security/nss/lib/libpkix/include/pkix_pl_pki.h

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,2735 @@
     1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
     1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
     1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     1.7 +/*
     1.8 + * This file defines several platform independent functions to
     1.9 + * manipulate certificates and CRLs in a portable manner.
    1.10 + *
    1.11 + */
    1.12 +
    1.13 +#ifndef _PKIX_PL_PKI_H
    1.14 +#define _PKIX_PL_PKI_H
    1.15 +
    1.16 +#include "pkixt.h"
    1.17 +#include "seccomon.h"
    1.18 +#include "certt.h"
    1.19 +
    1.20 +#ifdef __cplusplus
    1.21 +extern "C" {
    1.22 +#endif
    1.23 +
    1.24 +/* General
    1.25 + *
    1.26 + * Please refer to the libpkix Programmer's Guide for detailed information
    1.27 + * about how to use the libpkix library. Certain key warnings and notices from
    1.28 + * that document are repeated here for emphasis.
    1.29 + *
    1.30 + * All identifiers in this file (and all public identifiers defined in
    1.31 + * libpkix) begin with "PKIX_". Private identifiers only intended for use
    1.32 + * within the library begin with "pkix_".
    1.33 + *
    1.34 + * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
    1.35 + *
    1.36 + * Unless otherwise noted, for all accessor (gettor) functions that return a
    1.37 + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
    1.38 + * shared object. Therefore, the caller should treat this shared object as
    1.39 + * read-only and should not modify this shared object. When done using the
    1.40 + * shared object, the caller should release the reference to the object by
    1.41 + * using the PKIX_PL_Object_DecRef function.
    1.42 + *
    1.43 + * While a function is executing, if its arguments (or anything referred to by
    1.44 + * its arguments) are modified, free'd, or destroyed, the function's behavior
    1.45 + * is undefined.
    1.46 + *
    1.47 + */
    1.48 +
    1.49 +/*
    1.50 + * Cert
    1.51 + *
    1.52 + * A Cert represents an X.509 certificate. It can be created using the bytes
    1.53 + * of a valid ASN.1 DER encoding. Once created, a Cert is immutable. The
    1.54 + * following functions include accessors (gettors) for the various components
    1.55 + * of an X.509 certificate. Also included are functions to perform various
    1.56 + * checks on a certificate, including name constraints, key usage, validity
    1.57 + * (expiration), and signature verification.
    1.58 + */
    1.59 +
    1.60 +/*
    1.61 + * FUNCTION: PKIX_PL_Cert_Create
    1.62 + * DESCRIPTION:
    1.63 + *
    1.64 + *  Creates a new certificate using the bytes in the ByteArray pointed to by
    1.65 + *  "byteArray" and stores it at "pCert". If the bytes are not a valid ASN.1
    1.66 + *  DER encoding of a certificate, a PKIX_Error pointer is returned. Once
    1.67 + *  created, a Cert is immutable.
    1.68 + *
    1.69 + *  Certificate  ::=  SEQUENCE  {
    1.70 + *      tbsCertificate          TBSCertificate,
    1.71 + *      signatureAlgorithm      AlgorithmIdentifier,
    1.72 + *      signatureValue          BIT STRING  }
    1.73 + *
    1.74 + *  AlgorithmIdentifier  ::=  SEQUENCE  {
    1.75 + *      algorithm               OBJECT IDENTIFIER,
    1.76 + *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
    1.77 + *
    1.78 + *  TBSCertificate  ::=  SEQUENCE  {
    1.79 + *      version         [0]  EXPLICIT Version DEFAULT v1,
    1.80 + *      serialNumber    CertificateSerialNumber,
    1.81 + *      signature       AlgorithmIdentifier,
    1.82 + *      issuer          Name,
    1.83 + *      validity        Validity,
    1.84 + *      subject         Name,
    1.85 + *      subjectPublicKeyInfo SubjectPublicKeyInfo,
    1.86 + *      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
    1.87 + *                          -- If present, version MUST be v2 or v3
    1.88 + *      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
    1.89 + *                              -- If present, version MUST be v2 or v3
    1.90 + *      extensions      [3]  EXPLICIT Extensions OPTIONAL
    1.91 + *                              -- If present, version MUST be v3
    1.92 + *      }
    1.93 + *
    1.94 + *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
    1.95 + *
    1.96 + *  CertificateSerialNumber  ::=  INTEGER
    1.97 + *
    1.98 + *  Validity ::= SEQUENCE {
    1.99 + *      notBefore       Time,
   1.100 + *      notAfter        Time }
   1.101 + *
   1.102 + *  Time ::= CHOICE {
   1.103 + *      utcTime         UTCTime,
   1.104 + *      generalTime     GeneralizedTime }
   1.105 + *
   1.106 + *  UniqueIdentifier  ::=  BIT STRING
   1.107 + *
   1.108 + *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
   1.109 + *      algorithm               AlgorithmIdentifier,
   1.110 + *      subjectPublicKey        BIT STRING  }
   1.111 + *
   1.112 + *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
   1.113 + *
   1.114 + *  Extension  ::=  SEQUENCE  {
   1.115 + *      extnID          OBJECT IDENTIFIER,
   1.116 + *      critical        BOOLEAN DEFAULT FALSE,
   1.117 + *      extnValue       OCTET STRING  }
   1.118 + *
   1.119 + * PARAMETERS:
   1.120 + *  "byteArray"
   1.121 + *      Address of ByteArray representing the CERT's DER encoding.
   1.122 + *      Must be non-NULL.
   1.123 + *  "pCert"
   1.124 + *      Address where object pointer will be stored. Must be non-NULL.
   1.125 + *  "plContext"
   1.126 + *      Platform-specific context pointer.
   1.127 + * THREAD SAFETY:
   1.128 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.129 + * RETURNS:
   1.130 + *  Returns NULL if the function succeeds.
   1.131 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.132 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.133 + */
   1.134 +PKIX_Error *
   1.135 +PKIX_PL_Cert_Create(
   1.136 +        PKIX_PL_ByteArray *byteArray,
   1.137 +        PKIX_PL_Cert **pCert,
   1.138 +        void *plContext);
   1.139 +
   1.140 +/*
   1.141 + * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate
   1.142 + * DESCRIPTION:
   1.143 + *
   1.144 + * Creates a new certificate using passed in CERTCertificate object.
   1.145 + *
   1.146 + * PARAMETERS:
   1.147 + *  "nssCert"
   1.148 + *      The object that will be used to create new PKIX_PL_Cert.
   1.149 + *  "pCert"
   1.150 + *      Address where object pointer will be stored. Must be non-NULL.
   1.151 + *  "plContext"
   1.152 + *      Platform-specific context pointer.
   1.153 + * THREAD SAFETY:
   1.154 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.155 + * RETURNS:
   1.156 + *  Returns NULL if the function succeeds.
   1.157 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.158 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.159 + */
   1.160 +PKIX_Error *
   1.161 +PKIX_PL_Cert_CreateFromCERTCertificate(
   1.162 +        const CERTCertificate *nssCert,
   1.163 +        PKIX_PL_Cert **pCert,
   1.164 +        void *plContext);
   1.165 +
   1.166 +/*
   1.167 + * FUNCTION: PKIX_PL_Cert_GetCERTCertificate
   1.168 + * DESCRIPTION:
   1.169 + *
   1.170 + * Returns underlying CERTCertificate structure. Return CERTCertificate
   1.171 + * object is duplicated and should be destroyed by caller.
   1.172 + *
   1.173 + * PARAMETERS:
   1.174 + *  "cert"
   1.175 + *      Address of PKIX_PL_Cert. Must be non-NULL.
   1.176 + *  "pCert"
   1.177 + *      Address where object pointer will be stored. Must be non-NULL.
   1.178 + *  "plContext"
   1.179 + *      Platform-specific context pointer.
   1.180 + * THREAD SAFETY:
   1.181 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.182 + * RETURNS:
   1.183 + *  Returns NULL if the function succeeds.
   1.184 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.185 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.186 + */
   1.187 +PKIX_Error *
   1.188 +PKIX_PL_Cert_GetCERTCertificate(
   1.189 +        PKIX_PL_Cert *cert,
   1.190 +        CERTCertificate **pnssCert, 
   1.191 +        void *plContext);
   1.192 +
   1.193 +/*
   1.194 + * FUNCTION: PKIX_PL_Cert_GetVersion
   1.195 + * DESCRIPTION:
   1.196 + *
   1.197 + *  Retrieves the version of the Cert pointed to by "cert" and stores it at
   1.198 + *  "pVersion". The version number will either be 0, 1, or 2 (corresponding to
   1.199 + *  v1, v2, or v3, respectively).
   1.200 + *
   1.201 + *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
   1.202 + *
   1.203 + * PARAMETERS:
   1.204 + *  "cert"
   1.205 + *      Address of Cert whose version is to be stored. Must be non-NULL.
   1.206 + *  "pVersion"
   1.207 + *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
   1.208 + *  "plContext"
   1.209 + *      Platform-specific context pointer.
   1.210 + * THREAD SAFETY:
   1.211 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.212 + * RETURNS:
   1.213 + *  Returns NULL if the function succeeds.
   1.214 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.215 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.216 + */
   1.217 +PKIX_Error *
   1.218 +PKIX_PL_Cert_GetVersion(
   1.219 +        PKIX_PL_Cert *cert,
   1.220 +        PKIX_UInt32 *pVersion,
   1.221 +        void *plContext);
   1.222 +
   1.223 +/*
   1.224 + * FUNCTION: PKIX_PL_Cert_GetSerialNumber
   1.225 + * DESCRIPTION:
   1.226 + *
   1.227 + *  Retrieves a pointer to the BigInt that represents the serial number of the
   1.228 + *  Cert pointed to by "cert" and stores it at "pSerialNumber".
   1.229 + *
   1.230 + *  CertificateSerialNumber  ::=  INTEGER
   1.231 + *
   1.232 + * PARAMETERS:
   1.233 + *  "cert"
   1.234 + *      Address of Cert whose serial number is to be stored. Must be non-NULL.
   1.235 + *  "pSerial"
   1.236 + *      Address where object pointer will be stored. Must be non-NULL.
   1.237 + *  "plContext"
   1.238 + *      Platform-specific context pointer.
   1.239 + * THREAD SAFETY:
   1.240 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.241 + * RETURNS:
   1.242 + *  Returns NULL if the function succeeds.
   1.243 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.244 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.245 + */
   1.246 +PKIX_Error *
   1.247 +PKIX_PL_Cert_GetSerialNumber(
   1.248 +        PKIX_PL_Cert *cert,
   1.249 +        PKIX_PL_BigInt **pSerial,
   1.250 +        void *plContext);
   1.251 +
   1.252 +/*
   1.253 + * FUNCTION: PKIX_PL_Cert_GetIssuer
   1.254 + * DESCRIPTION:
   1.255 + *
   1.256 + *  Retrieves a pointer to the X500Name that represents the issuer DN of the
   1.257 + *  Cert pointed to by "cert" and stores it at "pIssuer".
   1.258 + *
   1.259 + * PARAMETERS:
   1.260 + *  "cert"
   1.261 + *      Address of Cert whose issuer is to be stored. Must be non-NULL.
   1.262 + *  "pIssuer"
   1.263 + *      Address where object pointer will be stored. Must be non-NULL.
   1.264 + *  "plContext"
   1.265 + *      Platform-specific context pointer.
   1.266 + * THREAD SAFETY:
   1.267 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.268 + * RETURNS:
   1.269 + *  Returns NULL if the function succeeds.
   1.270 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.271 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.272 + */
   1.273 +PKIX_Error *
   1.274 +PKIX_PL_Cert_GetIssuer(
   1.275 +        PKIX_PL_Cert *cert,
   1.276 +        PKIX_PL_X500Name **pIssuer,
   1.277 +        void *plContext);
   1.278 +
   1.279 +/*
   1.280 + * FUNCTION: PKIX_PL_Cert_GetSubject
   1.281 + * DESCRIPTION:
   1.282 + *
   1.283 + *  Retrieves a pointer to the X500Name that represents the subject DN of the
   1.284 + *  Cert pointed to by "cert" and stores it at "pSubject". If the Cert does not
   1.285 + *  have a subject DN, this function stores NULL at "pSubject".
   1.286 + *
   1.287 + * PARAMETERS:
   1.288 + *  "cert"
   1.289 + *      Address of Cert whose subject is to be stored. Must be non-NULL.
   1.290 + *  "pSubject"
   1.291 + *      Address where object pointer will be stored. Must be non-NULL.
   1.292 + *  "plContext"
   1.293 + *      Platform-specific context pointer.
   1.294 + * THREAD SAFETY:
   1.295 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.296 + * RETURNS:
   1.297 + *  Returns NULL if the function succeeds.
   1.298 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.299 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.300 + */
   1.301 +PKIX_Error *
   1.302 +PKIX_PL_Cert_GetSubject(
   1.303 +        PKIX_PL_Cert *cert,
   1.304 +        PKIX_PL_X500Name **pSubject,
   1.305 +        void *plContext);
   1.306 +
   1.307 +/*
   1.308 + * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId
   1.309 + * DESCRIPTION:
   1.310 + *
   1.311 + *  Retrieves a pointer to the OID that represents the subject public key
   1.312 + *  algorithm of the Cert pointed to by "cert" and stores it at
   1.313 + *  "pSubjKeyAlgId".
   1.314 + *
   1.315 + *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
   1.316 + *      algorithm               AlgorithmIdentifier,
   1.317 + *      subjectPublicKey        BIT STRING  }
   1.318 + *
   1.319 + *  AlgorithmIdentifier  ::=  SEQUENCE  {
   1.320 + *      algorithm               OBJECT IDENTIFIER,
   1.321 + *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
   1.322 + *
   1.323 + * PARAMETERS:
   1.324 + *  "cert"
   1.325 + *      Address of Cert whose subject public key algorithm OID is to be stored.
   1.326 + *      Must be non-NULL.
   1.327 + *  "pSubjKeyAlgId"
   1.328 + *      Address where object pointer will be stored. Must be non-NULL.
   1.329 + *  "plContext"
   1.330 + *      Platform-specific context pointer.
   1.331 + * THREAD SAFETY:
   1.332 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.333 + * RETURNS:
   1.334 + *  Returns NULL if the function succeeds.
   1.335 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.336 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.337 + */
   1.338 +PKIX_Error *
   1.339 +PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
   1.340 +        PKIX_PL_Cert *cert,
   1.341 +        PKIX_PL_OID **pSubjKeyAlgId,
   1.342 +        void *plContext);
   1.343 +
   1.344 +/*
   1.345 + * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey
   1.346 + * DESCRIPTION:
   1.347 + *
   1.348 + *  Retrieves a pointer to the PublicKey that represents the subject public key
   1.349 + *  of the Cert pointed to by "cert" and stores it at "pPublicKey".
   1.350 + *
   1.351 + *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
   1.352 + *      algorithm               AlgorithmIdentifier,
   1.353 + *      subjectPublicKey        BIT STRING  }
   1.354 + *
   1.355 + * PARAMETERS:
   1.356 + *  "cert"
   1.357 + *      Address of Cert whose subject public key is to be stored.
   1.358 + *      Must be non-NULL.
   1.359 + *  "pPublicKey"
   1.360 + *      Address where object pointer will be stored. Must be non-NULL.
   1.361 + *  "plContext"
   1.362 + *      Platform-specific context pointer.
   1.363 + * THREAD SAFETY:
   1.364 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.365 + * RETURNS:
   1.366 + *  Returns NULL if the function succeeds.
   1.367 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.368 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.369 + */
   1.370 +PKIX_Error *
   1.371 +PKIX_PL_Cert_GetSubjectPublicKey(
   1.372 +        PKIX_PL_Cert *cert,
   1.373 +        PKIX_PL_PublicKey **pPublicKey,
   1.374 +        void *plContext);
   1.375 +
   1.376 +/*
   1.377 + * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters
   1.378 + * DESCRIPTION:
   1.379 + *
   1.380 + * Determines if the PublicKey pointed to by "pubKey" is a DSA Key with null
   1.381 + * parameters and stores the result at "pNeedsParams". 
   1.382 + *
   1.383 + * PARAMETERS:
   1.384 + *  "pubKey"
   1.385 + *      Address of the Public Key of interest. Must be non-NULL.
   1.386 + *  "pNeedsParams"
   1.387 + *      Address where object pointer will be stored. Must be non-NULL.
   1.388 + *  "plContext"
   1.389 + *      Platform-specific context pointer.
   1.390 + * THREAD SAFETY:
   1.391 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.392 + * RETURNS:
   1.393 + *  Returns NULL if the function succeeds.
   1.394 + *  Returns a PublicKey Error if the function fails in a non-fatal way.
   1.395 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.396 + */
   1.397 +PKIX_Error *
   1.398 +PKIX_PL_PublicKey_NeedsDSAParameters(
   1.399 +        PKIX_PL_PublicKey *pubKey,
   1.400 +        PKIX_Boolean *pNeedsParams,
   1.401 +        void *plContext);
   1.402 +
   1.403 +/*
   1.404 + * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
   1.405 + * DESCRIPTION:
   1.406 + *
   1.407 + * This function is used for DSA key parameter inheritance, which allows a
   1.408 + * first DSA key with omitted parameters (pointed to by "firstKey") to inherit
   1.409 + * the PQG parameters of a second DSA key that does have parameters. (pointed
   1.410 + * to by "secondKey"). Once created, a PublicKey is immutable.
   1.411 + *
   1.412 + * Specifically, the algorithm used by the function is:
   1.413 + *
   1.414 + * If the first PublicKey is not a DSA public key with omitted parameters,
   1.415 + *      the function stores NULL at "pResultKey". (No Error is returned)
   1.416 + * Else if the second PublicKey is not a DSA public key with non-NULL,
   1.417 + *      parameters, the function returns an Error.
   1.418 + * Else
   1.419 + *      the function creates a third PublicKey with a "Y" value from the
   1.420 + *      first PublicKey and the DSA parameters from the second PublicKey,
   1.421 + *      and stores it at "pResultKey".
   1.422 + *
   1.423 + * PARAMETERS:
   1.424 + *  "firstKey"
   1.425 + *      Address of a Public Key that needs to inherit DSA parameters.
   1.426 + *      Must be non-NULL.
   1.427 + *  "secondKey"
   1.428 + *      Address of a Public Key that has DSA parameters that will be inherited
   1.429 + *      by "firstKey". Must be non-NULL.
   1.430 + *  "pResultKey"
   1.431 + *      Address where object pointer will be stored. Must be non-NULL.
   1.432 + *  "plContext"
   1.433 + *      Platform-specific context pointer.
   1.434 + * THREAD SAFETY:
   1.435 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.436 + * RETURNS:
   1.437 + *  Returns NULL if the function succeeds.
   1.438 + *  Returns a PublicKey Error if the function fails in a non-fatal way.
   1.439 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.440 + */
   1.441 +PKIX_Error *
   1.442 +PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(
   1.443 +        PKIX_PL_PublicKey *firstKey,
   1.444 +        PKIX_PL_PublicKey *secondKey,
   1.445 +        PKIX_PL_PublicKey **pResultKey,
   1.446 +        void *plContext);
   1.447 +
   1.448 +/*
   1.449 + * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs
   1.450 + * DESCRIPTION:
   1.451 + *
   1.452 + *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
   1.453 + *  critical extension of the Cert pointed to by "cert") and stores it at
   1.454 + *  "pExtensions". If "cert" does not have any critical extensions, this
   1.455 + *  function stores an empty List at "pExtensions".
   1.456 + *
   1.457 + *  Note that the List returned by this function is immutable.
   1.458 + *
   1.459 + * PARAMETERS:
   1.460 + *  "cert"
   1.461 + *      Address of Cert whose critical extension OIDs are to be stored.
   1.462 + *      Must be non-NULL.
   1.463 + *  "pExtensions"
   1.464 + *      Address where object pointer will be stored. Must be non-NULL.
   1.465 + *  "plContext"
   1.466 + *      Platform-specific context pointer.
   1.467 + * THREAD SAFETY:
   1.468 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.469 + * RETURNS:
   1.470 + *  Returns NULL if the function succeeds.
   1.471 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.472 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.473 + */
   1.474 +PKIX_Error *
   1.475 +PKIX_PL_Cert_GetCriticalExtensionOIDs(
   1.476 +        PKIX_PL_Cert *cert,
   1.477 +        PKIX_List **pExtensions,  /* list of PKIX_PL_OID */
   1.478 +        void *plContext);
   1.479 +
   1.480 +/*
   1.481 + * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier
   1.482 + * DESCRIPTION:
   1.483 + *
   1.484 + *  Retrieves a pointer to a ByteArray representing the authority key
   1.485 + *  identifier extension of the Cert pointed to by "cert" and stores it at
   1.486 + *  "pAuthKeyId".
   1.487 + *
   1.488 + *  Note that this function only retrieves the keyIdentifier component
   1.489 + *  (OCTET STRING) of the AuthorityKeyIdentifier extension, when present.
   1.490 + *
   1.491 + *  If "cert" does not have an AuthorityKeyIdentifier extension or if the
   1.492 + *  keyIdentifier component of the AuthorityKeyIdentifier extension is not
   1.493 + *  present, this function stores NULL at "pAuthKeyId".
   1.494 + *
   1.495 + *  AuthorityKeyIdentifier ::= SEQUENCE {
   1.496 + *      keyIdentifier                   [0] KeyIdentifier           OPTIONAL,
   1.497 + *      authorityCertIssuer             [1] GeneralNames            OPTIONAL,
   1.498 + *      authorityCertSerialNumber       [2] CertificateSerialNumber OPTIONAL  }
   1.499 + *
   1.500 + * PARAMETERS:
   1.501 + *  "cert"
   1.502 + *      Address of Cert whose authority key identifier is to be stored.
   1.503 + *      Must be non-NULL.
   1.504 + *  "pAuthKeyId"
   1.505 + *      Address where object pointer will be stored. Must be non-NULL.
   1.506 + *  "plContext"
   1.507 + *      Platform-specific context pointer.
   1.508 + * THREAD SAFETY:
   1.509 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.510 + * RETURNS:
   1.511 + *  Returns NULL if the function succeeds.
   1.512 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.513 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.514 + */
   1.515 +PKIX_Error *
   1.516 +PKIX_PL_Cert_GetAuthorityKeyIdentifier(
   1.517 +        PKIX_PL_Cert *cert,
   1.518 +        PKIX_PL_ByteArray **pAuthKeyId,
   1.519 +        void *plContext);
   1.520 +
   1.521 +/*
   1.522 + * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier
   1.523 + * DESCRIPTION:
   1.524 + *
   1.525 + *  Retrieves a pointer to a ByteArray representing the subject key identifier
   1.526 + *  extension of the Cert pointed to by "cert" and stores it at "pSubjKeyId".
   1.527 + *  If "cert" does not have a SubjectKeyIdentifier extension, this function
   1.528 + *  stores NULL at "pSubjKeyId".
   1.529 + *
   1.530 + *  SubjectKeyIdentifier ::= KeyIdentifier
   1.531 + *
   1.532 + * PARAMETERS:
   1.533 + *  "cert"
   1.534 + *      Address of Cert whose subject key identifier is to be stored.
   1.535 + *      Must be non-NULL.
   1.536 + *  "pSubjKeyId"
   1.537 + *      Address where object pointer will be stored. Must be non-NULL.
   1.538 + *  "plContext"
   1.539 + *      Platform-specific context pointer.
   1.540 + * THREAD SAFETY:
   1.541 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.542 + * RETURNS:
   1.543 + *  Returns NULL if the function succeeds.
   1.544 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.545 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.546 + */
   1.547 +PKIX_Error *
   1.548 +PKIX_PL_Cert_GetSubjectKeyIdentifier(
   1.549 +        PKIX_PL_Cert *cert,
   1.550 +        PKIX_PL_ByteArray **pSubjKeyId,
   1.551 +        void *plContext);
   1.552 +
   1.553 +/*
   1.554 + * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames
   1.555 + * DESCRIPTION:
   1.556 + *
   1.557 + *  Retrieves a pointer to the List of GeneralNames (each GeneralName
   1.558 + *  representing a subject alternative name found in the subject alternative
   1.559 + *  names extension of the Cert pointed to by "cert") and stores it at
   1.560 + *  "pSubjectAltNames". If "cert" does not have a SubjectAlternativeNames
   1.561 + *  extension, this function stores NULL at "pSubjectAltNames".
   1.562 + *
   1.563 + *  Note that the List returned by this function is immutable.
   1.564 + *
   1.565 + *  SubjectAltName ::= GeneralNames
   1.566 + *
   1.567 + *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
   1.568 + *
   1.569 + *  GeneralName ::= CHOICE {
   1.570 + *      otherName                       [0]     OtherName,
   1.571 + *      rfc822Name                      [1]     IA5String,
   1.572 + *      dNSName                         [2]     IA5String,
   1.573 + *      x400Address                     [3]     ORAddress,
   1.574 + *      directoryName                   [4]     Name,
   1.575 + *      ediPartyName                    [5]     EDIPartyName,
   1.576 + *      uniformResourceIdentifier       [6]     IA5String,
   1.577 + *      iPAddress                       [7]     OCTET STRING,
   1.578 + *      registeredID                    [8]     OBJECT IDENTIFIER }
   1.579 + *
   1.580 + *  OtherName ::= SEQUENCE {
   1.581 + *      type-id                         OBJECT IDENTIFIER,
   1.582 + *      value                           [0] EXPLICIT ANY DEFINED BY type-id }
   1.583 + *
   1.584 + *  EDIPartyName ::= SEQUENCE {
   1.585 + *      nameAssigner                    [0]     DirectoryString OPTIONAL,
   1.586 + *      partyName                       [1]     DirectoryString }
   1.587 + *
   1.588 + * PARAMETERS:
   1.589 + *  "cert"
   1.590 + *      Address of Cert whose subjectAltNames are to be stored.
   1.591 + *      Must be non-NULL.
   1.592 + *  "pSubjectAltNames"
   1.593 + *      Address where object pointer will be stored. Must be non-NULL.
   1.594 + *  "plContext"
   1.595 + *      Platform-specific context pointer.
   1.596 + * THREAD SAFETY:
   1.597 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.598 + * RETURNS:
   1.599 + *  Returns NULL if the function succeeds.
   1.600 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.601 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.602 + */
   1.603 +PKIX_Error *
   1.604 +PKIX_PL_Cert_GetSubjectAltNames(
   1.605 +        PKIX_PL_Cert *cert,
   1.606 +        PKIX_List **pSubjectAltNames,  /* list of PKIX_PL_GeneralName */
   1.607 +        void *plContext);
   1.608 +
   1.609 +/*
   1.610 + * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames
   1.611 + * DESCRIPTION:
   1.612 + *
   1.613 + *  Retrieves a pointer to the List of GeneralNames (each GeneralName
   1.614 + *  representing a subject DN or a subject alternative name found in the
   1.615 + *  subject alternative names extension of the Cert pointed to by "cert") and
   1.616 + *  stores it at "pAllSubjectNames".If the Subject DN of "cert" is empty and
   1.617 + *  it does not have a SubjectAlternativeNames extension, this function stores
   1.618 + *  NULL at "pAllSubjectNames".
   1.619 + *
   1.620 + *  Note that the List returned by this function is immutable.
   1.621 + *
   1.622 + * PARAMETERS:
   1.623 + *  "cert"
   1.624 + *      Address of Cert whose subject DN and subjectAltNames are to be stored.
   1.625 + *      Must be non-NULL.
   1.626 + *  "pAllSubjectNames"
   1.627 + *      Address where object pointer will be stored. Must be non-NULL.
   1.628 + *  "plContext"
   1.629 + *      Platform-specific context pointer.
   1.630 + * THREAD SAFETY:
   1.631 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.632 + * RETURNS:
   1.633 + *  Returns NULL if the function succeeds.
   1.634 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.635 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.636 + */
   1.637 +PKIX_Error *
   1.638 +PKIX_PL_Cert_GetAllSubjectNames(
   1.639 +        PKIX_PL_Cert *cert,
   1.640 +        PKIX_List **pAllSubjectNames,  /* list of PKIX_PL_GeneralName */
   1.641 +        void *plContext);
   1.642 +
   1.643 +/*
   1.644 + * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage
   1.645 + * DESCRIPTION:
   1.646 + *
   1.647 + *  Retrieves a pointer to a List of OIDs (each OID corresponding to an
   1.648 + *  extended key usage of the Cert pointed to by "cert") and stores it at
   1.649 + *  "pKeyUsage". If "cert" does not have an extended key usage extension, this
   1.650 + *  function stores a NULL at "pKeyUsage".
   1.651 + *
   1.652 + *  Note that the List returned by this function is immutable.
   1.653 + *
   1.654 + *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
   1.655 + *
   1.656 + *  KeyPurposeId ::= OBJECT IDENTIFIER
   1.657 + *
   1.658 + * PARAMETERS:
   1.659 + *  "cert"
   1.660 + *      Address of Cert whose extended key usage OIDs are to be stored.
   1.661 + *      Must be non-NULL.
   1.662 + *  "pKeyUsage"
   1.663 + *      Address where object pointer will be stored. Must be non-NULL.
   1.664 + *  "plContext"
   1.665 + *      Platform-specific context pointer.
   1.666 + * THREAD SAFETY:
   1.667 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.668 + * RETURNS:
   1.669 + *  Returns NULL if the function succeeds.
   1.670 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.671 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.672 + */
   1.673 +PKIX_Error *
   1.674 +PKIX_PL_Cert_GetExtendedKeyUsage(
   1.675 +        PKIX_PL_Cert *cert,
   1.676 +        PKIX_List **pKeyUsage,  /* list of PKIX_PL_OID */
   1.677 +        void *plContext);
   1.678 +
   1.679 +/*
   1.680 + * FUNCTION: PKIX_PL_Cert_GetNameConstraints
   1.681 + * DESCRIPTION:
   1.682 + *
   1.683 + *  Retrieves a pointer to a CertNameConstraints object representing the name
   1.684 + *  constraints extension of the Cert pointed to by "cert" and stores it at
   1.685 + *  "pNameConstraints".
   1.686 + *
   1.687 + *  If "cert" does not have a name constraints extension, this function stores
   1.688 + *  NULL at "pNameConstraints".
   1.689 + *
   1.690 + *  NameConstraints ::= SEQUENCE {
   1.691 + *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   1.692 + *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
   1.693 + *
   1.694 + *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
   1.695 + *
   1.696 + *  GeneralSubtree ::= SEQUENCE {
   1.697 + *      base                    GeneralName,
   1.698 + *      minimum         [0]     BaseDistance DEFAULT 0,
   1.699 + *      maximum         [1]     BaseDistance OPTIONAL }
   1.700 + *
   1.701 + *  BaseDistance ::= INTEGER (0..MAX)
   1.702 + *
   1.703 + * PARAMETERS:
   1.704 + *  "cert"
   1.705 + *      Address of Cert whose name constraints extension is to be stored.
   1.706 + *      Must be non-NULL.
   1.707 + *  "pNameConstraints"
   1.708 + *      Address where object pointer will be stored. Must be non-NULL.
   1.709 + *  "plContext"
   1.710 + *      Platform-specific context pointer.
   1.711 + * THREAD SAFETY:
   1.712 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.713 + * RETURNS:
   1.714 + *  Returns NULL if the function succeeds.
   1.715 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.716 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.717 + */
   1.718 +PKIX_Error *
   1.719 +PKIX_PL_Cert_GetNameConstraints(
   1.720 +        PKIX_PL_Cert *cert,
   1.721 +        PKIX_PL_CertNameConstraints **pNameConstraints,
   1.722 +        void *plContext);
   1.723 +
   1.724 +/*
   1.725 + * FUNCTION: PKIX_PL_Cert_GetBasicConstraints
   1.726 + * DESCRIPTION:
   1.727 + *
   1.728 + *  Retrieves a pointer to a CertBasicConstraints object representing the basic
   1.729 + *  constraints extension of the Cert pointed to by "cert" and stores it at
   1.730 + *  "pBasicConstraints".
   1.731 + *
   1.732 + *  If "cert" does not have a basic constraints extension, this function stores
   1.733 + *  NULL at "pBasicConstraints". Once created, a CertBasicConstraints object
   1.734 + *  is immutable.
   1.735 + *
   1.736 + *  BasicConstraints ::= SEQUENCE {
   1.737 + *      cA                      BOOLEAN DEFAULT FALSE,
   1.738 + *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
   1.739 + *
   1.740 + * PARAMETERS:
   1.741 + *  "cert"
   1.742 + *      Address of Cert whose basic constraints extension is to be stored.
   1.743 + *      Must be non-NULL.
   1.744 + *  "pBasicConstraints"
   1.745 + *      Address where object pointer will be stored. Must be non-NULL.
   1.746 + *  "plContext"
   1.747 + *      Platform-specific context pointer.
   1.748 + * THREAD SAFETY:
   1.749 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.750 + * RETURNS:
   1.751 + *  Returns NULL if the function succeeds.
   1.752 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.753 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.754 + */
   1.755 +PKIX_Error *
   1.756 +PKIX_PL_Cert_GetBasicConstraints(
   1.757 +        PKIX_PL_Cert *cert,
   1.758 +        PKIX_PL_CertBasicConstraints **pBasicConstraints,
   1.759 +        void *plContext);
   1.760 +
   1.761 +/*
   1.762 + * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag
   1.763 + * DESCRIPTION:
   1.764 + *
   1.765 + *  Retrieves a pointer to a Boolean value representing the cA Flag component
   1.766 + *  of the CertBasicConstraints object pointed to by "basicConstraints" and
   1.767 + *  stores it at "pResult".
   1.768 + *
   1.769 + *  BasicConstraints ::= SEQUENCE {
   1.770 + *      cA                      BOOLEAN DEFAULT FALSE,
   1.771 + *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
   1.772 + *
   1.773 + * PARAMETERS:
   1.774 + *  "basicConstraints"
   1.775 + *      Address of CertBasicConstraints whose cA Flag is to be stored.
   1.776 + *      Must be non-NULL.
   1.777 + *  "pResult"
   1.778 + *      Address where object pointer will be stored. Must be non-NULL.
   1.779 + *  "plContext"
   1.780 + *      Platform-specific context pointer.
   1.781 + * THREAD SAFETY:
   1.782 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.783 + * RETURNS:
   1.784 + *  Returns NULL if the function succeeds.
   1.785 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.786 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.787 + */
   1.788 +PKIX_Error *
   1.789 +PKIX_PL_BasicConstraints_GetCAFlag(
   1.790 +        PKIX_PL_CertBasicConstraints *basicConstraints,
   1.791 +        PKIX_Boolean *pResult,
   1.792 +        void *plContext);
   1.793 +
   1.794 +/*
   1.795 + * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint
   1.796 + * DESCRIPTION:
   1.797 + *
   1.798 + *  Retrieves a pointer to an integer value representing the pathLenConstraint
   1.799 + *  component of the CertBasicConstraints object pointed to by
   1.800 + *  "basicConstraints" and stores it at "pPathLenConstraint". If the
   1.801 + *  pathLenConstraint component is not present, this function stores -1 at
   1.802 + *  "pPathLenConstraint".
   1.803 + *
   1.804 + * PARAMETERS:
   1.805 + *  "basicConstraints"
   1.806 + *      Address of CertBasicConstraints whose pathLen is to be stored.
   1.807 + *      Must be non-NULL.
   1.808 + *  "pPathLenConstraint"
   1.809 + *      Address where PKIX_Int32 will be stored. Must be non-NULL.
   1.810 + *  "plContext"
   1.811 + *      Platform-specific context pointer.
   1.812 + * THREAD SAFETY:
   1.813 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.814 + * RETURNS:
   1.815 + *  Returns NULL if the function succeeds.
   1.816 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.817 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.818 + */
   1.819 +PKIX_Error *
   1.820 +PKIX_PL_BasicConstraints_GetPathLenConstraint(
   1.821 +        PKIX_PL_CertBasicConstraints *basicConstraints,
   1.822 +        PKIX_Int32 *pPathLenConstraint,
   1.823 +        void *plContext);
   1.824 +
   1.825 +/*
   1.826 + * FUNCTION: PKIX_PL_Cert_GetPolicyInformation
   1.827 + * DESCRIPTION:
   1.828 + *
   1.829 + *  Retrieves a pointer to a List of CertPolicyInfos found in the certificate
   1.830 + *  policies extension of the Cert pointed to by "cert" and stores it at
   1.831 + *  "pPolicyInfo". If "cert" does not have a certificate policies extension,
   1.832 + *  this function stores NULL at "pPolicyInfo". Once created, a CertPolicyInfo
   1.833 + *  object is immutable.
   1.834 + *
   1.835 + *  Note that the List returned by this function is immutable.
   1.836 + *
   1.837 + *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
   1.838 + *
   1.839 + *  PolicyInformation ::= SEQUENCE {
   1.840 + *      policyIdentifier   CertPolicyId,
   1.841 + *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
   1.842 + *                              PolicyQualifierInfo OPTIONAL }
   1.843 + *
   1.844 + * PARAMETERS:
   1.845 + *  "cert"
   1.846 + *      Address of Cert whose CertPolicyInfos are to be stored.
   1.847 + *      Must be non-NULL.
   1.848 + *  "pPolicyInfo"
   1.849 + *      Address where object pointer will be stored. Must be non-NULL.
   1.850 + *  "plContext"
   1.851 + *      Platform-specific context pointer.
   1.852 + * THREAD SAFETY:
   1.853 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.854 + * RETURNS:
   1.855 + *  Returns NULL if the function succeeds.
   1.856 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.857 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.858 + */
   1.859 +PKIX_Error *
   1.860 +PKIX_PL_Cert_GetPolicyInformation(
   1.861 +        PKIX_PL_Cert *cert,
   1.862 +        PKIX_List **pPolicyInfo, /* list of PKIX_PL_CertPolicyInfo */
   1.863 +        void *plContext);
   1.864 +
   1.865 +/*
   1.866 + * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId
   1.867 + * DESCRIPTION:
   1.868 + *
   1.869 + *  Retrieves a pointer to an OID representing the policyIdentifier of the
   1.870 + *  CertPolicyInfo pointed to by "policyInfo" and stores it at "pCertPolicyId".
   1.871 + *
   1.872 + *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
   1.873 + *
   1.874 + *  PolicyInformation ::= SEQUENCE {
   1.875 + *      policyIdentifier   CertPolicyId,
   1.876 + *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
   1.877 + *                              PolicyQualifierInfo OPTIONAL }
   1.878 + *
   1.879 + *  CertPolicyId ::= OBJECT IDENTIFIER
   1.880 + *
   1.881 + * PARAMETERS:
   1.882 + *  "policyInfo"
   1.883 + *      Address of CertPolicyInfo whose policy identifier is to be stored.
   1.884 + *      Must be non-NULL.
   1.885 + *  "pCertPolicyId"
   1.886 + *      Address where object pointer will be stored. Must be non-NULL.
   1.887 + *  "plContext"
   1.888 + *      Platform-specific context pointer.
   1.889 + * THREAD SAFETY:
   1.890 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.891 + * RETURNS:
   1.892 + *  Returns NULL if the function succeeds.
   1.893 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.894 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.895 + */
   1.896 +PKIX_Error *
   1.897 +PKIX_PL_CertPolicyInfo_GetPolicyId(
   1.898 +        PKIX_PL_CertPolicyInfo *policyInfo,
   1.899 +        PKIX_PL_OID **pCertPolicyId,
   1.900 +        void *plContext);
   1.901 +
   1.902 +/*
   1.903 + * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers
   1.904 + * DESCRIPTION:
   1.905 + *
   1.906 + *  Retrieves a pointer to a List of the CertPolicyQualifiers representing
   1.907 + *  the policyQualifiers of the CertPolicyInfo pointed to by "policyInfo" and
   1.908 + *  stores it at "pPolicyQualifiers". If "policyInfo" does not have any
   1.909 + *  policyQualifiers, this function stores NULL at "pPolicyQualifiers". Once
   1.910 + *  created, a CertPolicyQualifier is immutable.
   1.911 + *
   1.912 + *  Note that the List returned by this function is immutable.
   1.913 + *
   1.914 + *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
   1.915 + *
   1.916 + *  PolicyInformation ::= SEQUENCE {
   1.917 + *      policyIdentifier   CertPolicyId,
   1.918 + *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
   1.919 + *                              PolicyQualifierInfo OPTIONAL }
   1.920 + *
   1.921 + *  PolicyQualifierInfo ::= SEQUENCE {
   1.922 + *      policyQualifierId  PolicyQualifierId,
   1.923 + *      qualifier       ANY DEFINED BY policyQualifierId }
   1.924 + *
   1.925 + * PARAMETERS:
   1.926 + *  "policyInfo"
   1.927 + *      Address of CertPolicyInfo whose policy qualifiers List is to be stored.
   1.928 + *      Must be non-NULL.
   1.929 + *  "pPolicyQualifiers"
   1.930 + *      Address where object pointer will be stored. Must be non-NULL.
   1.931 + *  "plContext"
   1.932 + *      Platform-specific context pointer.
   1.933 + * THREAD SAFETY:
   1.934 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.935 + * RETURNS:
   1.936 + *  Returns NULL if the function succeeds.
   1.937 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.938 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.939 + */
   1.940 +PKIX_Error *
   1.941 +PKIX_PL_CertPolicyInfo_GetPolQualifiers(
   1.942 +        PKIX_PL_CertPolicyInfo *policyInfo,
   1.943 +        PKIX_List **pPolicyQualifiers, /* list of PKIX_PL_CertPolicyQualifier */
   1.944 +        void *plContext);
   1.945 +
   1.946 +/*
   1.947 + * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId
   1.948 + * DESCRIPTION:
   1.949 + *
   1.950 + *  Retrieves a pointer to an OID representing the policyQualifierId of the
   1.951 + *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at
   1.952 + *  "pPolicyQualifierId".
   1.953 + *
   1.954 + *  PolicyQualifierInfo ::= SEQUENCE {
   1.955 + *      policyQualifierId       PolicyQualifierId,
   1.956 + *      qualifier               ANY DEFINED BY policyQualifierId }
   1.957 + *
   1.958 + *  PolicyQualifierId ::=
   1.959 + *      OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
   1.960 + *
   1.961 + * PARAMETERS:
   1.962 + *  "policyQualifier"
   1.963 + *      Address of CertPolQualifier whose policyQualifierId is to be stored.
   1.964 + *      Must be non-NULL.
   1.965 + *  "pPolicyQualifierId"
   1.966 + *      Address where object pointer will be stored. Must be non-NULL.
   1.967 + *  "plContext"
   1.968 + *      Platform-specific context pointer.
   1.969 + * THREAD SAFETY:
   1.970 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
   1.971 + * RETURNS:
   1.972 + *  Returns NULL if the function succeeds.
   1.973 + *  Returns a Cert Error if the function fails in a non-fatal way.
   1.974 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
   1.975 + */
   1.976 +PKIX_Error *
   1.977 +PKIX_PL_PolicyQualifier_GetPolicyQualifierId(
   1.978 +        PKIX_PL_CertPolicyQualifier *policyQualifier,
   1.979 +        PKIX_PL_OID **pPolicyQualifierId,
   1.980 +        void *plContext);
   1.981 +
   1.982 +/*
   1.983 + * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier
   1.984 + * DESCRIPTION:
   1.985 + *
   1.986 + *  Retrieves a pointer to a ByteArray representing the qualifier of the
   1.987 + *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at
   1.988 + *  "pQualifier".
   1.989 + *
   1.990 + *  PolicyQualifierInfo ::= SEQUENCE {
   1.991 + *      policyQualifierId       PolicyQualifierId,
   1.992 + *      qualifier               ANY DEFINED BY policyQualifierId }
   1.993 + *
   1.994 + * PARAMETERS:
   1.995 + *  "policyQualifier"
   1.996 + *      Address of CertPolicyQualifier whose qualifier is to be stored.
   1.997 + *      Must be non-NULL.
   1.998 + *  "pQualifier"
   1.999 + *      Address where object pointer will be stored. Must be non-NULL.
  1.1000 + *  "plContext"
  1.1001 + *      Platform-specific context pointer.
  1.1002 + * THREAD SAFETY:
  1.1003 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1004 + * RETURNS:
  1.1005 + *  Returns NULL if the function succeeds.
  1.1006 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1007 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1008 + */
  1.1009 +PKIX_Error *
  1.1010 +PKIX_PL_PolicyQualifier_GetQualifier(
  1.1011 +        PKIX_PL_CertPolicyQualifier *policyQualifier,
  1.1012 +        PKIX_PL_ByteArray **pQualifier,
  1.1013 +        void *plContext);
  1.1014 +
  1.1015 +/*
  1.1016 + * FUNCTION: PKIX_PL_Cert_GetPolicyMappings
  1.1017 + * DESCRIPTION:
  1.1018 + *
  1.1019 + *  Retrieves a pointer to a List of CertPolicyMaps found in the policy
  1.1020 + *  mappings extension of the Cert pointed to by "cert" and stores it at
  1.1021 + *  "pPolicyMappings". If "cert" does not have a policy mappings extension,
  1.1022 + *  this function stores NULL at "pPolicyMappings". Once created, a
  1.1023 + *  CertPolicyMap is immutable.
  1.1024 + *
  1.1025 + *  Note that the List returned by this function is immutable.
  1.1026 + *
  1.1027 + *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
  1.1028 + *      issuerDomainPolicy      CertPolicyId,
  1.1029 + *      subjectDomainPolicy     CertPolicyId }
  1.1030 + *
  1.1031 + * PARAMETERS:
  1.1032 + *  "cert"
  1.1033 + *      Address of Cert whose CertPolicyMaps are to be stored.
  1.1034 + *      Must be non-NULL.
  1.1035 + *  "pPolicyMappings"
  1.1036 + *      Address where object pointer will be stored. Must be non-NULL.
  1.1037 + *  "plContext"
  1.1038 + *      Platform-specific context pointer.
  1.1039 + * THREAD SAFETY:
  1.1040 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1041 + * RETURNS:
  1.1042 + *  Returns NULL if the function succeeds.
  1.1043 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1044 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1045 + */
  1.1046 +PKIX_Error *
  1.1047 +PKIX_PL_Cert_GetPolicyMappings(
  1.1048 +        PKIX_PL_Cert *cert,
  1.1049 +        PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */
  1.1050 +        void *plContext);
  1.1051 +
  1.1052 +/*
  1.1053 + * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
  1.1054 + * DESCRIPTION:
  1.1055 + *
  1.1056 + *  Retrieves a pointer to an OID representing the issuerDomainPolicy of the
  1.1057 + *  CertPolicyMap pointed to by "policyMapping" and stores it at
  1.1058 + *  "pIssuerDomainPolicy".
  1.1059 + *
  1.1060 + *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
  1.1061 + *      issuerDomainPolicy      CertPolicyId,
  1.1062 + *      subjectDomainPolicy     CertPolicyId }
  1.1063 + *
  1.1064 + * PARAMETERS:
  1.1065 + *  "policyMapping"
  1.1066 + *      Address of CertPolicyMap whose issuerDomainPolicy is to be stored.
  1.1067 + *      Must be non-NULL.
  1.1068 + *  "pIssuerDomainPolicy"
  1.1069 + *      Address where object pointer will be stored. Must be non-NULL.
  1.1070 + *  "plContext"
  1.1071 + *      Platform-specific context pointer.
  1.1072 + * THREAD SAFETY:
  1.1073 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1074 + * RETURNS:
  1.1075 + *  Returns NULL if the function succeeds.
  1.1076 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1077 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1078 + */
  1.1079 +PKIX_Error *
  1.1080 +PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(
  1.1081 +        PKIX_PL_CertPolicyMap *policyMapping,
  1.1082 +        PKIX_PL_OID **pIssuerDomainPolicy,
  1.1083 +        void *plContext);
  1.1084 +
  1.1085 +/*
  1.1086 + * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
  1.1087 + * DESCRIPTION:
  1.1088 + *
  1.1089 + *  Retrieves a pointer to an OID representing the subjectDomainPolicy of the
  1.1090 + *  CertPolicyMap pointed to by "policyMapping" and stores it at
  1.1091 + *  "pSubjectDomainPolicy".
  1.1092 + *
  1.1093 + *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
  1.1094 + *      issuerDomainPolicy      CertPolicyId,
  1.1095 + *      subjectDomainPolicy     CertPolicyId }
  1.1096 + *
  1.1097 + * PARAMETERS:
  1.1098 + *  "policyMapping"
  1.1099 + *      Address of CertPolicyMap whose subjectDomainPolicy is to be stored.
  1.1100 + *      Must be non-NULL.
  1.1101 + *  "pSubjectDomainPolicy"
  1.1102 + *      Address where object pointer will be stored. Must be non-NULL.
  1.1103 + *  "plContext"
  1.1104 + *      Platform-specific context pointer.
  1.1105 + * THREAD SAFETY:
  1.1106 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1107 + * RETURNS:
  1.1108 + *  Returns NULL if the function succeeds.
  1.1109 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1110 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1111 + */
  1.1112 +PKIX_Error *
  1.1113 +PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(
  1.1114 +        PKIX_PL_CertPolicyMap *policyMapping,
  1.1115 +        PKIX_PL_OID **pSubjectDomainPolicy,
  1.1116 +        void *plContext);
  1.1117 +
  1.1118 +/*
  1.1119 + * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy
  1.1120 + * DESCRIPTION:
  1.1121 + *
  1.1122 + *  Retrieves the requireExplicitPolicy value of the policy constraints
  1.1123 + *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".
  1.1124 + *  If "cert" does not have a policy constraints extension or the
  1.1125 + *  requireExplicitPolicy component is not populated, this function stores -1
  1.1126 + *  at "pSkipCerts".
  1.1127 + *
  1.1128 + *  PolicyConstraints ::= SEQUENCE {
  1.1129 + *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,
  1.1130 + *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
  1.1131 + *
  1.1132 + *  SkipCerts ::= INTEGER (0..MAX)
  1.1133 + *
  1.1134 + * PARAMETERS:
  1.1135 + *  "cert"
  1.1136 + *      Address of Cert whose requireExplicitPolicy value is to be stored.
  1.1137 + *      Must be non-NULL.
  1.1138 + *  "pSkipCerts"
  1.1139 + *      Address where PKIX_Int32 will be stored. Must be non-NULL.
  1.1140 + *  "plContext"
  1.1141 + *      Platform-specific context pointer.
  1.1142 + * THREAD SAFETY:
  1.1143 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1144 + * RETURNS:
  1.1145 + *  Returns NULL if the function succeeds.
  1.1146 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1147 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1148 + */
  1.1149 +PKIX_Error *
  1.1150 +PKIX_PL_Cert_GetRequireExplicitPolicy(
  1.1151 +        PKIX_PL_Cert *cert,
  1.1152 +        PKIX_Int32 *pSkipCerts,
  1.1153 +        void *plContext);
  1.1154 +
  1.1155 +/*
  1.1156 + * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited
  1.1157 + * DESCRIPTION:
  1.1158 + *
  1.1159 + *  Retrieves the inhibitPolicyMapping value of the policy constraints
  1.1160 + *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".
  1.1161 + *  If "cert" does not have a policy constraints extension or the
  1.1162 + *  inhibitPolicyMapping component is not populated, this function stores -1
  1.1163 + *  at "pSkipCerts".
  1.1164 + *
  1.1165 + *  PolicyConstraints ::= SEQUENCE {
  1.1166 + *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,
  1.1167 + *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
  1.1168 + *
  1.1169 + *  SkipCerts ::= INTEGER (0..MAX)
  1.1170 + *
  1.1171 + * PARAMETERS:
  1.1172 + *  "cert"
  1.1173 + *      Address of Cert whose requireExplicitPolicy value is to be stored.
  1.1174 + *      Must be non-NULL.
  1.1175 + *  "pSkipCerts"
  1.1176 + *      Address where PKIX_Int32 will be stored. Must be non-NULL.
  1.1177 + *  "plContext"
  1.1178 + *      Platform-specific context pointer.
  1.1179 + * THREAD SAFETY:
  1.1180 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1181 + * RETURNS:
  1.1182 + *  Returns NULL if the function succeeds.
  1.1183 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1184 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1185 + */
  1.1186 +PKIX_Error *
  1.1187 +PKIX_PL_Cert_GetPolicyMappingInhibited(
  1.1188 +        PKIX_PL_Cert *cert,
  1.1189 +        PKIX_Int32 *pSkipCerts,
  1.1190 +        void *plContext);
  1.1191 +
  1.1192 +/*
  1.1193 + * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy
  1.1194 + * DESCRIPTION:
  1.1195 + *
  1.1196 + *  Retrieves the value of the inhibit any-policy extension of the Cert
  1.1197 + *  pointed to by "cert" and stores it at "pSkipCerts". If "cert" does not have
  1.1198 + *  an inhibit any-policy extension, this function stores -1 at "pSkipCerts".
  1.1199 + *
  1.1200 + *  InhibitAnyPolicy ::= SkipCerts
  1.1201 + *
  1.1202 + *  SkipCerts ::= INTEGER (0..MAX)
  1.1203 + *
  1.1204 + * PARAMETERS:
  1.1205 + *  "cert"
  1.1206 + *      Address of Cert whose inhibit any-policy extensions value is to be
  1.1207 + *      stored. Must be non-NULL.
  1.1208 + *  "pSkipCerts"
  1.1209 + *      Address where PKIX_Int32 will be stored. Must be non-NULL.
  1.1210 + *  "plContext"
  1.1211 + *      Platform-specific context pointer.
  1.1212 + * THREAD SAFETY:
  1.1213 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1214 + * RETURNS:
  1.1215 + *  Returns NULL if the function succeeds.
  1.1216 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1217 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1218 + */
  1.1219 +PKIX_Error *
  1.1220 +PKIX_PL_Cert_GetInhibitAnyPolicy(
  1.1221 +        PKIX_PL_Cert *cert,
  1.1222 +        PKIX_Int32 *pSkipCerts,
  1.1223 +        void *plContext);
  1.1224 +
  1.1225 +/* policy processing functions */
  1.1226 +
  1.1227 +/*
  1.1228 + * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical
  1.1229 + * DESCRIPTION:
  1.1230 + *
  1.1231 + *  Checks whether the certificate policies extension of the Cert pointed to
  1.1232 + *  by "cert" is critical and stores the Boolean result at "pCritical". If
  1.1233 + *  "cert" does not have a certificate policies extension, this function
  1.1234 + *  stores NULL at "pCritical".
  1.1235 + *
  1.1236 + *  XXX what distinguishes NULL from PKIX_FALSE?
  1.1237 + *
  1.1238 + * PARAMETERS:
  1.1239 + *  "cert"
  1.1240 + *      Address of Cert whose certificate policies extension's criticality is
  1.1241 + *      to be determined. Must be non-NULL.
  1.1242 + *  "pCritical"
  1.1243 + *      Address where PKIX_Boolean will be stored. Must be non-NULL.
  1.1244 + *  "plContext"
  1.1245 + *      Platform-specific context pointer.
  1.1246 + * THREAD SAFETY:
  1.1247 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1248 + * RETURNS:
  1.1249 + *  Returns NULL if the function succeeds.
  1.1250 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1251 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1252 + */
  1.1253 +PKIX_Error *
  1.1254 +PKIX_PL_Cert_AreCertPoliciesCritical(
  1.1255 +        PKIX_PL_Cert *cert,
  1.1256 +        PKIX_Boolean *pCritical,
  1.1257 +        void *plContext);
  1.1258 +
  1.1259 +/*
  1.1260 + * FUNCTION: PKIX_PL_Cert_CheckNameConstraints
  1.1261 + * DESCRIPTION:
  1.1262 + *
  1.1263 + *  Checks whether the subject distinguished name and subject alternative names
  1.1264 + *  of the Cert pointed to by "cert" satisfy the CertNameConstraints pointed
  1.1265 + *  to by "nameConstraints". If the CertNameConstraints are not satisfied, a
  1.1266 + *  PKIX_Error pointer is returned. If "nameConstraints" is NULL, the function
  1.1267 + *  does nothing.
  1.1268 + *
  1.1269 + * PARAMETERS:
  1.1270 + *  "cert"
  1.1271 + *      Address of Cert whose subject names are to be checked.
  1.1272 + *      Must be non-NULL.
  1.1273 + *  "nameConstraints"
  1.1274 + *      Address of CertNameConstraints that need to be satisfied.
  1.1275 + *  "treatCommonNameAsDNSName"
  1.1276 + *      PKIX_TRUE if the subject common name should be considered a dNSName
  1.1277 + *      when evaluating name constraints.
  1.1278 + *  "plContext"
  1.1279 + *      Platform-specific context pointer.
  1.1280 + * THREAD SAFETY:
  1.1281 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1282 + * RETURNS:
  1.1283 + *  Returns NULL if the function succeeds.
  1.1284 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1285 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1286 + */
  1.1287 +PKIX_Error *
  1.1288 +PKIX_PL_Cert_CheckNameConstraints(
  1.1289 +        PKIX_PL_Cert *cert,
  1.1290 +        PKIX_PL_CertNameConstraints *nameConstraints,
  1.1291 +        PKIX_Boolean treatCommonNameAsDNSName,
  1.1292 +        void *plContext);
  1.1293 +
  1.1294 +/*
  1.1295 + * FUNCTION: PKIX_PL_Cert_MergeNameConstraints
  1.1296 + * DESCRIPTION:
  1.1297 + *
  1.1298 + *  Merges the CertNameConstraints pointed to by "firstNC" and the
  1.1299 + *  CertNameConstraints pointed to by "secondNC" and stores the merged
  1.1300 + *  CertNameConstraints at "pResultNC". If "secondNC" is NULL, the
  1.1301 + *  CertNameConstraints pointed to by "firstNC" is stored at "pResultNC".
  1.1302 + *
  1.1303 + *  Once created, a CertNameConstraints object is immutable.
  1.1304 + *
  1.1305 + * PARAMETERS:
  1.1306 + *  "firstNC"
  1.1307 + *      Address of first CertNameConstraints to be merged. Must be non-NULL.
  1.1308 + *  "secondNC"
  1.1309 + *      Address of second CertNameConstraints to be merged
  1.1310 + *  "pResultNC"
  1.1311 + *      Address where object pointer will be stored. Must be non-NULL.
  1.1312 + *  "plContext"
  1.1313 + *      Platform-specific context pointer.
  1.1314 + * THREAD SAFETY:
  1.1315 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1316 + * RETURNS:
  1.1317 + *  Returns NULL if the function succeeds.
  1.1318 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1319 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1320 + */
  1.1321 +PKIX_Error *
  1.1322 +PKIX_PL_Cert_MergeNameConstraints(
  1.1323 +        PKIX_PL_CertNameConstraints *firstNC,
  1.1324 +        PKIX_PL_CertNameConstraints *secondNC,
  1.1325 +        PKIX_PL_CertNameConstraints **pResultNC,
  1.1326 +        void *plContext);
  1.1327 +
  1.1328 +/*
  1.1329 + * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage
  1.1330 + * DESCRIPTION:
  1.1331 + *
  1.1332 + *  Verifies that the keyUsage bit(s) specified by "keyUsage" appear in the
  1.1333 + *  keyUsage extension of the Cert pointed to by "cert". The keyUsage bit
  1.1334 + *  values specified in pkixt.h are supported, and can be bitwise or'ed if
  1.1335 + *  multiple bit values are to be verified. If the keyUsages do not all appear
  1.1336 + *  in the keyUsage extension of "cert", a PKIX_Error pointer is returned.
  1.1337 + *
  1.1338 + *  KeyUsage ::= BIT STRING {
  1.1339 + *      digitalSignature        (0),
  1.1340 + *      nonRepudiation          (1),
  1.1341 + *      keyEncipherment         (2),
  1.1342 + *      dataEncipherment        (3),
  1.1343 + *      keyAgreement            (4),
  1.1344 + *      keyCertSign             (5),
  1.1345 + *      cRLSign                 (6),
  1.1346 + *      encipherOnly            (7),
  1.1347 + *      decipherOnly            (8) }
  1.1348 + *
  1.1349 + * PARAMETERS:
  1.1350 + *  "cert"
  1.1351 + *      Address of Cert whose keyUsage bits are to be verified.
  1.1352 + *      Must be non-NULL.
  1.1353 + *  "keyUsage"
  1.1354 + *      Constant representing keyUsage bit(s) that all must appear in keyUsage
  1.1355 + *      extension of "cert".
  1.1356 + *  "plContext" - Platform-specific context pointer.
  1.1357 + * THREAD SAFETY:
  1.1358 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1359 + * RETURNS:
  1.1360 + *  Returns NULL if the function succeeds.
  1.1361 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1362 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1363 + */
  1.1364 +PKIX_Error *
  1.1365 +PKIX_PL_Cert_VerifyKeyUsage(
  1.1366 +        PKIX_PL_Cert *cert,
  1.1367 +        PKIX_UInt32 keyUsage,
  1.1368 +        void *plContext);
  1.1369 +
  1.1370 +/*
  1.1371 + * FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType
  1.1372 + * DESCRIPTION:
  1.1373 + *
  1.1374 + * Verifies cert and key types against certificate usage that is
  1.1375 + * a part of plContext(pkix_pl_nsscontext) structure. Throws an error
  1.1376 + * if cert or key types does not match.
  1.1377 + *
  1.1378 + * PARAMETERS:
  1.1379 + *  "cert"
  1.1380 + *      Address of Cert whose keyUsage bits are to be verified.
  1.1381 + *      Must be non-NULL.
  1.1382 + *  "isLeafCert"
  1.1383 + *      What type of a cert has been verified.
  1.1384 + *  "plContext" - Platform-specific context pointer.
  1.1385 + * THREAD SAFETY:
  1.1386 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1387 + * RETURNS:
  1.1388 + *  Returns NULL if the function succeeds.
  1.1389 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1390 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1391 + */
  1.1392 +PKIX_Error *
  1.1393 +PKIX_PL_Cert_VerifyCertAndKeyType(
  1.1394 +        PKIX_PL_Cert *cert,
  1.1395 +        PKIX_Boolean isChainCert,
  1.1396 +        void *plContext);
  1.1397 +
  1.1398 +/*
  1.1399 + * FUNCTION: PKIX_PL_Cert_CheckValidity
  1.1400 + * DESCRIPTION:
  1.1401 + *
  1.1402 + *  Checks whether the Cert pointed to by "cert" would be valid at the time
  1.1403 + *  represented by the Date pointed to by "date". If "date" is NULL, then this
  1.1404 + *  function checks whether the Cert would be valid at the current time. If the
  1.1405 + *  Cert would not be valid at the specified Date, a PKIX_Error pointer is
  1.1406 + *  returned.
  1.1407 + *
  1.1408 + *  Validity ::= SEQUENCE {
  1.1409 + *      notBefore       Time,
  1.1410 + *      notAfter        Time }
  1.1411 + *
  1.1412 + *  Time ::= CHOICE {
  1.1413 + *      utcTime         UTCTime,
  1.1414 + *      generalTime     GeneralizedTime }
  1.1415 + *
  1.1416 + * PARAMETERS:
  1.1417 + *  "cert"
  1.1418 + *      Address of Cert whose validity is to be checked. Must be non-NULL.
  1.1419 + *  "date"
  1.1420 + *      Address of Date at which the Cert is being checked for validity.
  1.1421 + *      If NULL, the current time is used for the Date.
  1.1422 + *  "plContext"
  1.1423 + *      Platform-specific context pointer.
  1.1424 + * THREAD SAFETY:
  1.1425 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1426 + * RETURNS:
  1.1427 + *  Returns NULL if the function succeeds.
  1.1428 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1429 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1430 + */
  1.1431 +PKIX_Error *
  1.1432 +PKIX_PL_Cert_CheckValidity(
  1.1433 +        PKIX_PL_Cert *cert,
  1.1434 +        PKIX_PL_Date *date,
  1.1435 +        void *plContext);
  1.1436 +
  1.1437 +/*
  1.1438 + * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter
  1.1439 + * DESCRIPTION:
  1.1440 + *
  1.1441 + *  Retrieves a pointer to the Date that represents the notAfter time of the
  1.1442 + *  Certificate pointed to by "cert" and stores it at "pDate".
  1.1443 + *
  1.1444 + *  Validity ::= SEQUENCE {
  1.1445 + *      notBefore       Time,
  1.1446 + *      notAfter        Time }
  1.1447 + *
  1.1448 + * PARAMETERS:
  1.1449 + *  "cert"
  1.1450 + *      Address of Cert whose validity time is to be retrieved. Must be
  1.1451 + *      non-NULL.
  1.1452 + *  "date"
  1.1453 + *      Address of Date at which the Cert's notAfter time is being retrieved.
  1.1454 + *      Must be non-NULL.
  1.1455 + *  "plContext"
  1.1456 + *      Platform-specific context pointer.
  1.1457 + * THREAD SAFETY:
  1.1458 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1459 + * RETURNS:
  1.1460 + *  Returns NULL if the function succeeds.
  1.1461 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1462 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1463 + */
  1.1464 +PKIX_Error *
  1.1465 +PKIX_PL_Cert_GetValidityNotAfter(
  1.1466 +        PKIX_PL_Cert *cert,
  1.1467 +        PKIX_PL_Date **pDate,
  1.1468 +        void *plContext);
  1.1469 +
  1.1470 +/*
  1.1471 + * FUNCTION: PKIX_PL_Cert_VerifySignature
  1.1472 + * DESCRIPTION:
  1.1473 + *
  1.1474 + *  Verifies the signature on the Cert pointed to by "cert" using the
  1.1475 + *  PublicKey pointed to by "pubKey". If the signature doesn't verify, an
  1.1476 + *  Error pointer is returned.
  1.1477 + *
  1.1478 + * PARAMETERS:
  1.1479 + *  "cert"
  1.1480 + *      Address of Cert whose signature is to be verified. Must be non-NULL.
  1.1481 + *  "pubKey"
  1.1482 + *      Address of a Public Key used to verify the signature. Must be non-NULL.
  1.1483 + *  "plContext"
  1.1484 + *      Platform-specific context pointer.
  1.1485 + * THREAD SAFETY:
  1.1486 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1487 + * RETURNS:
  1.1488 + *  Returns NULL if the function succeeds.
  1.1489 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1490 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1491 + */
  1.1492 +PKIX_Error *
  1.1493 +PKIX_PL_Cert_VerifySignature(
  1.1494 +        PKIX_PL_Cert *cert,
  1.1495 +        PKIX_PL_PublicKey *pubKey,
  1.1496 +        void *plContext);
  1.1497 +
  1.1498 +/* A set of flags to indicate how explicitly configured trust anchors should be
  1.1499 + * handled by PKIX_PL_Cert_IsCertTrusted
  1.1500 + */
  1.1501 +typedef enum PKIX_PL_TrustAnchorModeEnum {
  1.1502 +        /* Indicates trust anchors should be ignored; only the underlying
  1.1503 +         * platform's trust settings should be used.
  1.1504 +         */
  1.1505 +        PKIX_PL_TrustAnchorMode_Ignore,
  1.1506 +
  1.1507 +        /* Indicates that explicitly configured trust anchors may be considered
  1.1508 +         * trustworthy, if present.
  1.1509 +         * Note: If the underlying platform supports marking a certificate as
  1.1510 +         *       explicitly untrustworthy, explicitly configured trust anchors
  1.1511 +         *       MAY be ignored/rejected.
  1.1512 +         */
  1.1513 +        PKIX_PL_TrustAnchorMode_Additive,
  1.1514 +
  1.1515 +        /* Indicates that ONLY trust anchors should be considered as
  1.1516 +         * trustworthy.
  1.1517 +         * Note: If the underlying platform supports marking a certificate as
  1.1518 +         *       explicitly untrustworthy, explicitly configured trust anchors
  1.1519 +         *       MAY be ignored/rejected.
  1.1520 +         */
  1.1521 +        PKIX_PL_TrustAnchorMode_Exclusive
  1.1522 +} PKIX_PL_TrustAnchorMode;
  1.1523 +
  1.1524 +/*
  1.1525 + * FUNCTION: PKIX_PL_Cert_IsCertTrusted
  1.1526 + * DESCRIPTION:
  1.1527 + *
  1.1528 + *  Checks the Cert specified by "cert" to determine, in a manner that depends
  1.1529 + *  on the underlying platform, whether it is trusted, and stores the result in
  1.1530 + *  "pTrusted". If a certificate is trusted it means that a chain built to that
  1.1531 + *  certificate, and satisfying all the usage, policy, validity, and other
  1.1532 + *  tests, is a valid chain and the End Entity certificate from which it was
  1.1533 + *  built can be trusted.
  1.1534 + *
  1.1535 + *  If the Certificate is not intrinsically trustworthy, it still might end up a
  1.1536 + *  component in a successful chain.
  1.1537 + *
  1.1538 + *  If the Certificate is intrinsically untrustworthy, this function will return
  1.1539 + *  an error. 
  1.1540 + *
  1.1541 + * PARAMETERS
  1.1542 + *  "cert"
  1.1543 + *      Address of Cert whose trustworthiness is to be determined. Must be
  1.1544 + *      non-NULL.
  1.1545 + *  "trustAnchorMode"
  1.1546 + *      A PKIX_PL_TrustAnchorMode that indicates how explicitly defined user
  1.1547 + *      trust anchors should be handled.
  1.1548 + *  "pTrusted"
  1.1549 + *      Address where the Boolean value will be stored. Must be non-NULL.
  1.1550 + *  "plContext"
  1.1551 + *      Platform-specific context pointer.
  1.1552 + * THREAD SAFETY:
  1.1553 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1554 + * RETURNS:
  1.1555 + *  Returns NULL if the function succeeds.
  1.1556 + *  Returns a CERT Error if the function fails in a non-fatal way.
  1.1557 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1558 + */
  1.1559 +PKIX_Error *
  1.1560 +PKIX_PL_Cert_IsCertTrusted(
  1.1561 +        PKIX_PL_Cert *cert,
  1.1562 +        PKIX_PL_TrustAnchorMode trustAnchorMode,
  1.1563 +        PKIX_Boolean *pTrusted,
  1.1564 +        void *plContext);
  1.1565 +
  1.1566 +/*
  1.1567 + * FUNCTION: PKIX_PL_Cert_IsLeafCertTrusted
  1.1568 + * DESCRIPTION:
  1.1569 + *
  1.1570 + *  Checks the Leaf Cert specified by "cert" to determine, in a manner that 
  1.1571 + *  depends on the underlying platform, whether it is trusted, and stores the 
  1.1572 + *  result in "pTrusted". If a certificate is trusted it means that this
  1.1573 + *  End Entify certificate has been marked as trusted for the requested usage,
  1.1574 + *  policy, validity, and other tests.
  1.1575 + *
  1.1576 + *  If the Certificate is not intrinsically trustworthy, we can still try to 
  1.1577 + *  build a successful chain.
  1.1578 + *
  1.1579 + *  If the Certificate is intrinsically untrustworthy, this function will return
  1.1580 + *  an error. 
  1.1581 + *
  1.1582 + * PARAMETERS
  1.1583 + *  "cert"
  1.1584 + *      Address of Cert whose trustworthiness is to be determined. Must be
  1.1585 + *      non-NULL.
  1.1586 + *  "pTrusted"
  1.1587 + *      Address where the Boolean value will be stored. Must be non-NULL.
  1.1588 + *  "plContext"
  1.1589 + *      Platform-specific context pointer.
  1.1590 + * THREAD SAFETY:
  1.1591 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1592 + * RETURNS:
  1.1593 + *  Returns NULL if the function succeeds.
  1.1594 + *  Returns a CERT Error if the function fails in a non-fatal way.
  1.1595 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1596 + */
  1.1597 +PKIX_Error *
  1.1598 +PKIX_PL_Cert_IsLeafCertTrusted(
  1.1599 +        PKIX_PL_Cert *cert,
  1.1600 +        PKIX_Boolean *pTrusted,
  1.1601 +        void *plContext);
  1.1602 +
  1.1603 +/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */
  1.1604 +PKIX_Error*
  1.1605 +PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, 
  1.1606 +                              void *plContext);
  1.1607 +
  1.1608 +/*
  1.1609 + * FUNCTION: PKIX_PL_Cert_GetCacheFlag
  1.1610 + * DESCRIPTION:
  1.1611 + *
  1.1612 + *  Retrieves the value of the cache flag in "cert" and return it at address
  1.1613 + *  pointed by "pCacheFlag". The initila cache flag is determined by the
  1.1614 + *  CertStore this "cert" is fetched from. When CertStore is created, user
  1.1615 + *  need to specify if the data should be cached.
  1.1616 + *
  1.1617 + * PARAMETERS:
  1.1618 + *  "cert"
  1.1619 + *      Address of Cert whose cache flag is fetched. Must be non-NULL.
  1.1620 + *  "pCacheFlag"
  1.1621 + *      Address where PKIX_Boolean will be stored. Must be non-NULL.
  1.1622 + *  "plContext"
  1.1623 + *      Platform-specific context pointer.
  1.1624 + * THREAD SAFETY:
  1.1625 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1626 + * RETURNS:
  1.1627 + *  Returns NULL if the function succeeds.
  1.1628 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1629 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1630 + */
  1.1631 +PKIX_Error *
  1.1632 +PKIX_PL_Cert_GetCacheFlag(
  1.1633 +        PKIX_PL_Cert *cert,
  1.1634 +        PKIX_Boolean *pCacheFlag,
  1.1635 +        void *plContext);
  1.1636 +
  1.1637 +/*
  1.1638 + * FUNCTION: PKIX_PL_Cert_SetCacheFlag
  1.1639 + * DESCRIPTION:
  1.1640 + *
  1.1641 + *  Set the value of the cache flag in "cert" base on the boolean value stored
  1.1642 + *  at "cacheFlag". This function is meant to be used by CertStore after a
  1.1643 + *  Cert is created.
  1.1644 + *
  1.1645 + * PARAMETERS:
  1.1646 + *  "cert"
  1.1647 + *      Address of Cert where "cacheFlag" is stored. Must be non-NULL.
  1.1648 + *  "cacheFlag"
  1.1649 + *      PKIX_Boolean flag for cache flag.
  1.1650 + *  "plContext"
  1.1651 + *      Platform-specific context pointer.
  1.1652 + * THREAD SAFETY:
  1.1653 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1654 + * RETURNS:
  1.1655 + *  Returns NULL if the function succeeds.
  1.1656 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1657 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1658 + */
  1.1659 +PKIX_Error *
  1.1660 +PKIX_PL_Cert_SetCacheFlag(
  1.1661 +        PKIX_PL_Cert *cert,
  1.1662 +        PKIX_Boolean cacheFlag,
  1.1663 +        void *plContext);
  1.1664 +
  1.1665 +/*
  1.1666 + * FUNCTION: PKIX_PL_Cert_GetTrustCertStore
  1.1667 + * DESCRIPTION:
  1.1668 + *
  1.1669 + *  Retrieves the value of the CertStore in "cert" and return it at address
  1.1670 + *  pointed by "pCertStore".
  1.1671 + *
  1.1672 + * PARAMETERS:
  1.1673 + *  "cert"
  1.1674 + *      Address of Cert whose CertStore is fetched. Must be non-NULL.
  1.1675 + *  "pTrustCertStore"
  1.1676 + *      Address where CertStore will be stored and returned. Must be non-NULL.
  1.1677 + *  "plContext"
  1.1678 + *      Platform-specific context pointer.
  1.1679 + * THREAD SAFETY:
  1.1680 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1681 + * RETURNS:
  1.1682 + *  Returns NULL if the function succeeds.
  1.1683 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1684 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1685 + */
  1.1686 +PKIX_Error *
  1.1687 +PKIX_PL_Cert_GetTrustCertStore(
  1.1688 +        PKIX_PL_Cert *cert,
  1.1689 +        PKIX_CertStore **pTrustCertStore,
  1.1690 +        void *plContext);
  1.1691 +
  1.1692 +/*
  1.1693 + * FUNCTION: PKIX_PL_Cert_SetTrustCertStore
  1.1694 + * DESCRIPTION:
  1.1695 + *
  1.1696 + *  Set the value of the CertStore "certStore" in "cert".
  1.1697 + *
  1.1698 + * PARAMETERS:
  1.1699 + *  "cert"
  1.1700 + *      Address of Cert where "certStore" will be stored. Must be non-NULL.
  1.1701 + *  "trustCertStore"
  1.1702 + *      Address where the CertStore is. Must be non-NULL.
  1.1703 + *  "plContext"
  1.1704 + *      Platform-specific context pointer.
  1.1705 + * THREAD SAFETY:
  1.1706 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1707 + * RETURNS:
  1.1708 + *  Returns NULL if the function succeeds.
  1.1709 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1710 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1711 + */
  1.1712 +PKIX_Error *
  1.1713 +PKIX_PL_Cert_SetTrustCertStore(
  1.1714 +        PKIX_PL_Cert *cert,
  1.1715 +        PKIX_CertStore *trustCertStore,
  1.1716 +        void *plContext);
  1.1717 +
  1.1718 +
  1.1719 +/*
  1.1720 + * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess
  1.1721 + * DESCRIPTION:
  1.1722 + *
  1.1723 + *  Retrieves the value(s) of the Authority Information Access in "cert" and
  1.1724 + *  returns it in a list at address pointed by "pAuthorityInfoAccess".
  1.1725 + *
  1.1726 + *  SubjectInfoAccess ::=
  1.1727 + *    SEQUENCE SIZE (1..MAX) of AccessDescription
  1.1728 + *    AccessDescription ::= SEQUENCE {
  1.1729 + *        accessMethod     OBJECT IDENTIFIER,
  1.1730 + *        accessLocation   GeneralName
  1.1731 + *    }
  1.1732 + *
  1.1733 + * PARAMETERS:
  1.1734 + *  "cert"
  1.1735 + *      Address of Cert whose Authority Information Access is fetched.
  1.1736 + *      Must be non-NULL.
  1.1737 + *  "pAuthorityInfoAccess"
  1.1738 + *      Address where Authority InfoAccess will be stored and returned.
  1.1739 + *      Must be non-NULL.
  1.1740 + *  "plContext"
  1.1741 + *      Platform-specific context pointer.
  1.1742 + * THREAD SAFETY:
  1.1743 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1744 + * RETURNS:
  1.1745 + *  Returns NULL if the function succeeds.
  1.1746 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1747 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1748 + */
  1.1749 +PKIX_Error *
  1.1750 +PKIX_PL_Cert_GetAuthorityInfoAccess(
  1.1751 +        PKIX_PL_Cert *cert,
  1.1752 +        PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
  1.1753 +        void *plContext);
  1.1754 +
  1.1755 +
  1.1756 +/*
  1.1757 + * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess
  1.1758 + * DESCRIPTION:
  1.1759 + *
  1.1760 + *  Retrieves the value(s) of the Subject Information Access in "cert" and
  1.1761 + *  returns it in a list at address pointed by "pSubjectInfoAccess".
  1.1762 + *
  1.1763 + *  SubjectInfoAccess ::=
  1.1764 + *    SEQUENCE SIZE (1..MAX) of AccessDescription
  1.1765 + *    AccessDescription ::= SEQUENCE {
  1.1766 + *        accessMethod     OBJECT IDENTIFIER,
  1.1767 + *        accessLocation   GeneralName
  1.1768 + *    }
  1.1769 + *
  1.1770 + * PARAMETERS:
  1.1771 + *  "cert"
  1.1772 + *      Address of Cert whose Subject Information Access is fetched.
  1.1773 + *      Must be non-NULL.
  1.1774 + *  "pSubjectInfoAccess"
  1.1775 + *      Address where Subject InfoAccess will be stored and returned.
  1.1776 + *      Must be non-NULL.
  1.1777 + *  "plContext"
  1.1778 + *      Platform-specific context pointer.
  1.1779 + * THREAD SAFETY:
  1.1780 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1781 + * RETURNS:
  1.1782 + *  Returns NULL if the function succeeds.
  1.1783 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1784 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1785 + */
  1.1786 +PKIX_Error *
  1.1787 +PKIX_PL_Cert_GetSubjectInfoAccess(
  1.1788 +        PKIX_PL_Cert *cert,
  1.1789 +        PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */
  1.1790 +        void *plContext);
  1.1791 +
  1.1792 +
  1.1793 +
  1.1794 +/*
  1.1795 + * FUNCTION: PKIX_PL_Cert_GetCrlDp
  1.1796 + * DESCRIPTION:
  1.1797 + *
  1.1798 + *  Retrieves the value(s) of the CRL Distribution Point Extension and
  1.1799 + *  returns it in a list at address pointed by "pDpList".
  1.1800 + *
  1.1801 + * PARAMETERS:
  1.1802 + *  "cert"
  1.1803 + *      Address of Cert whose Subject Information Access is fetched.
  1.1804 + *      Must be non-NULL.
  1.1805 + *  "pDpList"
  1.1806 + *      Address where CRL DP will be stored and returned.
  1.1807 + *      Must be non-NULL.
  1.1808 + *  "plContext"
  1.1809 + *      Platform-specific context pointer.
  1.1810 + * THREAD SAFETY:
  1.1811 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1812 + * RETURNS:
  1.1813 + *  Returns NULL if the function succeeds.
  1.1814 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1815 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1816 + */
  1.1817 +PKIX_Error *
  1.1818 +PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert,
  1.1819 +                      PKIX_List **pDpList,
  1.1820 +                      void *plContext);
  1.1821 +
  1.1822 +
  1.1823 +/*
  1.1824 + * InfoAccess 
  1.1825 + *
  1.1826 + * To hold Authority Information Access or Subject Information Access
  1.1827 + * retrieved from a Certificate.
  1.1828 + */
  1.1829 +
  1.1830 +#define PKIX_INFOACCESS_OCSP          1
  1.1831 +#define PKIX_INFOACCESS_CA_ISSUERS    2
  1.1832 +#define PKIX_INFOACCESS_TIMESTAMPING  3
  1.1833 +#define PKIX_INFOACCESS_CA_REPOSITORY 5
  1.1834 +
  1.1835 +#define PKIX_INFOACCESS_LOCATION_UNKNOWN 0
  1.1836 +#define PKIX_INFOACCESS_LOCATION_HTTP    1
  1.1837 +#ifndef NSS_PKIX_NO_LDAP
  1.1838 +#define PKIX_INFOACCESS_LOCATION_LDAP    2
  1.1839 +#endif
  1.1840 +
  1.1841 +/*
  1.1842 + * FUNCTION: PKIX_PL_InfoAccess_GetMethod
  1.1843 + * DESCRIPTION:
  1.1844 + *
  1.1845 + *  Stores the method of the Information Access from "infoAccess" and
  1.1846 + *  returns in "pMethod".
  1.1847 + *
  1.1848 + *  SubjectInfoAccess ::=
  1.1849 + *    AccessDescription ::= SEQUENCE {
  1.1850 + *        accessMethod     OBJECT IDENTIFIER,
  1.1851 + *        accessLocation   GeneralName
  1.1852 + *    }
  1.1853 + *
  1.1854 + * PARAMETERS:
  1.1855 + *  "infoAccess"
  1.1856 + *      Address of PKIX_PL_InfoAccess that has the access data.
  1.1857 + *      Must be non-NULL.
  1.1858 + *  "pMethod"
  1.1859 + *      Address where access method will be stored and returned.
  1.1860 + *      Must be non-NULL.
  1.1861 + *  "plContext"
  1.1862 + *      Platform-specific context pointer.
  1.1863 + * THREAD SAFETY:
  1.1864 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1865 + * RETURNS:
  1.1866 + *  Returns NULL if the function succeeds.
  1.1867 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1868 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1869 + */
  1.1870 +PKIX_Error *
  1.1871 +PKIX_PL_InfoAccess_GetMethod(
  1.1872 +        PKIX_PL_InfoAccess *infoAccess,
  1.1873 +        PKIX_UInt32 *pMethod,
  1.1874 +        void *plContext);
  1.1875 +
  1.1876 +/*
  1.1877 + * FUNCTION: PKIX_PL_InfoAccess_GetLocation
  1.1878 + * DESCRIPTION:
  1.1879 + *
  1.1880 + *  Stores the location of the Information Access from "infoAccess" and
  1.1881 + *  returns in "pLocation".
  1.1882 + *
  1.1883 + *  SubjectInfoAccess ::=
  1.1884 + *    AccessDescription ::= SEQUENCE {
  1.1885 + *        accessMethod     OBJECT IDENTIFIER,
  1.1886 + *        accessLocation   GeneralName
  1.1887 + *    }
  1.1888 + *
  1.1889 + * PARAMETERS:
  1.1890 + *  "infoAccess"
  1.1891 + *      Address of PKIX_PL_InfoAccess that has the access data.
  1.1892 + *      Must be non-NULL.
  1.1893 + *  "pLocation"
  1.1894 + *      Address where access location will be stored and returned.
  1.1895 + *      Must be non-NULL.
  1.1896 + *  "plContext"
  1.1897 + *      Platform-specific context pointer.
  1.1898 + * THREAD SAFETY:
  1.1899 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1900 + * RETURNS:
  1.1901 + *  Returns NULL if the function succeeds.
  1.1902 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1903 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1904 + */
  1.1905 +PKIX_Error *
  1.1906 +PKIX_PL_InfoAccess_GetLocation(
  1.1907 +        PKIX_PL_InfoAccess *infoAccess,
  1.1908 +        PKIX_PL_GeneralName **pLocation,
  1.1909 +        void *plContext);
  1.1910 +
  1.1911 +/*
  1.1912 + * FUNCTION: PKIX_PL_InfoAccess_GetLocationType
  1.1913 + * DESCRIPTION:
  1.1914 + *
  1.1915 + *  Stores the type of location of the Information Access from "infoAccess" and
  1.1916 + *  returns in "pType".
  1.1917 + *
  1.1918 + *  SubjectInfoAccess ::=
  1.1919 + *    AccessDescription ::= SEQUENCE {
  1.1920 + *        accessMethod     OBJECT IDENTIFIER,
  1.1921 + *        accessLocation   GeneralName
  1.1922 + *    }
  1.1923 + *
  1.1924 + * PARAMETERS:
  1.1925 + *  "infoAccess"
  1.1926 + *      Address of PKIX_PL_InfoAccess that has the access data.
  1.1927 + *      Must be non-NULL.
  1.1928 + *  "pType"
  1.1929 + *      Address where access location type will be stored and returned.
  1.1930 + *      Must be non-NULL.
  1.1931 + *  "plContext"
  1.1932 + *      Platform-specific context pointer.
  1.1933 + * THREAD SAFETY:
  1.1934 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.1935 + * RETURNS:
  1.1936 + *  Returns NULL if the function succeeds.
  1.1937 + *  Returns a Cert Error if the function fails in a non-fatal way.
  1.1938 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.1939 + */
  1.1940 +PKIX_Error *
  1.1941 +PKIX_PL_InfoAccess_GetLocationType(
  1.1942 +        PKIX_PL_InfoAccess *infoAccess,
  1.1943 +        PKIX_UInt32 *pType,
  1.1944 +        void *plContext);
  1.1945 +
  1.1946 +PKIX_Error *
  1.1947 +pkix_pl_InfoAccess_GetAIACerts(
  1.1948 +        PKIX_PL_InfoAccess *ia,
  1.1949 +        void **pNBIOContext,
  1.1950 +        void **pHandle,
  1.1951 +        PKIX_List **pCerts,
  1.1952 +        void *plContext);
  1.1953 +
  1.1954 +/*
  1.1955 + * CRL
  1.1956 + *
  1.1957 + * A CRL represents an X.509 certificate revocation list. It can be created
  1.1958 + * using the bytes of a valid ASN.1 DER encoding. Once created, a CRL is
  1.1959 + * immutable. The following functions include accessors (gettors) for the
  1.1960 + * various components of an X.509 CRL, as well as a function for signature
  1.1961 + * verification.
  1.1962 + */
  1.1963 +
  1.1964 +/*
  1.1965 + * FUNCTION: PKIX_PL_CRL_Create
  1.1966 + * DESCRIPTION:
  1.1967 + *
  1.1968 + *  Creates a new CRL using the bytes in the ByteArray pointed to by
  1.1969 + *  "byteArray" and stores it at "pCRL". If the bytes are not a valid ASN.1
  1.1970 + *  DER encoding of a CRL, a PKIX_Error pointer is returned. Once created, a
  1.1971 + *  CRL is immutable.
  1.1972 + *
  1.1973 + *  CertificateList  ::=  SEQUENCE  {
  1.1974 + *      tbsCertList             TBSCertList,
  1.1975 + *      signatureAlgorithm      AlgorithmIdentifier,
  1.1976 + *      signatureValue          BIT STRING  }
  1.1977 + *
  1.1978 + *  TBSCertList  ::=  SEQUENCE  {
  1.1979 + *      version                 Version OPTIONAL,
  1.1980 + *                              -- if present, MUST be v2
  1.1981 + *      signature               AlgorithmIdentifier,
  1.1982 + *      issuer                  Name,
  1.1983 + *      thisUpdate              Time,
  1.1984 + *      nextUpdate              Time OPTIONAL,
  1.1985 + *      revokedCertificates     SEQUENCE OF SEQUENCE  {
  1.1986 + *              userCertificate         CertificateSerialNumber,
  1.1987 + *              revocationDate          Time,
  1.1988 + *              crlEntryExtensions      Extensions OPTIONAL
  1.1989 + *                                      -- if present, MUST be v2
  1.1990 + *                              }  OPTIONAL,
  1.1991 + *      crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
  1.1992 + *                                      -- if present, MUST be v2
  1.1993 + *      }
  1.1994 + *
  1.1995 + * PARAMETERS:
  1.1996 + *  "byteArray"
  1.1997 + *      Address of ByteArray representing the CRL's DER encoding.
  1.1998 + *      Must be non-NULL.
  1.1999 + *  "pCRL"
  1.2000 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2001 + *  "plContext"
  1.2002 + *      Platform-specific context pointer.
  1.2003 + * THREAD SAFETY:
  1.2004 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2005 + * RETURNS:
  1.2006 + *  Returns NULL if the function succeeds.
  1.2007 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2008 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2009 + */
  1.2010 +PKIX_Error *
  1.2011 +PKIX_PL_CRL_Create(
  1.2012 +        PKIX_PL_ByteArray *byteArray,
  1.2013 +        PKIX_PL_CRL **pCRL,
  1.2014 +        void *plContext);
  1.2015 +
  1.2016 +/*
  1.2017 + * FUNCTION: PKIX_PL_CRL_GetIssuer
  1.2018 + * DESCRIPTION:
  1.2019 + *
  1.2020 + *  Retrieves a pointer to the X500Name that represents the issuer of the CRL
  1.2021 + *  pointed to by "crl" and stores it at "pCRLIssuer".
  1.2022 + *
  1.2023 + * PARAMETERS:
  1.2024 + *  "crl"
  1.2025 + *      Address of CRL whose issuer is to be stored. Must be non-NULL.
  1.2026 + *  "pCRLIssuer"
  1.2027 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2028 + *  "plContext"
  1.2029 + *      Platform-specific context pointer.
  1.2030 + * THREAD SAFETY:
  1.2031 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2032 + * RETURNS:
  1.2033 + *  Returns NULL if the function succeeds.
  1.2034 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2035 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2036 + */
  1.2037 +PKIX_Error *
  1.2038 +PKIX_PL_CRL_GetIssuer(
  1.2039 +        PKIX_PL_CRL *crl,
  1.2040 +        PKIX_PL_X500Name **pCRLIssuer,
  1.2041 +        void *plContext);
  1.2042 +
  1.2043 +/*
  1.2044 + * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs
  1.2045 + * DESCRIPTION:
  1.2046 + *
  1.2047 + *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
  1.2048 + *  critical extension of the CRL pointed to by "crl") and stores it at
  1.2049 + *  "pExtensions". If "crl" does not have any critical extensions, this
  1.2050 + *  function stores an empty List at "pExtensions".
  1.2051 + *
  1.2052 + *  Note that the List returned by this function is immutable.
  1.2053 + *
  1.2054 + * PARAMETERS:
  1.2055 + *  "crl"
  1.2056 + *      Address of CRL whose critical extension OIDs are to be stored.
  1.2057 + *      Must be non-NULL.
  1.2058 + *  "pExtensions"
  1.2059 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2060 + *  "plContext"
  1.2061 + *      Platform-specific context pointer.
  1.2062 + * THREAD SAFETY:
  1.2063 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2064 + * RETURNS:
  1.2065 + *  Returns NULL if the function succeeds.
  1.2066 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2067 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2068 + */
  1.2069 +PKIX_Error *
  1.2070 +PKIX_PL_CRL_GetCriticalExtensionOIDs(
  1.2071 +        PKIX_PL_CRL *crl,
  1.2072 +        PKIX_List **pExtensions,   /* list of PKIX_PL_OID */
  1.2073 +        void *plContext);
  1.2074 +
  1.2075 +/*
  1.2076 + * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber
  1.2077 + * DESCRIPTION:
  1.2078 + *
  1.2079 + *  Retrieves a pointer to the CRLEntry (found in the CRL pointed to by "crl")
  1.2080 + *  corresponding to the BigInt pointed to by "serialNumber" and stores it at
  1.2081 + *  "pCRLEntry". If there is no such CRLEntry, this functions stores NULL at
  1.2082 + *  "pCRLEntry". Once created, a CRLEntry is immutable.
  1.2083 + *
  1.2084 + * PARAMETERS:
  1.2085 + *  "crl"
  1.2086 + *      Address of CRL whose CRL Entries are to be searched. Must be non-NULL.
  1.2087 + *  "serialNumber"
  1.2088 + *      Address of BigInt representing serial number of certificate whose
  1.2089 + *      CRLEntry is to be found. Must be non-NULL.
  1.2090 + *  "pCRLEntry"
  1.2091 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2092 + *  "plContext"
  1.2093 + *      Platform-specific context pointer.
  1.2094 + * THREAD SAFETY:
  1.2095 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2096 + * RETURNS:
  1.2097 + *  Returns NULL if the function succeeds.
  1.2098 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2099 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2100 + */
  1.2101 +PKIX_Error *
  1.2102 +PKIX_PL_CRL_GetCRLEntryForSerialNumber(
  1.2103 +        PKIX_PL_CRL *crl,
  1.2104 +        PKIX_PL_BigInt *serialNumber,
  1.2105 +        PKIX_PL_CRLEntry **pCRLEntry,
  1.2106 +        void *plContext);
  1.2107 +
  1.2108 +/*
  1.2109 + * FUNCTION: PKIX_PL_CRL_GetCRLNumber
  1.2110 + * DESCRIPTION:
  1.2111 + *  Retrieves the CRL Number from extension. This is non-critical extension.
  1.2112 + *
  1.2113 + * PARAMETERS:
  1.2114 + *  "crl"
  1.2115 + *      Address of CRL whose version is to be stored. Must be non-NULL.
  1.2116 + *  "pCrlNumber"
  1.2117 + *      Address where a CRL Number will be stored. Must be non-NULL.
  1.2118 + *  "plContext"
  1.2119 + *      Platform-specific context pointer.
  1.2120 + * THREAD SAFETY:
  1.2121 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2122 + * RETURNS:
  1.2123 + *  Returns NULL if the function succeeds.
  1.2124 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2125 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2126 + */
  1.2127 +PKIX_Error *
  1.2128 +PKIX_PL_CRL_GetCRLNumber(
  1.2129 +        PKIX_PL_CRL *crl,
  1.2130 +        PKIX_PL_BigInt **pCrlNumber,
  1.2131 +        void *plContext);
  1.2132 +
  1.2133 +/*
  1.2134 + * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime
  1.2135 + * DESCRIPTION:
  1.2136 + *
  1.2137 + *  Checks whether the CRL pointed to by "crl" would be valid at the time
  1.2138 + *  represented by the Date pointed to by "date" and stores the Boolean result
  1.2139 + *  at "pResult". This check is done only when NIST policy is enforced.
  1.2140 + *
  1.2141 + *  Time ::= CHOICE {
  1.2142 + *      utcTime         UTCTime,
  1.2143 + *      generalTime     GeneralizedTime }
  1.2144 + *
  1.2145 + * PARAMETERS:
  1.2146 + *  "crl"
  1.2147 + *      Address of CRL whose validity is to be checked. Must be non-NULL.
  1.2148 + *  "date"
  1.2149 + *      Address of Date at which the CRL is being checked for validity.
  1.2150 + *      Must be non-NULL.
  1.2151 + *  "pResult"
  1.2152 + *      Address of Boolean result. Must be non-NULL.
  1.2153 + *  "plContext"
  1.2154 + *      Platform-specific context pointer.
  1.2155 + * THREAD SAFETY:
  1.2156 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2157 + * RETURNS:
  1.2158 + *  Returns NULL if the function succeeds.
  1.2159 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2160 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2161 + */
  1.2162 +PKIX_Error *
  1.2163 +PKIX_PL_CRL_VerifyUpdateTime(
  1.2164 +        PKIX_PL_CRL *crl,
  1.2165 +        PKIX_PL_Date *date,
  1.2166 +        PKIX_Boolean *pResult,
  1.2167 +        void *plContext);
  1.2168 +
  1.2169 +/*
  1.2170 + * FUNCTION: PKIX_PL_CRL_VerifySignature
  1.2171 + * DESCRIPTION:
  1.2172 + *
  1.2173 + *  Verifies the signature on the CRL pointed to by "crl" using the PublicKey
  1.2174 + *  pointed to by "pubKey". If the signature doesn't verify, a PKIX_Error
  1.2175 + *  pointer is returned.
  1.2176 + *
  1.2177 + * PARAMETERS:
  1.2178 + *  "crl"
  1.2179 + *      Address of CRL whose signature is to be verified. Must be non-NULL.
  1.2180 + *  "pubKey"
  1.2181 + *      Address of a Public Key used to verify the signature. Must be non-NULL.
  1.2182 + *  "plContext"
  1.2183 + *      Platform-specific context pointer.
  1.2184 + * THREAD SAFETY:
  1.2185 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2186 + * RETURNS:
  1.2187 + *  Returns NULL if the function succeeds.
  1.2188 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2189 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2190 + */
  1.2191 +PKIX_Error *
  1.2192 +PKIX_PL_CRL_VerifySignature(
  1.2193 +        PKIX_PL_CRL *crl,
  1.2194 +        PKIX_PL_PublicKey *pubKey,
  1.2195 +        void *plContext);
  1.2196 +
  1.2197 +/*
  1.2198 + * FUNCTION: PKIX_PL_CRL_ReleaseDerCrl
  1.2199 + * DESCRIPTION:
  1.2200 + *
  1.2201 + * Relinguish the ownership for the crl der. The operation will succeed if
  1.2202 + * a crl owns the der. If the crl was created from existing crl and does not
  1.2203 + * own the der, then the function will return null.
  1.2204 + *
  1.2205 + * PARAMETERS:
  1.2206 + *  "crl"
  1.2207 + *      Address of CRL whose signature is to be verified. Must be non-NULL.
  1.2208 + *  "derCrl"
  1.2209 + *      Pointer to a SECItem that has der crl.
  1.2210 + *  "plContext"
  1.2211 + *      Platform-specific context pointer.
  1.2212 + * THREAD SAFETY:
  1.2213 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2214 + * RETURNS:
  1.2215 + *  Returns NULL if the function succeeds.
  1.2216 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2217 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2218 + */
  1.2219 +PKIX_Error *
  1.2220 +PKIX_PL_CRL_ReleaseDerCrl(PKIX_PL_CRL *crl,
  1.2221 +                         SECItem **derCrl,
  1.2222 +                         void *plContext);
  1.2223 +/*
  1.2224 + * FUNCTION: PKIX_PL_CRL_AdoptDerCrl
  1.2225 + * DESCRIPTION:
  1.2226 + *
  1.2227 + * Adopt memory of the der. The secItem that contains der will be
  1.2228 + * freed with destruction of parent pkix crl structure.
  1.2229 + *
  1.2230 + * * PARAMETERS:
  1.2231 + *  "crl"
  1.2232 + *      Address of CRL whose signature is to be verified. Must be non-NULL.
  1.2233 + *  "derCrl"
  1.2234 + *      Pointer to a SECItem that has der crl.
  1.2235 + *  "plContext"
  1.2236 + *      Platform-specific context pointer.
  1.2237 + * THREAD SAFETY:
  1.2238 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2239 + * RETURNS:
  1.2240 + *  Returns NULL if the function succeeds.
  1.2241 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2242 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2243 + */
  1.2244 +PKIX_Error *
  1.2245 +PKIX_PL_CRL_AdoptDerCrl(PKIX_PL_CRL *crl,
  1.2246 +                        SECItem *derCrl,
  1.2247 +                        void *plContext);
  1.2248 +
  1.2249 +/*
  1.2250 + * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode
  1.2251 + * DESCRIPTION:
  1.2252 + *
  1.2253 + *  Retrieves the value of the reason code extension of the CRLEntry pointed
  1.2254 + *  to by "crlEntry" and stores it at "pReason". If the "crlEntry" has no
  1.2255 + *  reason code extension, this function stores -1 at "pReason".
  1.2256 + *
  1.2257 + *  CRLReason ::= ENUMERATED {
  1.2258 + *      unspecified             (0),
  1.2259 + *      keyCompromise           (1),
  1.2260 + *      cACompromise            (2),
  1.2261 + *      affiliationChanged      (3),
  1.2262 + *      superseded              (4),
  1.2263 + *      cessationOfOperation    (5),
  1.2264 + *      certificateHold         (6),
  1.2265 + *      removeFromCRL           (8),
  1.2266 + *      privilegeWithdrawn      (9),
  1.2267 + *      aACompromise            (10) }
  1.2268 + *
  1.2269 + * PARAMETERS:
  1.2270 + *  "crlEntry"
  1.2271 + *      Address of CRLEntry whose reason code bit values are to be returned
  1.2272 + *      at "pReason". Must be non-NULL.
  1.2273 + *  "pReason"
  1.2274 + *      Address of PKIX_Int32 where reason code is stored. Must be non-NULL.
  1.2275 + *  "plContext"
  1.2276 + *      Platform-specific context pointer.
  1.2277 + * THREAD SAFETY:
  1.2278 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2279 + * RETURNS:
  1.2280 + *  Returns NULL if the function succeeds.
  1.2281 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2282 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2283 + */
  1.2284 +PKIX_Error *
  1.2285 +PKIX_PL_CRLEntry_GetCRLEntryReasonCode(
  1.2286 +        PKIX_PL_CRLEntry *crlEntry,
  1.2287 +        PKIX_Int32 *pReason,
  1.2288 +        void *plContext);
  1.2289 +
  1.2290 +/*
  1.2291 + * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
  1.2292 + * DESCRIPTION:
  1.2293 + *
  1.2294 + *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
  1.2295 + *  critical extension of the CRLEntry pointed to by "crlEntry") and stores it
  1.2296 + *  at "pExtensions". If "crlEntry" does not have any critical extensions, this
  1.2297 + *  function stores an empty List at "pExtensions".
  1.2298 + *
  1.2299 + *  Note that the List returned by this function is immutable.
  1.2300 + *
  1.2301 + * PARAMETERS:
  1.2302 + *  "crlEntry"
  1.2303 + *      Address of CRLEntry whose critical extension OIDs are to be stored.
  1.2304 + *      Must be non-NULL.
  1.2305 + *  "pExtensions"
  1.2306 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2307 + *  "plContext"
  1.2308 + *      Platform-specific context pointer.
  1.2309 + * THREAD SAFETY:
  1.2310 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2311 + * RETURNS:
  1.2312 + *  Returns NULL if the function succeeds.
  1.2313 + *  Returns a CRL Error if the function fails in a non-fatal way.
  1.2314 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2315 + */
  1.2316 +PKIX_Error *
  1.2317 +PKIX_PL_CRLEntry_GetCriticalExtensionOIDs(
  1.2318 +        PKIX_PL_CRLEntry *crlEntry,
  1.2319 +        PKIX_List **pExtensions,  /* list of PKIX_PL_OID */
  1.2320 +        void *plContext);
  1.2321 +
  1.2322 +#ifdef BUILD_LIBPKIX_TESTS
  1.2323 +/*
  1.2324 + * FUNCTION: PKIX_PL_X500Name_Create
  1.2325 + * DESCRIPTION:
  1.2326 + *
  1.2327 + *  Creates a new X500Name using the UTF8 string representation pointed to by
  1.2328 + *  "stringRep" and stores it at "pName". Once created, an X500Name is
  1.2329 + *  immutable.
  1.2330 + *
  1.2331 + *  Name ::= CHOICE {
  1.2332 + *    RDNSequence }
  1.2333 + *
  1.2334 + *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
  1.2335 + *
  1.2336 + *  RelativeDistinguishedName ::=
  1.2337 + *    SET OF AttributeTypeAndValue
  1.2338 + *
  1.2339 + *  AttributeTypeAndValue ::= SEQUENCE {
  1.2340 + *      type    AttributeType,
  1.2341 + *      value   AttributeValue }
  1.2342 + *
  1.2343 + *  AttributeType ::= OBJECT IDENTIFIER
  1.2344 + *
  1.2345 + *  AttributeValue ::= ANY DEFINED BY AttributeType
  1.2346 + *
  1.2347 + *  DirectoryString ::= CHOICE {
  1.2348 + *      teletexString           TeletexString (SIZE (1..MAX)),
  1.2349 + *      printableString         PrintableString (SIZE (1..MAX)),
  1.2350 + *      universalString         UniversalString (SIZE (1..MAX)),
  1.2351 + *      utf8String              UTF8String (SIZE (1..MAX)),
  1.2352 + *      bmpString               BMPString (SIZE (1..MAX)) }
  1.2353 + *
  1.2354 + * PARAMETERS:
  1.2355 + *  "stringRep"
  1.2356 + *      Address of UTF8 String representation of X500Name. Must be non-NULL.
  1.2357 + *  "pName"
  1.2358 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2359 + *  "plContext"
  1.2360 + *      Platform-specific context pointer.
  1.2361 + * THREAD SAFETY:
  1.2362 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2363 + * RETURNS:
  1.2364 + *  Returns NULL if the function succeeds.
  1.2365 + *  Returns an X500Name Error if the function fails in a non-fatal way.
  1.2366 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2367 + */
  1.2368 +PKIX_Error *
  1.2369 +PKIX_PL_X500Name_Create (
  1.2370 +        PKIX_PL_String *stringRep,
  1.2371 +        PKIX_PL_X500Name **pName,
  1.2372 +        void *plContext);
  1.2373 +
  1.2374 +#endif /* BUILD_LIBPKIX_TESTS */
  1.2375 +
  1.2376 +/*
  1.2377 + * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName
  1.2378 + * DESCRIPTION:
  1.2379 + * 
  1.2380 + * The function creates x500Name using der encoded DN and/or pointer to
  1.2381 + * CERTName. If arument "name" is NULL, but derName is supplied when
  1.2382 + * the function generates nssDN(CERTName type) from der data. If derName
  1.2383 + * is not supplied, CERTName *name will not be used to generate DN DER
  1.2384 + * encoding.
  1.2385 + *
  1.2386 + * PARAMETERS:
  1.2387 + *  "derName"
  1.2388 + *      Address of DER representation of X500Name. Can be NULL
  1.2389 + *  "name"
  1.2390 + *      Address of CERTName representation of X500Name. Can be NULL
  1.2391 + *  "pName"
  1.2392 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2393 + *  "plContext"
  1.2394 + *      Platform-specific context pointer.
  1.2395 + * THREAD SAFETY:
  1.2396 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2397 + * RETURNS:
  1.2398 + *  Returns NULL if the function succeeds.
  1.2399 + *  Returns an X500Name Error if the function fails in a non-fatal way.
  1.2400 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2401 + */
  1.2402 +PKIX_Error *
  1.2403 +PKIX_PL_X500Name_CreateFromCERTName(
  1.2404 +        SECItem *derName,
  1.2405 +        CERTName *name,
  1.2406 +        PKIX_PL_X500Name **pName,
  1.2407 +        void *plContext);
  1.2408 +
  1.2409 +
  1.2410 +/*
  1.2411 + * TYPE: PKIX_PL_X500Name_Match
  1.2412 + * DESCRIPTION:
  1.2413 + *  Checks whether the X500Name pointed to by "firstX500Name" MATCHES the
  1.2414 + *  X500Name pointed to by "secondX500Name" and stores the boolean result at
  1.2415 + *  "pResult". Two X500Names MATCH if they meet the conditions specified by
  1.2416 + *  RFC 3280 (section 4.1.2.4). Namely:
  1.2417 + *
  1.2418 + *      "This specification requires only a subset of the name comparison
  1.2419 + *      functionality specified in the X.500 series of specifications.
  1.2420 + *      Conforming implementations are REQUIRED to implement the following
  1.2421 + *      name comparison rules:
  1.2422 + *
  1.2423 + *      (a)  attribute values encoded in different types (e.g., PrintableString
  1.2424 + *      and BMPString) MAY be assumed to represent different strings;
  1.2425 + *
  1.2426 + *      (b) attribute values in types other than PrintableString are case
  1.2427 + *      sensitive (this permits matching of attribute values as binary objects)
  1.2428 + *
  1.2429 + *      (c)  attribute values in PrintableString are not case sensitive
  1.2430 + *      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
  1.2431 + *
  1.2432 + *      (d)  attribute values in PrintableString are compared after removing
  1.2433 + *      leading and trailing white space and converting internal substrings of
  1.2434 + *      one or more consecutive white space characters to a single space."
  1.2435 + *
  1.2436 + * PARAMETERS:
  1.2437 + *  "firstX500Name"
  1.2438 + *      Address of first X500Name to compare. Must be non-NULL.
  1.2439 + *  "secondX500Name"
  1.2440 + *      Address of second X500Name to compare. Must be non-NULL.
  1.2441 + *  "pResult"
  1.2442 + *      Address of Boolean result. Must be non-NULL.
  1.2443 + *  "plContext"
  1.2444 + *      Platform-specific context pointer.
  1.2445 + * THREAD SAFETY:
  1.2446 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2447 + * RETURNS:
  1.2448 + *  Returns NULL if the function succeeds.
  1.2449 + *  Returns an X500Name Error if the function fails in a non-fatal way.
  1.2450 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2451 + */
  1.2452 +PKIX_Error *
  1.2453 +PKIX_PL_X500Name_Match(
  1.2454 +        PKIX_PL_X500Name *firstX500Name,
  1.2455 +        PKIX_PL_X500Name *secondX500Name,
  1.2456 +        PKIX_Boolean *pResult,
  1.2457 +        void *plContext);
  1.2458 +
  1.2459 +/*
  1.2460 + * FUNCTION: PKIX_PL_Date_Create_UTCTime
  1.2461 + * DESCRIPTION:
  1.2462 + *  Creates a new Date of type UTCTime using the string representation pointed
  1.2463 + *  to by "stringRep" and stores it at "pDate". The UTCTime restriction means
  1.2464 + *  that the year can only be specified by the least significant two digits
  1.2465 + *  (YY). As such, Only the years 1950-2049 can be represented. If "stringRep"
  1.2466 + *  is NULL, this function creates a new Date representing the current time
  1.2467 + *  and stores it at "pDate". Once created, a Date is immutable.
  1.2468 + *
  1.2469 + *  If YY is greater than or equal to 50, the year is interpreted as 19YY.
  1.2470 + *  If YY is less than 50, the year is interpreted as 20YY.
  1.2471 + *
  1.2472 + *  The string representation of the date must be in the following form:
  1.2473 + *      "YYMMDDhhmmssZ" where:
  1.2474 + *
  1.2475 + *  YY is the least significant two digits of the year
  1.2476 + *  MM is the month (01 to 12)
  1.2477 + *  DD is the day (01 to 31)
  1.2478 + *  hh is the hour (00 to 23)
  1.2479 + *  mm are the minutes (00 to 59)
  1.2480 + *  ss are the seconds (00 to 59)
  1.2481 + *  Z indicates that local time is GMT
  1.2482 + *
  1.2483 + * PARAMETERS:
  1.2484 + *  "stringRep"
  1.2485 + *      Address of String representation of Date.
  1.2486 + *      If NULL, current time is used.
  1.2487 + *  "pDate"
  1.2488 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2489 + *  "plContext"
  1.2490 + *      Platform-specific context pointer.
  1.2491 + * THREAD SAFETY:
  1.2492 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2493 + * RETURNS:
  1.2494 + *  Returns NULL if the function succeeds.
  1.2495 + *  Returns a Date Error if the function fails in a non-fatal way.
  1.2496 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2497 + */
  1.2498 +PKIX_Error *
  1.2499 +PKIX_PL_Date_Create_UTCTime (
  1.2500 +        PKIX_PL_String *stringRep,
  1.2501 +        PKIX_PL_Date **pDate,
  1.2502 +        void *plContext);
  1.2503 +
  1.2504 +/*
  1.2505 + * FUNCTION: PKIX_PL_Date_Create_UTCTime
  1.2506 + * DESCRIPTION:
  1.2507 + *  Creates a new Date from PRTime data.
  1.2508 + *
  1.2509 + * PARAMETERS:
  1.2510 + *  "time"
  1.2511 + *      Represented time in PRTime type.
  1.2512 + *  "pDate"
  1.2513 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2514 + *  "plContext"
  1.2515 + *      Platform-specific context pointer.
  1.2516 + * THREAD SAFETY:
  1.2517 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2518 + * RETURNS:
  1.2519 + *  Returns NULL if the function succeeds.
  1.2520 + *  Returns a Date Error if the function fails in a non-fatal way.
  1.2521 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2522 + */
  1.2523 +PKIX_Error *
  1.2524 +PKIX_PL_Date_CreateFromPRTime(
  1.2525 +        PRTime time,
  1.2526 +        PKIX_PL_Date **pDate,
  1.2527 +        void *plContext);
  1.2528 +
  1.2529 +/*
  1.2530 + * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds
  1.2531 + * DESCRIPTION:
  1.2532 + *  Creates a new Date of type UTCTime for current time with seconds off by
  1.2533 + *  "secondsOffset" and returns it at "pDate".
  1.2534 + *
  1.2535 + * PARAMETERS:
  1.2536 + *  "secondsOffset"
  1.2537 + *      A PKIX_Int32 indicates the time offset from current. If "secondsOffset"
  1.2538 + *      is negative, the time is in past.
  1.2539 + *  "pDate"
  1.2540 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2541 + *  "plContext"
  1.2542 + *      Platform-specific context pointer.
  1.2543 + * THREAD SAFETY:
  1.2544 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2545 + * RETURNS:
  1.2546 + *  Returns NULL if the function succeeds.
  1.2547 + *  Returns a Date Error if the function fails in a non-fatal way.
  1.2548 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2549 + */
  1.2550 +PKIX_Error *
  1.2551 +PKIX_PL_Date_Create_CurrentOffBySeconds(
  1.2552 +        PKIX_Int32 secondsOffset,
  1.2553 +        PKIX_PL_Date **pDate,
  1.2554 +        void *plContext);
  1.2555 +
  1.2556 +#ifdef BUILD_LIBPKIX_TESTS
  1.2557 +/*
  1.2558 + * FUNCTION: PKIX_PL_GeneralName_Create
  1.2559 + * DESCRIPTION:
  1.2560 + *
  1.2561 + *  Creates a new GeneralName of type "nameType" using the string
  1.2562 + *  representation pointed to by "stringRep" and stores it at "pGName".
  1.2563 + *  All of the GeneralName type format values specified in pkixt.h are
  1.2564 + *  supported, with the exception of PKIX_OTHER_NAME, PKIX_EDIPARTY_NAME,
  1.2565 + *  PKIX_IP_NAME, and PKIX_X400_ADDRESS. A PKIX_ESCASCII string representation
  1.2566 + *  should be used for all supported nameTypes, with the exception of
  1.2567 + *  registeredID and directoryName. For registeredID, the string representation
  1.2568 + *  should be the same as that used by PKIX_PL_OID_Create. For directoryName,
  1.2569 + *  the string representation should be the same as that used by
  1.2570 + *  PKIX_PL_X500Name_Create. If an unsupported name type is used, an Error is
  1.2571 + *  returned. Once created, a GeneralName is immutable.
  1.2572 + *
  1.2573 + *  GeneralName ::= CHOICE {
  1.2574 + *      otherName                       [0]     OtherName,
  1.2575 + *      rfc822Name                      [1]     IA5String,
  1.2576 + *      dNSName                         [2]     IA5String,
  1.2577 + *      x400Address                     [3]     ORAddress,
  1.2578 + *      directoryName                   [4]     Name,
  1.2579 + *      ediPartyName                    [5]     EDIPartyName,
  1.2580 + *      uniformResourceIdentifier       [6]     IA5String,
  1.2581 + *      iPAddress                       [7]     OCTET STRING,
  1.2582 + *      registeredID                    [8]     OBJECT IDENTIFIER }
  1.2583 + *
  1.2584 + *
  1.2585 + * NOTE: This function is allowed to be called only by pkix tests programs.
  1.2586 + * 
  1.2587 + * PARAMETERS:
  1.2588 + *  "nameType"
  1.2589 + *      Type of GeneralName to be created. This must be one of the GeneralName
  1.2590 + *      type format values specified in pkixt.h
  1.2591 + *  "stringRep"
  1.2592 + *      Address of String representation of GeneralName. Must be non-NULL.
  1.2593 + *  "pGName"
  1.2594 + *      Address where object pointer will be stored. Must be non-NULL.
  1.2595 + *  "plContext"
  1.2596 + *      Platform-specific context pointer.
  1.2597 + * THREAD SAFETY:
  1.2598 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2599 + * RETURNS:
  1.2600 + *  Returns NULL if the function succeeds.
  1.2601 + *  Returns a GeneralName Error if the function fails in a non-fatal way.
  1.2602 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2603 + */
  1.2604 +PKIX_Error *
  1.2605 +PKIX_PL_GeneralName_Create (
  1.2606 +        PKIX_UInt32 nameType,
  1.2607 +        PKIX_PL_String *stringRep,
  1.2608 +        PKIX_PL_GeneralName **pGName,
  1.2609 +        void *plContext);
  1.2610 +#endif /* BUILD_LIBPKIX_TESTS */
  1.2611 +
  1.2612 +/*
  1.2613 + * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
  1.2614 + * DESCRIPTION:
  1.2615 + *
  1.2616 + *  This function checks whether names in "nameList" comply with
  1.2617 + *  "nameConstraints". It stores PKIX_TRUE at "pCheckPass" if the names meet the
  1.2618 + *  requirement of the NameConstraints, PKIX_FALSE otherwise.
  1.2619 + *
  1.2620 + * PARAMETERS
  1.2621 + *  "nameList"
  1.2622 + *      List of GeneralNames that are checked for compliance. May be empty
  1.2623 + *      or NULL.
  1.2624 + *  "nameConstraints"
  1.2625 + *      Address of CertNameConstraints that provides lists of permitted
  1.2626 + *      and excluded names. Must be non-NULL.
  1.2627 + *  "pCheckPass"
  1.2628 + *      Address where PKIX_TRUE is returned if the all names in "nameList" are
  1.2629 + *      valid. Must be non-NULL.
  1.2630 + *  "plContext" - Platform-specific context pointer.
  1.2631 + * THREAD SAFETY:
  1.2632 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2633 + * RETURNS:
  1.2634 + *  Returns NULL if the function succeeds.
  1.2635 + *  Returns a NameConstraints Error if the function fails in a
  1.2636 + *  non-fatal way.
  1.2637 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2638 + */
  1.2639 +PKIX_Error *
  1.2640 +PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
  1.2641 +        PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
  1.2642 +        PKIX_PL_CertNameConstraints *nameConstraints,
  1.2643 +        PKIX_Boolean *pCheckPass,
  1.2644 +        void *plContext);
  1.2645 +
  1.2646 +/*
  1.2647 + * FUNCTION: PKIX_PL_AIAMgr_Create
  1.2648 + * DESCRIPTION:
  1.2649 + *
  1.2650 + *  This function creates an AIAMgr to handle retrieval of Certs and CRLs
  1.2651 + *  from servers given by AIA Certificate extensions. It manages connections
  1.2652 + *  and caches. The manager created is stored at "pAIAMgr".
  1.2653 + *
  1.2654 + * PARAMETERS:
  1.2655 + *  "pAIAMgr"
  1.2656 + *      The address at which the result is stored. Must be non-NULL.
  1.2657 + * THREAD SAFETY:
  1.2658 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2659 + * RETURNS:
  1.2660 + *  Returns NULL if the function succeeds.
  1.2661 + *  Returns an AIAMgr Error if the function fails in a non-fatal way
  1.2662 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2663 + */
  1.2664 +PKIX_Error *
  1.2665 +PKIX_PL_AIAMgr_Create(
  1.2666 +        PKIX_PL_AIAMgr **pAIAMgr,
  1.2667 +        void *plContext);
  1.2668 +
  1.2669 +/*
  1.2670 + * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts
  1.2671 + * DESCRIPTION:
  1.2672 + *
  1.2673 + *  This function uses the AIAMgr pointed to by "aiaMgr" to retrieve the Certs
  1.2674 + *  specified by an AIA certificate extension, if any, in the Cert pointed to by
  1.2675 + *  "prevCert", storing the results at "pCerts". If the certificate has no such
  1.2676 + *  extension, this function stores NULL at "pCerts".
  1.2677 + *
  1.2678 + *  If the request is suspended for non-blocking I/O, a platform-dependent
  1.2679 + *  context is stored at "pNBIOContext" and NULL is stored at "pCerts". This
  1.2680 + *  return is referred to as the WOULDBLOCK state. Note that the caller must
  1.2681 + *  check for a non-NULL value at "pNBIOContext", to distinguish this state from
  1.2682 + *  the "no such extension" return described in the first paragraph. (The
  1.2683 + *  alternative would be to return an empty List, but it seemed wrong to incur
  1.2684 + *  the overhead of creating and destroying an empty List for the most common
  1.2685 + *  situation.)
  1.2686 + *
  1.2687 + *  After a WOULDBLOCK return, the user may continue the operation by calling
  1.2688 + *  pkix_AIAMgr_GetAIACerts (possibly more than once, if the function again
  1.2689 + *  returns in the WOULDBLOCK state) with the previously-returned non-NULL
  1.2690 + *  value of "pNBIOContext". When results are complete, NULL is stored at
  1.2691 + *  "pNBIOContext", and the results (which may be NULL) are stored at "pCerts".
  1.2692 + *
  1.2693 + * PARAMETERS:
  1.2694 + *  "aiaMgr"
  1.2695 + *      The AIAMgr which controls the retrieval of certificates. Must be
  1.2696 + *      non-NULL.
  1.2697 + *  "prevCert"
  1.2698 + *      Address of PKIX_PL_Cert which may provide an AIA or SIA extension. Must
  1.2699 + *      be non-NULL.
  1.2700 + *  "pNBIOContext"
  1.2701 + *      Address at which platform-dependent information is returned if request
  1.2702 + *      is suspended for non-blocking I/O. Must be non-NULL.
  1.2703 + *  "pCerts"
  1.2704 + *      Address at which the returned List is stored. Must be non-NULL.
  1.2705 + *  "plContext"
  1.2706 + *      Platform-specific context pointer.
  1.2707 + * THREAD SAFETY:
  1.2708 + *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  1.2709 + * RETURNS:
  1.2710 + *  Returns NULL if the function succeeds.
  1.2711 + *  Returns an AIAMgr Error if the function fails in a non-fatal way
  1.2712 + *  Returns a Fatal Error if the function fails in an unrecoverable way.
  1.2713 + */
  1.2714 +PKIX_Error *
  1.2715 +PKIX_PL_AIAMgr_GetAIACerts(
  1.2716 +        PKIX_PL_AIAMgr *aiaMgr,
  1.2717 +        PKIX_PL_Cert *prevCert,
  1.2718 +        void **pNBIOContext,
  1.2719 +        PKIX_List **pCerts,
  1.2720 +        void *plContext);
  1.2721 +
  1.2722 +typedef PKIX_Error *
  1.2723 +(*PKIX_PL_VerifyCallback)(
  1.2724 +        PKIX_PL_Object *signedObject,
  1.2725 +        PKIX_PL_Cert *signerCert, /* can be unknown */
  1.2726 +        PKIX_PL_Date *producedAt,
  1.2727 +        PKIX_ProcessingParams *procParams,
  1.2728 +        void **pNBIOContext,
  1.2729 +        void **pState,
  1.2730 +        PKIX_BuildResult **pBuildResult,
  1.2731 +        PKIX_VerifyNode **pVerifyTree,
  1.2732 +        void *plContext);
  1.2733 +
  1.2734 +#ifdef __cplusplus
  1.2735 +}
  1.2736 +#endif
  1.2737 +
  1.2738 +#endif /* _PKIX_PL_PKI_H */
