michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* michael@0: * cert.h - public data structures and prototypes for the certificate library michael@0: */ michael@0: michael@0: #ifndef _CERT_H_ michael@0: #define _CERT_H_ michael@0: michael@0: #include "utilrename.h" michael@0: #include "plarena.h" michael@0: #include "plhash.h" michael@0: #include "prlong.h" michael@0: #include "prlog.h" michael@0: michael@0: #include "seccomon.h" michael@0: #include "secdert.h" michael@0: #include "secoidt.h" michael@0: #include "keyt.h" michael@0: #include "certt.h" michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /**************************************************************************** michael@0: * michael@0: * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName) michael@0: * michael@0: ****************************************************************************/ michael@0: michael@0: /* michael@0: ** Convert an ascii RFC1485 encoded name into its CERTName equivalent. michael@0: */ michael@0: extern CERTName *CERT_AsciiToName(const char *string); michael@0: michael@0: /* michael@0: ** Convert an CERTName into its RFC1485 encoded equivalent. michael@0: ** Returns a string that must be freed with PORT_Free(). michael@0: ** This version produces a string for maximum human readability, michael@0: ** not for strict RFC compliance. michael@0: */ michael@0: extern char *CERT_NameToAscii(CERTName *name); michael@0: michael@0: /* michael@0: ** Convert an CERTName into its RFC1485 encoded equivalent. michael@0: ** Returns a string that must be freed with PORT_Free(). michael@0: ** Caller chooses encoding rules. michael@0: */ michael@0: extern char *CERT_NameToAsciiInvertible(CERTName *name, michael@0: CertStrictnessLevel strict); michael@0: michael@0: extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src); michael@0: michael@0: /* convert an OID to dotted-decimal representation */ michael@0: /* Returns a string that must be freed with PR_smprintf_free(). */ michael@0: extern char * CERT_GetOidString(const SECItem *oid); michael@0: michael@0: /* michael@0: ** Examine an AVA and return the tag that refers to it. The AVA tags are michael@0: ** defined as SEC_OID_AVA*. michael@0: */ michael@0: extern SECOidTag CERT_GetAVATag(CERTAVA *ava); michael@0: michael@0: /* michael@0: ** Compare two AVA's, returning the difference between them. michael@0: */ michael@0: extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b); michael@0: michael@0: /* michael@0: ** Create an RDN (relative-distinguished-name). The argument list is a michael@0: ** NULL terminated list of AVA's. michael@0: */ michael@0: extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...); michael@0: michael@0: /* michael@0: ** Make a copy of "src" storing it in "dest". michael@0: */ michael@0: extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src); michael@0: michael@0: /* michael@0: ** Add an AVA to an RDN. michael@0: ** "rdn" the RDN to add to michael@0: ** "ava" the AVA to add michael@0: */ michael@0: extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava); michael@0: michael@0: /* michael@0: ** Compare two RDN's, returning the difference between them. michael@0: */ michael@0: extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b); michael@0: michael@0: /* michael@0: ** Create an X.500 style name using a NULL terminated list of RDN's. michael@0: */ michael@0: extern CERTName *CERT_CreateName(CERTRDN *rdn, ...); michael@0: michael@0: /* michael@0: ** Make a copy of "src" storing it in "dest". Memory is allocated in michael@0: ** "dest" for each of the appropriate sub objects. Memory is not freed in michael@0: ** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to michael@0: ** do that). michael@0: */ michael@0: extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, michael@0: const CERTName *src); michael@0: michael@0: /* michael@0: ** Destroy a Name object. michael@0: ** "name" the CERTName to destroy michael@0: ** "freeit" if PR_TRUE then free the object as well as its sub-objects michael@0: */ michael@0: extern void CERT_DestroyName(CERTName *name); michael@0: michael@0: /* michael@0: ** Add an RDN to a name. michael@0: ** "name" the name to add the RDN to michael@0: ** "rdn" the RDN to add to name michael@0: */ michael@0: extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn); michael@0: michael@0: /* michael@0: ** Compare two names, returning the difference between them. michael@0: */ michael@0: extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b); michael@0: michael@0: /* michael@0: ** Convert a CERTName into something readable michael@0: */ michael@0: extern char *CERT_FormatName (CERTName *name); michael@0: michael@0: /* michael@0: ** Convert a der-encoded integer to a hex printable string form. michael@0: ** Perhaps this should be a SEC function but it's only used for certs. michael@0: */ michael@0: extern char *CERT_Hexify (SECItem *i, int do_colon); michael@0: michael@0: /* michael@0: ** Converts DER string (with explicit length) into zString, if destination michael@0: ** buffer is big enough to receive it. Does quoting and/or escaping as michael@0: ** specified in RFC 1485. Input string must be single or multi-byte DER michael@0: ** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set. michael@0: ** Returns SECSuccess or SECFailure with error code set. If output buffer michael@0: ** is too small, sets error code SEC_ERROR_OUTPUT_LEN. michael@0: */ michael@0: extern SECStatus michael@0: CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen); michael@0: michael@0: /****************************************************************************** michael@0: * michael@0: * Certificate handling operations michael@0: * michael@0: *****************************************************************************/ michael@0: michael@0: /* michael@0: ** Create a new validity object given two unix time values. michael@0: ** "notBefore" the time before which the validity is not valid michael@0: ** "notAfter" the time after which the validity is not valid michael@0: */ michael@0: extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter); michael@0: michael@0: /* michael@0: ** Destroy a validity object. michael@0: ** "v" the validity to destroy michael@0: ** "freeit" if PR_TRUE then free the object as well as its sub-objects michael@0: */ michael@0: extern void CERT_DestroyValidity(CERTValidity *v); michael@0: michael@0: /* michael@0: ** Copy the "src" object to "dest". Memory is allocated in "dest" for michael@0: ** each of the appropriate sub-objects. Memory in "dest" is not freed michael@0: ** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do michael@0: ** that). michael@0: */ michael@0: extern SECStatus CERT_CopyValidity michael@0: (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src); michael@0: michael@0: /* michael@0: ** The cert lib considers a cert or CRL valid if the "notBefore" time is michael@0: ** in the not-too-distant future, e.g. within the next 24 hours. This michael@0: ** prevents freshly issued certificates from being considered invalid michael@0: ** because the local system's time zone is incorrectly set. michael@0: ** The amount of "pending slop time" is adjustable by the application. michael@0: ** Units of SlopTime are seconds. Default is 86400 (24 hours). michael@0: ** Negative SlopTime values are not allowed. michael@0: */ michael@0: PRInt32 CERT_GetSlopTime(void); michael@0: michael@0: SECStatus CERT_SetSlopTime(PRInt32 slop); michael@0: michael@0: /* michael@0: ** Create a new certificate object. The result must be wrapped with an michael@0: ** CERTSignedData to create a signed certificate. michael@0: ** "serialNumber" the serial number michael@0: ** "issuer" the name of the certificate issuer michael@0: ** "validity" the validity period of the certificate michael@0: ** "req" the certificate request that prompted the certificate issuance michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer, michael@0: CERTValidity *validity, CERTCertificateRequest *req); michael@0: michael@0: /* michael@0: ** Destroy a certificate object michael@0: ** "cert" the certificate to destroy michael@0: ** NOTE: certificate's are reference counted. This call decrements the michael@0: ** reference count, and if the result is zero, then the object is destroyed michael@0: ** and optionally freed. michael@0: */ michael@0: extern void CERT_DestroyCertificate(CERTCertificate *cert); michael@0: michael@0: /* michael@0: ** Make a shallow copy of a certificate "c". Just increments the michael@0: ** reference count on "c". michael@0: */ michael@0: extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c); michael@0: michael@0: /* michael@0: ** Create a new certificate request. This result must be wrapped with an michael@0: ** CERTSignedData to create a signed certificate request. michael@0: ** "name" the subject name (who the certificate request is from) michael@0: ** "spki" describes/defines the public key the certificate is for michael@0: ** "attributes" if non-zero, some optional attribute data michael@0: */ michael@0: extern CERTCertificateRequest * michael@0: CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki, michael@0: SECItem **attributes); michael@0: michael@0: /* michael@0: ** Destroy a certificate-request object michael@0: ** "r" the certificate-request to destroy michael@0: ** "freeit" if PR_TRUE then free the object as well as its sub-objects michael@0: */ michael@0: extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r); michael@0: michael@0: /* michael@0: ** Start adding extensions to a certificate request. michael@0: */ michael@0: void * michael@0: CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req); michael@0: michael@0: /* michael@0: ** Reformat the certificate extension list into a CertificateRequest michael@0: ** attribute list. michael@0: */ michael@0: SECStatus michael@0: CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req); michael@0: michael@0: /* michael@0: ** Extract the Extension Requests from a DER CertRequest attribute list. michael@0: */ michael@0: SECStatus michael@0: CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, michael@0: CERTCertExtension ***exts); michael@0: michael@0: /* michael@0: ** Extract a public key object from a certificate michael@0: */ michael@0: extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert); michael@0: michael@0: /* michael@0: ** Retrieve the Key Type associated with the cert we're dealing with michael@0: */ michael@0: michael@0: extern KeyType CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki); michael@0: michael@0: /* michael@0: ** Initialize the certificate database. This is called to create michael@0: ** the initial list of certificates in the database. michael@0: */ michael@0: extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle); michael@0: michael@0: extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: ** Default certificate database routines michael@0: */ michael@0: extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle); michael@0: michael@0: extern CERTCertDBHandle *CERT_GetDefaultCertDB(void); michael@0: michael@0: extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, michael@0: PRTime time, michael@0: SECCertUsage usage); michael@0: extern CERTCertificate * michael@0: CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert, michael@0: char *nickname, PRBool isperm, PRBool copyDER); michael@0: michael@0: michael@0: /****************************************************************************** michael@0: * michael@0: * X.500 Name handling operations michael@0: * michael@0: *****************************************************************************/ michael@0: michael@0: /* michael@0: ** Create an AVA (attribute-value-assertion) michael@0: ** "arena" the memory arena to alloc from michael@0: ** "kind" is one of SEC_OID_AVA_* michael@0: ** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or michael@0: ** DER_T61_STRING michael@0: ** "value" is the null terminated string containing the value michael@0: */ michael@0: extern CERTAVA *CERT_CreateAVA michael@0: (PLArenaPool *arena, SECOidTag kind, int valueType, char *value); michael@0: michael@0: /* michael@0: ** Extract the Distinguished Name from a DER encoded certificate michael@0: ** "derCert" is the DER encoded certificate michael@0: ** "derName" is the SECItem that the name is returned in michael@0: */ michael@0: extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName); michael@0: michael@0: /* michael@0: ** Extract the Issuers Distinguished Name from a DER encoded certificate michael@0: ** "derCert" is the DER encoded certificate michael@0: ** "derName" is the SECItem that the name is returned in michael@0: */ michael@0: extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, michael@0: SECItem *derName); michael@0: michael@0: extern SECItem * michael@0: CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, michael@0: PLArenaPool *arena); michael@0: michael@0: extern CERTGeneralName * michael@0: CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName, michael@0: CERTGeneralName *genName); michael@0: michael@0: michael@0: michael@0: /* michael@0: ** Generate a database search key for a certificate, based on the michael@0: ** issuer and serial number. michael@0: ** "arena" the memory arena to alloc from michael@0: ** "derCert" the DER encoded certificate michael@0: ** "key" the returned key michael@0: */ michael@0: extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, michael@0: SECItem *key); michael@0: michael@0: extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, michael@0: SECItem *sn, SECItem *key); michael@0: michael@0: extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, michael@0: SECItem *derName); michael@0: michael@0: michael@0: /* michael@0: ** Generate a database search key for a crl, based on the michael@0: ** issuer. michael@0: ** "arena" the memory arena to alloc from michael@0: ** "derCrl" the DER encoded crl michael@0: ** "key" the returned key michael@0: */ michael@0: extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key); michael@0: michael@0: /* michael@0: ** Open the certificate database. Use callback to get name of database. michael@0: */ michael@0: extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly, michael@0: CERTDBNameFunc namecb, void *cbarg); michael@0: michael@0: /* Open the certificate database. Use given filename for database. */ michael@0: extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle, michael@0: char *certdbname, PRBool readOnly); michael@0: michael@0: /* michael@0: ** Open and initialize a cert database that is entirely in memory. This michael@0: ** can be used when the permanent database can not be opened or created. michael@0: */ michael@0: extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: ** Extract the list of host names, host name patters, IP address strings michael@0: ** this cert is valid for. michael@0: ** This function does NOT return nicknames. michael@0: ** Type CERTCertNicknames is being used because it's a convenient michael@0: ** data structure to carry a list of strings and its count. michael@0: */ michael@0: extern CERTCertNicknames * michael@0: CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert); michael@0: michael@0: /* michael@0: ** Check the hostname to make sure that it matches the shexp that michael@0: ** is given in the common name of the certificate. michael@0: */ michael@0: extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert, michael@0: const char *hostname); michael@0: michael@0: /* michael@0: ** Add a domain name to the list of names that the user has explicitly michael@0: ** allowed (despite cert name mismatches) for use with a server cert. michael@0: */ michael@0: extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname); michael@0: michael@0: /* michael@0: ** Decode a DER encoded certificate into an CERTCertificate structure michael@0: ** "derSignedCert" is the DER encoded signed certificate michael@0: ** "copyDER" is true if the DER should be copied, false if the michael@0: ** existing copy should be referenced michael@0: ** "nickname" is the nickname to use in the database. If it is NULL michael@0: ** then a temporary nickname is generated. michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname); michael@0: /* michael@0: ** Decode a DER encoded CRL into a CERTSignedCrl structure michael@0: ** "derSignedCrl" is the DER encoded signed CRL. michael@0: ** "type" must be SEC_CRL_TYPE. michael@0: */ michael@0: #define SEC_CRL_TYPE 1 michael@0: #define SEC_KRL_TYPE 0 /* deprecated */ michael@0: michael@0: extern CERTSignedCrl * michael@0: CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type); michael@0: michael@0: /* michael@0: * same as CERT_DecodeDERCrl, plus allow options to be passed in michael@0: */ michael@0: michael@0: extern CERTSignedCrl * michael@0: CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl, michael@0: int type, PRInt32 options); michael@0: michael@0: /* CRL options to pass */ michael@0: michael@0: #define CRL_DECODE_DEFAULT_OPTIONS 0x00000000 michael@0: michael@0: /* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The michael@0: application must then keep derSignedCrl until it destroys the michael@0: CRL . Ideally, it should allocate derSignedCrl in an arena michael@0: and pass that arena in as the first argument to michael@0: CERT_DecodeDERCrlWithFlags */ michael@0: michael@0: #define CRL_DECODE_DONT_COPY_DER 0x00000001 michael@0: #define CRL_DECODE_SKIP_ENTRIES 0x00000002 michael@0: #define CRL_DECODE_KEEP_BAD_CRL 0x00000004 michael@0: #define CRL_DECODE_ADOPT_HEAP_DER 0x00000008 michael@0: michael@0: /* complete the decoding of a partially decoded CRL, ie. decode the michael@0: entries. Note that entries is an optional field in a CRL, so the michael@0: "entries" pointer in CERTCrlStr may still be NULL even after michael@0: function returns SECSuccess */ michael@0: michael@0: extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl); michael@0: michael@0: /* Validate CRL then import it to the dbase. If there is already a CRL with the michael@0: * same CA in the dbase, it will be replaced if derCRL is more up to date. michael@0: * If the process successes, a CRL will be returned. Otherwise, a NULL will michael@0: * be returned. The caller should call PORT_GetError() for the exactly error michael@0: * code. michael@0: */ michael@0: extern CERTSignedCrl * michael@0: CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, michael@0: int type, void * wincx); michael@0: michael@0: extern void CERT_DestroyCrl (CERTSignedCrl *crl); michael@0: michael@0: /* this is a hint to flush the CRL cache. crlKey is the DER subject of michael@0: the issuer (CA). */ michael@0: void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey); michael@0: michael@0: /* add the specified DER CRL object to the CRL cache. Doing so will allow michael@0: certificate verification functions (such as CERT_VerifyCertificate) michael@0: to automatically find and make use of this CRL object. michael@0: Once a CRL is added to the CRL cache, the application must hold on to michael@0: the object's memory, because the cache will reference it directly. The michael@0: application can only free the object after it calls CERT_UncacheCRL to michael@0: remove it from the CRL cache. michael@0: */ michael@0: SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl); michael@0: michael@0: /* remove a previously added CRL object from the CRL cache. It is OK michael@0: for the application to free the memory after a successful removal michael@0: */ michael@0: SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl); michael@0: michael@0: /* michael@0: ** Find a certificate in the database michael@0: ** "key" is the database key to look for michael@0: */ michael@0: extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by name michael@0: ** "name" is the distinguished name to look up michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by name michael@0: ** "name" is the distinguished name to look up (in ascii) michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by name and keyid michael@0: ** "name" is the distinguished name to look up michael@0: ** "keyID" is the value of the subjectKeyID to match michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID); michael@0: michael@0: /* michael@0: ** Generate a certificate key from the issuer and serialnumber, then look it michael@0: ** up in the database. Return the cert if found. michael@0: ** "issuerAndSN" is the issuer and serial number to look for michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a subject key ID michael@0: ** "subjKeyID" is the subject Key ID to look for michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID); michael@0: michael@0: /* michael@0: ** Encode Certificate SKID (Subject Key ID) extension. michael@0: ** michael@0: */ michael@0: extern SECStatus michael@0: CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString, michael@0: SECItem *encodedValue); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a nickname michael@0: ** "nickname" is the ascii string nickname to look for michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a DER encoded certificate michael@0: ** "derCert" is the DER encoded certificate michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a email address michael@0: ** "emailAddr" is the email address to look up michael@0: */ michael@0: CERTCertificate * michael@0: CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a email address or nickname michael@0: ** "name" is the email address or nickname to look up michael@0: */ michael@0: CERTCertificate * michael@0: CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a email address or nickname michael@0: ** and require it to have the given usage. michael@0: ** "name" is the email address or nickname to look up michael@0: */ michael@0: CERTCertificate * michael@0: CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, michael@0: const char *name, michael@0: SECCertUsage lookingForUsage); michael@0: michael@0: /* michael@0: ** Find a certificate in the database by a digest of a subject public key michael@0: ** "spkDigest" is the digest to look up michael@0: */ michael@0: extern CERTCertificate * michael@0: CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest); michael@0: michael@0: /* michael@0: * Find the issuer of a cert michael@0: */ michael@0: CERTCertificate * michael@0: CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage); michael@0: michael@0: /* michael@0: ** Check the validity times of a certificate vs. time 't', allowing michael@0: ** some slop for broken clocks and stuff. michael@0: ** "cert" is the certificate to be checked michael@0: ** "t" is the time to check against michael@0: ** "allowOverride" if true then check to see if the invalidity has michael@0: ** been overridden by the user. michael@0: */ michael@0: extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert, michael@0: PRTime t, michael@0: PRBool allowOverride); michael@0: michael@0: /* michael@0: ** WARNING - this function is deprecated, and will either go away or have michael@0: ** a new API in the near future. michael@0: ** michael@0: ** Check the validity times of a certificate vs. the current time, allowing michael@0: ** some slop for broken clocks and stuff. michael@0: ** "cert" is the certificate to be checked michael@0: */ michael@0: extern SECStatus CERT_CertTimesValid(CERTCertificate *cert); michael@0: michael@0: /* michael@0: ** Extract the validity times from a certificate michael@0: ** "c" is the certificate michael@0: ** "notBefore" is the start of the validity period michael@0: ** "notAfter" is the end of the validity period michael@0: */ michael@0: extern SECStatus michael@0: CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore, michael@0: PRTime *notAfter); michael@0: michael@0: /* michael@0: ** Extract the issuer and serial number from a certificate michael@0: */ michael@0: extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, michael@0: CERTCertificate *); michael@0: michael@0: /* michael@0: ** verify the signature of a signed data object with a given certificate michael@0: ** "sd" the signed data object to be verified michael@0: ** "cert" the certificate to use to check the signature michael@0: */ michael@0: extern SECStatus CERT_VerifySignedData(CERTSignedData *sd, michael@0: CERTCertificate *cert, michael@0: PRTime t, michael@0: void *wincx); michael@0: /* michael@0: ** verify the signature of a signed data object with the given DER publickey michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, michael@0: CERTSubjectPublicKeyInfo *pubKeyInfo, michael@0: void *wincx); michael@0: michael@0: /* michael@0: ** verify the signature of a signed data object with a SECKEYPublicKey. michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, michael@0: SECKEYPublicKey *pubKey, void *wincx); michael@0: michael@0: /* michael@0: ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use michael@0: ** verify a certificate by checking validity times against a certain time, michael@0: ** that we trust the issuer, and that the signature on the certificate is michael@0: ** valid. michael@0: ** "cert" the certificate to verify michael@0: ** "checkSig" only check signatures if true michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertificateUsage requiredUsages, michael@0: PRTime t, void *wincx, CERTVerifyLog *log, michael@0: SECCertificateUsage* returnedUsages); michael@0: michael@0: /* same as above, but uses current time */ michael@0: extern SECStatus michael@0: CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertificateUsage requiredUsages, michael@0: void *wincx, SECCertificateUsage* returnedUsages); michael@0: michael@0: /* michael@0: ** Verify that a CA cert can certify some (unspecified) leaf cert for a given michael@0: ** purpose. This is used by UI code to help identify where a chain may be michael@0: ** broken and why. This takes identical parameters to CERT_VerifyCert michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertUsage certUsage, PRTime t, michael@0: void *wincx, CERTVerifyLog *log); michael@0: michael@0: /* michael@0: ** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE michael@0: ** verify a certificate by checking validity times against a certain time, michael@0: ** that we trust the issuer, and that the signature on the certificate is michael@0: ** valid. michael@0: ** "cert" the certificate to verify michael@0: ** "checkSig" only check signatures if true michael@0: */ michael@0: extern SECStatus michael@0: CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertUsage certUsage, PRTime t, michael@0: void *wincx, CERTVerifyLog *log); michael@0: michael@0: /* same as above, but uses current time */ michael@0: extern SECStatus michael@0: CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertUsage certUsage, void *wincx); michael@0: michael@0: SECStatus michael@0: CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: PRBool checkSig, SECCertUsage certUsage, PRTime t, michael@0: void *wincx, CERTVerifyLog *log); michael@0: michael@0: /* michael@0: ** Read a base64 ascii encoded DER certificate and convert it to our michael@0: ** internal format. michael@0: ** "certstr" is a null-terminated string containing the certificate michael@0: */ michael@0: extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr); michael@0: michael@0: /* michael@0: ** Read a certificate in some foreign format, and convert it to our michael@0: ** internal format. michael@0: ** "certbuf" is the buffer containing the certificate michael@0: ** "certlen" is the length of the buffer michael@0: ** NOTE - currently supports netscape base64 ascii encoded raw certs michael@0: ** and netscape binary DER typed files. michael@0: */ michael@0: extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen); michael@0: michael@0: extern SECStatus michael@0: CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage); michael@0: michael@0: extern SECStatus michael@0: CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage); michael@0: michael@0: /* michael@0: ** Read a certificate chain in some foreign format, and pass it to a michael@0: ** callback function. michael@0: ** "certbuf" is the buffer containing the certificate michael@0: ** "certlen" is the length of the buffer michael@0: ** "f" is the callback function michael@0: ** "arg" is the callback argument michael@0: */ michael@0: typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc) michael@0: (void *arg, SECItem **certs, int numcerts); michael@0: michael@0: extern SECStatus michael@0: CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f, michael@0: void *arg); michael@0: michael@0: /* michael@0: ** Returns the value of an AVA. This was a formerly static michael@0: ** function that has been exposed due to the need to decode michael@0: ** and convert unicode strings to UTF8. michael@0: ** michael@0: ** XXX This function resides in certhtml.c, should it be michael@0: ** moved elsewhere? michael@0: */ michael@0: extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue); michael@0: michael@0: michael@0: michael@0: /* michael@0: ** extract various element strings from a distinguished name. michael@0: ** "name" the distinguished name michael@0: */ michael@0: michael@0: extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert); michael@0: michael@0: extern char *CERT_GetCertEmailAddress(const CERTName *name); michael@0: michael@0: extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert); michael@0: michael@0: extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, michael@0: const char * prev); michael@0: michael@0: /* The return value must be freed with PORT_Free. */ michael@0: extern char *CERT_GetCommonName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetCountryName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetLocalityName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetStateName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetOrgName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetOrgUnitName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetDomainComponentName(const CERTName *name); michael@0: michael@0: extern char *CERT_GetCertUid(const CERTName *name); michael@0: michael@0: /* manipulate the trust parameters of a certificate */ michael@0: michael@0: extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert, michael@0: CERTCertTrust *trust); michael@0: michael@0: extern SECStatus michael@0: CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert, michael@0: CERTCertTrust *trust); michael@0: michael@0: extern SECStatus michael@0: CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert, michael@0: SECCertUsage usage); michael@0: michael@0: /************************************************************************* michael@0: * michael@0: * manipulate the extensions of a certificate michael@0: * michael@0: ************************************************************************/ michael@0: michael@0: /* michael@0: ** Set up a cert for adding X509v3 extensions. Returns an opaque handle michael@0: ** used by the next two routines. michael@0: ** "cert" is the certificate we are adding extensions to michael@0: */ michael@0: extern void *CERT_StartCertExtensions(CERTCertificate *cert); michael@0: michael@0: /* michael@0: ** Add an extension to a certificate. michael@0: ** "exthandle" is the handle returned by the previous function michael@0: ** "idtag" is the integer tag for the OID that should ID this extension michael@0: ** "value" is the value of the extension michael@0: ** "critical" is the critical extension flag michael@0: ** "copyData" is a flag indicating whether the value data should be michael@0: ** copied. michael@0: */ michael@0: extern SECStatus CERT_AddExtension (void *exthandle, int idtag, michael@0: SECItem *value, PRBool critical, PRBool copyData); michael@0: michael@0: extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid, michael@0: SECItem *value, PRBool critical, PRBool copyData); michael@0: michael@0: extern SECStatus CERT_EncodeAndAddExtension michael@0: (void *exthandle, int idtag, void *value, PRBool critical, michael@0: const SEC_ASN1Template *atemplate); michael@0: michael@0: extern SECStatus CERT_EncodeAndAddBitStrExtension michael@0: (void *exthandle, int idtag, SECItem *value, PRBool critical); michael@0: michael@0: michael@0: extern SECStatus michael@0: CERT_EncodeAltNameExtension(PLArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue); michael@0: michael@0: michael@0: /* michael@0: ** Finish adding cert extensions. Does final processing on extension michael@0: ** data, putting it in the right format, and freeing any temporary michael@0: ** storage. michael@0: ** "exthandle" is the handle used to add extensions to a certificate michael@0: */ michael@0: extern SECStatus CERT_FinishExtensions(void *exthandle); michael@0: michael@0: /* michael@0: ** Merge an external list of extensions into a cert's extension list, adding one michael@0: ** only when its OID matches none of the cert's existing extensions. Call this michael@0: ** immediately before calling CERT_FinishExtensions(). michael@0: */ michael@0: SECStatus michael@0: CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts); michael@0: michael@0: /* If the extension is found, return its criticality and value. michael@0: ** This allocate storage for the returning extension value. michael@0: */ michael@0: extern SECStatus CERT_GetExtenCriticality michael@0: (CERTCertExtension **extensions, int tag, PRBool *isCritical); michael@0: michael@0: extern void michael@0: CERT_DestroyOidSequence(CERTOidSequence *oidSeq); michael@0: michael@0: /**************************************************************************** michael@0: * michael@0: * DER encode and decode extension values michael@0: * michael@0: ****************************************************************************/ michael@0: michael@0: /* Encode the value of the basicConstraint extension. michael@0: ** arena - where to allocate memory for the encoded value. michael@0: ** value - extension value to encode michael@0: ** encodedValue - output encoded value michael@0: */ michael@0: extern SECStatus CERT_EncodeBasicConstraintValue michael@0: (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue); michael@0: michael@0: /* michael@0: ** Encode the value of the authorityKeyIdentifier extension. michael@0: */ michael@0: extern SECStatus CERT_EncodeAuthKeyID michael@0: (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue); michael@0: michael@0: /* michael@0: ** Encode the value of the crlDistributionPoints extension. michael@0: */ michael@0: extern SECStatus CERT_EncodeCRLDistributionPoints michael@0: (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue); michael@0: michael@0: /* michael@0: ** Decodes a DER encoded basicConstaint extension value into a readable format michael@0: ** value - decoded value michael@0: ** encodedValue - value to decoded michael@0: */ michael@0: extern SECStatus CERT_DecodeBasicConstraintValue michael@0: (CERTBasicConstraints *value, const SECItem *encodedValue); michael@0: michael@0: /* Decodes a DER encoded authorityKeyIdentifier extension value into a michael@0: ** readable format. michael@0: ** arena - where to allocate memory for the decoded value michael@0: ** encodedValue - value to be decoded michael@0: ** Returns a CERTAuthKeyID structure which contains the decoded value michael@0: */ michael@0: extern CERTAuthKeyID *CERT_DecodeAuthKeyID michael@0: (PLArenaPool *arena, const SECItem *encodedValue); michael@0: michael@0: /* Decodes a DER encoded crlDistributionPoints extension value into a michael@0: ** readable format. michael@0: ** arena - where to allocate memory for the decoded value michael@0: ** der - value to be decoded michael@0: ** Returns a CERTCrlDistributionPoints structure which contains the michael@0: ** decoded value michael@0: */ michael@0: extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints michael@0: (PLArenaPool *arena, SECItem *der); michael@0: michael@0: /* Extract certain name type from a generalName */ michael@0: extern void *CERT_GetGeneralNameByType michael@0: (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat); michael@0: michael@0: michael@0: extern CERTOidSequence * michael@0: CERT_DecodeOidSequence(const SECItem *seqItem); michael@0: michael@0: michael@0: michael@0: michael@0: /**************************************************************************** michael@0: * michael@0: * Find extension values of a certificate michael@0: * michael@0: ***************************************************************************/ michael@0: michael@0: extern SECStatus CERT_FindCertExtension michael@0: (const CERTCertificate *cert, int tag, SECItem *value); michael@0: michael@0: extern SECStatus CERT_FindNSCertTypeExtension michael@0: (CERTCertificate *cert, SECItem *value); michael@0: michael@0: extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag); michael@0: michael@0: extern SECStatus CERT_FindIssuerCertExtension michael@0: (CERTCertificate *cert, int tag, SECItem *value); michael@0: michael@0: extern SECStatus CERT_FindCertExtensionByOID michael@0: (CERTCertificate *cert, SECItem *oid, SECItem *value); michael@0: michael@0: extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, michael@0: int catag); michael@0: michael@0: /* Returns the decoded value of the authKeyID extension. michael@0: ** Note that this uses passed in the arena to allocate storage for the result michael@0: */ michael@0: extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert); michael@0: michael@0: /* Returns the decoded value of the basicConstraint extension. michael@0: */ michael@0: extern SECStatus CERT_FindBasicConstraintExten michael@0: (CERTCertificate *cert, CERTBasicConstraints *value); michael@0: michael@0: /* Returns the decoded value of the crlDistributionPoints extension. michael@0: ** Note that the arena in cert is used to allocate storage for the result michael@0: */ michael@0: extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints michael@0: (CERTCertificate *cert); michael@0: michael@0: /* Returns value of the keyUsage extension. This uses PR_Alloc to allocate michael@0: ** buffer for the decoded value. The caller should free up the storage michael@0: ** allocated in value->data. michael@0: */ michael@0: extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, michael@0: SECItem *value); michael@0: michael@0: /* Return the decoded value of the subjectKeyID extension. The caller should michael@0: ** free up the storage allocated in retItem->data. michael@0: */ michael@0: extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, michael@0: SECItem *retItem); michael@0: michael@0: /* michael@0: ** If cert is a v3 certificate, and a critical keyUsage extension is included, michael@0: ** then check the usage against the extension value. If a non-critical michael@0: ** keyUsage extension is included, this will return SECSuccess without michael@0: ** checking, since the extension is an advisory field, not a restriction. michael@0: ** If cert is not a v3 certificate, this will return SECSuccess. michael@0: ** cert - certificate michael@0: ** usage - one of the x.509 v3 the Key Usage Extension flags michael@0: */ michael@0: extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, michael@0: unsigned char usage); michael@0: michael@0: /**************************************************************************** michael@0: * michael@0: * CRL v2 Extensions supported routines michael@0: * michael@0: ****************************************************************************/ michael@0: michael@0: extern SECStatus CERT_FindCRLExtensionByOID michael@0: (CERTCrl *crl, SECItem *oid, SECItem *value); michael@0: michael@0: extern SECStatus CERT_FindCRLExtension michael@0: (CERTCrl *crl, int tag, SECItem *value); michael@0: michael@0: extern SECStatus michael@0: CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value); michael@0: michael@0: /* michael@0: ** Set up a crl for adding X509v3 extensions. Returns an opaque handle michael@0: ** used by routines that take an exthandle (void*) argument . michael@0: ** "crl" is the CRL we are adding extensions to michael@0: */ michael@0: extern void *CERT_StartCRLExtensions(CERTCrl *crl); michael@0: michael@0: /* michael@0: ** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle michael@0: ** used by routines that take an exthandle (void*) argument . michael@0: ** "crl" is the crl we are adding certs entries to michael@0: ** "entry" is the crl entry we are adding extensions to michael@0: */ michael@0: extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry); michael@0: michael@0: extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle, michael@0: int what, void *wincx); michael@0: michael@0: /* michael@0: ** Finds the crlNumber extension and decodes its value into 'value' michael@0: */ michael@0: extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl, michael@0: SECItem *value); michael@0: michael@0: extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, michael@0: CERTCRLEntryReasonCode *value); michael@0: michael@0: extern void CERT_FreeNicknames(CERTCertNicknames *nicknames); michael@0: michael@0: extern PRBool CERT_CompareCerts(const CERTCertificate *c1, michael@0: const CERTCertificate *c2); michael@0: michael@0: extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, michael@0: CERTCertificate *c2); michael@0: michael@0: /* michael@0: ** Generate an array of the Distinguished Names that the given cert database michael@0: ** "trusts" michael@0: */ michael@0: extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle); michael@0: michael@0: extern void CERT_FreeDistNames(CERTDistNames *names); michael@0: michael@0: /* Duplicate distinguished name array */ michael@0: extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig); michael@0: michael@0: /* michael@0: ** Generate an array of Distinguished names from an array of nicknames michael@0: */ michael@0: extern CERTDistNames *CERT_DistNamesFromNicknames michael@0: (CERTCertDBHandle *handle, char **nicknames, int nnames); michael@0: michael@0: /* michael@0: ** Generate an array of Distinguished names from a list of certs. michael@0: */ michael@0: extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list); michael@0: michael@0: /* michael@0: ** Generate a certificate chain from a certificate. michael@0: */ michael@0: extern CERTCertificateList * michael@0: CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, michael@0: PRBool includeRoot); michael@0: michael@0: extern CERTCertificateList * michael@0: CERT_CertListFromCert(CERTCertificate *cert); michael@0: michael@0: extern CERTCertificateList * michael@0: CERT_DupCertList(const CERTCertificateList * oldList); michael@0: michael@0: extern void CERT_DestroyCertificateList(CERTCertificateList *list); michael@0: michael@0: /* michael@0: ** is cert a user cert? i.e. does it have CERTDB_USER trust, michael@0: ** i.e. a private key? michael@0: */ michael@0: PRBool CERT_IsUserCert(CERTCertificate* cert); michael@0: michael@0: /* is cert a newer than cert b? */ michael@0: PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb); michael@0: michael@0: /* currently a stub for address book */ michael@0: PRBool michael@0: CERT_IsCertRevoked(CERTCertificate *cert); michael@0: michael@0: void michael@0: CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts); michael@0: michael@0: /* convert an email address to lower case */ michael@0: char *CERT_FixupEmailAddr(const char *emailAddr); michael@0: michael@0: /* decode string representation of trust flags into trust struct */ michael@0: SECStatus michael@0: CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts); michael@0: michael@0: /* encode trust struct into string representation of trust flags */ michael@0: char * michael@0: CERT_EncodeTrustString(CERTCertTrust *trust); michael@0: michael@0: /* find the next or prev cert in a subject list */ michael@0: CERTCertificate * michael@0: CERT_PrevSubjectCert(CERTCertificate *cert); michael@0: CERTCertificate * michael@0: CERT_NextSubjectCert(CERTCertificate *cert); michael@0: michael@0: /* michael@0: * import a collection of certs into the temporary or permanent cert michael@0: * database michael@0: */ michael@0: SECStatus michael@0: CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, michael@0: unsigned int ncerts, SECItem **derCerts, michael@0: CERTCertificate ***retCerts, PRBool keepCerts, michael@0: PRBool caOnly, char *nickname); michael@0: michael@0: char * michael@0: CERT_MakeCANickname(CERTCertificate *cert); michael@0: michael@0: PRBool michael@0: CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype); michael@0: michael@0: PRBool michael@0: CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype); michael@0: michael@0: PRBool michael@0: CERT_IsRootDERCert(SECItem *derCert); michael@0: michael@0: SECStatus michael@0: CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, michael@0: SECItem *profileTime); michael@0: michael@0: /* michael@0: * find the smime symmetric capabilities profile for a given cert michael@0: */ michael@0: SECItem * michael@0: CERT_FindSMimeProfile(CERTCertificate *cert); michael@0: michael@0: SECStatus michael@0: CERT_AddNewCerts(CERTCertDBHandle *handle); michael@0: michael@0: CERTCertificatePolicies * michael@0: CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue); michael@0: michael@0: void michael@0: CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies); michael@0: michael@0: CERTCertificatePolicyMappings * michael@0: CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps); michael@0: michael@0: SECStatus michael@0: CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings); michael@0: michael@0: SECStatus michael@0: CERT_DecodePolicyConstraintsExtension( michael@0: CERTCertificatePolicyConstraints *decodedValue, michael@0: const SECItem *encodedValue); michael@0: michael@0: SECStatus CERT_DecodeInhibitAnyExtension michael@0: (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue); michael@0: michael@0: CERTUserNotice * michael@0: CERT_DecodeUserNotice(SECItem *noticeItem); michael@0: michael@0: extern CERTGeneralName * michael@0: CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName); michael@0: michael@0: extern CERTNameConstraints * michael@0: CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, michael@0: const SECItem *encodedConstraints); michael@0: michael@0: /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */ michael@0: extern CERTAuthInfoAccess ** michael@0: CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena, michael@0: SECItem *encodedExtension); michael@0: michael@0: extern CERTPrivKeyUsagePeriod * michael@0: CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue); michael@0: michael@0: extern CERTGeneralName * michael@0: CERT_GetNextGeneralName(CERTGeneralName *current); michael@0: michael@0: extern CERTGeneralName * michael@0: CERT_GetPrevGeneralName(CERTGeneralName *current); michael@0: michael@0: CERTNameConstraint * michael@0: CERT_GetNextNameConstraint(CERTNameConstraint *current); michael@0: michael@0: CERTNameConstraint * michael@0: CERT_GetPrevNameConstraint(CERTNameConstraint *current); michael@0: michael@0: void michael@0: CERT_DestroyUserNotice(CERTUserNotice *userNotice); michael@0: michael@0: typedef char * (* CERTPolicyStringCallback)(char *org, michael@0: unsigned long noticeNumber, michael@0: void *arg); michael@0: void michael@0: CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg); michael@0: michael@0: char * michael@0: CERT_GetCertCommentString(CERTCertificate *cert); michael@0: michael@0: PRBool michael@0: CERT_GovtApprovedBitSet(CERTCertificate *cert); michael@0: michael@0: SECStatus michael@0: CERT_AddPermNickname(CERTCertificate *cert, char *nickname); michael@0: michael@0: CERTCertList * michael@0: CERT_MatchUserCert(CERTCertDBHandle *handle, michael@0: SECCertUsage usage, michael@0: int nCANames, char **caNames, michael@0: void *proto_win); michael@0: michael@0: CERTCertList * michael@0: CERT_NewCertList(void); michael@0: michael@0: /* free the cert list and all the certs in the list */ michael@0: void michael@0: CERT_DestroyCertList(CERTCertList *certs); michael@0: michael@0: /* remove the node and free the cert */ michael@0: void michael@0: CERT_RemoveCertListNode(CERTCertListNode *node); michael@0: michael@0: /* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */ michael@0: SECStatus michael@0: CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert); michael@0: michael@0: /* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */ michael@0: SECStatus michael@0: CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert); michael@0: michael@0: /* michael@0: * The new cert list node takes ownership of "cert". "cert" is freed michael@0: * when the list node is removed. michael@0: */ michael@0: SECStatus michael@0: CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert, michael@0: void *appData); michael@0: michael@0: /* michael@0: * The new cert list node takes ownership of "cert". "cert" is freed michael@0: * when the list node is removed. michael@0: */ michael@0: SECStatus michael@0: CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, michael@0: void *appData); michael@0: michael@0: typedef PRBool (* CERTSortCallback)(CERTCertificate *certa, michael@0: CERTCertificate *certb, michael@0: void *arg); michael@0: SECStatus michael@0: CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert, michael@0: CERTSortCallback f, void *arg); michael@0: michael@0: /* callback for CERT_AddCertToListSorted that sorts based on validity michael@0: * period and a given time. michael@0: */ michael@0: PRBool michael@0: CERT_SortCBValidity(CERTCertificate *certa, michael@0: CERTCertificate *certb, michael@0: void *arg); michael@0: michael@0: SECStatus michael@0: CERT_CheckForEvilCert(CERTCertificate *cert); michael@0: michael@0: CERTGeneralName * michael@0: CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena); michael@0: michael@0: CERTGeneralName * michael@0: CERT_GetConstrainedCertificateNames(const CERTCertificate *cert, michael@0: PLArenaPool *arena, michael@0: PRBool includeSubjectCommonName); michael@0: michael@0: /* michael@0: * Creates or adds to a list of all certs with a give subject name, sorted by michael@0: * validity time, newest first. Invalid certs are considered older than michael@0: * valid certs. If validOnly is set, do not include invalid certs on list. michael@0: */ michael@0: CERTCertList * michael@0: CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle, michael@0: const SECItem *name, PRTime sorttime, michael@0: PRBool validOnly); michael@0: michael@0: /* michael@0: * remove certs from a list that don't have keyUsage and certType michael@0: * that match the given usage. michael@0: */ michael@0: SECStatus michael@0: CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, michael@0: PRBool ca); michael@0: michael@0: /* michael@0: * check the key usage of a cert against a set of required values michael@0: */ michael@0: SECStatus michael@0: CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage); michael@0: michael@0: /* michael@0: * return required key usage and cert type based on cert usage michael@0: */ michael@0: SECStatus michael@0: CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, michael@0: PRBool ca, michael@0: unsigned int *retKeyUsage, michael@0: unsigned int *retCertType); michael@0: /* michael@0: * return required trust flags for various cert usages for CAs michael@0: */ michael@0: SECStatus michael@0: CERT_TrustFlagsForCACertUsage(SECCertUsage usage, michael@0: unsigned int *retFlags, michael@0: SECTrustType *retTrustType); michael@0: michael@0: /* michael@0: * Find all user certificates that match the given criteria. michael@0: * michael@0: * "handle" - database to search michael@0: * "usage" - certificate usage to match michael@0: * "oneCertPerName" - if set then only return the "best" cert per michael@0: * name michael@0: * "validOnly" - only return certs that are curently valid michael@0: * "proto_win" - window handle passed to pkcs11 michael@0: */ michael@0: CERTCertList * michael@0: CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, michael@0: SECCertUsage usage, michael@0: PRBool oneCertPerName, michael@0: PRBool validOnly, michael@0: void *proto_win); michael@0: michael@0: /* michael@0: * Find a user certificate that matchs the given criteria. michael@0: * michael@0: * "handle" - database to search michael@0: * "nickname" - nickname to match michael@0: * "usage" - certificate usage to match michael@0: * "validOnly" - only return certs that are curently valid michael@0: * "proto_win" - window handle passed to pkcs11 michael@0: */ michael@0: CERTCertificate * michael@0: CERT_FindUserCertByUsage(CERTCertDBHandle *handle, michael@0: const char *nickname, michael@0: SECCertUsage usage, michael@0: PRBool validOnly, michael@0: void *proto_win); michael@0: michael@0: /* michael@0: * Filter a list of certificates, removing those certs that do not have michael@0: * one of the named CA certs somewhere in their cert chain. michael@0: * michael@0: * "certList" - the list of certificates to filter michael@0: * "nCANames" - number of CA names michael@0: * "caNames" - array of CA names in string(rfc 1485) form michael@0: * "usage" - what use the certs are for, this is used when michael@0: * selecting CA certs michael@0: */ michael@0: SECStatus michael@0: CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, michael@0: char **caNames, SECCertUsage usage); michael@0: michael@0: /* michael@0: * Filter a list of certificates, removing those certs that aren't user certs michael@0: */ michael@0: SECStatus michael@0: CERT_FilterCertListForUserCerts(CERTCertList *certList); michael@0: michael@0: /* michael@0: * Collect the nicknames from all certs in a CertList. If the cert is not michael@0: * valid, append a string to that nickname. michael@0: * michael@0: * "certList" - the list of certificates michael@0: * "expiredString" - the string to append to the nickname of any expired cert michael@0: * "notYetGoodString" - the string to append to the nickname of any cert michael@0: * that is not yet valid michael@0: */ michael@0: CERTCertNicknames * michael@0: CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString, michael@0: char *notYetGoodString); michael@0: michael@0: /* michael@0: * Extract the nickname from a nickmake string that may have either michael@0: * expiredString or notYetGoodString appended. michael@0: * michael@0: * Args: michael@0: * "namestring" - the string containing the nickname, and possibly michael@0: * one of the validity label strings michael@0: * "expiredString" - the expired validity label string michael@0: * "notYetGoodString" - the not yet good validity label string michael@0: * michael@0: * Returns the raw nickname michael@0: */ michael@0: char * michael@0: CERT_ExtractNicknameString(char *namestring, char *expiredString, michael@0: char *notYetGoodString); michael@0: michael@0: /* michael@0: * Given a certificate, return a string containing the nickname, and possibly michael@0: * one of the validity strings, based on the current validity state of the michael@0: * certificate. michael@0: * michael@0: * "arena" - arena to allocate returned string from. If NULL, then heap michael@0: * is used. michael@0: * "cert" - the cert to get nickname from michael@0: * "expiredString" - the string to append to the nickname if the cert is michael@0: * expired. michael@0: * "notYetGoodString" - the string to append to the nickname if the cert is michael@0: * not yet good. michael@0: */ michael@0: char * michael@0: CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert, michael@0: char *expiredString, char *notYetGoodString); michael@0: michael@0: /* michael@0: * Return the string representation of a DER encoded distinguished name michael@0: * "dername" - The DER encoded name to convert michael@0: */ michael@0: char * michael@0: CERT_DerNameToAscii(SECItem *dername); michael@0: michael@0: /* michael@0: * Supported usage values and types: michael@0: * certUsageSSLClient michael@0: * certUsageSSLServer michael@0: * certUsageSSLServerWithStepUp michael@0: * certUsageEmailSigner michael@0: * certUsageEmailRecipient michael@0: * certUsageObjectSigner michael@0: */ michael@0: michael@0: CERTCertificate * michael@0: CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName, michael@0: CERTCertOwner owner, SECCertUsage usage, michael@0: PRBool preferTrusted, PRTime validTime, PRBool validOnly); michael@0: michael@0: /* michael@0: * Acquire the global lock on the cert database. michael@0: * This lock is currently used for the following operations: michael@0: * adding or deleting a cert to either the temp or perm databases michael@0: * converting a temp to perm or perm to temp michael@0: * changing(maybe just adding?) the trust of a cert michael@0: * adjusting the reference count of a cert michael@0: */ michael@0: void michael@0: CERT_LockDB(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * Free the global cert database lock. michael@0: */ michael@0: void michael@0: CERT_UnlockDB(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * Get the certificate status checking configuratino data for michael@0: * the certificate database michael@0: */ michael@0: CERTStatusConfig * michael@0: CERT_GetStatusConfig(CERTCertDBHandle *handle); michael@0: michael@0: /* michael@0: * Set the certificate status checking information for the michael@0: * database. The input structure becomes part of the certificate michael@0: * database and will be freed by calling the 'Destroy' function in michael@0: * the configuration object. michael@0: */ michael@0: void michael@0: CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); michael@0: michael@0: michael@0: michael@0: /* michael@0: * Acquire the cert reference count lock michael@0: * There is currently one global lock for all certs, but I'm putting a cert michael@0: * arg here so that it will be easy to make it per-cert in the future if michael@0: * that turns out to be necessary. michael@0: */ michael@0: void michael@0: CERT_LockCertRefCount(CERTCertificate *cert); michael@0: michael@0: /* michael@0: * Free the cert reference count lock michael@0: */ michael@0: void michael@0: CERT_UnlockCertRefCount(CERTCertificate *cert); michael@0: michael@0: /* michael@0: * Acquire the cert trust lock michael@0: * There is currently one global lock for all certs, but I'm putting a cert michael@0: * arg here so that it will be easy to make it per-cert in the future if michael@0: * that turns out to be necessary. michael@0: */ michael@0: void michael@0: CERT_LockCertTrust(const CERTCertificate *cert); michael@0: michael@0: /* michael@0: * Free the cert trust lock michael@0: */ michael@0: void michael@0: CERT_UnlockCertTrust(const CERTCertificate *cert); michael@0: michael@0: /* michael@0: * Digest the cert's subject public key using the specified algorithm. michael@0: * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding michael@0: * the tag, length, and number of unused bits) rather than the whole michael@0: * subjectPublicKeyInfo field. michael@0: * michael@0: * The necessary storage for the digest data is allocated. If "fill" is michael@0: * non-null, the data is put there, otherwise a SECItem is allocated. michael@0: * Allocation from "arena" if it is non-null, heap otherwise. Any problem michael@0: * results in a NULL being returned (and an appropriate error set). michael@0: */ michael@0: extern SECItem * michael@0: CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, michael@0: SECOidTag digestAlg, SECItem *fill); michael@0: michael@0: /* michael@0: * Digest the cert's subject name using the specified algorithm. michael@0: */ michael@0: extern SECItem * michael@0: CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert, michael@0: SECOidTag digestAlg, SECItem *fill); michael@0: michael@0: SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, michael@0: const SECItem* dp, PRTime t, void* wincx); michael@0: michael@0: michael@0: /* michael@0: * Add a CERTNameConstraint to the CERTNameConstraint list michael@0: */ michael@0: extern CERTNameConstraint * michael@0: CERT_AddNameConstraint(CERTNameConstraint *list, michael@0: CERTNameConstraint *constraint); michael@0: michael@0: /* michael@0: * Allocate space and copy CERTNameConstraint from src to dest. michael@0: * Arena is used to allocate result(if dest eq NULL) and its members michael@0: * SECItem data. michael@0: */ michael@0: extern CERTNameConstraint * michael@0: CERT_CopyNameConstraint(PLArenaPool *arena, michael@0: CERTNameConstraint *dest, michael@0: CERTNameConstraint *src); michael@0: michael@0: /* michael@0: * Verify name against all the constraints relevant to that type of michael@0: * the name. michael@0: */ michael@0: extern SECStatus michael@0: CERT_CheckNameSpace(PLArenaPool *arena, michael@0: const CERTNameConstraints *constraints, michael@0: const CERTGeneralName *currentName); michael@0: michael@0: /* michael@0: * Extract and allocate the name constraints extension from the CA cert. michael@0: */ michael@0: extern SECStatus michael@0: CERT_FindNameConstraintsExten(PLArenaPool *arena, michael@0: CERTCertificate *cert, michael@0: CERTNameConstraints **constraints); michael@0: michael@0: /* michael@0: * Initialize a new GERTGeneralName fields (link) michael@0: */ michael@0: extern CERTGeneralName * michael@0: CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type); michael@0: michael@0: /* michael@0: * PKIX extension encoding routines michael@0: */ michael@0: extern SECStatus michael@0: CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena, michael@0: CERTCertificatePolicyConstraints *constr, michael@0: SECItem *dest); michael@0: extern SECStatus michael@0: CERT_EncodeInhibitAnyExtension(PLArenaPool *arena, michael@0: CERTCertificateInhibitAny *inhibitAny, michael@0: SECItem *dest); michael@0: extern SECStatus michael@0: CERT_EncodePolicyMappingExtension(PLArenaPool *arena, michael@0: CERTCertificatePolicyMappings *maps, michael@0: SECItem *dest); michael@0: michael@0: extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena, michael@0: CERTAuthInfoAccess **info, michael@0: SECItem *dest); michael@0: extern SECStatus michael@0: CERT_EncodeUserNotice(PLArenaPool *arena, michael@0: CERTUserNotice *notice, michael@0: SECItem *dest); michael@0: michael@0: extern SECStatus michael@0: CERT_EncodeDisplayText(PLArenaPool *arena, michael@0: SECItem *text, michael@0: SECItem *dest); michael@0: michael@0: extern SECStatus michael@0: CERT_EncodeCertPoliciesExtension(PLArenaPool *arena, michael@0: CERTPolicyInfo **info, michael@0: SECItem *dest); michael@0: extern SECStatus michael@0: CERT_EncodeNoticeReference(PLArenaPool *arena, michael@0: CERTNoticeReference *reference, michael@0: SECItem *dest); michael@0: michael@0: /* michael@0: * Returns a pointer to a static structure. michael@0: */ michael@0: extern const CERTRevocationFlags* michael@0: CERT_GetPKIXVerifyNistRevocationPolicy(void); michael@0: michael@0: /* michael@0: * Returns a pointer to a static structure. michael@0: */ michael@0: extern const CERTRevocationFlags* michael@0: CERT_GetClassicOCSPEnabledSoftFailurePolicy(void); michael@0: michael@0: /* michael@0: * Returns a pointer to a static structure. michael@0: */ michael@0: extern const CERTRevocationFlags* michael@0: CERT_GetClassicOCSPEnabledHardFailurePolicy(void); michael@0: michael@0: /* michael@0: * Returns a pointer to a static structure. michael@0: */ michael@0: extern const CERTRevocationFlags* michael@0: CERT_GetClassicOCSPDisabledPolicy(void); michael@0: michael@0: /* michael@0: * Verify a Cert with libpkix michael@0: * paramsIn control the verification options. If a value isn't specified michael@0: * in paramsIn, it reverts to the application default. michael@0: * paramsOut specifies the parameters the caller would like to get back. michael@0: * the caller may pass NULL, in which case no parameters are returned. michael@0: */ michael@0: extern SECStatus CERT_PKIXVerifyCert( michael@0: CERTCertificate *cert, michael@0: SECCertificateUsage usages, michael@0: CERTValInParam *paramsIn, michael@0: CERTValOutParam *paramsOut, michael@0: void *wincx); michael@0: michael@0: /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate) michael@0: * to use libpkix validation engine. The function should be called ones at michael@0: * application initialization time. michael@0: * Function is not thread safe.*/ michael@0: extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable); michael@0: michael@0: /* The function return PR_TRUE if cert validation should use michael@0: * libpkix cert validation engine. */ michael@0: extern PRBool CERT_GetUsePKIXForValidation(void); michael@0: michael@0: /* michael@0: * Allocate a parameter container of type CERTRevocationFlags, michael@0: * and allocate the inner arrays of the given sizes. michael@0: * To cleanup call CERT_DestroyCERTRevocationFlags. michael@0: */ michael@0: extern CERTRevocationFlags * michael@0: CERT_AllocCERTRevocationFlags( michael@0: PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, michael@0: PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods); michael@0: michael@0: /* michael@0: * Destroy the arrays inside flags, michael@0: * and destroy the object pointed to by flags, too. michael@0: */ michael@0: extern void michael@0: CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* _CERT_H_ */