michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: /* michael@0: * certt.h - public data structures for the certificate library michael@0: */ michael@0: #ifndef _CERTT_H_ michael@0: #define _CERTT_H_ michael@0: michael@0: #include "prclist.h" michael@0: #include "pkcs11t.h" michael@0: #include "seccomon.h" michael@0: #include "secmodt.h" michael@0: #include "secoidt.h" michael@0: #include "plarena.h" michael@0: #include "prcvar.h" michael@0: #include "nssilock.h" michael@0: #include "prio.h" michael@0: #include "prmon.h" michael@0: michael@0: /* Stan data types */ michael@0: struct NSSCertificateStr; michael@0: struct NSSTrustDomainStr; michael@0: michael@0: /* Non-opaque objects */ michael@0: typedef struct CERTAVAStr CERTAVA; michael@0: typedef struct CERTAttributeStr CERTAttribute; michael@0: typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess; michael@0: typedef struct CERTAuthKeyIDStr CERTAuthKeyID; michael@0: typedef struct CERTBasicConstraintsStr CERTBasicConstraints; michael@0: typedef struct NSSTrustDomainStr CERTCertDBHandle; michael@0: typedef struct CERTCertExtensionStr CERTCertExtension; michael@0: typedef struct CERTCertKeyStr CERTCertKey; michael@0: typedef struct CERTCertListStr CERTCertList; michael@0: typedef struct CERTCertListNodeStr CERTCertListNode; michael@0: typedef struct CERTCertNicknamesStr CERTCertNicknames; michael@0: typedef struct CERTCertTrustStr CERTCertTrust; michael@0: typedef struct CERTCertificateStr CERTCertificate; michael@0: typedef struct CERTCertificateListStr CERTCertificateList; michael@0: typedef struct CERTCertificateRequestStr CERTCertificateRequest; michael@0: typedef struct CERTCrlStr CERTCrl; michael@0: typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints; michael@0: typedef struct CERTCrlEntryStr CERTCrlEntry; michael@0: typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode; michael@0: typedef struct CERTCrlKeyStr CERTCrlKey; michael@0: typedef struct CERTCrlNodeStr CERTCrlNode; michael@0: typedef struct CERTDERCertsStr CERTDERCerts; michael@0: typedef struct CERTDistNamesStr CERTDistNames; michael@0: typedef struct CERTGeneralNameStr CERTGeneralName; michael@0: typedef struct CERTGeneralNameListStr CERTGeneralNameList; michael@0: typedef struct CERTIssuerAndSNStr CERTIssuerAndSN; michael@0: typedef struct CERTNameStr CERTName; michael@0: typedef struct CERTNameConstraintStr CERTNameConstraint; michael@0: typedef struct CERTNameConstraintsStr CERTNameConstraints; michael@0: typedef struct CERTOKDomainNameStr CERTOKDomainName; michael@0: typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod; michael@0: typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge; michael@0: typedef struct CERTRDNStr CERTRDN; michael@0: typedef struct CERTSignedCrlStr CERTSignedCrl; michael@0: typedef struct CERTSignedDataStr CERTSignedData; michael@0: typedef struct CERTStatusConfigStr CERTStatusConfig; michael@0: typedef struct CERTSubjectListStr CERTSubjectList; michael@0: typedef struct CERTSubjectNodeStr CERTSubjectNode; michael@0: typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; michael@0: typedef struct CERTValidityStr CERTValidity; michael@0: typedef struct CERTVerifyLogStr CERTVerifyLog; michael@0: typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode; michael@0: typedef struct CRLDistributionPointStr CRLDistributionPoint; michael@0: michael@0: /* CRL extensions type */ michael@0: typedef unsigned long CERTCrlNumber; michael@0: michael@0: /* michael@0: ** An X.500 AVA object michael@0: */ michael@0: struct CERTAVAStr { michael@0: SECItem type; michael@0: SECItem value; michael@0: }; michael@0: michael@0: /* michael@0: ** An X.500 RDN object michael@0: */ michael@0: struct CERTRDNStr { michael@0: CERTAVA **avas; michael@0: }; michael@0: michael@0: /* michael@0: ** An X.500 name object michael@0: */ michael@0: struct CERTNameStr { michael@0: PLArenaPool *arena; michael@0: CERTRDN **rdns; michael@0: }; michael@0: michael@0: /* michael@0: ** An X.509 validity object michael@0: */ michael@0: struct CERTValidityStr { michael@0: PLArenaPool *arena; michael@0: SECItem notBefore; michael@0: SECItem notAfter; michael@0: }; michael@0: michael@0: /* michael@0: * A serial number and issuer name, which is used as a database key michael@0: */ michael@0: struct CERTCertKeyStr { michael@0: SECItem serialNumber; michael@0: SECItem derIssuer; michael@0: }; michael@0: michael@0: /* michael@0: ** A signed data object. Used to implement the "signed" macro used michael@0: ** in the X.500 specs. michael@0: */ michael@0: struct CERTSignedDataStr { michael@0: SECItem data; michael@0: SECAlgorithmID signatureAlgorithm; michael@0: SECItem signature; michael@0: }; michael@0: michael@0: /* michael@0: ** An X.509 subject-public-key-info object michael@0: */ michael@0: struct CERTSubjectPublicKeyInfoStr { michael@0: PLArenaPool *arena; michael@0: SECAlgorithmID algorithm; michael@0: SECItem subjectPublicKey; michael@0: }; michael@0: michael@0: struct CERTPublicKeyAndChallengeStr { michael@0: SECItem spki; michael@0: SECItem challenge; michael@0: }; michael@0: michael@0: struct CERTCertTrustStr { michael@0: unsigned int sslFlags; michael@0: unsigned int emailFlags; michael@0: unsigned int objectSigningFlags; michael@0: }; michael@0: michael@0: /* michael@0: * defined the types of trust that exist michael@0: */ michael@0: typedef enum SECTrustTypeEnum { michael@0: trustSSL = 0, michael@0: trustEmail = 1, michael@0: trustObjectSigning = 2, michael@0: trustTypeNone = 3 michael@0: } SECTrustType; michael@0: michael@0: #define SEC_GET_TRUST_FLAGS(trust,type) \ michael@0: (((type)==trustSSL)?((trust)->sslFlags): \ michael@0: (((type)==trustEmail)?((trust)->emailFlags): \ michael@0: (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0))) michael@0: michael@0: /* michael@0: ** An X.509.3 certificate extension michael@0: */ michael@0: struct CERTCertExtensionStr { michael@0: SECItem id; michael@0: SECItem critical; michael@0: SECItem value; michael@0: }; michael@0: michael@0: struct CERTSubjectNodeStr { michael@0: struct CERTSubjectNodeStr *next; michael@0: struct CERTSubjectNodeStr *prev; michael@0: SECItem certKey; michael@0: SECItem keyID; michael@0: }; michael@0: michael@0: struct CERTSubjectListStr { michael@0: PLArenaPool *arena; michael@0: int ncerts; michael@0: char *emailAddr; michael@0: CERTSubjectNode *head; michael@0: CERTSubjectNode *tail; /* do we need tail? */ michael@0: void *entry; michael@0: }; michael@0: michael@0: /* michael@0: ** An X.509 certificate object (the unsigned form) michael@0: */ michael@0: struct CERTCertificateStr { michael@0: /* the arena is used to allocate any data structures that have the same michael@0: * lifetime as the cert. This is all stuff that hangs off of the cert michael@0: * structure, and is all freed at the same time. I is used when the michael@0: * cert is decoded, destroyed, and at some times when it changes michael@0: * state michael@0: */ michael@0: PLArenaPool *arena; michael@0: michael@0: /* The following fields are static after the cert has been decoded */ michael@0: char *subjectName; michael@0: char *issuerName; michael@0: CERTSignedData signatureWrap; /* XXX */ michael@0: SECItem derCert; /* original DER for the cert */ michael@0: SECItem derIssuer; /* DER for issuer name */ michael@0: SECItem derSubject; /* DER for subject name */ michael@0: SECItem derPublicKey; /* DER for the public key */ michael@0: SECItem certKey; /* database key for this cert */ michael@0: SECItem version; michael@0: SECItem serialNumber; michael@0: SECAlgorithmID signature; michael@0: CERTName issuer; michael@0: CERTValidity validity; michael@0: CERTName subject; michael@0: CERTSubjectPublicKeyInfo subjectPublicKeyInfo; michael@0: SECItem issuerID; michael@0: SECItem subjectID; michael@0: CERTCertExtension **extensions; michael@0: char *emailAddr; michael@0: CERTCertDBHandle *dbhandle; michael@0: SECItem subjectKeyID; /* x509v3 subject key identifier */ michael@0: PRBool keyIDGenerated; /* was the keyid generated? */ michael@0: unsigned int keyUsage; /* what uses are allowed for this cert */ michael@0: unsigned int rawKeyUsage; /* value of the key usage extension */ michael@0: PRBool keyUsagePresent; /* was the key usage extension present */ michael@0: PRUint32 nsCertType; /* value of the ns cert type extension */ michael@0: /* must be 32-bit for PR_ATOMIC_SET */ michael@0: michael@0: /* these values can be set by the application to bypass certain checks michael@0: * or to keep the cert in memory for an entire session. michael@0: * XXX - need an api to set these michael@0: */ michael@0: PRBool keepSession; /* keep this cert for entire session*/ michael@0: PRBool timeOK; /* is the bad validity time ok? */ michael@0: CERTOKDomainName *domainOK; /* these domain names are ok */ michael@0: michael@0: /* michael@0: * these values can change when the cert changes state. These state michael@0: * changes include transitions from temp to perm or vice-versa, and michael@0: * changes of trust flags michael@0: */ michael@0: PRBool isperm; michael@0: PRBool istemp; michael@0: char *nickname; michael@0: char *dbnickname; michael@0: struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */ michael@0: CERTCertTrust *trust; michael@0: michael@0: /* the reference count is modified whenever someone looks up, dups michael@0: * or destroys a certificate michael@0: */ michael@0: int referenceCount; michael@0: michael@0: /* The subject list is a list of all certs with the same subject name. michael@0: * It can be modified any time a cert is added or deleted from either michael@0: * the in-memory(temporary) or on-disk(permanent) database. michael@0: */ michael@0: CERTSubjectList *subjectList; michael@0: michael@0: /* these belong in the static section, but are here to maintain michael@0: * the structure's integrity michael@0: */ michael@0: CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */ michael@0: PRBool isRoot; /* cert is the end of a chain */ michael@0: michael@0: /* these fields are used by client GUI code to keep track of ssl sockets michael@0: * that are blocked waiting on GUI feedback related to this cert. michael@0: * XXX - these should be moved into some sort of application specific michael@0: * data structure. They are only used by the browser right now. michael@0: */ michael@0: union { michael@0: void* apointer; /* was struct SECSocketNode* authsocketlist */ michael@0: struct { michael@0: unsigned int hasUnsupportedCriticalExt :1; michael@0: /* add any new option bits needed here */ michael@0: } bits; michael@0: } options; michael@0: int series; /* was int authsocketcount; record the series of the pkcs11ID */ michael@0: michael@0: /* This is PKCS #11 stuff. */ michael@0: PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ michael@0: CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ michael@0: PRBool ownSlot; /*true if the cert owns the slot reference */ michael@0: }; michael@0: #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ michael@0: #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ michael@0: #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ michael@0: michael@0: #define SEC_CRL_VERSION_1 0 /* default */ michael@0: #define SEC_CRL_VERSION_2 1 /* v2 extensions */ michael@0: michael@0: /* michael@0: * used to identify class of cert in mime stream code michael@0: */ michael@0: #define SEC_CERT_CLASS_CA 1 michael@0: #define SEC_CERT_CLASS_SERVER 2 michael@0: #define SEC_CERT_CLASS_USER 3 michael@0: #define SEC_CERT_CLASS_EMAIL 4 michael@0: michael@0: struct CERTDERCertsStr { michael@0: PLArenaPool *arena; michael@0: int numcerts; michael@0: SECItem *rawCerts; michael@0: }; michael@0: michael@0: /* michael@0: ** A PKCS ? Attribute michael@0: ** XXX this is duplicated through out the code, it *should* be moved michael@0: ** to a central location. Where would be appropriate? michael@0: */ michael@0: struct CERTAttributeStr { michael@0: SECItem attrType; michael@0: SECItem **attrValue; michael@0: }; michael@0: michael@0: /* michael@0: ** A PKCS#10 certificate-request object (the unsigned form) michael@0: */ michael@0: struct CERTCertificateRequestStr { michael@0: PLArenaPool *arena; michael@0: SECItem version; michael@0: CERTName subject; michael@0: CERTSubjectPublicKeyInfo subjectPublicKeyInfo; michael@0: CERTAttribute **attributes; michael@0: }; michael@0: #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */ michael@0: michael@0: michael@0: /* michael@0: ** A certificate list object. michael@0: */ michael@0: struct CERTCertificateListStr { michael@0: SECItem *certs; michael@0: int len; /* number of certs */ michael@0: PLArenaPool *arena; michael@0: }; michael@0: michael@0: struct CERTCertListNodeStr { michael@0: PRCList links; michael@0: CERTCertificate *cert; michael@0: void *appData; michael@0: }; michael@0: michael@0: struct CERTCertListStr { michael@0: PRCList list; michael@0: PLArenaPool *arena; michael@0: }; michael@0: michael@0: #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list)) michael@0: #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) michael@0: #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next) michael@0: #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list)) michael@0: #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l) michael@0: michael@0: struct CERTCrlEntryStr { michael@0: SECItem serialNumber; michael@0: SECItem revocationDate; michael@0: CERTCertExtension **extensions; michael@0: }; michael@0: michael@0: struct CERTCrlStr { michael@0: PLArenaPool *arena; michael@0: SECItem version; michael@0: SECAlgorithmID signatureAlg; michael@0: SECItem derName; michael@0: CERTName name; michael@0: SECItem lastUpdate; michael@0: SECItem nextUpdate; /* optional for x.509 CRL */ michael@0: CERTCrlEntry **entries; michael@0: CERTCertExtension **extensions; michael@0: /* can't add anything there for binary backwards compatibility reasons */ michael@0: }; michael@0: michael@0: struct CERTCrlKeyStr { michael@0: SECItem derName; michael@0: SECItem dummy; /* The decoder can not skip a primitive, michael@0: this serves as a place holder for the michael@0: decoder to finish its task only michael@0: */ michael@0: }; michael@0: michael@0: struct CERTSignedCrlStr { michael@0: PLArenaPool *arena; michael@0: CERTCrl crl; michael@0: void *reserved1; michael@0: PRBool reserved2; michael@0: PRBool isperm; michael@0: PRBool istemp; michael@0: int referenceCount; michael@0: CERTCertDBHandle *dbhandle; michael@0: CERTSignedData signatureWrap; /* XXX */ michael@0: char *url; michael@0: SECItem *derCrl; michael@0: PK11SlotInfo *slot; michael@0: CK_OBJECT_HANDLE pkcs11ID; michael@0: void* opaque; /* do not touch */ michael@0: }; michael@0: michael@0: michael@0: struct CERTCrlHeadNodeStr { michael@0: PLArenaPool *arena; michael@0: CERTCertDBHandle *dbhandle; michael@0: CERTCrlNode *first; michael@0: CERTCrlNode *last; michael@0: }; michael@0: michael@0: michael@0: struct CERTCrlNodeStr { michael@0: CERTCrlNode *next; michael@0: int type; michael@0: CERTSignedCrl *crl; michael@0: }; michael@0: michael@0: michael@0: /* michael@0: * Array of X.500 Distinguished Names michael@0: */ michael@0: struct CERTDistNamesStr { michael@0: PLArenaPool *arena; michael@0: int nnames; michael@0: SECItem *names; michael@0: void *head; /* private */ michael@0: }; michael@0: michael@0: michael@0: #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ michael@0: #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ michael@0: #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ michael@0: #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ michael@0: #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ michael@0: #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ michael@0: #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ michael@0: #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ michael@0: michael@0: #define EXT_KEY_USAGE_TIME_STAMP (0x8000) michael@0: #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000) michael@0: michael@0: #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \ michael@0: NS_CERT_TYPE_SSL_SERVER | \ michael@0: NS_CERT_TYPE_EMAIL | \ michael@0: NS_CERT_TYPE_OBJECT_SIGNING ) michael@0: michael@0: #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \ michael@0: NS_CERT_TYPE_EMAIL_CA | \ michael@0: NS_CERT_TYPE_OBJECT_SIGNING_CA | \ michael@0: EXT_KEY_USAGE_STATUS_RESPONDER ) michael@0: typedef enum SECCertUsageEnum { michael@0: certUsageSSLClient = 0, michael@0: certUsageSSLServer = 1, michael@0: certUsageSSLServerWithStepUp = 2, michael@0: certUsageSSLCA = 3, michael@0: certUsageEmailSigner = 4, michael@0: certUsageEmailRecipient = 5, michael@0: certUsageObjectSigner = 6, michael@0: certUsageUserCertImport = 7, michael@0: certUsageVerifyCA = 8, michael@0: certUsageProtectedObjectSigner = 9, michael@0: certUsageStatusResponder = 10, michael@0: certUsageAnyCA = 11 michael@0: } SECCertUsage; michael@0: michael@0: typedef PRInt64 SECCertificateUsage; michael@0: michael@0: #define certificateUsageCheckAllUsages (0x0000) michael@0: #define certificateUsageSSLClient (0x0001) michael@0: #define certificateUsageSSLServer (0x0002) michael@0: #define certificateUsageSSLServerWithStepUp (0x0004) michael@0: #define certificateUsageSSLCA (0x0008) michael@0: #define certificateUsageEmailSigner (0x0010) michael@0: #define certificateUsageEmailRecipient (0x0020) michael@0: #define certificateUsageObjectSigner (0x0040) michael@0: #define certificateUsageUserCertImport (0x0080) michael@0: #define certificateUsageVerifyCA (0x0100) michael@0: #define certificateUsageProtectedObjectSigner (0x0200) michael@0: #define certificateUsageStatusResponder (0x0400) michael@0: #define certificateUsageAnyCA (0x0800) michael@0: michael@0: #define certificateUsageHighest certificateUsageAnyCA michael@0: michael@0: /* michael@0: * Does the cert belong to the user, a peer, or a CA. michael@0: */ michael@0: typedef enum CERTCertOwnerEnum { michael@0: certOwnerUser = 0, michael@0: certOwnerPeer = 1, michael@0: certOwnerCA = 2 michael@0: } CERTCertOwner; michael@0: michael@0: /* michael@0: * This enum represents the state of validity times of a certificate michael@0: */ michael@0: typedef enum SECCertTimeValidityEnum { michael@0: secCertTimeValid = 0, michael@0: secCertTimeExpired = 1, michael@0: secCertTimeNotValidYet = 2, michael@0: secCertTimeUndetermined = 3 /* validity could not be decoded from the michael@0: cert, most likely because it was NULL */ michael@0: } SECCertTimeValidity; michael@0: michael@0: /* michael@0: * This is used as return status in functions that compare the validity michael@0: * periods of two certificates A and B, currently only michael@0: * CERT_CompareValidityTimes. michael@0: */ michael@0: michael@0: typedef enum CERTCompareValidityStatusEnum michael@0: { michael@0: certValidityUndetermined = 0, /* the function is unable to select one cert michael@0: over another */ michael@0: certValidityChooseB = 1, /* cert B should be preferred */ michael@0: certValidityEqual = 2, /* both certs have the same validity period */ michael@0: certValidityChooseA = 3 /* cert A should be preferred */ michael@0: } CERTCompareValidityStatus; michael@0: michael@0: /* michael@0: * Interface for getting certificate nickname strings out of the database michael@0: */ michael@0: michael@0: /* these are values for the what argument below */ michael@0: #define SEC_CERT_NICKNAMES_ALL 1 michael@0: #define SEC_CERT_NICKNAMES_USER 2 michael@0: #define SEC_CERT_NICKNAMES_SERVER 3 michael@0: #define SEC_CERT_NICKNAMES_CA 4 michael@0: michael@0: struct CERTCertNicknamesStr { michael@0: PLArenaPool *arena; michael@0: void *head; michael@0: int numnicknames; michael@0: char **nicknames; michael@0: int what; michael@0: int totallen; michael@0: }; michael@0: michael@0: struct CERTIssuerAndSNStr { michael@0: SECItem derIssuer; michael@0: CERTName issuer; michael@0: SECItem serialNumber; michael@0: }; michael@0: michael@0: michael@0: /* X.509 v3 Key Usage Extension flags */ michael@0: #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ michael@0: #define KU_NON_REPUDIATION (0x40) /* bit 1 */ michael@0: #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ michael@0: #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ michael@0: #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ michael@0: #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ michael@0: #define KU_CRL_SIGN (0x02) /* bit 6 */ michael@0: #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */ michael@0: #define KU_ALL (KU_DIGITAL_SIGNATURE | \ michael@0: KU_NON_REPUDIATION | \ michael@0: KU_KEY_ENCIPHERMENT | \ michael@0: KU_DATA_ENCIPHERMENT | \ michael@0: KU_KEY_AGREEMENT | \ michael@0: KU_KEY_CERT_SIGN | \ michael@0: KU_CRL_SIGN | \ michael@0: KU_ENCIPHER_ONLY) michael@0: michael@0: /* This value will not occur in certs. It is used internally for the case michael@0: * when either digital signature or non-repudiation is the correct value. michael@0: */ michael@0: #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000) michael@0: michael@0: /* This value will not occur in certs. It is used internally for the case michael@0: * when the key type is not know ahead of time and either key agreement or michael@0: * key encipherment are the correct value based on key type michael@0: */ michael@0: #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000) michael@0: michael@0: /* internal bits that do not match bits in the x509v3 spec, but are used michael@0: * for similar purposes michael@0: */ michael@0: #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/ michael@0: /* michael@0: * x.509 v3 Basic Constraints Extension michael@0: * If isCA is false, the pathLenConstraint is ignored. michael@0: * Otherwise, the following pathLenConstraint values will apply: michael@0: * < 0 - there is no limit to the certificate path michael@0: * 0 - CA can issues end-entity certificates only michael@0: * > 0 - the number of certificates in the certificate path is michael@0: * limited to this number michael@0: */ michael@0: #define CERT_UNLIMITED_PATH_CONSTRAINT -2 michael@0: michael@0: struct CERTBasicConstraintsStr { michael@0: PRBool isCA; /* on if is CA */ michael@0: int pathLenConstraint; /* maximum number of certificates that can be michael@0: in the cert path. Only applies to a CA michael@0: certificate; otherwise, it's ignored. michael@0: */ michael@0: }; michael@0: michael@0: /* Maximum length of a certificate chain */ michael@0: #define CERT_MAX_CERT_CHAIN 20 michael@0: michael@0: #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */ michael@0: #define CERT_MAX_DN_BYTES 4096 /* arbitrary */ michael@0: michael@0: /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */ michael@0: #define RF_UNUSED (0x80) /* bit 0 */ michael@0: #define RF_KEY_COMPROMISE (0x40) /* bit 1 */ michael@0: #define RF_CA_COMPROMISE (0x20) /* bit 2 */ michael@0: #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */ michael@0: #define RF_SUPERSEDED (0x08) /* bit 4 */ michael@0: #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */ michael@0: #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */ michael@0: michael@0: /* enum for CRL Entry Reason Code */ michael@0: typedef enum CERTCRLEntryReasonCodeEnum { michael@0: crlEntryReasonUnspecified = 0, michael@0: crlEntryReasonKeyCompromise = 1, michael@0: crlEntryReasonCaCompromise = 2, michael@0: crlEntryReasonAffiliationChanged = 3, michael@0: crlEntryReasonSuperseded = 4, michael@0: crlEntryReasonCessationOfOperation = 5, michael@0: crlEntryReasoncertificatedHold = 6, michael@0: crlEntryReasonRemoveFromCRL = 8, michael@0: crlEntryReasonPrivilegeWithdrawn = 9, michael@0: crlEntryReasonAaCompromise = 10 michael@0: } CERTCRLEntryReasonCode; michael@0: michael@0: /* If we needed to extract the general name field, use this */ michael@0: /* General Name types */ michael@0: typedef enum CERTGeneralNameTypeEnum { michael@0: certOtherName = 1, michael@0: certRFC822Name = 2, michael@0: certDNSName = 3, michael@0: certX400Address = 4, michael@0: certDirectoryName = 5, michael@0: certEDIPartyName = 6, michael@0: certURI = 7, michael@0: certIPAddress = 8, michael@0: certRegisterID = 9 michael@0: } CERTGeneralNameType; michael@0: michael@0: michael@0: typedef struct OtherNameStr { michael@0: SECItem name; michael@0: SECItem oid; michael@0: }OtherName; michael@0: michael@0: michael@0: michael@0: struct CERTGeneralNameStr { michael@0: CERTGeneralNameType type; /* name type */ michael@0: union { michael@0: CERTName directoryName; /* distinguish name */ michael@0: OtherName OthName; /* Other Name */ michael@0: SECItem other; /* the rest of the name forms */ michael@0: }name; michael@0: SECItem derDirectoryName; /* this is saved to simplify directory name michael@0: comparison */ michael@0: PRCList l; michael@0: }; michael@0: michael@0: struct CERTGeneralNameListStr { michael@0: PLArenaPool *arena; michael@0: CERTGeneralName *name; michael@0: int refCount; michael@0: int len; michael@0: PZLock *lock; michael@0: }; michael@0: michael@0: struct CERTNameConstraintStr { michael@0: CERTGeneralName name; michael@0: SECItem DERName; michael@0: SECItem min; michael@0: SECItem max; michael@0: PRCList l; michael@0: }; michael@0: michael@0: michael@0: struct CERTNameConstraintsStr { michael@0: CERTNameConstraint *permited; michael@0: CERTNameConstraint *excluded; michael@0: SECItem **DERPermited; michael@0: SECItem **DERExcluded; michael@0: }; michael@0: michael@0: michael@0: /* Private Key Usage Period extension struct. */ michael@0: struct CERTPrivKeyUsagePeriodStr { michael@0: SECItem notBefore; michael@0: SECItem notAfter; michael@0: PLArenaPool *arena; michael@0: }; michael@0: michael@0: /* X.509 v3 Authority Key Identifier extension. For the authority certificate michael@0: issuer field, we only support URI now. michael@0: */ michael@0: struct CERTAuthKeyIDStr { michael@0: SECItem keyID; /* unique key identifier */ michael@0: CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */ michael@0: SECItem authCertSerialNumber; /* CA's certificate serial number */ michael@0: SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of michael@0: the authCertIssuer field. It is used michael@0: by the encoding engine. It should be michael@0: used as a read only field by the caller. michael@0: */ michael@0: }; michael@0: michael@0: /* x.509 v3 CRL Distributeion Point */ michael@0: michael@0: /* michael@0: * defined the types of CRL Distribution points michael@0: */ michael@0: typedef enum DistributionPointTypesEnum { michael@0: generalName = 1, /* only support this for now */ michael@0: relativeDistinguishedName = 2 michael@0: } DistributionPointTypes; michael@0: michael@0: struct CRLDistributionPointStr { michael@0: DistributionPointTypes distPointType; michael@0: union { michael@0: CERTGeneralName *fullName; michael@0: CERTRDN relativeName; michael@0: } distPoint; michael@0: SECItem reasons; michael@0: CERTGeneralName *crlIssuer; michael@0: michael@0: /* Reserved for internal use only*/ michael@0: SECItem derDistPoint; michael@0: SECItem derRelativeName; michael@0: SECItem **derCrlIssuer; michael@0: SECItem **derFullName; michael@0: SECItem bitsmap; michael@0: }; michael@0: michael@0: struct CERTCrlDistributionPointsStr { michael@0: CRLDistributionPoint **distPoints; michael@0: }; michael@0: michael@0: /* michael@0: * This structure is used to keep a log of errors when verifying michael@0: * a cert chain. This allows multiple errors to be reported all at michael@0: * once. michael@0: */ michael@0: struct CERTVerifyLogNodeStr { michael@0: CERTCertificate *cert; /* what cert had the error */ michael@0: long error; /* what error was it? */ michael@0: unsigned int depth; /* how far up the chain are we */ michael@0: void *arg; /* error specific argument */ michael@0: struct CERTVerifyLogNodeStr *next; /* next in the list */ michael@0: struct CERTVerifyLogNodeStr *prev; /* next in the list */ michael@0: }; michael@0: michael@0: michael@0: struct CERTVerifyLogStr { michael@0: PLArenaPool *arena; michael@0: unsigned int count; michael@0: struct CERTVerifyLogNodeStr *head; michael@0: struct CERTVerifyLogNodeStr *tail; michael@0: }; michael@0: michael@0: michael@0: struct CERTOKDomainNameStr { michael@0: CERTOKDomainName *next; michael@0: char name[1]; /* actual length may be longer. */ michael@0: }; michael@0: michael@0: michael@0: typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle, michael@0: CERTCertificate *cert, michael@0: PRTime time, michael@0: void *pwArg); michael@0: michael@0: typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle); michael@0: michael@0: struct CERTStatusConfigStr { michael@0: CERTStatusChecker statusChecker; /* NULL means no checking enabled */ michael@0: CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */ michael@0: void *statusContext; /* cx specific to checking protocol */ michael@0: }; michael@0: michael@0: struct CERTAuthInfoAccessStr { michael@0: SECItem method; michael@0: SECItem derLocation; michael@0: CERTGeneralName *location; /* decoded location */ michael@0: }; michael@0: michael@0: michael@0: /* This is the typedef for the callback passed to CERT_OpenCertDB() */ michael@0: /* callback to return database name based on version number */ michael@0: typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion); michael@0: michael@0: /* michael@0: * types of cert packages that we can decode michael@0: */ michael@0: typedef enum CERTPackageTypeEnum { michael@0: certPackageNone = 0, michael@0: certPackageCert = 1, michael@0: certPackagePKCS7 = 2, michael@0: certPackageNSCertSeq = 3, michael@0: certPackageNSCertWrap = 4 michael@0: } CERTPackageType; michael@0: michael@0: /* michael@0: * these types are for the PKIX Certificate Policies extension michael@0: */ michael@0: typedef struct { michael@0: SECOidTag oid; michael@0: SECItem qualifierID; michael@0: SECItem qualifierValue; michael@0: } CERTPolicyQualifier; michael@0: michael@0: typedef struct { michael@0: SECOidTag oid; michael@0: SECItem policyID; michael@0: CERTPolicyQualifier **policyQualifiers; michael@0: } CERTPolicyInfo; michael@0: michael@0: typedef struct { michael@0: PLArenaPool *arena; michael@0: CERTPolicyInfo **policyInfos; michael@0: } CERTCertificatePolicies; michael@0: michael@0: typedef struct { michael@0: SECItem organization; michael@0: SECItem **noticeNumbers; michael@0: } CERTNoticeReference; michael@0: michael@0: typedef struct { michael@0: PLArenaPool *arena; michael@0: CERTNoticeReference noticeReference; michael@0: SECItem derNoticeReference; michael@0: SECItem displayText; michael@0: } CERTUserNotice; michael@0: michael@0: typedef struct { michael@0: PLArenaPool *arena; michael@0: SECItem **oids; michael@0: } CERTOidSequence; michael@0: michael@0: /* michael@0: * these types are for the PKIX Policy Mappings extension michael@0: */ michael@0: typedef struct { michael@0: SECItem issuerDomainPolicy; michael@0: SECItem subjectDomainPolicy; michael@0: } CERTPolicyMap; michael@0: michael@0: typedef struct { michael@0: PLArenaPool *arena; michael@0: CERTPolicyMap **policyMaps; michael@0: } CERTCertificatePolicyMappings; michael@0: michael@0: /* michael@0: * these types are for the PKIX inhibitAnyPolicy extension michael@0: */ michael@0: typedef struct { michael@0: SECItem inhibitAnySkipCerts; michael@0: } CERTCertificateInhibitAny; michael@0: michael@0: /* michael@0: * these types are for the PKIX Policy Constraints extension michael@0: */ michael@0: typedef struct { michael@0: SECItem explicitPolicySkipCerts; michael@0: SECItem inhibitMappingSkipCerts; michael@0: } CERTCertificatePolicyConstraints; michael@0: michael@0: /* michael@0: * These types are for the validate chain callback param. michael@0: * michael@0: * CERTChainVerifyCallback is an application-supplied callback that can be used michael@0: * to augment libpkix's certificate chain validation with additional michael@0: * application-specific checks. It may be called multiple times if there are michael@0: * multiple potentially-valid paths for the certificate being validated. This michael@0: * callback is called before revocation checking is done on the certificates in michael@0: * the given chain. michael@0: * michael@0: * - isValidChainArg contains the application-provided opaque argument michael@0: * - currentChain is the currently validated chain. It is ordered with the leaf michael@0: * certificate at the head and the trust anchor at the tail. michael@0: * michael@0: * The callback should set *chainOK = PR_TRUE and return SECSuccess if the michael@0: * certificate chain is acceptable. It should set *chainOK = PR_FALSE and michael@0: * return SECSuccess if the chain is unacceptable, to indicate that the given michael@0: * chain is bad and path building should continue. It should return SECFailure michael@0: * to indicate an fatal error that will cause path validation to fail michael@0: * immediately. michael@0: */ michael@0: typedef SECStatus (*CERTChainVerifyCallbackFunc) michael@0: (void *isChainValidArg, michael@0: const CERTCertList *currentChain, michael@0: PRBool *chainOK); michael@0: michael@0: /* michael@0: * Note: If extending this structure, it will be necessary to change the michael@0: * associated CERTValParamInType michael@0: */ michael@0: typedef struct { michael@0: CERTChainVerifyCallbackFunc isChainValid; michael@0: void *isChainValidArg; michael@0: } CERTChainVerifyCallback; michael@0: michael@0: /* michael@0: * these types are for the CERT_PKIX* Verification functions michael@0: * These are all optional parameters. michael@0: */ michael@0: michael@0: typedef enum { michael@0: cert_pi_end = 0, /* SPECIAL: signifies end of array of michael@0: * CERTValParam* */ michael@0: cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to michael@0: * resume a session. If this argument is michael@0: * specified, no other arguments should be. michael@0: * Specified in value.pointer.p. If the michael@0: * operation completes the context will be michael@0: * freed. */ michael@0: cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an michael@0: * existing operation which the caller wants michael@0: * to abort. If this argument is michael@0: * specified, no other arguments should be. michael@0: * Specified in value.pointer.p. If the michael@0: * operation succeeds the context will be michael@0: * freed. */ michael@0: cert_pi_certList = 3, /* specify the chain to validate against. If michael@0: * this value is given, then the path michael@0: * construction step in the validation is michael@0: * skipped. Specified in value.pointer.chain */ michael@0: cert_pi_policyOID = 4, /* validate certificate for policy OID. michael@0: * Specified in value.array.oids. Cert must michael@0: * be good for at least one OID in order michael@0: * to validate. Default is that the user is not michael@0: * concerned about certificate policy. */ michael@0: cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID. michael@0: * Specified in value.scalar.ul. Policy flags michael@0: * apply to all specified oids. michael@0: * Use CERT_POLICY_FLAG_* macros below. If not michael@0: * specified policy flags default to 0 */ michael@0: cert_pi_keyusage = 6, /* specify what the keyusages the certificate michael@0: * will be evaluated against, specified in michael@0: * value.scalar.ui. The cert must validate for michael@0: * at least one of the specified key usages. michael@0: * Values match the KU_ bit flags defined michael@0: * in this file. Default is derived from michael@0: * the 'usages' function argument */ michael@0: cert_pi_extendedKeyusage= 7, /* specify what the required extended key michael@0: * usage of the certificate. Specified as michael@0: * an array of oidTags in value.array.oids. michael@0: * The cert must validate for at least one michael@0: * of the specified extended key usages. michael@0: * If not specified, no extended key usages michael@0: * will be checked. */ michael@0: cert_pi_date = 8, /* validate certificate is valid as of date michael@0: * specified in value.scalar.time. A special michael@0: * value '0' indicates 'now'. default is '0' */ michael@0: cert_pi_revocationFlags = 9, /* Specify what revocation checking to do. michael@0: * See CERT_REV_FLAG_* macros below michael@0: * Set in value.pointer.revocation */ michael@0: cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below) michael@0: * Set in value.scalar.ui */ michael@0: cert_pi_trustAnchors = 11,/* Specify the list of trusted roots to michael@0: * validate against. michael@0: * The default set of trusted roots, these are michael@0: * root CA certs from libnssckbi.so or CA michael@0: * certs trusted by user, are used in any of michael@0: * the following cases: michael@0: * * when the parameter is not set. michael@0: * * when the list of trust anchors is empty. michael@0: * Note that this handling can be further altered by altering the michael@0: * cert_pi_useOnlyTrustAnchors flag michael@0: * Specified in value.pointer.chain */ michael@0: cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension. michael@0: * In NSS 3.12.1 or later. Default is off. michael@0: * Value is in value.scalar.b */ michael@0: cert_pi_chainVerifyCallback = 13, michael@0: /* The callback container for doing extra michael@0: * validation on the currently calculated chain. michael@0: * Value is in value.pointer.chainVerifyCallback */ michael@0: cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any michael@0: * certificates other than the ones passed in via cert_pi_trustAnchors. michael@0: * If false, then the certificates specified via cert_pi_trustAnchors michael@0: * will be combined with the pre-existing trusted roots, but only for michael@0: * the certificate validation being performed. michael@0: * If no value has been supplied via cert_pi_trustAnchors, this has no michael@0: * effect. michael@0: * The default value is true, meaning if this is not supplied, only michael@0: * trust anchors supplied via cert_pi_trustAnchors are trusted. michael@0: * Specified in value.scalar.b */ michael@0: cert_pi_max /* SPECIAL: signifies maximum allowed value, michael@0: * can increase in future releases */ michael@0: } CERTValParamInType; michael@0: michael@0: /* michael@0: * for all out parameters: michael@0: * out parameters are only returned if the caller asks for them in michael@0: * the CERTValOutParam array. Caller is responsible for the CERTValOutParam michael@0: * array itself. The pkix verify function will allocate and other arrays michael@0: * pointers, or objects. The Caller is responsible for freeing those results. michael@0: * If SECWouldBlock is returned, only cert_pi_nbioContext is returned. michael@0: */ michael@0: typedef enum { michael@0: cert_po_end = 0, /* SPECIAL: signifies end of array of michael@0: * CERTValParam* */ michael@0: cert_po_nbioContext = 1, /* Return a nonblocking context. If no michael@0: * non-blocking context is specified, then michael@0: * blocking IO will be used. michael@0: * Returned in value.pointer.p. The context is michael@0: * freed after an abort or a complete operation. michael@0: * This value is only returned on SECWouldBlock. michael@0: */ michael@0: cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that michael@0: * was validated. Returned in michael@0: * value.pointer.cert, this value is only michael@0: * returned on SECSuccess. */ michael@0: cert_po_certList = 3, /* Return the entire chain that was validated. michael@0: * Returned in value.pointer.certList. If no michael@0: * chain could be constructed, this value michael@0: * would be NULL. */ michael@0: cert_po_policyOID = 4, /* Return the policies that were found to be michael@0: * valid. Returned in value.array.oids as an michael@0: * array. This is only returned on michael@0: * SECSuccess. */ michael@0: cert_po_errorLog = 5, /* Return a log of problems with the chain. michael@0: * Returned in value.pointer.log */ michael@0: cert_po_usages = 6, /* Return what usages the certificate is valid michael@0: for. Returned in value.scalar.usages */ michael@0: cert_po_keyUsage = 7, /* Return what key usages the certificate michael@0: * is valid for. michael@0: * Returned in value.scalar.usage */ michael@0: cert_po_extendedKeyusage= 8, /* Return what extended key usages the michael@0: * certificate is valid for. michael@0: * Returned in value.array.oids */ michael@0: cert_po_max /* SPECIAL: signifies maximum allowed value, michael@0: * can increase in future releases */ michael@0: michael@0: } CERTValParamOutType; michael@0: michael@0: typedef enum { michael@0: cert_revocation_method_crl = 0, michael@0: cert_revocation_method_ocsp, michael@0: cert_revocation_method_count michael@0: } CERTRevocationMethodIndex; michael@0: michael@0: michael@0: /* michael@0: * The following flags are supposed to be used to control bits in michael@0: * each integer contained in the array pointed to be: michael@0: * CERTRevocationTests.cert_rev_flags_per_method michael@0: * All Flags are prefixed by CERT_REV_M_, where _M_ indicates michael@0: * this is a method dependent flag. michael@0: */ michael@0: michael@0: /* michael@0: * Whether or not to use a method for revocation testing. michael@0: * If set to "do not test", then all other flags are ignored. michael@0: */ michael@0: #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL michael@0: #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL michael@0: michael@0: /* michael@0: * Whether or not NSS is allowed to attempt to fetch fresh information michael@0: * from the network. michael@0: * (Although fetching will never happen if fresh information for the michael@0: * method is already locally available.) michael@0: */ michael@0: #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL michael@0: #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL michael@0: michael@0: /* michael@0: * Example for an implicit default source: michael@0: * The globally configured default OCSP responder. michael@0: * IGNORE means: michael@0: * ignore the implicit default source, whether it's configured or not. michael@0: * ALLOW means: michael@0: * if an implicit default source is configured, michael@0: * then it overrides any available or missing source in the cert. michael@0: * if no implicit default source is configured, michael@0: * then we continue to use what's available (or not available) michael@0: * in the certs. michael@0: */ michael@0: #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL michael@0: #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL michael@0: michael@0: /* michael@0: * Defines the behavior if no fresh information is available, michael@0: * fetching from the network is allowed, but the source of revocation michael@0: * information is unknown (even after considering implicit sources, michael@0: * if allowed by other flags). michael@0: * SKIPT_TEST means: michael@0: * We ignore that no fresh information is available and michael@0: * skip this test. michael@0: * REQUIRE_INFO means: michael@0: * We still require that fresh information is available. michael@0: * Other flags define what happens on missing fresh info. michael@0: */ michael@0: #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL michael@0: #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL michael@0: michael@0: /* michael@0: * Defines the behavior if we are unable to obtain fresh information. michael@0: * INGORE means: michael@0: * Return "cert status unknown" michael@0: * FAIL means: michael@0: * Return "cert revoked". michael@0: */ michael@0: #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL michael@0: #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL michael@0: michael@0: /* michael@0: * What should happen if we were able to find fresh information using michael@0: * this method, and the data indicated the cert is good? michael@0: * STOP_TESTING means: michael@0: * Our success is sufficient, do not continue testing michael@0: * other methods. michael@0: * CONTINUE_TESTING means: michael@0: * We will continue and test the next allowed michael@0: * specified method. michael@0: */ michael@0: #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL michael@0: #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL michael@0: michael@0: /* When this flag is used, libpkix will never attempt to use the GET HTTP michael@0: * method for OCSP requests; it will always use POST. michael@0: */ michael@0: #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL michael@0: michael@0: /* michael@0: * The following flags are supposed to be used to control bits in michael@0: * CERTRevocationTests.cert_rev_method_independent_flags michael@0: * All Flags are prefixed by CERT_REV_M_, where _M_ indicates michael@0: * this is a method independent flag. michael@0: */ michael@0: michael@0: /* michael@0: * This defines the order to checking. michael@0: * EACH_METHOD_SEPARATELY means: michael@0: * Do all tests related to a particular allowed method michael@0: * (both local information and network fetching) in a single step. michael@0: * Only after testing for a particular method is done, michael@0: * then switching to the next method will happen. michael@0: * ALL_LOCAL_INFORMATION_FIRST means: michael@0: * Start by testing the information for all allowed methods michael@0: * which are already locally available. Only after that is done michael@0: * consider to fetch from the network (as allowed by other flags). michael@0: */ michael@0: #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL michael@0: #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL michael@0: michael@0: /* michael@0: * Use this flag to specify that it's necessary that fresh information michael@0: * is available for at least one of the allowed methods, but it's michael@0: * irrelevant which of the mechanisms succeeded. michael@0: * NO_OVERALL_INFO_REQUIREMENT means: michael@0: * We strictly follow the requirements for each individual method. michael@0: * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: michael@0: * After the individual tests have been executed, we must have michael@0: * been able to find fresh information using at least one method. michael@0: * If we were unable to find fresh info, it's a failure. michael@0: * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO michael@0: * flag on all methods. michael@0: */ michael@0: #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL michael@0: #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL michael@0: michael@0: michael@0: typedef struct { michael@0: /* michael@0: * The size of the array that cert_rev_flags_per_method points to, michael@0: * meaning, the number of methods that are known and defined michael@0: * by the caller. michael@0: */ michael@0: PRUint32 number_of_defined_methods; michael@0: michael@0: /* michael@0: * A pointer to an array of integers. michael@0: * Each integer defines revocation checking for a single method, michael@0: * by having individual CERT_REV_M_* bits set or not set. michael@0: * The meaning of index numbers into this array are defined by michael@0: * enum CERTRevocationMethodIndex michael@0: * The size of the array must be specified by the caller in the separate michael@0: * variable number_of_defined_methods. michael@0: * The size of the array may be smaller than michael@0: * cert_revocation_method_count, it can happen if a caller michael@0: * is not yet aware of the latest revocation methods michael@0: * (or does not want to use them). michael@0: */ michael@0: PRUint64 *cert_rev_flags_per_method; michael@0: michael@0: /* michael@0: * How many preferred methods are specified? michael@0: * This is equivalent to the size of the array that michael@0: * preferred_revocation_methods points to. michael@0: * It's allowed to set this value to zero, michael@0: * then NSS will decide which methods to prefer. michael@0: */ michael@0: PRUint32 number_of_preferred_methods; michael@0: michael@0: /* Array that may specify an optional order of preferred methods. michael@0: * Each array entry shall contain a method identifier as defined michael@0: * by CERTRevocationMethodIndex. michael@0: * The entry at index [0] specifies the method with highest preferrence. michael@0: * These methods will be tested first for locally available information. michael@0: * Methods allowed for downloading will be attempted in the same order. michael@0: */ michael@0: CERTRevocationMethodIndex *preferred_methods; michael@0: michael@0: /* michael@0: * An integer which defines certain aspects of revocation checking michael@0: * (independent of individual methods) by having individual michael@0: * CERT_REV_MI_* bits set or not set. michael@0: */ michael@0: PRUint64 cert_rev_method_independent_flags; michael@0: } CERTRevocationTests; michael@0: michael@0: typedef struct { michael@0: CERTRevocationTests leafTests; michael@0: CERTRevocationTests chainTests; michael@0: } CERTRevocationFlags; michael@0: michael@0: typedef struct CERTValParamInValueStr { michael@0: union { michael@0: PRBool b; michael@0: PRInt32 i; michael@0: PRUint32 ui; michael@0: PRInt64 l; michael@0: PRUint64 ul; michael@0: PRTime time; michael@0: } scalar; michael@0: union { michael@0: const void* p; michael@0: const char* s; michael@0: const CERTCertificate* cert; michael@0: const CERTCertList *chain; michael@0: const CERTRevocationFlags *revocation; michael@0: const CERTChainVerifyCallback *chainVerifyCallback; michael@0: } pointer; michael@0: union { michael@0: const PRInt32 *pi; michael@0: const PRUint32 *pui; michael@0: const PRInt64 *pl; michael@0: const PRUint64 *pul; michael@0: const SECOidTag *oids; michael@0: } array; michael@0: int arraySize; michael@0: } CERTValParamInValue; michael@0: michael@0: michael@0: typedef struct CERTValParamOutValueStr { michael@0: union { michael@0: PRBool b; michael@0: PRInt32 i; michael@0: PRUint32 ui; michael@0: PRInt64 l; michael@0: PRUint64 ul; michael@0: SECCertificateUsage usages; michael@0: } scalar; michael@0: union { michael@0: void* p; michael@0: char* s; michael@0: CERTVerifyLog *log; michael@0: CERTCertificate* cert; michael@0: CERTCertList *chain; michael@0: } pointer; michael@0: union { michael@0: void *p; michael@0: SECOidTag *oids; michael@0: } array; michael@0: int arraySize; michael@0: } CERTValParamOutValue; michael@0: michael@0: typedef struct { michael@0: CERTValParamInType type; michael@0: CERTValParamInValue value; michael@0: } CERTValInParam; michael@0: michael@0: typedef struct { michael@0: CERTValParamOutType type; michael@0: CERTValParamOutValue value; michael@0: } CERTValOutParam; michael@0: michael@0: /* michael@0: * Levels of standards conformance strictness for CERT_NameToAsciiInvertible michael@0: */ michael@0: typedef enum CertStrictnessLevels { michael@0: CERT_N2A_READABLE = 0, /* maximum human readability */ michael@0: CERT_N2A_STRICT = 10, /* strict RFC compliance */ michael@0: CERT_N2A_INVERTIBLE = 20 /* maximum invertibility, michael@0: all DirectoryStrings encoded in hex */ michael@0: } CertStrictnessLevel; michael@0: michael@0: /* michael@0: * policy flag defines michael@0: */ michael@0: #define CERT_POLICY_FLAG_NO_MAPPING 1 michael@0: #define CERT_POLICY_FLAG_EXPLICIT 2 michael@0: #define CERT_POLICY_FLAG_NO_ANY 4 michael@0: michael@0: /* michael@0: * CertStore flags michael@0: */ michael@0: #define CERT_ENABLE_LDAP_FETCH 1 michael@0: #define CERT_ENABLE_HTTP_FETCH 2 michael@0: michael@0: /* This functin pointer type may be used for any function that takes michael@0: * a CERTCertificate * and returns an allocated string, which must be michael@0: * freed by a call to PORT_Free. michael@0: */ michael@0: typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert); michael@0: michael@0: /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ michael@0: michael@0: #include "secasn1t.h" /* way down here because I expect template stuff to michael@0: * move out of here anyway */ michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: extern const SEC_ASN1Template CERT_CertificateRequestTemplate[]; michael@0: extern const SEC_ASN1Template CERT_CertificateTemplate[]; michael@0: extern const SEC_ASN1Template SEC_SignedCertificateTemplate[]; michael@0: extern const SEC_ASN1Template CERT_CertExtensionTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[]; michael@0: extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[]; michael@0: extern const SEC_ASN1Template CERT_TimeChoiceTemplate[]; michael@0: extern const SEC_ASN1Template CERT_ValidityTemplate[]; michael@0: extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[]; michael@0: extern const SEC_ASN1Template SEC_CertSequenceTemplate[]; michael@0: michael@0: extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[]; michael@0: extern const SEC_ASN1Template CERT_NameTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[]; michael@0: extern const SEC_ASN1Template CERT_RDNTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SignedDataTemplate[]; michael@0: extern const SEC_ASN1Template CERT_CrlTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SignedCrlTemplate[]; michael@0: michael@0: /* michael@0: ** XXX should the attribute stuff be centralized for all of ns/security? michael@0: */ michael@0: extern const SEC_ASN1Template CERT_AttributeTemplate[]; michael@0: extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[]; michael@0: michael@0: /* These functions simply return the address of the above-declared templates. michael@0: ** This is necessary for Windows DLLs. Sigh. michael@0: */ michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate) michael@0: SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate) michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* _CERTT_H_ */