The Tor Browser / file revision

 /* This Source Code Form is subject to the terms of the Mozilla Public

  * License, v. 2.0. If a copy of the MPL was not distributed with this

  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 /*

  * This file defines functions associated with the various parameters used

  * by the top-level functions.

  *

  */

 #ifndef _PKIX_PARAMS_H

 #define _PKIX_PARAMS_H

 #include "pkixt.h"

 #ifdef __cplusplus

 extern "C" {

 #endif

 /* General

  *

  * Please refer to the libpkix Programmer's Guide for detailed information

  * about how to use the libpkix library. Certain key warnings and notices from

  * that document are repeated here for emphasis.

  *

  * All identifiers in this file (and all public identifiers defined in

  * libpkix) begin with "PKIX_". Private identifiers only intended for use

  * within the library begin with "pkix_".

  *

  * A function returns NULL upon success, and a PKIX_Error pointer upon failure.

  *

  * Unless otherwise noted, for all accessor (gettor) functions that return a

  * PKIX_PL_Object pointer, callers should assume that this pointer refers to a

  * shared object. Therefore, the caller should treat this shared object as

  * read-only and should not modify this shared object. When done using the

  * shared object, the caller should release the reference to the object by

  * using the PKIX_PL_Object_DecRef function.

  *

  * While a function is executing, if its arguments (or anything referred to by

  * its arguments) are modified, free'd, or destroyed, the function's behavior

  * is undefined.

  *

  */

 /* PKIX_ProcessingParams

  *

  * PKIX_ProcessingParams are parameters used when validating or building a

  * chain of certificates. Using the parameters, the caller can specify several

  * things, including the various inputs to the PKIX chain validation

  * algorithm (such as trust anchors, initial policies, etc), any customized

  * functionality (such as CertChainCheckers, RevocationCheckers, CertStores),

  * and whether revocation checking should be disabled.

  *

  * Once the caller has created the ProcessingParams object, the caller then

  * passes it to PKIX_ValidateChain or PKIX_BuildChain, which uses it to call

  * the user's callback functions as needed during the validation or building

  * process.

  *

  * If a parameter is not set (or is set to NULL), it will be set to the

  * default value for that parameter. The default value for the Date parameter

  * is NULL, which indicates the current time when the path is validated. The

  * default for the remaining parameters is the least constrained.

  */

 /*

  * FUNCTION: PKIX_ProcessingParams_Create

  * DESCRIPTION:

  *

  *  Creates a new ProcessingParams object. Trust anchor list is set to

  *  newly created empty list of trust. In this case trust anchors will

  *  be taken from provided cert store. Pointed to the created

  *  ProcessingParams object is stored in "pParams".

  *

  * PARAMETERS:

  *  "anchors"

  *      Address of List of (non-empty) TrustAnchors to be used.

  *      Must be non-NULL.

  *  "pParams"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_Create(

         PKIX_ProcessingParams **pParams,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetCertChainCheckers

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of CertChainCheckers (if any) that are set

  *  in the ProcessingParams pointed to by "params" and stores it at

  *  "pCheckers". Each CertChainChecker represents a custom certificate

  *  validation check used by PKIX_ValidateChain or PKIX_BuildChain as needed

  *  during the validation or building process. If "params" does not have any

  *  CertChainCheckers, this function stores an empty List at "pCheckers".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of CertChainCheckers (if any)

  *      are to be stored. Must be non-NULL.

  *  "pCheckers"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetCertChainCheckers(

         PKIX_ProcessingParams *params,

         PKIX_List **pCheckers, /* list of PKIX_CertChainChecker */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetCertChainCheckers

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a List of

  *  CertChainCheckers pointed to by "checkers". Each CertChainChecker

  *  represents a custom certificate validation check used by

  *  PKIX_ValidateChain or PKIX_BuildChain as needed during the validation or

  *  building process. If "checkers" is NULL, no CertChainCheckers will be used.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of CertChainCheckers is to be

  *      set. Must be non-NULL.

  *  "checkers"

  *      Address of List of CertChainCheckers to be set. If NULL, no

  *      CertChainCheckers will be used.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params" and "checkers"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetCertChainCheckers(

         PKIX_ProcessingParams *params,

         PKIX_List *checkers,  /* list of PKIX_CertChainChecker */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_AddCertChainChecker

  * DESCRIPTION:

  *

  *  Adds the CertChainChecker pointed to by "checker" to the ProcessingParams

  *  pointed to by "params". The CertChainChecker represents a custom

  *  certificate validation check used by PKIX_ValidateChain or PKIX_BuildChain

  *  as needed during the validation or building process.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be added to. Must be non-NULL.

  *  "checker"

  *      Address of CertChainChecker to be added. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_AddCertChainChecker(

         PKIX_ProcessingParams *params,

         PKIX_CertChainChecker *checker,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetRevocationChecker

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the RevocationChecker that are set

  *  in the ProcessingParams pointed to by "params" and stores it at

  *  "pRevChecker". Each RevocationChecker represents a revocation

  *  check used by PKIX_ValidateChain or PKIX_BuildChain as needed during the

  *  validation or building process. If "params" does not have any

  *  RevocationCheckers, this function stores an empty List at "pRevChecker".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of RevocationCheckers

  *      is to be stored. Must be non-NULL.

  *  "pRevChecker"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetRevocationChecker(

         PKIX_ProcessingParams *params,

         PKIX_RevocationChecker **pChecker,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetRevocationChecker

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a 

  *  RevocationChecker pointed to by "revChecker". Revocation

  *  checker object should be created and assigned to processing

  *  parameters before chain build or validation can begin.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of RevocationCheckers is to be

  *      set. Must be non-NULL.

  *  "revChecker"

  *      Address of RevocationChecker to be set. Must be set before chain

  *      building or validation.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetRevocationChecker(

         PKIX_ProcessingParams *params,

         PKIX_RevocationChecker *revChecker,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetCertStores

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of CertStores (if any) that are set in the

  *  ProcessingParams pointed to by "params" and stores it at "pStores". Each

  *  CertStore represents a particular repository from which certificates and

  *  CRLs can be retrieved by PKIX_ValidateChain or PKIX_BuildChain as needed

  *  during the validation or building process. If "params" does not have any

  *  CertStores, this function stores an empty List at "pStores".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of CertStores (if any) are to

  *      be stored. Must be non-NULL.

  *  "pStores"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetCertStores(

         PKIX_ProcessingParams *params,

         PKIX_List **pStores,  /* list of PKIX_CertStore */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetCertStores

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a List of CertStores

  *  pointed to by "stores". Each CertStore represents a particular repository

  *  from which certificates and CRLs can be retrieved by PKIX_ValidateChain or

  *  PKIX_BuildChain as needed during the validation or building process. If

  *  "stores" is NULL, no CertStores will be used.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of CertStores is to be set.

  *      Must be non-NULL.

  *  "stores"

  *      Address of List of CertStores to be set. If NULL, no CertStores will

  *      be used.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetCertStores(

         PKIX_ProcessingParams *params,

         PKIX_List *stores,  /* list of PKIX_CertStore */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_AddCertStore

  * DESCRIPTION:

  *

  *  Adds the CertStore pointed to by "store" to the ProcessingParams pointed

  *  to by "params". The CertStore represents a particular repository from

  *  which certificates and CRLs can be retrieved by PKIX_ValidateChain or

  *  PKIX_BuildChain as needed during the validation or building process.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be added to. Must be non-NULL.

  *  "store"

  *      Address of CertStore to be added.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_AddCertStore(

         PKIX_ProcessingParams *params,

         PKIX_CertStore *store,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetDate

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the Date (if any) that is set in the

  *  ProcessingParams pointed to by "params" and stores it at "pDate". The

  *  Date represents the time for which the validation of the certificate chain

  *  should be determined. If "params" does not have any Date set, this function

  *  stores NULL at "pDate".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose Date (if any) is to be stored.

  *      Must be non-NULL.

  *  "pDate"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetDate(

         PKIX_ProcessingParams *params,

         PKIX_PL_Date **pDate,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetDate

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a Date pointed to by

  *  "date". The Date represents the time for which the validation of the

  *  certificate chain should be determined. If "date" is NULL, the current

  *  time is used during validation.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose Date is to be set. Must be non-NULL.

  *  "date"

  *      Address of Date to be set. If NULL, current time is used.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetDate(

         PKIX_ProcessingParams *params,

         PKIX_PL_Date *date,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetInitialPolicies

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of OIDs (if any) that are set in the

  *  ProcessingParams pointed to by "params" and stores it at "pInitPolicies".

  *  Each OID represents an initial policy identifier, indicating that any

  *  one of these policies would be acceptable to the certificate user for

  *  the purposes of certification path processing. If "params" does not have

  *  any initial policies, this function stores an empty List at

  *  "pInitPolicies".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of OIDs (if any) are to be

  *      stored. Must be non-NULL.

  *  "pInitPolicies"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetInitialPolicies(

         PKIX_ProcessingParams *params,

         PKIX_List **pInitPolicies,    /* list of PKIX_PL_OID */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetInitialPolicies

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a List of OIDs

  *  pointed to by "initPolicies".

  *

  *  Each OID represents an initial policy identifier, indicating that any

  *  one of these policies would be acceptable to the certificate user for

  *  the purposes of certification path processing. By default, any policy

  *  is acceptable (i.e. all policies), so a user that wants to allow any

  *  policy as acceptable does not need to call this method. Similarly, if

  *  initPolicies is NULL or points to an empty List, all policies are

  *  acceptable.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of OIDs is to be set.

  *      Must be non-NULL.

  *  "initPolicies"

  *      Address of List of OIDs to be set. If NULL or if pointing to an empty

  *      List, all policies are acceptable.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetInitialPolicies(

         PKIX_ProcessingParams *params,

         PKIX_List *initPolicies,    /* list of PKIX_PL_OID */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetPolicyQualifiersRejected

  * DESCRIPTION:

  *

  *  Checks whether the ProcessingParams pointed to by "params" indicate that

  *  policy qualifiers should be rejected and stores the Boolean result at

  *  "pRejected".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams used to determine whether or not policy

  *      qualifiers should be rejected. Must be non-NULL.

  *  "pRejected"

  *      Address where Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetPolicyQualifiersRejected(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pRejected,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetPolicyQualifiersRejected

  * DESCRIPTION:

  *

  *  Specifies in the ProcessingParams pointed to by "params" whether policy

  *  qualifiers are rejected using the Boolean value of "rejected".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be set. Must be non-NULL.

  *  "rejected"

  *      Boolean value indicating whether policy qualifiers are to be rejected.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetPolicyQualifiersRejected(

         PKIX_ProcessingParams *params,

         PKIX_Boolean rejected,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetTargetCertConstraints

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the CertSelector (if any) that is set in the

  *  ProcessingParams pointed to by "params" and stores it at "pConstraints".

  *  The CertSelector represents the constraints to be placed on the target

  *  certificate. If "params" does not have any CertSelector set, this function

  *  stores NULL at "pConstraints".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose CertSelector (if any) is to be

  *      stored. Must be non-NULL.

  *  "pConstraints"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetTargetCertConstraints(

         PKIX_ProcessingParams *params,

         PKIX_CertSelector **pConstraints,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetTargetCertConstraints

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a CertSelector

  *  pointed to by "constraints". The CertSelector represents the constraints

  *  to be placed on the target certificate. If "constraints" is NULL, no

  *  constraints are defined.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose CertSelector is to be set.

  *      Must be non-NULL.

  *  "constraints"

  *      Address of CertSelector to be set. If NULL, no constraints are defined.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetTargetCertConstraints(

         PKIX_ProcessingParams *params,

         PKIX_CertSelector *constraints,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetTrustAnchors

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of TrustAnchors that are set in

  *  the ProcessingParams pointed to by "params" and stores it at "pAnchors".

  *  If the function succeeds, the pointer to the List is guaranteed to be

  *  non-NULL and the List is guaranteed to be non-empty.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of TrustAnchors are to

  *      be stored. Must be non-NULL.

  *  "pAnchors"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetTrustAnchors(

         PKIX_ProcessingParams *params,

         PKIX_List **pAnchors,  /* list of TrustAnchor */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors

  * DESCRIPTION:

  *

  * Sets user defined set of trust anchors. The handling of the trust anchors

  * may be furthered alter via PKIX_ProcessingParams_SetUseOnlyTrustAnchors.

  * By default, a certificate will be considered invalid if it does not chain

  * to a trusted anchor from this list.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of TrustAnchors are to

  *      be stored. Must be non-NULL.

  *  "anchors"

  *      Address of the trust anchors list object. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetTrustAnchors(

         PKIX_ProcessingParams *params,

         PKIX_List *pAnchors,  /* list of TrustAnchor */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetUseOnlyTrustAnchors

  * DESCRIPTION:

  *

  * Retrieves a pointer to the Boolean. The boolean value represents

  * the switch value that is used to identify whether trust anchors, if

  * specified, should be the exclusive source of trust information.

  * If the function succeeds, the pointer to the Boolean is guaranteed to be

  * non-NULL.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams. Must be non-NULL.

  *  "pUseOnlyTrustAnchors"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetUseOnlyTrustAnchors(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pUseOnlyTrustAnchors,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors

  * DESCRIPTION:

  *

  * Configures whether trust anchors are used as the exclusive source of trust.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams. Must be non-NULL.

  *  "useOnlyTrustAnchors"

  *      If true, indicates that trust anchors should be used exclusively when

  *      they have been specified via PKIX_ProcessingParams_SetTrustAnchors. A

  *      certificate will be considered invalid if it does not chain to a

  *      trusted anchor from that list.

  *      If false, indicates that the trust anchors are additive to whatever

  *      existing trust stores are configured. A certificate is considered

  *      valid if it chains to EITHER a trusted anchor from that list OR a

  *      certificate marked trusted in a trust store.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetUseOnlyTrustAnchors(

         PKIX_ProcessingParams *params,

         PKIX_Boolean useOnlyTrustAnchors,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the Boolean. The boolean value represents

  *  the switch value that is used to identify if url in cert AIA extension

  *  may be used for cert fetching.

  *  If the function succeeds, the pointer to the Boolean is guaranteed to be

  *  non-NULL.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams. Must be non-NULL.

  *  "pUseAIA"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetUseAIAForCertFetching(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pUseAIA,  /* list of TrustAnchor */

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors

  * DESCRIPTION:

  *

  * Sets switch value that defines if url in cert AIA extension

  * may be used for cert fetching.

  * 

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams.

  *  "useAIA"

  *      Address of the trust anchors list object. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetUseAIAForCertFetching(

         PKIX_ProcessingParams *params,

         PKIX_Boolean useAIA,  

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert

  * DESCRIPTION:

  *

  * Sets a boolean value that tells if libpkix needs to check that

  * the target certificate satisfies the conditions set in processing

  * parameters. Includes but not limited to date, ku and eku checks.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of TrustAnchors are to

  *      be stored. Must be non-NULL.

  *  "qualifyTargetCert"

  *      boolean value if set to true will trigger qualification of the

  *      target certificate.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetQualifyTargetCert(

         PKIX_ProcessingParams *params,

         PKIX_Boolean qualifyTargetCert,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetHintCerts

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a List of Certs supplied by the user as a suggested

  *  partial CertChain (subject to verification), that are set in the

  *  ProcessingParams pointed to by "params", and stores it at "pHintCerts".

  *  The List returned may be empty or NULL.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of TrustAnchors are to

  *      be stored. Must be non-NULL.

  *  "pHintCerts"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetHintCerts(

         PKIX_ProcessingParams *params,

         PKIX_List **pHintCerts,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetHintCerts

  * DESCRIPTION:

  *

  *  Stores a pointer to a List of Certs supplied by the user as a suggested

  *  partial CertChain (subject to verification), as an element in the

  *  ProcessingParams pointed to by "params". The List may be empty or NULL.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose List of HintCerts is to be stored.

  *      Must be non-NULL.

  *  "hintCerts"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetHintCerts(

         PKIX_ProcessingParams *params,

         PKIX_List *hintCerts,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_GetResourceLimits

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the ResourceLimits (if any) that is set in the

  *  ProcessingParams pointed to by "params" and stores it at "pResourceLimits".

  *  The ResourceLimits represent the maximum resource usage that the caller 

  *  desires (such as MaxTime). The ValidateChain or BuildChain call will not

  *  exceed these maximum limits. If "params" does not have any ResourceLimits

  *  set, this function stores NULL at "pResourceLimits".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose ResourceLimits (if any) are to be

  *      stored. Must be non-NULL.

  *  "pResourceLimits"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_GetResourceLimits(

         PKIX_ProcessingParams *params,

         PKIX_ResourceLimits **pResourceLimits,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetResourceLimits

  * DESCRIPTION:

  *

  *  Sets the ProcessingParams pointed to by "params" with a ResourceLimits

  *  object pointed to by "resourceLimits". The ResourceLimits represent the

  *  maximum resource usage that the caller desires (such as MaxTime). The

  *  ValidateChain or BuildChain call will not exceed these maximum limits.

  *  If "resourceLimits" is NULL, no ResourceLimits are defined.

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams whose ResourceLimits are to be set.

  *      Must be non-NULL.

  *  "resourceLimits"

  *      Address of ResourceLimits to be set. If NULL, no limits are defined.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetResourceLimits(

         PKIX_ProcessingParams *params,

         PKIX_ResourceLimits *resourceLimits,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_IsAnyPolicyInhibited

  * DESCRIPTION:

  *

  *  Checks whether the ProcessingParams pointed to by "params" indicate that

  *  anyPolicy is inhibited and stores the Boolean result at "pInhibited".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams used to determine whether or not anyPolicy

  *      inhibited. Must be non-NULL.

  *  "pInhibited"

  *      Address where Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_IsAnyPolicyInhibited(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pInhibited,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetAnyPolicyInhibited

  * DESCRIPTION:

  *

  *  Specifies in the ProcessingParams pointed to by "params" whether anyPolicy

  *  is inhibited using the Boolean value of "inhibited".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be set. Must be non-NULL.

  *  "inhibited"

  *      Boolean value indicating whether anyPolicy is to be inhibited.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetAnyPolicyInhibited(

         PKIX_ProcessingParams *params,

         PKIX_Boolean inhibited,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_IsExplicitPolicyRequired

  * DESCRIPTION:

  *

  *  Checks whether the ProcessingParams pointed to by "params" indicate that

  *  explicit policies are required and stores the Boolean result at

  *  "pRequired".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams used to determine whether or not explicit

  *      policies are required. Must be non-NULL.

  *  "pRequired"

  *      Address where Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_IsExplicitPolicyRequired(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pRequired,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetExplicitPolicyRequired

  * DESCRIPTION:

  *

  *  Specifies in the ProcessingParams pointed to by "params" whether explicit

  *  policies are required using the Boolean value of "required".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be set. Must be non-NULL.

  *  "required"

  *      Boolean value indicating whether explicit policies are to be required.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetExplicitPolicyRequired(

         PKIX_ProcessingParams *params,

         PKIX_Boolean required,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_IsPolicyMappingInhibited

  * DESCRIPTION:

  *

  *  Checks whether the ProcessingParams pointed to by "params" indicate that

  *  policyMapping is inhibited and stores the Boolean result at "pInhibited".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams used to determine whether or not policy

  *      mappings are inhibited. Must be non-NULL.

  *  "pInhibited"

  *      Address where Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_IsPolicyMappingInhibited(

         PKIX_ProcessingParams *params,

         PKIX_Boolean *pInhibited,

         void *plContext);

 /*

  * FUNCTION: PKIX_ProcessingParams_SetPolicyMappingInhibited

  * DESCRIPTION:

  *

  *  Specifies in the ProcessingParams pointed to by "params" whether policy

  *  mapping is inhibited using the Boolean value of "inhibited".

  *

  * PARAMETERS:

  *  "params"

  *      Address of ProcessingParams to be set. Must be non-NULL.

  *  "inhibited"

  *      Boolean value indicating whether policy mapping is to be inhibited.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ProcessingParams_SetPolicyMappingInhibited(

         PKIX_ProcessingParams *params,

         PKIX_Boolean inhibited,

         void *plContext);

 /* PKIX_ValidateParams

  *

  * PKIX_ValidateParams consists of a ProcessingParams object as well as the

  * List of Certs (certChain) that the caller is trying to validate.

  */

 /*

  * FUNCTION: PKIX_ValidateParams_Create

  * DESCRIPTION:

  *

  *  Creates a new ValidateParams object and stores it at "pParams".

  *

  * PARAMETERS:

  *  "procParams"

  *      Address of ProcessingParams to be used. Must be non-NULL.

  *  "chain"

  *      Address of List of Certs (certChain) to be validated. Must be non-NULL.

  *  "pParams"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ValidateParams_Create(

         PKIX_ProcessingParams *procParams,

         PKIX_List *chain,

         PKIX_ValidateParams **pParams,

         void *plContext);

 /*

  * FUNCTION: PKIX_ValidateParams_GetProcessingParams

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the ProcessingParams that represent the basic

  *  certificate processing parameters used during chain validation and chain

  *  building from the ValidateParams pointed to by "valParams" and stores it

  *  at "pProcParams". If the function succeeds, the pointer to the

  *  ProcessingParams is guaranteed to be non-NULL.

  *

  * PARAMETERS:

  *  "valParams"

  *      Address of ValidateParams whose ProcessingParams are to be stored.

  *      Must be non-NULL.

  *  "pProcParams"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ValidateParams_GetProcessingParams(

         PKIX_ValidateParams *valParams,

         PKIX_ProcessingParams **pProcParams,

         void *plContext);

 /*

  * FUNCTION: PKIX_ValidateParams_GetCertChain

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of Certs (certChain) that is set in the

  *  ValidateParams pointed to by "valParams" and stores it at "pChain". If the

  *  function succeeds, the pointer to the CertChain is guaranteed to be

  *  non-NULL.

  *

  * PARAMETERS:

  *  "valParams"

  *      Address of ValidateParams whose CertChain is to be stored.

  *      Must be non-NULL.

  *  "pChain"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ValidateParams_GetCertChain(

         PKIX_ValidateParams *valParams,

         PKIX_List **pChain,

         void *plContext);

 /* PKIX_TrustAnchor

  *

  * A PKIX_TrustAnchor represents a trusted entity and can be specified using a

  * self-signed certificate or using the trusted CA's name and public key. In

  * order to limit the trust in the trusted entity, name constraints can also

  * be imposed on the trust anchor.

  */

 /*

  * FUNCTION: PKIX_TrustAnchor_CreateWithCert

  * DESCRIPTION:

  *

  *  Creates a new TrustAnchor object using the Cert pointed to by "cert" as

  *  the trusted certificate and stores it at "pAnchor". Once created, a

  *  TrustAnchor is immutable.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert to use as trusted certificate. Must be non-NULL.

  *  "pAnchor"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_CreateWithCert(

         PKIX_PL_Cert *cert,

         PKIX_TrustAnchor **pAnchor,

         void *plContext);

 /*

  * FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair

  * DESCRIPTION:

  *

  *  Creates a new TrustAnchor object using the X500Name pointed to by "name",

  *  and the PublicKey pointed to by "pubKey" and stores it at "pAnchor". The

  *  CertNameConstraints pointed to by "nameConstraints" (if any) are used to

  *  limit the trust placed in this trust anchor. To indicate that name

  *  constraints don't apply, set "nameConstraints" to NULL. Once created, a

  *  TrustAnchor is immutable.

  *

  * PARAMETERS:

  *  "name"

  *      Address of X500Name to use as name of trusted CA. Must be non-NULL.

  *  "pubKey"

  *      Address of PublicKey to use as trusted public key. Must be non-NULL.

  *  "nameConstraints"

  *      Address of CertNameConstraints to use as initial name constraints.

  *      If NULL, no name constraints are applied.

  *  "pAnchor"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_CreateWithNameKeyPair(

         PKIX_PL_X500Name *name,

         PKIX_PL_PublicKey *pubKey,

         PKIX_PL_CertNameConstraints *nameConstraints,

         PKIX_TrustAnchor **pAnchor,

         void *plContext);

 /*

  * FUNCTION: PKIX_TrustAnchor_GetTrustedCert

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the Cert that is set in the TrustAnchor pointed to

  *  by "anchor" and stores it at "pCert". If "anchor" does not have a Cert

  *  set, this function stores NULL at "pCert".

  *

  * PARAMETERS:

  *  "anchor"

  *      Address of TrustAnchor whose Cert is to be stored. Must be non-NULL.

  *  "pChain"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_GetTrustedCert(

         PKIX_TrustAnchor *anchor,

         PKIX_PL_Cert **pCert,

         void *plContext);

 /*

  * FUNCTION: PKIX_TrustAnchor_GetCAName

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the CA's X500Name (if any) that is set in the

  *  TrustAnchor pointed to by "anchor" and stores it at "pCAName". If "anchor"

  *  does not have an X500Name set, this function stores NULL at "pCAName".

  *

  * PARAMETERS:

  *  "anchor"

  *      Address of TrustAnchor whose CA Name is to be stored. Must be non-NULL.

  *  "pCAName"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_GetCAName(

         PKIX_TrustAnchor *anchor,

         PKIX_PL_X500Name **pCAName,

         void *plContext);

 /*

  * FUNCTION: PKIX_TrustAnchor_GetCAPublicKey

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the CA's PublicKey (if any) that is set in the

  *  TrustAnchor pointed to by "anchor" and stores it at "pPubKey". If "anchor"

  *  does not have a PublicKey set, this function stores NULL at "pPubKey".

  *

  * PARAMETERS:

  *  "anchor"

  *      Address of TrustAnchor whose CA PublicKey is to be stored.

  *      Must be non-NULL.

  *  "pPubKey"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_GetCAPublicKey(

         PKIX_TrustAnchor *anchor,

         PKIX_PL_PublicKey **pPubKey,

         void *plContext);

 /*

  * FUNCTION: PKIX_TrustAnchor_GetNameConstraints

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the CertNameConstraints (if any) set in the

  *  TrustAnchor pointed to by "anchor" and stores it at "pConstraints". If

  *  "anchor" does not have any CertNameConstraints set, this function stores

  *  NULL at "pConstraints".

  *

  * PARAMETERS:

  *  "anchor"

  *      Address of TrustAnchor whose CertNameConstraints are to be stored.

  *      Must be non-NULL.

  *  "pConstraints"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Params Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_TrustAnchor_GetNameConstraints(

         PKIX_TrustAnchor *anchor,

         PKIX_PL_CertNameConstraints **pNameConstraints,

         void *plContext);

 /* PKIX_ResourceLimits

  *

  *  A PKIX_ResourceLimits object represents the maximum resource usage that

  *  the caller desires. The ValidateChain or BuildChain call

  *  will not exceed these maximum limits. For example, the caller may want

  *  a timeout value of 1 minute, meaning that if the ValidateChain or

  *  BuildChain function is unable to finish in 1 minute, it should abort

  *  with an Error.

  */

 /*

  * FUNCTION: PKIX_ResourceLimits_Create

  * DESCRIPTION:

  *

  *  Creates a new ResourceLimits object and stores it at "pResourceLimits".

  *

  * PARAMETERS:

  *  "pResourceLimits"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_Create(

         PKIX_ResourceLimits **pResourceLimits,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_GetMaxTime

  * DESCRIPTION:

  *

  *  Retrieves a PKIX_UInt32 (if any) representing the maximum time that is

  *  set in the ResourceLimits object pointed to by "resourceLimits" and stores

  *  it at "pMaxTime". This maximum time (in seconds) should not be exceeded

  *  by the function whose ProcessingParams contain this ResourceLimits object

  *  (typically ValidateChain or BuildChain). It essentially functions as a

  *  time-out value and is only appropriate if blocking I/O is being used.

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum time (in seconds) is

  *      to be stored. Must be non-NULL.

  *  "pMaxTime"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_GetMaxTime(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 *pMaxTime,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_SetMaxTime

  * DESCRIPTION:

  *

  *  Sets the maximum time of the ResourceLimits object pointed to by

  *  "resourceLimits" using the PKIX_UInt32 value of "maxTime". This

  *  maximum time (in seconds) should not be exceeded by the function

  *  whose ProcessingParams contain this ResourceLimits object

  *  (typically ValidateChain or BuildChain). It essentially functions as a

  *  time-out value and is only appropriate if blocking I/O is being used.

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum time (in seconds) is

  *      to be set. Must be non-NULL.

  *  "maxTime"

  *      Value of PKIX_UInt32 representing the maximum time (in seconds)

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_SetMaxTime(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 maxTime,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_GetMaxFanout

  * DESCRIPTION:

  *

  *  Retrieves a PKIX_UInt32 (if any) representing the maximum fanout that is

  *  set in the ResourceLimits object pointed to by "resourceLimits" and stores

  *  it at "pMaxFanout". This maximum fanout (number of certs) should not be

  *  exceeded by the function whose ProcessingParams contain this ResourceLimits

  *  object (typically ValidateChain or BuildChain). If the builder encounters

  *  more than this maximum number of certificates when searching for the next

  *  candidate certificate, it should abort and return an error. This

  *  parameter is only relevant for ValidateChain if it needs to internally call

  *  BuildChain (e.g. in order to build the chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum fanout (number of certs)

  *      is to be stored. Must be non-NULL.

  *  "pMaxFanout"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_GetMaxFanout(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 *pMaxFanout,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_SetMaxFanout

  * DESCRIPTION:

  *

  *  Sets the maximum fanout of the ResourceLimits object pointed to by

  *  "resourceLimits" using the PKIX_UInt32 value of "maxFanout". This maximum

  *  fanout (number of certs) should not be exceeded by the function whose

  *  ProcessingParams contain this ResourceLimits object (typically ValidateChain

  *  or BuildChain). If the builder encounters more than this maximum number of

  *  certificates when searching for the next candidate certificate, it should

  *  abort and return an Error. This parameter is only relevant for ValidateChain

  *  if it needs to internally call BuildChain (e.g. in order to build the

  *  chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum fanout (number of certs)

  *      is to be set. Must be non-NULL.

  *  "maxFanout"

  *      Value of PKIX_UInt32 representing the maximum fanout (number of certs)

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_SetMaxFanout(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 maxFanout,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_GetMaxDepth

  * DESCRIPTION:

  *

  *  Retrieves a PKIX_UInt32 (if any) representing the maximum depth that is

  *  set in the ResourceLimits object pointed to by "resourceLimits" and stores

  *  it at "pMaxDepth". This maximum depth (number of certs) should not be

  *  exceeded by the function whose ProcessingParams contain this ResourceLimits

  *  object (typically ValidateChain or BuildChain). If the builder encounters

  *  more than this maximum number of certificates when searching for the next

  *  candidate certificate, it should abort and return an error. This

  *  parameter is only relevant for ValidateChain if it needs to internally call

  *  BuildChain (e.g. in order to build the chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum depth (number of certs)

  *      is to be stored. Must be non-NULL.

  *  "pMaxDepth"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_GetMaxDepth(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 *pMaxDepth,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_SetMaxDepth

  * DESCRIPTION:

  *

  *  Sets the maximum depth of the ResourceLimits object pointed to by

  *  "resourceLimits" using the PKIX_UInt32 value of "maxDepth". This maximum

  *  depth (number of certs) should not be exceeded by the function whose

  *  ProcessingParams contain this ResourceLimits object (typically ValidateChain

  *  or BuildChain). If the builder encounters more than this maximum number of

  *  certificates when searching for the next candidate certificate, it should

  *  abort and return an Error. This parameter is only relevant for ValidateChain

  *  if it needs to internally call BuildChain (e.g. in order to build the

  *  chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum depth (number of certs)

  *      is to be set. Must be non-NULL.

  *  "maxDepth"

  *      Value of PKIX_UInt32 representing the maximum depth (number of certs)

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_SetMaxDepth(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 maxDepth,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCerts

  * DESCRIPTION:

  *

  *  Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed

  *  certs that is set in the ResourceLimits object pointed to by "resourceLimits"

  *  and stores it at "pMaxNumber". This maximum number of traversed certs should

  *  not be exceeded by the function whose ProcessingParams contain this ResourceLimits

  *  object (typically ValidateChain or BuildChain). If the builder traverses more

  *  than this number of certs during the build process, it should abort and

  *  return an Error. This parameter is only relevant for ValidateChain if it

  *  needs to internally call BuildChain (e.g. in order to build the chain to a

  *  CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum number of traversed certs

  *      is to be stored. Must be non-NULL.

  *  "pMaxNumber"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_GetMaxNumberOfCerts(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 *pMaxNumber,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCerts

  * DESCRIPTION:

  *

  *  Sets the maximum number of traversed certs of the ResourceLimits object

  *  pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber".

  *  This maximum number of traversed certs should not be exceeded by the function 

  *  whose ProcessingParams contain this ResourceLimits object (typically ValidateChain

  *  or BuildChain). If the builder traverses more than this number of certs

  *  during the build process, it should abort and return an Error. This parameter

  *  is only relevant for ValidateChain if it needs to internally call BuildChain

  *  (e.g. in order to build the chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum number of traversed certs

  *      is to be set. Must be non-NULL.

  *  "maxNumber"

  *      Value of PKIX_UInt32 representing the maximum number of traversed certs

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_SetMaxNumberOfCerts(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 maxNumber,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCRLs

  * DESCRIPTION:

  *

  *  Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed

  *  CRLs that is set in the ResourceLimits object pointed to by "resourceLimits"

  *  and stores it at "pMaxNumber". This maximum number of traversed CRLs should

  *  not be exceeded by the function whose ProcessingParams contain this ResourceLimits

  *  object (typically ValidateChain or BuildChain). If the builder traverses more

  *  than this number of CRLs during the build process, it should abort and

  *  return an Error. This parameter is only relevant for ValidateChain if it

  *  needs to internally call BuildChain (e.g. in order to build the chain to a

  *  CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum number of traversed CRLs

  *      is to be stored. Must be non-NULL.

  *  "pMaxNumber"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Conditionally Thread Safe

  *      (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_GetMaxNumberOfCRLs(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 *pMaxNumber,

         void *plContext);

 /*

  * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCRLs

  * DESCRIPTION:

  *

  *  Sets the maximum number of traversed CRLs of the ResourceLimits object

  *  pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber".

  *  This maximum number of traversed CRLs should not be exceeded by the function 

  *  whose ProcessingParams contain this ResourceLimits object (typically ValidateChain

  *  or BuildChain). If the builder traverses more than this number of CRLs

  *  during the build process, it should abort and return an Error. This parameter

  *  is only relevant for ValidateChain if it needs to internally call BuildChain

  *  (e.g. in order to build the chain to a CRL's issuer).

  *

  * PARAMETERS:

  *  "resourceLimits"

  *      Address of ResourceLimits object whose maximum number of traversed CRLs

  *      is to be set. Must be non-NULL.

  *  "maxNumber"

  *      Value of PKIX_UInt32 representing the maximum number of traversed CRLs

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Not Thread Safe - assumes exclusive access to "params"

  *  (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a ResourceLimits Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_ResourceLimits_SetMaxNumberOfCRLs(

         PKIX_ResourceLimits *resourceLimits,

         PKIX_UInt32 maxNumber,

         void *plContext);

 #ifdef __cplusplus

 }

 #endif

 #endif /* _PKIX_PARAMS_H */