security/nss/lib/softoken/legacydb/pcertt.h

changeset 0
6474c204b198
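--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -0,0 +1,418 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * certt.h - public data structures for the certificate library
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
+typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+    PLArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+    NSSLOWCERTTrust *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+    SECItem dbKey;			/* database key for this cert */
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    NSSLOWCERTCertTrust *trust;
+    SECItem *derCert;			/* original DER for the cert */
+    unsigned char dbKeySpace[512];
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    NSSLOWCERTCertificate *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSN;
+    SECItem serialNumber;
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derSubjKeyInfo;
+    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
+    SECItem certKey;			/* database key for this cert */
+    SECItem validity;
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    SECItem extensions;
+    char *nickname;
+    char *emailAddr;
+    NSSLOWCERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    char nicknameSpace[200];
+    char emailAddrSpace[200];
+    unsigned char certKeySpace[512];
+};
+
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
+
+struct NSSLOWCERTIssuerAndSNStr {
+    SECItem derIssuer;
+    SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION		8
+#define CERT_DB_V7_FILE_VERSION		7
+#define CERT_DB_CONTENT_VERSION		2
+
+#define SEC_DB_ENTRY_HEADER_LEN		3
+#define SEC_DB_KEY_HEADER_LEN		1
+
+/* All database entries have this form:
+ * 	
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		type
+ *	2		flags
+ */
+
+/* database entry types */
+typedef enum {
+    certDBEntryTypeVersion = 0,
+    certDBEntryTypeCert = 1,
+    certDBEntryTypeNickname = 2,
+    certDBEntryTypeSubject = 3,
+    certDBEntryTypeRevocation = 4,
+    certDBEntryTypeKeyRevocation = 5,
+    certDBEntryTypeSMimeProfile = 6,
+    certDBEntryTypeContentVersion = 7,
+    certDBEntryTypeBlob = 8
+} certDBEntryType;
+
+typedef struct {
+    certDBEntryType type;
+    unsigned int version;
+    unsigned int flags;
+    PLArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		sslFlags-msb
+ *	1		sslFlags-lsb
+ *	2		emailFlags-msb
+ *	3		emailFlags-lsb
+ *	4		objectSigningFlags-msb
+ *	5		objectSigningFlags-lsb
+ *	6		derCert-len-msb
+ *	7		derCert-len-lsb
+ *	8		nickname-len-msb
+ *	9		nickname-len-lsb
+ *	...		derCert
+ *	...		nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ *		nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+    certDBEntryCommon common;
+    certDBEntryCert *next;
+    NSSLOWCERTCertTrust trust;
+    SECItem derCert;
+    char *nickname;
+    char nicknameSpace[200];
+    unsigned char derCertSpace[2048];
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2...		subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *nickname;
+    SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		ncerts-msb
+ *	1		ncerts-lsb
+ *	2		nickname-msb
+ *	3		nickname-lsb
+ *	4		emailAddr-msb
+ *	5		emailAddr-lsb
+ *	...		nickname
+ *	...		emailAddr
+ *	...+2*i		certkey-len-msb
+ *	...+1+2*i       certkey-len-lsb
+ *	...+2*ncerts+2*i keyid-len-msb
+ *	...+1+2*ncerts+2*i keyid-len-lsb
+ *	...		certkeys
+ *	...		keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of  certificate database lookup keys that
+ *   points to the database entries for the certificates that matche
+ *   this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+    certDBEntryCommon common;
+    SECItem derSubject;
+    unsigned int ncerts;
+    char *nickname;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+    char **emailAddrs;
+    unsigned int nemailAddrs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2		smimeoptions-len-msb
+ *	3		smimeoptions-len-lsb
+ *	4		options-date-len-msb
+ *	5		options-date-len-lsb
+ *	6...		subjectname
+ *	...		smimeoptions
+ *	...		options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ *   capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ *   This is generally the signing time of the signed message that contained
+ *   the options.  It is a UTCTime value.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *emailAddr;
+    SECItem subjectName;
+    SECItem smimeOptions;
+    SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		derCert-len-msb
+ *	1		derCert-len-lsb
+ *	2		url-len-msb
+ *	3		url-len-lsb
+ *	...		derCert
+ *	...		url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present. 
+ * NOTE: if url is not present, then url-len-msb and
+ *		url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN	4
+struct _certDBEntryRevocation {
+    certDBEntryCommon common;
+    SECItem	derCrl;
+    char	*url;	/* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+    certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+    certDBEntryCommon         common;
+    certDBEntryCert           cert;
+    certDBEntryContentVersion content;
+    certDBEntryNickname       nickname;
+    certDBEntryRevocation     revocation;
+    certDBEntrySMime          smime;
+    certDBEntrySubject        subject;
+    certDBEntryVersion        version;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN	7
+#define DB_CERT_V5_ENTRY_HEADER_LEN	7
+#define DB_CERT_V6_ENTRY_HEADER_LEN	7
+#define DB_CERT_ENTRY_HEADER_LEN	10
+
+/* common flags for all types of certificates */
+#define CERTDB_TERMINAL_RECORD	(1u<<0)
+#define CERTDB_TRUSTED		(1u<<1)
+#define CERTDB_SEND_WARN	(1u<<2)
+#define CERTDB_VALID_CA		(1u<<3)
+#define CERTDB_TRUSTED_CA	(1u<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1u<<5)
+#define CERTDB_USER		(1u<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1u<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1u<<9) /* can do strong crypto in export ver */
+#define CERTDB_MUST_VERIFY	(1u<<10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN	(1u<<11) /* accept trust from another source */
+
+/* bits not affected by the CKO_NETSCAPE_TRUST object */
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
+        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
+                                        CERTDB_GOVT_APPROVED_CA)
+
+#endif /* _PCERTT_H_ */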
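Review bot: The inline buffers `dbKeySpace[512]`, `certKeySpace[512]`, `derCertSpace[2048]`, `nicknameSpace[200]` and `emailAddrSpace[200]` carry no comment on what happens when a stored value is longer than they are, even though `NSS_MAX_LEGACY_DB_KEY_SIZE` admits keys of 60 KiB and every entry layout documented here uses 16-bit length fields; a reader of this header cannot tell whether the decoder falls back to the arena or rejects the entry, so a comment such as `/* inline storage when the value fits; longer values are presumably arena-allocated — confirm against the decoder */` on each of them would pin the contract down. The Crl/krl entry comment is a copy of the certificate entry comment and still reads `if a nickname is present` where it means the url, and labels the length rows `derCert-len` although the struct member is `derCrl`. `SEC_DB_VERSION_KEY_LEN` and `SEC_DB_CONTENT_VERSION_KEY_LEN` expand to `sizeof` of a string literal and therefore count the terminating NUL; if that is intended because the stored key includes the terminator, a one-line comment saying so would stop a later maintainer "fixing" it with strlen and silently changing the key.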
