Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(7)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: nss/lib/certdb/cert.h

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « nss/lib/certdb/alg1485.c ('k') | nss/lib/certdb/certdb.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 /*
6 * cert.h - public data structures and prototypes for the certificate library
7 */
8
9 #ifndef _CERT_H_
10 #define _CERT_H_
11
12 #include "utilrename.h"
13 #include "plarena.h"
14 #include "plhash.h"
15 #include "prlong.h"
16 #include "prlog.h"
17
18 #include "seccomon.h"
19 #include "secdert.h"
20 #include "secoidt.h"
21 #include "keyt.h"
22 #include "certt.h"
23
24 SEC_BEGIN_PROTOS
25
26 /****************************************************************************
27 *
28 * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
29 *
30 ****************************************************************************/
31
32 /*
33 ** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
34 */
35 extern CERTName *CERT_AsciiToName(const char *string);
36
37 /*
38 ** Convert an CERTName into its RFC1485 encoded equivalent.
39 ** Returns a string that must be freed with PORT_Free().
40 ** This version produces a string for maximum human readability,
41 ** not for strict RFC compliance.
42 */
43 extern char *CERT_NameToAscii(CERTName *name);
44
45 /*
46 ** Convert an CERTName into its RFC1485 encoded equivalent.
47 ** Returns a string that must be freed with PORT_Free().
48 ** Caller chooses encoding rules.
49 */
50 extern char *CERT_NameToAsciiInvertible(CERTName *name,
51 CertStrictnessLevel strict);
52
53 extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
54
55 /* convert an OID to dotted-decimal representation */
56 /* Returns a string that must be freed with PR_smprintf_free(). */
57 extern char *CERT_GetOidString(const SECItem *oid);
58
59 /*
60 ** Examine an AVA and return the tag that refers to it. The AVA tags are
61 ** defined as SEC_OID_AVA*.
62 */
63 extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
64
65 /*
66 ** Compare two AVA's, returning the difference between them.
67 */
68 extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
69
70 /*
71 ** Create an RDN (relative-distinguished-name). The argument list is a
72 ** NULL terminated list of AVA's.
73 */
74 extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
75
76 /*
77 ** Make a copy of "src" storing it in "dest".
78 */
79 extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
80
81 /*
82 ** Add an AVA to an RDN.
83 ** "rdn" the RDN to add to
84 ** "ava" the AVA to add
85 */
86 extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
87
88 /*
89 ** Compare two RDN's, returning the difference between them.
90 */
91 extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b);
92
93 /*
94 ** Create an X.500 style name using a NULL terminated list of RDN's.
95 */
96 extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
97
98 /*
99 ** Make a copy of "src" storing it in "dest". Memory is allocated in
100 ** "dest" for each of the appropriate sub objects. Memory is not freed in
101 ** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
102 ** do that).
103 */
104 extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
105 const CERTName *src);
106
107 /*
108 ** Destroy a Name object.
109 ** "name" the CERTName to destroy
110 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
111 */
112 extern void CERT_DestroyName(CERTName *name);
113
114 /*
115 ** Add an RDN to a name.
116 ** "name" the name to add the RDN to
117 ** "rdn" the RDN to add to name
118 */
119 extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
120
121 /*
122 ** Compare two names, returning the difference between them.
123 */
124 extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);
125
126 /*
127 ** Convert a CERTName into something readable
128 */
129 extern char *CERT_FormatName(CERTName *name);
130
131 /*
132 ** Convert a der-encoded integer to a hex printable string form.
133 ** Perhaps this should be a SEC function but it's only used for certs.
134 */
135 extern char *CERT_Hexify(SECItem *i, int do_colon);
136
137 /*
138 ** Converts DER string (with explicit length) into zString, if destination
139 ** buffer is big enough to receive it. Does quoting and/or escaping as
140 ** specified in RFC 1485. Input string must be single or multi-byte DER
141 ** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set.
142 ** Returns SECSuccess or SECFailure with error code set. If output buffer
143 ** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
144 */
145 extern SECStatus CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src,
146 int srclen);
147
148 /******************************************************************************
149 *
150 * Certificate handling operations
151 *
152 *****************************************************************************/
153
154 /*
155 ** Create a new validity object given two unix time values.
156 ** "notBefore" the time before which the validity is not valid
157 ** "notAfter" the time after which the validity is not valid
158 */
159 extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
160
161 /*
162 ** Destroy a validity object.
163 ** "v" the validity to destroy
164 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
165 */
166 extern void CERT_DestroyValidity(CERTValidity *v);
167
168 /*
169 ** Copy the "src" object to "dest". Memory is allocated in "dest" for
170 ** each of the appropriate sub-objects. Memory in "dest" is not freed
171 ** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
172 ** that).
173 */
174 extern SECStatus CERT_CopyValidity(PLArenaPool *arena, CERTValidity *dest,
175 CERTValidity *src);
176
177 /*
178 ** The cert lib considers a cert or CRL valid if the "notBefore" time is
179 ** in the not-too-distant future, e.g. within the next 24 hours. This
180 ** prevents freshly issued certificates from being considered invalid
181 ** because the local system's time zone is incorrectly set.
182 ** The amount of "pending slop time" is adjustable by the application.
183 ** Units of SlopTime are seconds. Default is 86400 (24 hours).
184 ** Negative SlopTime values are not allowed.
185 */
186 PRInt32 CERT_GetSlopTime(void);
187
188 SECStatus CERT_SetSlopTime(PRInt32 slop);
189
190 /*
191 ** Create a new certificate object. The result must be wrapped with an
192 ** CERTSignedData to create a signed certificate.
193 ** "serialNumber" the serial number
194 ** "issuer" the name of the certificate issuer
195 ** "validity" the validity period of the certificate
196 ** "req" the certificate request that prompted the certificate issuance
197 */
198 extern CERTCertificate *CERT_CreateCertificate(unsigned long serialNumber,
199 CERTName *issuer,
200 CERTValidity *validity,
201 CERTCertificateRequest *req);
202
203 /*
204 ** Destroy a certificate object
205 ** "cert" the certificate to destroy
206 ** NOTE: certificate's are reference counted. This call decrements the
207 ** reference count, and if the result is zero, then the object is destroyed
208 ** and optionally freed.
209 */
210 extern void CERT_DestroyCertificate(CERTCertificate *cert);
211
212 /*
213 ** Make a shallow copy of a certificate "c". Just increments the
214 ** reference count on "c".
215 */
216 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
217
218 /*
219 ** Create a new certificate request. This result must be wrapped with an
220 ** CERTSignedData to create a signed certificate request.
221 ** "name" the subject name (who the certificate request is from)
222 ** "spki" describes/defines the public key the certificate is for
223 ** "attributes" if non-zero, some optional attribute data
224 */
225 extern CERTCertificateRequest *CERT_CreateCertificateRequest(
226 CERTName *name, CERTSubjectPublicKeyInfo *spki, SECItem **attributes);
227
228 /*
229 ** Destroy a certificate-request object
230 ** "r" the certificate-request to destroy
231 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
232 */
233 extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
234
235 /*
236 ** Start adding extensions to a certificate request.
237 */
238 void *CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
239
240 /*
241 ** Reformat the certificate extension list into a CertificateRequest
242 ** attribute list.
243 */
244 SECStatus CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
245
246 /*
247 ** Extract the Extension Requests from a DER CertRequest attribute list.
248 */
249 SECStatus CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
250 CERTCertExtension ***exts);
251
252 /*
253 ** Extract a public key object from a certificate
254 */
255 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
256
257 /*
258 ** Retrieve the Key Type associated with the cert we're dealing with
259 */
260
261 extern KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki);
262
263 /*
264 ** Initialize the certificate database. This is called to create
265 ** the initial list of certificates in the database.
266 */
267 extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
268
269 extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
270
271 /*
272 ** Default certificate database routines
273 */
274 extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
275
276 extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
277
278 extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
279 PRTime time, SECCertUsage usage);
280 extern CERTCertificate *CERT_NewTempCertificate(CERTCertDBHandle *handle,
281 SECItem *derCert,
282 char *nickname, PRBool isperm,
283 PRBool copyDER);
284
285 /******************************************************************************
286 *
287 * X.500 Name handling operations
288 *
289 *****************************************************************************/
290
291 /*
292 ** Create an AVA (attribute-value-assertion)
293 ** "arena" the memory arena to alloc from
294 ** "kind" is one of SEC_OID_AVA_*
295 ** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
296 ** DER_T61_STRING
297 ** "value" is the null terminated string containing the value
298 */
299 extern CERTAVA *CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind,
300 int valueType, char *value);
301
302 /*
303 ** Extract the Distinguished Name from a DER encoded certificate
304 ** "derCert" is the DER encoded certificate
305 ** "derName" is the SECItem that the name is returned in
306 */
307 extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
308
309 /*
310 ** Extract the Issuers Distinguished Name from a DER encoded certificate
311 ** "derCert" is the DER encoded certificate
312 ** "derName" is the SECItem that the name is returned in
313 */
314 extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName);
315
316 extern SECItem *CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
317 PLArenaPool *arena);
318
319 extern CERTGeneralName *CERT_DecodeGeneralName(PLArenaPool *reqArena,
320 SECItem *encodedName,
321 CERTGeneralName *genName);
322
323 /*
324 ** Generate a database search key for a certificate, based on the
325 ** issuer and serial number.
326 ** "arena" the memory arena to alloc from
327 ** "derCert" the DER encoded certificate
328 ** "key" the returned key
329 */
330 extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
331 SECItem *key);
332
333 extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
334 SECItem *sn, SECItem *key);
335
336 extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
337 SECItem *derName);
338
339 /*
340 ** Generate a database search key for a crl, based on the
341 ** issuer.
342 ** "arena" the memory arena to alloc from
343 ** "derCrl" the DER encoded crl
344 ** "key" the returned key
345 */
346 extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl,
347 SECItem *key);
348
349 /*
350 ** Open the certificate database. Use callback to get name of database.
351 */
352 extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
353 CERTDBNameFunc namecb, void *cbarg);
354
355 /* Open the certificate database. Use given filename for database. */
356 extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
357 char *certdbname, PRBool readOnly);
358
359 /*
360 ** Open and initialize a cert database that is entirely in memory. This
361 ** can be used when the permanent database can not be opened or created.
362 */
363 extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
364
365 /*
366 ** Extract the list of host names, host name patters, IP address strings
367 ** this cert is valid for.
368 ** This function does NOT return nicknames.
369 ** Type CERTCertNicknames is being used because it's a convenient
370 ** data structure to carry a list of strings and its count.
371 */
372 extern CERTCertNicknames *CERT_GetValidDNSPatternsFromCert(
373 CERTCertificate *cert);
374
375 /*
376 ** Check the hostname to make sure that it matches the shexp that
377 ** is given in the common name of the certificate.
378 */
379 extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
380 const char *hostname);
381
382 /*
383 ** Add a domain name to the list of names that the user has explicitly
384 ** allowed (despite cert name mismatches) for use with a server cert.
385 */
386 extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert,
387 const char *hostname);
388
389 /*
390 ** Decode a DER encoded certificate into an CERTCertificate structure
391 ** "derSignedCert" is the DER encoded signed certificate
392 ** "copyDER" is true if the DER should be copied, false if the
393 ** existing copy should be referenced
394 ** "nickname" is the nickname to use in the database. If it is NULL
395 ** then a temporary nickname is generated.
396 */
397 extern CERTCertificate *CERT_DecodeDERCertificate(SECItem *derSignedCert,
398 PRBool copyDER,
399 char *nickname);
400 /*
401 ** Decode a DER encoded CRL into a CERTSignedCrl structure
402 ** "derSignedCrl" is the DER encoded signed CRL.
403 ** "type" must be SEC_CRL_TYPE.
404 */
405 #define SEC_CRL_TYPE 1
406 #define SEC_KRL_TYPE 0 /* deprecated */
407
408 extern CERTSignedCrl *CERT_DecodeDERCrl(PLArenaPool *arena,
409 SECItem *derSignedCrl, int type);
410
411 /*
412 * same as CERT_DecodeDERCrl, plus allow options to be passed in
413 */
414
415 extern CERTSignedCrl *CERT_DecodeDERCrlWithFlags(PLArenaPool *narena,
416 SECItem *derSignedCrl,
417 int type, PRInt32 options);
418
419 /* CRL options to pass */
420
421 #define CRL_DECODE_DEFAULT_OPTIONS 0x00000000
422
423 /* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
424 application must then keep derSignedCrl until it destroys the
425 CRL . Ideally, it should allocate derSignedCrl in an arena
426 and pass that arena in as the first argument to
427 CERT_DecodeDERCrlWithFlags */
428
429 #define CRL_DECODE_DONT_COPY_DER 0x00000001
430 #define CRL_DECODE_SKIP_ENTRIES 0x00000002
431 #define CRL_DECODE_KEEP_BAD_CRL 0x00000004
432 #define CRL_DECODE_ADOPT_HEAP_DER 0x00000008
433
434 /* complete the decoding of a partially decoded CRL, ie. decode the
435 entries. Note that entries is an optional field in a CRL, so the
436 "entries" pointer in CERTCrlStr may still be NULL even after
437 function returns SECSuccess */
438
439 extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl *crl);
440
441 /* Validate CRL then import it to the dbase. If there is already a CRL with the
442 * same CA in the dbase, it will be replaced if derCRL is more up to date.
443 * If the process successes, a CRL will be returned. Otherwise, a NULL will
444 * be returned. The caller should call PORT_GetError() for the exactly error
445 * code.
446 */
447 extern CERTSignedCrl *CERT_ImportCRL(CERTCertDBHandle *handle, SECItem *derCRL,
448 char *url, int type, void *wincx);
449
450 extern void CERT_DestroyCrl(CERTSignedCrl *crl);
451
452 /* this is a hint to flush the CRL cache. crlKey is the DER subject of
453 the issuer (CA). */
454 void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle *dbhandle, SECItem *crlKey);
455
456 /* add the specified DER CRL object to the CRL cache. Doing so will allow
457 certificate verification functions (such as CERT_VerifyCertificate)
458 to automatically find and make use of this CRL object.
459 Once a CRL is added to the CRL cache, the application must hold on to
460 the object's memory, because the cache will reference it directly. The
461 application can only free the object after it calls CERT_UncacheCRL to
462 remove it from the CRL cache.
463 */
464 SECStatus CERT_CacheCRL(CERTCertDBHandle *dbhandle, SECItem *newcrl);
465
466 /* remove a previously added CRL object from the CRL cache. It is OK
467 for the application to free the memory after a successful removal
468 */
469 SECStatus CERT_UncacheCRL(CERTCertDBHandle *dbhandle, SECItem *oldcrl);
470
471 /*
472 ** Find a certificate in the database
473 ** "key" is the database key to look for
474 */
475 extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle,
476 SECItem *key);
477
478 /*
479 ** Find a certificate in the database by name
480 ** "name" is the distinguished name to look up
481 */
482 extern CERTCertificate *CERT_FindCertByName(CERTCertDBHandle *handle,
483 SECItem *name);
484
485 /*
486 ** Find a certificate in the database by name
487 ** "name" is the distinguished name to look up (in ascii)
488 */
489 extern CERTCertificate *CERT_FindCertByNameString(CERTCertDBHandle *handle,
490 char *name);
491
492 /*
493 ** Find a certificate in the database by name and keyid
494 ** "name" is the distinguished name to look up
495 ** "keyID" is the value of the subjectKeyID to match
496 */
497 extern CERTCertificate *CERT_FindCertByKeyID(CERTCertDBHandle *handle,
498 SECItem *name, SECItem *keyID);
499
500 /*
501 ** Generate a certificate key from the issuer and serialnumber, then look it
502 ** up in the database. Return the cert if found.
503 ** "issuerAndSN" is the issuer and serial number to look for
504 */
505 extern CERTCertificate *CERT_FindCertByIssuerAndSN(
506 CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
507
508 /*
509 ** Find a certificate in the database by a subject key ID
510 ** "subjKeyID" is the subject Key ID to look for
511 */
512 extern CERTCertificate *CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle,
513 SECItem *subjKeyID);
514
515 /*
516 ** Encode Certificate SKID (Subject Key ID) extension.
517 **
518 */
519 extern SECStatus CERT_EncodeSubjectKeyID(PLArenaPool *arena,
520 const SECItem *srcString,
521 SECItem *encodedValue);
522
523 /*
524 ** Find a certificate in the database by a nickname
525 ** "nickname" is the ascii string nickname to look for
526 */
527 extern CERTCertificate *CERT_FindCertByNickname(CERTCertDBHandle *handle,
528 const char *nickname);
529
530 /*
531 ** Find a certificate in the database by a DER encoded certificate
532 ** "derCert" is the DER encoded certificate
533 */
534 extern CERTCertificate *CERT_FindCertByDERCert(CERTCertDBHandle *handle,
535 SECItem *derCert);
536
537 /*
538 ** Find a certificate in the database by a email address
539 ** "emailAddr" is the email address to look up
540 */
541 CERTCertificate *CERT_FindCertByEmailAddr(CERTCertDBHandle *handle,
542 char *emailAddr);
543
544 /*
545 ** Find a certificate in the database by a email address or nickname
546 ** "name" is the email address or nickname to look up
547 */
548 CERTCertificate *CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle,
549 const char *name);
550
551 /*
552 ** Find a certificate in the database by a email address or nickname
553 ** and require it to have the given usage.
554 ** "name" is the email address or nickname to look up
555 */
556 CERTCertificate *CERT_FindCertByNicknameOrEmailAddrForUsage(
557 CERTCertDBHandle *handle, const char *name, SECCertUsage lookingForUsage);
558
559 /*
560 ** Find a certificate in the database by a digest of a subject public key
561 ** "spkDigest" is the digest to look up
562 */
563 extern CERTCertificate *CERT_FindCertBySPKDigest(CERTCertDBHandle *handle,
564 SECItem *spkDigest);
565
566 /*
567 * Find the issuer of a cert
568 */
569 CERTCertificate *CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime,
570 SECCertUsage usage);
571
572 /*
573 ** Check the validity times of a certificate vs. time 't', allowing
574 ** some slop for broken clocks and stuff.
575 ** "cert" is the certificate to be checked
576 ** "t" is the time to check against
577 ** "allowOverride" if true then check to see if the invalidity has
578 ** been overridden by the user.
579 */
580 extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
581 PRTime t,
582 PRBool allowOverride);
583
584 /*
585 ** WARNING - this function is deprecated, and will either go away or have
586 ** a new API in the near future.
587 **
588 ** Check the validity times of a certificate vs. the current time, allowing
589 ** some slop for broken clocks and stuff.
590 ** "cert" is the certificate to be checked
591 */
592 extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
593
594 /*
595 ** Extract the validity times from a certificate
596 ** "c" is the certificate
597 ** "notBefore" is the start of the validity period
598 ** "notAfter" is the end of the validity period
599 */
600 extern SECStatus CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore,
601 PRTime *notAfter);
602
603 /*
604 ** Extract the issuer and serial number from a certificate
605 */
606 extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *,
607 CERTCertificate *);
608
609 /*
610 ** verify the signature of a signed data object with a given certificate
611 ** "sd" the signed data object to be verified
612 ** "cert" the certificate to use to check the signature
613 */
614 extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
615 CERTCertificate *cert, PRTime t,
616 void *wincx);
617 /*
618 ** verify the signature of a signed data object with the given DER publickey
619 */
620 extern SECStatus CERT_VerifySignedDataWithPublicKeyInfo(
621 CERTSignedData *sd, CERTSubjectPublicKeyInfo *pubKeyInfo, void *wincx);
622
623 /*
624 ** verify the signature of a signed data object with a SECKEYPublicKey.
625 */
626 extern SECStatus CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
627 SECKEYPublicKey *pubKey,
628 void *wincx);
629
630 /*
631 ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
632 ** verify a certificate by checking validity times against a certain time,
633 ** that we trust the issuer, and that the signature on the certificate is
634 ** valid.
635 ** "cert" the certificate to verify
636 ** "checkSig" only check signatures if true
637 */
638 extern SECStatus CERT_VerifyCertificate(CERTCertDBHandle *handle,
639 CERTCertificate *cert, PRBool checkSig,
640 SECCertificateUsage requiredUsages,
641 PRTime t, void *wincx,
642 CERTVerifyLog *log,
643 SECCertificateUsage *returnedUsages);
644
645 /* same as above, but uses current time */
646 extern SECStatus CERT_VerifyCertificateNow(CERTCertDBHandle *handle,
647 CERTCertificate *cert,
648 PRBool checkSig,
649 SECCertificateUsage requiredUsages,
650 void *wincx,
651 SECCertificateUsage *returnedUsages);
652
653 /*
654 ** Verify that a CA cert can certify some (unspecified) leaf cert for a given
655 ** purpose. This is used by UI code to help identify where a chain may be
656 ** broken and why. This takes identical parameters to CERT_VerifyCert
657 */
658 extern SECStatus CERT_VerifyCACertForUsage(CERTCertDBHandle *handle,
659 CERTCertificate *cert,
660 PRBool checkSig,
661 SECCertUsage certUsage, PRTime t,
662 void *wincx, CERTVerifyLog *log);
663
664 /*
665 ** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
666 ** verify a certificate by checking validity times against a certain time,
667 ** that we trust the issuer, and that the signature on the certificate is
668 ** valid.
669 ** "cert" the certificate to verify
670 ** "checkSig" only check signatures if true
671 */
672 extern SECStatus CERT_VerifyCert(CERTCertDBHandle *handle,
673 CERTCertificate *cert, PRBool checkSig,
674 SECCertUsage certUsage, PRTime t, void *wincx,
675 CERTVerifyLog *log);
676
677 /* same as above, but uses current time */
678 extern SECStatus CERT_VerifyCertNow(CERTCertDBHandle *handle,
679 CERTCertificate *cert, PRBool checkSig,
680 SECCertUsage certUsage, void *wincx);
681
682 SECStatus CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
683 PRBool checkSig, SECCertUsage certUsage,
684 PRTime t, void *wincx, CERTVerifyLog *log);
685
686 /*
687 ** Read a base64 ascii encoded DER certificate and convert it to our
688 ** internal format.
689 ** "certstr" is a null-terminated string containing the certificate
690 */
691 extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
692
693 /*
694 ** Read a certificate in some foreign format, and convert it to our
695 ** internal format.
696 ** "certbuf" is the buffer containing the certificate
697 ** "certlen" is the length of the buffer
698 ** NOTE - currently supports netscape base64 ascii encoded raw certs
699 ** and netscape binary DER typed files.
700 */
701 extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
702
703 extern SECStatus CERT_ImportCAChain(SECItem *certs, int numcerts,
704 SECCertUsage certUsage);
705
706 extern SECStatus CERT_ImportCAChainTrusted(SECItem *certs, int numcerts,
707 SECCertUsage certUsage);
708
709 /*
710 ** Read a certificate chain in some foreign format, and pass it to a
711 ** callback function.
712 ** "certbuf" is the buffer containing the certificate
713 ** "certlen" is the length of the buffer
714 ** "f" is the callback function
715 ** "arg" is the callback argument
716 */
717 typedef SECStatus(PR_CALLBACK *CERTImportCertificateFunc)(void *arg,
718 SECItem **certs,
719 int numcerts);
720
721 extern SECStatus CERT_DecodeCertPackage(char *certbuf, int certlen,
722 CERTImportCertificateFunc f, void *arg);
723
724 /*
725 ** Returns the value of an AVA. This was a formerly static
726 ** function that has been exposed due to the need to decode
727 ** and convert unicode strings to UTF8.
728 **
729 ** XXX This function resides in certhtml.c, should it be
730 ** moved elsewhere?
731 */
732 extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
733
734 /*
735 ** extract various element strings from a distinguished name.
736 ** "name" the distinguished name
737 */
738
739 extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
740
741 extern char *CERT_GetCertEmailAddress(const CERTName *name);
742
743 extern const char *CERT_GetFirstEmailAddress(CERTCertificate *cert);
744
745 extern const char *CERT_GetNextEmailAddress(CERTCertificate *cert,
746 const char *prev);
747
748 /* The return value must be freed with PORT_Free. */
749 extern char *CERT_GetCommonName(const CERTName *name);
750
751 extern char *CERT_GetCountryName(const CERTName *name);
752
753 extern char *CERT_GetLocalityName(const CERTName *name);
754
755 extern char *CERT_GetStateName(const CERTName *name);
756
757 extern char *CERT_GetOrgName(const CERTName *name);
758
759 extern char *CERT_GetOrgUnitName(const CERTName *name);
760
761 extern char *CERT_GetDomainComponentName(const CERTName *name);
762
763 extern char *CERT_GetCertUid(const CERTName *name);
764
765 /* manipulate the trust parameters of a certificate */
766
767 extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
768 CERTCertTrust *trust);
769
770 extern SECStatus CERT_ChangeCertTrust(CERTCertDBHandle *handle,
771 CERTCertificate *cert,
772 CERTCertTrust *trust);
773
774 extern SECStatus CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
775 CERTCertificate *cert,
776 SECCertUsage usage);
777
778 /*************************************************************************
779 *
780 * manipulate the extensions of a certificate
781 *
782 ************************************************************************/
783
784 /*
785 ** Set up a cert for adding X509v3 extensions. Returns an opaque handle
786 ** used by the next two routines.
787 ** "cert" is the certificate we are adding extensions to
788 */
789 extern void *CERT_StartCertExtensions(CERTCertificate *cert);
790
791 /*
792 ** Add an extension to a certificate.
793 ** "exthandle" is the handle returned by the previous function
794 ** "idtag" is the integer tag for the OID that should ID this extension
795 ** "value" is the value of the extension
796 ** "critical" is the critical extension flag
797 ** "copyData" is a flag indicating whether the value data should be
798 ** copied.
799 */
800 extern SECStatus CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
801 PRBool critical, PRBool copyData);
802
803 extern SECStatus CERT_AddExtensionByOID(void *exthandle, SECItem *oid,
804 SECItem *value, PRBool critical,
805 PRBool copyData);
806
807 extern SECStatus CERT_EncodeAndAddExtension(void *exthandle, int idtag,
808 void *value, PRBool critical,
809 const SEC_ASN1Template *atemplate);
810
811 extern SECStatus CERT_EncodeAndAddBitStrExtension(void *exthandle, int idtag,
812 SECItem *value,
813 PRBool critical);
814
815 extern SECStatus CERT_EncodeAltNameExtension(PLArenaPool *arena,
816 CERTGeneralName *value,
817 SECItem *encodedValue);
818
819 /*
820 ** Finish adding cert extensions. Does final processing on extension
821 ** data, putting it in the right format, and freeing any temporary
822 ** storage.
823 ** "exthandle" is the handle used to add extensions to a certificate
824 */
825 extern SECStatus CERT_FinishExtensions(void *exthandle);
826
827 /*
828 ** Merge an external list of extensions into a cert's extension list, adding one
829 ** only when its OID matches none of the cert's existing extensions. Call this
830 ** immediately before calling CERT_FinishExtensions().
831 */
832 SECStatus CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
833
834 /* If the extension is found, return its criticality and value.
835 ** This allocate storage for the returning extension value.
836 */
837 extern SECStatus CERT_GetExtenCriticality(CERTCertExtension **extensions,
838 int tag, PRBool *isCritical);
839
840 extern void CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
841
842 /****************************************************************************
843 *
844 * DER encode and decode extension values
845 *
846 ****************************************************************************/
847
848 /* Encode the value of the basicConstraint extension.
849 ** arena - where to allocate memory for the encoded value.
850 ** value - extension value to encode
851 ** encodedValue - output encoded value
852 */
853 extern SECStatus CERT_EncodeBasicConstraintValue(PLArenaPool *arena,
854 CERTBasicConstraints *value,
855 SECItem *encodedValue);
856
857 /*
858 ** Encode the value of the authorityKeyIdentifier extension.
859 */
860 extern SECStatus CERT_EncodeAuthKeyID(PLArenaPool *arena, CERTAuthKeyID *value,
861 SECItem *encodedValue);
862
863 /*
864 ** Encode the value of the crlDistributionPoints extension.
865 */
866 extern SECStatus CERT_EncodeCRLDistributionPoints(
867 PLArenaPool *arena, CERTCrlDistributionPoints *value, SECItem *derValue);
868
869 /*
870 ** Decodes a DER encoded basicConstaint extension value into a readable format
871 ** value - decoded value
872 ** encodedValue - value to decoded
873 */
874 extern SECStatus CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value,
875 const SECItem *encodedValue);
876
877 /* Decodes a DER encoded authorityKeyIdentifier extension value into a
878 ** readable format.
879 ** arena - where to allocate memory for the decoded value
880 ** encodedValue - value to be decoded
881 ** Returns a CERTAuthKeyID structure which contains the decoded value
882 */
883 extern CERTAuthKeyID *CERT_DecodeAuthKeyID(PLArenaPool *arena,
884 const SECItem *encodedValue);
885
886 /* Decodes a DER encoded crlDistributionPoints extension value into a
887 ** readable format.
888 ** arena - where to allocate memory for the decoded value
889 ** der - value to be decoded
890 ** Returns a CERTCrlDistributionPoints structure which contains the
891 ** decoded value
892 */
893 extern CERTCrlDistributionPoints *CERT_DecodeCRLDistributionPoints(
894 PLArenaPool *arena, SECItem *der);
895
896 /* Extract certain name type from a generalName */
897 extern void *CERT_GetGeneralNameByType(CERTGeneralName *genNames,
898 CERTGeneralNameType type,
899 PRBool derFormat);
900
901 extern CERTOidSequence *CERT_DecodeOidSequence(const SECItem *seqItem);
902
903 /****************************************************************************
904 *
905 * Find extension values of a certificate
906 *
907 ***************************************************************************/
908
909 extern SECStatus CERT_FindCertExtension(const CERTCertificate *cert, int tag,
910 SECItem *value);
911
912 extern SECStatus CERT_FindNSCertTypeExtension(CERTCertificate *cert,
913 SECItem *value);
914
915 extern char *CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag);
916
917 extern SECStatus CERT_FindCertExtensionByOID(CERTCertificate *cert,
918 SECItem *oid, SECItem *value);
919
920 /* Returns the decoded value of the authKeyID extension.
921 ** Note that this uses passed in the arena to allocate storage for the result
922 */
923 extern CERTAuthKeyID *CERT_FindAuthKeyIDExten(PLArenaPool *arena,
924 CERTCertificate *cert);
925
926 /* Returns the decoded value of the basicConstraint extension.
927 */
928 extern SECStatus CERT_FindBasicConstraintExten(CERTCertificate *cert,
929 CERTBasicConstraints *value);
930
931 /* Returns the decoded value of the crlDistributionPoints extension.
932 ** Note that the arena in cert is used to allocate storage for the result
933 */
934 extern CERTCrlDistributionPoints *CERT_FindCRLDistributionPoints(
935 CERTCertificate *cert);
936
937 /* Returns value of the keyUsage extension. This uses PR_Alloc to allocate
938 ** buffer for the decoded value. The caller should free up the storage
939 ** allocated in value->data.
940 */
941 extern SECStatus CERT_FindKeyUsageExtension(CERTCertificate *cert,
942 SECItem *value);
943
944 /* Return the decoded value of the subjectKeyID extension. The caller should
945 ** free up the storage allocated in retItem->data.
946 */
947 extern SECStatus CERT_FindSubjectKeyIDExtension(CERTCertificate *cert,
948 SECItem *retItem);
949
950 /*
951 ** If cert is a v3 certificate, and a critical keyUsage extension is included,
952 ** then check the usage against the extension value. If a non-critical
953 ** keyUsage extension is included, this will return SECSuccess without
954 ** checking, since the extension is an advisory field, not a restriction.
955 ** If cert is not a v3 certificate, this will return SECSuccess.
956 ** cert - certificate
957 ** usage - one of the x.509 v3 the Key Usage Extension flags
958 */
959 extern SECStatus CERT_CheckCertUsage(CERTCertificate *cert,
960 unsigned char usage);
961
962 /****************************************************************************
963 *
964 * CRL v2 Extensions supported routines
965 *
966 ****************************************************************************/
967
968 extern SECStatus CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid,
969 SECItem *value);
970
971 extern SECStatus CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value);
972
973 extern SECStatus CERT_FindInvalidDateExten(CERTCrl *crl, PRTime *value);
974
975 /*
976 ** Set up a crl for adding X509v3 extensions. Returns an opaque handle
977 ** used by routines that take an exthandle (void*) argument .
978 ** "crl" is the CRL we are adding extensions to
979 */
980 extern void *CERT_StartCRLExtensions(CERTCrl *crl);
981
982 /*
983 ** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle
984 ** used by routines that take an exthandle (void*) argument .
985 ** "crl" is the crl we are adding certs entries to
986 ** "entry" is the crl entry we are adding extensions to
987 */
988 extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
989
990 extern CERTCertNicknames *CERT_GetCertNicknames(CERTCertDBHandle *handle,
991 int what, void *wincx);
992
993 /*
994 ** Finds the crlNumber extension and decodes its value into 'value'
995 */
996 extern SECStatus CERT_FindCRLNumberExten(PLArenaPool *arena, CERTCrl *crl,
997 SECItem *value);
998
999 extern SECStatus CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry,
1000 CERTCRLEntryReasonCode *value);
1001
1002 extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
1003
1004 extern PRBool CERT_CompareCerts(const CERTCertificate *c1,
1005 const CERTCertificate *c2);
1006
1007 extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
1008 CERTCertificate *c2);
1009
1010 /*
1011 ** Generate an array of the Distinguished Names that the given cert database
1012 ** "trusts"
1013 */
1014 extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
1015
1016 extern void CERT_FreeDistNames(CERTDistNames *names);
1017
1018 /* Duplicate distinguished name array */
1019 extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig);
1020
1021 /*
1022 ** Generate an array of Distinguished names from an array of nicknames
1023 */
1024 extern CERTDistNames *CERT_DistNamesFromNicknames(CERTCertDBHandle *handle,
1025 char **nicknames, int nnames);
1026
1027 /*
1028 ** Generate an array of Distinguished names from a list of certs.
1029 */
1030 extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list);
1031
1032 /*
1033 ** Generate a certificate chain from a certificate.
1034 */
1035 extern CERTCertificateList *CERT_CertChainFromCert(CERTCertificate *cert,
1036 SECCertUsage usage,
1037 PRBool includeRoot);
1038
1039 extern CERTCertificateList *CERT_CertListFromCert(CERTCertificate *cert);
1040
1041 extern CERTCertificateList *CERT_DupCertList(
1042 const CERTCertificateList *oldList);
1043
1044 extern void CERT_DestroyCertificateList(CERTCertificateList *list);
1045
1046 /*
1047 ** is cert a user cert? i.e. does it have CERTDB_USER trust,
1048 ** i.e. a private key?
1049 */
1050 PRBool CERT_IsUserCert(CERTCertificate *cert);
1051
1052 /* is cert a newer than cert b? */
1053 PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
1054
1055 /* currently a stub for address book */
1056 PRBool CERT_IsCertRevoked(CERTCertificate *cert);
1057
1058 void CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
1059
1060 /* convert an email address to lower case */
1061 char *CERT_FixupEmailAddr(const char *emailAddr);
1062
1063 /* decode string representation of trust flags into trust struct */
1064 SECStatus CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts);
1065
1066 /* encode trust struct into string representation of trust flags */
1067 char *CERT_EncodeTrustString(CERTCertTrust *trust);
1068
1069 /* find the next or prev cert in a subject list */
1070 CERTCertificate *CERT_PrevSubjectCert(CERTCertificate *cert);
1071 CERTCertificate *CERT_NextSubjectCert(CERTCertificate *cert);
1072
1073 /*
1074 * import a collection of certs into the temporary or permanent cert
1075 * database
1076 */
1077 SECStatus CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
1078 unsigned int ncerts, SECItem **derCerts,
1079 CERTCertificate ***retCerts, PRBool keepCerts,
1080 PRBool caOnly, char *nickname);
1081
1082 char *CERT_MakeCANickname(CERTCertificate *cert);
1083
1084 PRBool CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
1085
1086 PRBool CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
1087
1088 PRBool CERT_IsRootDERCert(SECItem *derCert);
1089
1090 SECStatus CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
1091 SECItem *profileTime);
1092
1093 /*
1094 * find the smime symmetric capabilities profile for a given cert
1095 */
1096 SECItem *CERT_FindSMimeProfile(CERTCertificate *cert);
1097
1098 SECStatus CERT_AddNewCerts(CERTCertDBHandle *handle);
1099
1100 CERTCertificatePolicies *CERT_DecodeCertificatePoliciesExtension(
1101 const SECItem *extnValue);
1102
1103 void CERT_DestroyCertificatePoliciesExtension(
1104 CERTCertificatePolicies *policies);
1105
1106 CERTCertificatePolicyMappings *CERT_DecodePolicyMappingsExtension(
1107 SECItem *encodedCertPolicyMaps);
1108
1109 SECStatus CERT_DestroyPolicyMappingsExtension(
1110 CERTCertificatePolicyMappings *mappings);
1111
1112 SECStatus CERT_DecodePolicyConstraintsExtension(
1113 CERTCertificatePolicyConstraints *decodedValue,
1114 const SECItem *encodedValue);
1115
1116 SECStatus CERT_DecodeInhibitAnyExtension(
1117 CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
1118
1119 CERTUserNotice *CERT_DecodeUserNotice(SECItem *noticeItem);
1120
1121 extern CERTGeneralName *CERT_DecodeAltNameExtension(PLArenaPool *reqArena,
1122 SECItem *EncodedAltName);
1123
1124 extern CERTNameConstraints *CERT_DecodeNameConstraintsExtension(
1125 PLArenaPool *arena, const SECItem *encodedConstraints);
1126
1127 /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
1128 extern CERTAuthInfoAccess **CERT_DecodeAuthInfoAccessExtension(
1129 PLArenaPool *reqArena, const SECItem *encodedExtension);
1130
1131 extern CERTPrivKeyUsagePeriod *CERT_DecodePrivKeyUsagePeriodExtension(
1132 PLArenaPool *arena, SECItem *extnValue);
1133
1134 extern CERTGeneralName *CERT_GetNextGeneralName(CERTGeneralName *current);
1135
1136 extern CERTGeneralName *CERT_GetPrevGeneralName(CERTGeneralName *current);
1137
1138 /*
1139 * Look up name constraints for some certs that do not include name constraints
1140 * (Most importantly, root certificates)
1141 *
1142 * If a matching subject is found, |extensions| will be populated with a copy of
1143 * the
1144 * DER-encoded name constraints extension. The data in |extensions| will point
1145 * to
1146 * memory that the caller owns.
1147 *
1148 * There is no mechanism to configure imposed name constraints right now. All
1149 * imposed name constraints are built into NSS.
1150 */
1151 SECStatus CERT_GetImposedNameConstraints(const SECItem *derSubject,
1152 SECItem *extensions);
1153
1154 CERTNameConstraint *CERT_GetNextNameConstraint(CERTNameConstraint *current);
1155
1156 CERTNameConstraint *CERT_GetPrevNameConstraint(CERTNameConstraint *current);
1157
1158 void CERT_DestroyUserNotice(CERTUserNotice *userNotice);
1159
1160 typedef char *(*CERTPolicyStringCallback)(char *org, unsigned long noticeNumber,
1161 void *arg);
1162 void CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
1163
1164 char *CERT_GetCertCommentString(CERTCertificate *cert);
1165
1166 PRBool CERT_GovtApprovedBitSet(CERTCertificate *cert);
1167
1168 SECStatus CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
1169
1170 CERTCertList *CERT_MatchUserCert(CERTCertDBHandle *handle, SECCertUsage usage,
1171 int nCANames, char **caNames, void *proto_win);
1172
1173 CERTCertList *CERT_NewCertList(void);
1174
1175 /* free the cert list and all the certs in the list */
1176 void CERT_DestroyCertList(CERTCertList *certs);
1177
1178 /* remove the node and free the cert */
1179 void CERT_RemoveCertListNode(CERTCertListNode *node);
1180
1181 /* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
1182 SECStatus CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
1183
1184 /* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
1185 SECStatus CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
1186
1187 /*
1188 * The new cert list node takes ownership of "cert". "cert" is freed
1189 * when the list node is removed.
1190 */
1191 SECStatus CERT_AddCertToListTailWithData(CERTCertList *certs,
1192 CERTCertificate *cert, void *appData);
1193
1194 /*
1195 * The new cert list node takes ownership of "cert". "cert" is freed
1196 * when the list node is removed.
1197 */
1198 SECStatus CERT_AddCertToListHeadWithData(CERTCertList *certs,
1199 CERTCertificate *cert, void *appData);
1200
1201 typedef PRBool (*CERTSortCallback)(CERTCertificate *certa,
1202 CERTCertificate *certb, void *arg);
1203 SECStatus CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
1204 CERTSortCallback f, void *arg);
1205
1206 /* callback for CERT_AddCertToListSorted that sorts based on validity
1207 * period and a given time.
1208 */
1209 PRBool CERT_SortCBValidity(CERTCertificate *certa, CERTCertificate *certb,
1210 void *arg);
1211
1212 SECStatus CERT_CheckForEvilCert(CERTCertificate *cert);
1213
1214 CERTGeneralName *CERT_GetCertificateNames(CERTCertificate *cert,
1215 PLArenaPool *arena);
1216
1217 CERTGeneralName *CERT_GetConstrainedCertificateNames(
1218 const CERTCertificate *cert, PLArenaPool *arena,
1219 PRBool includeSubjectCommonName);
1220
1221 /*
1222 * Creates or adds to a list of all certs with a give subject name, sorted by
1223 * validity time, newest first. Invalid certs are considered older than
1224 * valid certs. If validOnly is set, do not include invalid certs on list.
1225 */
1226 CERTCertList *CERT_CreateSubjectCertList(CERTCertList *certList,
1227 CERTCertDBHandle *handle,
1228 const SECItem *name, PRTime sorttime,
1229 PRBool validOnly);
1230
1231 /*
1232 * remove certs from a list that don't have keyUsage and certType
1233 * that match the given usage.
1234 */
1235 SECStatus CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
1236 PRBool ca);
1237
1238 /*
1239 * check the key usage of a cert against a set of required values
1240 */
1241 SECStatus CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
1242
1243 /*
1244 * return required key usage and cert type based on cert usage
1245 */
1246 SECStatus CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
1247 unsigned int *retKeyUsage,
1248 unsigned int *retCertType);
1249 /*
1250 * return required trust flags for various cert usages for CAs
1251 */
1252 SECStatus CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
1253 unsigned int *retFlags,
1254 SECTrustType *retTrustType);
1255
1256 /*
1257 * Find all user certificates that match the given criteria.
1258 *
1259 * "handle" - database to search
1260 * "usage" - certificate usage to match
1261 * "oneCertPerName" - if set then only return the "best" cert per
1262 * name
1263 * "validOnly" - only return certs that are curently valid
1264 * "proto_win" - window handle passed to pkcs11
1265 */
1266 CERTCertList *CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
1267 SECCertUsage usage,
1268 PRBool oneCertPerName, PRBool validOnly,
1269 void *proto_win);
1270
1271 /*
1272 * Find a user certificate that matchs the given criteria.
1273 *
1274 * "handle" - database to search
1275 * "nickname" - nickname to match
1276 * "usage" - certificate usage to match
1277 * "validOnly" - only return certs that are curently valid
1278 * "proto_win" - window handle passed to pkcs11
1279 */
1280 CERTCertificate *CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
1281 const char *nickname,
1282 SECCertUsage usage, PRBool validOnly,
1283 void *proto_win);
1284
1285 /*
1286 * Filter a list of certificates, removing those certs that do not have
1287 * one of the named CA certs somewhere in their cert chain.
1288 *
1289 * "certList" - the list of certificates to filter
1290 * "nCANames" - number of CA names
1291 * "caNames" - array of CA names in string(rfc 1485) form
1292 * "usage" - what use the certs are for, this is used when
1293 * selecting CA certs
1294 */
1295 SECStatus CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
1296 char **caNames, SECCertUsage usage);
1297
1298 /*
1299 * Filter a list of certificates, removing those certs that aren't user certs
1300 */
1301 SECStatus CERT_FilterCertListForUserCerts(CERTCertList *certList);
1302
1303 /*
1304 * Collect the nicknames from all certs in a CertList. If the cert is not
1305 * valid, append a string to that nickname.
1306 *
1307 * "certList" - the list of certificates
1308 * "expiredString" - the string to append to the nickname of any expired cert
1309 * "notYetGoodString" - the string to append to the nickname of any cert
1310 * that is not yet valid
1311 */
1312 CERTCertNicknames *CERT_NicknameStringsFromCertList(CERTCertList *certList,
1313 char *expiredString,
1314 char *notYetGoodString);
1315
1316 /*
1317 * Extract the nickname from a nickmake string that may have either
1318 * expiredString or notYetGoodString appended.
1319 *
1320 * Args:
1321 * "namestring" - the string containing the nickname, and possibly
1322 * one of the validity label strings
1323 * "expiredString" - the expired validity label string
1324 * "notYetGoodString" - the not yet good validity label string
1325 *
1326 * Returns the raw nickname
1327 */
1328 char *CERT_ExtractNicknameString(char *namestring, char *expiredString,
1329 char *notYetGoodString);
1330
1331 /*
1332 * Given a certificate, return a string containing the nickname, and possibly
1333 * one of the validity strings, based on the current validity state of the
1334 * certificate.
1335 *
1336 * "arena" - arena to allocate returned string from. If NULL, then heap
1337 * is used.
1338 * "cert" - the cert to get nickname from
1339 * "expiredString" - the string to append to the nickname if the cert is
1340 * expired.
1341 * "notYetGoodString" - the string to append to the nickname if the cert is
1342 * not yet good.
1343 */
1344 char *CERT_GetCertNicknameWithValidity(PLArenaPool *arena,
1345 CERTCertificate *cert,
1346 char *expiredString,
1347 char *notYetGoodString);
1348
1349 /*
1350 * Return the string representation of a DER encoded distinguished name
1351 * "dername" - The DER encoded name to convert
1352 */
1353 char *CERT_DerNameToAscii(SECItem *dername);
1354
1355 /*
1356 * Supported usage values and types:
1357 * certUsageSSLClient
1358 * certUsageSSLServer
1359 * certUsageSSLServerWithStepUp
1360 * certUsageEmailSigner
1361 * certUsageEmailRecipient
1362 * certUsageObjectSigner
1363 */
1364
1365 CERTCertificate *CERT_FindMatchingCert(CERTCertDBHandle *handle,
1366 SECItem *derName, CERTCertOwner owner,
1367 SECCertUsage usage, PRBool preferTrusted,
1368 PRTime validTime, PRBool validOnly);
1369
1370 /*
1371 * Acquire the global lock on the cert database.
1372 * This lock is currently used for the following operations:
1373 * adding or deleting a cert to either the temp or perm databases
1374 * converting a temp to perm or perm to temp
1375 * changing(maybe just adding?) the trust of a cert
1376 * adjusting the reference count of a cert
1377 */
1378 void CERT_LockDB(CERTCertDBHandle *handle);
1379
1380 /*
1381 * Free the global cert database lock.
1382 */
1383 void CERT_UnlockDB(CERTCertDBHandle *handle);
1384
1385 /*
1386 * Get the certificate status checking configuratino data for
1387 * the certificate database
1388 */
1389 CERTStatusConfig *CERT_GetStatusConfig(CERTCertDBHandle *handle);
1390
1391 /*
1392 * Set the certificate status checking information for the
1393 * database. The input structure becomes part of the certificate
1394 * database and will be freed by calling the 'Destroy' function in
1395 * the configuration object.
1396 */
1397 void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
1398
1399 /*
1400 * Acquire the cert reference count lock
1401 * There is currently one global lock for all certs, but I'm putting a cert
1402 * arg here so that it will be easy to make it per-cert in the future if
1403 * that turns out to be necessary.
1404 */
1405 void CERT_LockCertRefCount(CERTCertificate *cert);
1406
1407 /*
1408 * Free the cert reference count lock
1409 */
1410 void CERT_UnlockCertRefCount(CERTCertificate *cert);
1411
1412 /*
1413 * Acquire the cert trust lock
1414 * There is currently one global lock for all certs, but I'm putting a cert
1415 * arg here so that it will be easy to make it per-cert in the future if
1416 * that turns out to be necessary.
1417 */
1418 void CERT_LockCertTrust(const CERTCertificate *cert);
1419
1420 /*
1421 * Free the cert trust lock
1422 */
1423 void CERT_UnlockCertTrust(const CERTCertificate *cert);
1424
1425 /*
1426 * Digest the cert's subject public key using the specified algorithm.
1427 * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
1428 * the tag, length, and number of unused bits) rather than the whole
1429 * subjectPublicKeyInfo field.
1430 *
1431 * The necessary storage for the digest data is allocated. If "fill" is
1432 * non-null, the data is put there, otherwise a SECItem is allocated.
1433 * Allocation from "arena" if it is non-null, heap otherwise. Any problem
1434 * results in a NULL being returned (and an appropriate error set).
1435 */
1436 extern SECItem *CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena,
1437 const CERTCertificate *cert,
1438 SECOidTag digestAlg,
1439 SECItem *fill);
1440
1441 /*
1442 * Digest the cert's subject name using the specified algorithm.
1443 */
1444 extern SECItem *CERT_GetSubjectNameDigest(PLArenaPool *arena,
1445 const CERTCertificate *cert,
1446 SECOidTag digestAlg, SECItem *fill);
1447
1448 SECStatus CERT_CheckCRL(CERTCertificate *cert, CERTCertificate *issuer,
1449 const SECItem *dp, PRTime t, void *wincx);
1450
1451 /*
1452 * Add a CERTNameConstraint to the CERTNameConstraint list
1453 */
1454 extern CERTNameConstraint *CERT_AddNameConstraint(
1455 CERTNameConstraint *list, CERTNameConstraint *constraint);
1456
1457 /*
1458 * Allocate space and copy CERTNameConstraint from src to dest.
1459 * Arena is used to allocate result(if dest eq NULL) and its members
1460 * SECItem data.
1461 */
1462 extern CERTNameConstraint *CERT_CopyNameConstraint(PLArenaPool *arena,
1463 CERTNameConstraint *dest,
1464 CERTNameConstraint *src);
1465
1466 /*
1467 * Verify name against all the constraints relevant to that type of
1468 * the name.
1469 */
1470 extern SECStatus CERT_CheckNameSpace(PLArenaPool *arena,
1471 const CERTNameConstraints *constraints,
1472 const CERTGeneralName *currentName);
1473
1474 /*
1475 * Extract and allocate the name constraints extension from the CA cert.
1476 * If the certificate contains no name constraints extension, but
1477 * CERT_GetImposedNameConstraints returns a name constraints extension
1478 * for the subject of the certificate, then that extension will be returned.
1479 */
1480 extern SECStatus CERT_FindNameConstraintsExten(
1481 PLArenaPool *arena, CERTCertificate *cert,
1482 CERTNameConstraints **constraints);
1483
1484 /*
1485 * Initialize a new GERTGeneralName fields (link)
1486 */
1487 extern CERTGeneralName *CERT_NewGeneralName(PLArenaPool *arena,
1488 CERTGeneralNameType type);
1489
1490 /*
1491 * Lookup a CERTGeneralNameType constant by its human readable string.
1492 */
1493 extern CERTGeneralNameType CERT_GetGeneralNameTypeFromString(
1494 const char *string);
1495
1496 /*
1497 * PKIX extension encoding routines
1498 */
1499 extern SECStatus CERT_EncodePolicyConstraintsExtension(
1500 PLArenaPool *arena, CERTCertificatePolicyConstraints *constr,
1501 SECItem *dest);
1502 extern SECStatus CERT_EncodeInhibitAnyExtension(
1503 PLArenaPool *arena, CERTCertificateInhibitAny *inhibitAny, SECItem *dest);
1504 extern SECStatus CERT_EncodePolicyMappingExtension(
1505 PLArenaPool *arena, CERTCertificatePolicyMappings *maps, SECItem *dest);
1506
1507 extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
1508 CERTAuthInfoAccess **info,
1509 SECItem *dest);
1510 extern SECStatus CERT_EncodeUserNotice(PLArenaPool *arena,
1511 CERTUserNotice *notice, SECItem *dest);
1512
1513 extern SECStatus CERT_EncodeDisplayText(PLArenaPool *arena, SECItem *text,
1514 SECItem *dest);
1515
1516 extern SECStatus CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
1517 CERTPolicyInfo **info,
1518 SECItem *dest);
1519 extern SECStatus CERT_EncodeNoticeReference(PLArenaPool *arena,
1520 CERTNoticeReference *reference,
1521 SECItem *dest);
1522
1523 /*
1524 * Returns a pointer to a static structure.
1525 */
1526 extern const CERTRevocationFlags *CERT_GetPKIXVerifyNistRevocationPolicy(void);
1527
1528 /*
1529 * Returns a pointer to a static structure.
1530 */
1531 extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledSoftFailurePolicy(
1532 void);
1533
1534 /*
1535 * Returns a pointer to a static structure.
1536 */
1537 extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledHardFailurePolicy(
1538 void);
1539
1540 /*
1541 * Returns a pointer to a static structure.
1542 */
1543 extern const CERTRevocationFlags *CERT_GetClassicOCSPDisabledPolicy(void);
1544
1545 /*
1546 * Verify a Cert with libpkix
1547 * paramsIn control the verification options. If a value isn't specified
1548 * in paramsIn, it reverts to the application default.
1549 * paramsOut specifies the parameters the caller would like to get back.
1550 * the caller may pass NULL, in which case no parameters are returned.
1551 */
1552 extern SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert,
1553 SECCertificateUsage usages,
1554 CERTValInParam *paramsIn,
1555 CERTValOutParam *paramsOut, void *wincx);
1556
1557 /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
1558 * to use libpkix validation engine. The function should be called ones at
1559 * application initialization time.
1560 * Function is not thread safe.*/
1561 extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
1562
1563 /* The function return PR_TRUE if cert validation should use
1564 * libpkix cert validation engine. */
1565 extern PRBool CERT_GetUsePKIXForValidation(void);
1566
1567 /*
1568 * Allocate a parameter container of type CERTRevocationFlags,
1569 * and allocate the inner arrays of the given sizes.
1570 * To cleanup call CERT_DestroyCERTRevocationFlags.
1571 */
1572 extern CERTRevocationFlags *CERT_AllocCERTRevocationFlags(
1573 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
1574 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
1575
1576 /*
1577 * Destroy the arrays inside flags,
1578 * and destroy the object pointed to by flags, too.
1579 */
1580 extern void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
1581
1582 SEC_END_PROTOS
1583
1584 #endif /* _CERT_H_ */
OLDNEW
« no previous file with comments | « nss/lib/certdb/alg1485.c ('k') | nss/lib/certdb/certdb.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698