1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/cert.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1669 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +/*
1.9 + * cert.h - public data structures and prototypes for the certificate library
1.10 + */
1.11 +
1.12 +#ifndef _CERT_H_
1.13 +#define _CERT_H_
1.14 +
1.15 +#include "utilrename.h"
1.16 +#include "plarena.h"
1.17 +#include "plhash.h"
1.18 +#include "prlong.h"
1.19 +#include "prlog.h"
1.20 +
1.21 +#include "seccomon.h"
1.22 +#include "secdert.h"
1.23 +#include "secoidt.h"
1.24 +#include "keyt.h"
1.25 +#include "certt.h"
1.26 +
1.27 +SEC_BEGIN_PROTOS
1.28 +
1.29 +/****************************************************************************
1.30 + *
1.31 + * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
1.32 + *
1.33 + ****************************************************************************/
1.34 +
1.35 +/*
1.36 +** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
1.37 +*/
1.38 +extern CERTName *CERT_AsciiToName(const char *string);
1.39 +
1.40 +/*
1.41 +** Convert an CERTName into its RFC1485 encoded equivalent.
1.42 +** Returns a string that must be freed with PORT_Free().
1.43 +** This version produces a string for maximum human readability,
1.44 +** not for strict RFC compliance.
1.45 +*/
1.46 +extern char *CERT_NameToAscii(CERTName *name);
1.47 +
1.48 +/*
1.49 +** Convert an CERTName into its RFC1485 encoded equivalent.
1.50 +** Returns a string that must be freed with PORT_Free().
1.51 +** Caller chooses encoding rules.
1.52 +*/
1.53 +extern char *CERT_NameToAsciiInvertible(CERTName *name,
1.54 + CertStrictnessLevel strict);
1.55 +
1.56 +extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
1.57 +
1.58 +/* convert an OID to dotted-decimal representation */
1.59 +/* Returns a string that must be freed with PR_smprintf_free(). */
1.60 +extern char * CERT_GetOidString(const SECItem *oid);
1.61 +
1.62 +/*
1.63 +** Examine an AVA and return the tag that refers to it. The AVA tags are
1.64 +** defined as SEC_OID_AVA*.
1.65 +*/
1.66 +extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
1.67 +
1.68 +/*
1.69 +** Compare two AVA's, returning the difference between them.
1.70 +*/
1.71 +extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
1.72 +
1.73 +/*
1.74 +** Create an RDN (relative-distinguished-name). The argument list is a
1.75 +** NULL terminated list of AVA's.
1.76 +*/
1.77 +extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
1.78 +
1.79 +/*
1.80 +** Make a copy of "src" storing it in "dest".
1.81 +*/
1.82 +extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
1.83 +
1.84 +/*
1.85 +** Add an AVA to an RDN.
1.86 +** "rdn" the RDN to add to
1.87 +** "ava" the AVA to add
1.88 +*/
1.89 +extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
1.90 +
1.91 +/*
1.92 +** Compare two RDN's, returning the difference between them.
1.93 +*/
1.94 +extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b);
1.95 +
1.96 +/*
1.97 +** Create an X.500 style name using a NULL terminated list of RDN's.
1.98 +*/
1.99 +extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
1.100 +
1.101 +/*
1.102 +** Make a copy of "src" storing it in "dest". Memory is allocated in
1.103 +** "dest" for each of the appropriate sub objects. Memory is not freed in
1.104 +** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
1.105 +** do that).
1.106 +*/
1.107 +extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
1.108 + const CERTName *src);
1.109 +
1.110 +/*
1.111 +** Destroy a Name object.
1.112 +** "name" the CERTName to destroy
1.113 +** "freeit" if PR_TRUE then free the object as well as its sub-objects
1.114 +*/
1.115 +extern void CERT_DestroyName(CERTName *name);
1.116 +
1.117 +/*
1.118 +** Add an RDN to a name.
1.119 +** "name" the name to add the RDN to
1.120 +** "rdn" the RDN to add to name
1.121 +*/
1.122 +extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
1.123 +
1.124 +/*
1.125 +** Compare two names, returning the difference between them.
1.126 +*/
1.127 +extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);
1.128 +
1.129 +/*
1.130 +** Convert a CERTName into something readable
1.131 +*/
1.132 +extern char *CERT_FormatName (CERTName *name);
1.133 +
1.134 +/*
1.135 +** Convert a der-encoded integer to a hex printable string form.
1.136 +** Perhaps this should be a SEC function but it's only used for certs.
1.137 +*/
1.138 +extern char *CERT_Hexify (SECItem *i, int do_colon);
1.139 +
1.140 +/*
1.141 +** Converts DER string (with explicit length) into zString, if destination
1.142 +** buffer is big enough to receive it. Does quoting and/or escaping as
1.143 +** specified in RFC 1485. Input string must be single or multi-byte DER
1.144 +** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set.
1.145 +** Returns SECSuccess or SECFailure with error code set. If output buffer
1.146 +** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
1.147 +*/
1.148 +extern SECStatus
1.149 +CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen);
1.150 +
1.151 +/******************************************************************************
1.152 + *
1.153 + * Certificate handling operations
1.154 + *
1.155 + *****************************************************************************/
1.156 +
1.157 +/*
1.158 +** Create a new validity object given two unix time values.
1.159 +** "notBefore" the time before which the validity is not valid
1.160 +** "notAfter" the time after which the validity is not valid
1.161 +*/
1.162 +extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
1.163 +
1.164 +/*
1.165 +** Destroy a validity object.
1.166 +** "v" the validity to destroy
1.167 +** "freeit" if PR_TRUE then free the object as well as its sub-objects
1.168 +*/
1.169 +extern void CERT_DestroyValidity(CERTValidity *v);
1.170 +
1.171 +/*
1.172 +** Copy the "src" object to "dest". Memory is allocated in "dest" for
1.173 +** each of the appropriate sub-objects. Memory in "dest" is not freed
1.174 +** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
1.175 +** that).
1.176 +*/
1.177 +extern SECStatus CERT_CopyValidity
1.178 + (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src);
1.179 +
1.180 +/*
1.181 +** The cert lib considers a cert or CRL valid if the "notBefore" time is
1.182 +** in the not-too-distant future, e.g. within the next 24 hours. This
1.183 +** prevents freshly issued certificates from being considered invalid
1.184 +** because the local system's time zone is incorrectly set.
1.185 +** The amount of "pending slop time" is adjustable by the application.
1.186 +** Units of SlopTime are seconds. Default is 86400 (24 hours).
1.187 +** Negative SlopTime values are not allowed.
1.188 +*/
1.189 +PRInt32 CERT_GetSlopTime(void);
1.190 +
1.191 +SECStatus CERT_SetSlopTime(PRInt32 slop);
1.192 +
1.193 +/*
1.194 +** Create a new certificate object. The result must be wrapped with an
1.195 +** CERTSignedData to create a signed certificate.
1.196 +** "serialNumber" the serial number
1.197 +** "issuer" the name of the certificate issuer
1.198 +** "validity" the validity period of the certificate
1.199 +** "req" the certificate request that prompted the certificate issuance
1.200 +*/
1.201 +extern CERTCertificate *
1.202 +CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
1.203 + CERTValidity *validity, CERTCertificateRequest *req);
1.204 +
1.205 +/*
1.206 +** Destroy a certificate object
1.207 +** "cert" the certificate to destroy
1.208 +** NOTE: certificate's are reference counted. This call decrements the
1.209 +** reference count, and if the result is zero, then the object is destroyed
1.210 +** and optionally freed.
1.211 +*/
1.212 +extern void CERT_DestroyCertificate(CERTCertificate *cert);
1.213 +
1.214 +/*
1.215 +** Make a shallow copy of a certificate "c". Just increments the
1.216 +** reference count on "c".
1.217 +*/
1.218 +extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
1.219 +
1.220 +/*
1.221 +** Create a new certificate request. This result must be wrapped with an
1.222 +** CERTSignedData to create a signed certificate request.
1.223 +** "name" the subject name (who the certificate request is from)
1.224 +** "spki" describes/defines the public key the certificate is for
1.225 +** "attributes" if non-zero, some optional attribute data
1.226 +*/
1.227 +extern CERTCertificateRequest *
1.228 +CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
1.229 + SECItem **attributes);
1.230 +
1.231 +/*
1.232 +** Destroy a certificate-request object
1.233 +** "r" the certificate-request to destroy
1.234 +** "freeit" if PR_TRUE then free the object as well as its sub-objects
1.235 +*/
1.236 +extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
1.237 +
1.238 +/*
1.239 +** Start adding extensions to a certificate request.
1.240 +*/
1.241 +void *
1.242 +CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
1.243 +
1.244 +/*
1.245 +** Reformat the certificate extension list into a CertificateRequest
1.246 +** attribute list.
1.247 +*/
1.248 +SECStatus
1.249 +CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
1.250 +
1.251 +/*
1.252 +** Extract the Extension Requests from a DER CertRequest attribute list.
1.253 +*/
1.254 +SECStatus
1.255 +CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
1.256 + CERTCertExtension ***exts);
1.257 +
1.258 +/*
1.259 +** Extract a public key object from a certificate
1.260 +*/
1.261 +extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
1.262 +
1.263 +/*
1.264 +** Retrieve the Key Type associated with the cert we're dealing with
1.265 +*/
1.266 +
1.267 +extern KeyType CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki);
1.268 +
1.269 +/*
1.270 +** Initialize the certificate database. This is called to create
1.271 +** the initial list of certificates in the database.
1.272 +*/
1.273 +extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
1.274 +
1.275 +extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
1.276 +
1.277 +/*
1.278 +** Default certificate database routines
1.279 +*/
1.280 +extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
1.281 +
1.282 +extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
1.283 +
1.284 +extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
1.285 + PRTime time,
1.286 + SECCertUsage usage);
1.287 +extern CERTCertificate *
1.288 +CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
1.289 + char *nickname, PRBool isperm, PRBool copyDER);
1.290 +
1.291 +
1.292 +/******************************************************************************
1.293 + *
1.294 + * X.500 Name handling operations
1.295 + *
1.296 + *****************************************************************************/
1.297 +
1.298 +/*
1.299 +** Create an AVA (attribute-value-assertion)
1.300 +** "arena" the memory arena to alloc from
1.301 +** "kind" is one of SEC_OID_AVA_*
1.302 +** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
1.303 +** DER_T61_STRING
1.304 +** "value" is the null terminated string containing the value
1.305 +*/
1.306 +extern CERTAVA *CERT_CreateAVA
1.307 + (PLArenaPool *arena, SECOidTag kind, int valueType, char *value);
1.308 +
1.309 +/*
1.310 +** Extract the Distinguished Name from a DER encoded certificate
1.311 +** "derCert" is the DER encoded certificate
1.312 +** "derName" is the SECItem that the name is returned in
1.313 +*/
1.314 +extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
1.315 +
1.316 +/*
1.317 +** Extract the Issuers Distinguished Name from a DER encoded certificate
1.318 +** "derCert" is the DER encoded certificate
1.319 +** "derName" is the SECItem that the name is returned in
1.320 +*/
1.321 +extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert,
1.322 + SECItem *derName);
1.323 +
1.324 +extern SECItem *
1.325 +CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
1.326 + PLArenaPool *arena);
1.327 +
1.328 +extern CERTGeneralName *
1.329 +CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
1.330 + CERTGeneralName *genName);
1.331 +
1.332 +
1.333 +
1.334 +/*
1.335 +** Generate a database search key for a certificate, based on the
1.336 +** issuer and serial number.
1.337 +** "arena" the memory arena to alloc from
1.338 +** "derCert" the DER encoded certificate
1.339 +** "key" the returned key
1.340 +*/
1.341 +extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
1.342 + SECItem *key);
1.343 +
1.344 +extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
1.345 + SECItem *sn, SECItem *key);
1.346 +
1.347 +extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
1.348 + SECItem *derName);
1.349 +
1.350 +
1.351 +/*
1.352 +** Generate a database search key for a crl, based on the
1.353 +** issuer.
1.354 +** "arena" the memory arena to alloc from
1.355 +** "derCrl" the DER encoded crl
1.356 +** "key" the returned key
1.357 +*/
1.358 +extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);
1.359 +
1.360 +/*
1.361 +** Open the certificate database. Use callback to get name of database.
1.362 +*/
1.363 +extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
1.364 + CERTDBNameFunc namecb, void *cbarg);
1.365 +
1.366 +/* Open the certificate database. Use given filename for database. */
1.367 +extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
1.368 + char *certdbname, PRBool readOnly);
1.369 +
1.370 +/*
1.371 +** Open and initialize a cert database that is entirely in memory. This
1.372 +** can be used when the permanent database can not be opened or created.
1.373 +*/
1.374 +extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
1.375 +
1.376 +/*
1.377 +** Extract the list of host names, host name patters, IP address strings
1.378 +** this cert is valid for.
1.379 +** This function does NOT return nicknames.
1.380 +** Type CERTCertNicknames is being used because it's a convenient
1.381 +** data structure to carry a list of strings and its count.
1.382 +*/
1.383 +extern CERTCertNicknames *
1.384 + CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
1.385 +
1.386 +/*
1.387 +** Check the hostname to make sure that it matches the shexp that
1.388 +** is given in the common name of the certificate.
1.389 +*/
1.390 +extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
1.391 + const char *hostname);
1.392 +
1.393 +/*
1.394 +** Add a domain name to the list of names that the user has explicitly
1.395 +** allowed (despite cert name mismatches) for use with a server cert.
1.396 +*/
1.397 +extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
1.398 +
1.399 +/*
1.400 +** Decode a DER encoded certificate into an CERTCertificate structure
1.401 +** "derSignedCert" is the DER encoded signed certificate
1.402 +** "copyDER" is true if the DER should be copied, false if the
1.403 +** existing copy should be referenced
1.404 +** "nickname" is the nickname to use in the database. If it is NULL
1.405 +** then a temporary nickname is generated.
1.406 +*/
1.407 +extern CERTCertificate *
1.408 +CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
1.409 +/*
1.410 +** Decode a DER encoded CRL into a CERTSignedCrl structure
1.411 +** "derSignedCrl" is the DER encoded signed CRL.
1.412 +** "type" must be SEC_CRL_TYPE.
1.413 +*/
1.414 +#define SEC_CRL_TYPE 1
1.415 +#define SEC_KRL_TYPE 0 /* deprecated */
1.416 +
1.417 +extern CERTSignedCrl *
1.418 +CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
1.419 +
1.420 +/*
1.421 + * same as CERT_DecodeDERCrl, plus allow options to be passed in
1.422 + */
1.423 +
1.424 +extern CERTSignedCrl *
1.425 +CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
1.426 + int type, PRInt32 options);
1.427 +
1.428 +/* CRL options to pass */
1.429 +
1.430 +#define CRL_DECODE_DEFAULT_OPTIONS 0x00000000
1.431 +
1.432 +/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
1.433 + application must then keep derSignedCrl until it destroys the
1.434 + CRL . Ideally, it should allocate derSignedCrl in an arena
1.435 + and pass that arena in as the first argument to
1.436 + CERT_DecodeDERCrlWithFlags */
1.437 +
1.438 +#define CRL_DECODE_DONT_COPY_DER 0x00000001
1.439 +#define CRL_DECODE_SKIP_ENTRIES 0x00000002
1.440 +#define CRL_DECODE_KEEP_BAD_CRL 0x00000004
1.441 +#define CRL_DECODE_ADOPT_HEAP_DER 0x00000008
1.442 +
1.443 +/* complete the decoding of a partially decoded CRL, ie. decode the
1.444 + entries. Note that entries is an optional field in a CRL, so the
1.445 + "entries" pointer in CERTCrlStr may still be NULL even after
1.446 + function returns SECSuccess */
1.447 +
1.448 +extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
1.449 +
1.450 +/* Validate CRL then import it to the dbase. If there is already a CRL with the
1.451 + * same CA in the dbase, it will be replaced if derCRL is more up to date.
1.452 + * If the process successes, a CRL will be returned. Otherwise, a NULL will
1.453 + * be returned. The caller should call PORT_GetError() for the exactly error
1.454 + * code.
1.455 + */
1.456 +extern CERTSignedCrl *
1.457 +CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url,
1.458 + int type, void * wincx);
1.459 +
1.460 +extern void CERT_DestroyCrl (CERTSignedCrl *crl);
1.461 +
1.462 +/* this is a hint to flush the CRL cache. crlKey is the DER subject of
1.463 + the issuer (CA). */
1.464 +void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
1.465 +
1.466 +/* add the specified DER CRL object to the CRL cache. Doing so will allow
1.467 + certificate verification functions (such as CERT_VerifyCertificate)
1.468 + to automatically find and make use of this CRL object.
1.469 + Once a CRL is added to the CRL cache, the application must hold on to
1.470 + the object's memory, because the cache will reference it directly. The
1.471 + application can only free the object after it calls CERT_UncacheCRL to
1.472 + remove it from the CRL cache.
1.473 +*/
1.474 +SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
1.475 +
1.476 +/* remove a previously added CRL object from the CRL cache. It is OK
1.477 + for the application to free the memory after a successful removal
1.478 +*/
1.479 +SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
1.480 +
1.481 +/*
1.482 +** Find a certificate in the database
1.483 +** "key" is the database key to look for
1.484 +*/
1.485 +extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
1.486 +
1.487 +/*
1.488 +** Find a certificate in the database by name
1.489 +** "name" is the distinguished name to look up
1.490 +*/
1.491 +extern CERTCertificate *
1.492 +CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
1.493 +
1.494 +/*
1.495 +** Find a certificate in the database by name
1.496 +** "name" is the distinguished name to look up (in ascii)
1.497 +*/
1.498 +extern CERTCertificate *
1.499 +CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
1.500 +
1.501 +/*
1.502 +** Find a certificate in the database by name and keyid
1.503 +** "name" is the distinguished name to look up
1.504 +** "keyID" is the value of the subjectKeyID to match
1.505 +*/
1.506 +extern CERTCertificate *
1.507 +CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
1.508 +
1.509 +/*
1.510 +** Generate a certificate key from the issuer and serialnumber, then look it
1.511 +** up in the database. Return the cert if found.
1.512 +** "issuerAndSN" is the issuer and serial number to look for
1.513 +*/
1.514 +extern CERTCertificate *
1.515 +CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
1.516 +
1.517 +/*
1.518 +** Find a certificate in the database by a subject key ID
1.519 +** "subjKeyID" is the subject Key ID to look for
1.520 +*/
1.521 +extern CERTCertificate *
1.522 +CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
1.523 +
1.524 +/*
1.525 +** Encode Certificate SKID (Subject Key ID) extension.
1.526 +**
1.527 +*/
1.528 +extern SECStatus
1.529 +CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
1.530 + SECItem *encodedValue);
1.531 +
1.532 +/*
1.533 +** Find a certificate in the database by a nickname
1.534 +** "nickname" is the ascii string nickname to look for
1.535 +*/
1.536 +extern CERTCertificate *
1.537 +CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);
1.538 +
1.539 +/*
1.540 +** Find a certificate in the database by a DER encoded certificate
1.541 +** "derCert" is the DER encoded certificate
1.542 +*/
1.543 +extern CERTCertificate *
1.544 +CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
1.545 +
1.546 +/*
1.547 +** Find a certificate in the database by a email address
1.548 +** "emailAddr" is the email address to look up
1.549 +*/
1.550 +CERTCertificate *
1.551 +CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
1.552 +
1.553 +/*
1.554 +** Find a certificate in the database by a email address or nickname
1.555 +** "name" is the email address or nickname to look up
1.556 +*/
1.557 +CERTCertificate *
1.558 +CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);
1.559 +
1.560 +/*
1.561 +** Find a certificate in the database by a email address or nickname
1.562 +** and require it to have the given usage.
1.563 +** "name" is the email address or nickname to look up
1.564 +*/
1.565 +CERTCertificate *
1.566 +CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
1.567 + const char *name,
1.568 + SECCertUsage lookingForUsage);
1.569 +
1.570 +/*
1.571 +** Find a certificate in the database by a digest of a subject public key
1.572 +** "spkDigest" is the digest to look up
1.573 +*/
1.574 +extern CERTCertificate *
1.575 +CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
1.576 +
1.577 +/*
1.578 + * Find the issuer of a cert
1.579 + */
1.580 +CERTCertificate *
1.581 +CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);
1.582 +
1.583 +/*
1.584 +** Check the validity times of a certificate vs. time 't', allowing
1.585 +** some slop for broken clocks and stuff.
1.586 +** "cert" is the certificate to be checked
1.587 +** "t" is the time to check against
1.588 +** "allowOverride" if true then check to see if the invalidity has
1.589 +** been overridden by the user.
1.590 +*/
1.591 +extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
1.592 + PRTime t,
1.593 + PRBool allowOverride);
1.594 +
1.595 +/*
1.596 +** WARNING - this function is deprecated, and will either go away or have
1.597 +** a new API in the near future.
1.598 +**
1.599 +** Check the validity times of a certificate vs. the current time, allowing
1.600 +** some slop for broken clocks and stuff.
1.601 +** "cert" is the certificate to be checked
1.602 +*/
1.603 +extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
1.604 +
1.605 +/*
1.606 +** Extract the validity times from a certificate
1.607 +** "c" is the certificate
1.608 +** "notBefore" is the start of the validity period
1.609 +** "notAfter" is the end of the validity period
1.610 +*/
1.611 +extern SECStatus
1.612 +CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore,
1.613 + PRTime *notAfter);
1.614 +
1.615 +/*
1.616 +** Extract the issuer and serial number from a certificate
1.617 +*/
1.618 +extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *,
1.619 + CERTCertificate *);
1.620 +
1.621 +/*
1.622 +** verify the signature of a signed data object with a given certificate
1.623 +** "sd" the signed data object to be verified
1.624 +** "cert" the certificate to use to check the signature
1.625 +*/
1.626 +extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
1.627 + CERTCertificate *cert,
1.628 + PRTime t,
1.629 + void *wincx);
1.630 +/*
1.631 +** verify the signature of a signed data object with the given DER publickey
1.632 +*/
1.633 +extern SECStatus
1.634 +CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
1.635 + CERTSubjectPublicKeyInfo *pubKeyInfo,
1.636 + void *wincx);
1.637 +
1.638 +/*
1.639 +** verify the signature of a signed data object with a SECKEYPublicKey.
1.640 +*/
1.641 +extern SECStatus
1.642 +CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
1.643 + SECKEYPublicKey *pubKey, void *wincx);
1.644 +
1.645 +/*
1.646 +** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
1.647 +** verify a certificate by checking validity times against a certain time,
1.648 +** that we trust the issuer, and that the signature on the certificate is
1.649 +** valid.
1.650 +** "cert" the certificate to verify
1.651 +** "checkSig" only check signatures if true
1.652 +*/
1.653 +extern SECStatus
1.654 +CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
1.655 + PRBool checkSig, SECCertificateUsage requiredUsages,
1.656 + PRTime t, void *wincx, CERTVerifyLog *log,
1.657 + SECCertificateUsage* returnedUsages);
1.658 +
1.659 +/* same as above, but uses current time */
1.660 +extern SECStatus
1.661 +CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
1.662 + PRBool checkSig, SECCertificateUsage requiredUsages,
1.663 + void *wincx, SECCertificateUsage* returnedUsages);
1.664 +
1.665 +/*
1.666 +** Verify that a CA cert can certify some (unspecified) leaf cert for a given
1.667 +** purpose. This is used by UI code to help identify where a chain may be
1.668 +** broken and why. This takes identical parameters to CERT_VerifyCert
1.669 +*/
1.670 +extern SECStatus
1.671 +CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
1.672 + PRBool checkSig, SECCertUsage certUsage, PRTime t,
1.673 + void *wincx, CERTVerifyLog *log);
1.674 +
1.675 +/*
1.676 +** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
1.677 +** verify a certificate by checking validity times against a certain time,
1.678 +** that we trust the issuer, and that the signature on the certificate is
1.679 +** valid.
1.680 +** "cert" the certificate to verify
1.681 +** "checkSig" only check signatures if true
1.682 +*/
1.683 +extern SECStatus
1.684 +CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
1.685 + PRBool checkSig, SECCertUsage certUsage, PRTime t,
1.686 + void *wincx, CERTVerifyLog *log);
1.687 +
1.688 +/* same as above, but uses current time */
1.689 +extern SECStatus
1.690 +CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
1.691 + PRBool checkSig, SECCertUsage certUsage, void *wincx);
1.692 +
1.693 +SECStatus
1.694 +CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
1.695 + PRBool checkSig, SECCertUsage certUsage, PRTime t,
1.696 + void *wincx, CERTVerifyLog *log);
1.697 +
1.698 +/*
1.699 +** Read a base64 ascii encoded DER certificate and convert it to our
1.700 +** internal format.
1.701 +** "certstr" is a null-terminated string containing the certificate
1.702 +*/
1.703 +extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
1.704 +
1.705 +/*
1.706 +** Read a certificate in some foreign format, and convert it to our
1.707 +** internal format.
1.708 +** "certbuf" is the buffer containing the certificate
1.709 +** "certlen" is the length of the buffer
1.710 +** NOTE - currently supports netscape base64 ascii encoded raw certs
1.711 +** and netscape binary DER typed files.
1.712 +*/
1.713 +extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
1.714 +
1.715 +extern SECStatus
1.716 +CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
1.717 +
1.718 +extern SECStatus
1.719 +CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
1.720 +
1.721 +/*
1.722 +** Read a certificate chain in some foreign format, and pass it to a
1.723 +** callback function.
1.724 +** "certbuf" is the buffer containing the certificate
1.725 +** "certlen" is the length of the buffer
1.726 +** "f" is the callback function
1.727 +** "arg" is the callback argument
1.728 +*/
1.729 +typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
1.730 + (void *arg, SECItem **certs, int numcerts);
1.731 +
1.732 +extern SECStatus
1.733 +CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
1.734 + void *arg);
1.735 +
1.736 +/*
1.737 +** Returns the value of an AVA. This was a formerly static
1.738 +** function that has been exposed due to the need to decode
1.739 +** and convert unicode strings to UTF8.
1.740 +**
1.741 +** XXX This function resides in certhtml.c, should it be
1.742 +** moved elsewhere?
1.743 +*/
1.744 +extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
1.745 +
1.746 +
1.747 +
1.748 +/*
1.749 +** extract various element strings from a distinguished name.
1.750 +** "name" the distinguished name
1.751 +*/
1.752 +
1.753 +extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
1.754 +
1.755 +extern char *CERT_GetCertEmailAddress(const CERTName *name);
1.756 +
1.757 +extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
1.758 +
1.759 +extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert,
1.760 + const char * prev);
1.761 +
1.762 +/* The return value must be freed with PORT_Free. */
1.763 +extern char *CERT_GetCommonName(const CERTName *name);
1.764 +
1.765 +extern char *CERT_GetCountryName(const CERTName *name);
1.766 +
1.767 +extern char *CERT_GetLocalityName(const CERTName *name);
1.768 +
1.769 +extern char *CERT_GetStateName(const CERTName *name);
1.770 +
1.771 +extern char *CERT_GetOrgName(const CERTName *name);
1.772 +
1.773 +extern char *CERT_GetOrgUnitName(const CERTName *name);
1.774 +
1.775 +extern char *CERT_GetDomainComponentName(const CERTName *name);
1.776 +
1.777 +extern char *CERT_GetCertUid(const CERTName *name);
1.778 +
1.779 +/* manipulate the trust parameters of a certificate */
1.780 +
1.781 +extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
1.782 + CERTCertTrust *trust);
1.783 +
1.784 +extern SECStatus
1.785 +CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
1.786 + CERTCertTrust *trust);
1.787 +
1.788 +extern SECStatus
1.789 +CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
1.790 + SECCertUsage usage);
1.791 +
1.792 +/*************************************************************************
1.793 + *
1.794 + * manipulate the extensions of a certificate
1.795 + *
1.796 + ************************************************************************/
1.797 +
1.798 +/*
1.799 +** Set up a cert for adding X509v3 extensions. Returns an opaque handle
1.800 +** used by the next two routines.
1.801 +** "cert" is the certificate we are adding extensions to
1.802 +*/
1.803 +extern void *CERT_StartCertExtensions(CERTCertificate *cert);
1.804 +
1.805 +/*
1.806 +** Add an extension to a certificate.
1.807 +** "exthandle" is the handle returned by the previous function
1.808 +** "idtag" is the integer tag for the OID that should ID this extension
1.809 +** "value" is the value of the extension
1.810 +** "critical" is the critical extension flag
1.811 +** "copyData" is a flag indicating whether the value data should be
1.812 +** copied.
1.813 +*/
1.814 +extern SECStatus CERT_AddExtension (void *exthandle, int idtag,
1.815 + SECItem *value, PRBool critical, PRBool copyData);
1.816 +
1.817 +extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
1.818 + SECItem *value, PRBool critical, PRBool copyData);
1.819 +
1.820 +extern SECStatus CERT_EncodeAndAddExtension
1.821 + (void *exthandle, int idtag, void *value, PRBool critical,
1.822 + const SEC_ASN1Template *atemplate);
1.823 +
1.824 +extern SECStatus CERT_EncodeAndAddBitStrExtension
1.825 + (void *exthandle, int idtag, SECItem *value, PRBool critical);
1.826 +
1.827 +
1.828 +extern SECStatus
1.829 +CERT_EncodeAltNameExtension(PLArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue);
1.830 +
1.831 +
1.832 +/*
1.833 +** Finish adding cert extensions. Does final processing on extension
1.834 +** data, putting it in the right format, and freeing any temporary
1.835 +** storage.
1.836 +** "exthandle" is the handle used to add extensions to a certificate
1.837 +*/
1.838 +extern SECStatus CERT_FinishExtensions(void *exthandle);
1.839 +
1.840 +/*
1.841 +** Merge an external list of extensions into a cert's extension list, adding one
1.842 +** only when its OID matches none of the cert's existing extensions. Call this
1.843 +** immediately before calling CERT_FinishExtensions().
1.844 +*/
1.845 +SECStatus
1.846 +CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
1.847 +
1.848 +/* If the extension is found, return its criticality and value.
1.849 +** This allocate storage for the returning extension value.
1.850 +*/
1.851 +extern SECStatus CERT_GetExtenCriticality
1.852 + (CERTCertExtension **extensions, int tag, PRBool *isCritical);
1.853 +
1.854 +extern void
1.855 +CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
1.856 +
1.857 +/****************************************************************************
1.858 + *
1.859 + * DER encode and decode extension values
1.860 + *
1.861 + ****************************************************************************/
1.862 +
1.863 +/* Encode the value of the basicConstraint extension.
1.864 +** arena - where to allocate memory for the encoded value.
1.865 +** value - extension value to encode
1.866 +** encodedValue - output encoded value
1.867 +*/
1.868 +extern SECStatus CERT_EncodeBasicConstraintValue
1.869 + (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
1.870 +
1.871 +/*
1.872 +** Encode the value of the authorityKeyIdentifier extension.
1.873 +*/
1.874 +extern SECStatus CERT_EncodeAuthKeyID
1.875 + (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
1.876 +
1.877 +/*
1.878 +** Encode the value of the crlDistributionPoints extension.
1.879 +*/
1.880 +extern SECStatus CERT_EncodeCRLDistributionPoints
1.881 + (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
1.882 +
1.883 +/*
1.884 +** Decodes a DER encoded basicConstaint extension value into a readable format
1.885 +** value - decoded value
1.886 +** encodedValue - value to decoded
1.887 +*/
1.888 +extern SECStatus CERT_DecodeBasicConstraintValue
1.889 + (CERTBasicConstraints *value, const SECItem *encodedValue);
1.890 +
1.891 +/* Decodes a DER encoded authorityKeyIdentifier extension value into a
1.892 +** readable format.
1.893 +** arena - where to allocate memory for the decoded value
1.894 +** encodedValue - value to be decoded
1.895 +** Returns a CERTAuthKeyID structure which contains the decoded value
1.896 +*/
1.897 +extern CERTAuthKeyID *CERT_DecodeAuthKeyID
1.898 + (PLArenaPool *arena, const SECItem *encodedValue);
1.899 +
1.900 +/* Decodes a DER encoded crlDistributionPoints extension value into a
1.901 +** readable format.
1.902 +** arena - where to allocate memory for the decoded value
1.903 +** der - value to be decoded
1.904 +** Returns a CERTCrlDistributionPoints structure which contains the
1.905 +** decoded value
1.906 +*/
1.907 +extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
1.908 + (PLArenaPool *arena, SECItem *der);
1.909 +
1.910 +/* Extract certain name type from a generalName */
1.911 +extern void *CERT_GetGeneralNameByType
1.912 + (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
1.913 +
1.914 +
1.915 +extern CERTOidSequence *
1.916 +CERT_DecodeOidSequence(const SECItem *seqItem);
1.917 +
1.918 +
1.919 +
1.920 +
1.921 +/****************************************************************************
1.922 + *
1.923 + * Find extension values of a certificate
1.924 + *
1.925 + ***************************************************************************/
1.926 +
1.927 +extern SECStatus CERT_FindCertExtension
1.928 + (const CERTCertificate *cert, int tag, SECItem *value);
1.929 +
1.930 +extern SECStatus CERT_FindNSCertTypeExtension
1.931 + (CERTCertificate *cert, SECItem *value);
1.932 +
1.933 +extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
1.934 +
1.935 +extern SECStatus CERT_FindIssuerCertExtension
1.936 + (CERTCertificate *cert, int tag, SECItem *value);
1.937 +
1.938 +extern SECStatus CERT_FindCertExtensionByOID
1.939 + (CERTCertificate *cert, SECItem *oid, SECItem *value);
1.940 +
1.941 +extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag,
1.942 + int catag);
1.943 +
1.944 +/* Returns the decoded value of the authKeyID extension.
1.945 +** Note that this uses passed in the arena to allocate storage for the result
1.946 +*/
1.947 +extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
1.948 +
1.949 +/* Returns the decoded value of the basicConstraint extension.
1.950 + */
1.951 +extern SECStatus CERT_FindBasicConstraintExten
1.952 + (CERTCertificate *cert, CERTBasicConstraints *value);
1.953 +
1.954 +/* Returns the decoded value of the crlDistributionPoints extension.
1.955 +** Note that the arena in cert is used to allocate storage for the result
1.956 +*/
1.957 +extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
1.958 + (CERTCertificate *cert);
1.959 +
1.960 +/* Returns value of the keyUsage extension. This uses PR_Alloc to allocate
1.961 +** buffer for the decoded value. The caller should free up the storage
1.962 +** allocated in value->data.
1.963 +*/
1.964 +extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert,
1.965 + SECItem *value);
1.966 +
1.967 +/* Return the decoded value of the subjectKeyID extension. The caller should
1.968 +** free up the storage allocated in retItem->data.
1.969 +*/
1.970 +extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert,
1.971 + SECItem *retItem);
1.972 +
1.973 +/*
1.974 +** If cert is a v3 certificate, and a critical keyUsage extension is included,
1.975 +** then check the usage against the extension value. If a non-critical
1.976 +** keyUsage extension is included, this will return SECSuccess without
1.977 +** checking, since the extension is an advisory field, not a restriction.
1.978 +** If cert is not a v3 certificate, this will return SECSuccess.
1.979 +** cert - certificate
1.980 +** usage - one of the x.509 v3 the Key Usage Extension flags
1.981 +*/
1.982 +extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert,
1.983 + unsigned char usage);
1.984 +
1.985 +/****************************************************************************
1.986 + *
1.987 + * CRL v2 Extensions supported routines
1.988 + *
1.989 + ****************************************************************************/
1.990 +
1.991 +extern SECStatus CERT_FindCRLExtensionByOID
1.992 + (CERTCrl *crl, SECItem *oid, SECItem *value);
1.993 +
1.994 +extern SECStatus CERT_FindCRLExtension
1.995 + (CERTCrl *crl, int tag, SECItem *value);
1.996 +
1.997 +extern SECStatus
1.998 + CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value);
1.999 +
1.1000 +/*
1.1001 +** Set up a crl for adding X509v3 extensions. Returns an opaque handle
1.1002 +** used by routines that take an exthandle (void*) argument .
1.1003 +** "crl" is the CRL we are adding extensions to
1.1004 +*/
1.1005 +extern void *CERT_StartCRLExtensions(CERTCrl *crl);
1.1006 +
1.1007 +/*
1.1008 +** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle
1.1009 +** used by routines that take an exthandle (void*) argument .
1.1010 +** "crl" is the crl we are adding certs entries to
1.1011 +** "entry" is the crl entry we are adding extensions to
1.1012 +*/
1.1013 +extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
1.1014 +
1.1015 +extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
1.1016 + int what, void *wincx);
1.1017 +
1.1018 +/*
1.1019 +** Finds the crlNumber extension and decodes its value into 'value'
1.1020 +*/
1.1021 +extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
1.1022 + SECItem *value);
1.1023 +
1.1024 +extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
1.1025 + CERTCRLEntryReasonCode *value);
1.1026 +
1.1027 +extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
1.1028 +
1.1029 +extern PRBool CERT_CompareCerts(const CERTCertificate *c1,
1.1030 + const CERTCertificate *c2);
1.1031 +
1.1032 +extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
1.1033 + CERTCertificate *c2);
1.1034 +
1.1035 +/*
1.1036 +** Generate an array of the Distinguished Names that the given cert database
1.1037 +** "trusts"
1.1038 +*/
1.1039 +extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
1.1040 +
1.1041 +extern void CERT_FreeDistNames(CERTDistNames *names);
1.1042 +
1.1043 +/* Duplicate distinguished name array */
1.1044 +extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig);
1.1045 +
1.1046 +/*
1.1047 +** Generate an array of Distinguished names from an array of nicknames
1.1048 +*/
1.1049 +extern CERTDistNames *CERT_DistNamesFromNicknames
1.1050 + (CERTCertDBHandle *handle, char **nicknames, int nnames);
1.1051 +
1.1052 +/*
1.1053 +** Generate an array of Distinguished names from a list of certs.
1.1054 +*/
1.1055 +extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list);
1.1056 +
1.1057 +/*
1.1058 +** Generate a certificate chain from a certificate.
1.1059 +*/
1.1060 +extern CERTCertificateList *
1.1061 +CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
1.1062 + PRBool includeRoot);
1.1063 +
1.1064 +extern CERTCertificateList *
1.1065 +CERT_CertListFromCert(CERTCertificate *cert);
1.1066 +
1.1067 +extern CERTCertificateList *
1.1068 +CERT_DupCertList(const CERTCertificateList * oldList);
1.1069 +
1.1070 +extern void CERT_DestroyCertificateList(CERTCertificateList *list);
1.1071 +
1.1072 +/*
1.1073 +** is cert a user cert? i.e. does it have CERTDB_USER trust,
1.1074 +** i.e. a private key?
1.1075 +*/
1.1076 +PRBool CERT_IsUserCert(CERTCertificate* cert);
1.1077 +
1.1078 +/* is cert a newer than cert b? */
1.1079 +PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
1.1080 +
1.1081 +/* currently a stub for address book */
1.1082 +PRBool
1.1083 +CERT_IsCertRevoked(CERTCertificate *cert);
1.1084 +
1.1085 +void
1.1086 +CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
1.1087 +
1.1088 +/* convert an email address to lower case */
1.1089 +char *CERT_FixupEmailAddr(const char *emailAddr);
1.1090 +
1.1091 +/* decode string representation of trust flags into trust struct */
1.1092 +SECStatus
1.1093 +CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts);
1.1094 +
1.1095 +/* encode trust struct into string representation of trust flags */
1.1096 +char *
1.1097 +CERT_EncodeTrustString(CERTCertTrust *trust);
1.1098 +
1.1099 +/* find the next or prev cert in a subject list */
1.1100 +CERTCertificate *
1.1101 +CERT_PrevSubjectCert(CERTCertificate *cert);
1.1102 +CERTCertificate *
1.1103 +CERT_NextSubjectCert(CERTCertificate *cert);
1.1104 +
1.1105 +/*
1.1106 + * import a collection of certs into the temporary or permanent cert
1.1107 + * database
1.1108 + */
1.1109 +SECStatus
1.1110 +CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
1.1111 + unsigned int ncerts, SECItem **derCerts,
1.1112 + CERTCertificate ***retCerts, PRBool keepCerts,
1.1113 + PRBool caOnly, char *nickname);
1.1114 +
1.1115 +char *
1.1116 +CERT_MakeCANickname(CERTCertificate *cert);
1.1117 +
1.1118 +PRBool
1.1119 +CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
1.1120 +
1.1121 +PRBool
1.1122 +CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
1.1123 +
1.1124 +PRBool
1.1125 +CERT_IsRootDERCert(SECItem *derCert);
1.1126 +
1.1127 +SECStatus
1.1128 +CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
1.1129 + SECItem *profileTime);
1.1130 +
1.1131 +/*
1.1132 + * find the smime symmetric capabilities profile for a given cert
1.1133 + */
1.1134 +SECItem *
1.1135 +CERT_FindSMimeProfile(CERTCertificate *cert);
1.1136 +
1.1137 +SECStatus
1.1138 +CERT_AddNewCerts(CERTCertDBHandle *handle);
1.1139 +
1.1140 +CERTCertificatePolicies *
1.1141 +CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue);
1.1142 +
1.1143 +void
1.1144 +CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
1.1145 +
1.1146 +CERTCertificatePolicyMappings *
1.1147 +CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
1.1148 +
1.1149 +SECStatus
1.1150 +CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
1.1151 +
1.1152 +SECStatus
1.1153 +CERT_DecodePolicyConstraintsExtension(
1.1154 + CERTCertificatePolicyConstraints *decodedValue,
1.1155 + const SECItem *encodedValue);
1.1156 +
1.1157 +SECStatus CERT_DecodeInhibitAnyExtension
1.1158 + (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
1.1159 +
1.1160 +CERTUserNotice *
1.1161 +CERT_DecodeUserNotice(SECItem *noticeItem);
1.1162 +
1.1163 +extern CERTGeneralName *
1.1164 +CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
1.1165 +
1.1166 +extern CERTNameConstraints *
1.1167 +CERT_DecodeNameConstraintsExtension(PLArenaPool *arena,
1.1168 + const SECItem *encodedConstraints);
1.1169 +
1.1170 +/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
1.1171 +extern CERTAuthInfoAccess **
1.1172 +CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
1.1173 + SECItem *encodedExtension);
1.1174 +
1.1175 +extern CERTPrivKeyUsagePeriod *
1.1176 +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
1.1177 +
1.1178 +extern CERTGeneralName *
1.1179 +CERT_GetNextGeneralName(CERTGeneralName *current);
1.1180 +
1.1181 +extern CERTGeneralName *
1.1182 +CERT_GetPrevGeneralName(CERTGeneralName *current);
1.1183 +
1.1184 +CERTNameConstraint *
1.1185 +CERT_GetNextNameConstraint(CERTNameConstraint *current);
1.1186 +
1.1187 +CERTNameConstraint *
1.1188 +CERT_GetPrevNameConstraint(CERTNameConstraint *current);
1.1189 +
1.1190 +void
1.1191 +CERT_DestroyUserNotice(CERTUserNotice *userNotice);
1.1192 +
1.1193 +typedef char * (* CERTPolicyStringCallback)(char *org,
1.1194 + unsigned long noticeNumber,
1.1195 + void *arg);
1.1196 +void
1.1197 +CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
1.1198 +
1.1199 +char *
1.1200 +CERT_GetCertCommentString(CERTCertificate *cert);
1.1201 +
1.1202 +PRBool
1.1203 +CERT_GovtApprovedBitSet(CERTCertificate *cert);
1.1204 +
1.1205 +SECStatus
1.1206 +CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
1.1207 +
1.1208 +CERTCertList *
1.1209 +CERT_MatchUserCert(CERTCertDBHandle *handle,
1.1210 + SECCertUsage usage,
1.1211 + int nCANames, char **caNames,
1.1212 + void *proto_win);
1.1213 +
1.1214 +CERTCertList *
1.1215 +CERT_NewCertList(void);
1.1216 +
1.1217 +/* free the cert list and all the certs in the list */
1.1218 +void
1.1219 +CERT_DestroyCertList(CERTCertList *certs);
1.1220 +
1.1221 +/* remove the node and free the cert */
1.1222 +void
1.1223 +CERT_RemoveCertListNode(CERTCertListNode *node);
1.1224 +
1.1225 +/* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
1.1226 +SECStatus
1.1227 +CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
1.1228 +
1.1229 +/* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
1.1230 +SECStatus
1.1231 +CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
1.1232 +
1.1233 +/*
1.1234 + * The new cert list node takes ownership of "cert". "cert" is freed
1.1235 + * when the list node is removed.
1.1236 + */
1.1237 +SECStatus
1.1238 +CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
1.1239 + void *appData);
1.1240 +
1.1241 +/*
1.1242 + * The new cert list node takes ownership of "cert". "cert" is freed
1.1243 + * when the list node is removed.
1.1244 + */
1.1245 +SECStatus
1.1246 +CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
1.1247 + void *appData);
1.1248 +
1.1249 +typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
1.1250 + CERTCertificate *certb,
1.1251 + void *arg);
1.1252 +SECStatus
1.1253 +CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
1.1254 + CERTSortCallback f, void *arg);
1.1255 +
1.1256 +/* callback for CERT_AddCertToListSorted that sorts based on validity
1.1257 + * period and a given time.
1.1258 + */
1.1259 +PRBool
1.1260 +CERT_SortCBValidity(CERTCertificate *certa,
1.1261 + CERTCertificate *certb,
1.1262 + void *arg);
1.1263 +
1.1264 +SECStatus
1.1265 +CERT_CheckForEvilCert(CERTCertificate *cert);
1.1266 +
1.1267 +CERTGeneralName *
1.1268 +CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
1.1269 +
1.1270 +CERTGeneralName *
1.1271 +CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
1.1272 + PLArenaPool *arena,
1.1273 + PRBool includeSubjectCommonName);
1.1274 +
1.1275 +/*
1.1276 + * Creates or adds to a list of all certs with a give subject name, sorted by
1.1277 + * validity time, newest first. Invalid certs are considered older than
1.1278 + * valid certs. If validOnly is set, do not include invalid certs on list.
1.1279 + */
1.1280 +CERTCertList *
1.1281 +CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1.1282 + const SECItem *name, PRTime sorttime,
1.1283 + PRBool validOnly);
1.1284 +
1.1285 +/*
1.1286 + * remove certs from a list that don't have keyUsage and certType
1.1287 + * that match the given usage.
1.1288 + */
1.1289 +SECStatus
1.1290 +CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
1.1291 + PRBool ca);
1.1292 +
1.1293 +/*
1.1294 + * check the key usage of a cert against a set of required values
1.1295 + */
1.1296 +SECStatus
1.1297 +CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
1.1298 +
1.1299 +/*
1.1300 + * return required key usage and cert type based on cert usage
1.1301 + */
1.1302 +SECStatus
1.1303 +CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
1.1304 + PRBool ca,
1.1305 + unsigned int *retKeyUsage,
1.1306 + unsigned int *retCertType);
1.1307 +/*
1.1308 + * return required trust flags for various cert usages for CAs
1.1309 + */
1.1310 +SECStatus
1.1311 +CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
1.1312 + unsigned int *retFlags,
1.1313 + SECTrustType *retTrustType);
1.1314 +
1.1315 +/*
1.1316 + * Find all user certificates that match the given criteria.
1.1317 + *
1.1318 + * "handle" - database to search
1.1319 + * "usage" - certificate usage to match
1.1320 + * "oneCertPerName" - if set then only return the "best" cert per
1.1321 + * name
1.1322 + * "validOnly" - only return certs that are curently valid
1.1323 + * "proto_win" - window handle passed to pkcs11
1.1324 + */
1.1325 +CERTCertList *
1.1326 +CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
1.1327 + SECCertUsage usage,
1.1328 + PRBool oneCertPerName,
1.1329 + PRBool validOnly,
1.1330 + void *proto_win);
1.1331 +
1.1332 +/*
1.1333 + * Find a user certificate that matchs the given criteria.
1.1334 + *
1.1335 + * "handle" - database to search
1.1336 + * "nickname" - nickname to match
1.1337 + * "usage" - certificate usage to match
1.1338 + * "validOnly" - only return certs that are curently valid
1.1339 + * "proto_win" - window handle passed to pkcs11
1.1340 + */
1.1341 +CERTCertificate *
1.1342 +CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
1.1343 + const char *nickname,
1.1344 + SECCertUsage usage,
1.1345 + PRBool validOnly,
1.1346 + void *proto_win);
1.1347 +
1.1348 +/*
1.1349 + * Filter a list of certificates, removing those certs that do not have
1.1350 + * one of the named CA certs somewhere in their cert chain.
1.1351 + *
1.1352 + * "certList" - the list of certificates to filter
1.1353 + * "nCANames" - number of CA names
1.1354 + * "caNames" - array of CA names in string(rfc 1485) form
1.1355 + * "usage" - what use the certs are for, this is used when
1.1356 + * selecting CA certs
1.1357 + */
1.1358 +SECStatus
1.1359 +CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
1.1360 + char **caNames, SECCertUsage usage);
1.1361 +
1.1362 +/*
1.1363 + * Filter a list of certificates, removing those certs that aren't user certs
1.1364 + */
1.1365 +SECStatus
1.1366 +CERT_FilterCertListForUserCerts(CERTCertList *certList);
1.1367 +
1.1368 +/*
1.1369 + * Collect the nicknames from all certs in a CertList. If the cert is not
1.1370 + * valid, append a string to that nickname.
1.1371 + *
1.1372 + * "certList" - the list of certificates
1.1373 + * "expiredString" - the string to append to the nickname of any expired cert
1.1374 + * "notYetGoodString" - the string to append to the nickname of any cert
1.1375 + * that is not yet valid
1.1376 + */
1.1377 +CERTCertNicknames *
1.1378 +CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
1.1379 + char *notYetGoodString);
1.1380 +
1.1381 +/*
1.1382 + * Extract the nickname from a nickmake string that may have either
1.1383 + * expiredString or notYetGoodString appended.
1.1384 + *
1.1385 + * Args:
1.1386 + * "namestring" - the string containing the nickname, and possibly
1.1387 + * one of the validity label strings
1.1388 + * "expiredString" - the expired validity label string
1.1389 + * "notYetGoodString" - the not yet good validity label string
1.1390 + *
1.1391 + * Returns the raw nickname
1.1392 + */
1.1393 +char *
1.1394 +CERT_ExtractNicknameString(char *namestring, char *expiredString,
1.1395 + char *notYetGoodString);
1.1396 +
1.1397 +/*
1.1398 + * Given a certificate, return a string containing the nickname, and possibly
1.1399 + * one of the validity strings, based on the current validity state of the
1.1400 + * certificate.
1.1401 + *
1.1402 + * "arena" - arena to allocate returned string from. If NULL, then heap
1.1403 + * is used.
1.1404 + * "cert" - the cert to get nickname from
1.1405 + * "expiredString" - the string to append to the nickname if the cert is
1.1406 + * expired.
1.1407 + * "notYetGoodString" - the string to append to the nickname if the cert is
1.1408 + * not yet good.
1.1409 + */
1.1410 +char *
1.1411 +CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
1.1412 + char *expiredString, char *notYetGoodString);
1.1413 +
1.1414 +/*
1.1415 + * Return the string representation of a DER encoded distinguished name
1.1416 + * "dername" - The DER encoded name to convert
1.1417 + */
1.1418 +char *
1.1419 +CERT_DerNameToAscii(SECItem *dername);
1.1420 +
1.1421 +/*
1.1422 + * Supported usage values and types:
1.1423 + * certUsageSSLClient
1.1424 + * certUsageSSLServer
1.1425 + * certUsageSSLServerWithStepUp
1.1426 + * certUsageEmailSigner
1.1427 + * certUsageEmailRecipient
1.1428 + * certUsageObjectSigner
1.1429 + */
1.1430 +
1.1431 +CERTCertificate *
1.1432 +CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
1.1433 + CERTCertOwner owner, SECCertUsage usage,
1.1434 + PRBool preferTrusted, PRTime validTime, PRBool validOnly);
1.1435 +
1.1436 +/*
1.1437 + * Acquire the global lock on the cert database.
1.1438 + * This lock is currently used for the following operations:
1.1439 + * adding or deleting a cert to either the temp or perm databases
1.1440 + * converting a temp to perm or perm to temp
1.1441 + * changing(maybe just adding?) the trust of a cert
1.1442 + * adjusting the reference count of a cert
1.1443 + */
1.1444 +void
1.1445 +CERT_LockDB(CERTCertDBHandle *handle);
1.1446 +
1.1447 +/*
1.1448 + * Free the global cert database lock.
1.1449 + */
1.1450 +void
1.1451 +CERT_UnlockDB(CERTCertDBHandle *handle);
1.1452 +
1.1453 +/*
1.1454 + * Get the certificate status checking configuratino data for
1.1455 + * the certificate database
1.1456 + */
1.1457 +CERTStatusConfig *
1.1458 +CERT_GetStatusConfig(CERTCertDBHandle *handle);
1.1459 +
1.1460 +/*
1.1461 + * Set the certificate status checking information for the
1.1462 + * database. The input structure becomes part of the certificate
1.1463 + * database and will be freed by calling the 'Destroy' function in
1.1464 + * the configuration object.
1.1465 + */
1.1466 +void
1.1467 +CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
1.1468 +
1.1469 +
1.1470 +
1.1471 +/*
1.1472 + * Acquire the cert reference count lock
1.1473 + * There is currently one global lock for all certs, but I'm putting a cert
1.1474 + * arg here so that it will be easy to make it per-cert in the future if
1.1475 + * that turns out to be necessary.
1.1476 + */
1.1477 +void
1.1478 +CERT_LockCertRefCount(CERTCertificate *cert);
1.1479 +
1.1480 +/*
1.1481 + * Free the cert reference count lock
1.1482 + */
1.1483 +void
1.1484 +CERT_UnlockCertRefCount(CERTCertificate *cert);
1.1485 +
1.1486 +/*
1.1487 + * Acquire the cert trust lock
1.1488 + * There is currently one global lock for all certs, but I'm putting a cert
1.1489 + * arg here so that it will be easy to make it per-cert in the future if
1.1490 + * that turns out to be necessary.
1.1491 + */
1.1492 +void
1.1493 +CERT_LockCertTrust(const CERTCertificate *cert);
1.1494 +
1.1495 +/*
1.1496 + * Free the cert trust lock
1.1497 + */
1.1498 +void
1.1499 +CERT_UnlockCertTrust(const CERTCertificate *cert);
1.1500 +
1.1501 +/*
1.1502 + * Digest the cert's subject public key using the specified algorithm.
1.1503 + * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
1.1504 + * the tag, length, and number of unused bits) rather than the whole
1.1505 + * subjectPublicKeyInfo field.
1.1506 + *
1.1507 + * The necessary storage for the digest data is allocated. If "fill" is
1.1508 + * non-null, the data is put there, otherwise a SECItem is allocated.
1.1509 + * Allocation from "arena" if it is non-null, heap otherwise. Any problem
1.1510 + * results in a NULL being returned (and an appropriate error set).
1.1511 + */
1.1512 +extern SECItem *
1.1513 +CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
1.1514 + SECOidTag digestAlg, SECItem *fill);
1.1515 +
1.1516 +/*
1.1517 + * Digest the cert's subject name using the specified algorithm.
1.1518 + */
1.1519 +extern SECItem *
1.1520 +CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
1.1521 + SECOidTag digestAlg, SECItem *fill);
1.1522 +
1.1523 +SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
1.1524 + const SECItem* dp, PRTime t, void* wincx);
1.1525 +
1.1526 +
1.1527 +/*
1.1528 + * Add a CERTNameConstraint to the CERTNameConstraint list
1.1529 + */
1.1530 +extern CERTNameConstraint *
1.1531 +CERT_AddNameConstraint(CERTNameConstraint *list,
1.1532 + CERTNameConstraint *constraint);
1.1533 +
1.1534 +/*
1.1535 + * Allocate space and copy CERTNameConstraint from src to dest.
1.1536 + * Arena is used to allocate result(if dest eq NULL) and its members
1.1537 + * SECItem data.
1.1538 + */
1.1539 +extern CERTNameConstraint *
1.1540 +CERT_CopyNameConstraint(PLArenaPool *arena,
1.1541 + CERTNameConstraint *dest,
1.1542 + CERTNameConstraint *src);
1.1543 +
1.1544 +/*
1.1545 + * Verify name against all the constraints relevant to that type of
1.1546 + * the name.
1.1547 + */
1.1548 +extern SECStatus
1.1549 +CERT_CheckNameSpace(PLArenaPool *arena,
1.1550 + const CERTNameConstraints *constraints,
1.1551 + const CERTGeneralName *currentName);
1.1552 +
1.1553 +/*
1.1554 + * Extract and allocate the name constraints extension from the CA cert.
1.1555 + */
1.1556 +extern SECStatus
1.1557 +CERT_FindNameConstraintsExten(PLArenaPool *arena,
1.1558 + CERTCertificate *cert,
1.1559 + CERTNameConstraints **constraints);
1.1560 +
1.1561 +/*
1.1562 + * Initialize a new GERTGeneralName fields (link)
1.1563 + */
1.1564 +extern CERTGeneralName *
1.1565 +CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type);
1.1566 +
1.1567 +/*
1.1568 + * PKIX extension encoding routines
1.1569 + */
1.1570 +extern SECStatus
1.1571 +CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
1.1572 + CERTCertificatePolicyConstraints *constr,
1.1573 + SECItem *dest);
1.1574 +extern SECStatus
1.1575 +CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
1.1576 + CERTCertificateInhibitAny *inhibitAny,
1.1577 + SECItem *dest);
1.1578 +extern SECStatus
1.1579 +CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
1.1580 + CERTCertificatePolicyMappings *maps,
1.1581 + SECItem *dest);
1.1582 +
1.1583 +extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
1.1584 + CERTAuthInfoAccess **info,
1.1585 + SECItem *dest);
1.1586 +extern SECStatus
1.1587 +CERT_EncodeUserNotice(PLArenaPool *arena,
1.1588 + CERTUserNotice *notice,
1.1589 + SECItem *dest);
1.1590 +
1.1591 +extern SECStatus
1.1592 +CERT_EncodeDisplayText(PLArenaPool *arena,
1.1593 + SECItem *text,
1.1594 + SECItem *dest);
1.1595 +
1.1596 +extern SECStatus
1.1597 +CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
1.1598 + CERTPolicyInfo **info,
1.1599 + SECItem *dest);
1.1600 +extern SECStatus
1.1601 +CERT_EncodeNoticeReference(PLArenaPool *arena,
1.1602 + CERTNoticeReference *reference,
1.1603 + SECItem *dest);
1.1604 +
1.1605 +/*
1.1606 + * Returns a pointer to a static structure.
1.1607 + */
1.1608 +extern const CERTRevocationFlags*
1.1609 +CERT_GetPKIXVerifyNistRevocationPolicy(void);
1.1610 +
1.1611 +/*
1.1612 + * Returns a pointer to a static structure.
1.1613 + */
1.1614 +extern const CERTRevocationFlags*
1.1615 +CERT_GetClassicOCSPEnabledSoftFailurePolicy(void);
1.1616 +
1.1617 +/*
1.1618 + * Returns a pointer to a static structure.
1.1619 + */
1.1620 +extern const CERTRevocationFlags*
1.1621 +CERT_GetClassicOCSPEnabledHardFailurePolicy(void);
1.1622 +
1.1623 +/*
1.1624 + * Returns a pointer to a static structure.
1.1625 + */
1.1626 +extern const CERTRevocationFlags*
1.1627 +CERT_GetClassicOCSPDisabledPolicy(void);
1.1628 +
1.1629 +/*
1.1630 + * Verify a Cert with libpkix
1.1631 + * paramsIn control the verification options. If a value isn't specified
1.1632 + * in paramsIn, it reverts to the application default.
1.1633 + * paramsOut specifies the parameters the caller would like to get back.
1.1634 + * the caller may pass NULL, in which case no parameters are returned.
1.1635 + */
1.1636 +extern SECStatus CERT_PKIXVerifyCert(
1.1637 + CERTCertificate *cert,
1.1638 + SECCertificateUsage usages,
1.1639 + CERTValInParam *paramsIn,
1.1640 + CERTValOutParam *paramsOut,
1.1641 + void *wincx);
1.1642 +
1.1643 +/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
1.1644 + * to use libpkix validation engine. The function should be called ones at
1.1645 + * application initialization time.
1.1646 + * Function is not thread safe.*/
1.1647 +extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
1.1648 +
1.1649 +/* The function return PR_TRUE if cert validation should use
1.1650 + * libpkix cert validation engine. */
1.1651 +extern PRBool CERT_GetUsePKIXForValidation(void);
1.1652 +
1.1653 +/*
1.1654 + * Allocate a parameter container of type CERTRevocationFlags,
1.1655 + * and allocate the inner arrays of the given sizes.
1.1656 + * To cleanup call CERT_DestroyCERTRevocationFlags.
1.1657 + */
1.1658 +extern CERTRevocationFlags *
1.1659 +CERT_AllocCERTRevocationFlags(
1.1660 + PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
1.1661 + PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
1.1662 +
1.1663 +/*
1.1664 + * Destroy the arrays inside flags,
1.1665 + * and destroy the object pointed to by flags, too.
1.1666 + */
1.1667 +extern void
1.1668 +CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
1.1669 +
1.1670 +SEC_END_PROTOS
1.1671 +
1.1672 +#endif /* _CERT_H_ */
