1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/certt.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1349 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * certt.h - public data structures for the certificate library
1.9 + */
1.10 +#ifndef _CERTT_H_
1.11 +#define _CERTT_H_
1.12 +
1.13 +#include "prclist.h"
1.14 +#include "pkcs11t.h"
1.15 +#include "seccomon.h"
1.16 +#include "secmodt.h"
1.17 +#include "secoidt.h"
1.18 +#include "plarena.h"
1.19 +#include "prcvar.h"
1.20 +#include "nssilock.h"
1.21 +#include "prio.h"
1.22 +#include "prmon.h"
1.23 +
1.24 +/* Stan data types */
1.25 +struct NSSCertificateStr;
1.26 +struct NSSTrustDomainStr;
1.27 +
1.28 +/* Non-opaque objects */
1.29 +typedef struct CERTAVAStr CERTAVA;
1.30 +typedef struct CERTAttributeStr CERTAttribute;
1.31 +typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
1.32 +typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
1.33 +typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
1.34 +typedef struct NSSTrustDomainStr CERTCertDBHandle;
1.35 +typedef struct CERTCertExtensionStr CERTCertExtension;
1.36 +typedef struct CERTCertKeyStr CERTCertKey;
1.37 +typedef struct CERTCertListStr CERTCertList;
1.38 +typedef struct CERTCertListNodeStr CERTCertListNode;
1.39 +typedef struct CERTCertNicknamesStr CERTCertNicknames;
1.40 +typedef struct CERTCertTrustStr CERTCertTrust;
1.41 +typedef struct CERTCertificateStr CERTCertificate;
1.42 +typedef struct CERTCertificateListStr CERTCertificateList;
1.43 +typedef struct CERTCertificateRequestStr CERTCertificateRequest;
1.44 +typedef struct CERTCrlStr CERTCrl;
1.45 +typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
1.46 +typedef struct CERTCrlEntryStr CERTCrlEntry;
1.47 +typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
1.48 +typedef struct CERTCrlKeyStr CERTCrlKey;
1.49 +typedef struct CERTCrlNodeStr CERTCrlNode;
1.50 +typedef struct CERTDERCertsStr CERTDERCerts;
1.51 +typedef struct CERTDistNamesStr CERTDistNames;
1.52 +typedef struct CERTGeneralNameStr CERTGeneralName;
1.53 +typedef struct CERTGeneralNameListStr CERTGeneralNameList;
1.54 +typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
1.55 +typedef struct CERTNameStr CERTName;
1.56 +typedef struct CERTNameConstraintStr CERTNameConstraint;
1.57 +typedef struct CERTNameConstraintsStr CERTNameConstraints;
1.58 +typedef struct CERTOKDomainNameStr CERTOKDomainName;
1.59 +typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
1.60 +typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
1.61 +typedef struct CERTRDNStr CERTRDN;
1.62 +typedef struct CERTSignedCrlStr CERTSignedCrl;
1.63 +typedef struct CERTSignedDataStr CERTSignedData;
1.64 +typedef struct CERTStatusConfigStr CERTStatusConfig;
1.65 +typedef struct CERTSubjectListStr CERTSubjectList;
1.66 +typedef struct CERTSubjectNodeStr CERTSubjectNode;
1.67 +typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
1.68 +typedef struct CERTValidityStr CERTValidity;
1.69 +typedef struct CERTVerifyLogStr CERTVerifyLog;
1.70 +typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
1.71 +typedef struct CRLDistributionPointStr CRLDistributionPoint;
1.72 +
1.73 +/* CRL extensions type */
1.74 +typedef unsigned long CERTCrlNumber;
1.75 +
1.76 +/*
1.77 +** An X.500 AVA object
1.78 +*/
1.79 +struct CERTAVAStr {
1.80 + SECItem type;
1.81 + SECItem value;
1.82 +};
1.83 +
1.84 +/*
1.85 +** An X.500 RDN object
1.86 +*/
1.87 +struct CERTRDNStr {
1.88 + CERTAVA **avas;
1.89 +};
1.90 +
1.91 +/*
1.92 +** An X.500 name object
1.93 +*/
1.94 +struct CERTNameStr {
1.95 + PLArenaPool *arena;
1.96 + CERTRDN **rdns;
1.97 +};
1.98 +
1.99 +/*
1.100 +** An X.509 validity object
1.101 +*/
1.102 +struct CERTValidityStr {
1.103 + PLArenaPool *arena;
1.104 + SECItem notBefore;
1.105 + SECItem notAfter;
1.106 +};
1.107 +
1.108 +/*
1.109 + * A serial number and issuer name, which is used as a database key
1.110 + */
1.111 +struct CERTCertKeyStr {
1.112 + SECItem serialNumber;
1.113 + SECItem derIssuer;
1.114 +};
1.115 +
1.116 +/*
1.117 +** A signed data object. Used to implement the "signed" macro used
1.118 +** in the X.500 specs.
1.119 +*/
1.120 +struct CERTSignedDataStr {
1.121 + SECItem data;
1.122 + SECAlgorithmID signatureAlgorithm;
1.123 + SECItem signature;
1.124 +};
1.125 +
1.126 +/*
1.127 +** An X.509 subject-public-key-info object
1.128 +*/
1.129 +struct CERTSubjectPublicKeyInfoStr {
1.130 + PLArenaPool *arena;
1.131 + SECAlgorithmID algorithm;
1.132 + SECItem subjectPublicKey;
1.133 +};
1.134 +
1.135 +struct CERTPublicKeyAndChallengeStr {
1.136 + SECItem spki;
1.137 + SECItem challenge;
1.138 +};
1.139 +
1.140 +struct CERTCertTrustStr {
1.141 + unsigned int sslFlags;
1.142 + unsigned int emailFlags;
1.143 + unsigned int objectSigningFlags;
1.144 +};
1.145 +
1.146 +/*
1.147 + * defined the types of trust that exist
1.148 + */
1.149 +typedef enum SECTrustTypeEnum {
1.150 + trustSSL = 0,
1.151 + trustEmail = 1,
1.152 + trustObjectSigning = 2,
1.153 + trustTypeNone = 3
1.154 +} SECTrustType;
1.155 +
1.156 +#define SEC_GET_TRUST_FLAGS(trust,type) \
1.157 + (((type)==trustSSL)?((trust)->sslFlags): \
1.158 + (((type)==trustEmail)?((trust)->emailFlags): \
1.159 + (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
1.160 +
1.161 +/*
1.162 +** An X.509.3 certificate extension
1.163 +*/
1.164 +struct CERTCertExtensionStr {
1.165 + SECItem id;
1.166 + SECItem critical;
1.167 + SECItem value;
1.168 +};
1.169 +
1.170 +struct CERTSubjectNodeStr {
1.171 + struct CERTSubjectNodeStr *next;
1.172 + struct CERTSubjectNodeStr *prev;
1.173 + SECItem certKey;
1.174 + SECItem keyID;
1.175 +};
1.176 +
1.177 +struct CERTSubjectListStr {
1.178 + PLArenaPool *arena;
1.179 + int ncerts;
1.180 + char *emailAddr;
1.181 + CERTSubjectNode *head;
1.182 + CERTSubjectNode *tail; /* do we need tail? */
1.183 + void *entry;
1.184 +};
1.185 +
1.186 +/*
1.187 +** An X.509 certificate object (the unsigned form)
1.188 +*/
1.189 +struct CERTCertificateStr {
1.190 + /* the arena is used to allocate any data structures that have the same
1.191 + * lifetime as the cert. This is all stuff that hangs off of the cert
1.192 + * structure, and is all freed at the same time. I is used when the
1.193 + * cert is decoded, destroyed, and at some times when it changes
1.194 + * state
1.195 + */
1.196 + PLArenaPool *arena;
1.197 +
1.198 + /* The following fields are static after the cert has been decoded */
1.199 + char *subjectName;
1.200 + char *issuerName;
1.201 + CERTSignedData signatureWrap; /* XXX */
1.202 + SECItem derCert; /* original DER for the cert */
1.203 + SECItem derIssuer; /* DER for issuer name */
1.204 + SECItem derSubject; /* DER for subject name */
1.205 + SECItem derPublicKey; /* DER for the public key */
1.206 + SECItem certKey; /* database key for this cert */
1.207 + SECItem version;
1.208 + SECItem serialNumber;
1.209 + SECAlgorithmID signature;
1.210 + CERTName issuer;
1.211 + CERTValidity validity;
1.212 + CERTName subject;
1.213 + CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
1.214 + SECItem issuerID;
1.215 + SECItem subjectID;
1.216 + CERTCertExtension **extensions;
1.217 + char *emailAddr;
1.218 + CERTCertDBHandle *dbhandle;
1.219 + SECItem subjectKeyID; /* x509v3 subject key identifier */
1.220 + PRBool keyIDGenerated; /* was the keyid generated? */
1.221 + unsigned int keyUsage; /* what uses are allowed for this cert */
1.222 + unsigned int rawKeyUsage; /* value of the key usage extension */
1.223 + PRBool keyUsagePresent; /* was the key usage extension present */
1.224 + PRUint32 nsCertType; /* value of the ns cert type extension */
1.225 + /* must be 32-bit for PR_ATOMIC_SET */
1.226 +
1.227 + /* these values can be set by the application to bypass certain checks
1.228 + * or to keep the cert in memory for an entire session.
1.229 + * XXX - need an api to set these
1.230 + */
1.231 + PRBool keepSession; /* keep this cert for entire session*/
1.232 + PRBool timeOK; /* is the bad validity time ok? */
1.233 + CERTOKDomainName *domainOK; /* these domain names are ok */
1.234 +
1.235 + /*
1.236 + * these values can change when the cert changes state. These state
1.237 + * changes include transitions from temp to perm or vice-versa, and
1.238 + * changes of trust flags
1.239 + */
1.240 + PRBool isperm;
1.241 + PRBool istemp;
1.242 + char *nickname;
1.243 + char *dbnickname;
1.244 + struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
1.245 + CERTCertTrust *trust;
1.246 +
1.247 + /* the reference count is modified whenever someone looks up, dups
1.248 + * or destroys a certificate
1.249 + */
1.250 + int referenceCount;
1.251 +
1.252 + /* The subject list is a list of all certs with the same subject name.
1.253 + * It can be modified any time a cert is added or deleted from either
1.254 + * the in-memory(temporary) or on-disk(permanent) database.
1.255 + */
1.256 + CERTSubjectList *subjectList;
1.257 +
1.258 + /* these belong in the static section, but are here to maintain
1.259 + * the structure's integrity
1.260 + */
1.261 + CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */
1.262 + PRBool isRoot; /* cert is the end of a chain */
1.263 +
1.264 + /* these fields are used by client GUI code to keep track of ssl sockets
1.265 + * that are blocked waiting on GUI feedback related to this cert.
1.266 + * XXX - these should be moved into some sort of application specific
1.267 + * data structure. They are only used by the browser right now.
1.268 + */
1.269 + union {
1.270 + void* apointer; /* was struct SECSocketNode* authsocketlist */
1.271 + struct {
1.272 + unsigned int hasUnsupportedCriticalExt :1;
1.273 + /* add any new option bits needed here */
1.274 + } bits;
1.275 + } options;
1.276 + int series; /* was int authsocketcount; record the series of the pkcs11ID */
1.277 +
1.278 + /* This is PKCS #11 stuff. */
1.279 + PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
1.280 + CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
1.281 + PRBool ownSlot; /*true if the cert owns the slot reference */
1.282 +};
1.283 +#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
1.284 +#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
1.285 +#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
1.286 +
1.287 +#define SEC_CRL_VERSION_1 0 /* default */
1.288 +#define SEC_CRL_VERSION_2 1 /* v2 extensions */
1.289 +
1.290 +/*
1.291 + * used to identify class of cert in mime stream code
1.292 + */
1.293 +#define SEC_CERT_CLASS_CA 1
1.294 +#define SEC_CERT_CLASS_SERVER 2
1.295 +#define SEC_CERT_CLASS_USER 3
1.296 +#define SEC_CERT_CLASS_EMAIL 4
1.297 +
1.298 +struct CERTDERCertsStr {
1.299 + PLArenaPool *arena;
1.300 + int numcerts;
1.301 + SECItem *rawCerts;
1.302 +};
1.303 +
1.304 +/*
1.305 +** A PKCS ? Attribute
1.306 +** XXX this is duplicated through out the code, it *should* be moved
1.307 +** to a central location. Where would be appropriate?
1.308 +*/
1.309 +struct CERTAttributeStr {
1.310 + SECItem attrType;
1.311 + SECItem **attrValue;
1.312 +};
1.313 +
1.314 +/*
1.315 +** A PKCS#10 certificate-request object (the unsigned form)
1.316 +*/
1.317 +struct CERTCertificateRequestStr {
1.318 + PLArenaPool *arena;
1.319 + SECItem version;
1.320 + CERTName subject;
1.321 + CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
1.322 + CERTAttribute **attributes;
1.323 +};
1.324 +#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
1.325 +
1.326 +
1.327 +/*
1.328 +** A certificate list object.
1.329 +*/
1.330 +struct CERTCertificateListStr {
1.331 + SECItem *certs;
1.332 + int len; /* number of certs */
1.333 + PLArenaPool *arena;
1.334 +};
1.335 +
1.336 +struct CERTCertListNodeStr {
1.337 + PRCList links;
1.338 + CERTCertificate *cert;
1.339 + void *appData;
1.340 +};
1.341 +
1.342 +struct CERTCertListStr {
1.343 + PRCList list;
1.344 + PLArenaPool *arena;
1.345 +};
1.346 +
1.347 +#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
1.348 +#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
1.349 +#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
1.350 +#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
1.351 +#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
1.352 +
1.353 +struct CERTCrlEntryStr {
1.354 + SECItem serialNumber;
1.355 + SECItem revocationDate;
1.356 + CERTCertExtension **extensions;
1.357 +};
1.358 +
1.359 +struct CERTCrlStr {
1.360 + PLArenaPool *arena;
1.361 + SECItem version;
1.362 + SECAlgorithmID signatureAlg;
1.363 + SECItem derName;
1.364 + CERTName name;
1.365 + SECItem lastUpdate;
1.366 + SECItem nextUpdate; /* optional for x.509 CRL */
1.367 + CERTCrlEntry **entries;
1.368 + CERTCertExtension **extensions;
1.369 + /* can't add anything there for binary backwards compatibility reasons */
1.370 +};
1.371 +
1.372 +struct CERTCrlKeyStr {
1.373 + SECItem derName;
1.374 + SECItem dummy; /* The decoder can not skip a primitive,
1.375 + this serves as a place holder for the
1.376 + decoder to finish its task only
1.377 + */
1.378 +};
1.379 +
1.380 +struct CERTSignedCrlStr {
1.381 + PLArenaPool *arena;
1.382 + CERTCrl crl;
1.383 + void *reserved1;
1.384 + PRBool reserved2;
1.385 + PRBool isperm;
1.386 + PRBool istemp;
1.387 + int referenceCount;
1.388 + CERTCertDBHandle *dbhandle;
1.389 + CERTSignedData signatureWrap; /* XXX */
1.390 + char *url;
1.391 + SECItem *derCrl;
1.392 + PK11SlotInfo *slot;
1.393 + CK_OBJECT_HANDLE pkcs11ID;
1.394 + void* opaque; /* do not touch */
1.395 +};
1.396 +
1.397 +
1.398 +struct CERTCrlHeadNodeStr {
1.399 + PLArenaPool *arena;
1.400 + CERTCertDBHandle *dbhandle;
1.401 + CERTCrlNode *first;
1.402 + CERTCrlNode *last;
1.403 +};
1.404 +
1.405 +
1.406 +struct CERTCrlNodeStr {
1.407 + CERTCrlNode *next;
1.408 + int type;
1.409 + CERTSignedCrl *crl;
1.410 +};
1.411 +
1.412 +
1.413 +/*
1.414 + * Array of X.500 Distinguished Names
1.415 + */
1.416 +struct CERTDistNamesStr {
1.417 + PLArenaPool *arena;
1.418 + int nnames;
1.419 + SECItem *names;
1.420 + void *head; /* private */
1.421 +};
1.422 +
1.423 +
1.424 +#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
1.425 +#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
1.426 +#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
1.427 +#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
1.428 +#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
1.429 +#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
1.430 +#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
1.431 +#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
1.432 +
1.433 +#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
1.434 +#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
1.435 +
1.436 +#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
1.437 + NS_CERT_TYPE_SSL_SERVER | \
1.438 + NS_CERT_TYPE_EMAIL | \
1.439 + NS_CERT_TYPE_OBJECT_SIGNING )
1.440 +
1.441 +#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
1.442 + NS_CERT_TYPE_EMAIL_CA | \
1.443 + NS_CERT_TYPE_OBJECT_SIGNING_CA | \
1.444 + EXT_KEY_USAGE_STATUS_RESPONDER )
1.445 +typedef enum SECCertUsageEnum {
1.446 + certUsageSSLClient = 0,
1.447 + certUsageSSLServer = 1,
1.448 + certUsageSSLServerWithStepUp = 2,
1.449 + certUsageSSLCA = 3,
1.450 + certUsageEmailSigner = 4,
1.451 + certUsageEmailRecipient = 5,
1.452 + certUsageObjectSigner = 6,
1.453 + certUsageUserCertImport = 7,
1.454 + certUsageVerifyCA = 8,
1.455 + certUsageProtectedObjectSigner = 9,
1.456 + certUsageStatusResponder = 10,
1.457 + certUsageAnyCA = 11
1.458 +} SECCertUsage;
1.459 +
1.460 +typedef PRInt64 SECCertificateUsage;
1.461 +
1.462 +#define certificateUsageCheckAllUsages (0x0000)
1.463 +#define certificateUsageSSLClient (0x0001)
1.464 +#define certificateUsageSSLServer (0x0002)
1.465 +#define certificateUsageSSLServerWithStepUp (0x0004)
1.466 +#define certificateUsageSSLCA (0x0008)
1.467 +#define certificateUsageEmailSigner (0x0010)
1.468 +#define certificateUsageEmailRecipient (0x0020)
1.469 +#define certificateUsageObjectSigner (0x0040)
1.470 +#define certificateUsageUserCertImport (0x0080)
1.471 +#define certificateUsageVerifyCA (0x0100)
1.472 +#define certificateUsageProtectedObjectSigner (0x0200)
1.473 +#define certificateUsageStatusResponder (0x0400)
1.474 +#define certificateUsageAnyCA (0x0800)
1.475 +
1.476 +#define certificateUsageHighest certificateUsageAnyCA
1.477 +
1.478 +/*
1.479 + * Does the cert belong to the user, a peer, or a CA.
1.480 + */
1.481 +typedef enum CERTCertOwnerEnum {
1.482 + certOwnerUser = 0,
1.483 + certOwnerPeer = 1,
1.484 + certOwnerCA = 2
1.485 +} CERTCertOwner;
1.486 +
1.487 +/*
1.488 + * This enum represents the state of validity times of a certificate
1.489 + */
1.490 +typedef enum SECCertTimeValidityEnum {
1.491 + secCertTimeValid = 0,
1.492 + secCertTimeExpired = 1,
1.493 + secCertTimeNotValidYet = 2,
1.494 + secCertTimeUndetermined = 3 /* validity could not be decoded from the
1.495 + cert, most likely because it was NULL */
1.496 +} SECCertTimeValidity;
1.497 +
1.498 +/*
1.499 + * This is used as return status in functions that compare the validity
1.500 + * periods of two certificates A and B, currently only
1.501 + * CERT_CompareValidityTimes.
1.502 + */
1.503 +
1.504 +typedef enum CERTCompareValidityStatusEnum
1.505 +{
1.506 + certValidityUndetermined = 0, /* the function is unable to select one cert
1.507 + over another */
1.508 + certValidityChooseB = 1, /* cert B should be preferred */
1.509 + certValidityEqual = 2, /* both certs have the same validity period */
1.510 + certValidityChooseA = 3 /* cert A should be preferred */
1.511 +} CERTCompareValidityStatus;
1.512 +
1.513 +/*
1.514 + * Interface for getting certificate nickname strings out of the database
1.515 + */
1.516 +
1.517 +/* these are values for the what argument below */
1.518 +#define SEC_CERT_NICKNAMES_ALL 1
1.519 +#define SEC_CERT_NICKNAMES_USER 2
1.520 +#define SEC_CERT_NICKNAMES_SERVER 3
1.521 +#define SEC_CERT_NICKNAMES_CA 4
1.522 +
1.523 +struct CERTCertNicknamesStr {
1.524 + PLArenaPool *arena;
1.525 + void *head;
1.526 + int numnicknames;
1.527 + char **nicknames;
1.528 + int what;
1.529 + int totallen;
1.530 +};
1.531 +
1.532 +struct CERTIssuerAndSNStr {
1.533 + SECItem derIssuer;
1.534 + CERTName issuer;
1.535 + SECItem serialNumber;
1.536 +};
1.537 +
1.538 +
1.539 +/* X.509 v3 Key Usage Extension flags */
1.540 +#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
1.541 +#define KU_NON_REPUDIATION (0x40) /* bit 1 */
1.542 +#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
1.543 +#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
1.544 +#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
1.545 +#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
1.546 +#define KU_CRL_SIGN (0x02) /* bit 6 */
1.547 +#define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
1.548 +#define KU_ALL (KU_DIGITAL_SIGNATURE | \
1.549 + KU_NON_REPUDIATION | \
1.550 + KU_KEY_ENCIPHERMENT | \
1.551 + KU_DATA_ENCIPHERMENT | \
1.552 + KU_KEY_AGREEMENT | \
1.553 + KU_KEY_CERT_SIGN | \
1.554 + KU_CRL_SIGN | \
1.555 + KU_ENCIPHER_ONLY)
1.556 +
1.557 +/* This value will not occur in certs. It is used internally for the case
1.558 + * when either digital signature or non-repudiation is the correct value.
1.559 + */
1.560 +#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
1.561 +
1.562 +/* This value will not occur in certs. It is used internally for the case
1.563 + * when the key type is not know ahead of time and either key agreement or
1.564 + * key encipherment are the correct value based on key type
1.565 + */
1.566 +#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
1.567 +
1.568 +/* internal bits that do not match bits in the x509v3 spec, but are used
1.569 + * for similar purposes
1.570 + */
1.571 +#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
1.572 +/*
1.573 + * x.509 v3 Basic Constraints Extension
1.574 + * If isCA is false, the pathLenConstraint is ignored.
1.575 + * Otherwise, the following pathLenConstraint values will apply:
1.576 + * < 0 - there is no limit to the certificate path
1.577 + * 0 - CA can issues end-entity certificates only
1.578 + * > 0 - the number of certificates in the certificate path is
1.579 + * limited to this number
1.580 + */
1.581 +#define CERT_UNLIMITED_PATH_CONSTRAINT -2
1.582 +
1.583 +struct CERTBasicConstraintsStr {
1.584 + PRBool isCA; /* on if is CA */
1.585 + int pathLenConstraint; /* maximum number of certificates that can be
1.586 + in the cert path. Only applies to a CA
1.587 + certificate; otherwise, it's ignored.
1.588 + */
1.589 +};
1.590 +
1.591 +/* Maximum length of a certificate chain */
1.592 +#define CERT_MAX_CERT_CHAIN 20
1.593 +
1.594 +#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
1.595 +#define CERT_MAX_DN_BYTES 4096 /* arbitrary */
1.596 +
1.597 +/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
1.598 +#define RF_UNUSED (0x80) /* bit 0 */
1.599 +#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
1.600 +#define RF_CA_COMPROMISE (0x20) /* bit 2 */
1.601 +#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
1.602 +#define RF_SUPERSEDED (0x08) /* bit 4 */
1.603 +#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
1.604 +#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
1.605 +
1.606 +/* enum for CRL Entry Reason Code */
1.607 +typedef enum CERTCRLEntryReasonCodeEnum {
1.608 + crlEntryReasonUnspecified = 0,
1.609 + crlEntryReasonKeyCompromise = 1,
1.610 + crlEntryReasonCaCompromise = 2,
1.611 + crlEntryReasonAffiliationChanged = 3,
1.612 + crlEntryReasonSuperseded = 4,
1.613 + crlEntryReasonCessationOfOperation = 5,
1.614 + crlEntryReasoncertificatedHold = 6,
1.615 + crlEntryReasonRemoveFromCRL = 8,
1.616 + crlEntryReasonPrivilegeWithdrawn = 9,
1.617 + crlEntryReasonAaCompromise = 10
1.618 +} CERTCRLEntryReasonCode;
1.619 +
1.620 +/* If we needed to extract the general name field, use this */
1.621 +/* General Name types */
1.622 +typedef enum CERTGeneralNameTypeEnum {
1.623 + certOtherName = 1,
1.624 + certRFC822Name = 2,
1.625 + certDNSName = 3,
1.626 + certX400Address = 4,
1.627 + certDirectoryName = 5,
1.628 + certEDIPartyName = 6,
1.629 + certURI = 7,
1.630 + certIPAddress = 8,
1.631 + certRegisterID = 9
1.632 +} CERTGeneralNameType;
1.633 +
1.634 +
1.635 +typedef struct OtherNameStr {
1.636 + SECItem name;
1.637 + SECItem oid;
1.638 +}OtherName;
1.639 +
1.640 +
1.641 +
1.642 +struct CERTGeneralNameStr {
1.643 + CERTGeneralNameType type; /* name type */
1.644 + union {
1.645 + CERTName directoryName; /* distinguish name */
1.646 + OtherName OthName; /* Other Name */
1.647 + SECItem other; /* the rest of the name forms */
1.648 + }name;
1.649 + SECItem derDirectoryName; /* this is saved to simplify directory name
1.650 + comparison */
1.651 + PRCList l;
1.652 +};
1.653 +
1.654 +struct CERTGeneralNameListStr {
1.655 + PLArenaPool *arena;
1.656 + CERTGeneralName *name;
1.657 + int refCount;
1.658 + int len;
1.659 + PZLock *lock;
1.660 +};
1.661 +
1.662 +struct CERTNameConstraintStr {
1.663 + CERTGeneralName name;
1.664 + SECItem DERName;
1.665 + SECItem min;
1.666 + SECItem max;
1.667 + PRCList l;
1.668 +};
1.669 +
1.670 +
1.671 +struct CERTNameConstraintsStr {
1.672 + CERTNameConstraint *permited;
1.673 + CERTNameConstraint *excluded;
1.674 + SECItem **DERPermited;
1.675 + SECItem **DERExcluded;
1.676 +};
1.677 +
1.678 +
1.679 +/* Private Key Usage Period extension struct. */
1.680 +struct CERTPrivKeyUsagePeriodStr {
1.681 + SECItem notBefore;
1.682 + SECItem notAfter;
1.683 + PLArenaPool *arena;
1.684 +};
1.685 +
1.686 +/* X.509 v3 Authority Key Identifier extension. For the authority certificate
1.687 + issuer field, we only support URI now.
1.688 + */
1.689 +struct CERTAuthKeyIDStr {
1.690 + SECItem keyID; /* unique key identifier */
1.691 + CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
1.692 + SECItem authCertSerialNumber; /* CA's certificate serial number */
1.693 + SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
1.694 + the authCertIssuer field. It is used
1.695 + by the encoding engine. It should be
1.696 + used as a read only field by the caller.
1.697 + */
1.698 +};
1.699 +
1.700 +/* x.509 v3 CRL Distributeion Point */
1.701 +
1.702 +/*
1.703 + * defined the types of CRL Distribution points
1.704 + */
1.705 +typedef enum DistributionPointTypesEnum {
1.706 + generalName = 1, /* only support this for now */
1.707 + relativeDistinguishedName = 2
1.708 +} DistributionPointTypes;
1.709 +
1.710 +struct CRLDistributionPointStr {
1.711 + DistributionPointTypes distPointType;
1.712 + union {
1.713 + CERTGeneralName *fullName;
1.714 + CERTRDN relativeName;
1.715 + } distPoint;
1.716 + SECItem reasons;
1.717 + CERTGeneralName *crlIssuer;
1.718 +
1.719 + /* Reserved for internal use only*/
1.720 + SECItem derDistPoint;
1.721 + SECItem derRelativeName;
1.722 + SECItem **derCrlIssuer;
1.723 + SECItem **derFullName;
1.724 + SECItem bitsmap;
1.725 +};
1.726 +
1.727 +struct CERTCrlDistributionPointsStr {
1.728 + CRLDistributionPoint **distPoints;
1.729 +};
1.730 +
1.731 +/*
1.732 + * This structure is used to keep a log of errors when verifying
1.733 + * a cert chain. This allows multiple errors to be reported all at
1.734 + * once.
1.735 + */
1.736 +struct CERTVerifyLogNodeStr {
1.737 + CERTCertificate *cert; /* what cert had the error */
1.738 + long error; /* what error was it? */
1.739 + unsigned int depth; /* how far up the chain are we */
1.740 + void *arg; /* error specific argument */
1.741 + struct CERTVerifyLogNodeStr *next; /* next in the list */
1.742 + struct CERTVerifyLogNodeStr *prev; /* next in the list */
1.743 +};
1.744 +
1.745 +
1.746 +struct CERTVerifyLogStr {
1.747 + PLArenaPool *arena;
1.748 + unsigned int count;
1.749 + struct CERTVerifyLogNodeStr *head;
1.750 + struct CERTVerifyLogNodeStr *tail;
1.751 +};
1.752 +
1.753 +
1.754 +struct CERTOKDomainNameStr {
1.755 + CERTOKDomainName *next;
1.756 + char name[1]; /* actual length may be longer. */
1.757 +};
1.758 +
1.759 +
1.760 +typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
1.761 + CERTCertificate *cert,
1.762 + PRTime time,
1.763 + void *pwArg);
1.764 +
1.765 +typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
1.766 +
1.767 +struct CERTStatusConfigStr {
1.768 + CERTStatusChecker statusChecker; /* NULL means no checking enabled */
1.769 + CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
1.770 + void *statusContext; /* cx specific to checking protocol */
1.771 +};
1.772 +
1.773 +struct CERTAuthInfoAccessStr {
1.774 + SECItem method;
1.775 + SECItem derLocation;
1.776 + CERTGeneralName *location; /* decoded location */
1.777 +};
1.778 +
1.779 +
1.780 +/* This is the typedef for the callback passed to CERT_OpenCertDB() */
1.781 +/* callback to return database name based on version number */
1.782 +typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
1.783 +
1.784 +/*
1.785 + * types of cert packages that we can decode
1.786 + */
1.787 +typedef enum CERTPackageTypeEnum {
1.788 + certPackageNone = 0,
1.789 + certPackageCert = 1,
1.790 + certPackagePKCS7 = 2,
1.791 + certPackageNSCertSeq = 3,
1.792 + certPackageNSCertWrap = 4
1.793 +} CERTPackageType;
1.794 +
1.795 +/*
1.796 + * these types are for the PKIX Certificate Policies extension
1.797 + */
1.798 +typedef struct {
1.799 + SECOidTag oid;
1.800 + SECItem qualifierID;
1.801 + SECItem qualifierValue;
1.802 +} CERTPolicyQualifier;
1.803 +
1.804 +typedef struct {
1.805 + SECOidTag oid;
1.806 + SECItem policyID;
1.807 + CERTPolicyQualifier **policyQualifiers;
1.808 +} CERTPolicyInfo;
1.809 +
1.810 +typedef struct {
1.811 + PLArenaPool *arena;
1.812 + CERTPolicyInfo **policyInfos;
1.813 +} CERTCertificatePolicies;
1.814 +
1.815 +typedef struct {
1.816 + SECItem organization;
1.817 + SECItem **noticeNumbers;
1.818 +} CERTNoticeReference;
1.819 +
1.820 +typedef struct {
1.821 + PLArenaPool *arena;
1.822 + CERTNoticeReference noticeReference;
1.823 + SECItem derNoticeReference;
1.824 + SECItem displayText;
1.825 +} CERTUserNotice;
1.826 +
1.827 +typedef struct {
1.828 + PLArenaPool *arena;
1.829 + SECItem **oids;
1.830 +} CERTOidSequence;
1.831 +
1.832 +/*
1.833 + * these types are for the PKIX Policy Mappings extension
1.834 + */
1.835 +typedef struct {
1.836 + SECItem issuerDomainPolicy;
1.837 + SECItem subjectDomainPolicy;
1.838 +} CERTPolicyMap;
1.839 +
1.840 +typedef struct {
1.841 + PLArenaPool *arena;
1.842 + CERTPolicyMap **policyMaps;
1.843 +} CERTCertificatePolicyMappings;
1.844 +
1.845 +/*
1.846 + * these types are for the PKIX inhibitAnyPolicy extension
1.847 + */
1.848 +typedef struct {
1.849 + SECItem inhibitAnySkipCerts;
1.850 +} CERTCertificateInhibitAny;
1.851 +
1.852 +/*
1.853 + * these types are for the PKIX Policy Constraints extension
1.854 + */
1.855 +typedef struct {
1.856 + SECItem explicitPolicySkipCerts;
1.857 + SECItem inhibitMappingSkipCerts;
1.858 +} CERTCertificatePolicyConstraints;
1.859 +
1.860 +/*
1.861 + * These types are for the validate chain callback param.
1.862 + *
1.863 + * CERTChainVerifyCallback is an application-supplied callback that can be used
1.864 + * to augment libpkix's certificate chain validation with additional
1.865 + * application-specific checks. It may be called multiple times if there are
1.866 + * multiple potentially-valid paths for the certificate being validated. This
1.867 + * callback is called before revocation checking is done on the certificates in
1.868 + * the given chain.
1.869 + *
1.870 + * - isValidChainArg contains the application-provided opaque argument
1.871 + * - currentChain is the currently validated chain. It is ordered with the leaf
1.872 + * certificate at the head and the trust anchor at the tail.
1.873 + *
1.874 + * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
1.875 + * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
1.876 + * return SECSuccess if the chain is unacceptable, to indicate that the given
1.877 + * chain is bad and path building should continue. It should return SECFailure
1.878 + * to indicate an fatal error that will cause path validation to fail
1.879 + * immediately.
1.880 + */
1.881 +typedef SECStatus (*CERTChainVerifyCallbackFunc)
1.882 + (void *isChainValidArg,
1.883 + const CERTCertList *currentChain,
1.884 + PRBool *chainOK);
1.885 +
1.886 +/*
1.887 + * Note: If extending this structure, it will be necessary to change the
1.888 + * associated CERTValParamInType
1.889 + */
1.890 +typedef struct {
1.891 + CERTChainVerifyCallbackFunc isChainValid;
1.892 + void *isChainValidArg;
1.893 +} CERTChainVerifyCallback;
1.894 +
1.895 +/*
1.896 + * these types are for the CERT_PKIX* Verification functions
1.897 + * These are all optional parameters.
1.898 + */
1.899 +
1.900 +typedef enum {
1.901 + cert_pi_end = 0, /* SPECIAL: signifies end of array of
1.902 + * CERTValParam* */
1.903 + cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
1.904 + * resume a session. If this argument is
1.905 + * specified, no other arguments should be.
1.906 + * Specified in value.pointer.p. If the
1.907 + * operation completes the context will be
1.908 + * freed. */
1.909 + cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
1.910 + * existing operation which the caller wants
1.911 + * to abort. If this argument is
1.912 + * specified, no other arguments should be.
1.913 + * Specified in value.pointer.p. If the
1.914 + * operation succeeds the context will be
1.915 + * freed. */
1.916 + cert_pi_certList = 3, /* specify the chain to validate against. If
1.917 + * this value is given, then the path
1.918 + * construction step in the validation is
1.919 + * skipped. Specified in value.pointer.chain */
1.920 + cert_pi_policyOID = 4, /* validate certificate for policy OID.
1.921 + * Specified in value.array.oids. Cert must
1.922 + * be good for at least one OID in order
1.923 + * to validate. Default is that the user is not
1.924 + * concerned about certificate policy. */
1.925 + cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
1.926 + * Specified in value.scalar.ul. Policy flags
1.927 + * apply to all specified oids.
1.928 + * Use CERT_POLICY_FLAG_* macros below. If not
1.929 + * specified policy flags default to 0 */
1.930 + cert_pi_keyusage = 6, /* specify what the keyusages the certificate
1.931 + * will be evaluated against, specified in
1.932 + * value.scalar.ui. The cert must validate for
1.933 + * at least one of the specified key usages.
1.934 + * Values match the KU_ bit flags defined
1.935 + * in this file. Default is derived from
1.936 + * the 'usages' function argument */
1.937 + cert_pi_extendedKeyusage= 7, /* specify what the required extended key
1.938 + * usage of the certificate. Specified as
1.939 + * an array of oidTags in value.array.oids.
1.940 + * The cert must validate for at least one
1.941 + * of the specified extended key usages.
1.942 + * If not specified, no extended key usages
1.943 + * will be checked. */
1.944 + cert_pi_date = 8, /* validate certificate is valid as of date
1.945 + * specified in value.scalar.time. A special
1.946 + * value '0' indicates 'now'. default is '0' */
1.947 + cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
1.948 + * See CERT_REV_FLAG_* macros below
1.949 + * Set in value.pointer.revocation */
1.950 + cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below)
1.951 + * Set in value.scalar.ui */
1.952 + cert_pi_trustAnchors = 11,/* Specify the list of trusted roots to
1.953 + * validate against.
1.954 + * The default set of trusted roots, these are
1.955 + * root CA certs from libnssckbi.so or CA
1.956 + * certs trusted by user, are used in any of
1.957 + * the following cases:
1.958 + * * when the parameter is not set.
1.959 + * * when the list of trust anchors is empty.
1.960 + * Note that this handling can be further altered by altering the
1.961 + * cert_pi_useOnlyTrustAnchors flag
1.962 + * Specified in value.pointer.chain */
1.963 + cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
1.964 + * In NSS 3.12.1 or later. Default is off.
1.965 + * Value is in value.scalar.b */
1.966 + cert_pi_chainVerifyCallback = 13,
1.967 + /* The callback container for doing extra
1.968 + * validation on the currently calculated chain.
1.969 + * Value is in value.pointer.chainVerifyCallback */
1.970 + cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
1.971 + * certificates other than the ones passed in via cert_pi_trustAnchors.
1.972 + * If false, then the certificates specified via cert_pi_trustAnchors
1.973 + * will be combined with the pre-existing trusted roots, but only for
1.974 + * the certificate validation being performed.
1.975 + * If no value has been supplied via cert_pi_trustAnchors, this has no
1.976 + * effect.
1.977 + * The default value is true, meaning if this is not supplied, only
1.978 + * trust anchors supplied via cert_pi_trustAnchors are trusted.
1.979 + * Specified in value.scalar.b */
1.980 + cert_pi_max /* SPECIAL: signifies maximum allowed value,
1.981 + * can increase in future releases */
1.982 +} CERTValParamInType;
1.983 +
1.984 +/*
1.985 + * for all out parameters:
1.986 + * out parameters are only returned if the caller asks for them in
1.987 + * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
1.988 + * array itself. The pkix verify function will allocate and other arrays
1.989 + * pointers, or objects. The Caller is responsible for freeing those results.
1.990 + * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
1.991 + */
1.992 +typedef enum {
1.993 + cert_po_end = 0, /* SPECIAL: signifies end of array of
1.994 + * CERTValParam* */
1.995 + cert_po_nbioContext = 1, /* Return a nonblocking context. If no
1.996 + * non-blocking context is specified, then
1.997 + * blocking IO will be used.
1.998 + * Returned in value.pointer.p. The context is
1.999 + * freed after an abort or a complete operation.
1.1000 + * This value is only returned on SECWouldBlock.
1.1001 + */
1.1002 + cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that
1.1003 + * was validated. Returned in
1.1004 + * value.pointer.cert, this value is only
1.1005 + * returned on SECSuccess. */
1.1006 + cert_po_certList = 3, /* Return the entire chain that was validated.
1.1007 + * Returned in value.pointer.certList. If no
1.1008 + * chain could be constructed, this value
1.1009 + * would be NULL. */
1.1010 + cert_po_policyOID = 4, /* Return the policies that were found to be
1.1011 + * valid. Returned in value.array.oids as an
1.1012 + * array. This is only returned on
1.1013 + * SECSuccess. */
1.1014 + cert_po_errorLog = 5, /* Return a log of problems with the chain.
1.1015 + * Returned in value.pointer.log */
1.1016 + cert_po_usages = 6, /* Return what usages the certificate is valid
1.1017 + for.
Returned in value.scalar.usages */ 1.1018 + cert_po_keyUsage = 7, /* Return what key usages the certificate 1.1019 + * is valid for. 1.1020 + * Returned in value.scalar.usage */ 1.1021 + cert_po_extendedKeyusage= 8, /* Return what extended key usages the 1.1022 + * certificate is valid for. 1.1023 + * Returned in value.array.oids */ 1.1024 + cert_po_max /* SPECIAL: signifies maximum allowed value, 1.1025 + * can increase in future releases */ 1.1026 + 1.1027 +} CERTValParamOutType; 1.1028 + 1.1029 +typedef enum { 1.1030 + cert_revocation_method_crl = 0, 1.1031 + cert_revocation_method_ocsp, 1.1032 + cert_revocation_method_count 1.1033 +} CERTRevocationMethodIndex; 1.1034 + 1.1035 + 1.1036 +/* 1.1037 + * The following flags are supposed to be used to control bits in 1.1038 + * each integer contained in the array pointed to be: 1.1039 + * CERTRevocationTests.cert_rev_flags_per_method 1.1040 + * All Flags are prefixed by CERT_REV_M_, where _M_ indicates 1.1041 + * this is a method dependent flag. 1.1042 + */ 1.1043 + 1.1044 +/* 1.1045 + * Whether or not to use a method for revocation testing. 1.1046 + * If set to "do not test", then all other flags are ignored. 1.1047 + */ 1.1048 +#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL 1.1049 +#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL 1.1050 + 1.1051 +/* 1.1052 + * Whether or not NSS is allowed to attempt to fetch fresh information 1.1053 + * from the network. 1.1054 + * (Although fetching will never happen if fresh information for the 1.1055 + * method is already locally available.) 1.1056 + */ 1.1057 +#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL 1.1058 +#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL 1.1059 + 1.1060 +/* 1.1061 + * Example for an implicit default source: 1.1062 + * The globally configured default OCSP responder. 1.1063 + * IGNORE means: 1.1064 + * ignore the implicit default source, whether it's configured or not. 
1.1065 + * ALLOW means: 1.1066 + * if an implicit default source is configured, 1.1067 + * then it overrides any available or missing source in the cert. 1.1068 + * if no implicit default source is configured, 1.1069 + * then we continue to use what's available (or not available) 1.1070 + * in the certs. 1.1071 + */ 1.1072 +#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL 1.1073 +#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL 1.1074 + 1.1075 +/* 1.1076 + * Defines the behavior if no fresh information is available, 1.1077 + * fetching from the network is allowed, but the source of revocation 1.1078 + * information is unknown (even after considering implicit sources, 1.1079 + * if allowed by other flags). 1.1080 + * SKIPT_TEST means: 1.1081 + * We ignore that no fresh information is available and 1.1082 + * skip this test. 1.1083 + * REQUIRE_INFO means: 1.1084 + * We still require that fresh information is available. 1.1085 + * Other flags define what happens on missing fresh info. 1.1086 + */ 1.1087 +#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL 1.1088 +#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL 1.1089 + 1.1090 +/* 1.1091 + * Defines the behavior if we are unable to obtain fresh information. 1.1092 + * INGORE means: 1.1093 + * Return "cert status unknown" 1.1094 + * FAIL means: 1.1095 + * Return "cert revoked". 1.1096 + */ 1.1097 +#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL 1.1098 +#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL 1.1099 + 1.1100 +/* 1.1101 + * What should happen if we were able to find fresh information using 1.1102 + * this method, and the data indicated the cert is good? 1.1103 + * STOP_TESTING means: 1.1104 + * Our success is sufficient, do not continue testing 1.1105 + * other methods. 1.1106 + * CONTINUE_TESTING means: 1.1107 + * We will continue and test the next allowed 1.1108 + * specified method. 
1.1109 + */ 1.1110 +#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL 1.1111 +#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL 1.1112 + 1.1113 +/* When this flag is used, libpkix will never attempt to use the GET HTTP 1.1114 + * method for OCSP requests; it will always use POST. 1.1115 + */ 1.1116 +#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL 1.1117 + 1.1118 +/* 1.1119 + * The following flags are supposed to be used to control bits in 1.1120 + * CERTRevocationTests.cert_rev_method_independent_flags 1.1121 + * All Flags are prefixed by CERT_REV_M_, where _M_ indicates 1.1122 + * this is a method independent flag. 1.1123 + */ 1.1124 + 1.1125 +/* 1.1126 + * This defines the order to checking. 1.1127 + * EACH_METHOD_SEPARATELY means: 1.1128 + * Do all tests related to a particular allowed method 1.1129 + * (both local information and network fetching) in a single step. 1.1130 + * Only after testing for a particular method is done, 1.1131 + * then switching to the next method will happen. 1.1132 + * ALL_LOCAL_INFORMATION_FIRST means: 1.1133 + * Start by testing the information for all allowed methods 1.1134 + * which are already locally available. Only after that is done 1.1135 + * consider to fetch from the network (as allowed by other flags). 1.1136 + */ 1.1137 +#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL 1.1138 +#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL 1.1139 + 1.1140 +/* 1.1141 + * Use this flag to specify that it's necessary that fresh information 1.1142 + * is available for at least one of the allowed methods, but it's 1.1143 + * irrelevant which of the mechanisms succeeded. 1.1144 + * NO_OVERALL_INFO_REQUIREMENT means: 1.1145 + * We strictly follow the requirements for each individual method. 1.1146 + * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: 1.1147 + * After the individual tests have been executed, we must have 1.1148 + * been able to find fresh information using at least one method. 
1.1149 + * If we were unable to find fresh info, it's a failure. 1.1150 + * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 1.1151 + * flag on all methods. 1.1152 + */ 1.1153 +#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL 1.1154 +#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL 1.1155 + 1.1156 + 1.1157 +typedef struct { 1.1158 + /* 1.1159 + * The size of the array that cert_rev_flags_per_method points to, 1.1160 + * meaning, the number of methods that are known and defined 1.1161 + * by the caller. 1.1162 + */ 1.1163 + PRUint32 number_of_defined_methods; 1.1164 + 1.1165 + /* 1.1166 + * A pointer to an array of integers. 1.1167 + * Each integer defines revocation checking for a single method, 1.1168 + * by having individual CERT_REV_M_* bits set or not set. 1.1169 + * The meaning of index numbers into this array are defined by 1.1170 + * enum CERTRevocationMethodIndex 1.1171 + * The size of the array must be specified by the caller in the separate 1.1172 + * variable number_of_defined_methods. 1.1173 + * The size of the array may be smaller than 1.1174 + * cert_revocation_method_count, it can happen if a caller 1.1175 + * is not yet aware of the latest revocation methods 1.1176 + * (or does not want to use them). 1.1177 + */ 1.1178 + PRUint64 *cert_rev_flags_per_method; 1.1179 + 1.1180 + /* 1.1181 + * How many preferred methods are specified? 1.1182 + * This is equivalent to the size of the array that 1.1183 + * preferred_revocation_methods points to. 1.1184 + * It's allowed to set this value to zero, 1.1185 + * then NSS will decide which methods to prefer. 1.1186 + */ 1.1187 + PRUint32 number_of_preferred_methods; 1.1188 + 1.1189 + /* Array that may specify an optional order of preferred methods. 1.1190 + * Each array entry shall contain a method identifier as defined 1.1191 + * by CERTRevocationMethodIndex. 1.1192 + * The entry at index [0] specifies the method with highest preferrence. 
1.1193 + * These methods will be tested first for locally available information. 1.1194 + * Methods allowed for downloading will be attempted in the same order. 1.1195 + */ 1.1196 + CERTRevocationMethodIndex *preferred_methods; 1.1197 + 1.1198 + /* 1.1199 + * An integer which defines certain aspects of revocation checking 1.1200 + * (independent of individual methods) by having individual 1.1201 + * CERT_REV_MI_* bits set or not set. 1.1202 + */ 1.1203 + PRUint64 cert_rev_method_independent_flags; 1.1204 +} CERTRevocationTests; 1.1205 + 1.1206 +typedef struct { 1.1207 + CERTRevocationTests leafTests; 1.1208 + CERTRevocationTests chainTests; 1.1209 +} CERTRevocationFlags; 1.1210 + 1.1211 +typedef struct CERTValParamInValueStr { 1.1212 + union { 1.1213 + PRBool b; 1.1214 + PRInt32 i; 1.1215 + PRUint32 ui; 1.1216 + PRInt64 l; 1.1217 + PRUint64 ul; 1.1218 + PRTime time; 1.1219 + } scalar; 1.1220 + union { 1.1221 + const void* p; 1.1222 + const char* s; 1.1223 + const CERTCertificate* cert; 1.1224 + const CERTCertList *chain; 1.1225 + const CERTRevocationFlags *revocation; 1.1226 + const CERTChainVerifyCallback *chainVerifyCallback; 1.1227 + } pointer; 1.1228 + union { 1.1229 + const PRInt32 *pi; 1.1230 + const PRUint32 *pui; 1.1231 + const PRInt64 *pl; 1.1232 + const PRUint64 *pul; 1.1233 + const SECOidTag *oids; 1.1234 + } array; 1.1235 + int arraySize; 1.1236 +} CERTValParamInValue; 1.1237 + 1.1238 + 1.1239 +typedef struct CERTValParamOutValueStr { 1.1240 + union { 1.1241 + PRBool b; 1.1242 + PRInt32 i; 1.1243 + PRUint32 ui; 1.1244 + PRInt64 l; 1.1245 + PRUint64 ul; 1.1246 + SECCertificateUsage usages; 1.1247 + } scalar; 1.1248 + union { 1.1249 + void* p; 1.1250 + char* s; 1.1251 + CERTVerifyLog *log; 1.1252 + CERTCertificate* cert; 1.1253 + CERTCertList *chain; 1.1254 + } pointer; 1.1255 + union { 1.1256 + void *p; 1.1257 + SECOidTag *oids; 1.1258 + } array; 1.1259 + int arraySize; 1.1260 +} CERTValParamOutValue; 1.1261 + 1.1262 +typedef struct { 1.1263 + 
CERTValParamInType type; 1.1264 + CERTValParamInValue value; 1.1265 +} CERTValInParam; 1.1266 + 1.1267 +typedef struct { 1.1268 + CERTValParamOutType type; 1.1269 + CERTValParamOutValue value; 1.1270 +} CERTValOutParam; 1.1271 + 1.1272 +/* 1.1273 + * Levels of standards conformance strictness for CERT_NameToAsciiInvertible 1.1274 + */ 1.1275 +typedef enum CertStrictnessLevels { 1.1276 + CERT_N2A_READABLE = 0, /* maximum human readability */ 1.1277 + CERT_N2A_STRICT = 10, /* strict RFC compliance */ 1.1278 + CERT_N2A_INVERTIBLE = 20 /* maximum invertibility, 1.1279 + all DirectoryStrings encoded in hex */ 1.1280 +} CertStrictnessLevel; 1.1281 + 1.1282 +/* 1.1283 + * policy flag defines 1.1284 + */ 1.1285 +#define CERT_POLICY_FLAG_NO_MAPPING 1 1.1286 +#define CERT_POLICY_FLAG_EXPLICIT 2 1.1287 +#define CERT_POLICY_FLAG_NO_ANY 4 1.1288 + 1.1289 +/* 1.1290 + * CertStore flags 1.1291 + */ 1.1292 +#define CERT_ENABLE_LDAP_FETCH 1 1.1293 +#define CERT_ENABLE_HTTP_FETCH 2 1.1294 + 1.1295 +/* This functin pointer type may be used for any function that takes 1.1296 + * a CERTCertificate * and returns an allocated string, which must be 1.1297 + * freed by a call to PORT_Free. 1.1298 + */ 1.1299 +typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert); 1.1300 + 1.1301 +/* XXX Lisa thinks the template declarations belong in cert.h, not here? 
*/ 1.1302 + 1.1303 +#include "secasn1t.h" /* way down here because I expect template stuff to 1.1304 + * move out of here anyway */ 1.1305 + 1.1306 +SEC_BEGIN_PROTOS 1.1307 + 1.1308 +extern const SEC_ASN1Template CERT_CertificateRequestTemplate[]; 1.1309 +extern const SEC_ASN1Template CERT_CertificateTemplate[]; 1.1310 +extern const SEC_ASN1Template SEC_SignedCertificateTemplate[]; 1.1311 +extern const SEC_ASN1Template CERT_CertExtensionTemplate[]; 1.1312 +extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[]; 1.1313 +extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[]; 1.1314 +extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[]; 1.1315 +extern const SEC_ASN1Template CERT_TimeChoiceTemplate[]; 1.1316 +extern const SEC_ASN1Template CERT_ValidityTemplate[]; 1.1317 +extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[]; 1.1318 +extern const SEC_ASN1Template SEC_CertSequenceTemplate[]; 1.1319 + 1.1320 +extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[]; 1.1321 +extern const SEC_ASN1Template CERT_NameTemplate[]; 1.1322 +extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[]; 1.1323 +extern const SEC_ASN1Template CERT_RDNTemplate[]; 1.1324 +extern const SEC_ASN1Template CERT_SignedDataTemplate[]; 1.1325 +extern const SEC_ASN1Template CERT_CrlTemplate[]; 1.1326 +extern const SEC_ASN1Template CERT_SignedCrlTemplate[]; 1.1327 + 1.1328 +/* 1.1329 +** XXX should the attribute stuff be centralized for all of ns/security? 1.1330 +*/ 1.1331 +extern const SEC_ASN1Template CERT_AttributeTemplate[]; 1.1332 +extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[]; 1.1333 + 1.1334 +/* These functions simply return the address of the above-declared templates. 1.1335 +** This is necessary for Windows DLLs. Sigh. 
1.1336 +*/ 1.1337 +SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate) 1.1338 +SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate) 1.1339 +SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate) 1.1340 +SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) 1.1341 +SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate) 1.1342 +SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate) 1.1343 +SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate) 1.1344 +SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate) 1.1345 +SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate) 1.1346 +SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate) 1.1347 +SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate) 1.1348 +SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate) 1.1349 + 1.1350 +SEC_END_PROTOS 1.1351 + 1.1352 +#endif /* _CERTT_H_ */