security/nss/lib/certdb/certt.h@b8a032363ba2
security/nss/lib/certdb/certt.h
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * certt.h - public data structures for the certificate library
6 */
7 #ifndef _CERTT_H_
8 #define _CERTT_H_
10 #include "prclist.h"
11 #include "pkcs11t.h"
12 #include "seccomon.h"
13 #include "secmodt.h"
14 #include "secoidt.h"
15 #include "plarena.h"
16 #include "prcvar.h"
17 #include "nssilock.h"
18 #include "prio.h"
19 #include "prmon.h"
21 /* Stan data types */
22 struct NSSCertificateStr;
23 struct NSSTrustDomainStr;
25 /* Non-opaque objects */
26 typedef struct CERTAVAStr CERTAVA;
27 typedef struct CERTAttributeStr CERTAttribute;
28 typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
29 typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
30 typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
31 typedef struct NSSTrustDomainStr CERTCertDBHandle;
32 typedef struct CERTCertExtensionStr CERTCertExtension;
33 typedef struct CERTCertKeyStr CERTCertKey;
34 typedef struct CERTCertListStr CERTCertList;
35 typedef struct CERTCertListNodeStr CERTCertListNode;
36 typedef struct CERTCertNicknamesStr CERTCertNicknames;
37 typedef struct CERTCertTrustStr CERTCertTrust;
38 typedef struct CERTCertificateStr CERTCertificate;
39 typedef struct CERTCertificateListStr CERTCertificateList;
40 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
41 typedef struct CERTCrlStr CERTCrl;
42 typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
43 typedef struct CERTCrlEntryStr CERTCrlEntry;
44 typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
45 typedef struct CERTCrlKeyStr CERTCrlKey;
46 typedef struct CERTCrlNodeStr CERTCrlNode;
47 typedef struct CERTDERCertsStr CERTDERCerts;
48 typedef struct CERTDistNamesStr CERTDistNames;
49 typedef struct CERTGeneralNameStr CERTGeneralName;
50 typedef struct CERTGeneralNameListStr CERTGeneralNameList;
51 typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
52 typedef struct CERTNameStr CERTName;
53 typedef struct CERTNameConstraintStr CERTNameConstraint;
54 typedef struct CERTNameConstraintsStr CERTNameConstraints;
55 typedef struct CERTOKDomainNameStr CERTOKDomainName;
56 typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
57 typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
58 typedef struct CERTRDNStr CERTRDN;
59 typedef struct CERTSignedCrlStr CERTSignedCrl;
60 typedef struct CERTSignedDataStr CERTSignedData;
61 typedef struct CERTStatusConfigStr CERTStatusConfig;
62 typedef struct CERTSubjectListStr CERTSubjectList;
63 typedef struct CERTSubjectNodeStr CERTSubjectNode;
64 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
65 typedef struct CERTValidityStr CERTValidity;
66 typedef struct CERTVerifyLogStr CERTVerifyLog;
67 typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
68 typedef struct CRLDistributionPointStr CRLDistributionPoint;
70 /* CRL extensions type */
71 typedef unsigned long CERTCrlNumber;
73 /*
74 ** An X.500 AVA object
75 */
76 struct CERTAVAStr {
77 SECItem type;
78 SECItem value;
79 };
81 /*
82 ** An X.500 RDN object
83 */
84 struct CERTRDNStr {
85 CERTAVA **avas;
86 };
88 /*
89 ** An X.500 name object
90 */
91 struct CERTNameStr {
92 PLArenaPool *arena;
93 CERTRDN **rdns;
94 };
96 /*
97 ** An X.509 validity object
98 */
99 struct CERTValidityStr {
100 PLArenaPool *arena;
101 SECItem notBefore;
102 SECItem notAfter;
103 };
105 /*
106 * A serial number and issuer name, which is used as a database key
107 */
108 struct CERTCertKeyStr {
109 SECItem serialNumber;
110 SECItem derIssuer;
111 };
113 /*
114 ** A signed data object. Used to implement the "signed" macro used
115 ** in the X.500 specs.
116 */
117 struct CERTSignedDataStr {
118 SECItem data;
119 SECAlgorithmID signatureAlgorithm;
120 SECItem signature;
121 };
123 /*
124 ** An X.509 subject-public-key-info object
125 */
126 struct CERTSubjectPublicKeyInfoStr {
127 PLArenaPool *arena;
128 SECAlgorithmID algorithm;
129 SECItem subjectPublicKey;
130 };
132 struct CERTPublicKeyAndChallengeStr {
133 SECItem spki;
134 SECItem challenge;
135 };
137 struct CERTCertTrustStr {
138 unsigned int sslFlags;
139 unsigned int emailFlags;
140 unsigned int objectSigningFlags;
141 };
143 /*
144 * defined the types of trust that exist
145 */
146 typedef enum SECTrustTypeEnum {
147 trustSSL = 0,
148 trustEmail = 1,
149 trustObjectSigning = 2,
150 trustTypeNone = 3
151 } SECTrustType;
153 #define SEC_GET_TRUST_FLAGS(trust,type) \
154 (((type)==trustSSL)?((trust)->sslFlags): \
155 (((type)==trustEmail)?((trust)->emailFlags): \
156 (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
158 /*
159 ** An X.509.3 certificate extension
160 */
161 struct CERTCertExtensionStr {
162 SECItem id;
163 SECItem critical;
164 SECItem value;
165 };
167 struct CERTSubjectNodeStr {
168 struct CERTSubjectNodeStr *next;
169 struct CERTSubjectNodeStr *prev;
170 SECItem certKey;
171 SECItem keyID;
172 };
174 struct CERTSubjectListStr {
175 PLArenaPool *arena;
176 int ncerts;
177 char *emailAddr;
178 CERTSubjectNode *head;
179 CERTSubjectNode *tail; /* do we need tail? */
180 void *entry;
181 };
183 /*
184 ** An X.509 certificate object (the unsigned form)
185 */
186 struct CERTCertificateStr {
187 /* the arena is used to allocate any data structures that have the same
188 * lifetime as the cert. This is all stuff that hangs off of the cert
189 * structure, and is all freed at the same time. I is used when the
190 * cert is decoded, destroyed, and at some times when it changes
191 * state
192 */
193 PLArenaPool *arena;
195 /* The following fields are static after the cert has been decoded */
196 char *subjectName;
197 char *issuerName;
198 CERTSignedData signatureWrap; /* XXX */
199 SECItem derCert; /* original DER for the cert */
200 SECItem derIssuer; /* DER for issuer name */
201 SECItem derSubject; /* DER for subject name */
202 SECItem derPublicKey; /* DER for the public key */
203 SECItem certKey; /* database key for this cert */
204 SECItem version;
205 SECItem serialNumber;
206 SECAlgorithmID signature;
207 CERTName issuer;
208 CERTValidity validity;
209 CERTName subject;
210 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
211 SECItem issuerID;
212 SECItem subjectID;
213 CERTCertExtension **extensions;
214 char *emailAddr;
215 CERTCertDBHandle *dbhandle;
216 SECItem subjectKeyID; /* x509v3 subject key identifier */
217 PRBool keyIDGenerated; /* was the keyid generated? */
218 unsigned int keyUsage; /* what uses are allowed for this cert */
219 unsigned int rawKeyUsage; /* value of the key usage extension */
220 PRBool keyUsagePresent; /* was the key usage extension present */
221 PRUint32 nsCertType; /* value of the ns cert type extension */
222 /* must be 32-bit for PR_ATOMIC_SET */
224 /* these values can be set by the application to bypass certain checks
225 * or to keep the cert in memory for an entire session.
226 * XXX - need an api to set these
227 */
228 PRBool keepSession; /* keep this cert for entire session*/
229 PRBool timeOK; /* is the bad validity time ok? */
230 CERTOKDomainName *domainOK; /* these domain names are ok */
232 /*
233 * these values can change when the cert changes state. These state
234 * changes include transitions from temp to perm or vice-versa, and
235 * changes of trust flags
236 */
237 PRBool isperm;
238 PRBool istemp;
239 char *nickname;
240 char *dbnickname;
241 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
242 CERTCertTrust *trust;
244 /* the reference count is modified whenever someone looks up, dups
245 * or destroys a certificate
246 */
247 int referenceCount;
249 /* The subject list is a list of all certs with the same subject name.
250 * It can be modified any time a cert is added or deleted from either
251 * the in-memory(temporary) or on-disk(permanent) database.
252 */
253 CERTSubjectList *subjectList;
255 /* these belong in the static section, but are here to maintain
256 * the structure's integrity
257 */
258 CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */
259 PRBool isRoot; /* cert is the end of a chain */
261 /* these fields are used by client GUI code to keep track of ssl sockets
262 * that are blocked waiting on GUI feedback related to this cert.
263 * XXX - these should be moved into some sort of application specific
264 * data structure. They are only used by the browser right now.
265 */
266 union {
267 void* apointer; /* was struct SECSocketNode* authsocketlist */
268 struct {
269 unsigned int hasUnsupportedCriticalExt :1;
270 /* add any new option bits needed here */
271 } bits;
272 } options;
273 int series; /* was int authsocketcount; record the series of the pkcs11ID */
275 /* This is PKCS #11 stuff. */
276 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
277 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
278 PRBool ownSlot; /*true if the cert owns the slot reference */
279 };
280 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
281 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
282 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
284 #define SEC_CRL_VERSION_1 0 /* default */
285 #define SEC_CRL_VERSION_2 1 /* v2 extensions */
287 /*
288 * used to identify class of cert in mime stream code
289 */
290 #define SEC_CERT_CLASS_CA 1
291 #define SEC_CERT_CLASS_SERVER 2
292 #define SEC_CERT_CLASS_USER 3
293 #define SEC_CERT_CLASS_EMAIL 4
295 struct CERTDERCertsStr {
296 PLArenaPool *arena;
297 int numcerts;
298 SECItem *rawCerts;
299 };
301 /*
302 ** A PKCS ? Attribute
303 ** XXX this is duplicated through out the code, it *should* be moved
304 ** to a central location. Where would be appropriate?
305 */
306 struct CERTAttributeStr {
307 SECItem attrType;
308 SECItem **attrValue;
309 };
311 /*
312 ** A PKCS#10 certificate-request object (the unsigned form)
313 */
314 struct CERTCertificateRequestStr {
315 PLArenaPool *arena;
316 SECItem version;
317 CERTName subject;
318 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
319 CERTAttribute **attributes;
320 };
321 #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
324 /*
325 ** A certificate list object.
326 */
327 struct CERTCertificateListStr {
328 SECItem *certs;
329 int len; /* number of certs */
330 PLArenaPool *arena;
331 };
333 struct CERTCertListNodeStr {
334 PRCList links;
335 CERTCertificate *cert;
336 void *appData;
337 };
339 struct CERTCertListStr {
340 PRCList list;
341 PLArenaPool *arena;
342 };
344 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
345 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
346 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
347 #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
348 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
350 struct CERTCrlEntryStr {
351 SECItem serialNumber;
352 SECItem revocationDate;
353 CERTCertExtension **extensions;
354 };
356 struct CERTCrlStr {
357 PLArenaPool *arena;
358 SECItem version;
359 SECAlgorithmID signatureAlg;
360 SECItem derName;
361 CERTName name;
362 SECItem lastUpdate;
363 SECItem nextUpdate; /* optional for x.509 CRL */
364 CERTCrlEntry **entries;
365 CERTCertExtension **extensions;
366 /* can't add anything there for binary backwards compatibility reasons */
367 };
369 struct CERTCrlKeyStr {
370 SECItem derName;
371 SECItem dummy; /* The decoder can not skip a primitive,
372 this serves as a place holder for the
373 decoder to finish its task only
374 */
375 };
377 struct CERTSignedCrlStr {
378 PLArenaPool *arena;
379 CERTCrl crl;
380 void *reserved1;
381 PRBool reserved2;
382 PRBool isperm;
383 PRBool istemp;
384 int referenceCount;
385 CERTCertDBHandle *dbhandle;
386 CERTSignedData signatureWrap; /* XXX */
387 char *url;
388 SECItem *derCrl;
389 PK11SlotInfo *slot;
390 CK_OBJECT_HANDLE pkcs11ID;
391 void* opaque; /* do not touch */
392 };
395 struct CERTCrlHeadNodeStr {
396 PLArenaPool *arena;
397 CERTCertDBHandle *dbhandle;
398 CERTCrlNode *first;
399 CERTCrlNode *last;
400 };
403 struct CERTCrlNodeStr {
404 CERTCrlNode *next;
405 int type;
406 CERTSignedCrl *crl;
407 };
410 /*
411 * Array of X.500 Distinguished Names
412 */
413 struct CERTDistNamesStr {
414 PLArenaPool *arena;
415 int nnames;
416 SECItem *names;
417 void *head; /* private */
418 };
421 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
422 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
423 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
424 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
425 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
426 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
427 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
428 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
430 #define EXT_KEY_USAGE_TIME_STAMP (0x8000)
431 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
433 #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
434 NS_CERT_TYPE_SSL_SERVER | \
435 NS_CERT_TYPE_EMAIL | \
436 NS_CERT_TYPE_OBJECT_SIGNING )
438 #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
439 NS_CERT_TYPE_EMAIL_CA | \
440 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
441 EXT_KEY_USAGE_STATUS_RESPONDER )
442 typedef enum SECCertUsageEnum {
443 certUsageSSLClient = 0,
444 certUsageSSLServer = 1,
445 certUsageSSLServerWithStepUp = 2,
446 certUsageSSLCA = 3,
447 certUsageEmailSigner = 4,
448 certUsageEmailRecipient = 5,
449 certUsageObjectSigner = 6,
450 certUsageUserCertImport = 7,
451 certUsageVerifyCA = 8,
452 certUsageProtectedObjectSigner = 9,
453 certUsageStatusResponder = 10,
454 certUsageAnyCA = 11
455 } SECCertUsage;
457 typedef PRInt64 SECCertificateUsage;
459 #define certificateUsageCheckAllUsages (0x0000)
460 #define certificateUsageSSLClient (0x0001)
461 #define certificateUsageSSLServer (0x0002)
462 #define certificateUsageSSLServerWithStepUp (0x0004)
463 #define certificateUsageSSLCA (0x0008)
464 #define certificateUsageEmailSigner (0x0010)
465 #define certificateUsageEmailRecipient (0x0020)
466 #define certificateUsageObjectSigner (0x0040)
467 #define certificateUsageUserCertImport (0x0080)
468 #define certificateUsageVerifyCA (0x0100)
469 #define certificateUsageProtectedObjectSigner (0x0200)
470 #define certificateUsageStatusResponder (0x0400)
471 #define certificateUsageAnyCA (0x0800)
473 #define certificateUsageHighest certificateUsageAnyCA
475 /*
476 * Does the cert belong to the user, a peer, or a CA.
477 */
478 typedef enum CERTCertOwnerEnum {
479 certOwnerUser = 0,
480 certOwnerPeer = 1,
481 certOwnerCA = 2
482 } CERTCertOwner;
484 /*
485 * This enum represents the state of validity times of a certificate
486 */
487 typedef enum SECCertTimeValidityEnum {
488 secCertTimeValid = 0,
489 secCertTimeExpired = 1,
490 secCertTimeNotValidYet = 2,
491 secCertTimeUndetermined = 3 /* validity could not be decoded from the
492 cert, most likely because it was NULL */
493 } SECCertTimeValidity;
495 /*
496 * This is used as return status in functions that compare the validity
497 * periods of two certificates A and B, currently only
498 * CERT_CompareValidityTimes.
499 */
501 typedef enum CERTCompareValidityStatusEnum
502 {
503 certValidityUndetermined = 0, /* the function is unable to select one cert
504 over another */
505 certValidityChooseB = 1, /* cert B should be preferred */
506 certValidityEqual = 2, /* both certs have the same validity period */
507 certValidityChooseA = 3 /* cert A should be preferred */
508 } CERTCompareValidityStatus;
510 /*
511 * Interface for getting certificate nickname strings out of the database
512 */
514 /* these are values for the what argument below */
515 #define SEC_CERT_NICKNAMES_ALL 1
516 #define SEC_CERT_NICKNAMES_USER 2
517 #define SEC_CERT_NICKNAMES_SERVER 3
518 #define SEC_CERT_NICKNAMES_CA 4
520 struct CERTCertNicknamesStr {
521 PLArenaPool *arena;
522 void *head;
523 int numnicknames;
524 char **nicknames;
525 int what;
526 int totallen;
527 };
529 struct CERTIssuerAndSNStr {
530 SECItem derIssuer;
531 CERTName issuer;
532 SECItem serialNumber;
533 };
536 /* X.509 v3 Key Usage Extension flags */
537 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
538 #define KU_NON_REPUDIATION (0x40) /* bit 1 */
539 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
540 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
541 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */
542 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
543 #define KU_CRL_SIGN (0x02) /* bit 6 */
544 #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
545 #define KU_ALL (KU_DIGITAL_SIGNATURE | \
546 KU_NON_REPUDIATION | \
547 KU_KEY_ENCIPHERMENT | \
548 KU_DATA_ENCIPHERMENT | \
549 KU_KEY_AGREEMENT | \
550 KU_KEY_CERT_SIGN | \
551 KU_CRL_SIGN | \
552 KU_ENCIPHER_ONLY)
554 /* This value will not occur in certs. It is used internally for the case
555 * when either digital signature or non-repudiation is the correct value.
556 */
557 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
559 /* This value will not occur in certs. It is used internally for the case
560 * when the key type is not know ahead of time and either key agreement or
561 * key encipherment are the correct value based on key type
562 */
563 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
565 /* internal bits that do not match bits in the x509v3 spec, but are used
566 * for similar purposes
567 */
568 #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
569 /*
570 * x.509 v3 Basic Constraints Extension
571 * If isCA is false, the pathLenConstraint is ignored.
572 * Otherwise, the following pathLenConstraint values will apply:
573 * < 0 - there is no limit to the certificate path
574 * 0 - CA can issues end-entity certificates only
575 * > 0 - the number of certificates in the certificate path is
576 * limited to this number
577 */
578 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
580 struct CERTBasicConstraintsStr {
581 PRBool isCA; /* on if is CA */
582 int pathLenConstraint; /* maximum number of certificates that can be
583 in the cert path. Only applies to a CA
584 certificate; otherwise, it's ignored.
585 */
586 };
588 /* Maximum length of a certificate chain */
589 #define CERT_MAX_CERT_CHAIN 20
591 #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
592 #define CERT_MAX_DN_BYTES 4096 /* arbitrary */
594 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
595 #define RF_UNUSED (0x80) /* bit 0 */
596 #define RF_KEY_COMPROMISE (0x40) /* bit 1 */
597 #define RF_CA_COMPROMISE (0x20) /* bit 2 */
598 #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
599 #define RF_SUPERSEDED (0x08) /* bit 4 */
600 #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
601 #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
603 /* enum for CRL Entry Reason Code */
604 typedef enum CERTCRLEntryReasonCodeEnum {
605 crlEntryReasonUnspecified = 0,
606 crlEntryReasonKeyCompromise = 1,
607 crlEntryReasonCaCompromise = 2,
608 crlEntryReasonAffiliationChanged = 3,
609 crlEntryReasonSuperseded = 4,
610 crlEntryReasonCessationOfOperation = 5,
611 crlEntryReasoncertificatedHold = 6,
612 crlEntryReasonRemoveFromCRL = 8,
613 crlEntryReasonPrivilegeWithdrawn = 9,
614 crlEntryReasonAaCompromise = 10
615 } CERTCRLEntryReasonCode;
617 /* If we needed to extract the general name field, use this */
618 /* General Name types */
619 typedef enum CERTGeneralNameTypeEnum {
620 certOtherName = 1,
621 certRFC822Name = 2,
622 certDNSName = 3,
623 certX400Address = 4,
624 certDirectoryName = 5,
625 certEDIPartyName = 6,
626 certURI = 7,
627 certIPAddress = 8,
628 certRegisterID = 9
629 } CERTGeneralNameType;
632 typedef struct OtherNameStr {
633 SECItem name;
634 SECItem oid;
635 }OtherName;
639 struct CERTGeneralNameStr {
640 CERTGeneralNameType type; /* name type */
641 union {
642 CERTName directoryName; /* distinguish name */
643 OtherName OthName; /* Other Name */
644 SECItem other; /* the rest of the name forms */
645 }name;
646 SECItem derDirectoryName; /* this is saved to simplify directory name
647 comparison */
648 PRCList l;
649 };
651 struct CERTGeneralNameListStr {
652 PLArenaPool *arena;
653 CERTGeneralName *name;
654 int refCount;
655 int len;
656 PZLock *lock;
657 };
659 struct CERTNameConstraintStr {
660 CERTGeneralName name;
661 SECItem DERName;
662 SECItem min;
663 SECItem max;
664 PRCList l;
665 };
668 struct CERTNameConstraintsStr {
669 CERTNameConstraint *permited;
670 CERTNameConstraint *excluded;
671 SECItem **DERPermited;
672 SECItem **DERExcluded;
673 };
676 /* Private Key Usage Period extension struct. */
677 struct CERTPrivKeyUsagePeriodStr {
678 SECItem notBefore;
679 SECItem notAfter;
680 PLArenaPool *arena;
681 };
683 /* X.509 v3 Authority Key Identifier extension. For the authority certificate
684 issuer field, we only support URI now.
685 */
686 struct CERTAuthKeyIDStr {
687 SECItem keyID; /* unique key identifier */
688 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
689 SECItem authCertSerialNumber; /* CA's certificate serial number */
690 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
691 the authCertIssuer field. It is used
692 by the encoding engine. It should be
693 used as a read only field by the caller.
694 */
695 };
697 /* x.509 v3 CRL Distributeion Point */
699 /*
700 * defined the types of CRL Distribution points
701 */
702 typedef enum DistributionPointTypesEnum {
703 generalName = 1, /* only support this for now */
704 relativeDistinguishedName = 2
705 } DistributionPointTypes;
707 struct CRLDistributionPointStr {
708 DistributionPointTypes distPointType;
709 union {
710 CERTGeneralName *fullName;
711 CERTRDN relativeName;
712 } distPoint;
713 SECItem reasons;
714 CERTGeneralName *crlIssuer;
716 /* Reserved for internal use only*/
717 SECItem derDistPoint;
718 SECItem derRelativeName;
719 SECItem **derCrlIssuer;
720 SECItem **derFullName;
721 SECItem bitsmap;
722 };
724 struct CERTCrlDistributionPointsStr {
725 CRLDistributionPoint **distPoints;
726 };
728 /*
729 * This structure is used to keep a log of errors when verifying
730 * a cert chain. This allows multiple errors to be reported all at
731 * once.
732 */
733 struct CERTVerifyLogNodeStr {
734 CERTCertificate *cert; /* what cert had the error */
735 long error; /* what error was it? */
736 unsigned int depth; /* how far up the chain are we */
737 void *arg; /* error specific argument */
738 struct CERTVerifyLogNodeStr *next; /* next in the list */
739 struct CERTVerifyLogNodeStr *prev; /* next in the list */
740 };
743 struct CERTVerifyLogStr {
744 PLArenaPool *arena;
745 unsigned int count;
746 struct CERTVerifyLogNodeStr *head;
747 struct CERTVerifyLogNodeStr *tail;
748 };
751 struct CERTOKDomainNameStr {
752 CERTOKDomainName *next;
753 char name[1]; /* actual length may be longer. */
754 };
757 typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
758 CERTCertificate *cert,
759 PRTime time,
760 void *pwArg);
762 typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
764 struct CERTStatusConfigStr {
765 CERTStatusChecker statusChecker; /* NULL means no checking enabled */
766 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
767 void *statusContext; /* cx specific to checking protocol */
768 };
770 struct CERTAuthInfoAccessStr {
771 SECItem method;
772 SECItem derLocation;
773 CERTGeneralName *location; /* decoded location */
774 };
777 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
778 /* callback to return database name based on version number */
779 typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
781 /*
782 * types of cert packages that we can decode
783 */
784 typedef enum CERTPackageTypeEnum {
785 certPackageNone = 0,
786 certPackageCert = 1,
787 certPackagePKCS7 = 2,
788 certPackageNSCertSeq = 3,
789 certPackageNSCertWrap = 4
790 } CERTPackageType;
792 /*
793 * these types are for the PKIX Certificate Policies extension
794 */
795 typedef struct {
796 SECOidTag oid;
797 SECItem qualifierID;
798 SECItem qualifierValue;
799 } CERTPolicyQualifier;
801 typedef struct {
802 SECOidTag oid;
803 SECItem policyID;
804 CERTPolicyQualifier **policyQualifiers;
805 } CERTPolicyInfo;
807 typedef struct {
808 PLArenaPool *arena;
809 CERTPolicyInfo **policyInfos;
810 } CERTCertificatePolicies;
812 typedef struct {
813 SECItem organization;
814 SECItem **noticeNumbers;
815 } CERTNoticeReference;
817 typedef struct {
818 PLArenaPool *arena;
819 CERTNoticeReference noticeReference;
820 SECItem derNoticeReference;
821 SECItem displayText;
822 } CERTUserNotice;
824 typedef struct {
825 PLArenaPool *arena;
826 SECItem **oids;
827 } CERTOidSequence;
829 /*
830 * these types are for the PKIX Policy Mappings extension
831 */
832 typedef struct {
833 SECItem issuerDomainPolicy;
834 SECItem subjectDomainPolicy;
835 } CERTPolicyMap;
837 typedef struct {
838 PLArenaPool *arena;
839 CERTPolicyMap **policyMaps;
840 } CERTCertificatePolicyMappings;
842 /*
843 * these types are for the PKIX inhibitAnyPolicy extension
844 */
845 typedef struct {
846 SECItem inhibitAnySkipCerts;
847 } CERTCertificateInhibitAny;
849 /*
850 * these types are for the PKIX Policy Constraints extension
851 */
852 typedef struct {
853 SECItem explicitPolicySkipCerts;
854 SECItem inhibitMappingSkipCerts;
855 } CERTCertificatePolicyConstraints;
857 /*
858 * These types are for the validate chain callback param.
859 *
860 * CERTChainVerifyCallback is an application-supplied callback that can be used
861 * to augment libpkix's certificate chain validation with additional
862 * application-specific checks. It may be called multiple times if there are
863 * multiple potentially-valid paths for the certificate being validated. This
864 * callback is called before revocation checking is done on the certificates in
865 * the given chain.
866 *
867 * - isValidChainArg contains the application-provided opaque argument
868 * - currentChain is the currently validated chain. It is ordered with the leaf
869 * certificate at the head and the trust anchor at the tail.
870 *
871 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
872 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
873 * return SECSuccess if the chain is unacceptable, to indicate that the given
874 * chain is bad and path building should continue. It should return SECFailure
875 * to indicate an fatal error that will cause path validation to fail
876 * immediately.
877 */
878 typedef SECStatus (*CERTChainVerifyCallbackFunc)
879 (void *isChainValidArg,
880 const CERTCertList *currentChain,
881 PRBool *chainOK);
883 /*
884 * Note: If extending this structure, it will be necessary to change the
885 * associated CERTValParamInType
886 */
887 typedef struct {
888 CERTChainVerifyCallbackFunc isChainValid;
889 void *isChainValidArg;
890 } CERTChainVerifyCallback;
892 /*
893 * these types are for the CERT_PKIX* Verification functions
894 * These are all optional parameters.
895 */
897 typedef enum {
898 cert_pi_end = 0, /* SPECIAL: signifies end of array of
899 * CERTValParam* */
900 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
901 * resume a session. If this argument is
902 * specified, no other arguments should be.
903 * Specified in value.pointer.p. If the
904 * operation completes the context will be
905 * freed. */
906 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
907 * existing operation which the caller wants
908 * to abort. If this argument is
909 * specified, no other arguments should be.
910 * Specified in value.pointer.p. If the
911 * operation succeeds the context will be
912 * freed. */
913 cert_pi_certList = 3, /* specify the chain to validate against. If
914 * this value is given, then the path
915 * construction step in the validation is
916 * skipped. Specified in value.pointer.chain */
917 cert_pi_policyOID = 4, /* validate certificate for policy OID.
918 * Specified in value.array.oids. Cert must
919 * be good for at least one OID in order
920 * to validate. Default is that the user is not
921 * concerned about certificate policy. */
922 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
923 * Specified in value.scalar.ul. Policy flags
924 * apply to all specified oids.
925 * Use CERT_POLICY_FLAG_* macros below. If not
926 * specified policy flags default to 0 */
927 cert_pi_keyusage = 6, /* specify what the keyusages the certificate
928 * will be evaluated against, specified in
929 * value.scalar.ui. The cert must validate for
930 * at least one of the specified key usages.
931 * Values match the KU_ bit flags defined
932 * in this file. Default is derived from
933 * the 'usages' function argument */
934 cert_pi_extendedKeyusage= 7, /* specify what the required extended key
935 * usage of the certificate. Specified as
936 * an array of oidTags in value.array.oids.
937 * The cert must validate for at least one
938 * of the specified extended key usages.
939 * If not specified, no extended key usages
940 * will be checked. */
941 cert_pi_date = 8, /* validate certificate is valid as of date
942 * specified in value.scalar.time. A special
943 * value '0' indicates 'now'. default is '0' */
944 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
945 * See CERT_REV_FLAG_* macros below
946 * Set in value.pointer.revocation */
947 cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below)
948 * Set in value.scalar.ui */
949 cert_pi_trustAnchors = 11,/* Specify the list of trusted roots to
950 * validate against.
951 * The default set of trusted roots, these are
952 * root CA certs from libnssckbi.so or CA
953 * certs trusted by user, are used in any of
954 * the following cases:
955 * * when the parameter is not set.
956 * * when the list of trust anchors is empty.
957 * Note that this handling can be further altered by altering the
958 * cert_pi_useOnlyTrustAnchors flag
959 * Specified in value.pointer.chain */
960 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
961 * In NSS 3.12.1 or later. Default is off.
962 * Value is in value.scalar.b */
963 cert_pi_chainVerifyCallback = 13,
964 /* The callback container for doing extra
965 * validation on the currently calculated chain.
966 * Value is in value.pointer.chainVerifyCallback */
967 cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
968 * certificates other than the ones passed in via cert_pi_trustAnchors.
969 * If false, then the certificates specified via cert_pi_trustAnchors
970 * will be combined with the pre-existing trusted roots, but only for
971 * the certificate validation being performed.
972 * If no value has been supplied via cert_pi_trustAnchors, this has no
973 * effect.
974 * The default value is true, meaning if this is not supplied, only
975 * trust anchors supplied via cert_pi_trustAnchors are trusted.
976 * Specified in value.scalar.b */
977 cert_pi_max /* SPECIAL: signifies maximum allowed value,
978 * can increase in future releases */
979 } CERTValParamInType;
981 /*
982 * for all out parameters:
983 * out parameters are only returned if the caller asks for them in
984 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
985 * array itself. The pkix verify function will allocate and other arrays
986 * pointers, or objects. The Caller is responsible for freeing those results.
987 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
988 */
989 typedef enum {
990 cert_po_end = 0, /* SPECIAL: signifies end of array of
991 * CERTValParam* */
992 cert_po_nbioContext = 1, /* Return a nonblocking context. If no
993 * non-blocking context is specified, then
994 * blocking IO will be used.
995 * Returned in value.pointer.p. The context is
996 * freed after an abort or a complete operation.
997 * This value is only returned on SECWouldBlock.
998 */
999 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that
1000 * was validated. Returned in
1001 * value.pointer.cert, this value is only
1002 * returned on SECSuccess. */
1003 cert_po_certList = 3, /* Return the entire chain that was validated.
1004 * Returned in value.pointer.certList. If no
1005 * chain could be constructed, this value
1006 * would be NULL. */
1007 cert_po_policyOID = 4, /* Return the policies that were found to be
1008 * valid. Returned in value.array.oids as an
1009 * array. This is only returned on
1010 * SECSuccess. */
1011 cert_po_errorLog = 5, /* Return a log of problems with the chain.
1012 * Returned in value.pointer.log */
1013 cert_po_usages = 6, /* Return what usages the certificate is valid
1014 for. Returned in value.scalar.usages */
1015 cert_po_keyUsage = 7, /* Return what key usages the certificate
1016 * is valid for.
1017 * Returned in value.scalar.usage */
1018 cert_po_extendedKeyusage= 8, /* Return what extended key usages the
1019 * certificate is valid for.
1020 * Returned in value.array.oids */
1021 cert_po_max /* SPECIAL: signifies maximum allowed value,
1022 * can increase in future releases */
1024 } CERTValParamOutType;
1026 typedef enum {
1027 cert_revocation_method_crl = 0,
1028 cert_revocation_method_ocsp,
1029 cert_revocation_method_count
1030 } CERTRevocationMethodIndex;
1033 /*
1034 * The following flags are supposed to be used to control bits in
1035 * each integer contained in the array pointed to be:
1036 * CERTRevocationTests.cert_rev_flags_per_method
1037 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1038 * this is a method dependent flag.
1039 */
1041 /*
1042 * Whether or not to use a method for revocation testing.
1043 * If set to "do not test", then all other flags are ignored.
1044 */
1045 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1046 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1048 /*
1049 * Whether or not NSS is allowed to attempt to fetch fresh information
1050 * from the network.
1051 * (Although fetching will never happen if fresh information for the
1052 * method is already locally available.)
1053 */
1054 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1055 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1057 /*
1058 * Example for an implicit default source:
1059 * The globally configured default OCSP responder.
1060 * IGNORE means:
1061 * ignore the implicit default source, whether it's configured or not.
1062 * ALLOW means:
1063 * if an implicit default source is configured,
1064 * then it overrides any available or missing source in the cert.
1065 * if no implicit default source is configured,
1066 * then we continue to use what's available (or not available)
1067 * in the certs.
1068 */
1069 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1070 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1072 /*
1073 * Defines the behavior if no fresh information is available,
1074 * fetching from the network is allowed, but the source of revocation
1075 * information is unknown (even after considering implicit sources,
1076 * if allowed by other flags).
1077 * SKIPT_TEST means:
1078 * We ignore that no fresh information is available and
1079 * skip this test.
1080 * REQUIRE_INFO means:
1081 * We still require that fresh information is available.
1082 * Other flags define what happens on missing fresh info.
1083 */
1084 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1085 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1087 /*
1088 * Defines the behavior if we are unable to obtain fresh information.
1089 * INGORE means:
1090 * Return "cert status unknown"
1091 * FAIL means:
1092 * Return "cert revoked".
1093 */
1094 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1095 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1097 /*
1098 * What should happen if we were able to find fresh information using
1099 * this method, and the data indicated the cert is good?
1100 * STOP_TESTING means:
1101 * Our success is sufficient, do not continue testing
1102 * other methods.
1103 * CONTINUE_TESTING means:
1104 * We will continue and test the next allowed
1105 * specified method.
1106 */
1107 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1108 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1110 /* When this flag is used, libpkix will never attempt to use the GET HTTP
1111 * method for OCSP requests; it will always use POST.
1112 */
1113 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1115 /*
1116 * The following flags are supposed to be used to control bits in
1117 * CERTRevocationTests.cert_rev_method_independent_flags
1118 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1119 * this is a method independent flag.
1120 */
1122 /*
1123 * This defines the order to checking.
1124 * EACH_METHOD_SEPARATELY means:
1125 * Do all tests related to a particular allowed method
1126 * (both local information and network fetching) in a single step.
1127 * Only after testing for a particular method is done,
1128 * then switching to the next method will happen.
1129 * ALL_LOCAL_INFORMATION_FIRST means:
1130 * Start by testing the information for all allowed methods
1131 * which are already locally available. Only after that is done
1132 * consider to fetch from the network (as allowed by other flags).
1133 */
1134 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1135 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1137 /*
1138 * Use this flag to specify that it's necessary that fresh information
1139 * is available for at least one of the allowed methods, but it's
1140 * irrelevant which of the mechanisms succeeded.
1141 * NO_OVERALL_INFO_REQUIREMENT means:
1142 * We strictly follow the requirements for each individual method.
1143 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1144 * After the individual tests have been executed, we must have
1145 * been able to find fresh information using at least one method.
1146 * If we were unable to find fresh info, it's a failure.
1147 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1148 * flag on all methods.
1149 */
1150 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1151 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1154 typedef struct {
1155 /*
1156 * The size of the array that cert_rev_flags_per_method points to,
1157 * meaning, the number of methods that are known and defined
1158 * by the caller.
1159 */
1160 PRUint32 number_of_defined_methods;
1162 /*
1163 * A pointer to an array of integers.
1164 * Each integer defines revocation checking for a single method,
1165 * by having individual CERT_REV_M_* bits set or not set.
1166 * The meaning of index numbers into this array are defined by
1167 * enum CERTRevocationMethodIndex
1168 * The size of the array must be specified by the caller in the separate
1169 * variable number_of_defined_methods.
1170 * The size of the array may be smaller than
1171 * cert_revocation_method_count, it can happen if a caller
1172 * is not yet aware of the latest revocation methods
1173 * (or does not want to use them).
1174 */
1175 PRUint64 *cert_rev_flags_per_method;
1177 /*
1178 * How many preferred methods are specified?
1179 * This is equivalent to the size of the array that
1180 * preferred_revocation_methods points to.
1181 * It's allowed to set this value to zero,
1182 * then NSS will decide which methods to prefer.
1183 */
1184 PRUint32 number_of_preferred_methods;
1186 /* Array that may specify an optional order of preferred methods.
1187 * Each array entry shall contain a method identifier as defined
1188 * by CERTRevocationMethodIndex.
1189 * The entry at index [0] specifies the method with highest preferrence.
1190 * These methods will be tested first for locally available information.
1191 * Methods allowed for downloading will be attempted in the same order.
1192 */
1193 CERTRevocationMethodIndex *preferred_methods;
1195 /*
1196 * An integer which defines certain aspects of revocation checking
1197 * (independent of individual methods) by having individual
1198 * CERT_REV_MI_* bits set or not set.
1199 */
1200 PRUint64 cert_rev_method_independent_flags;
1201 } CERTRevocationTests;
1203 typedef struct {
1204 CERTRevocationTests leafTests;
1205 CERTRevocationTests chainTests;
1206 } CERTRevocationFlags;
1208 typedef struct CERTValParamInValueStr {
1209 union {
1210 PRBool b;
1211 PRInt32 i;
1212 PRUint32 ui;
1213 PRInt64 l;
1214 PRUint64 ul;
1215 PRTime time;
1216 } scalar;
1217 union {
1218 const void* p;
1219 const char* s;
1220 const CERTCertificate* cert;
1221 const CERTCertList *chain;
1222 const CERTRevocationFlags *revocation;
1223 const CERTChainVerifyCallback *chainVerifyCallback;
1224 } pointer;
1225 union {
1226 const PRInt32 *pi;
1227 const PRUint32 *pui;
1228 const PRInt64 *pl;
1229 const PRUint64 *pul;
1230 const SECOidTag *oids;
1231 } array;
1232 int arraySize;
1233 } CERTValParamInValue;
1236 typedef struct CERTValParamOutValueStr {
1237 union {
1238 PRBool b;
1239 PRInt32 i;
1240 PRUint32 ui;
1241 PRInt64 l;
1242 PRUint64 ul;
1243 SECCertificateUsage usages;
1244 } scalar;
1245 union {
1246 void* p;
1247 char* s;
1248 CERTVerifyLog *log;
1249 CERTCertificate* cert;
1250 CERTCertList *chain;
1251 } pointer;
1252 union {
1253 void *p;
1254 SECOidTag *oids;
1255 } array;
1256 int arraySize;
1257 } CERTValParamOutValue;
1259 typedef struct {
1260 CERTValParamInType type;
1261 CERTValParamInValue value;
1262 } CERTValInParam;
1264 typedef struct {
1265 CERTValParamOutType type;
1266 CERTValParamOutValue value;
1267 } CERTValOutParam;
1269 /*
1270 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1271 */
1272 typedef enum CertStrictnessLevels {
1273 CERT_N2A_READABLE = 0, /* maximum human readability */
1274 CERT_N2A_STRICT = 10, /* strict RFC compliance */
1275 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
1276 all DirectoryStrings encoded in hex */
1277 } CertStrictnessLevel;
1279 /*
1280 * policy flag defines
1281 */
1282 #define CERT_POLICY_FLAG_NO_MAPPING 1
1283 #define CERT_POLICY_FLAG_EXPLICIT 2
1284 #define CERT_POLICY_FLAG_NO_ANY 4
1286 /*
1287 * CertStore flags
1288 */
1289 #define CERT_ENABLE_LDAP_FETCH 1
1290 #define CERT_ENABLE_HTTP_FETCH 2
1292 /* This functin pointer type may be used for any function that takes
1293 * a CERTCertificate * and returns an allocated string, which must be
1294 * freed by a call to PORT_Free.
1295 */
1296 typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
1298 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1300 #include "secasn1t.h" /* way down here because I expect template stuff to
1301 * move out of here anyway */
1303 SEC_BEGIN_PROTOS
1305 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1306 extern const SEC_ASN1Template CERT_CertificateTemplate[];
1307 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1308 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1309 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1310 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1311 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1312 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1313 extern const SEC_ASN1Template CERT_ValidityTemplate[];
1314 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1315 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1317 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1318 extern const SEC_ASN1Template CERT_NameTemplate[];
1319 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1320 extern const SEC_ASN1Template CERT_RDNTemplate[];
1321 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1322 extern const SEC_ASN1Template CERT_CrlTemplate[];
1323 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1325 /*
1326 ** XXX should the attribute stuff be centralized for all of ns/security?
1327 */
1328 extern const SEC_ASN1Template CERT_AttributeTemplate[];
1329 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1331 /* These functions simply return the address of the above-declared templates.
1332 ** This is necessary for Windows DLLs. Sigh.
1333 */
1334 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1335 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1336 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1337 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1338 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1339 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1340 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1341 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1342 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1343 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1344 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1345 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1347 SEC_END_PROTOS
1349 #endif /* _CERTT_H_ */
