1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/certi.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,403 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * certi.h - private data structures for the certificate library
1.9 + */
1.10 +#ifndef _CERTI_H_
1.11 +#define _CERTI_H_
1.12 +
1.13 +#include "certt.h"
1.14 +#include "nssrwlkt.h"
1.15 +
1.16 +/*
1.17 +#define GLOBAL_RWLOCK 1
1.18 +*/
1.19 +
1.20 +#define DPC_RWLOCK 1
1.21 +
1.22 +/* all definitions in this file are subject to change */
1.23 +
1.24 +typedef struct OpaqueCRLFieldsStr OpaqueCRLFields;
1.25 +typedef struct CRLEntryCacheStr CRLEntryCache;
1.26 +typedef struct CRLDPCacheStr CRLDPCache;
1.27 +typedef struct CRLIssuerCacheStr CRLIssuerCache;
1.28 +typedef struct CRLCacheStr CRLCache;
1.29 +typedef struct CachedCrlStr CachedCrl;
1.30 +typedef struct NamedCRLCacheStr NamedCRLCache;
1.31 +typedef struct NamedCRLCacheEntryStr NamedCRLCacheEntry;
1.32 +
1.33 +struct OpaqueCRLFieldsStr {
1.34 + PRBool partial;
1.35 + PRBool decodingError;
1.36 + PRBool badEntries;
1.37 + PRBool badDER;
1.38 + PRBool badExtensions;
1.39 + PRBool heapDER;
1.40 +};
1.41 +
1.42 +typedef struct PreAllocatorStr PreAllocator;
1.43 +
1.44 +struct PreAllocatorStr
1.45 +{
1.46 + PRSize len;
1.47 + void* data;
1.48 + PRSize used;
1.49 + PLArenaPool* arena;
1.50 + PRSize extra;
1.51 +};
1.52 +
1.53 +/* CRL entry cache.
1.54 + This is the same as an entry plus the next/prev pointers for the hash table
1.55 +*/
1.56 +
1.57 +struct CRLEntryCacheStr {
1.58 + CERTCrlEntry entry;
1.59 + CRLEntryCache *prev, *next;
1.60 +};
1.61 +
1.62 +#define CRL_CACHE_INVALID_CRLS 0x0001 /* this state will be set
1.63 + if we have CRL objects with an invalid DER or signature. Can be
1.64 + cleared if the invalid objects are deleted from the token */
1.65 +#define CRL_CACHE_LAST_FETCH_FAILED 0x0002 /* this state will be set
1.66 + if the last CRL fetch encountered an error. Can be cleared if a
1.67 + new fetch succeeds */
1.68 +
1.69 +#define CRL_CACHE_OUT_OF_MEMORY 0x0004 /* this state will be set
1.70 + if we don't have enough memory to build the hash table of entries */
1.71 +
1.72 +typedef enum {
1.73 + CRL_OriginToken = 0, /* CRL came from PKCS#11 token */
1.74 + CRL_OriginExplicit = 1 /* CRL was explicitly added to the cache, from RAM */
1.75 +} CRLOrigin;
1.76 +
1.77 +typedef enum {
1.78 + dpcacheNoEntry = 0, /* no entry found for this SN */
1.79 + dpcacheFoundEntry = 1, /* entry found for this SN */
1.80 + dpcacheCallerError = 2, /* invalid args */
1.81 + dpcacheInvalidCacheError = 3, /* CRL in cache may be bad DER */
1.82 + /* or unverified */
1.83 + dpcacheEmpty = 4, /* no CRL in cache */
1.84 + dpcacheLookupError = 5 /* internal error */
1.85 +} dpcacheStatus;
1.86 +
1.87 +
1.88 +struct CachedCrlStr {
1.89 + CERTSignedCrl* crl;
1.90 + CRLOrigin origin;
1.91 + /* hash table of entries. We use a PLHashTable and pre-allocate the
1.92 + required amount of memory in one shot, so that our allocator can
1.93 + simply pass offsets into it when hashing.
1.94 +
1.95 + This won't work anymore when we support delta CRLs and iCRLs, because
1.96 + the size of the hash table will vary over time. At that point, the best
1.97 + solution will be to allocate large CRLEntry structures by modifying
1.98 + the DER decoding template. The extra space would be for next/prev
1.99 + pointers. This would allow entries from different CRLs to be mixed in
1.100 + the same hash table.
1.101 + */
1.102 + PLHashTable* entries;
1.103 + PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
1.104 + PRBool sigChecked; /* this CRL signature has already been checked */
1.105 + PRBool sigValid; /* signature verification status .
1.106 + Only meaningful if checked is PR_TRUE . */
1.107 + PRBool unbuildable; /* Avoid using assosiated CRL is it fails
1.108 + * a decoding step */
1.109 +};
1.110 +
1.111 +/* CRL distribution point cache object
1.112 + This is a cache of CRL entries for a given distribution point of an issuer
1.113 + It is built from a collection of one full and 0 or more delta CRLs.
1.114 +*/
1.115 +
1.116 +struct CRLDPCacheStr {
1.117 +#ifdef DPC_RWLOCK
1.118 + NSSRWLock* lock;
1.119 +#else
1.120 + PRLock* lock;
1.121 +#endif
1.122 + CERTCertificate* issuer; /* issuer cert
1.123 + XXX there may be multiple issuer certs,
1.124 + with different validity dates. Also
1.125 + need to deal with SKID/AKID . See
1.126 + bugzilla 217387, 233118 */
1.127 + SECItem* subject; /* DER of issuer subject */
1.128 + SECItem* distributionPoint; /* DER of distribution point. This may be
1.129 + NULL when distribution points aren't
1.130 + in use (ie. the CA has a single CRL).
1.131 + Currently not used. */
1.132 +
1.133 + /* array of full CRLs matching this distribution point */
1.134 + PRUint32 ncrls; /* total number of CRLs in crls */
1.135 + CachedCrl** crls; /* array of all matching CRLs */
1.136 + /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several
1.137 + issuers. In the future, we'll need to globally recycle the CRL in a
1.138 + separate list in order to avoid extra lookups, decodes, and copies */
1.139 +
1.140 + /* pointers to good decoded CRLs used to build the cache */
1.141 + CachedCrl* selected; /* full CRL selected for use in the cache */
1.142 +#if 0
1.143 + /* for future use */
1.144 + PRInt32 numdeltas; /* number of delta CRLs used for the cache */
1.145 + CachedCrl** deltas; /* delta CRLs used for the cache */
1.146 +#endif
1.147 + /* cache invalidity bitflag */
1.148 + PRUint16 invalid; /* this state will be set if either
1.149 + CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
1.150 + In those cases, all certs are considered to have unknown status.
1.151 + The invalid state can only be cleared during an update if all
1.152 + error states are cleared */
1.153 + PRBool refresh; /* manual refresh from tokens has been forced */
1.154 + PRBool mustchoose; /* trigger reselection algorithm, for case when
1.155 + RAM CRL objects are dropped from the cache */
1.156 + PRTime lastfetch; /* time a CRL token fetch was last performed */
1.157 + PRTime lastcheck; /* time CRL token objects were last checked for
1.158 + existence */
1.159 +};
1.160 +
1.161 +/* CRL issuer cache object
1.162 + This object tracks all the distribution point caches for a given issuer.
1.163 + XCRL once we support multiple issuing distribution points, this object
1.164 + will be a hash table. For now, it just holds the single CRL distribution
1.165 + point cache structure.
1.166 +*/
1.167 +
1.168 +struct CRLIssuerCacheStr {
1.169 + SECItem* subject; /* DER of issuer subject */
1.170 + CRLDPCache* dpp;
1.171 +#if 0
1.172 + /* XCRL for future use.
1.173 + We don't need to lock at the moment because we only have one DP,
1.174 + which gets created at the same time as this object */
1.175 + NSSRWLock* lock;
1.176 + CRLDPCache** dps;
1.177 + PLHashTable* distributionpoints;
1.178 + CERTCertificate* issuer;
1.179 +#endif
1.180 +};
1.181 +
1.182 +/* CRL revocation cache object
1.183 + This object tracks all the issuer caches
1.184 +*/
1.185 +
1.186 +struct CRLCacheStr {
1.187 +#ifdef GLOBAL_RWLOCK
1.188 + NSSRWLock* lock;
1.189 +#else
1.190 + PRLock* lock;
1.191 +#endif
1.192 + /* hash table of issuer to CRLIssuerCacheStr,
1.193 + indexed by issuer DER subject */
1.194 + PLHashTable* issuers;
1.195 +};
1.196 +
1.197 +SECStatus InitCRLCache(void);
1.198 +SECStatus ShutdownCRLCache(void);
1.199 +
1.200 +/* Returns a pointer to an environment-like string, a series of
1.201 +** null-terminated strings, terminated by a zero-length string.
1.202 +** This function is intended to be internal to NSS.
1.203 +*/
1.204 +extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
1.205 +
1.206 +/*
1.207 + * These functions are used to map subjectKeyID extension values to certs
1.208 + * and to keep track of the checks for user certificates in each slot
1.209 + */
1.210 +SECStatus
1.211 +cert_CreateSubjectKeyIDHashTable(void);
1.212 +
1.213 +SECStatus
1.214 +cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
1.215 +
1.216 +SECStatus
1.217 +cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
1.218 +
1.219 +int
1.220 +cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
1.221 +
1.222 +/*
1.223 + * Call this function to remove an entry from the mapping table.
1.224 + */
1.225 +SECStatus
1.226 +cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
1.227 +
1.228 +SECStatus
1.229 +cert_DestroySubjectKeyIDHashTable(void);
1.230 +
1.231 +SECItem*
1.232 +cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);
1.233 +
1.234 +/* return maximum length of AVA value based on its type OID tag. */
1.235 +extern int cert_AVAOidTagToMaxLen(SECOidTag tag);
1.236 +
1.237 +/* Make an AVA, allocated from pool, from OID and DER encoded value */
1.238 +extern CERTAVA * CERT_CreateAVAFromRaw(PLArenaPool *pool,
1.239 + const SECItem * OID, const SECItem * value);
1.240 +
1.241 +/* Make an AVA from binary input specified by SECItem */
1.242 +extern CERTAVA * CERT_CreateAVAFromSECItem(PLArenaPool *arena, SECOidTag kind,
1.243 + int valueType, SECItem *value);
1.244 +
1.245 +/*
1.246 + * get a DPCache object for the given issuer subject and dp
1.247 + * Automatically creates the cache object if it doesn't exist yet.
1.248 + */
1.249 +SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject,
1.250 + const SECItem* dp, PRTime t, void* wincx,
1.251 + CRLDPCache** dpcache, PRBool* writeLocked);
1.252 +
1.253 +/* check if a particular SN is in the CRL cache and return its entry */
1.254 +dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn,
1.255 + CERTCrlEntry** returned);
1.256 +
1.257 +/* release a DPCache object that was previously acquired */
1.258 +void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked);
1.259 +
1.260 +/*
1.261 + * map Stan errors into NSS errors
1.262 + * This function examines the stan error stack and automatically sets
1.263 + * PORT_SetError(); to the appropriate SEC_ERROR value.
1.264 + */
1.265 +void CERT_MapStanError();
1.266 +
1.267 +/* Like CERT_VerifyCert, except with an additional argument, flags. The
1.268 + * flags are defined immediately below.
1.269 + */
1.270 +SECStatus
1.271 +cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
1.272 + PRBool checkSig, SECCertUsage certUsage, PRTime t,
1.273 + PRUint32 flags, void *wincx, CERTVerifyLog *log);
1.274 +
1.275 +/* Use the default settings.
1.276 + * cert_VerifyCertWithFlags(..., CERT_VERIFYCERT_USE_DEFAULTS, ...) is
1.277 + * equivalent to CERT_VerifyCert(...);
1.278 + */
1.279 +#define CERT_VERIFYCERT_USE_DEFAULTS 0
1.280 +
1.281 +/* Skip all the OCSP checks during certificate verification, regardless of
1.282 + * the global OCSP settings. By default, certificate |cert| will have its
1.283 + * revocation status checked via OCSP according to the global OCSP settings.
1.284 + *
1.285 + * OCSP checking is always skipped when certUsage is certUsageStatusResponder.
1.286 + */
1.287 +#define CERT_VERIFYCERT_SKIP_OCSP 1
1.288 +
1.289 +/* Interface function for libpkix cert validation engine:
1.290 + * cert_verify wrapper. */
1.291 +SECStatus
1.292 +cert_VerifyCertChainPkix(CERTCertificate *cert,
1.293 + PRBool checkSig,
1.294 + SECCertUsage requiredUsage,
1.295 + PRTime time,
1.296 + void *wincx,
1.297 + CERTVerifyLog *log,
1.298 + PRBool *sigError,
1.299 + PRBool *revoked);
1.300 +
1.301 +SECStatus cert_InitLocks(void);
1.302 +
1.303 +SECStatus cert_DestroyLocks(void);
1.304 +
1.305 +/*
1.306 + * fill in nsCertType field of the cert based on the cert extension
1.307 + */
1.308 +extern SECStatus cert_GetCertType(CERTCertificate *cert);
1.309 +
1.310 +/*
1.311 + * compute and return the value of nsCertType for cert, but do not
1.312 + * update the CERTCertificate.
1.313 + */
1.314 +extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
1.315 +
1.316 +void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
1.317 + long errorCode, unsigned int depth,
1.318 + void *arg);
1.319 +
1.320 +/* Insert a DER CRL into the CRL cache, and take ownership of it.
1.321 + *
1.322 + * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument
1.323 + * completely. crl must be freeable by SECITEM_FreeItem. It will be freed
1.324 + * immediately if it is rejected from the CRL cache, or later during cache
1.325 + * updates when a new crl is available, or at shutdown time.
1.326 + *
1.327 + * canonicalizedName represents the source of the CRL, a GeneralName.
1.328 + * The format of the encoding is not restricted, but all callers of
1.329 + * cert_CacheCRLByGeneralName and cert_FindCRLByGeneralName must use
1.330 + * the same encoding. To facilitate X.500 name matching, a canonicalized
1.331 + * encoding of the GeneralName should be used, if available.
1.332 + */
1.333 +
1.334 +SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
1.335 + const SECItem* canonicalizedName);
1.336 +
1.337 +struct NamedCRLCacheStr {
1.338 + PRLock* lock;
1.339 + PLHashTable* entries;
1.340 +};
1.341 +
1.342 +/* NamedCRLCacheEntryStr is filled in by cert_CacheCRLByGeneralName,
1.343 + * and read by cert_FindCRLByGeneralName */
1.344 +struct NamedCRLCacheEntryStr {
1.345 + SECItem* canonicalizedName;
1.346 + SECItem* crl; /* DER, kept only if CRL
1.347 + * is successfully cached */
1.348 + PRBool inCRLCache;
1.349 + PRTime successfulInsertionTime; /* insertion time */
1.350 + PRTime lastAttemptTime; /* time of last call to
1.351 + cert_CacheCRLByGeneralName with this name */
1.352 + PRBool badDER; /* ASN.1 error */
1.353 + PRBool dupe; /* matching DER CRL already in CRL cache */
1.354 + PRBool unsupported; /* IDP, delta, any other reason */
1.355 +};
1.356 +
1.357 +typedef enum {
1.358 + certRevocationStatusRevoked = 0,
1.359 + certRevocationStatusValid = 1,
1.360 + certRevocationStatusUnknown = 2
1.361 +} CERTRevocationStatus;
1.362 +
1.363 +/* Returns detailed status of the cert(revStatus variable). Tells if
1.364 + * issuer cache has OriginFetchedWithTimeout crl in it. */
1.365 +SECStatus
1.366 +cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
1.367 + const SECItem* dp, PRTime t, void *wincx,
1.368 + CERTRevocationStatus *revStatus,
1.369 + CERTCRLEntryReasonCode *revReason);
1.370 +
1.371 +
1.372 +SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned);
1.373 +
1.374 +/* cert_FindCRLByGeneralName must be called only while the named cache is
1.375 + * acquired, and the entry is only valid until cache is released.
1.376 + */
1.377 +SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
1.378 + const SECItem* canonicalizedName,
1.379 + NamedCRLCacheEntry** retEntry);
1.380 +
1.381 +SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc);
1.382 +
1.383 +/* This is private for now. Maybe shoule be public. */
1.384 +CERTGeneralName *
1.385 +cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena);
1.386 +
1.387 +/* Count DNS names and IP addresses in a list of GeneralNames */
1.388 +PRUint32
1.389 +cert_CountDNSPatterns(CERTGeneralName *firstName);
1.390 +
1.391 +/*
1.392 + * returns the trust status of the leaf certificate based on usage.
1.393 + * If the leaf is explicitly untrusted, this function will fail and
1.394 + * failedFlags will be set to the trust bit value that lead to the failure.
1.395 + * If the leaf is trusted, isTrusted is set to true and the function returns
1.396 + * SECSuccess. This function does not check if the cert is fit for a
1.397 + * particular usage.
1.398 + */
1.399 +SECStatus
1.400 +cert_CheckLeafTrust(CERTCertificate *cert,
1.401 + SECCertUsage usage,
1.402 + unsigned int *failedFlags,
1.403 + PRBool *isTrusted);
1.404 +
1.405 +#endif /* _CERTI_H_ */
1.406 +
