Merge NSS_3_14_2_RTM.

mozilla/security/nss/lib/certdb/certt.h

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.57 2012/09/28 23:40:14 rrelyea%redhat.com Exp $
+ * $Id: certt.h,v 1.58 2013/01/07 03:56:12 ryan.sleevi%gmail.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
 #include "secoidt.h"
 #include "plarena.h"
@@ skipping 930 matching lines @@
    cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
                                  * Set in value.scalar.ui */
    cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
                                  * validate against. 
                                  * The default set of trusted roots, these are
                                  * root CA certs from libnssckbi.so or CA
                                  * certs trusted by user, are used in any of
                                  * the following cases:
                                  *      * when the parameter is not set.
                                  *      * when the list of trust anchors is empty.
+                                 * Note that this handling can be further altered by altering the
+                                 * cert_pi_useOnlyTrustAnchors flag
                                  * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
                                  * In NSS 3.12.1 or later. Default is off.
                                  * Value is in value.scalar.b */
    cert_pi_chainVerifyCallback = 13,
                                 /* The callback container for doing extra
                                  * validation on the currently calculated chain.
                                  * Value is in value.pointer.chainVerifyCallback */
+   cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
+                                 * certificates other than the ones passed in via cert_pi_trustAnchors.
+                                 * If false, then the certificates specified via cert_pi_trustAnchors
+                                 * will be combined with the pre-existing trusted roots, but only for
+                                 * the certificate validation being performed.
+                                 * If no value has been supplied via cert_pi_trustAnchors, this has no
+                                 * effect.
+                                 * The default value is true, meaning if this is not supplied, only
+                                 * trust anchors supplied via cert_pi_trustAnchors are trusted.
+                                 * Specified in value.scalar.b */
    cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
                                  *  can increase in future releases */
 } CERTValParamInType;
 
 /*
  * for all out parameters:
  *  out parameters are only returned if the caller asks for them in
  *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
  *  array itself. The pkix verify function will allocate and other arrays
  *  pointers, or objects. The Caller is responsible for freeing those results.
@@ skipping 348 matching lines @@
 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
 
 SEC_END_PROTOS
 
 #endif /* _CERTT_H_ */