Change the NSS and NSPR source tree to the new directory structure to be

mozilla/security/nss/lib/certdb/cert.h

-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * cert.h - public data structures and prototypes for the certificate library
- *
- * $Id: cert.h,v 1.91 2012/09/28 16:05:02 wtc%google.com Exp $
- */
-
-#ifndef _CERT_H_
-#define _CERT_H_
-
-#include "utilrename.h"
-#include "plarena.h"
-#include "plhash.h"
-#include "prlong.h"
-#include "prlog.h"
-
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "keyt.h"
-#include "certt.h"
-
-SEC_BEGIN_PROTOS
-   
-/****************************************************************************
- *
- * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
- *
- ****************************************************************************/
-
-/*
-** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
-*/
-extern CERTName *CERT_AsciiToName(const char *string);
-
-/*
-** Convert an CERTName into its RFC1485 encoded equivalent.
-** Returns a string that must be freed with PORT_Free().
-** This version produces a string for maximum human readability,
-** not for strict RFC compliance.
-*/
-extern char *CERT_NameToAscii(CERTName *name);
-
-/*
-** Convert an CERTName into its RFC1485 encoded equivalent.
-** Returns a string that must be freed with PORT_Free().
-** Caller chooses encoding rules.
-*/
-extern char *CERT_NameToAsciiInvertible(CERTName *name, 
-                                        CertStrictnessLevel strict);
-
-extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
-
-/* convert an OID to dotted-decimal representation */
-/* Returns a string that must be freed with PR_smprintf_free(). */
-extern char * CERT_GetOidString(const SECItem *oid);
-
-/*
-** Examine an AVA and return the tag that refers to it. The AVA tags are
-** defined as SEC_OID_AVA*.
-*/
-extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
-
-/*
-** Compare two AVA's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
-
-/*
-** Create an RDN (relative-distinguished-name). The argument list is a
-** NULL terminated list of AVA's.
-*/
-extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
-
-/*
-** Make a copy of "src" storing it in "dest".
-*/
-extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
-
-/*
-** Destory an RDN object.
-**      "rdn" the RDN to destroy
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
-
-/*
-** Add an AVA to an RDN.
-**      "rdn" the RDN to add to
-**      "ava" the AVA to add
-*/
-extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
-
-/*
-** Compare two RDN's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b);
-
-/*
-** Create an X.500 style name using a NULL terminated list of RDN's.
-*/
-extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
-
-/*
-** Make a copy of "src" storing it in "dest". Memory is allocated in
-** "dest" for each of the appropriate sub objects. Memory is not freed in
-** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
-** do that).
-*/
-extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, CERTName *src);
-
-/*
-** Destroy a Name object.
-**      "name" the CERTName to destroy
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyName(CERTName *name);
-
-/*
-** Add an RDN to a name.
-**      "name" the name to add the RDN to
-**      "rdn" the RDN to add to name
-*/
-extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
-
-/*
-** Compare two names, returning the difference between them.
-*/
-extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);
-
-/*
-** Convert a CERTName into something readable
-*/
-extern char *CERT_FormatName (CERTName *name);
-
-/*
-** Convert a der-encoded integer to a hex printable string form.
-** Perhaps this should be a SEC function but it's only used for certs.
-*/
-extern char *CERT_Hexify (SECItem *i, int do_colon);
-
-/*
-** Converts DER string (with explicit length) into zString, if destination 
-** buffer is big enough to receive it.  Does quoting and/or escaping as 
-** specified in RFC 1485.  Input string must be single or multi-byte DER
-** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set.
-** Returns SECSuccess or SECFailure with error code set. If output buffer
-** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
-*/
-extern SECStatus
-CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen);
-
-/******************************************************************************
- *
- * Certificate handling operations
- *
- *****************************************************************************/
-
-/*
-** Create a new validity object given two unix time values.
-**      "notBefore" the time before which the validity is not valid
-**      "notAfter" the time after which the validity is not valid
-*/
-extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
-
-/*
-** Destroy a validity object.
-**      "v" the validity to destroy
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyValidity(CERTValidity *v);
-
-/*
-** Copy the "src" object to "dest". Memory is allocated in "dest" for
-** each of the appropriate sub-objects. Memory in "dest" is not freed
-** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
-** that).
-*/
-extern SECStatus CERT_CopyValidity
-   (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src);
-
-/*
-** The cert lib considers a cert or CRL valid if the "notBefore" time is
-** in the not-too-distant future, e.g. within the next 24 hours. This 
-** prevents freshly issued certificates from being considered invalid
-** because the local system's time zone is incorrectly set.  
-** The amount of "pending slop time" is adjustable by the application.
-** Units of SlopTime are seconds.  Default is 86400  (24 hours).
-** Negative SlopTime values are not allowed.
-*/
-PRInt32 CERT_GetSlopTime(void);
-
-SECStatus CERT_SetSlopTime(PRInt32 slop);
-
-/*
-** Create a new certificate object. The result must be wrapped with an
-** CERTSignedData to create a signed certificate.
-**      "serialNumber" the serial number
-**      "issuer" the name of the certificate issuer
-**      "validity" the validity period of the certificate
-**      "req" the certificate request that prompted the certificate issuance
-*/
-extern CERTCertificate *
-CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
-                        CERTValidity *validity, CERTCertificateRequest *req);
-
-/*
-** Destroy a certificate object
-**      "cert" the certificate to destroy
-** NOTE: certificate's are reference counted. This call decrements the
-** reference count, and if the result is zero, then the object is destroyed
-** and optionally freed.
-*/
-extern void CERT_DestroyCertificate(CERTCertificate *cert);
-
-/*
-** Make a shallow copy of a certificate "c". Just increments the
-** reference count on "c".
-*/
-extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
-
-/*
-** Create a new certificate request. This result must be wrapped with an
-** CERTSignedData to create a signed certificate request.
-**      "name" the subject name (who the certificate request is from)
-**      "spki" describes/defines the public key the certificate is for
-**      "attributes" if non-zero, some optional attribute data
-*/
-extern CERTCertificateRequest *
-CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
-                               SECItem **attributes);
-
-/*
-** Destroy a certificate-request object
-**      "r" the certificate-request to destroy
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
-
-/*
-** Start adding extensions to a certificate request.
-*/
-void *
-CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
-
-/*
-** Reformat the certificate extension list into a CertificateRequest
-** attribute list.
-*/
-SECStatus
-CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
-
-/*
-** Extract the Extension Requests from a DER CertRequest attribute list.
-*/
-SECStatus
-CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
-                                     CERTCertExtension ***exts);
-
-/*
-** Extract a public key object from a certificate
-*/
-extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
-
-/*
-** Retrieve the Key Type associated with the cert we're dealing with
-*/
-
-extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
-
-/*
-** Initialize the certificate database.  This is called to create
-**  the initial list of certificates in the database.
-*/
-extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
-
-extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
-
-/*
-** Default certificate database routines
-*/
-extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
-
-extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
-
-extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, 
-                                               PRTime time, 
-                                               SECCertUsage usage);
-extern CERTCertificate *
-CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
-                         char *nickname, PRBool isperm, PRBool copyDER);
-
-
-/******************************************************************************
- *
- * X.500 Name handling operations
- *
- *****************************************************************************/
-
-/*
-** Create an AVA (attribute-value-assertion)
-**      "arena" the memory arena to alloc from
-**      "kind" is one of SEC_OID_AVA_*
-**      "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
-**         DER_T61_STRING
-**      "value" is the null terminated string containing the value
-*/
-extern CERTAVA *CERT_CreateAVA
-   (PLArenaPool *arena, SECOidTag kind, int valueType, char *value);
-
-/*
-** Extract the Distinguished Name from a DER encoded certificate
-**      "derCert" is the DER encoded certificate
-**      "derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
-
-/*
-** Extract the Issuers Distinguished Name from a DER encoded certificate
-**      "derCert" is the DER encoded certificate
-**      "derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, 
-                                            SECItem *derName);
-
-extern SECItem *
-CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
-                       PLArenaPool *arena);
-
-extern CERTGeneralName *
-CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
-                       CERTGeneralName  *genName);
-
-
-
-/*
-** Generate a database search key for a certificate, based on the
-** issuer and serial number.
-**      "arena" the memory arena to alloc from
-**      "derCert" the DER encoded certificate
-**      "key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
-                                     SECItem *key);
-
-extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
-                                         SECItem *sn, SECItem *key);
-
-extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, 
-                                                SECItem *derName);
-
-
-/*
-** Generate a database search key for a crl, based on the
-** issuer.
-**      "arena" the memory arena to alloc from
-**      "derCrl" the DER encoded crl
-**      "key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);
-
-/*
-** Open the certificate database.  Use callback to get name of database.
-*/
-extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
-                                 CERTDBNameFunc namecb, void *cbarg);
-
-/* Open the certificate database.  Use given filename for database. */
-extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
-                                         char *certdbname, PRBool readOnly);
-
-/*
-** Open and initialize a cert database that is entirely in memory.  This
-** can be used when the permanent database can not be opened or created.
-*/
-extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
-
-/*
-** Extract the list of host names, host name patters, IP address strings
-** this cert is valid for.
-** This function does NOT return nicknames.
-** Type CERTCertNicknames is being used because it's a convenient 
-** data structure to carry a list of strings and its count.
-*/
-extern CERTCertNicknames *
-  CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
-
-/*
-** Check the hostname to make sure that it matches the shexp that
-** is given in the common name of the certificate.
-*/
-extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Add a domain name to the list of names that the user has explicitly
-** allowed (despite cert name mismatches) for use with a server cert.
-*/
-extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Decode a DER encoded certificate into an CERTCertificate structure
-**      "derSignedCert" is the DER encoded signed certificate
-**      "copyDER" is true if the DER should be copied, false if the
-**              existing copy should be referenced
-**      "nickname" is the nickname to use in the database.  If it is NULL
-**              then a temporary nickname is generated.
-*/
-extern CERTCertificate *
-CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
-/*
-** Decode a DER encoded CRL into a CERTSignedCrl structure
-**      "derSignedCrl" is the DER encoded signed CRL.
-**      "type" must be SEC_CRL_TYPE.
-*/
-#define SEC_CRL_TYPE    1
-#define SEC_KRL_TYPE    0 /* deprecated */
-
-extern CERTSignedCrl *
-CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
-
-/*
- * same as CERT_DecodeDERCrl, plus allow options to be passed in
- */
-
-extern CERTSignedCrl *
-CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
-                          int type, PRInt32 options);
-
-/* CRL options to pass */
-
-#define CRL_DECODE_DEFAULT_OPTIONS          0x00000000
-
-/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
-   application must then keep derSignedCrl until it destroys the
-   CRL . Ideally, it should allocate derSignedCrl in an arena
-   and pass that arena in as the first argument to
-   CERT_DecodeDERCrlWithFlags */
-
-#define CRL_DECODE_DONT_COPY_DER            0x00000001
-#define CRL_DECODE_SKIP_ENTRIES             0x00000002
-#define CRL_DECODE_KEEP_BAD_CRL             0x00000004
-#define CRL_DECODE_ADOPT_HEAP_DER           0x00000008
-
-/* complete the decoding of a partially decoded CRL, ie. decode the
-   entries. Note that entries is an optional field in a CRL, so the
-   "entries" pointer in CERTCrlStr may still be NULL even after
-   function returns SECSuccess */
-
-extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
-
-/* Validate CRL then import it to the dbase.  If there is already a CRL with the
- * same CA in the dbase, it will be replaced if derCRL is more up to date.  
- * If the process successes, a CRL will be returned.  Otherwise, a NULL will 
- * be returned. The caller should call PORT_GetError() for the exactly error 
- * code.
- */
-extern CERTSignedCrl *
-CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, 
-                                                int type, void * wincx);
-
-extern void CERT_DestroyCrl (CERTSignedCrl *crl);
-
-/* this is a hint to flush the CRL cache. crlKey is the DER subject of
-   the issuer (CA). */
-void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
-
-/* add the specified DER CRL object to the CRL cache. Doing so will allow
-   certificate verification functions (such as CERT_VerifyCertificate)
-   to automatically find and make use of this CRL object.
-   Once a CRL is added to the CRL cache, the application must hold on to
-   the object's memory, because the cache will reference it directly. The
-   application can only free the object after it calls CERT_UncacheCRL to
-   remove it from the CRL cache.
-*/
-SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
-
-/* remove a previously added CRL object from the CRL cache. It is OK
-   for the application to free the memory after a successful removal
-*/
-SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
-
-/*
-** Find a certificate in the database
-**      "key" is the database key to look for
-*/
-extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
-
-/*
-** Find a certificate in the database by name
-**      "name" is the distinguished name to look up
-*/
-extern CERTCertificate *
-CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
-
-/*
-** Find a certificate in the database by name
-**      "name" is the distinguished name to look up (in ascii)
-*/
-extern CERTCertificate *
-CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
-
-/*
-** Find a certificate in the database by name and keyid
-**      "name" is the distinguished name to look up
-**      "keyID" is the value of the subjectKeyID to match
-*/
-extern CERTCertificate *
-CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
-
-/*
-** Generate a certificate key from the issuer and serialnumber, then look it
-** up in the database.  Return the cert if found.
-**      "issuerAndSN" is the issuer and serial number to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
-
-/*
-** Find a certificate in the database by a subject key ID
-**      "subjKeyID" is the subject Key ID to look for
-*/
-extern CERTCertificate *
-CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
-
-/*
-** Encode Certificate SKID (Subject Key ID) extension.
-**
-*/
-extern SECStatus 
-CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
-                        SECItem *encodedValue);
-
-/*
-** Find a certificate in the database by a nickname
-**      "nickname" is the ascii string nickname to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);
-
-/*
-** Find a certificate in the database by a DER encoded certificate
-**      "derCert" is the DER encoded certificate
-*/
-extern CERTCertificate *
-CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
-
-/*
-** Find a certificate in the database by a email address
-**      "emailAddr" is the email address to look up
-*/
-CERTCertificate *
-CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
-
-/*
-** Find a certificate in the database by a email address or nickname
-**      "name" is the email address or nickname to look up
-*/
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);
-
-/*
-** Find a certificate in the database by a email address or nickname
-** and require it to have the given usage.
-**      "name" is the email address or nickname to look up
-*/
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
-                                           const char *name, 
-                                           SECCertUsage lookingForUsage);
-
-/*
-** Find a certificate in the database by a digest of a subject public key
-**      "spkDigest" is the digest to look up
-*/
-extern CERTCertificate *
-CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
-
-/*
- * Find the issuer of a cert
- */
-CERTCertificate *
-CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);
-
-/*
-** Check the validity times of a certificate vs. time 't', allowing
-** some slop for broken clocks and stuff.
-**      "cert" is the certificate to be checked
-**      "t" is the time to check against
-**      "allowOverride" if true then check to see if the invalidity has
-**              been overridden by the user.
-*/
-extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
-                                                    PRTime t,
-                                                    PRBool allowOverride);
-
-/*
-** WARNING - this function is deprecated, and will either go away or have
-**              a new API in the near future.
-**
-** Check the validity times of a certificate vs. the current time, allowing
-** some slop for broken clocks and stuff.
-**      "cert" is the certificate to be checked
-*/
-extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
-
-/*
-** Extract the validity times from a certificate
-**      "c" is the certificate
-**      "notBefore" is the start of the validity period
-**      "notAfter" is the end of the validity period
-*/
-extern SECStatus
-CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
-
-/*
-** Extract the issuer and serial number from a certificate
-*/
-extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, 
-                                                        CERTCertificate *);
-
-/*
-** verify the signature of a signed data object with a given certificate
-**      "sd" the signed data object to be verified
-**      "cert" the certificate to use to check the signature
-*/
-extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
-                                       CERTCertificate *cert,
-                                       PRTime t,
-                                       void *wincx);
-/*
-** verify the signature of a signed data object with the given DER publickey
-*/
-extern SECStatus
-CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
-                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
-                                       void *wincx);
-
-/*
-** verify the signature of a signed data object with a SECKEYPublicKey.
-*/
-extern SECStatus
-CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
-                                   SECKEYPublicKey *pubKey, void *wincx);
-
-/*
-** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
-** verify a certificate by checking validity times against a certain time,
-** that we trust the issuer, and that the signature on the certificate is
-** valid.
-**      "cert" the certificate to verify
-**      "checkSig" only check signatures if true
-*/
-extern SECStatus
-CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
-                PRBool checkSig, SECCertificateUsage requiredUsages,
-                PRTime t, void *wincx, CERTVerifyLog *log,
-                SECCertificateUsage* returnedUsages);
-
-/* same as above, but uses current time */
-extern SECStatus
-CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-                   PRBool checkSig, SECCertificateUsage requiredUsages,
-                   void *wincx, SECCertificateUsage* returnedUsages);
-
-/*
-** Verify that a CA cert can certify some (unspecified) leaf cert for a given
-** purpose. This is used by UI code to help identify where a chain may be
-** broken and why. This takes identical parameters to CERT_VerifyCert
-*/
-extern SECStatus
-CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
-                PRBool checkSig, SECCertUsage certUsage, PRTime t,
-                void *wincx, CERTVerifyLog *log);
-
-/*
-** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
-** verify a certificate by checking validity times against a certain time,
-** that we trust the issuer, and that the signature on the certificate is
-** valid.
-**      "cert" the certificate to verify
-**      "checkSig" only check signatures if true
-*/
-extern SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-                PRBool checkSig, SECCertUsage certUsage, PRTime t,
-                void *wincx, CERTVerifyLog *log);
-
-/* same as above, but uses current time */
-extern SECStatus
-CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-                   PRBool checkSig, SECCertUsage certUsage, void *wincx);
-
-SECStatus
-CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
-                     PRBool checkSig, SECCertUsage certUsage, PRTime t,
-                     void *wincx, CERTVerifyLog *log);
-
-/*
-** Read a base64 ascii encoded DER certificate and convert it to our
-** internal format.
-**      "certstr" is a null-terminated string containing the certificate
-*/
-extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
-
-/*
-** Read a certificate in some foreign format, and convert it to our
-** internal format.
-**      "certbuf" is the buffer containing the certificate
-**      "certlen" is the length of the buffer
-** NOTE - currently supports netscape base64 ascii encoded raw certs
-**  and netscape binary DER typed files.
-*/
-extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
-
-extern SECStatus
-CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
-
-extern SECStatus
-CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
-
-/*
-** Read a certificate chain in some foreign format, and pass it to a 
-** callback function.
-**      "certbuf" is the buffer containing the certificate
-**      "certlen" is the length of the buffer
-**      "f" is the callback function
-**      "arg" is the callback argument
-*/
-typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
-   (void *arg, SECItem **certs, int numcerts);
-
-extern SECStatus
-CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
-                       void *arg);
-
-/* 
-** Returns the value of an AVA.  This was a formerly static 
-** function that has been exposed due to the need to decode
-** and convert unicode strings to UTF8.  
-**
-** XXX This function resides in certhtml.c, should it be
-** moved elsewhere?
-*/
-extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
-
-
-
-/*
-** extract various element strings from a distinguished name.
-**      "name" the distinguished name
-*/
-
-extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
-
-extern char *CERT_GetCertEmailAddress(CERTName *name);
-
-extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
-
-extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, 
-                                             const char * prev);
-
-/* The return value must be freed with PORT_Free. */
-extern char *CERT_GetCommonName(CERTName *name);
-
-extern char *CERT_GetCountryName(CERTName *name);
-
-extern char *CERT_GetLocalityName(CERTName *name);
-
-extern char *CERT_GetStateName(CERTName *name);
-
-extern char *CERT_GetOrgName(CERTName *name);
-
-extern char *CERT_GetOrgUnitName(CERTName *name);
-
-extern char *CERT_GetDomainComponentName(CERTName *name);
-
-extern char *CERT_GetCertUid(CERTName *name);
-
-/* manipulate the trust parameters of a certificate */
-
-extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
-                      CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
-                            SECCertUsage usage);
-
-/*************************************************************************
- *
- * manipulate the extensions of a certificate
- *
- ************************************************************************/
-
-/*
-** Set up a cert for adding X509v3 extensions.  Returns an opaque handle
-** used by the next two routines.
-**      "cert" is the certificate we are adding extensions to
-*/
-extern void *CERT_StartCertExtensions(CERTCertificate *cert);
-
-/*
-** Add an extension to a certificate.
-**      "exthandle" is the handle returned by the previous function
-**      "idtag" is the integer tag for the OID that should ID this extension
-**      "value" is the value of the extension
-**      "critical" is the critical extension flag
-**      "copyData" is a flag indicating whether the value data should be
-**              copied.
-*/
-extern SECStatus CERT_AddExtension (void *exthandle, int idtag, 
-                        SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
-                         SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_EncodeAndAddExtension
-   (void *exthandle, int idtag, void *value, PRBool critical,
-    const SEC_ASN1Template *atemplate);
-
-extern SECStatus CERT_EncodeAndAddBitStrExtension
-   (void *exthandle, int idtag, SECItem *value, PRBool critical);
-
-
-extern SECStatus
-CERT_EncodeAltNameExtension(PLArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
-
-
-/*
-** Finish adding cert extensions.  Does final processing on extension
-** data, putting it in the right format, and freeing any temporary
-** storage.
-**      "exthandle" is the handle used to add extensions to a certificate
-*/
-extern SECStatus CERT_FinishExtensions(void *exthandle);
-
-/*
-** Merge an external list of extensions into a cert's extension list, adding one
-** only when its OID matches none of the cert's existing extensions. Call this
-** immediately before calling CERT_FinishExtensions().
-*/
-SECStatus
-CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
-
-/* If the extension is found, return its criticality and value.
-** This allocate storage for the returning extension value.
-*/
-extern SECStatus CERT_GetExtenCriticality
-   (CERTCertExtension **extensions, int tag, PRBool *isCritical);
-
-extern void
-CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
-
-/****************************************************************************
- *
- * DER encode and decode extension values
- *
- ****************************************************************************/
-
-/* Encode the value of the basicConstraint extension.
-**      arena - where to allocate memory for the encoded value.
-**      value - extension value to encode
-**      encodedValue - output encoded value
-*/
-extern SECStatus CERT_EncodeBasicConstraintValue
-   (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the authorityKeyIdentifier extension.
-*/
-extern SECStatus CERT_EncodeAuthKeyID
-   (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the crlDistributionPoints extension.
-*/
-extern SECStatus CERT_EncodeCRLDistributionPoints
-   (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
-
-/*
-** Decodes a DER encoded basicConstaint extension value into a readable format
-**      value - decoded value
-**      encodedValue - value to decoded
-*/
-extern SECStatus CERT_DecodeBasicConstraintValue
-   (CERTBasicConstraints *value, SECItem *encodedValue);
-
-/* Decodes a DER encoded authorityKeyIdentifier extension value into a
-** readable format.
-**      arena - where to allocate memory for the decoded value
-**      encodedValue - value to be decoded
-**      Returns a CERTAuthKeyID structure which contains the decoded value
-*/
-extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
-                        (PLArenaPool *arena, SECItem *encodedValue);
-
-
-/* Decodes a DER encoded crlDistributionPoints extension value into a 
-** readable format.
-**      arena - where to allocate memory for the decoded value
-**      der - value to be decoded
-**      Returns a CERTCrlDistributionPoints structure which contains the 
-**          decoded value
-*/
-extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
-   (PLArenaPool *arena, SECItem *der);
-
-/* Extract certain name type from a generalName */
-extern void *CERT_GetGeneralNameByType
-   (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
-
-
-extern CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem);
-
-
-
-
-/****************************************************************************
- *
- * Find extension values of a certificate 
- *
- ***************************************************************************/
-
-extern SECStatus CERT_FindCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindNSCertTypeExtension
-   (CERTCertificate *cert, SECItem *value);
-
-extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
-
-extern SECStatus CERT_FindIssuerCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindCertExtensionByOID
-   (CERTCertificate *cert, SECItem *oid, SECItem *value);
-
-extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
-                                                                int catag);
-
-/* Returns the decoded value of the authKeyID extension.
-**   Note that this uses passed in the arena to allocate storage for the result
-*/
-extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
-
-/* Returns the decoded value of the basicConstraint extension.
- */
-extern SECStatus CERT_FindBasicConstraintExten
-   (CERTCertificate *cert, CERTBasicConstraints *value);
-
-/* Returns the decoded value of the crlDistributionPoints extension.
-**  Note that the arena in cert is used to allocate storage for the result
-*/
-extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
-   (CERTCertificate *cert);
-
-/* Returns value of the keyUsage extension.  This uses PR_Alloc to allocate 
-** buffer for the decoded value. The caller should free up the storage 
-** allocated in value->data.
-*/
-extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, 
-                                                        SECItem *value);
-
-/* Return the decoded value of the subjectKeyID extension. The caller should 
-** free up the storage allocated in retItem->data.
-*/
-extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, 
-                                                           SECItem *retItem);
-
-/*
-** If cert is a v3 certificate, and a critical keyUsage extension is included,
-** then check the usage against the extension value.  If a non-critical 
-** keyUsage extension is included, this will return SECSuccess without 
-** checking, since the extension is an advisory field, not a restriction.  
-** If cert is not a v3 certificate, this will return SECSuccess.
-**      cert - certificate
-**      usage - one of the x.509 v3 the Key Usage Extension flags
-*/
-extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, 
-                                                        unsigned char usage);
-
-/****************************************************************************
- *
- *  CRL v2 Extensions supported routines
- *
- ****************************************************************************/
-
-extern SECStatus CERT_FindCRLExtensionByOID
-   (CERTCrl *crl, SECItem *oid, SECItem *value);
-
-extern SECStatus CERT_FindCRLExtension
-   (CERTCrl *crl, int tag, SECItem *value);
-
-extern SECStatus
-   CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value);
-
-/*
-** Set up a crl for adding X509v3 extensions.  Returns an opaque handle
-** used by routines that take an exthandle (void*) argument .
-**      "crl" is the CRL we are adding extensions to
-*/
-extern void *CERT_StartCRLExtensions(CERTCrl *crl);
-
-/*
-** Set up a crl entry for adding X509v3 extensions.  Returns an opaque handle
-** used by routines that take an exthandle (void*) argument .
-**      "crl" is the crl we are adding certs entries to
-**      "entry" is the crl entry we are adding extensions to
-*/
-extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
-
-extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
-                                                 int what, void *wincx);
-
-/*
-** Finds the crlNumber extension and decodes its value into 'value'
-*/
-extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
-                                          SECItem *value);
-
-extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
-                                               CERTCRLEntryReasonCode *value);
-
-extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
-
-extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
-
-extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
-                                                         CERTCertificate *c2);
-
-/*
-** Generate an array of the Distinguished Names that the given cert database
-** "trusts"
-*/
-extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
-
-extern void CERT_FreeDistNames(CERTDistNames *names);
-
-/* Duplicate distinguished name array */
-extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig);
-
-/*
-** Generate an array of Distinguished names from an array of nicknames
-*/
-extern CERTDistNames *CERT_DistNamesFromNicknames
-   (CERTCertDBHandle *handle, char **nicknames, int nnames);
-
-/*
-** Generate an array of Distinguished names from a list of certs.
-*/
-extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list);
-
-/*
-** Generate a certificate chain from a certificate.
-*/
-extern CERTCertificateList *
-CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
-                       PRBool includeRoot);
-
-extern CERTCertificateList *
-CERT_CertListFromCert(CERTCertificate *cert);
-
-extern CERTCertificateList *
-CERT_DupCertList(const CERTCertificateList * oldList);
-
-extern void CERT_DestroyCertificateList(CERTCertificateList *list);
-
-/*
-** is cert a user cert? i.e. does it have CERTDB_USER trust,
-** i.e. a private key?
-*/
-PRBool CERT_IsUserCert(CERTCertificate* cert);
-
-/* is cert a newer than cert b? */
-PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
-
-/* currently a stub for address book */
-PRBool
-CERT_IsCertRevoked(CERTCertificate *cert);
-
-void
-CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
-
-/* convert an email address to lower case */
-char *CERT_FixupEmailAddr(const char *emailAddr);
-
-/* decode string representation of trust flags into trust struct */
-SECStatus
-CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts);
-
-/* encode trust struct into string representation of trust flags */
-char *
-CERT_EncodeTrustString(CERTCertTrust *trust);
-
-/* find the next or prev cert in a subject list */
-CERTCertificate *
-CERT_PrevSubjectCert(CERTCertificate *cert);
-CERTCertificate *
-CERT_NextSubjectCert(CERTCertificate *cert);
-
-/*
- * import a collection of certs into the temporary or permanent cert
- * database
- */
-SECStatus
-CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
-                 unsigned int ncerts, SECItem **derCerts,
-                 CERTCertificate ***retCerts, PRBool keepCerts,
-                 PRBool caOnly, char *nickname);
-
-char *
-CERT_MakeCANickname(CERTCertificate *cert);
-
-PRBool
-CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
-
-PRBool
-CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
-
-PRBool
-CERT_IsRootDERCert(SECItem *derCert);
-
-SECStatus
-CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
-                      SECItem *profileTime);
-
-/*
- * find the smime symmetric capabilities profile for a given cert
- */
-SECItem *
-CERT_FindSMimeProfile(CERTCertificate *cert);
-
-SECStatus
-CERT_AddNewCerts(CERTCertDBHandle *handle);
-
-CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
-
-void
-CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
-
-CERTCertificatePolicyMappings *
-CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
-
-SECStatus
-CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
-
-SECStatus
-CERT_DecodePolicyConstraintsExtension(
-    CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue);
-
-SECStatus CERT_DecodeInhibitAnyExtension
-    (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
-
-CERTUserNotice *
-CERT_DecodeUserNotice(SECItem *noticeItem);
-
-extern CERTGeneralName *
-CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
-
-extern CERTNameConstraints *
-CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, 
-                                    SECItem *encodedConstraints);
-
-/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
-extern CERTAuthInfoAccess **
-CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
-                                   SECItem     *encodedExtension);
-
-extern CERTPrivKeyUsagePeriod *
-CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
-
-extern CERTGeneralName *
-CERT_GetNextGeneralName(CERTGeneralName *current);
-
-extern CERTGeneralName *
-CERT_GetPrevGeneralName(CERTGeneralName *current);
-
-CERTNameConstraint *
-CERT_GetNextNameConstraint(CERTNameConstraint *current);
-
-CERTNameConstraint *
-CERT_GetPrevNameConstraint(CERTNameConstraint *current);
-
-void
-CERT_DestroyUserNotice(CERTUserNotice *userNotice);
-
-typedef char * (* CERTPolicyStringCallback)(char *org,
-                                               unsigned long noticeNumber,
-                                               void *arg);
-void
-CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
-
-char *
-CERT_GetCertCommentString(CERTCertificate *cert);
-
-PRBool
-CERT_GovtApprovedBitSet(CERTCertificate *cert);
-
-SECStatus
-CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
-
-CERTCertList *
-CERT_MatchUserCert(CERTCertDBHandle *handle,
-                   SECCertUsage usage,
-                   int nCANames, char **caNames,
-                   void *proto_win);
-
-CERTCertList *
-CERT_NewCertList(void);
-
-void
-CERT_DestroyCertList(CERTCertList *certs);
-
-/* remove the node and free the cert */
-void
-CERT_RemoveCertListNode(CERTCertListNode *node);
-
-SECStatus
-CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
-
-SECStatus
-CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
-
-SECStatus
-CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
-                                                         void *appData);
-
-SECStatus
-CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
-                                                         void *appData);
-
-typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
-                                    CERTCertificate *certb,
-                                    void *arg);
-SECStatus
-CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
-                         CERTSortCallback f, void *arg);
-
-/* callback for CERT_AddCertToListSorted that sorts based on validity
- * period and a given time.
- */
-PRBool
-CERT_SortCBValidity(CERTCertificate *certa,
-                    CERTCertificate *certb,
-                    void *arg);
-
-SECStatus
-CERT_CheckForEvilCert(CERTCertificate *cert);
-
-CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
-
-CERTGeneralName *
-CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
-                                    PRBool includeSubjectCommonName);
-
-/*
- * Creates or adds to a list of all certs with a give subject name, sorted by
- * validity time, newest first.  Invalid certs are considered older than
- * valid certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-                           SECItem *name, PRTime sorttime, PRBool validOnly);
-
-/*
- * remove certs from a list that don't have keyUsage and certType
- * that match the given usage.
- */
-SECStatus
-CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
-                           PRBool ca);
-
-/*
- * check the key usage of a cert against a set of required values
- */
-SECStatus
-CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
-
-/*
- * return required key usage and cert type based on cert usage
- */
-SECStatus
-CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
-                                 PRBool ca,
-                                 unsigned int *retKeyUsage,
-                                 unsigned int *retCertType);
-/*
- * return required trust flags for various cert usages for CAs
- */
-SECStatus
-CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
-                              unsigned int *retFlags,
-                              SECTrustType *retTrustType);
-
-/*
- * Find all user certificates that match the given criteria.
- * 
- *      "handle" - database to search
- *      "usage" - certificate usage to match
- *      "oneCertPerName" - if set then only return the "best" cert per
- *                      name
- *      "validOnly" - only return certs that are curently valid
- *      "proto_win" - window handle passed to pkcs11
- */
-CERTCertList *
-CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
-                          SECCertUsage usage,
-                          PRBool oneCertPerName,
-                          PRBool validOnly,
-                          void *proto_win);
-
-/*
- * Find a user certificate that matchs the given criteria.
- * 
- *      "handle" - database to search
- *      "nickname" - nickname to match
- *      "usage" - certificate usage to match
- *      "validOnly" - only return certs that are curently valid
- *      "proto_win" - window handle passed to pkcs11
- */
-CERTCertificate *
-CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
-                         const char *nickname,
-                         SECCertUsage usage,
-                         PRBool validOnly,
-                         void *proto_win);
-
-/*
- * Filter a list of certificates, removing those certs that do not have
- * one of the named CA certs somewhere in their cert chain.
- *
- *      "certList" - the list of certificates to filter
- *      "nCANames" - number of CA names
- *      "caNames" - array of CA names in string(rfc 1485) form
- *      "usage" - what use the certs are for, this is used when
- *              selecting CA certs
- */
-SECStatus
-CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
-                             char **caNames, SECCertUsage usage);
-
-/*
- * Filter a list of certificates, removing those certs that aren't user certs
- */
-SECStatus
-CERT_FilterCertListForUserCerts(CERTCertList *certList);
-
-/*
- * Collect the nicknames from all certs in a CertList.  If the cert is not
- * valid, append a string to that nickname.
- *
- * "certList" - the list of certificates
- * "expiredString" - the string to append to the nickname of any expired cert
- * "notYetGoodString" - the string to append to the nickname of any cert
- *              that is not yet valid
- */
-CERTCertNicknames *
-CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
-                                 char *notYetGoodString);
-
-/*
- * Extract the nickname from a nickmake string that may have either
- * expiredString or notYetGoodString appended.
- *
- * Args:
- *      "namestring" - the string containing the nickname, and possibly
- *              one of the validity label strings
- *      "expiredString" - the expired validity label string
- *      "notYetGoodString" - the not yet good validity label string
- *
- * Returns the raw nickname
- */
-char *
-CERT_ExtractNicknameString(char *namestring, char *expiredString,
-                           char *notYetGoodString);
-
-/*
- * Given a certificate, return a string containing the nickname, and possibly
- * one of the validity strings, based on the current validity state of the
- * certificate.
- *
- * "arena" - arena to allocate returned string from.  If NULL, then heap
- *      is used.
- * "cert" - the cert to get nickname from
- * "expiredString" - the string to append to the nickname if the cert is
- *              expired.
- * "notYetGoodString" - the string to append to the nickname if the cert is
- *              not yet good.
- */
-char *
-CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
-                                 char *expiredString, char *notYetGoodString);
-
-/*
- * Return the string representation of a DER encoded distinguished name
- * "dername" - The DER encoded name to convert
- */
-char *
-CERT_DerNameToAscii(SECItem *dername);
-
-/*
- * Supported usage values and types:
- *      certUsageSSLClient
- *      certUsageSSLServer
- *      certUsageSSLServerWithStepUp
- *      certUsageEmailSigner
- *      certUsageEmailRecipient
- *      certUsageObjectSigner
- */
-
-CERTCertificate *
-CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
-                      CERTCertOwner owner, SECCertUsage usage,
-                      PRBool preferTrusted, PRTime validTime, PRBool validOnly);
-
-/*
- * Acquire the global lock on the cert database.
- * This lock is currently used for the following operations:
- *      adding or deleting a cert to either the temp or perm databases
- *      converting a temp to perm or perm to temp
- *      changing(maybe just adding?) the trust of a cert
- *      adjusting the reference count of a cert
- */
-void
-CERT_LockDB(CERTCertDBHandle *handle);
-
-/*
- * Free the global cert database lock.
- */
-void
-CERT_UnlockDB(CERTCertDBHandle *handle);
-
-/*
- * Get the certificate status checking configuratino data for
- * the certificate database
- */
-CERTStatusConfig *
-CERT_GetStatusConfig(CERTCertDBHandle *handle);
-
-/*
- * Set the certificate status checking information for the
- * database.  The input structure becomes part of the certificate
- * database and will be freed by calling the 'Destroy' function in
- * the configuration object.
- */
-void
-CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
-
-
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertRefCount(CERTCertificate *cert);
-
-/*
- * Free the cert reference count lock
- */
-void
-CERT_UnlockCertRefCount(CERTCertificate *cert);
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertTrust(CERTCertificate *cert);
-
-/*
- * Free the cert trust lock
- */
-void
-CERT_UnlockCertTrust(CERTCertificate *cert);
-
-/*
- * Digest the cert's subject public key using the specified algorithm.
- * The necessary storage for the digest data is allocated.  If "fill" is
- * non-null, the data is put there, otherwise a SECItem is allocated.
- * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
- * results in a NULL being returned (and an appropriate error set).
- */ 
-extern SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
-                   SECOidTag digestAlg, SECItem *fill);
-
-
-SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
-                        const SECItem* dp, PRTime t, void* wincx);
-
-
-/*
- * Add a CERTNameConstraint to the CERTNameConstraint list
- */
-extern CERTNameConstraint *
-CERT_AddNameConstraint(CERTNameConstraint *list, 
-                       CERTNameConstraint *constraint);
-
-/*
- * Allocate space and copy CERTNameConstraint from src to dest.
- * Arena is used to allocate result(if dest eq NULL) and its members
- * SECItem data.
- */
-extern CERTNameConstraint *
-CERT_CopyNameConstraint(PLArenaPool         *arena, 
-                        CERTNameConstraint  *dest, 
-                        CERTNameConstraint  *src);
-
-/*
- * Verify name against all the constraints relevant to that type of
- * the name.
- */
-extern SECStatus
-CERT_CheckNameSpace(PLArenaPool          *arena,
-                    CERTNameConstraints  *constraints,
-                    CERTGeneralName      *currentName);
-
-/*
- * Extract and allocate the name constraints extension from the CA cert.
- */
-extern SECStatus
-CERT_FindNameConstraintsExten(PLArenaPool      *arena,
-                              CERTCertificate  *cert,
-                              CERTNameConstraints **constraints);
-
-/*
- * Initialize a new GERTGeneralName fields (link)
- */
-extern CERTGeneralName *
-CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type);
-
-/*
- * PKIX extension encoding routines
- */
-extern SECStatus
-CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
-                                      CERTCertificatePolicyConstraints *constr,
-                                      SECItem *dest);
-extern SECStatus
-CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
-                               CERTCertificateInhibitAny *inhibitAny,
-                               SECItem *dest);
-extern SECStatus
-CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
-                                  CERTCertificatePolicyMappings *maps,
-                                  SECItem *dest);
-
-extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
-                                                    CERTAuthInfoAccess **info,
-                                                    SECItem *dest);
-extern SECStatus
-CERT_EncodeUserNotice(PLArenaPool *arena,
-                      CERTUserNotice *notice,
-                      SECItem *dest);
-
-extern SECStatus
-CERT_EncodeDisplayText(PLArenaPool *arena,
-                       SECItem *text,
-                       SECItem *dest);
-
-extern SECStatus
-CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
-                                 CERTPolicyInfo **info,
-                                 SECItem *dest);
-extern SECStatus
-CERT_EncodeNoticeReference(PLArenaPool *arena,
-                           CERTNoticeReference *reference,
-                           SECItem *dest);
-
-/*
- * Returns a pointer to a static structure.
- */
-extern const CERTRevocationFlags*
-CERT_GetPKIXVerifyNistRevocationPolicy(void);
-
-/*
- * Returns a pointer to a static structure.
- */
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledSoftFailurePolicy(void);
-
-/*
- * Returns a pointer to a static structure.
- */
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledHardFailurePolicy(void);
-
-/*
- * Returns a pointer to a static structure.
- */
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPDisabledPolicy(void);
-
-/*
- * Verify a Cert with libpkix
- *  paramsIn control the verification options. If a value isn't specified
- *   in paramsIn, it reverts to the application default.
- *  paramsOut specifies the parameters the caller would like to get back.
- *   the caller may pass NULL, in which case no parameters are returned.
- */
-extern SECStatus CERT_PKIXVerifyCert(
-        CERTCertificate *cert,
-        SECCertificateUsage usages,
-        CERTValInParam *paramsIn,
-        CERTValOutParam *paramsOut,
-        void *wincx);
-
-/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
- * to use libpkix validation engine. The function should be called ones at
- * application initialization time.
- * Function is not thread safe.*/
-extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
-
-/* The function return PR_TRUE if cert validation should use
- * libpkix cert validation engine. */
-extern PRBool CERT_GetUsePKIXForValidation(void);
-
-/*
- * Allocate a parameter container of type CERTRevocationFlags,
- * and allocate the inner arrays of the given sizes.
- * To cleanup call CERT_DestroyCERTRevocationFlags.
- */
-extern CERTRevocationFlags *
-CERT_AllocCERTRevocationFlags(
-    PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
-    PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
-
-/*
- * Destroy the arrays inside flags,
- * and destroy the object pointed to by flags, too.
- */
-extern void
-CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
-
-SEC_END_PROTOS
-
-#endif /* _CERT_H_ */