The Tor Browser / file revision

 /* This Source Code Form is subject to the terms of the Mozilla Public

  * License, v. 2.0. If a copy of the MPL was not distributed with this

  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 /*

  * This file defines several platform independent functions to

  * manipulate certificates and CRLs in a portable manner.

  *

  */

 #ifndef _PKIX_PL_PKI_H

 #define _PKIX_PL_PKI_H

 #include "pkixt.h"

 #include "seccomon.h"

 #include "certt.h"

 #ifdef __cplusplus

 extern "C" {

 #endif

 /* General

  *

  * Please refer to the libpkix Programmer's Guide for detailed information

  * about how to use the libpkix library. Certain key warnings and notices from

  * that document are repeated here for emphasis.

  *

  * All identifiers in this file (and all public identifiers defined in

  * libpkix) begin with "PKIX_". Private identifiers only intended for use

  * within the library begin with "pkix_".

  *

  * A function returns NULL upon success, and a PKIX_Error pointer upon failure.

  *

  * Unless otherwise noted, for all accessor (gettor) functions that return a

  * PKIX_PL_Object pointer, callers should assume that this pointer refers to a

  * shared object. Therefore, the caller should treat this shared object as

  * read-only and should not modify this shared object. When done using the

  * shared object, the caller should release the reference to the object by

  * using the PKIX_PL_Object_DecRef function.

  *

  * While a function is executing, if its arguments (or anything referred to by

  * its arguments) are modified, free'd, or destroyed, the function's behavior

  * is undefined.

  *

  */

 /*

  * Cert

  *

  * A Cert represents an X.509 certificate. It can be created using the bytes

  * of a valid ASN.1 DER encoding. Once created, a Cert is immutable. The

  * following functions include accessors (gettors) for the various components

  * of an X.509 certificate. Also included are functions to perform various

  * checks on a certificate, including name constraints, key usage, validity

  * (expiration), and signature verification.

  */

 /*

  * FUNCTION: PKIX_PL_Cert_Create

  * DESCRIPTION:

  *

  *  Creates a new certificate using the bytes in the ByteArray pointed to by

  *  "byteArray" and stores it at "pCert". If the bytes are not a valid ASN.1

  *  DER encoding of a certificate, a PKIX_Error pointer is returned. Once

  *  created, a Cert is immutable.

  *

  *  Certificate  ::=  SEQUENCE  {

  *      tbsCertificate          TBSCertificate,

  *      signatureAlgorithm      AlgorithmIdentifier,

  *      signatureValue          BIT STRING  }

  *

  *  AlgorithmIdentifier  ::=  SEQUENCE  {

  *      algorithm               OBJECT IDENTIFIER,

  *      parameters              ANY DEFINED BY algorithm OPTIONAL  }

  *

  *  TBSCertificate  ::=  SEQUENCE  {

  *      version         [0]  EXPLICIT Version DEFAULT v1,

  *      serialNumber    CertificateSerialNumber,

  *      signature       AlgorithmIdentifier,

  *      issuer          Name,

  *      validity        Validity,

  *      subject         Name,

  *      subjectPublicKeyInfo SubjectPublicKeyInfo,

  *      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,

  *                          -- If present, version MUST be v2 or v3

  *      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,

  *                              -- If present, version MUST be v2 or v3

  *      extensions      [3]  EXPLICIT Extensions OPTIONAL

  *                              -- If present, version MUST be v3

  *      }

  *

  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  *

  *  CertificateSerialNumber  ::=  INTEGER

  *

  *  Validity ::= SEQUENCE {

  *      notBefore       Time,

  *      notAfter        Time }

  *

  *  Time ::= CHOICE {

  *      utcTime         UTCTime,

  *      generalTime     GeneralizedTime }

  *

  *  UniqueIdentifier  ::=  BIT STRING

  *

  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {

  *      algorithm               AlgorithmIdentifier,

  *      subjectPublicKey        BIT STRING  }

  *

  *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

  *

  *  Extension  ::=  SEQUENCE  {

  *      extnID          OBJECT IDENTIFIER,

  *      critical        BOOLEAN DEFAULT FALSE,

  *      extnValue       OCTET STRING  }

  *

  * PARAMETERS:

  *  "byteArray"

  *      Address of ByteArray representing the CERT's DER encoding.

  *      Must be non-NULL.

  *  "pCert"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_Create(

         PKIX_PL_ByteArray *byteArray,

         PKIX_PL_Cert **pCert,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate

  * DESCRIPTION:

  *

  * Creates a new certificate using passed in CERTCertificate object.

  *

  * PARAMETERS:

  *  "nssCert"

  *      The object that will be used to create new PKIX_PL_Cert.

  *  "pCert"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_CreateFromCERTCertificate(

         const CERTCertificate *nssCert,

         PKIX_PL_Cert **pCert,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetCERTCertificate

  * DESCRIPTION:

  *

  * Returns underlying CERTCertificate structure. Return CERTCertificate

  * object is duplicated and should be destroyed by caller.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of PKIX_PL_Cert. Must be non-NULL.

  *  "pCert"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetCERTCertificate(

         PKIX_PL_Cert *cert,

         CERTCertificate **pnssCert, 

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetVersion

  * DESCRIPTION:

  *

  *  Retrieves the version of the Cert pointed to by "cert" and stores it at

  *  "pVersion". The version number will either be 0, 1, or 2 (corresponding to

  *  v1, v2, or v3, respectively).

  *

  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose version is to be stored. Must be non-NULL.

  *  "pVersion"

  *      Address where PKIX_UInt32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetVersion(

         PKIX_PL_Cert *cert,

         PKIX_UInt32 *pVersion,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSerialNumber

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the BigInt that represents the serial number of the

  *  Cert pointed to by "cert" and stores it at "pSerialNumber".

  *

  *  CertificateSerialNumber  ::=  INTEGER

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose serial number is to be stored. Must be non-NULL.

  *  "pSerial"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSerialNumber(

         PKIX_PL_Cert *cert,

         PKIX_PL_BigInt **pSerial,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetIssuer

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the X500Name that represents the issuer DN of the

  *  Cert pointed to by "cert" and stores it at "pIssuer".

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose issuer is to be stored. Must be non-NULL.

  *  "pIssuer"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetIssuer(

         PKIX_PL_Cert *cert,

         PKIX_PL_X500Name **pIssuer,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubject

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the X500Name that represents the subject DN of the

  *  Cert pointed to by "cert" and stores it at "pSubject". If the Cert does not

  *  have a subject DN, this function stores NULL at "pSubject".

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject is to be stored. Must be non-NULL.

  *  "pSubject"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubject(

         PKIX_PL_Cert *cert,

         PKIX_PL_X500Name **pSubject,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the OID that represents the subject public key

  *  algorithm of the Cert pointed to by "cert" and stores it at

  *  "pSubjKeyAlgId".

  *

  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {

  *      algorithm               AlgorithmIdentifier,

  *      subjectPublicKey        BIT STRING  }

  *

  *  AlgorithmIdentifier  ::=  SEQUENCE  {

  *      algorithm               OBJECT IDENTIFIER,

  *      parameters              ANY DEFINED BY algorithm OPTIONAL  }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject public key algorithm OID is to be stored.

  *      Must be non-NULL.

  *  "pSubjKeyAlgId"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubjectPublicKeyAlgId(

         PKIX_PL_Cert *cert,

         PKIX_PL_OID **pSubjKeyAlgId,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the PublicKey that represents the subject public key

  *  of the Cert pointed to by "cert" and stores it at "pPublicKey".

  *

  *  SubjectPublicKeyInfo  ::=  SEQUENCE  {

  *      algorithm               AlgorithmIdentifier,

  *      subjectPublicKey        BIT STRING  }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject public key is to be stored.

  *      Must be non-NULL.

  *  "pPublicKey"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubjectPublicKey(

         PKIX_PL_Cert *cert,

         PKIX_PL_PublicKey **pPublicKey,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters

  * DESCRIPTION:

  *

  * Determines if the PublicKey pointed to by "pubKey" is a DSA Key with null

  * parameters and stores the result at "pNeedsParams". 

  *

  * PARAMETERS:

  *  "pubKey"

  *      Address of the Public Key of interest. Must be non-NULL.

  *  "pNeedsParams"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a PublicKey Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_PublicKey_NeedsDSAParameters(

         PKIX_PL_PublicKey *pubKey,

         PKIX_Boolean *pNeedsParams,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey

  * DESCRIPTION:

  *

  * This function is used for DSA key parameter inheritance, which allows a

  * first DSA key with omitted parameters (pointed to by "firstKey") to inherit

  * the PQG parameters of a second DSA key that does have parameters. (pointed

  * to by "secondKey"). Once created, a PublicKey is immutable.

  *

  * Specifically, the algorithm used by the function is:

  *

  * If the first PublicKey is not a DSA public key with omitted parameters,

  *      the function stores NULL at "pResultKey". (No Error is returned)

  * Else if the second PublicKey is not a DSA public key with non-NULL,

  *      parameters, the function returns an Error.

  * Else

  *      the function creates a third PublicKey with a "Y" value from the

  *      first PublicKey and the DSA parameters from the second PublicKey,

  *      and stores it at "pResultKey".

  *

  * PARAMETERS:

  *  "firstKey"

  *      Address of a Public Key that needs to inherit DSA parameters.

  *      Must be non-NULL.

  *  "secondKey"

  *      Address of a Public Key that has DSA parameters that will be inherited

  *      by "firstKey". Must be non-NULL.

  *  "pResultKey"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a PublicKey Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(

         PKIX_PL_PublicKey *firstKey,

         PKIX_PL_PublicKey *secondKey,

         PKIX_PL_PublicKey **pResultKey,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of OIDs (each OID corresponding to a

  *  critical extension of the Cert pointed to by "cert") and stores it at

  *  "pExtensions". If "cert" does not have any critical extensions, this

  *  function stores an empty List at "pExtensions".

  *

  *  Note that the List returned by this function is immutable.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose critical extension OIDs are to be stored.

  *      Must be non-NULL.

  *  "pExtensions"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetCriticalExtensionOIDs(

         PKIX_PL_Cert *cert,

         PKIX_List **pExtensions,  /* list of PKIX_PL_OID */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a ByteArray representing the authority key

  *  identifier extension of the Cert pointed to by "cert" and stores it at

  *  "pAuthKeyId".

  *

  *  Note that this function only retrieves the keyIdentifier component

  *  (OCTET STRING) of the AuthorityKeyIdentifier extension, when present.

  *

  *  If "cert" does not have an AuthorityKeyIdentifier extension or if the

  *  keyIdentifier component of the AuthorityKeyIdentifier extension is not

  *  present, this function stores NULL at "pAuthKeyId".

  *

  *  AuthorityKeyIdentifier ::= SEQUENCE {

  *      keyIdentifier                   [0] KeyIdentifier           OPTIONAL,

  *      authorityCertIssuer             [1] GeneralNames            OPTIONAL,

  *      authorityCertSerialNumber       [2] CertificateSerialNumber OPTIONAL  }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose authority key identifier is to be stored.

  *      Must be non-NULL.

  *  "pAuthKeyId"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetAuthorityKeyIdentifier(

         PKIX_PL_Cert *cert,

         PKIX_PL_ByteArray **pAuthKeyId,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a ByteArray representing the subject key identifier

  *  extension of the Cert pointed to by "cert" and stores it at "pSubjKeyId".

  *  If "cert" does not have a SubjectKeyIdentifier extension, this function

  *  stores NULL at "pSubjKeyId".

  *

  *  SubjectKeyIdentifier ::= KeyIdentifier

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject key identifier is to be stored.

  *      Must be non-NULL.

  *  "pSubjKeyId"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubjectKeyIdentifier(

         PKIX_PL_Cert *cert,

         PKIX_PL_ByteArray **pSubjKeyId,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of GeneralNames (each GeneralName

  *  representing a subject alternative name found in the subject alternative

  *  names extension of the Cert pointed to by "cert") and stores it at

  *  "pSubjectAltNames". If "cert" does not have a SubjectAlternativeNames

  *  extension, this function stores NULL at "pSubjectAltNames".

  *

  *  Note that the List returned by this function is immutable.

  *

  *  SubjectAltName ::= GeneralNames

  *

  *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

  *

  *  GeneralName ::= CHOICE {

  *      otherName                       [0]     OtherName,

  *      rfc822Name                      [1]     IA5String,

  *      dNSName                         [2]     IA5String,

  *      x400Address                     [3]     ORAddress,

  *      directoryName                   [4]     Name,

  *      ediPartyName                    [5]     EDIPartyName,

  *      uniformResourceIdentifier       [6]     IA5String,

  *      iPAddress                       [7]     OCTET STRING,

  *      registeredID                    [8]     OBJECT IDENTIFIER }

  *

  *  OtherName ::= SEQUENCE {

  *      type-id                         OBJECT IDENTIFIER,

  *      value                           [0] EXPLICIT ANY DEFINED BY type-id }

  *

  *  EDIPartyName ::= SEQUENCE {

  *      nameAssigner                    [0]     DirectoryString OPTIONAL,

  *      partyName                       [1]     DirectoryString }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subjectAltNames are to be stored.

  *      Must be non-NULL.

  *  "pSubjectAltNames"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubjectAltNames(

         PKIX_PL_Cert *cert,

         PKIX_List **pSubjectAltNames,  /* list of PKIX_PL_GeneralName */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of GeneralNames (each GeneralName

  *  representing a subject DN or a subject alternative name found in the

  *  subject alternative names extension of the Cert pointed to by "cert") and

  *  stores it at "pAllSubjectNames".If the Subject DN of "cert" is empty and

  *  it does not have a SubjectAlternativeNames extension, this function stores

  *  NULL at "pAllSubjectNames".

  *

  *  Note that the List returned by this function is immutable.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject DN and subjectAltNames are to be stored.

  *      Must be non-NULL.

  *  "pAllSubjectNames"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetAllSubjectNames(

         PKIX_PL_Cert *cert,

         PKIX_List **pAllSubjectNames,  /* list of PKIX_PL_GeneralName */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a List of OIDs (each OID corresponding to an

  *  extended key usage of the Cert pointed to by "cert") and stores it at

  *  "pKeyUsage". If "cert" does not have an extended key usage extension, this

  *  function stores a NULL at "pKeyUsage".

  *

  *  Note that the List returned by this function is immutable.

  *

  *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

  *

  *  KeyPurposeId ::= OBJECT IDENTIFIER

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose extended key usage OIDs are to be stored.

  *      Must be non-NULL.

  *  "pKeyUsage"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetExtendedKeyUsage(

         PKIX_PL_Cert *cert,

         PKIX_List **pKeyUsage,  /* list of PKIX_PL_OID */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetNameConstraints

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a CertNameConstraints object representing the name

  *  constraints extension of the Cert pointed to by "cert" and stores it at

  *  "pNameConstraints".

  *

  *  If "cert" does not have a name constraints extension, this function stores

  *  NULL at "pNameConstraints".

  *

  *  NameConstraints ::= SEQUENCE {

  *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,

  *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

  *

  *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

  *

  *  GeneralSubtree ::= SEQUENCE {

  *      base                    GeneralName,

  *      minimum         [0]     BaseDistance DEFAULT 0,

  *      maximum         [1]     BaseDistance OPTIONAL }

  *

  *  BaseDistance ::= INTEGER (0..MAX)

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose name constraints extension is to be stored.

  *      Must be non-NULL.

  *  "pNameConstraints"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetNameConstraints(

         PKIX_PL_Cert *cert,

         PKIX_PL_CertNameConstraints **pNameConstraints,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetBasicConstraints

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a CertBasicConstraints object representing the basic

  *  constraints extension of the Cert pointed to by "cert" and stores it at

  *  "pBasicConstraints".

  *

  *  If "cert" does not have a basic constraints extension, this function stores

  *  NULL at "pBasicConstraints". Once created, a CertBasicConstraints object

  *  is immutable.

  *

  *  BasicConstraints ::= SEQUENCE {

  *      cA                      BOOLEAN DEFAULT FALSE,

  *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose basic constraints extension is to be stored.

  *      Must be non-NULL.

  *  "pBasicConstraints"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetBasicConstraints(

         PKIX_PL_Cert *cert,

         PKIX_PL_CertBasicConstraints **pBasicConstraints,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a Boolean value representing the cA Flag component

  *  of the CertBasicConstraints object pointed to by "basicConstraints" and

  *  stores it at "pResult".

  *

  *  BasicConstraints ::= SEQUENCE {

  *      cA                      BOOLEAN DEFAULT FALSE,

  *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

  *

  * PARAMETERS:

  *  "basicConstraints"

  *      Address of CertBasicConstraints whose cA Flag is to be stored.

  *      Must be non-NULL.

  *  "pResult"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_BasicConstraints_GetCAFlag(

         PKIX_PL_CertBasicConstraints *basicConstraints,

         PKIX_Boolean *pResult,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint

  * DESCRIPTION:

  *

  *  Retrieves a pointer to an integer value representing the pathLenConstraint

  *  component of the CertBasicConstraints object pointed to by

  *  "basicConstraints" and stores it at "pPathLenConstraint". If the

  *  pathLenConstraint component is not present, this function stores -1 at

  *  "pPathLenConstraint".

  *

  * PARAMETERS:

  *  "basicConstraints"

  *      Address of CertBasicConstraints whose pathLen is to be stored.

  *      Must be non-NULL.

  *  "pPathLenConstraint"

  *      Address where PKIX_Int32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_BasicConstraints_GetPathLenConstraint(

         PKIX_PL_CertBasicConstraints *basicConstraints,

         PKIX_Int32 *pPathLenConstraint,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetPolicyInformation

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a List of CertPolicyInfos found in the certificate

  *  policies extension of the Cert pointed to by "cert" and stores it at

  *  "pPolicyInfo". If "cert" does not have a certificate policies extension,

  *  this function stores NULL at "pPolicyInfo". Once created, a CertPolicyInfo

  *  object is immutable.

  *

  *  Note that the List returned by this function is immutable.

  *

  *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

  *

  *  PolicyInformation ::= SEQUENCE {

  *      policyIdentifier   CertPolicyId,

  *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF

  *                              PolicyQualifierInfo OPTIONAL }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose CertPolicyInfos are to be stored.

  *      Must be non-NULL.

  *  "pPolicyInfo"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetPolicyInformation(

         PKIX_PL_Cert *cert,

         PKIX_List **pPolicyInfo, /* list of PKIX_PL_CertPolicyInfo */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId

  * DESCRIPTION:

  *

  *  Retrieves a pointer to an OID representing the policyIdentifier of the

  *  CertPolicyInfo pointed to by "policyInfo" and stores it at "pCertPolicyId".

  *

  *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

  *

  *  PolicyInformation ::= SEQUENCE {

  *      policyIdentifier   CertPolicyId,

  *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF

  *                              PolicyQualifierInfo OPTIONAL }

  *

  *  CertPolicyId ::= OBJECT IDENTIFIER

  *

  * PARAMETERS:

  *  "policyInfo"

  *      Address of CertPolicyInfo whose policy identifier is to be stored.

  *      Must be non-NULL.

  *  "pCertPolicyId"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CertPolicyInfo_GetPolicyId(

         PKIX_PL_CertPolicyInfo *policyInfo,

         PKIX_PL_OID **pCertPolicyId,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a List of the CertPolicyQualifiers representing

  *  the policyQualifiers of the CertPolicyInfo pointed to by "policyInfo" and

  *  stores it at "pPolicyQualifiers". If "policyInfo" does not have any

  *  policyQualifiers, this function stores NULL at "pPolicyQualifiers". Once

  *  created, a CertPolicyQualifier is immutable.

  *

  *  Note that the List returned by this function is immutable.

  *

  *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

  *

  *  PolicyInformation ::= SEQUENCE {

  *      policyIdentifier   CertPolicyId,

  *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF

  *                              PolicyQualifierInfo OPTIONAL }

  *

  *  PolicyQualifierInfo ::= SEQUENCE {

  *      policyQualifierId  PolicyQualifierId,

  *      qualifier       ANY DEFINED BY policyQualifierId }

  *

  * PARAMETERS:

  *  "policyInfo"

  *      Address of CertPolicyInfo whose policy qualifiers List is to be stored.

  *      Must be non-NULL.

  *  "pPolicyQualifiers"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CertPolicyInfo_GetPolQualifiers(

         PKIX_PL_CertPolicyInfo *policyInfo,

         PKIX_List **pPolicyQualifiers, /* list of PKIX_PL_CertPolicyQualifier */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId

  * DESCRIPTION:

  *

  *  Retrieves a pointer to an OID representing the policyQualifierId of the

  *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at

  *  "pPolicyQualifierId".

  *

  *  PolicyQualifierInfo ::= SEQUENCE {

  *      policyQualifierId       PolicyQualifierId,

  *      qualifier               ANY DEFINED BY policyQualifierId }

  *

  *  PolicyQualifierId ::=

  *      OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

  *

  * PARAMETERS:

  *  "policyQualifier"

  *      Address of CertPolQualifier whose policyQualifierId is to be stored.

  *      Must be non-NULL.

  *  "pPolicyQualifierId"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_PolicyQualifier_GetPolicyQualifierId(

         PKIX_PL_CertPolicyQualifier *policyQualifier,

         PKIX_PL_OID **pPolicyQualifierId,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a ByteArray representing the qualifier of the

  *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at

  *  "pQualifier".

  *

  *  PolicyQualifierInfo ::= SEQUENCE {

  *      policyQualifierId       PolicyQualifierId,

  *      qualifier               ANY DEFINED BY policyQualifierId }

  *

  * PARAMETERS:

  *  "policyQualifier"

  *      Address of CertPolicyQualifier whose qualifier is to be stored.

  *      Must be non-NULL.

  *  "pQualifier"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_PolicyQualifier_GetQualifier(

         PKIX_PL_CertPolicyQualifier *policyQualifier,

         PKIX_PL_ByteArray **pQualifier,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetPolicyMappings

  * DESCRIPTION:

  *

  *  Retrieves a pointer to a List of CertPolicyMaps found in the policy

  *  mappings extension of the Cert pointed to by "cert" and stores it at

  *  "pPolicyMappings". If "cert" does not have a policy mappings extension,

  *  this function stores NULL at "pPolicyMappings". Once created, a

  *  CertPolicyMap is immutable.

  *

  *  Note that the List returned by this function is immutable.

  *

  *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {

  *      issuerDomainPolicy      CertPolicyId,

  *      subjectDomainPolicy     CertPolicyId }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose CertPolicyMaps are to be stored.

  *      Must be non-NULL.

  *  "pPolicyMappings"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetPolicyMappings(

         PKIX_PL_Cert *cert,

         PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy

  * DESCRIPTION:

  *

  *  Retrieves a pointer to an OID representing the issuerDomainPolicy of the

  *  CertPolicyMap pointed to by "policyMapping" and stores it at

  *  "pIssuerDomainPolicy".

  *

  *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {

  *      issuerDomainPolicy      CertPolicyId,

  *      subjectDomainPolicy     CertPolicyId }

  *

  * PARAMETERS:

  *  "policyMapping"

  *      Address of CertPolicyMap whose issuerDomainPolicy is to be stored.

  *      Must be non-NULL.

  *  "pIssuerDomainPolicy"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(

         PKIX_PL_CertPolicyMap *policyMapping,

         PKIX_PL_OID **pIssuerDomainPolicy,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy

  * DESCRIPTION:

  *

  *  Retrieves a pointer to an OID representing the subjectDomainPolicy of the

  *  CertPolicyMap pointed to by "policyMapping" and stores it at

  *  "pSubjectDomainPolicy".

  *

  *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {

  *      issuerDomainPolicy      CertPolicyId,

  *      subjectDomainPolicy     CertPolicyId }

  *

  * PARAMETERS:

  *  "policyMapping"

  *      Address of CertPolicyMap whose subjectDomainPolicy is to be stored.

  *      Must be non-NULL.

  *  "pSubjectDomainPolicy"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(

         PKIX_PL_CertPolicyMap *policyMapping,

         PKIX_PL_OID **pSubjectDomainPolicy,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy

  * DESCRIPTION:

  *

  *  Retrieves the requireExplicitPolicy value of the policy constraints

  *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".

  *  If "cert" does not have a policy constraints extension or the

  *  requireExplicitPolicy component is not populated, this function stores -1

  *  at "pSkipCerts".

  *

  *  PolicyConstraints ::= SEQUENCE {

  *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,

  *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }

  *

  *  SkipCerts ::= INTEGER (0..MAX)

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose requireExplicitPolicy value is to be stored.

  *      Must be non-NULL.

  *  "pSkipCerts"

  *      Address where PKIX_Int32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetRequireExplicitPolicy(

         PKIX_PL_Cert *cert,

         PKIX_Int32 *pSkipCerts,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited

  * DESCRIPTION:

  *

  *  Retrieves the inhibitPolicyMapping value of the policy constraints

  *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".

  *  If "cert" does not have a policy constraints extension or the

  *  inhibitPolicyMapping component is not populated, this function stores -1

  *  at "pSkipCerts".

  *

  *  PolicyConstraints ::= SEQUENCE {

  *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,

  *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }

  *

  *  SkipCerts ::= INTEGER (0..MAX)

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose requireExplicitPolicy value is to be stored.

  *      Must be non-NULL.

  *  "pSkipCerts"

  *      Address where PKIX_Int32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetPolicyMappingInhibited(

         PKIX_PL_Cert *cert,

         PKIX_Int32 *pSkipCerts,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy

  * DESCRIPTION:

  *

  *  Retrieves the value of the inhibit any-policy extension of the Cert

  *  pointed to by "cert" and stores it at "pSkipCerts". If "cert" does not have

  *  an inhibit any-policy extension, this function stores -1 at "pSkipCerts".

  *

  *  InhibitAnyPolicy ::= SkipCerts

  *

  *  SkipCerts ::= INTEGER (0..MAX)

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose inhibit any-policy extensions value is to be

  *      stored. Must be non-NULL.

  *  "pSkipCerts"

  *      Address where PKIX_Int32 will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetInhibitAnyPolicy(

         PKIX_PL_Cert *cert,

         PKIX_Int32 *pSkipCerts,

         void *plContext);

 /* policy processing functions */

 /*

  * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical

  * DESCRIPTION:

  *

  *  Checks whether the certificate policies extension of the Cert pointed to

  *  by "cert" is critical and stores the Boolean result at "pCritical". If

  *  "cert" does not have a certificate policies extension, this function

  *  stores NULL at "pCritical".

  *

  *  XXX what distinguishes NULL from PKIX_FALSE?

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose certificate policies extension's criticality is

  *      to be determined. Must be non-NULL.

  *  "pCritical"

  *      Address where PKIX_Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_AreCertPoliciesCritical(

         PKIX_PL_Cert *cert,

         PKIX_Boolean *pCritical,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_CheckNameConstraints

  * DESCRIPTION:

  *

  *  Checks whether the subject distinguished name and subject alternative names

  *  of the Cert pointed to by "cert" satisfy the CertNameConstraints pointed

  *  to by "nameConstraints". If the CertNameConstraints are not satisfied, a

  *  PKIX_Error pointer is returned. If "nameConstraints" is NULL, the function

  *  does nothing.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose subject names are to be checked.

  *      Must be non-NULL.

  *  "nameConstraints"

  *      Address of CertNameConstraints that need to be satisfied.

  *  "treatCommonNameAsDNSName"

  *      PKIX_TRUE if the subject common name should be considered a dNSName

  *      when evaluating name constraints.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_CheckNameConstraints(

         PKIX_PL_Cert *cert,

         PKIX_PL_CertNameConstraints *nameConstraints,

         PKIX_Boolean treatCommonNameAsDNSName,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_MergeNameConstraints

  * DESCRIPTION:

  *

  *  Merges the CertNameConstraints pointed to by "firstNC" and the

  *  CertNameConstraints pointed to by "secondNC" and stores the merged

  *  CertNameConstraints at "pResultNC". If "secondNC" is NULL, the

  *  CertNameConstraints pointed to by "firstNC" is stored at "pResultNC".

  *

  *  Once created, a CertNameConstraints object is immutable.

  *

  * PARAMETERS:

  *  "firstNC"

  *      Address of first CertNameConstraints to be merged. Must be non-NULL.

  *  "secondNC"

  *      Address of second CertNameConstraints to be merged

  *  "pResultNC"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_MergeNameConstraints(

         PKIX_PL_CertNameConstraints *firstNC,

         PKIX_PL_CertNameConstraints *secondNC,

         PKIX_PL_CertNameConstraints **pResultNC,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage

  * DESCRIPTION:

  *

  *  Verifies that the keyUsage bit(s) specified by "keyUsage" appear in the

  *  keyUsage extension of the Cert pointed to by "cert". The keyUsage bit

  *  values specified in pkixt.h are supported, and can be bitwise or'ed if

  *  multiple bit values are to be verified. If the keyUsages do not all appear

  *  in the keyUsage extension of "cert", a PKIX_Error pointer is returned.

  *

  *  KeyUsage ::= BIT STRING {

  *      digitalSignature        (0),

  *      nonRepudiation          (1),

  *      keyEncipherment         (2),

  *      dataEncipherment        (3),

  *      keyAgreement            (4),

  *      keyCertSign             (5),

  *      cRLSign                 (6),

  *      encipherOnly            (7),

  *      decipherOnly            (8) }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose keyUsage bits are to be verified.

  *      Must be non-NULL.

  *  "keyUsage"

  *      Constant representing keyUsage bit(s) that all must appear in keyUsage

  *      extension of "cert".

  *  "plContext" - Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_VerifyKeyUsage(

         PKIX_PL_Cert *cert,

         PKIX_UInt32 keyUsage,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType

  * DESCRIPTION:

  *

  * Verifies cert and key types against certificate usage that is

  * a part of plContext(pkix_pl_nsscontext) structure. Throws an error

  * if cert or key types does not match.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose keyUsage bits are to be verified.

  *      Must be non-NULL.

  *  "isLeafCert"

  *      What type of a cert has been verified.

  *  "plContext" - Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_VerifyCertAndKeyType(

         PKIX_PL_Cert *cert,

         PKIX_Boolean isChainCert,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_CheckValidity

  * DESCRIPTION:

  *

  *  Checks whether the Cert pointed to by "cert" would be valid at the time

  *  represented by the Date pointed to by "date". If "date" is NULL, then this

  *  function checks whether the Cert would be valid at the current time. If the

  *  Cert would not be valid at the specified Date, a PKIX_Error pointer is

  *  returned.

  *

  *  Validity ::= SEQUENCE {

  *      notBefore       Time,

  *      notAfter        Time }

  *

  *  Time ::= CHOICE {

  *      utcTime         UTCTime,

  *      generalTime     GeneralizedTime }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose validity is to be checked. Must be non-NULL.

  *  "date"

  *      Address of Date at which the Cert is being checked for validity.

  *      If NULL, the current time is used for the Date.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_CheckValidity(

         PKIX_PL_Cert *cert,

         PKIX_PL_Date *date,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the Date that represents the notAfter time of the

  *  Certificate pointed to by "cert" and stores it at "pDate".

  *

  *  Validity ::= SEQUENCE {

  *      notBefore       Time,

  *      notAfter        Time }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose validity time is to be retrieved. Must be

  *      non-NULL.

  *  "date"

  *      Address of Date at which the Cert's notAfter time is being retrieved.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetValidityNotAfter(

         PKIX_PL_Cert *cert,

         PKIX_PL_Date **pDate,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_VerifySignature

  * DESCRIPTION:

  *

  *  Verifies the signature on the Cert pointed to by "cert" using the

  *  PublicKey pointed to by "pubKey". If the signature doesn't verify, an

  *  Error pointer is returned.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose signature is to be verified. Must be non-NULL.

  *  "pubKey"

  *      Address of a Public Key used to verify the signature. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_VerifySignature(

         PKIX_PL_Cert *cert,

         PKIX_PL_PublicKey *pubKey,

         void *plContext);

 /* A set of flags to indicate how explicitly configured trust anchors should be

  * handled by PKIX_PL_Cert_IsCertTrusted

  */

 typedef enum PKIX_PL_TrustAnchorModeEnum {

         /* Indicates trust anchors should be ignored; only the underlying

          * platform's trust settings should be used.

          */

         PKIX_PL_TrustAnchorMode_Ignore,

         /* Indicates that explicitly configured trust anchors may be considered

          * trustworthy, if present.

          * Note: If the underlying platform supports marking a certificate as

          *       explicitly untrustworthy, explicitly configured trust anchors

          *       MAY be ignored/rejected.

          */

         PKIX_PL_TrustAnchorMode_Additive,

         /* Indicates that ONLY trust anchors should be considered as

          * trustworthy.

          * Note: If the underlying platform supports marking a certificate as

          *       explicitly untrustworthy, explicitly configured trust anchors

          *       MAY be ignored/rejected.

          */

         PKIX_PL_TrustAnchorMode_Exclusive

 } PKIX_PL_TrustAnchorMode;

 /*

  * FUNCTION: PKIX_PL_Cert_IsCertTrusted

  * DESCRIPTION:

  *

  *  Checks the Cert specified by "cert" to determine, in a manner that depends

  *  on the underlying platform, whether it is trusted, and stores the result in

  *  "pTrusted". If a certificate is trusted it means that a chain built to that

  *  certificate, and satisfying all the usage, policy, validity, and other

  *  tests, is a valid chain and the End Entity certificate from which it was

  *  built can be trusted.

  *

  *  If the Certificate is not intrinsically trustworthy, it still might end up a

  *  component in a successful chain.

  *

  *  If the Certificate is intrinsically untrustworthy, this function will return

  *  an error. 

  *

  * PARAMETERS

  *  "cert"

  *      Address of Cert whose trustworthiness is to be determined. Must be

  *      non-NULL.

  *  "trustAnchorMode"

  *      A PKIX_PL_TrustAnchorMode that indicates how explicitly defined user

  *      trust anchors should be handled.

  *  "pTrusted"

  *      Address where the Boolean value will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CERT Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_IsCertTrusted(

         PKIX_PL_Cert *cert,

         PKIX_PL_TrustAnchorMode trustAnchorMode,

         PKIX_Boolean *pTrusted,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_IsLeafCertTrusted

  * DESCRIPTION:

  *

  *  Checks the Leaf Cert specified by "cert" to determine, in a manner that 

  *  depends on the underlying platform, whether it is trusted, and stores the 

  *  result in "pTrusted". If a certificate is trusted it means that this

  *  End Entify certificate has been marked as trusted for the requested usage,

  *  policy, validity, and other tests.

  *

  *  If the Certificate is not intrinsically trustworthy, we can still try to 

  *  build a successful chain.

  *

  *  If the Certificate is intrinsically untrustworthy, this function will return

  *  an error. 

  *

  * PARAMETERS

  *  "cert"

  *      Address of Cert whose trustworthiness is to be determined. Must be

  *      non-NULL.

  *  "pTrusted"

  *      Address where the Boolean value will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CERT Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_IsLeafCertTrusted(

         PKIX_PL_Cert *cert,

         PKIX_Boolean *pTrusted,

         void *plContext);

 /* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */

 PKIX_Error*

 PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, 

                               void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetCacheFlag

  * DESCRIPTION:

  *

  *  Retrieves the value of the cache flag in "cert" and return it at address

  *  pointed by "pCacheFlag". The initila cache flag is determined by the

  *  CertStore this "cert" is fetched from. When CertStore is created, user

  *  need to specify if the data should be cached.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose cache flag is fetched. Must be non-NULL.

  *  "pCacheFlag"

  *      Address where PKIX_Boolean will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetCacheFlag(

         PKIX_PL_Cert *cert,

         PKIX_Boolean *pCacheFlag,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_SetCacheFlag

  * DESCRIPTION:

  *

  *  Set the value of the cache flag in "cert" base on the boolean value stored

  *  at "cacheFlag". This function is meant to be used by CertStore after a

  *  Cert is created.

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert where "cacheFlag" is stored. Must be non-NULL.

  *  "cacheFlag"

  *      PKIX_Boolean flag for cache flag.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_SetCacheFlag(

         PKIX_PL_Cert *cert,

         PKIX_Boolean cacheFlag,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetTrustCertStore

  * DESCRIPTION:

  *

  *  Retrieves the value of the CertStore in "cert" and return it at address

  *  pointed by "pCertStore".

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose CertStore is fetched. Must be non-NULL.

  *  "pTrustCertStore"

  *      Address where CertStore will be stored and returned. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetTrustCertStore(

         PKIX_PL_Cert *cert,

         PKIX_CertStore **pTrustCertStore,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_SetTrustCertStore

  * DESCRIPTION:

  *

  *  Set the value of the CertStore "certStore" in "cert".

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert where "certStore" will be stored. Must be non-NULL.

  *  "trustCertStore"

  *      Address where the CertStore is. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_SetTrustCertStore(

         PKIX_PL_Cert *cert,

         PKIX_CertStore *trustCertStore,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess

  * DESCRIPTION:

  *

  *  Retrieves the value(s) of the Authority Information Access in "cert" and

  *  returns it in a list at address pointed by "pAuthorityInfoAccess".

  *

  *  SubjectInfoAccess ::=

  *    SEQUENCE SIZE (1..MAX) of AccessDescription

  *    AccessDescription ::= SEQUENCE {

  *        accessMethod     OBJECT IDENTIFIER,

  *        accessLocation   GeneralName

  *    }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose Authority Information Access is fetched.

  *      Must be non-NULL.

  *  "pAuthorityInfoAccess"

  *      Address where Authority InfoAccess will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetAuthorityInfoAccess(

         PKIX_PL_Cert *cert,

         PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess

  * DESCRIPTION:

  *

  *  Retrieves the value(s) of the Subject Information Access in "cert" and

  *  returns it in a list at address pointed by "pSubjectInfoAccess".

  *

  *  SubjectInfoAccess ::=

  *    SEQUENCE SIZE (1..MAX) of AccessDescription

  *    AccessDescription ::= SEQUENCE {

  *        accessMethod     OBJECT IDENTIFIER,

  *        accessLocation   GeneralName

  *    }

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose Subject Information Access is fetched.

  *      Must be non-NULL.

  *  "pSubjectInfoAccess"

  *      Address where Subject InfoAccess will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetSubjectInfoAccess(

         PKIX_PL_Cert *cert,

         PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Cert_GetCrlDp

  * DESCRIPTION:

  *

  *  Retrieves the value(s) of the CRL Distribution Point Extension and

  *  returns it in a list at address pointed by "pDpList".

  *

  * PARAMETERS:

  *  "cert"

  *      Address of Cert whose Subject Information Access is fetched.

  *      Must be non-NULL.

  *  "pDpList"

  *      Address where CRL DP will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert,

                       PKIX_List **pDpList,

                       void *plContext);

 /*

  * InfoAccess 

  *

  * To hold Authority Information Access or Subject Information Access

  * retrieved from a Certificate.

  */

 #define PKIX_INFOACCESS_OCSP          1

 #define PKIX_INFOACCESS_CA_ISSUERS    2

 #define PKIX_INFOACCESS_TIMESTAMPING  3

 #define PKIX_INFOACCESS_CA_REPOSITORY 5

 #define PKIX_INFOACCESS_LOCATION_UNKNOWN 0

 #define PKIX_INFOACCESS_LOCATION_HTTP    1

 #ifndef NSS_PKIX_NO_LDAP

 #define PKIX_INFOACCESS_LOCATION_LDAP    2

 #endif

 /*

  * FUNCTION: PKIX_PL_InfoAccess_GetMethod

  * DESCRIPTION:

  *

  *  Stores the method of the Information Access from "infoAccess" and

  *  returns in "pMethod".

  *

  *  SubjectInfoAccess ::=

  *    AccessDescription ::= SEQUENCE {

  *        accessMethod     OBJECT IDENTIFIER,

  *        accessLocation   GeneralName

  *    }

  *

  * PARAMETERS:

  *  "infoAccess"

  *      Address of PKIX_PL_InfoAccess that has the access data.

  *      Must be non-NULL.

  *  "pMethod"

  *      Address where access method will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_InfoAccess_GetMethod(

         PKIX_PL_InfoAccess *infoAccess,

         PKIX_UInt32 *pMethod,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_InfoAccess_GetLocation

  * DESCRIPTION:

  *

  *  Stores the location of the Information Access from "infoAccess" and

  *  returns in "pLocation".

  *

  *  SubjectInfoAccess ::=

  *    AccessDescription ::= SEQUENCE {

  *        accessMethod     OBJECT IDENTIFIER,

  *        accessLocation   GeneralName

  *    }

  *

  * PARAMETERS:

  *  "infoAccess"

  *      Address of PKIX_PL_InfoAccess that has the access data.

  *      Must be non-NULL.

  *  "pLocation"

  *      Address where access location will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_InfoAccess_GetLocation(

         PKIX_PL_InfoAccess *infoAccess,

         PKIX_PL_GeneralName **pLocation,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_InfoAccess_GetLocationType

  * DESCRIPTION:

  *

  *  Stores the type of location of the Information Access from "infoAccess" and

  *  returns in "pType".

  *

  *  SubjectInfoAccess ::=

  *    AccessDescription ::= SEQUENCE {

  *        accessMethod     OBJECT IDENTIFIER,

  *        accessLocation   GeneralName

  *    }

  *

  * PARAMETERS:

  *  "infoAccess"

  *      Address of PKIX_PL_InfoAccess that has the access data.

  *      Must be non-NULL.

  *  "pType"

  *      Address where access location type will be stored and returned.

  *      Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Cert Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_InfoAccess_GetLocationType(

         PKIX_PL_InfoAccess *infoAccess,

         PKIX_UInt32 *pType,

         void *plContext);

 PKIX_Error *

 pkix_pl_InfoAccess_GetAIACerts(

         PKIX_PL_InfoAccess *ia,

         void **pNBIOContext,

         void **pHandle,

         PKIX_List **pCerts,

         void *plContext);

 /*

  * CRL

  *

  * A CRL represents an X.509 certificate revocation list. It can be created

  * using the bytes of a valid ASN.1 DER encoding. Once created, a CRL is

  * immutable. The following functions include accessors (gettors) for the

  * various components of an X.509 CRL, as well as a function for signature

  * verification.

  */

 /*

  * FUNCTION: PKIX_PL_CRL_Create

  * DESCRIPTION:

  *

  *  Creates a new CRL using the bytes in the ByteArray pointed to by

  *  "byteArray" and stores it at "pCRL". If the bytes are not a valid ASN.1

  *  DER encoding of a CRL, a PKIX_Error pointer is returned. Once created, a

  *  CRL is immutable.

  *

  *  CertificateList  ::=  SEQUENCE  {

  *      tbsCertList             TBSCertList,

  *      signatureAlgorithm      AlgorithmIdentifier,

  *      signatureValue          BIT STRING  }

  *

  *  TBSCertList  ::=  SEQUENCE  {

  *      version                 Version OPTIONAL,

  *                              -- if present, MUST be v2

  *      signature               AlgorithmIdentifier,

  *      issuer                  Name,

  *      thisUpdate              Time,

  *      nextUpdate              Time OPTIONAL,

  *      revokedCertificates     SEQUENCE OF SEQUENCE  {

  *              userCertificate         CertificateSerialNumber,

  *              revocationDate          Time,

  *              crlEntryExtensions      Extensions OPTIONAL

  *                                      -- if present, MUST be v2

  *                              }  OPTIONAL,

  *      crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

  *                                      -- if present, MUST be v2

  *      }

  *

  * PARAMETERS:

  *  "byteArray"

  *      Address of ByteArray representing the CRL's DER encoding.

  *      Must be non-NULL.

  *  "pCRL"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_Create(

         PKIX_PL_ByteArray *byteArray,

         PKIX_PL_CRL **pCRL,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_GetIssuer

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the X500Name that represents the issuer of the CRL

  *  pointed to by "crl" and stores it at "pCRLIssuer".

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose issuer is to be stored. Must be non-NULL.

  *  "pCRLIssuer"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_GetIssuer(

         PKIX_PL_CRL *crl,

         PKIX_PL_X500Name **pCRLIssuer,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of OIDs (each OID corresponding to a

  *  critical extension of the CRL pointed to by "crl") and stores it at

  *  "pExtensions". If "crl" does not have any critical extensions, this

  *  function stores an empty List at "pExtensions".

  *

  *  Note that the List returned by this function is immutable.

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose critical extension OIDs are to be stored.

  *      Must be non-NULL.

  *  "pExtensions"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_GetCriticalExtensionOIDs(

         PKIX_PL_CRL *crl,

         PKIX_List **pExtensions,   /* list of PKIX_PL_OID */

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the CRLEntry (found in the CRL pointed to by "crl")

  *  corresponding to the BigInt pointed to by "serialNumber" and stores it at

  *  "pCRLEntry". If there is no such CRLEntry, this functions stores NULL at

  *  "pCRLEntry". Once created, a CRLEntry is immutable.

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose CRL Entries are to be searched. Must be non-NULL.

  *  "serialNumber"

  *      Address of BigInt representing serial number of certificate whose

  *      CRLEntry is to be found. Must be non-NULL.

  *  "pCRLEntry"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_GetCRLEntryForSerialNumber(

         PKIX_PL_CRL *crl,

         PKIX_PL_BigInt *serialNumber,

         PKIX_PL_CRLEntry **pCRLEntry,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_GetCRLNumber

  * DESCRIPTION:

  *  Retrieves the CRL Number from extension. This is non-critical extension.

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose version is to be stored. Must be non-NULL.

  *  "pCrlNumber"

  *      Address where a CRL Number will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_GetCRLNumber(

         PKIX_PL_CRL *crl,

         PKIX_PL_BigInt **pCrlNumber,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime

  * DESCRIPTION:

  *

  *  Checks whether the CRL pointed to by "crl" would be valid at the time

  *  represented by the Date pointed to by "date" and stores the Boolean result

  *  at "pResult". This check is done only when NIST policy is enforced.

  *

  *  Time ::= CHOICE {

  *      utcTime         UTCTime,

  *      generalTime     GeneralizedTime }

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose validity is to be checked. Must be non-NULL.

  *  "date"

  *      Address of Date at which the CRL is being checked for validity.

  *      Must be non-NULL.

  *  "pResult"

  *      Address of Boolean result. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_VerifyUpdateTime(

         PKIX_PL_CRL *crl,

         PKIX_PL_Date *date,

         PKIX_Boolean *pResult,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_VerifySignature

  * DESCRIPTION:

  *

  *  Verifies the signature on the CRL pointed to by "crl" using the PublicKey

  *  pointed to by "pubKey". If the signature doesn't verify, a PKIX_Error

  *  pointer is returned.

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose signature is to be verified. Must be non-NULL.

  *  "pubKey"

  *      Address of a Public Key used to verify the signature. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_VerifySignature(

         PKIX_PL_CRL *crl,

         PKIX_PL_PublicKey *pubKey,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_ReleaseDerCrl

  * DESCRIPTION:

  *

  * Relinguish the ownership for the crl der. The operation will succeed if

  * a crl owns the der. If the crl was created from existing crl and does not

  * own the der, then the function will return null.

  *

  * PARAMETERS:

  *  "crl"

  *      Address of CRL whose signature is to be verified. Must be non-NULL.

  *  "derCrl"

  *      Pointer to a SECItem that has der crl.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_ReleaseDerCrl(PKIX_PL_CRL *crl,

                          SECItem **derCrl,

                          void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRL_AdoptDerCrl

  * DESCRIPTION:

  *

  * Adopt memory of the der. The secItem that contains der will be

  * freed with destruction of parent pkix crl structure.

  *

  * * PARAMETERS:

  *  "crl"

  *      Address of CRL whose signature is to be verified. Must be non-NULL.

  *  "derCrl"

  *      Pointer to a SECItem that has der crl.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRL_AdoptDerCrl(PKIX_PL_CRL *crl,

                         SECItem *derCrl,

                         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode

  * DESCRIPTION:

  *

  *  Retrieves the value of the reason code extension of the CRLEntry pointed

  *  to by "crlEntry" and stores it at "pReason". If the "crlEntry" has no

  *  reason code extension, this function stores -1 at "pReason".

  *

  *  CRLReason ::= ENUMERATED {

  *      unspecified             (0),

  *      keyCompromise           (1),

  *      cACompromise            (2),

  *      affiliationChanged      (3),

  *      superseded              (4),

  *      cessationOfOperation    (5),

  *      certificateHold         (6),

  *      removeFromCRL           (8),

  *      privilegeWithdrawn      (9),

  *      aACompromise            (10) }

  *

  * PARAMETERS:

  *  "crlEntry"

  *      Address of CRLEntry whose reason code bit values are to be returned

  *      at "pReason". Must be non-NULL.

  *  "pReason"

  *      Address of PKIX_Int32 where reason code is stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRLEntry_GetCRLEntryReasonCode(

         PKIX_PL_CRLEntry *crlEntry,

         PKIX_Int32 *pReason,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs

  * DESCRIPTION:

  *

  *  Retrieves a pointer to the List of OIDs (each OID corresponding to a

  *  critical extension of the CRLEntry pointed to by "crlEntry") and stores it

  *  at "pExtensions". If "crlEntry" does not have any critical extensions, this

  *  function stores an empty List at "pExtensions".

  *

  *  Note that the List returned by this function is immutable.

  *

  * PARAMETERS:

  *  "crlEntry"

  *      Address of CRLEntry whose critical extension OIDs are to be stored.

  *      Must be non-NULL.

  *  "pExtensions"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CRL Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CRLEntry_GetCriticalExtensionOIDs(

         PKIX_PL_CRLEntry *crlEntry,

         PKIX_List **pExtensions,  /* list of PKIX_PL_OID */

         void *plContext);

 #ifdef BUILD_LIBPKIX_TESTS

 /*

  * FUNCTION: PKIX_PL_X500Name_Create

  * DESCRIPTION:

  *

  *  Creates a new X500Name using the UTF8 string representation pointed to by

  *  "stringRep" and stores it at "pName". Once created, an X500Name is

  *  immutable.

  *

  *  Name ::= CHOICE {

  *    RDNSequence }

  *

  *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  *

  *  RelativeDistinguishedName ::=

  *    SET OF AttributeTypeAndValue

  *

  *  AttributeTypeAndValue ::= SEQUENCE {

  *      type    AttributeType,

  *      value   AttributeValue }

  *

  *  AttributeType ::= OBJECT IDENTIFIER

  *

  *  AttributeValue ::= ANY DEFINED BY AttributeType

  *

  *  DirectoryString ::= CHOICE {

  *      teletexString           TeletexString (SIZE (1..MAX)),

  *      printableString         PrintableString (SIZE (1..MAX)),

  *      universalString         UniversalString (SIZE (1..MAX)),

  *      utf8String              UTF8String (SIZE (1..MAX)),

  *      bmpString               BMPString (SIZE (1..MAX)) }

  *

  * PARAMETERS:

  *  "stringRep"

  *      Address of UTF8 String representation of X500Name. Must be non-NULL.

  *  "pName"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns an X500Name Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_X500Name_Create (

         PKIX_PL_String *stringRep,

         PKIX_PL_X500Name **pName,

         void *plContext);

 #endif /* BUILD_LIBPKIX_TESTS */

 /*

  * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName

  * DESCRIPTION:

  * 

  * The function creates x500Name using der encoded DN and/or pointer to

  * CERTName. If arument "name" is NULL, but derName is supplied when

  * the function generates nssDN(CERTName type) from der data. If derName

  * is not supplied, CERTName *name will not be used to generate DN DER

  * encoding.

  *

  * PARAMETERS:

  *  "derName"

  *      Address of DER representation of X500Name. Can be NULL

  *  "name"

  *      Address of CERTName representation of X500Name. Can be NULL

  *  "pName"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns an X500Name Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_X500Name_CreateFromCERTName(

         SECItem *derName,

         CERTName *name,

         PKIX_PL_X500Name **pName,

         void *plContext);

 /*

  * TYPE: PKIX_PL_X500Name_Match

  * DESCRIPTION:

  *  Checks whether the X500Name pointed to by "firstX500Name" MATCHES the

  *  X500Name pointed to by "secondX500Name" and stores the boolean result at

  *  "pResult". Two X500Names MATCH if they meet the conditions specified by

  *  RFC 3280 (section 4.1.2.4). Namely:

  *

  *      "This specification requires only a subset of the name comparison

  *      functionality specified in the X.500 series of specifications.

  *      Conforming implementations are REQUIRED to implement the following

  *      name comparison rules:

  *

  *      (a)  attribute values encoded in different types (e.g., PrintableString

  *      and BMPString) MAY be assumed to represent different strings;

  *

  *      (b) attribute values in types other than PrintableString are case

  *      sensitive (this permits matching of attribute values as binary objects)

  *

  *      (c)  attribute values in PrintableString are not case sensitive

  *      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and

  *

  *      (d)  attribute values in PrintableString are compared after removing

  *      leading and trailing white space and converting internal substrings of

  *      one or more consecutive white space characters to a single space."

  *

  * PARAMETERS:

  *  "firstX500Name"

  *      Address of first X500Name to compare. Must be non-NULL.

  *  "secondX500Name"

  *      Address of second X500Name to compare. Must be non-NULL.

  *  "pResult"

  *      Address of Boolean result. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns an X500Name Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_X500Name_Match(

         PKIX_PL_X500Name *firstX500Name,

         PKIX_PL_X500Name *secondX500Name,

         PKIX_Boolean *pResult,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Date_Create_UTCTime

  * DESCRIPTION:

  *  Creates a new Date of type UTCTime using the string representation pointed

  *  to by "stringRep" and stores it at "pDate". The UTCTime restriction means

  *  that the year can only be specified by the least significant two digits

  *  (YY). As such, Only the years 1950-2049 can be represented. If "stringRep"

  *  is NULL, this function creates a new Date representing the current time

  *  and stores it at "pDate". Once created, a Date is immutable.

  *

  *  If YY is greater than or equal to 50, the year is interpreted as 19YY.

  *  If YY is less than 50, the year is interpreted as 20YY.

  *

  *  The string representation of the date must be in the following form:

  *      "YYMMDDhhmmssZ" where:

  *

  *  YY is the least significant two digits of the year

  *  MM is the month (01 to 12)

  *  DD is the day (01 to 31)

  *  hh is the hour (00 to 23)

  *  mm are the minutes (00 to 59)

  *  ss are the seconds (00 to 59)

  *  Z indicates that local time is GMT

  *

  * PARAMETERS:

  *  "stringRep"

  *      Address of String representation of Date.

  *      If NULL, current time is used.

  *  "pDate"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Date Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Date_Create_UTCTime (

         PKIX_PL_String *stringRep,

         PKIX_PL_Date **pDate,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Date_Create_UTCTime

  * DESCRIPTION:

  *  Creates a new Date from PRTime data.

  *

  * PARAMETERS:

  *  "time"

  *      Represented time in PRTime type.

  *  "pDate"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Date Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Date_CreateFromPRTime(

         PRTime time,

         PKIX_PL_Date **pDate,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds

  * DESCRIPTION:

  *  Creates a new Date of type UTCTime for current time with seconds off by

  *  "secondsOffset" and returns it at "pDate".

  *

  * PARAMETERS:

  *  "secondsOffset"

  *      A PKIX_Int32 indicates the time offset from current. If "secondsOffset"

  *      is negative, the time is in past.

  *  "pDate"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Date Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Date_Create_CurrentOffBySeconds(

         PKIX_Int32 secondsOffset,

         PKIX_PL_Date **pDate,

         void *plContext);

 #ifdef BUILD_LIBPKIX_TESTS

 /*

  * FUNCTION: PKIX_PL_GeneralName_Create

  * DESCRIPTION:

  *

  *  Creates a new GeneralName of type "nameType" using the string

  *  representation pointed to by "stringRep" and stores it at "pGName".

  *  All of the GeneralName type format values specified in pkixt.h are

  *  supported, with the exception of PKIX_OTHER_NAME, PKIX_EDIPARTY_NAME,

  *  PKIX_IP_NAME, and PKIX_X400_ADDRESS. A PKIX_ESCASCII string representation

  *  should be used for all supported nameTypes, with the exception of

  *  registeredID and directoryName. For registeredID, the string representation

  *  should be the same as that used by PKIX_PL_OID_Create. For directoryName,

  *  the string representation should be the same as that used by

  *  PKIX_PL_X500Name_Create. If an unsupported name type is used, an Error is

  *  returned. Once created, a GeneralName is immutable.

  *

  *  GeneralName ::= CHOICE {

  *      otherName                       [0]     OtherName,

  *      rfc822Name                      [1]     IA5String,

  *      dNSName                         [2]     IA5String,

  *      x400Address                     [3]     ORAddress,

  *      directoryName                   [4]     Name,

  *      ediPartyName                    [5]     EDIPartyName,

  *      uniformResourceIdentifier       [6]     IA5String,

  *      iPAddress                       [7]     OCTET STRING,

  *      registeredID                    [8]     OBJECT IDENTIFIER }

  *

  *

  * NOTE: This function is allowed to be called only by pkix tests programs.

  * 

  * PARAMETERS:

  *  "nameType"

  *      Type of GeneralName to be created. This must be one of the GeneralName

  *      type format values specified in pkixt.h

  *  "stringRep"

  *      Address of String representation of GeneralName. Must be non-NULL.

  *  "pGName"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a GeneralName Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_GeneralName_Create (

         PKIX_UInt32 nameType,

         PKIX_PL_String *stringRep,

         PKIX_PL_GeneralName **pGName,

         void *plContext);

 #endif /* BUILD_LIBPKIX_TESTS */

 /*

  * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace

  * DESCRIPTION:

  *

  *  This function checks whether names in "nameList" comply with

  *  "nameConstraints". It stores PKIX_TRUE at "pCheckPass" if the names meet the

  *  requirement of the NameConstraints, PKIX_FALSE otherwise.

  *

  * PARAMETERS

  *  "nameList"

  *      List of GeneralNames that are checked for compliance. May be empty

  *      or NULL.

  *  "nameConstraints"

  *      Address of CertNameConstraints that provides lists of permitted

  *      and excluded names. Must be non-NULL.

  *  "pCheckPass"

  *      Address where PKIX_TRUE is returned if the all names in "nameList" are

  *      valid. Must be non-NULL.

  *  "plContext" - Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a NameConstraints Error if the function fails in a

  *  non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(

         PKIX_List *nameList, /* List of PKIX_PL_GeneralName */

         PKIX_PL_CertNameConstraints *nameConstraints,

         PKIX_Boolean *pCheckPass,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_AIAMgr_Create

  * DESCRIPTION:

  *

  *  This function creates an AIAMgr to handle retrieval of Certs and CRLs