security/nss/lib/softoken/legacydb/pcertt.h


author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:55:50 +0100
changeset 2
7e26c7da4463

Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     4 /*
     5  * certt.h - public data structures for the certificate library
     6  */
     7 #ifndef _PCERTT_H_
     8 #define _PCERTT_H_
    10 #include "prclist.h"
    11 #include "pkcs11t.h"
    12 #include "seccomon.h"
    13 #include "secoidt.h"
    14 #include "plarena.h"
    15 #include "prcvar.h"
    16 #include "nssilock.h"
    17 #include "prio.h"
    18 #include "prmon.h"
/* Non-opaque objects */
/*
 * Forward typedefs for the struct tags used throughout this header.  The
 * Validity, CertKey, SignedData, SubjectPublicKeyInfo, CertTrust, Trust,
 * Certificate and IssuerAndSN structs are defined further down in this file;
 * NSSLOWCERTCertDBHandleStr and NSSLOWCERTCertificateListStr are not defined
 * here (presumably in another legacydb header -- confirm).
 */
typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
/*
** An X.509 validity object: the notBefore/notAfter pair of a certificate.
*/
struct NSSLOWCERTValidityStr {
    PLArenaPool *arena;     /* presumably the pool the two items below live in -- confirm */
    SECItem notBefore;      /* X.509 notBefore time */
    SECItem notAfter;       /* X.509 notAfter time */
};
/*
 * A serial number and issuer name, which is used as a database key.
 * Both members are raw encodings; nothing here is NUL-terminated, so code
 * that builds the key must use the SECItem lengths, not strlen().
 */
struct NSSLOWCERTCertKeyStr {
    SECItem serialNumber;   /* certificate serial number */
    SECItem derIssuer;      /* DER-encoded issuer name */
};
/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: the data that was signed, the algorithm used,
** and the signature value itself.
*/
struct NSSLOWCERTSignedDataStr {
    SECItem data;                       /* the signed (to-be-signed) bytes */
    SECAlgorithmID signatureAlgorithm;  /* algorithm identifier of the signature */
    SECItem signature;                  /* signature value */
};
/*
** An X.509 subject-public-key-info object
*/
struct NSSLOWCERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;         /* presumably the pool the fields below are allocated from -- confirm */
    SECAlgorithmID algorithm;   /* public key algorithm identifier */
    SECItem subjectPublicKey;   /* the public key (encoding not specified here) */
};
/* Database entry structs defined later in this header; typedef'd early so
 * NSSLOWCERTTrustStr and NSSLOWCERTCertificateStr can point at them. */
typedef struct _certDBEntryCert certDBEntryCert;
typedef struct _certDBEntryRevocation certDBEntryRevocation;
/*
 * Per-usage trust flag words for a certificate.  Presumably each word is a
 * bitwise OR of the CERTDB_* bits defined at the end of this header -- confirm.
 * Note the on-disk cert entry (see certDBEntryCert layout below) stores each
 * word in only two bytes.
 */
struct NSSLOWCERTCertTrustStr {
    unsigned int sslFlags;              /* trust for SSL usage */
    unsigned int emailFlags;            /* trust for email (S/MIME) usage */
    unsigned int objectSigningFlags;    /* trust for object signing usage */
};
/*
** PKCS11 Trust representation
*/
struct NSSLOWCERTTrustStr {
    NSSLOWCERTTrust *next;              /* singly linked list link */
    NSSLOWCERTCertDBHandle *dbhandle;   /* database this trust record came from */
    SECItem dbKey;                      /* database key for this cert */
    certDBEntryCert *dbEntry;           /* database entry struct */
    NSSLOWCERTCertTrust *trust;         /* the trust flag words */
    SECItem *derCert;                   /* original DER for the cert */
    /* inline storage for dbKey; any copy into it must be bounded by
     * sizeof dbKeySpace (512), which is far smaller than
     * NSS_MAX_LEGACY_DB_KEY_SIZE -- larger keys presumably need separate
     * allocation (confirm against the users of this field) */
    unsigned char dbKeySpace[512];
};
/*
** An X.509 certificate object (the unsigned form)
*/
struct NSSLOWCERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert.  This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time.  It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    NSSLOWCERTCertificate *next;        /* singly linked list link */
    NSSLOWCERTCertDBHandle *dbhandle;   /* database this cert was loaded from */
    SECItem derCert;                    /* original DER for the cert */
    SECItem derIssuer;                  /* DER for issuer name */
    SECItem derSN;                      /* DER-encoded serial number */
    SECItem serialNumber;               /* serial number value */
    SECItem derSubject;                 /* DER for subject name */
    SECItem derSubjKeyInfo;             /* DER for the subjectPublicKeyInfo */
    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
    SECItem certKey;                    /* database key for this cert */
    SECItem validity;                   /* encoded validity (not a NSSLOWCERTValidity) */
    certDBEntryCert *dbEntry;           /* database entry struct */
    SECItem subjectKeyID;               /* x509v3 subject key identifier */
    SECItem extensions;                 /* encoded extensions */
    char *nickname;                     /* NUL-terminated nickname, may be NULL */
    char *emailAddr;                    /* NUL-terminated email address, may be NULL */
    NSSLOWCERTCertTrust *trust;         /* trust flag words for this cert */
    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate
     */
    int referenceCount;
    /* Inline storage that the pointer/SECItem fields above presumably point
     * into when the data fits -- confirm.  Writes into these must be bounded
     * by their sizeof; nicknameSpace/emailAddrSpace must keep room for the
     * terminating NUL. */
    char nicknameSpace[200];
    char emailAddrSpace[200];
    unsigned char certKeySpace[512];
};
/* X.509 certificate version numbers as they appear in the encoded version
 * field (v1 is encoded as 0, v3 as 2). */
#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
/* CRL version numbers, same encoding convention as above */
#define SEC_CRL_VERSION_1		0	/* default */
#define SEC_CRL_VERSION_2		1	/* v2 extensions */
/* Upper bound (60 KiB) on the size of a legacy database key; well above the
 * 512-byte inline key buffers in the structs above, so callers must not
 * assume a key of this size fits in those buffers. */
#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
/* Issuer name plus serial number, the pair that identifies a certificate.
 * Same members as NSSLOWCERTCertKey but in the opposite order. */
struct NSSLOWCERTIssuerAndSNStr {
    SECItem derIssuer;      /* DER-encoded issuer name */
    SECItem serialNumber;   /* certificate serial number */
};
/* Per-certificate callback; returns a SECStatus so an iteration can be
 * stopped by the callee.  arg is an opaque caller-supplied pointer. */
typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
/* callback to return database name based on version number */
/* Returns a database file name for the given dbVersion; ownership of the
 * returned string is not specified here -- confirm with nsslowcert_OpenCertDB(). */
typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
   150 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
   152 #include "secasn1t.h"	/* way down here because I expect template stuff to
   153 			 * move out of here anyway */
   155 /*
   156  * Certificate Database related definitions and data structures
   157  */
/* version number of certificate database */
#define CERT_DB_FILE_VERSION		8   /* current on-disk format */
#define CERT_DB_V7_FILE_VERSION		7   /* previous on-disk format */
#define CERT_DB_CONTENT_VERSION		2   /* stored in the ContentVersion entry */
/* Size of the common header that starts every entry (version, type, flags;
 * see the layout comment below) and of the one-byte prefix on every key. */
#define SEC_DB_ENTRY_HEADER_LEN		3
#define SEC_DB_KEY_HEADER_LEN		1
/* All database entries have this form:
 * 	
 *	byte offset	field
 *	-----------	-----
 *	0		version
 *	1		type
 *	2		flags
 */
/* database entry types */
/* These values are what the one-byte "type" field above holds on disk; a
 * reader should reject any byte outside this range rather than trust it. */
typedef enum {
    certDBEntryTypeVersion = 0,
    certDBEntryTypeCert = 1,
    certDBEntryTypeNickname = 2,
    certDBEntryTypeSubject = 3,
    certDBEntryTypeRevocation = 4,
    certDBEntryTypeKeyRevocation = 5,
    certDBEntryTypeSMimeProfile = 6,
    certDBEntryTypeContentVersion = 7,
    certDBEntryTypeBlob = 8
} certDBEntryType;
/* In-memory form of the three-byte entry header shared by every entry type,
 * plus the arena the decoded entry is presumably allocated from -- confirm. */
typedef struct {
    certDBEntryType type;   /* on-disk "type" byte */
    unsigned int version;   /* on-disk "version" byte */
    unsigned int flags;     /* on-disk "flags" byte */
    PLArenaPool *arena;
} certDBEntryCommon;
/*
 * Certificate entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		sslFlags-msb
 *	1		sslFlags-lsb
 *	2		emailFlags-msb
 *	3		emailFlags-lsb
 *	4		objectSigningFlags-msb
 *	5		objectSigningFlags-lsb
 *	6		derCert-len-msb
 *	7		derCert-len-lsb
 *	8		nickname-len-msb
 *	9		nickname-len-lsb
 *	...		derCert
 *	...		nickname
 *
 * NOTE: the nickname string as stored in the database is null terminated,
 *		in other words, the last byte of the db entry is always 0
 *		if a nickname is present.
 * NOTE: if nickname is not present, then nickname-len-msb and
 *		nickname-len-lsb will both be zero.
 *
 * Every *-len field is a two-byte big-endian value, so derCert and nickname
 * are each at most 65535 bytes on disk; a reader must check both lengths
 * against the bytes actually present in the record before using them.  The
 * trust words are two bytes each on disk but unsigned int in memory, so only
 * their low 16 bits round-trip.
 */
struct _certDBEntryCert {
    certDBEntryCommon common;           /* shared entry header */
    certDBEntryCert *next;              /* singly linked list link */
    NSSLOWCERTCertTrust trust;          /* the three trust words from offsets 0-5 */
    SECItem derCert;                    /* DER of the certificate */
    char *nickname;                     /* NUL-terminated nickname; presumably NULL when absent */
    char nicknameSpace[200];            /* inline storage for nickname; bound copies by sizeof */
    /* inline storage for derCert; the on-disk length field allows larger
     * certs than this, which presumably go to the arena instead -- confirm */
    unsigned char derCertSpace[2048];
};
/*
 * Certificate Nickname entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		subjectname-len-msb
 *	1	        subjectname-len-lsb
 *	2...		subjectname
 *
 * The database key for this type of entry is a nickname string
 * The "subjectname" value is the DER encoded DN of the identity
 *   that matches this nickname.
 */
typedef struct {
    certDBEntryCommon common;   /* shared entry header */
    char *nickname;             /* the database key (NUL-terminated) */
    SECItem subjectName;        /* DER-encoded subject DN this nickname maps to */
} certDBEntryNickname;

/* bytes of fixed header before the variable part (the two-byte subjectname-len) */
#define DB_NICKNAME_ENTRY_HEADER_LEN 2
/*
 * Certificate Subject entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		ncerts-msb
 *	1		ncerts-lsb
 *	2		nickname-msb
 *	3		nickname-lsb
 *	4		emailAddr-msb
 *	5		emailAddr-lsb
 *	...		nickname
 *	...		emailAddr
 *	...+2*i		certkey-len-msb
 *	...+1+2*i       certkey-len-lsb
 *	...+2*ncerts+2*i keyid-len-msb
 *	...+1+2*ncerts+2*i keyid-len-lsb
 *	...		certkeys
 *	...		keyids
 *
 * The database key for this type of entry is the DER encoded subject name
 * The "certkey" value is an array of  certificate database lookup keys that
 *   points to the database entries for the certificates that match
 *   this subject.
 *
 * ncerts is read from the record and drives the number of certkey-len and
 * keyid-len fields parsed; a reader must bound it by the record size rather
 * than trust the stored value.  The layout above shows a single emailAddr;
 * how nemailAddrs > 1 is represented is not described here -- confirm.
 */
typedef struct _certDBEntrySubject {
    certDBEntryCommon common;   /* shared entry header */
    SECItem derSubject;         /* the database key: DER-encoded subject name */
    unsigned int ncerts;        /* number of entries in certKeys and keyIDs */
    char *nickname;             /* NUL-terminated nickname */
    SECItem *certKeys;          /* array of ncerts database lookup keys */
    SECItem *keyIDs;            /* array of ncerts key identifiers */
    char **emailAddrs;          /* array of nemailAddrs email address strings */
    unsigned int nemailAddrs;
} certDBEntrySubject;

/* bytes of fixed header before the variable part (offsets 0-5 above) */
#define DB_SUBJECT_ENTRY_HEADER_LEN 6
/*
 * Certificate SMIME profile entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		subjectname-len-msb
 *	1	        subjectname-len-lsb
 *	2		smimeoptions-len-msb
 *	3		smimeoptions-len-lsb
 *	4		options-date-len-msb
 *	5		options-date-len-lsb
 *	6...		subjectname
 *	...		smimeoptions
 *	...		options-date
 *
 * The database key for this type of entry is the email address string
 * The "subjectname" value is the DER encoded DN of the identity
 *   that matches this email address.
 * The "smimeoptions" value is a string that represents the algorithm
 *   capabilities on the remote user.
 * The "options-date" is the date that the smime options value was created.
 *   This is generally the signing time of the signed message that contained
 *   the options.  It is a UTCTime value.
 *
 * The three two-byte lengths must each be checked against the bytes actually
 * present in the record before the variable part is consumed.
 */
typedef struct {
    certDBEntryCommon common;   /* shared entry header */
    char *emailAddr;            /* the database key (NUL-terminated) */
    SECItem subjectName;        /* DER-encoded subject DN */
    SECItem smimeOptions;       /* remote user's algorithm capabilities */
    SECItem optionsDate;        /* UTCTime the options were created */
} certDBEntrySMime;

/* bytes of fixed header before the variable part (offsets 0-5 above) */
#define DB_SMIME_ENTRY_HEADER_LEN 6
/*
 * Crl/krl entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		derCert-len-msb
 *	1		derCert-len-lsb
 *	2		url-len-msb
 *	3		url-len-lsb
 *	...		derCert
 *	...		url
 *
 * NOTE: the url string as stored in the database is null terminated,
 *		in other words, the last byte of the db entry is always 0
 *		if a url is present. 
 * NOTE: if url is not present, then url-len-msb and
 *		url-len-lsb will both be zero.
 *
 * The "derCert" bytes in this layout are what the struct below calls derCrl.
 * Both two-byte lengths must be checked against the record size before use.
 */
/* bytes of fixed header before the variable part (offsets 0-3 above) */
#define DB_CRL_ENTRY_HEADER_LEN	4
struct _certDBEntryRevocation {
    certDBEntryCommon common;   /* shared entry header */
    SECItem	derCrl;             /* DER of the CRL/KRL ("derCert" in the layout above) */
    char	*url;	/* where to load the crl from */
};
/*
 * Database Version Entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	only the low level header...
 *
 * The database key for this type of entry is the string "Version"
 */
typedef struct {
    certDBEntryCommon common;   /* the only content is the shared header */
} certDBEntryVersion;

#define SEC_DB_VERSION_KEY "Version"
/* sizeof includes the terminating NUL, so this is 8, not strlen("Version"). */
#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
/*
 * Database Content Version Entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		contentVersion
 *
 * The database key for this type of entry is the string "ContentVersion"
 */
typedef struct {
    certDBEntryCommon common;   /* shared entry header */
    char contentVersion;        /* the single payload byte (cf. CERT_DB_CONTENT_VERSION) */
} certDBEntryContentVersion;

#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
/* sizeof includes the terminating NUL, so this is 15, not strlen(). */
#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
/* Any database entry.  Every member begins with a certDBEntryCommon, so
 * reading .common.type is valid regardless of which member was populated and
 * is how the active member should be selected. */
typedef union {
    certDBEntryCommon         common;
    certDBEntryCert           cert;
    certDBEntryContentVersion content;
    certDBEntryNickname       nickname;
    certDBEntryRevocation     revocation;
    certDBEntrySMime          smime;
    certDBEntrySubject        subject;
    certDBEntryVersion        version;
} certDBEntry;
/* length of the fixed part of a database entry */
/* The V4/V5/V6 values describe older cert entry formats not documented in
 * this header; DB_CERT_ENTRY_HEADER_LEN is the current format and matches the
 * ten bytes (offsets 0-9) of the certDBEntryCert layout above. */
#define DBCERT_V4_HEADER_LEN	7
#define DB_CERT_V5_ENTRY_HEADER_LEN	7
#define DB_CERT_V6_ENTRY_HEADER_LEN	7
#define DB_CERT_ENTRY_HEADER_LEN	10
/* common flags for all types of certificates */
/*
 * Trust bits.  Each is a single bit in an unsigned int trust word.  The
 * on-disk cert entry stores each trust word in only two bytes (see the
 * certDBEntryCert layout above), so any bit added above bit 15 would not
 * survive a write/read cycle.
 */
#define CERTDB_TERMINAL_RECORD	(1u<<0)
#define CERTDB_TRUSTED		(1u<<1)
#define CERTDB_SEND_WARN	(1u<<2)
#define CERTDB_VALID_CA		(1u<<3)
#define CERTDB_TRUSTED_CA	(1u<<4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA	(1u<<5)
#define CERTDB_USER		(1u<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA	(1u<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA	(1u<<9) /* can do strong crypto in export ver */
#define CERTDB_MUST_VERIFY	(1u<<10) /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN	(1u<<11) /* accept trust from another source */
/* bits not affected by the CKO_NETSCAPE_TRUST object */
/* i.e. the bits that are kept from the stored trust word when a trust object
 * overwrites the rest; the continuation lines below are part of one macro,
 * so keep comments outside it. */
#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
                                        CERTDB_GOVT_APPROVED_CA)
   418 #endif /* _PCERTT_H_ */
