| Index: nss/lib/certdb/certi.h
|
| diff --git a/nss/lib/certdb/certi.h b/nss/lib/certdb/certi.h
|
| index ff7a7b845f86a1a394919babbcea141ab45f9731..df0d7c5324fe7fc2ada350ac962890338e3e0ab6 100644
|
| --- a/nss/lib/certdb/certi.h
|
| +++ b/nss/lib/certdb/certi.h
|
| @@ -38,8 +38,7 @@ struct OpaqueCRLFieldsStr {
|
|
|
| typedef struct PreAllocatorStr PreAllocator;
|
|
|
| -struct PreAllocatorStr
|
| -{
|
| +struct PreAllocatorStr {
|
| PRSize len;
|
| void* data;
|
| PRSize used;
|
| @@ -56,32 +55,31 @@ struct CRLEntryCacheStr {
|
| CRLEntryCache *prev, *next;
|
| };
|
|
|
| -#define CRL_CACHE_INVALID_CRLS 0x0001 /* this state will be set
|
| - if we have CRL objects with an invalid DER or signature. Can be
|
| - cleared if the invalid objects are deleted from the token */
|
| -#define CRL_CACHE_LAST_FETCH_FAILED 0x0002 /* this state will be set
|
| - if the last CRL fetch encountered an error. Can be cleared if a
|
| - new fetch succeeds */
|
| +#define CRL_CACHE_INVALID_CRLS 0x0001 /* this state will be set
|
| + if we have CRL objects with an invalid DER or signature. Can be
|
| + cleared if the invalid objects are deleted from the token */
|
| +#define CRL_CACHE_LAST_FETCH_FAILED 0x0002 /* this state will be set
|
| + if the last CRL fetch encountered an error. Can be cleared if a
|
| + new fetch succeeds */
|
|
|
| -#define CRL_CACHE_OUT_OF_MEMORY 0x0004 /* this state will be set
|
| - if we don't have enough memory to build the hash table of entries */
|
| +#define CRL_CACHE_OUT_OF_MEMORY 0x0004 /* this state will be set
|
| + if we don't have enough memory to build the hash table of entries */
|
|
|
| typedef enum {
|
| - CRL_OriginToken = 0, /* CRL came from PKCS#11 token */
|
| - CRL_OriginExplicit = 1 /* CRL was explicitly added to the cache, from RAM */
|
| + CRL_OriginToken = 0, /* CRL came from PKCS#11 token */
|
| + CRL_OriginExplicit = 1 /* CRL was explicitly added to the cache, from RAM */
|
| } CRLOrigin;
|
|
|
| typedef enum {
|
| - dpcacheNoEntry = 0, /* no entry found for this SN */
|
| - dpcacheFoundEntry = 1, /* entry found for this SN */
|
| - dpcacheCallerError = 2, /* invalid args */
|
| - dpcacheInvalidCacheError = 3, /* CRL in cache may be bad DER */
|
| - /* or unverified */
|
| - dpcacheEmpty = 4, /* no CRL in cache */
|
| - dpcacheLookupError = 5 /* internal error */
|
| + dpcacheNoEntry = 0, /* no entry found for this SN */
|
| + dpcacheFoundEntry = 1, /* entry found for this SN */
|
| + dpcacheCallerError = 2, /* invalid args */
|
| + dpcacheInvalidCacheError = 3, /* CRL in cache may be bad DER */
|
| + /* or unverified */
|
| + dpcacheEmpty = 4, /* no CRL in cache */
|
| + dpcacheLookupError = 5 /* internal error */
|
| } dpcacheStatus;
|
|
|
| -
|
| struct CachedCrlStr {
|
| CERTSignedCrl* crl;
|
| CRLOrigin origin;
|
| @@ -98,11 +96,11 @@ struct CachedCrlStr {
|
| */
|
| PLHashTable* entries;
|
| PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
|
| - PRBool sigChecked; /* this CRL signature has already been checked */
|
| - PRBool sigValid; /* signature verification status .
|
| - Only meaningful if checked is PR_TRUE . */
|
| - PRBool unbuildable; /* Avoid using assosiated CRL is it fails
|
| - * a decoding step */
|
| + PRBool sigChecked; /* this CRL signature has already been checked */
|
| + PRBool sigValid; /* signature verification status .
|
| + Only meaningful if checked is PR_TRUE . */
|
| + PRBool unbuildable; /* Avoid using assosiated CRL is it fails
|
| + * a decoding step */
|
| };
|
|
|
| /* CRL distribution point cache object
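Review bot: The comment on `sigValid` says it is only meaningful if `checked` is PR_TRUE, but no member named `checked` is visible in this struct; the flag on the line above is `sigChecked`. Since the hunk re-indents these comments anyway, I would change the wording to `Only meaningful if sigChecked is PR_TRUE.` so that nobody reads `sigValid` on an unchecked CRL as a verification result. The `unbuildable` comment has two typos and would read correctly as `Avoid using the associated CRL if it fails a decoding step`. CachedCrlStr begins outside this hunk.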
|
| @@ -116,15 +114,15 @@ struct CRLDPCacheStr {
|
| #else
|
| PRLock* lock;
|
| #endif
|
| - SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
|
| - to the actual cert so the trust can be
|
| - updated on the cert automatically.
|
| - XXX there may be multiple issuer certs,
|
| - with different validity dates. Also
|
| - need to deal with SKID/AKID . See
|
| - bugzilla 217387, 233118 */
|
| + SECItem* issuerDERCert; /* issuer DER cert. Don't hold a reference
|
| + to the actual cert so the trust can be
|
| + updated on the cert automatically.
|
| + XXX there may be multiple issuer certs,
|
| + with different validity dates. Also
|
| + need to deal with SKID/AKID . See
|
| + bugzilla 217387, 233118 */
|
|
|
| - CERTCertDBHandle *dbHandle;
|
| + CERTCertDBHandle* dbHandle;
|
|
|
| SECItem* subject; /* DER of issuer subject */
|
| SECItem* distributionPoint; /* DER of distribution point. This may be
|
| @@ -133,31 +131,31 @@ struct CRLDPCacheStr {
|
| Currently not used. */
|
|
|
| /* array of full CRLs matching this distribution point */
|
| - PRUint32 ncrls; /* total number of CRLs in crls */
|
| - CachedCrl** crls; /* array of all matching CRLs */
|
| + PRUint32 ncrls; /* total number of CRLs in crls */
|
| + CachedCrl** crls; /* array of all matching CRLs */
|
| /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several
|
| issuers. In the future, we'll need to globally recycle the CRL in a
|
| separate list in order to avoid extra lookups, decodes, and copies */
|
|
|
| /* pointers to good decoded CRLs used to build the cache */
|
| - CachedCrl* selected; /* full CRL selected for use in the cache */
|
| + CachedCrl* selected; /* full CRL selected for use in the cache */
|
| #if 0
|
| /* for future use */
|
| PRInt32 numdeltas; /* number of delta CRLs used for the cache */
|
| CachedCrl** deltas; /* delta CRLs used for the cache */
|
| #endif
|
| /* cache invalidity bitflag */
|
| - PRUint16 invalid; /* this state will be set if either
|
| - CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
|
| - In those cases, all certs are considered to have unknown status.
|
| - The invalid state can only be cleared during an update if all
|
| - error states are cleared */
|
| - PRBool refresh; /* manual refresh from tokens has been forced */
|
| - PRBool mustchoose; /* trigger reselection algorithm, for case when
|
| - RAM CRL objects are dropped from the cache */
|
| - PRTime lastfetch; /* time a CRL token fetch was last performed */
|
| - PRTime lastcheck; /* time CRL token objects were last checked for
|
| - existence */
|
| + PRUint16 invalid; /* this state will be set if either
|
| + CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
|
| + In those cases, all certs are considered to have unknown status.
|
| + The invalid state can only be cleared during an update if all
|
| + error states are cleared */
|
| + PRBool refresh; /* manual refresh from tokens has been forced */
|
| + PRBool mustchoose; /* trigger reselection algorithm, for case when
|
| + RAM CRL objects are dropped from the cache */
|
| + PRTime lastfetch; /* time a CRL token fetch was last performed */
|
| + PRTime lastcheck; /* time CRL token objects were last checked for
|
| + existence */
|
| };
|
|
|
| /* CRL issuer cache object
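Review bot: The comment on `invalid` names only CRL_CACHE_INVALID_CRLS and CRL_CACHE_LAST_FETCH_FAILED, while this header also defines CRL_CACHE_OUT_OF_MEMORY (0x0004) in the same flag group. Whether that bit is ever stored in `invalid` is not visible from the header. If it is, the comment should say so, because per this comment a set `invalid` state is what makes all certs report unknown status; something like `set if any CRL_CACHE_* error bit is set` would cover it. CRLDPCacheStr begins outside this hunk.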
|
| @@ -168,7 +166,7 @@ struct CRLDPCacheStr {
|
| */
|
|
|
| struct CRLIssuerCacheStr {
|
| - SECItem* subject; /* DER of issuer subject */
|
| + SECItem* subject; /* DER of issuer subject */
|
| CRLDPCache* dpp;
|
| };
|
|
|
| @@ -194,46 +192,40 @@ SECStatus ShutdownCRLCache(void);
|
| ** null-terminated strings, terminated by a zero-length string.
|
| ** This function is intended to be internal to NSS.
|
| */
|
| -extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
|
| +extern char* cert_GetCertificateEmailAddresses(CERTCertificate* cert);
|
|
|
| /*
|
| * These functions are used to map subjectKeyID extension values to certs
|
| * and to keep track of the checks for user certificates in each slot
|
| */
|
| -SECStatus
|
| -cert_CreateSubjectKeyIDHashTable(void);
|
| +SECStatus cert_CreateSubjectKeyIDHashTable(void);
|
|
|
| -SECStatus
|
| -cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
|
| +SECStatus cert_AddSubjectKeyIDMapping(SECItem* subjKeyID,
|
| + CERTCertificate* cert);
|
|
|
| -SECStatus
|
| -cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
|
| +SECStatus cert_UpdateSubjectKeyIDSlotCheck(SECItem* slotid, int series);
|
|
|
| -int
|
| -cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
|
| +int cert_SubjectKeyIDSlotCheckSeries(SECItem* slotid);
|
|
|
| /*
|
| * Call this function to remove an entry from the mapping table.
|
| */
|
| -SECStatus
|
| -cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
|
| +SECStatus cert_RemoveSubjectKeyIDMapping(SECItem* subjKeyID);
|
|
|
| -SECStatus
|
| -cert_DestroySubjectKeyIDHashTable(void);
|
| +SECStatus cert_DestroySubjectKeyIDHashTable(void);
|
|
|
| -SECItem*
|
| -cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);
|
| +SECItem* cert_FindDERCertBySubjectKeyID(SECItem* subjKeyID);
|
|
|
| /* return maximum length of AVA value based on its type OID tag. */
|
| extern int cert_AVAOidTagToMaxLen(SECOidTag tag);
|
|
|
| /* Make an AVA, allocated from pool, from OID and DER encoded value */
|
| -extern CERTAVA * CERT_CreateAVAFromRaw(PLArenaPool *pool,
|
| - const SECItem * OID, const SECItem * value);
|
| +extern CERTAVA* CERT_CreateAVAFromRaw(PLArenaPool* pool, const SECItem* OID,
|
| + const SECItem* value);
|
|
|
| /* Make an AVA from binary input specified by SECItem */
|
| -extern CERTAVA * CERT_CreateAVAFromSECItem(PLArenaPool *arena, SECOidTag kind,
|
| - int valueType, SECItem *value);
|
| +extern CERTAVA* CERT_CreateAVAFromSECItem(PLArenaPool* arena, SECOidTag kind,
|
| + int valueType, SECItem* value);
|
|
|
| /*
|
| * get a DPCache object for the given issuer subject and dp
|
| @@ -260,10 +252,11 @@ void CERT_MapStanError();
|
| /* Like CERT_VerifyCert, except with an additional argument, flags. The
|
| * flags are defined immediately below.
|
| */
|
| -SECStatus
|
| -cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
|
| - PRBool checkSig, SECCertUsage certUsage, PRTime t,
|
| - PRUint32 flags, void *wincx, CERTVerifyLog *log);
|
| +SECStatus cert_VerifyCertWithFlags(CERTCertDBHandle* handle,
|
| + CERTCertificate* cert, PRBool checkSig,
|
| + SECCertUsage certUsage, PRTime t,
|
| + PRUint32 flags, void* wincx,
|
| + CERTVerifyLog* log);
|
|
|
| /* Use the default settings.
|
| * cert_VerifyCertWithFlags(..., CERT_VERIFYCERT_USE_DEFAULTS, ...) is
|
| @@ -281,15 +274,10 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
|
|
|
| /* Interface function for libpkix cert validation engine:
|
| * cert_verify wrapper. */
|
| -SECStatus
|
| -cert_VerifyCertChainPkix(CERTCertificate *cert,
|
| - PRBool checkSig,
|
| - SECCertUsage requiredUsage,
|
| - PRTime time,
|
| - void *wincx,
|
| - CERTVerifyLog *log,
|
| - PRBool *sigError,
|
| - PRBool *revoked);
|
| +SECStatus cert_VerifyCertChainPkix(CERTCertificate* cert, PRBool checkSig,
|
| + SECCertUsage requiredUsage, PRTime time,
|
| + void* wincx, CERTVerifyLog* log,
|
| + PRBool* sigError, PRBool* revoked);
|
|
|
| SECStatus cert_InitLocks(void);
|
|
|
| @@ -298,17 +286,16 @@ SECStatus cert_DestroyLocks(void);
|
| /*
|
| * fill in nsCertType field of the cert based on the cert extension
|
| */
|
| -extern SECStatus cert_GetCertType(CERTCertificate *cert);
|
| +extern SECStatus cert_GetCertType(CERTCertificate* cert);
|
|
|
| /*
|
| - * compute and return the value of nsCertType for cert, but do not
|
| + * compute and return the value of nsCertType for cert, but do not
|
| * update the CERTCertificate.
|
| */
|
| -extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
|
| +extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);
|
|
|
| -void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
|
| - long errorCode, unsigned int depth,
|
| - void *arg);
|
| +void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,
|
| + long errorCode, unsigned int depth, void* arg);
|
|
|
| /* Insert a DER CRL into the CRL cache, and take ownership of it.
|
| *
|
| @@ -323,7 +310,7 @@ void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
|
| * the same encoding. To facilitate X.500 name matching, a canonicalized
|
| * encoding of the GeneralName should be used, if available.
|
| */
|
| -
|
| +
|
| SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
|
| const SECItem* canonicalizedName);
|
|
|
| @@ -336,15 +323,15 @@ struct NamedCRLCacheStr {
|
| * and read by cert_FindCRLByGeneralName */
|
| struct NamedCRLCacheEntryStr {
|
| SECItem* canonicalizedName;
|
| - SECItem* crl; /* DER, kept only if CRL
|
| - * is successfully cached */
|
| + SECItem* crl; /* DER, kept only if CRL
|
| + * is successfully cached */
|
| PRBool inCRLCache;
|
| PRTime successfulInsertionTime; /* insertion time */
|
| PRTime lastAttemptTime; /* time of last call to
|
| cert_CacheCRLByGeneralName with this name */
|
| - PRBool badDER; /* ASN.1 error */
|
| - PRBool dupe; /* matching DER CRL already in CRL cache */
|
| - PRBool unsupported; /* IDP, delta, any other reason */
|
| + PRBool badDER; /* ASN.1 error */
|
| + PRBool dupe; /* matching DER CRL already in CRL cache */
|
| + PRBool unsupported; /* IDP, delta, any other reason */
|
| };
|
|
|
| typedef enum {
|
| @@ -355,12 +342,12 @@ typedef enum {
|
|
|
| /* Returns detailed status of the cert(revStatus variable). Tells if
|
| * issuer cache has OriginFetchedWithTimeout crl in it. */
|
| -SECStatus
|
| -cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
|
| - const SECItem* dp, PRTime t, void *wincx,
|
| - CERTRevocationStatus *revStatus,
|
| - CERTCRLEntryReasonCode *revReason);
|
| -
|
| +SECStatus cert_CheckCertRevocationStatus(CERTCertificate* cert,
|
| + CERTCertificate* issuer,
|
| + const SECItem* dp, PRTime t,
|
| + void* wincx,
|
| + CERTRevocationStatus* revStatus,
|
| + CERTCRLEntryReasonCode* revReason);
|
|
|
| SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned);
|
|
|
| @@ -374,26 +361,21 @@ SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
|
| SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc);
|
|
|
| /* This is private for now. Maybe shoule be public. */
|
| -CERTGeneralName *
|
| -cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena);
|
| +CERTGeneralName* cert_GetSubjectAltNameList(const CERTCertificate* cert,
|
| + PLArenaPool* arena);
|
|
|
| /* Count DNS names and IP addresses in a list of GeneralNames */
|
| -PRUint32
|
| -cert_CountDNSPatterns(CERTGeneralName *firstName);
|
| +PRUint32 cert_CountDNSPatterns(CERTGeneralName* firstName);
|
|
|
| /*
|
| * returns the trust status of the leaf certificate based on usage.
|
| - * If the leaf is explicitly untrusted, this function will fail and
|
| + * If the leaf is explicitly untrusted, this function will fail and
|
| * failedFlags will be set to the trust bit value that lead to the failure.
|
| - * If the leaf is trusted, isTrusted is set to true and the function returns
|
| - * SECSuccess. This function does not check if the cert is fit for a
|
| + * If the leaf is trusted, isTrusted is set to true and the function returns
|
| + * SECSuccess. This function does not check if the cert is fit for a
|
| * particular usage.
|
| */
|
| -SECStatus
|
| -cert_CheckLeafTrust(CERTCertificate *cert,
|
| - SECCertUsage usage,
|
| - unsigned int *failedFlags,
|
| - PRBool *isTrusted);
|
| +SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage,
|
| + unsigned int* failedFlags, PRBool* isTrusted);
|
|
|
| #endif /* _CERTI_H_ */
|
| -
|
|
|