/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * certt.h - public data structures for the certificate library
 *
 * (The include guard below is _PCERTT_H_, so this is the "pcertt"
 * variant of the header: the low-level certificate / legacy
 * certificate-database types, not the public cert.h ones.)
 *
 * Two kinds of things are declared here:
 *   - in-memory objects (NSSLOWCERT*Str)
 *   - the layout of legacy certificate-database entries (certDBEntry*),
 *     described by byte-offset tables next to each struct.
 *
 * In the on-disk tables, every "*-msb"/"*-lsb" pair is a two-byte length
 * stored most-significant byte first, i.e. big-endian 16-bit.  Any code
 * that decodes such an entry must check every length field against the
 * number of bytes actually present in the entry before it reads the
 * variable-length data that follows the fixed header.
 */
#ifndef _PCERTT_H_
#define _PCERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "nssilock.h"
#include "prio.h"
#include "prmon.h"

/* Non-opaque objects */
typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;

typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
/* NSSLOWCERTCertificateListStr is only forward-declared here; its body is
 * not in this header. */
typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN;
typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData;
typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo;
typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity;

/*
** An X.509 validity object: the notBefore / notAfter pair of a
** certificate, held as raw SECItems (the encoded time values are not
** interpreted at this level).
*/
struct NSSLOWCERTValidityStr {
    PLArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};

/*
 * A serial number and issuer name, which is used as a database key.
 * (Compare NSSLOWCERTIssuerAndSNStr below, which carries the same two
 * items in the opposite order.)
 */
struct NSSLOWCERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: the to-be-signed bytes, the algorithm that
** signed them, and the signature itself.
*/
struct NSSLOWCERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};

/*
** An X.509 subject-public-key-info object
*/
struct NSSLOWCERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};

typedef struct _certDBEntryCert certDBEntryCert;
typedef struct _certDBEntryRevocation certDBEntryRevocation;

/*
** Trust flags for the three usages the legacy database tracks.  Each
** field is a bit set built from the CERTDB_* values at the end of this
** header.
*/
struct NSSLOWCERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};

/*
** PKCS11 Trust representation
*/
struct NSSLOWCERTTrustStr {
    NSSLOWCERTTrust *next;
    NSSLOWCERTCertDBHandle *dbhandle;
    SECItem dbKey; /* database key for this cert */
    certDBEntryCert *dbEntry; /* database entry struct */
    NSSLOWCERTCertTrust *trust;
    SECItem *derCert; /* original DER for the cert */
    /* Inline scratch storage, presumably backing dbKey when the key is
     * short enough — confirm against the code that fills dbKey.  Note it
     * is far smaller than NSS_MAX_LEGACY_DB_KEY_SIZE, so it cannot be
     * assumed to hold every key. */
    unsigned char dbKeySpace[512];
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct NSSLOWCERTCertificateStr {
    /* NOTE(review): the original comment here described an arena that
     * owns everything with the same lifetime as the cert ("all freed at
     * the same time", used when the cert is decoded, destroyed and on
     * some state changes), but this struct has no arena member.  Where
     * the per-cert data actually lives has to be confirmed from the
     * code that creates these objects.
     */
    NSSLOWCERTCertificate *next;
    NSSLOWCERTCertDBHandle *dbhandle;

    SECItem derCert; /* original DER for the cert */
    SECItem derIssuer; /* DER for issuer name */
    SECItem derSN;
    SECItem serialNumber;
    SECItem derSubject; /* DER for subject name */
    SECItem derSubjKeyInfo;
    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
    SECItem certKey; /* database key for this cert */
    SECItem validity;
    certDBEntryCert *dbEntry; /* database entry struct */
    SECItem subjectKeyID; /* x509v3 subject key identifier */
    SECItem extensions;
    char *nickname;
    char *emailAddr;
    NSSLOWCERTCertTrust *trust;

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate.  It is a plain int, not an atomic;
     * whatever lock protects it is defined by the users of this struct,
     * not by this header — confirm before touching it from more than
     * one thread.
     */
    int referenceCount;

    /* Inline scratch storage for the three items above of the same name
     * (nickname, emailAddr, certKey); presumably used only when the value
     * fits — confirm against the code that fills them. */
    char nicknameSpace[200];
    char emailAddrSpace[200];
    unsigned char certKeySpace[512];
};

/* X.509 version field values as they appear on the wire (v1 == 0). */
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */

#define SEC_CRL_VERSION_1 0 /* default */
#define SEC_CRL_VERSION_2 1 /* v2 extensions */

/* Upper bound (60 KiB) on a legacy database key; much larger than the
 * 512-byte *Space buffers embedded in the structs above. */
#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)

/* Issuer name plus serial number — the pair that identifies a
 * certificate within its issuer's namespace. */
struct NSSLOWCERTIssuerAndSNStr {
    SECItem derIssuer;
    SECItem serialNumber;
};

/* Callback invoked once per certificate; arg is passed through untouched. */
typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);

/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
/* callback to return database name based on version number */
typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);

/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h" /* way down here because I expect template stuff to
                       * move out of here anyway */

/*
 * Certificate Database related definitions and data structures
 */

/* version number of certificate database */
#define CERT_DB_FILE_VERSION 8
#define CERT_DB_V7_FILE_VERSION 7
#define CERT_DB_CONTENT_VERSION 2

/* SEC_DB_ENTRY_HEADER_LEN is the size of the common 3-byte header laid
 * out in the table just below (version, type, flags). */
#define SEC_DB_ENTRY_HEADER_LEN 3
#define SEC_DB_KEY_HEADER_LEN 1

/* All database entries have this form:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               version
 *      1               type
 *      2               flags
 */

/* database entry types */
typedef enum {
    certDBEntryTypeVersion = 0,
    certDBEntryTypeCert = 1,
    certDBEntryTypeNickname = 2,
    certDBEntryTypeSubject = 3,
    certDBEntryTypeRevocation = 4,
    certDBEntryTypeKeyRevocation = 5,
    certDBEntryTypeSMimeProfile = 6,
    certDBEntryTypeContentVersion = 7,
    certDBEntryTypeBlob = 8
} certDBEntryType;

/* In-memory form of the common header above, plus the arena the entry's
 * variable-length data is allocated from.  Every certDBEntry* struct
 * below starts with one of these, which is what makes the certDBEntry
 * union usable through its .common member. */
typedef struct {
    certDBEntryType type;
    unsigned int version;
    unsigned int flags;
    PLArenaPool *arena;
} certDBEntryCommon;

/*
 * Certificate entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               sslFlags-msb
 *      1               sslFlags-lsb
 *      2               emailFlags-msb
 *      3               emailFlags-lsb
 *      4               objectSigningFlags-msb
 *      5               objectSigningFlags-lsb
 *      6               derCert-len-msb
 *      7               derCert-len-lsb
 *      8               nickname-len-msb
 *      9               nickname-len-lsb
 *      ...             derCert
 *      ...             nickname
 *
 * (The fixed part is 10 bytes: see DB_CERT_ENTRY_HEADER_LEN below.)
 *
 * NOTE: the nickname string as stored in the database is null terminated,
 * in other words, the last byte of the db entry is always 0
 * if a nickname is present.
 * NOTE: if nickname is not present, then nickname-len-msb and
 * nickname-len-lsb will both be zero.
 */
struct _certDBEntryCert {
    certDBEntryCommon common;
    certDBEntryCert *next;
    NSSLOWCERTCertTrust trust;
    SECItem derCert;
    char *nickname;
    /* Inline storage for nickname / derCert; presumably used only when the
     * value fits, otherwise the arena in common — confirm with the decoder. */
    char nicknameSpace[200];
    unsigned char derCertSpace[2048];
};

/*
 * Certificate Nickname entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               subjectname-len-msb
 *      1               subjectname-len-lsb
 *      2...            subjectname
 *
 * The database key for this type of entry is a nickname string
 * The "subjectname" value is the DER encoded DN of the identity
 * that matches this nickname.
 */
typedef struct {
    certDBEntryCommon common;
    char *nickname;
    SECItem subjectName;
} certDBEntryNickname;

/* fixed part of a nickname entry: the 2-byte subjectname length */
#define DB_NICKNAME_ENTRY_HEADER_LEN 2

/*
 * Certificate Subject entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               ncerts-msb
 *      1               ncerts-lsb
 *      2               nickname-msb
 *      3               nickname-lsb
 *      4               emailAddr-msb
 *      5               emailAddr-lsb
 *      ...             nickname
 *      ...             emailAddr
 *      ...+2*i         certkey-len-msb
 *      ...+1+2*i       certkey-len-lsb
 *      ...+2*ncerts+2*i        keyid-len-msb
 *      ...+1+2*ncerts+2*i      keyid-len-lsb
 *      ...             certkeys
 *      ...             keyids
 *
 * The database key for this type of entry is the DER encoded subject name
 * The "certkey" value is an array of certificate database lookup keys that
 * points to the database entries for the certificates that match
 * this subject.
 *
 * NOTE(review): the table shows a single emailAddr length, while the
 * struct below carries an array (emailAddrs / nemailAddrs); the table may
 * describe an older on-disk form — confirm against the encoder/decoder.
 * A decoder must also check ncerts against the entry size before
 * walking the 2*ncerts certkey and keyid length fields.
 */
typedef struct _certDBEntrySubject {
    certDBEntryCommon common;
    SECItem derSubject;
    unsigned int ncerts;
    char *nickname;
    SECItem *certKeys;
    SECItem *keyIDs;
    char **emailAddrs;
    unsigned int nemailAddrs;
} certDBEntrySubject;

/* fixed part of a subject entry: bytes 0..5 of the table above */
#define DB_SUBJECT_ENTRY_HEADER_LEN 6

/*
 * Certificate SMIME profile entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               subjectname-len-msb
 *      1               subjectname-len-lsb
 *      2               smimeoptions-len-msb
 *      3               smimeoptions-len-lsb
 *      4               options-date-len-msb
 *      5               options-date-len-lsb
 *      6...            subjectname
 *      ...             smimeoptions
 *      ...             options-date
 *
 * The database key for this type of entry is the email address string
 * The "subjectname" value is the DER encoded DN of the identity
 * that matches this nickname.
 * The "smimeoptions" value is a string that represents the algorithm
 * capabilities on the remote user.
 * The "options-date" is the date that the smime options value was created.
 * This is generally the signing time of the signed message that contained
 * the options.  It is a UTCTime value.
 */
typedef struct {
    certDBEntryCommon common;
    char *emailAddr;
    SECItem subjectName;
    SECItem smimeOptions;
    SECItem optionsDate;
} certDBEntrySMime;

/* fixed part of an S/MIME entry: bytes 0..5 of the table above */
#define DB_SMIME_ENTRY_HEADER_LEN 6

/*
 * Crl/krl entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               derCert-len-msb
 *      1               derCert-len-lsb
 *      2               url-len-msb
 *      3               url-len-lsb
 *      ...             derCert
 *      ...             url
 *
 * (The "derCert" bytes are the encoded CRL; the struct stores them as
 * derCrl.)
 *
 * NOTE: the url string as stored in the database is null terminated,
 * in other words, the last byte of the db entry is always 0
 * if a url is present.
 * NOTE: if url is not present, then url-len-msb and
 * url-len-lsb will both be zero.
 */
#define DB_CRL_ENTRY_HEADER_LEN 4
struct _certDBEntryRevocation {
    certDBEntryCommon common;
    SECItem derCrl;
    char *url; /* where to load the crl from */
};

/*
 * Database Version Entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      only the low level header...
 *
 * The database key for this type of entry is the string "Version"
 */
typedef struct {
    certDBEntryCommon common;
} certDBEntryVersion;

#define SEC_DB_VERSION_KEY "Version"
/* sizeof a string literal counts the terminating NUL, so this is 8, not 7. */
#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)

/*
 * Database Content Version Entry:
 *
 *      byte offset     field
 *      -----------     -----
 *      0               contentVersion
 *
 * The database key for this type of entry is the string "ContentVersion"
 */
typedef struct {
    certDBEntryCommon common;
    /* one byte per the table above; plain char, so its signedness is
     * implementation-defined — compare it as a small unsigned value. */
    char contentVersion;
} certDBEntryContentVersion;

#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
/* includes the terminating NUL, like SEC_DB_VERSION_KEY_LEN */
#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)

/* One object that can hold any entry type; common.type says which
 * member is live.  certDBEntryCert is by far the largest member (it
 * embeds derCertSpace[2048]), so that is the size of every union. */
typedef union {
    certDBEntryCommon common;
    certDBEntryCert cert;
    certDBEntryContentVersion content;
    certDBEntryNickname nickname;
    certDBEntryRevocation revocation;
    certDBEntrySMime smime;
    certDBEntrySubject subject;
    certDBEntryVersion version;
} certDBEntry;

/* length of the fixed part of a database entry */
#define DBCERT_V4_HEADER_LEN 7
#define DB_CERT_V5_ENTRY_HEADER_LEN 7
#define DB_CERT_V6_ENTRY_HEADER_LEN 7
/* current cert entry: bytes 0..9 of the "Certificate entry" table */
#define DB_CERT_ENTRY_HEADER_LEN 10

/* common flags for all types of certificates */
#define CERTDB_TERMINAL_RECORD (1u<<0)
#define CERTDB_TRUSTED (1u<<1)
#define CERTDB_SEND_WARN (1u<<2)
#define CERTDB_VALID_CA (1u<<3)
#define CERTDB_TRUSTED_CA (1u<<4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA (1u<<5)
#define CERTDB_USER (1u<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1u<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1u<<9) /* can do strong crypto in export ver */
#define CERTDB_MUST_VERIFY (1u<<10) /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN (1u<<11) /* accept trust from another source */

/* bits not affected by the CKO_NETSCAPE_TRUST object */
#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
        CERTDB_GOVT_APPROVED_CA)

#endif /* _PCERTT_H_ */