNCTION: CRMF_CertReqMessagesGetNumMessages
+* INPUTS:
+*    inCertReqMsgs
+*        The Request Messages to operate on.
+* RETURN:
+*    The number of messages contained in the in the Request Messages
+*    strucure.
+*/
+extern int
+CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
+/*
+* FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
+* INPUTS:
+*    inReqMsgs
+*        The Certificate Request Messages to operate on.
+*    index
+*        The index of the single message the user wants a copy of.
+* NOTES:
+* This function returns a copy of the request messages stored at the
+* index corresponding to the parameter 'index'.  Indexing of the messages
+* is done in the same manner as a C array.  Meaning the valid index are
+* 0...numMessages-1.  User must call CRMF_DestroyCertReqMsg when done using
+* the return value of this function.
+*
+* RETURN:
+* SECSuccess if copying the message at the requested index was successful.
+* Any other return value indicates an invalid index or error while copying
+* the single request message.
+*/
+extern CRMFCertReqMsg*
+CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
+						int                  index);
+/*
+* FUNCTION: CRMF_CertReqMsgGetID
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to get the ID from.
+*    destID
+*        A pointer to where the library can place the ID of the Message.
+* RETURN:
+*    SECSuccess if the function was able to retrieve the ID and place it
+*    at *destID.  Any other return value indicates an error meaning the value
+*    in *destId is un-reliable and should not be used by the caller of this
+*    function.
+*
+*/
+extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg,
+				      long           *destID);
+/*
+* FUNCTION: CRMF_DoesRequestHaveField
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    inField
+*        An enumeration indicating which filed of the certificate template
+*        to look for.
+* NOTES:
+* All the fields in a certificate template are optional.  This function
+* checks to see if the requested field is present.  Look in crmft.h at the
+* definition of CRMFCertTemplateField for possible values for possible
+* querying.
+*
+* RETURN:
+* PR_TRUE iff the field corresponding to 'inField' has been specified as part
+*         of 'inCertReq'
+* PR_FALSE iff the field corresponding to 'inField' has not been speicified
+*          as part of 'inCertReq'
+*
+*/
+extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest       *inCertReq,
+					CRMFCertTemplateField  inField);
+/*
+* FUNCTION: CRMF_CertReqMsgGetCertRequest
+* INPUTS:
+*    inCertReqMsg
+*        The Certificate Request Message to operate on.
+* NOTES:
+*    This function returns a copy of the Certificate Request to the user.
+*    The user can keep adding to this request and then making it a part
+*    of another message.  After the user no longer wants to use the
+*    returned request, the user must call CRMF_DestroyCertRequest and
+*    pass it the request returned by this function.
+* RETURN:
+*    A pointer to a copy of the certificate request contained by the message.
+*    A NULL return value indicates an error occurred while copying the
+*   certificate request.
+*/
+extern CRMFCertRequest *
+CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateVersion
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    version
+*        A pointer to where the library can store the version contatined
+*        in the certificate template within the certifcate request.
+* RETURN:
+*    SECSuccess if the Certificate template contains the version field.  In
+*    this case, *version will hold the value of the certificate template
+*    version.
+*    SECFailure indicates that version field was not present as part of
+*    of the certificate template.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq,
+					      long            *version);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
+* INPUTS:
+*    inCertReq
+*        The certificate request to operate on.
+*    serialNumber
+*        A pointer where the library can put the serial number contained
+*        in the certificate request's certificate template.
+* RETURN:
+* If a serial number exists in the CertTemplate of the request, the function
+* returns SECSuccess and the value at *serialNumber contains the serial
+* number.
+* If no serial number is present, then the function returns SECFailure and
+* the value at *serialNumber is un-changed.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
+						   long         *serialNumber);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
+* INPUT:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    destAlg
+*        A Pointer to where the library can place a copy of the signing alg
+*        used in the cert request's cert template.
+* RETURN:
+* If the signingAlg is present in the CertRequest's CertTemplate, then
+* the function returns SECSuccess and places a copy of sigingAlg in
+* *destAlg.
+* If no signingAlg is present, then the function returns SECFailure and
+* the value at *destAlg is un-changed
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
+						 SECAlgorithmID  *destAlg);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    destIssuer
+*        A pointer to where the library can place a copy of the cert
+*        request's cert template issuer field.
+* RETURN:
+* If the issuer is present in the cert request cert template, the function
+* returns SECSuccess and places a  copy of the issuer in *destIssuer.
+* If there is no issuer present, the function returns SECFailure and the
+* value at *destIssuer is unchanged.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
+					     CERTName        *destIssuer);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateValidity
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    destValdity
+*        A pointer to where the library can place a copy of the validity
+*        info in the cert request cert template.
+* NOTES:
+* Pass the pointer to
+* RETURN:
+* If there is an OptionalValidity field, the function will return SECSuccess
+* and place the appropriate values in *destValidity->notBefore and
+* *destValidity->notAfter. (Each field is optional, but at least one will
+* be present if the function returns SECSuccess)
+*
+* If there is no OptionalValidity field, the function will return SECFailure
+* and the values at *destValidity will be un-changed.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
+					       CRMFGetValidity *destValidity);
+/*
+* FUNCTION: CRMF_DestroyGetValidity
+* INPUTS:
+*    inValidity
+*        A pointer to the memroy to be freed.
+* NOTES:
+* The function will free the memory allocated by the function
+* CRMF_CertRequestGetCertTemplateValidity.  That means only memory pointed
+* to within the CRMFGetValidity structure.  Since
+* CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
+* structure passed into it, it will not free it.  Meaning this function will
+* free the memory at inValidity->notBefore and inValidity->notAfter, but not
+* the memory directly at inValdity.
+*
+* RETURN:
+* SECSuccess if freeing the memory was successful.  Any other return value
+* indicates an error while freeing the memory.
+*/
+extern SECStatus
+CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateSubject
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+*    destSubject
+*        A pointer to where the library can place a copy of the subject
+*        contained in the request's cert template.
+* RETURN:
+* If there is a subject in the CertTemplate, then the function returns
+* SECSuccess and a copy of the subject is placed in *destSubject.
+*
+* If there is no subject, the function returns SECFailure and the values at
+* *destSubject is unchanged.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateSubject (CRMFCertRequest *inCertReq,
+					       CERTName        *destSubject);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
+* INPUTS:
+*    inCertReq
+*        The Cert request to operate on.
+*    destPublicKey
+*        A pointer to where the library can place a copy of the request's
+*        cert template public key.
+* RETURN:
+* If there is a publicKey parameter in the CertRequest, the function returns
+* SECSuccess, and places a copy of the publicKey in *destPublicKey.
+*
+* If there is no publicKey, the function returns SECFailure and the value
+* at *destPublicKey is un-changed.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
+				      CERTSubjectPublicKeyInfo *destPublicKey);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
+* INPUTS:
+*    inCertReq
+*        The Cert request to operate on.
+*    destIssuerUID
+*        A pointer to where the library can store a copy of the request's
+*        cert template destIssuerUID.
+*
+* NOTES:
+* destIssuerUID is a bit string and will be returned in a SECItem as
+* a bit string.  Meaning the len field contains the number of valid bits as
+* opposed to the number of bytes allocated.
+*
+* RETURN:
+* If the CertTemplate has an issuerUID, the function returns SECSuccess and
+* places a copy of the issuerUID in *destIssuerUID.
+*
+* If there is no issuerUID, the function returns SECFailure and the value
+* *destIssuerUID is unchanged.
+*/
+extern SECStatus
+CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
+						SECItem        *destIssuerUID);
+/*
+* FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
+*    inCertReq
+*        The Cert request to operate on.
+*    destSubjectUID
+*        A pointer to where the library can store a copy of the request's
+*        cert template destIssuerUID.
+*
+* NOTES:
+* destSubjectUID is a bit string and will be returned in a SECItem as
+* a bit string.  Meaning the len field contains the number of valid bits as
+* opposed to the number of bytes allocated.
+*
+* RETURN:
+* If the CertTemplate has an issuerUID, the function returns SECSuccess and
+* places a copy of the issuerUID in *destIssuerUID.
+*
+* If there is no issuerUID, the function returns SECSuccess and the value
+* *destIssuerUID is unchanged.
+*/
+extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
+						SECItem       *destSubjectUID);
+/*
+* FUNCTION: CRMF_CertRequestGetNumberOfExtensions
+* INPUTS:
+*    inCertReq
+*        The cert request to operate on.
+* RETURN:
+*    Returns the number of extensions contained by the Cert Request.
+*/
+extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
+/*
+* FUNCTION: CRMF_CertRequestGetExtensionAtIndex
+* INPUTS:
+*    inCertReq
+*        The Certificate request to operate on.
+*    index
+*        The index of the extension array whihc the user wants to access.
+* NOTES:
+* This function retrieves the extension at the index corresponding to the
+* parameter "index" indicates.  Indexing is done like a C array.
+* (0 ... numElements-1)
+*
+* Call CRMF_DestroyCertExtension when done using the return value.
+*
+* RETURN:
+*    A pointer to a copy of the extension at the desired index.  A NULL
+*    return value indicates an invalid index or an error while copying
+*    the extension.
+*/
+extern CRMFCertExtension *
+CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
+					   int              index);
+/*
+* FUNCTION: CRMF_CertExtensionGetOidTag
+* INPUTS:
+*    inExtension
+*        The extension to operate on.
+* RETURN:
+*    Returns the SECOidTag associated with the cert extension passed in.
+*/
+extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
+/*
+* FUNCTION: CRMF_CertExtensionGetIsCritical
+* INPUT:
+*    inExt
+*        The cert extension to operate on.
+*
+* RETURN:
+* PR_TRUE if the extension is critical.
+* PR_FALSE if the extension is not critical.
+*/
+extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
+/*
+* FUNCTION: CRMF_CertExtensionGetValue
+* INPUT:
+*    inExtension
+*        The extension to operate on.
+* NOTES:
+* Caller is responsible for freeing the memory associated with the return
+* value.  Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
+* value.
+*
+* RETURN:
+* A pointer to an item containig the value for the certificate extension.
+* A NULL return value indicates an error in copying the information.
+*/
+extern SECItem*  CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
+/*
+* FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
+* INPUTS:
+*    inCertReqMsg
+*        The certificate request message to operate on.
+*    destKey
+*        A pointer to where the library can place a pointer to
+*        a copy of the Proof Of Possession Signing Key used
+*        by the message.
+*
+* RETURN:
+* Get the POPOSigningKey associated with this CRMFCertReqMsg.
+* If the CertReqMsg does not have a pop, the function returns
+* SECFailure and the value at *destKey is un-changed..
+*
+* If the CertReqMsg does have a pop, then the CertReqMsg's
+* POPOSigningKey will be placed at *destKey.
+*/
+extern SECStatus
+CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
+					CRMFPOPOSigningKey **destKey);
+/*
+* FUNCTION: CRMF_DestroyPOPOSigningKey
+* INPUTS:
+*    inKey
+*        The signing key to free.
+*
+* RETURN:
+* SECSuccess if freeing the memory was successful.  Any other return value
+* indicates an error while freeing memory.
+*/
+extern SECStatus CRMF_DestroyPOPOSigningKey (CRMFPOPOSigningKey *inKey);
+/*
+* FUNCTION: CRMF_POPOSigningKeyGetAlgID
+* INPUTS:
+*    inSignKey
+*        The Signing Key to operate on.
+* RETURN:
+* Return the algorithmID used by the CRMFPOPOSigningKey.  User must
+* call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
+* return value.
+*/
+extern SECAlgorithmID*
+CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
+/*
+* FUNCTION: CRMF_POPOSigningKeyGetSignature
+* INPUTS:
+*    inSignKey
+*        The Signing Key to operate on.
+*
+* RETURN:
+* Get the actual signature stored away in the CRMFPOPOSigningKey.  SECItem
+* returned is a BIT STRING, so the len field is the number of bits as opposed
+* to the total number of bytes allocatd.  User must call
+* SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
+*/
+extern SECItem* CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
+/*
+* FUNCTION: CRMF_POPOSigningKeyGetInput
+* INPUTS:
+*    inSignKey
+*        The Signing Key to operate on.
+* NOTES:
+* This function will return the der encoded input that was read in while
+* decoding.  The API does not support this option when creating, so you
+* cannot add this field.
+*
+* RETURN:
+* Get the poposkInput that is part of the of the POPOSigningKey. If the
+* optional field is not part of the POPOSigningKey, the function returns
+* NULL.
+*
+* If the optional field is part of the POPOSingingKey, the function will
+* return a copy of the der encoded poposkInput.
+*/
+extern SECItem* CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
+/*
+* FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
+* INPUTS:
+*    inCertReqMsg
+*        The certificate request message to operate on.
+*    destKey
+*        A pointer to where the library can place a pointer to a
+*        copy of the POPOPrivKey representing Key Encipherment
+*        Proof of Possession.
+*NOTES:
+* This function gets the POPOPrivKey associated with this CRMFCertReqMsg
+* for Key Encipherment.
+*
+* RETURN:
+* If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
+* function returns SECFailure and the value at *destKey is un-changed.
+*
+* If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
+* function returns SECSuccess and places the POPOPrivKey representing the
+* Key Encipherment Proof Of Possessin at *destKey.
+*/
+extern SECStatus
+CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
+					    CRMFPOPOPrivKey **destKey);
+/*
+* FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
+* INPUTS:
+*    inCertReqMsg
+*        The certificate request message to operate on.
+*    destKey
+*        A pointer to where the library can place a pointer to a
+*        copy of the POPOPrivKey representing Key Agreement
+*        Proof of Possession.
+* NOTES:
+* This function gets the POPOPrivKey associated with this CRMFCertReqMsg for
+* Key Agreement.
+*
+* RETURN:
+* If the CertReqMsg used Key Agreement for Proof Of Possession, the
+* function returns SECSuccess and the POPOPrivKey for Key Agreement
+* is placed at *destKey.
+*
+* If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
+* function return SECFailure and the value at *destKey is unchanged.
+*/
+extern SECStatus
+CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
+					 CRMFPOPOPrivKey **destKey);
+/*
+* FUNCTION: CRMF_DestroyPOPOPrivKey
+* INPUTS:
+*    inPrivKey
+*        The POPOPrivKey to destroy.
+* NOTES:
+* Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
+* CRMF_GetPOPKeyAgreement.
+*
+* RETURN:
+* SECSuccess on successful destruction of the POPOPrivKey.
+* Any other return value indicates an error in freeing the
+* memory.
+*/
+extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
+/*
+* FUNCTION: CRMF_POPOPrivKeyGetChoice
+* INPUT:
+*    inKey
+*        The POPOPrivKey to operate on.
+* RETURN:
+* Returns which choice was used in constructing the POPPOPrivKey. Look at
+* the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
+* values.
+*/
+extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
+/*
+* FUNCTION: CRMF_POPOPrivKeyGetThisMessage
+* INPUTS:
+*    inKey
+*        The POPOPrivKey to operate on.
+*    destString
+*        A pointer to where the library can place a copy of the This Message
+*        field stored in the POPOPrivKey
+*
+* RETURN:
+* Returns the field thisMessage from the POPOPrivKey.
+* If the POPOPrivKey did not use the field thisMessage, the function
+* returns SECFailure and the value at *destString is unchanged.
+*
+* If the POPOPrivKey did use the field thisMessage, the function returns
+* SECSuccess and the BIT STRING representing thisMessage is placed
+* at *destString. BIT STRING representation means the len field is the
+* number of valid bits as opposed to the total number of bytes.
+*/
+extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
+						SECItem          *destString);
+/*
+* FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
+* INPUTS:
+*    inKey
+*        The POPOPrivKey to operate on.
+*    destOpt
+*        A pointer to where the library can place the value of the
+*        Subsequent Message option used by POPOPrivKey.
+*
+* RETURN:
+* Retrieves the field subsequentMessage from the POPOPrivKey.
+* If the POPOPrivKey used the subsequentMessage option, the function
+* returns SECSuccess and places the appropriate enumerated value at
+* *destMessageOption.
+*
+* If the POPOPrivKey did not use the subsequenMessage option, the function
+* returns SECFailure and the value at *destOpt is un-changed.
+*/
+extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey       *inKey,
+					       CRMFSubseqMessOptions *destOpt);
+/*
+* FUNCTION: CRMF_POPOPrivKeyGetDHMAC
+* INPUTS:
+*    inKey
+*        The POPOPrivKey to operate on.
+*    destMAC
+*        A pointer to where the library can place a copy of the dhMAC
+*        field of the POPOPrivKey.
+*
+* NOTES:
+* Returns the field dhMAC from the POPOPrivKey.  The populated SECItem
+* is in BIT STRING format.
+*
+* RETURN:
+* If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
+* and the BIT STRING for dhMAC will be placed at *destMAC.  The len field in
+* destMAC (ie destMAC->len) will be the valid number of bits as opposed to
+* the number of allocated bytes.
+*
+* If the POPOPrivKey did not use the dhMAC option, the function returns
+* SECFailure and the value at *destMAC is unchanged.
+*
+*/
+extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
+					  SECItem         *destMAC);
+/*
+* FUNCTION: CRMF_CertRequestGetNumControls
+* INPUTS:
+*    inCertReq
+*        The Certificate Request to operate on.
+* RETURN:
+* Returns the number of Controls registered with this CertRequest.
+*/
+extern int CRMF_CertRequestGetNumControls (CRMFCertRequest *inCertReq);
+/*
+* FUNCTION: CRMF_CertRequestGetControlAtIndex
+* INPUTS:
+*    inCertReq
+*        The certificate request to operate on.
+*    index
+*        The index of the control the user wants a copy of.
+* NOTES:
+* Function retrieves the Control at located at index.  The Controls
+* are numbered like a traditional C array (0 ... numElements-1)
+*
+* RETURN:
+* Returns a copy of the control at the index specified.  This is a copy
+* so the user must call CRMF_DestroyControl after the return value is no
+* longer needed.  A return value of NULL indicates an error while copying
+* the control or that the index was invalid.
+*/
+extern CRMFControl*
+CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq,
+					 int              index);
+/*
+* FUNCTION: CRMF_DestroyControl
+* INPUTS:
+*    inControl
+*        The Control to destroy.
+* NOTES:
+* Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
+*
+* RETURN:
+* SECSuccess if freeing the memory was successful.  Any other return
+* value indicates an error while freeing the memory.
+*/
+extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
+/*
+* FUNCTION: CRMF_ControlGetControlType
+* INPUTS:
+*    inControl
+*        The control to operate on.
+* NOTES:
+* The function returns an enumertion which indicates the type of control
+* 'inControl'.
+*
+* RETURN:
+* Look in crmft.h at the definition of the enumerated type CRMFControlType
+* for the possible return values.
+*/
+extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
+/*
+* FUNCTION: CRMF_ControlGetRegTokenControlValue
+* INPUTS:
+*    inControl
+*        The Control to operate on.
+* NOTES:
+* The user must call SECITEM_FreeItem passing in the return value
+* after the returnvalue is no longer needed.
+* RETURN:
+* Return the value for a Registration Token Control.
+* The SECItem returned should be in UTF8 format.  A NULL
+* return value indicates there was no Registration Control associated
+* with the Control.
+* (This library will not verify format.  It assumes the client properly
+* formatted the strings when adding it or the message decoded was properly
+* formatted.  The library will just give back the bytes it was given.)
+*/
+extern SECItem* CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
+/*
+* FUNCTION: CRMF_ControlGetAuthenticatorControlValue
+* INPUTS:
+*    inControl
+*        The Control to operate on.
+* NOTES:
+* The user must call SECITEM_FreeItem passing in the return value
+* after the returnvalue is no longer needed.
+*
+* RETURN:
+* Return the value for the Authenticator Control.
+* The SECItem returned should be in UTF8 format.  A NULL
+* return value indicates there was no Authenticator Control associated
+* with the CRMFControl..
+* (This library will not verify format.  It assumes the client properly
+* formatted the strings when adding it or the message decoded was properly
+* formatted.  The library will just give back the bytes it was given.)
+*/
+extern SECItem* CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
+/*
+* FUNCTION: CRMF_ControlGetPKIArchiveOptions
+* INPUTS:inControl
+*    The Control tooperate on.
+* NOTES:
+* This function returns a copy of the PKIArchiveOptions.  The user must call
+* the function CRMF_DestroyPKIArchiveOptions when the return value is no
+* longer needed.
+*
+* RETURN:
+* Get the PKIArchiveOptions associated with the Control.  A return
+* value of NULL indicates the Control was not a PKIArchiveOptions
+* Control.
+*/
+extern CRMFPKIArchiveOptions*
+CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
+/*
+* FUNCTION: CMRF_DestroyPKIArchiveOptions
+* INPUTS:
+*    inOptions
+*        The ArchiveOptions to destroy.
+* NOTE:
+* Destroy the CRMFPKIArchiveOptions structure.
+*
+* RETURN:
+* SECSuccess if successful in freeing all the memory associated with
+* the PKIArchiveOptions.  Any other return value indicates an error while
+* freeing the PKIArchiveOptions.
+*/
+extern SECStatus
+CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
+/*
+* FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
+* INPUTS:
+*    inOptions
+*        The PKIArchiveOptions to operate on.
+* RETURN:
+* Returns the choice used for the PKIArchiveOptions.  Look at the definition
+* of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
+*/
+extern CRMFPKIArchiveOptionsType
+CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
+/*
+* FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
+* INPUTS:
+*    inOpts
+*        The PKIArchiveOptions to operate on.
+*
+* NOTES:
+* The user must call CRMF_DestroyEncryptedKey when done using this return
+* value.
+*
+* RETURN:
+* Get the encryptedPrivKey field of the PKIArchiveOptions structure.
+* A return value of NULL indicates that encryptedPrivKey was not used as
+* the choice for this PKIArchiveOptions.
+*/
+extern CRMFEncryptedKey*
+CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
+/*
+* FUNCTION: CRMF_EncryptedKeyGetChoice
+* INPUTS:
+*    inEncrKey
+*        The EncryptedKey to operate on.
+*
+* NOTES:
+* Get the choice used for representing the EncryptedKey.
+*
+* RETURN:
+* Returns the Choice used in representing the EncryptedKey.  Look in
+* crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
+* values.
+*/
+extern CRMFEncryptedKeyChoice
+CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
+/*
+* FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
+* INPUTS:
+*    inKey
+*        The EncryptedKey to operate on.
+*
+* NOTES:
+* The user must call CRMF_DestroyEncryptedValue passing in
+* CRMF_GetEncryptedValue's return value.
+*
+* RETURN:
+* A pointer to a copy of the EncryptedValue contained as a member of
+* the EncryptedKey.
+*/
+extern CRMFEncryptedValue*
+CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
+/*
+* FUNCTION: CRMF_DestroyEncryptedValue
+* INPUTS:
+*    inEncrValue
+*        The EncryptedValue to destroy.
+*
+* NOTES:
+* Free up all memory associated with 'inEncrValue'.
+*
+* RETURN:
+* SECSuccess if freeing up the memory associated with the EncryptedValue
+* is successful. Any other return value indicates an error while freeing the
+* memory.
+*/
+extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
+/*
+* FUNCTION: CRMF_EncryptedValueGetEncValue
+* INPUTS:
+*    inEncValue
+*        The EncryptedValue to operate on.
+* NOTES:
+* Function retrieves the encValue from an EncryptedValue structure.
+*
+* RETURN:
+* A poiner to a SECItem containing the encValue of the EncryptedValue
+* structure.  The return value is in BIT STRING format, meaning the
+* len field of the return structure represents the number of valid bits
+* as opposed to the allocated number of bytes.
+* ANULL return value indicates an error in copying the encValue field.
+*/
+extern SECItem* CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
+/*
+* FUNCTION: CRMF_EncryptedValueGetIntendedAlg
+* INPUTS
+*    inEncValue
+*        The EncryptedValue to operate on.
+* NOTES:
+* Retrieve the IntendedAlg field from the EncryptedValue structure.
+* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+* the return value.  When present, this alogorithm is the alogrithm for
+* which the private key will be used.
+*
+* RETURN:
+* A Copy of the intendedAlg field.  A NULL return value indicates the
+* optional field was not present in the structure.
+*/
+extern SECAlgorithmID*
+CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue  *inEncValue);
+/*
+* FUNCTION: CRMF_EncryptedValueGetSymmAlg
+* INPUTS
+*    inEncValue
+*        The EncryptedValue to operate on.
+* NOTES:
+* Retrieve the symmAlg field from the EncryptedValue structure.
+* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+* the return value.  When present, this is algorithm used to
+* encrypt the encValue of the EncryptedValue.
+*
+* RETURN:
+* A Copy of the symmAlg field.  A NULL return value indicates the
+* optional field was not present in the structure.
+*/
+extern SECAlgorithmID*
+CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue  *inEncValue);
+/*
+* FUNCTION: CRMF_EncryptedValueGetKeyAlg
+* INPUTS
+*    inEncValue
+*        The EncryptedValue to operate on.
+* NOTES:
+* Retrieve the keyAlg field from the EncryptedValue structure.
+* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+* the return value.  When present, this is the algorithm used to encrypt
+* the symmetric key in the encSymmKey field of the EncryptedValue structure.
+*
+* RETURN:
+* A Copy of the keyAlg field.  A NULL return value indicates the
+* optional field was not present in the structure.
+*/
+extern SECAlgorithmID*
+CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
+/*
+* FUNCTION: CRMF_EncryptedValueGetValueHint
+* INPUTS:
+*    inEncValue
+*        The EncryptedValue to operate on.
+*
+* NOTES:
+* Return a copy of the der-encoded value hint.
+* User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
+* return value.  When, present, this is a value that the client which
+* originally issued a certificate request can use to reproduce any data
+* it wants.  The RA does not know how to interpret this data.
+*
+* RETURN:
+* A copy of the valueHint field of the EncryptedValue.  A NULL return
+* value indicates the optional valueHint field is not present in the
+* EncryptedValue.
+*/
+extern SECItem*
+CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue  *inEncValue);
+/*
+* FUNCTION: CRMF_EncrypteValueGetEncSymmKey
+* INPUTS:
+*    inEncValue
+*        The EncryptedValue to operate on.
+*
+* NOTES:
+* Return a copy of the encSymmKey field. This field is the encrypted
+* symmetric key that the client uses in doing Public Key wrap of a private
+* key.  When present, this is the symmetric key that was used to wrap the
+* private key.  (The encrypted private key will be stored in encValue
+* of the same EncryptedValue structure.)  The user must call
+* SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
+* needed.
+*
+* RETURN:
+* A copy of the optional encSymmKey field of the EncryptedValue structure.
+* The return value will be in BIT STRING format, meaning the len field will
+* be the number of valid bits as opposed to the number of bytes. A return
+* value of NULL means the optional encSymmKey field was not present in
+* the EncryptedValue structure.
+*/
+extern SECItem*
+CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
+/*
+* FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
+* INPUTS:
+*    inOptions
+*        The PKiArchiveOptions to operate on.
+*
+* NOTES:
+* User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return
+* value is no longer needed.
+*
+* RETURN:
+* Get the keyGenParameters field of the PKIArchiveOptions.
+* A NULL return value indicates that keyGenParameters was not
+* used as the choice for this PKIArchiveOptions.
+*
+* The SECItem returned is in BIT STRING format (ie, the len field indicates
+* number of valid bits as opposed to allocated number of bytes.)
+*/
+extern SECItem*
+CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
+/*
+* FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
+* INPUTS:
+*    inOpt
+*        The PKIArchiveOptions to operate on.
+*    destVal
+*        A pointer to where the library can place the value for
+*        arciveRemGenPrivKey
+* RETURN:
+* If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
+* function returns SECSuccess and fills the value at *destValue with either
+* PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a
+* value.
+*
+* If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
+* function returns SECFailure and the value at *destValue is unchanged.
+*/
+extern SECStatus
+CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
+						  PRBool             *destVal);
+/* Helper functions that can be used by other libraries. */
+/*
+* A quick helper function to get the best wrap mechanism.
+*/
+extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot);
+/*
+* A helper function to get a randomly generated IV from a mechanism
+* type.
+*/
+extern SECItem* CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
+SEC_END_PROTOS
+#endif /*_CRMF_H_*/

The Tor Browser / file comparison

comparison: security/nss/lib/crmf/crmf.h

security/nss/lib/crmf/crmf.h