The Tor Browser / file revision

 /* This Source Code Form is subject to the terms of the Mozilla Public

  * License, v. 2.0. If a copy of the MPL was not distributed with this

  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 /*

  * This file defines functions associated with CertStore types.

  *

  */

 #ifndef _PKIX_SAMPLEMODULES_H

 #define _PKIX_SAMPLEMODULES_H

 #include "pkix_pl_common.h"

 #ifdef __cplusplus

 extern "C" {

 #endif

 /* General

  *

  * Please refer to the libpkix Programmer's Guide for detailed information

  * about how to use the libpkix library. Certain key warnings and notices from

  * that document are repeated here for emphasis.

  *

  * All identifiers in this file (and all public identifiers defined in

  * libpkix) begin with "PKIX_". Private identifiers only intended for use

  * within the library begin with "pkix_".

  *

  * A function returns NULL upon success, and a PKIX_Error pointer upon failure.

  *

  * Unless otherwise noted, for all accessor (gettor) functions that return a

  * PKIX_PL_Object pointer, callers should assume that this pointer refers to a

  * shared object. Therefore, the caller should treat this shared object as

  * read-only and should not modify this shared object. When done using the

  * shared object, the caller should release the reference to the object by

  * using the PKIX_PL_Object_DecRef function.

  *

  * While a function is executing, if its arguments (or anything referred to by

  * its arguments) are modified, free'd, or destroyed, the function's behavior

  * is undefined.

  *

  */

 /* PKIX_PL_CollectionCertStore

  *

  * A PKIX_CollectionCertStore provides an example for showing how to retrieve

  * certificates and CRLs from a repository, such as a directory in the system.

  * It is expected the directory is an absolute directory which contains CRL

  * and Cert data files.  CRL files are expected to have the suffix of .crl

  * and Cert files are expected to have the suffix of .crt .

  *

  * Once the caller has created the CollectionCertStoreContext object, the caller

  * then can call pkix_pl_CollectionCertStore_GetCert or

  * pkix_pl_CollectionCertStore_GetCRL to obtain Lists of PKIX_PL_Cert or

  * PKIX_PL_CRL objects, respectively.

  */

 /*

  * FUNCTION: PKIX_PL_CollectionCertStore_Create

  * DESCRIPTION:

  *

  *  Creates a new CollectionCertStore and returns it at

  *      "pColCertStore".

  *

  * PARAMETERS:

  *  "storeDir"

  *      The absolute path where *.crl files are located.

  *  "pColCertStoreContext"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CollectionCertStoreContext Error if the function fails in

  *      a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_CollectionCertStore_Create(

         PKIX_PL_String *storeDir,

         PKIX_CertStore **pCertStore,

         void *plContext);

 /* PKIX_PL_PK11CertStore

  *

  * A PKIX_PL_PK11CertStore retrieves certificates and CRLs from a PKCS11

  * database. The directory that contains the cert8.db, key3.db, and secmod.db

  * files that comprise a PKCS11 database are specified in NSS initialization.

  *

  * Once the caller has created the Pk11CertStore object, the caller can call

  * pkix_pl_Pk11CertStore_GetCert or pkix_pl_Pk11CertStore_GetCert to obtain

  * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.

  */

 /*

  * FUNCTION: PKIX_PL_Pk11CertStore_Create

  * DESCRIPTION:

  *

  *  Creates a new Pk11CertStore and returns it at "pPk11CertStore".

  *

  * PARAMETERS:

  *  "pPk11CertStore"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CertStore Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_Pk11CertStore_Create(

         PKIX_CertStore **pPk11CertStore,

         void *plContext);

 #ifndef NSS_PKIX_NO_LDAP

 /* PKIX_PL_LdapCertStore

  *

  * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server

  * over a socket connection. It used the LDAP protocol as described in RFC1777.

  *

  * Once the caller has created the LdapCertStore object, the caller can call

  * pkix_pl_LdapCertStore_GetCert or pkix_pl_LdapCertStore_GetCert to obtain

  * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.

  */

 /*

  * FUNCTION: PKIX_PL_LdapDefaultClient_Create

  * DESCRIPTION:

  *

  *  Creates an LdapDefaultClient using the PRNetAddr poined to by "sockaddr",

  *  with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI";

  *  and stores the address of the default LdapClient at "pClient".

  *

  *  At the time of this version, there are unresolved questions about the LDAP

  *  protocol. Although RFC1777 describes a BIND and UNBIND message, it is not

  *  clear whether they are appropriate to this application. We have tested only

  *  using servers that do not expect authentication, and that reject BIND

  *  messages. It is not clear what values might be appropriate for the bindname

  *  and authentication fields, which are currently implemented as char strings

  *  supplied by the caller. (If this changes, the API and possibly the templates

  *  will have to change.) Therefore the Client_Create API contains a BindAPI

  *  structure, a union, which will have to be revised and extended when this

  *  area of the protocol is better understood.

  *

  * PARAMETERS:

  *  "sockaddr"

  *      Address of the PRNetAddr to be used for the socket connection. Must be

  *      non-NULL.

  *  "timeout"

  *      The PRIntervalTime value to be used as a timeout value in socket calls;

  *      a zero value indicates non-blocking I/O is to be used.

  *  "bindAPI"

  *      The address of a BindAPI to be used if a BIND message is required. If

  *      this argument is NULL, no Bind (or Unbind) will be sent.

  *  "pClient"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CertStore Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_LdapDefaultClient_Create(

         PRNetAddr *sockaddr,

         PRIntervalTime timeout,

         LDAPBindAPI *bindAPI,

         PKIX_PL_LdapDefaultClient **pClient,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_LdapDefaultClient_CreateByName

  * DESCRIPTION:

  *

  *  Creates an LdapDefaultClient using the hostname poined to by "hostname",

  *  with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI";

  *  and stores the address of the default LdapClient at "pClient".

  *

  *  At the time of this version, there are unresolved questions about the LDAP

  *  protocol. Although RFC1777 describes a BIND and UNBIND message, it is not

  *  clear whether they are appropriate to this application. We have tested only

  *  using servers that do not expect authentication, and that reject BIND

  *  messages. It is not clear what values might be appropriate for the bindname

  *  and authentication fields, which are currently implemented as char strings

  *  supplied by the caller. (If this changes, the API and possibly the templates

  *  will have to change.) Therefore the Client_Create API contains a BindAPI

  *  structure, a union, which will have to be revised and extended when this

  *  area of the protocol is better understood.

  *

  * PARAMETERS:

  *  "hostname"

  *      Address of the hostname to be used for the socket connection. Must be

  *      non-NULL.

  *  "timeout"

  *      The PRIntervalTime value to be used as a timeout value in socket calls;

  *      a zero value indicates non-blocking I/O is to be used.

  *  "bindAPI"

  *      The address of a BindAPI to be used if a BIND message is required. If

  *      this argument is NULL, no Bind (or Unbind) will be sent.

  *  "pClient"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CertStore Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_LdapDefaultClient_CreateByName(

         char *hostname,

         PRIntervalTime timeout,

         LDAPBindAPI *bindAPI,

         PKIX_PL_LdapDefaultClient **pClient,

         void *plContext);

 /*

  * FUNCTION: PKIX_PL_LdapCertStore_Create

  * DESCRIPTION:

  *

  *  Creates a new LdapCertStore using the LdapClient pointed to by "client",

  *  and stores the address of the CertStore at "pCertStore".

  *

  * PARAMETERS:

  *  "client"

  *      Address of the LdapClient to be used. Must be non-NULL.

  *  "pCertStore"

  *      Address where object pointer will be stored. Must be non-NULL.

  *  "plContext"

  *      Platform-specific context pointer.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a CertStore Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_LdapCertStore_Create(

         PKIX_PL_LdapClient *client,

         PKIX_CertStore **pCertStore,

         void *plContext);

 #endif /* !NSS_PKIX_NO_LDAP */

 /* PKIX_PL_NssContext

  *

  * A PKIX_PL_NssContext provides an example showing how the "plContext"

  * argument, that is part of every libpkix function call, can be used.

  * The "plContext" is the Portability Layer Context, which can be used

  * to communicate layer-specific information from the application to the

  * underlying Portability Layer (while bypassing the Portable Code, which

  * blindly passes the plContext on to every function call).

  *

  * In this case, NSS serves as both the application and the Portability Layer.

  * We define an NSS-specific structure, which includes an arena and a number

  * of SECCertificateUsage bit flags encoded as a PKIX_UInt32. A third argument,

  * wincx, is used on Windows platforms for PKCS11 access, and should be set to

  * NULL for other platforms.

  * Before calling any of the libpkix functions, the caller should create the NSS

  * context, by calling PKIX_PL_NssContext_Create, and provide that NSS context

  * as the "plContext" argument in every libpkix function call the caller makes.

  * When the caller is finished using the NSS context (usually just after he

  * calls PKIX_Shutdown), the caller should call PKIX_PL_NssContext_Destroy to

  * free the NSS context structure.

  */

 /*

  * FUNCTION: PKIX_PL_NssContext_Create

  * DESCRIPTION:

  *

  *  Creates a new NssContext using the certificate usage(s) specified by

  *  "certUsage" and stores it at "pNssContext". This function also internally

  *  creates an arena and stores it as part of the NssContext structure. Unlike

  *  most other libpkix API functions, this function does not take a "plContext"

  *  parameter.

  *

  * PARAMETERS:

  *  "certUsage"

  *      The desired SECCertificateUsage(s).

  *  "useNssArena"

  *      Boolean flag indicates NSS Arena is used for memory allocation.

  *  "wincx"

  *      A Windows-dependent pointer for PKCS11 token handling.

  *  "pNssContext"

  *      Address where object pointer will be stored. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_Create(

         PKIX_UInt32 certificateUsage,

         PKIX_Boolean useNssArena,

         void *wincx,

         void **pNssContext);

 /*

  * FUNCTION: PKIX_PL_NssContext_Destroy

  * DESCRIPTION:

  *

  *  Frees the structure pointed to by "nssContext" along with any of its

  *  associated memory. Unlike most other libpkix API functions, this function

  *  does not take a "plContext" parameter.

  *

  * PARAMETERS:

  *  "nssContext"

  *      Address of NssContext to be destroyed. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_Destroy(

         void *nssContext);

 /*

  * FUNCTION: PKIX_PL_NssContext_SetTimeout

  * DESCRIPTION:

  *

  * Sets IO timeout for network operations like OCSP response and cert

  * fetching.

  *

  * PARAMETERS:

  *  "nssContext"

  *      Address of NssContext to be destroyed. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_SetTimeout(PKIX_UInt32 timeout, PKIX_PL_NssContext *nssContext);

 /*

  * FUNCTION: PKIX_PL_NssContext_SetMaxResponseLen

  * DESCRIPTION:

  *

  * Sets maximum responce length allowed during network IO operations.

  *

  * PARAMETERS:

  *  "nssContext"

  *      Address of NssContext to be destroyed. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_SetMaxResponseLen(PKIX_UInt32 len, PKIX_PL_NssContext *nssContext);

 /*

  * FUNCTION: PKIX_PL_NssContext_SetCrlReloadDelay

  * DESCRIPTION:

  *

  * Sets user defined timeout between attempts to load crl using

  * CRLDP.

  *

  * PARAMETERS:

  *  "delaySeconds"

  *      Reload delay in seconds.

  *  "nssContext"

  *      Address of NssContext to be destroyed. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_SetCrlReloadDelay(PKIX_UInt32 delaySeconds,

                                        PKIX_PL_NssContext *nssContext);

 /*

  * FUNCTION: PKIX_PL_NssContext_SetBadDerCrlReloadDelay

  * DESCRIPTION:

  *

  * Sets user defined timeout between attempts to load crls

  * that failed to decode.

  *

  * PARAMETERS:

  *  "delaySeconds"

  *      Reload delay in seconds.

  *  "nssContext"

  *      Address of NssContext to be destroyed. Must be non-NULL.

  * THREAD SAFETY:

  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)

  * RETURNS:

  *  Returns NULL if the function succeeds.

  *  Returns a Context Error if the function fails in a non-fatal way.

  *  Returns a Fatal Error if the function fails in an unrecoverable way.

  */

 PKIX_Error *

 PKIX_PL_NssContext_SetBadDerCrlReloadDelay(PKIX_UInt32 delaySeconds,

                                            PKIX_PL_NssContext *nssContext);

 #ifdef __cplusplus

 }

 #endif

 #endif /* _PKIX_SAMPLEMODULES_H */