OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 | |
5 /* | |
6 * cert.h - public data structures and prototypes for the certificate library | |
7 */ | |
8 | |
9 #ifndef _CERT_H_ | |
10 #define _CERT_H_ | |
11 | |
12 #include "utilrename.h" | |
13 #include "plarena.h" | |
14 #include "plhash.h" | |
15 #include "prlong.h" | |
16 #include "prlog.h" | |
17 | |
18 #include "seccomon.h" | |
19 #include "secdert.h" | |
20 #include "secoidt.h" | |
21 #include "keyt.h" | |
22 #include "certt.h" | |
23 | |
24 SEC_BEGIN_PROTOS | |
25 | |
26 /**************************************************************************** | |
27 * | |
28 * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName) | |
29 * | |
30 ****************************************************************************/ | |
31 | |
32 /* | |
33 ** Convert an ascii RFC1485 encoded name into its CERTName equivalent. | |
34 */ | |
35 extern CERTName *CERT_AsciiToName(const char *string); | |
36 | |
37 /* | |
38 ** Convert an CERTName into its RFC1485 encoded equivalent. | |
39 ** Returns a string that must be freed with PORT_Free(). | |
40 ** This version produces a string for maximum human readability, | |
41 ** not for strict RFC compliance. | |
42 */ | |
43 extern char *CERT_NameToAscii(CERTName *name); | |
44 | |
45 /* | |
46 ** Convert an CERTName into its RFC1485 encoded equivalent. | |
47 ** Returns a string that must be freed with PORT_Free(). | |
48 ** Caller chooses encoding rules. | |
49 */ | |
50 extern char *CERT_NameToAsciiInvertible(CERTName *name, | |
51 CertStrictnessLevel strict); | |
52 | |
53 extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src); | |
54 | |
55 /* convert an OID to dotted-decimal representation */ | |
56 /* Returns a string that must be freed with PR_smprintf_free(). */ | |
57 extern char *CERT_GetOidString(const SECItem *oid); | |
58 | |
59 /* | |
60 ** Examine an AVA and return the tag that refers to it. The AVA tags are | |
61 ** defined as SEC_OID_AVA*. | |
62 */ | |
63 extern SECOidTag CERT_GetAVATag(CERTAVA *ava); | |
64 | |
65 /* | |
66 ** Compare two AVA's, returning the difference between them. | |
67 */ | |
68 extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b); | |
69 | |
70 /* | |
71 ** Create an RDN (relative-distinguished-name). The argument list is a | |
72 ** NULL terminated list of AVA's. | |
73 */ | |
74 extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...); | |
75 | |
76 /* | |
77 ** Make a copy of "src" storing it in "dest". | |
78 */ | |
79 extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src); | |
80 | |
81 /* | |
82 ** Add an AVA to an RDN. | |
83 ** "rdn" the RDN to add to | |
84 ** "ava" the AVA to add | |
85 */ | |
86 extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava); | |
87 | |
88 /* | |
89 ** Compare two RDN's, returning the difference between them. | |
90 */ | |
91 extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b); | |
92 | |
93 /* | |
94 ** Create an X.500 style name using a NULL terminated list of RDN's. | |
95 */ | |
96 extern CERTName *CERT_CreateName(CERTRDN *rdn, ...); | |
97 | |
98 /* | |
99 ** Make a copy of "src" storing it in "dest". Memory is allocated in | |
100 ** "dest" for each of the appropriate sub objects. Memory is not freed in | |
101 ** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to | |
102 ** do that). | |
103 */ | |
104 extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, | |
105 const CERTName *src); | |
106 | |
107 /* | |
108 ** Destroy a Name object. | |
109 ** "name" the CERTName to destroy | |
110 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
111 */ | |
112 extern void CERT_DestroyName(CERTName *name); | |
113 | |
114 /* | |
115 ** Add an RDN to a name. | |
116 ** "name" the name to add the RDN to | |
117 ** "rdn" the RDN to add to name | |
118 */ | |
119 extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn); | |
120 | |
121 /* | |
122 ** Compare two names, returning the difference between them. | |
123 */ | |
124 extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b); | |
125 | |
126 /* | |
127 ** Convert a CERTName into something readable | |
128 */ | |
129 extern char *CERT_FormatName(CERTName *name); | |
130 | |
131 /* | |
132 ** Convert a der-encoded integer to a hex printable string form. | |
133 ** Perhaps this should be a SEC function but it's only used for certs. | |
134 */ | |
135 extern char *CERT_Hexify(SECItem *i, int do_colon); | |
136 | |
137 /* | |
138 ** Converts DER string (with explicit length) into zString, if destination | |
139 ** buffer is big enough to receive it. Does quoting and/or escaping as | |
140 ** specified in RFC 1485. Input string must be single or multi-byte DER | |
141 ** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set. | |
142 ** Returns SECSuccess or SECFailure with error code set. If output buffer | |
143 ** is too small, sets error code SEC_ERROR_OUTPUT_LEN. | |
144 */ | |
145 extern SECStatus CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, | |
146 int srclen); | |
147 | |
148 /****************************************************************************** | |
149 * | |
150 * Certificate handling operations | |
151 * | |
152 *****************************************************************************/ | |
153 | |
154 /* | |
155 ** Create a new validity object given two unix time values. | |
156 ** "notBefore" the time before which the validity is not valid | |
157 ** "notAfter" the time after which the validity is not valid | |
158 */ | |
159 extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter); | |
160 | |
161 /* | |
162 ** Destroy a validity object. | |
163 ** "v" the validity to destroy | |
164 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
165 */ | |
166 extern void CERT_DestroyValidity(CERTValidity *v); | |
167 | |
168 /* | |
169 ** Copy the "src" object to "dest". Memory is allocated in "dest" for | |
170 ** each of the appropriate sub-objects. Memory in "dest" is not freed | |
171 ** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do | |
172 ** that). | |
173 */ | |
174 extern SECStatus CERT_CopyValidity(PLArenaPool *arena, CERTValidity *dest, | |
175 CERTValidity *src); | |
176 | |
177 /* | |
178 ** The cert lib considers a cert or CRL valid if the "notBefore" time is | |
179 ** in the not-too-distant future, e.g. within the next 24 hours. This | |
180 ** prevents freshly issued certificates from being considered invalid | |
181 ** because the local system's time zone is incorrectly set. | |
182 ** The amount of "pending slop time" is adjustable by the application. | |
183 ** Units of SlopTime are seconds. Default is 86400 (24 hours). | |
184 ** Negative SlopTime values are not allowed. | |
185 */ | |
186 PRInt32 CERT_GetSlopTime(void); | |
187 | |
188 SECStatus CERT_SetSlopTime(PRInt32 slop); | |
189 | |
190 /* | |
191 ** Create a new certificate object. The result must be wrapped with an | |
192 ** CERTSignedData to create a signed certificate. | |
193 ** "serialNumber" the serial number | |
194 ** "issuer" the name of the certificate issuer | |
195 ** "validity" the validity period of the certificate | |
196 ** "req" the certificate request that prompted the certificate issuance | |
197 */ | |
198 extern CERTCertificate *CERT_CreateCertificate(unsigned long serialNumber, | |
199 CERTName *issuer, | |
200 CERTValidity *validity, | |
201 CERTCertificateRequest *req); | |
202 | |
203 /* | |
204 ** Destroy a certificate object | |
205 ** "cert" the certificate to destroy | |
206 ** NOTE: certificate's are reference counted. This call decrements the | |
207 ** reference count, and if the result is zero, then the object is destroyed | |
208 ** and optionally freed. | |
209 */ | |
210 extern void CERT_DestroyCertificate(CERTCertificate *cert); | |
211 | |
212 /* | |
213 ** Make a shallow copy of a certificate "c". Just increments the | |
214 ** reference count on "c". | |
215 */ | |
216 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c); | |
217 | |
218 /* | |
219 ** Create a new certificate request. This result must be wrapped with an | |
220 ** CERTSignedData to create a signed certificate request. | |
221 ** "name" the subject name (who the certificate request is from) | |
222 ** "spki" describes/defines the public key the certificate is for | |
223 ** "attributes" if non-zero, some optional attribute data | |
224 */ | |
225 extern CERTCertificateRequest *CERT_CreateCertificateRequest( | |
226 CERTName *name, CERTSubjectPublicKeyInfo *spki, SECItem **attributes); | |
227 | |
228 /* | |
229 ** Destroy a certificate-request object | |
230 ** "r" the certificate-request to destroy | |
231 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
232 */ | |
233 extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r); | |
234 | |
235 /* | |
236 ** Start adding extensions to a certificate request. | |
237 */ | |
238 void *CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req); | |
239 | |
240 /* | |
241 ** Reformat the certificate extension list into a CertificateRequest | |
242 ** attribute list. | |
243 */ | |
244 SECStatus CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req); | |
245 | |
246 /* | |
247 ** Extract the Extension Requests from a DER CertRequest attribute list. | |
248 */ | |
249 SECStatus CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, | |
250 CERTCertExtension ***exts); | |
251 | |
252 /* | |
253 ** Extract a public key object from a certificate | |
254 */ | |
255 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert); | |
256 | |
257 /* | |
258 ** Retrieve the Key Type associated with the cert we're dealing with | |
259 */ | |
260 | |
261 extern KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki); | |
262 | |
263 /* | |
264 ** Initialize the certificate database. This is called to create | |
265 ** the initial list of certificates in the database. | |
266 */ | |
267 extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle); | |
268 | |
269 extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle); | |
270 | |
271 /* | |
272 ** Default certificate database routines | |
273 */ | |
274 extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle); | |
275 | |
276 extern CERTCertDBHandle *CERT_GetDefaultCertDB(void); | |
277 | |
278 extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, | |
279 PRTime time, SECCertUsage usage); | |
280 extern CERTCertificate *CERT_NewTempCertificate(CERTCertDBHandle *handle, | |
281 SECItem *derCert, | |
282 char *nickname, PRBool isperm, | |
283 PRBool copyDER); | |
284 | |
285 /****************************************************************************** | |
286 * | |
287 * X.500 Name handling operations | |
288 * | |
289 *****************************************************************************/ | |
290 | |
291 /* | |
292 ** Create an AVA (attribute-value-assertion) | |
293 ** "arena" the memory arena to alloc from | |
294 ** "kind" is one of SEC_OID_AVA_* | |
295 ** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or | |
296 ** DER_T61_STRING | |
297 ** "value" is the null terminated string containing the value | |
298 */ | |
299 extern CERTAVA *CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind, | |
300 int valueType, char *value); | |
301 | |
302 /* | |
303 ** Extract the Distinguished Name from a DER encoded certificate | |
304 ** "derCert" is the DER encoded certificate | |
305 ** "derName" is the SECItem that the name is returned in | |
306 */ | |
307 extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName); | |
308 | |
309 /* | |
310 ** Extract the Issuers Distinguished Name from a DER encoded certificate | |
311 ** "derCert" is the DER encoded certificate | |
312 ** "derName" is the SECItem that the name is returned in | |
313 */ | |
314 extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName); | |
315 | |
316 extern SECItem *CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, | |
317 PLArenaPool *arena); | |
318 | |
319 extern CERTGeneralName *CERT_DecodeGeneralName(PLArenaPool *reqArena, | |
320 SECItem *encodedName, | |
321 CERTGeneralName *genName); | |
322 | |
323 /* | |
324 ** Generate a database search key for a certificate, based on the | |
325 ** issuer and serial number. | |
326 ** "arena" the memory arena to alloc from | |
327 ** "derCert" the DER encoded certificate | |
328 ** "key" the returned key | |
329 */ | |
330 extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, | |
331 SECItem *key); | |
332 | |
333 extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, | |
334 SECItem *sn, SECItem *key); | |
335 | |
336 extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, | |
337 SECItem *derName); | |
338 | |
339 /* | |
340 ** Generate a database search key for a crl, based on the | |
341 ** issuer. | |
342 ** "arena" the memory arena to alloc from | |
343 ** "derCrl" the DER encoded crl | |
344 ** "key" the returned key | |
345 */ | |
346 extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, | |
347 SECItem *key); | |
348 | |
349 /* | |
350 ** Open the certificate database. Use callback to get name of database. | |
351 */ | |
352 extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly, | |
353 CERTDBNameFunc namecb, void *cbarg); | |
354 | |
355 /* Open the certificate database. Use given filename for database. */ | |
356 extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle, | |
357 char *certdbname, PRBool readOnly); | |
358 | |
359 /* | |
360 ** Open and initialize a cert database that is entirely in memory. This | |
361 ** can be used when the permanent database can not be opened or created. | |
362 */ | |
363 extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle); | |
364 | |
365 /* | |
366 ** Extract the list of host names, host name patters, IP address strings | |
367 ** this cert is valid for. | |
368 ** This function does NOT return nicknames. | |
369 ** Type CERTCertNicknames is being used because it's a convenient | |
370 ** data structure to carry a list of strings and its count. | |
371 */ | |
372 extern CERTCertNicknames *CERT_GetValidDNSPatternsFromCert( | |
373 CERTCertificate *cert); | |
374 | |
375 /* | |
376 ** Check the hostname to make sure that it matches the shexp that | |
377 ** is given in the common name of the certificate. | |
378 */ | |
379 extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert, | |
380 const char *hostname); | |
381 | |
382 /* | |
383 ** Add a domain name to the list of names that the user has explicitly | |
384 ** allowed (despite cert name mismatches) for use with a server cert. | |
385 */ | |
386 extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, | |
387 const char *hostname); | |
388 | |
389 /* | |
390 ** Decode a DER encoded certificate into an CERTCertificate structure | |
391 ** "derSignedCert" is the DER encoded signed certificate | |
392 ** "copyDER" is true if the DER should be copied, false if the | |
393 ** existing copy should be referenced | |
394 ** "nickname" is the nickname to use in the database. If it is NULL | |
395 ** then a temporary nickname is generated. | |
396 */ | |
397 extern CERTCertificate *CERT_DecodeDERCertificate(SECItem *derSignedCert, | |
398 PRBool copyDER, | |
399 char *nickname); | |
400 /* | |
401 ** Decode a DER encoded CRL into a CERTSignedCrl structure | |
402 ** "derSignedCrl" is the DER encoded signed CRL. | |
403 ** "type" must be SEC_CRL_TYPE. | |
404 */ | |
405 #define SEC_CRL_TYPE 1 | |
406 #define SEC_KRL_TYPE 0 /* deprecated */ | |
407 | |
408 extern CERTSignedCrl *CERT_DecodeDERCrl(PLArenaPool *arena, | |
409 SECItem *derSignedCrl, int type); | |
410 | |
411 /* | |
412 * same as CERT_DecodeDERCrl, plus allow options to be passed in | |
413 */ | |
414 | |
415 extern CERTSignedCrl *CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, | |
416 SECItem *derSignedCrl, | |
417 int type, PRInt32 options); | |
418 | |
419 /* CRL options to pass */ | |
420 | |
421 #define CRL_DECODE_DEFAULT_OPTIONS 0x00000000 | |
422 | |
423 /* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The | |
424 application must then keep derSignedCrl until it destroys the | |
425 CRL . Ideally, it should allocate derSignedCrl in an arena | |
426 and pass that arena in as the first argument to | |
427 CERT_DecodeDERCrlWithFlags */ | |
428 | |
429 #define CRL_DECODE_DONT_COPY_DER 0x00000001 | |
430 #define CRL_DECODE_SKIP_ENTRIES 0x00000002 | |
431 #define CRL_DECODE_KEEP_BAD_CRL 0x00000004 | |
432 #define CRL_DECODE_ADOPT_HEAP_DER 0x00000008 | |
433 | |
434 /* complete the decoding of a partially decoded CRL, ie. decode the | |
435 entries. Note that entries is an optional field in a CRL, so the | |
436 "entries" pointer in CERTCrlStr may still be NULL even after | |
437 function returns SECSuccess */ | |
438 | |
439 extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl *crl); | |
440 | |
441 /* Validate CRL then import it to the dbase. If there is already a CRL with the | |
442 * same CA in the dbase, it will be replaced if derCRL is more up to date. | |
443 * If the process successes, a CRL will be returned. Otherwise, a NULL will | |
444 * be returned. The caller should call PORT_GetError() for the exactly error | |
445 * code. | |
446 */ | |
447 extern CERTSignedCrl *CERT_ImportCRL(CERTCertDBHandle *handle, SECItem *derCRL, | |
448 char *url, int type, void *wincx); | |
449 | |
450 extern void CERT_DestroyCrl(CERTSignedCrl *crl); | |
451 | |
452 /* this is a hint to flush the CRL cache. crlKey is the DER subject of | |
453 the issuer (CA). */ | |
454 void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle *dbhandle, SECItem *crlKey); | |
455 | |
456 /* add the specified DER CRL object to the CRL cache. Doing so will allow | |
457 certificate verification functions (such as CERT_VerifyCertificate) | |
458 to automatically find and make use of this CRL object. | |
459 Once a CRL is added to the CRL cache, the application must hold on to | |
460 the object's memory, because the cache will reference it directly. The | |
461 application can only free the object after it calls CERT_UncacheCRL to | |
462 remove it from the CRL cache. | |
463 */ | |
464 SECStatus CERT_CacheCRL(CERTCertDBHandle *dbhandle, SECItem *newcrl); | |
465 | |
466 /* remove a previously added CRL object from the CRL cache. It is OK | |
467 for the application to free the memory after a successful removal | |
468 */ | |
469 SECStatus CERT_UncacheCRL(CERTCertDBHandle *dbhandle, SECItem *oldcrl); | |
470 | |
471 /* | |
472 ** Find a certificate in the database | |
473 ** "key" is the database key to look for | |
474 */ | |
475 extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, | |
476 SECItem *key); | |
477 | |
478 /* | |
479 ** Find a certificate in the database by name | |
480 ** "name" is the distinguished name to look up | |
481 */ | |
482 extern CERTCertificate *CERT_FindCertByName(CERTCertDBHandle *handle, | |
483 SECItem *name); | |
484 | |
485 /* | |
486 ** Find a certificate in the database by name | |
487 ** "name" is the distinguished name to look up (in ascii) | |
488 */ | |
489 extern CERTCertificate *CERT_FindCertByNameString(CERTCertDBHandle *handle, | |
490 char *name); | |
491 | |
492 /* | |
493 ** Find a certificate in the database by name and keyid | |
494 ** "name" is the distinguished name to look up | |
495 ** "keyID" is the value of the subjectKeyID to match | |
496 */ | |
497 extern CERTCertificate *CERT_FindCertByKeyID(CERTCertDBHandle *handle, | |
498 SECItem *name, SECItem *keyID); | |
499 | |
500 /* | |
501 ** Generate a certificate key from the issuer and serialnumber, then look it | |
502 ** up in the database. Return the cert if found. | |
503 ** "issuerAndSN" is the issuer and serial number to look for | |
504 */ | |
505 extern CERTCertificate *CERT_FindCertByIssuerAndSN( | |
506 CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN); | |
507 | |
508 /* | |
509 ** Find a certificate in the database by a subject key ID | |
510 ** "subjKeyID" is the subject Key ID to look for | |
511 */ | |
512 extern CERTCertificate *CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, | |
513 SECItem *subjKeyID); | |
514 | |
515 /* | |
516 ** Encode Certificate SKID (Subject Key ID) extension. | |
517 ** | |
518 */ | |
519 extern SECStatus CERT_EncodeSubjectKeyID(PLArenaPool *arena, | |
520 const SECItem *srcString, | |
521 SECItem *encodedValue); | |
522 | |
523 /* | |
524 ** Find a certificate in the database by a nickname | |
525 ** "nickname" is the ascii string nickname to look for | |
526 */ | |
527 extern CERTCertificate *CERT_FindCertByNickname(CERTCertDBHandle *handle, | |
528 const char *nickname); | |
529 | |
530 /* | |
531 ** Find a certificate in the database by a DER encoded certificate | |
532 ** "derCert" is the DER encoded certificate | |
533 */ | |
534 extern CERTCertificate *CERT_FindCertByDERCert(CERTCertDBHandle *handle, | |
535 SECItem *derCert); | |
536 | |
537 /* | |
538 ** Find a certificate in the database by a email address | |
539 ** "emailAddr" is the email address to look up | |
540 */ | |
541 CERTCertificate *CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, | |
542 char *emailAddr); | |
543 | |
544 /* | |
545 ** Find a certificate in the database by a email address or nickname | |
546 ** "name" is the email address or nickname to look up | |
547 */ | |
548 CERTCertificate *CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, | |
549 const char *name); | |
550 | |
551 /* | |
552 ** Find a certificate in the database by a email address or nickname | |
553 ** and require it to have the given usage. | |
554 ** "name" is the email address or nickname to look up | |
555 */ | |
556 CERTCertificate *CERT_FindCertByNicknameOrEmailAddrForUsage( | |
557 CERTCertDBHandle *handle, const char *name, SECCertUsage lookingForUsage); | |
558 | |
559 /* | |
560 ** Find a certificate in the database by a digest of a subject public key | |
561 ** "spkDigest" is the digest to look up | |
562 */ | |
563 extern CERTCertificate *CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, | |
564 SECItem *spkDigest); | |
565 | |
566 /* | |
567 * Find the issuer of a cert | |
568 */ | |
569 CERTCertificate *CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, | |
570 SECCertUsage usage); | |
571 | |
572 /* | |
573 ** Check the validity times of a certificate vs. time 't', allowing | |
574 ** some slop for broken clocks and stuff. | |
575 ** "cert" is the certificate to be checked | |
576 ** "t" is the time to check against | |
577 ** "allowOverride" if true then check to see if the invalidity has | |
578 ** been overridden by the user. | |
579 */ | |
580 extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert, | |
581 PRTime t, | |
582 PRBool allowOverride); | |
583 | |
584 /* | |
585 ** WARNING - this function is deprecated, and will either go away or have | |
586 ** a new API in the near future. | |
587 ** | |
588 ** Check the validity times of a certificate vs. the current time, allowing | |
589 ** some slop for broken clocks and stuff. | |
590 ** "cert" is the certificate to be checked | |
591 */ | |
592 extern SECStatus CERT_CertTimesValid(CERTCertificate *cert); | |
593 | |
594 /* | |
595 ** Extract the validity times from a certificate | |
596 ** "c" is the certificate | |
597 ** "notBefore" is the start of the validity period | |
598 ** "notAfter" is the end of the validity period | |
599 */ | |
600 extern SECStatus CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore, | |
601 PRTime *notAfter); | |
602 | |
603 /* | |
604 ** Extract the issuer and serial number from a certificate | |
605 */ | |
606 extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, | |
607 CERTCertificate *); | |
608 | |
609 /* | |
610 ** verify the signature of a signed data object with a given certificate | |
611 ** "sd" the signed data object to be verified | |
612 ** "cert" the certificate to use to check the signature | |
613 */ | |
614 extern SECStatus CERT_VerifySignedData(CERTSignedData *sd, | |
615 CERTCertificate *cert, PRTime t, | |
616 void *wincx); | |
617 /* | |
618 ** verify the signature of a signed data object with the given DER publickey | |
619 */ | |
620 extern SECStatus CERT_VerifySignedDataWithPublicKeyInfo( | |
621 CERTSignedData *sd, CERTSubjectPublicKeyInfo *pubKeyInfo, void *wincx); | |
622 | |
623 /* | |
624 ** verify the signature of a signed data object with a SECKEYPublicKey. | |
625 */ | |
626 extern SECStatus CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, | |
627 SECKEYPublicKey *pubKey, | |
628 void *wincx); | |
629 | |
630 /* | |
631 ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use | |
632 ** verify a certificate by checking validity times against a certain time, | |
633 ** that we trust the issuer, and that the signature on the certificate is | |
634 ** valid. | |
635 ** "cert" the certificate to verify | |
636 ** "checkSig" only check signatures if true | |
637 */ | |
638 extern SECStatus CERT_VerifyCertificate(CERTCertDBHandle *handle, | |
639 CERTCertificate *cert, PRBool checkSig, | |
640 SECCertificateUsage requiredUsages, | |
641 PRTime t, void *wincx, | |
642 CERTVerifyLog *log, | |
643 SECCertificateUsage *returnedUsages); | |
644 | |
645 /* same as above, but uses current time */ | |
646 extern SECStatus CERT_VerifyCertificateNow(CERTCertDBHandle *handle, | |
647 CERTCertificate *cert, | |
648 PRBool checkSig, | |
649 SECCertificateUsage requiredUsages, | |
650 void *wincx, | |
651 SECCertificateUsage *returnedUsages); | |
652 | |
653 /* | |
654 ** Verify that a CA cert can certify some (unspecified) leaf cert for a given | |
655 ** purpose. This is used by UI code to help identify where a chain may be | |
656 ** broken and why. This takes identical parameters to CERT_VerifyCert | |
657 */ | |
658 extern SECStatus CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, | |
659 CERTCertificate *cert, | |
660 PRBool checkSig, | |
661 SECCertUsage certUsage, PRTime t, | |
662 void *wincx, CERTVerifyLog *log); | |
663 | |
664 /* | |
665 ** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE | |
666 ** verify a certificate by checking validity times against a certain time, | |
667 ** that we trust the issuer, and that the signature on the certificate is | |
668 ** valid. | |
669 ** "cert" the certificate to verify | |
670 ** "checkSig" only check signatures if true | |
671 */ | |
672 extern SECStatus CERT_VerifyCert(CERTCertDBHandle *handle, | |
673 CERTCertificate *cert, PRBool checkSig, | |
674 SECCertUsage certUsage, PRTime t, void *wincx, | |
675 CERTVerifyLog *log); | |
676 | |
677 /* same as above, but uses current time */ | |
678 extern SECStatus CERT_VerifyCertNow(CERTCertDBHandle *handle, | |
679 CERTCertificate *cert, PRBool checkSig, | |
680 SECCertUsage certUsage, void *wincx); | |
681 | |
682 SECStatus CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, | |
683 PRBool checkSig, SECCertUsage certUsage, | |
684 PRTime t, void *wincx, CERTVerifyLog *log); | |
685 | |
686 /* | |
687 ** Read a base64 ascii encoded DER certificate and convert it to our | |
688 ** internal format. | |
689 ** "certstr" is a null-terminated string containing the certificate | |
690 */ | |
691 extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr); | |
692 | |
693 /* | |
694 ** Read a certificate in some foreign format, and convert it to our | |
695 ** internal format. | |
696 ** "certbuf" is the buffer containing the certificate | |
697 ** "certlen" is the length of the buffer | |
698 ** NOTE - currently supports netscape base64 ascii encoded raw certs | |
699 ** and netscape binary DER typed files. | |
700 */ | |
701 extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen); | |
702 | |
703 extern SECStatus CERT_ImportCAChain(SECItem *certs, int numcerts, | |
704 SECCertUsage certUsage); | |
705 | |
706 extern SECStatus CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, | |
707 SECCertUsage certUsage); | |
708 | |
709 /* | |
710 ** Read a certificate chain in some foreign format, and pass it to a | |
711 ** callback function. | |
712 ** "certbuf" is the buffer containing the certificate | |
713 ** "certlen" is the length of the buffer | |
714 ** "f" is the callback function | |
715 ** "arg" is the callback argument | |
716 */ | |
717 typedef SECStatus(PR_CALLBACK *CERTImportCertificateFunc)(void *arg, | |
718 SECItem **certs, | |
719 int numcerts); | |
720 | |
721 extern SECStatus CERT_DecodeCertPackage(char *certbuf, int certlen, | |
722 CERTImportCertificateFunc f, void *arg); | |
723 | |
724 /* | |
725 ** Returns the value of an AVA. This was a formerly static | |
726 ** function that has been exposed due to the need to decode | |
727 ** and convert unicode strings to UTF8. | |
728 ** | |
729 ** XXX This function resides in certhtml.c, should it be | |
730 ** moved elsewhere? | |
731 */ | |
732 extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue); | |
733 | |
734 /* | |
735 ** extract various element strings from a distinguished name. | |
736 ** "name" the distinguished name | |
737 */ | |
738 | |
739 extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert); | |
740 | |
741 extern char *CERT_GetCertEmailAddress(const CERTName *name); | |
742 | |
743 extern const char *CERT_GetFirstEmailAddress(CERTCertificate *cert); | |
744 | |
745 extern const char *CERT_GetNextEmailAddress(CERTCertificate *cert, | |
746 const char *prev); | |
747 | |
748 /* The return value must be freed with PORT_Free. */ | |
749 extern char *CERT_GetCommonName(const CERTName *name); | |
750 | |
751 extern char *CERT_GetCountryName(const CERTName *name); | |
752 | |
753 extern char *CERT_GetLocalityName(const CERTName *name); | |
754 | |
755 extern char *CERT_GetStateName(const CERTName *name); | |
756 | |
757 extern char *CERT_GetOrgName(const CERTName *name); | |
758 | |
759 extern char *CERT_GetOrgUnitName(const CERTName *name); | |
760 | |
761 extern char *CERT_GetDomainComponentName(const CERTName *name); | |
762 | |
763 extern char *CERT_GetCertUid(const CERTName *name); | |
764 | |
765 /* manipulate the trust parameters of a certificate */ | |
766 | |
767 extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert, | |
768 CERTCertTrust *trust); | |
769 | |
770 extern SECStatus CERT_ChangeCertTrust(CERTCertDBHandle *handle, | |
771 CERTCertificate *cert, | |
772 CERTCertTrust *trust); | |
773 | |
774 extern SECStatus CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, | |
775 CERTCertificate *cert, | |
776 SECCertUsage usage); | |
777 | |
778 /************************************************************************* | |
779 * | |
780 * manipulate the extensions of a certificate | |
781 * | |
782 ************************************************************************/ | |
783 | |
784 /* | |
785 ** Set up a cert for adding X509v3 extensions. Returns an opaque handle | |
786 ** used by the next two routines. | |
787 ** "cert" is the certificate we are adding extensions to | |
788 */ | |
789 extern void *CERT_StartCertExtensions(CERTCertificate *cert); | |
790 | |
791 /* | |
792 ** Add an extension to a certificate. | |
793 ** "exthandle" is the handle returned by the previous function | |
794 ** "idtag" is the integer tag for the OID that should ID this extension | |
795 ** "value" is the value of the extension | |
796 ** "critical" is the critical extension flag | |
797 ** "copyData" is a flag indicating whether the value data should be | |
798 ** copied. | |
799 */ | |
800 extern SECStatus CERT_AddExtension(void *exthandle, int idtag, SECItem *value, | |
801 PRBool critical, PRBool copyData); | |
802 | |
803 extern SECStatus CERT_AddExtensionByOID(void *exthandle, SECItem *oid, | |
804 SECItem *value, PRBool critical, | |
805 PRBool copyData); | |
806 | |
807 extern SECStatus CERT_EncodeAndAddExtension(void *exthandle, int idtag, | |
808 void *value, PRBool critical, | |
809 const SEC_ASN1Template *atemplate); | |
810 | |
811 extern SECStatus CERT_EncodeAndAddBitStrExtension(void *exthandle, int idtag, | |
812 SECItem *value, | |
813 PRBool critical); | |
814 | |
815 extern SECStatus CERT_EncodeAltNameExtension(PLArenaPool *arena, | |
816 CERTGeneralName *value, | |
817 SECItem *encodedValue); | |
818 | |
819 /* | |
820 ** Finish adding cert extensions. Does final processing on extension | |
821 ** data, putting it in the right format, and freeing any temporary | |
822 ** storage. | |
823 ** "exthandle" is the handle used to add extensions to a certificate | |
824 */ | |
825 extern SECStatus CERT_FinishExtensions(void *exthandle); | |
826 | |
827 /* | |
828 ** Merge an external list of extensions into a cert's extension list, adding one | |
829 ** only when its OID matches none of the cert's existing extensions. Call this | |
830 ** immediately before calling CERT_FinishExtensions(). | |
831 */ | |
832 SECStatus CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts); | |
833 | |
834 /* If the extension is found, return its criticality and value. | |
835 ** This allocate storage for the returning extension value. | |
836 */ | |
837 extern SECStatus CERT_GetExtenCriticality(CERTCertExtension **extensions, | |
838 int tag, PRBool *isCritical); | |
839 | |
840 extern void CERT_DestroyOidSequence(CERTOidSequence *oidSeq); | |
841 | |
842 /**************************************************************************** | |
843 * | |
844 * DER encode and decode extension values | |
845 * | |
846 ****************************************************************************/ | |
847 | |
848 /* Encode the value of the basicConstraint extension. | |
849 ** arena - where to allocate memory for the encoded value. | |
850 ** value - extension value to encode | |
851 ** encodedValue - output encoded value | |
852 */ | |
853 extern SECStatus CERT_EncodeBasicConstraintValue(PLArenaPool *arena, | |
854 CERTBasicConstraints *value, | |
855 SECItem *encodedValue); | |
856 | |
857 /* | |
858 ** Encode the value of the authorityKeyIdentifier extension. | |
859 */ | |
860 extern SECStatus CERT_EncodeAuthKeyID(PLArenaPool *arena, CERTAuthKeyID *value, | |
861 SECItem *encodedValue); | |
862 | |
863 /* | |
864 ** Encode the value of the crlDistributionPoints extension. | |
865 */ | |
866 extern SECStatus CERT_EncodeCRLDistributionPoints( | |
867 PLArenaPool *arena, CERTCrlDistributionPoints *value, SECItem *derValue); | |
868 | |
869 /* | |
870 ** Decodes a DER encoded basicConstaint extension value into a readable format | |
871 ** value - decoded value | |
872 ** encodedValue - value to decoded | |
873 */ | |
874 extern SECStatus CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value, | |
875 const SECItem *encodedValue); | |
876 | |
877 /* Decodes a DER encoded authorityKeyIdentifier extension value into a | |
878 ** readable format. | |
879 ** arena - where to allocate memory for the decoded value | |
880 ** encodedValue - value to be decoded | |
881 ** Returns a CERTAuthKeyID structure which contains the decoded value | |
882 */ | |
883 extern CERTAuthKeyID *CERT_DecodeAuthKeyID(PLArenaPool *arena, | |
884 const SECItem *encodedValue); | |
885 | |
886 /* Decodes a DER encoded crlDistributionPoints extension value into a | |
887 ** readable format. | |
888 ** arena - where to allocate memory for the decoded value | |
889 ** der - value to be decoded | |
890 ** Returns a CERTCrlDistributionPoints structure which contains the | |
891 ** decoded value | |
892 */ | |
893 extern CERTCrlDistributionPoints *CERT_DecodeCRLDistributionPoints( | |
894 PLArenaPool *arena, SECItem *der); | |
895 | |
896 /* Extract certain name type from a generalName */ | |
897 extern void *CERT_GetGeneralNameByType(CERTGeneralName *genNames, | |
898 CERTGeneralNameType type, | |
899 PRBool derFormat); | |
900 | |
901 extern CERTOidSequence *CERT_DecodeOidSequence(const SECItem *seqItem); | |
902 | |
903 /**************************************************************************** | |
904 * | |
905 * Find extension values of a certificate | |
906 * | |
907 ***************************************************************************/ | |
908 | |
909 extern SECStatus CERT_FindCertExtension(const CERTCertificate *cert, int tag, | |
910 SECItem *value); | |
911 | |
912 extern SECStatus CERT_FindNSCertTypeExtension(CERTCertificate *cert, | |
913 SECItem *value); | |
914 | |
915 extern char *CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag); | |
916 | |
917 extern SECStatus CERT_FindCertExtensionByOID(CERTCertificate *cert, | |
918 SECItem *oid, SECItem *value); | |
919 | |
920 /* Returns the decoded value of the authKeyID extension. | |
921 ** Note that this uses passed in the arena to allocate storage for the result | |
922 */ | |
923 extern CERTAuthKeyID *CERT_FindAuthKeyIDExten(PLArenaPool *arena, | |
924 CERTCertificate *cert); | |
925 | |
926 /* Returns the decoded value of the basicConstraint extension. | |
927 */ | |
928 extern SECStatus CERT_FindBasicConstraintExten(CERTCertificate *cert, | |
929 CERTBasicConstraints *value); | |
930 | |
931 /* Returns the decoded value of the crlDistributionPoints extension. | |
932 ** Note that the arena in cert is used to allocate storage for the result | |
933 */ | |
934 extern CERTCrlDistributionPoints *CERT_FindCRLDistributionPoints( | |
935 CERTCertificate *cert); | |
936 | |
937 /* Returns value of the keyUsage extension. This uses PR_Alloc to allocate | |
938 ** buffer for the decoded value. The caller should free up the storage | |
939 ** allocated in value->data. | |
940 */ | |
941 extern SECStatus CERT_FindKeyUsageExtension(CERTCertificate *cert, | |
942 SECItem *value); | |
943 | |
944 /* Return the decoded value of the subjectKeyID extension. The caller should | |
945 ** free up the storage allocated in retItem->data. | |
946 */ | |
947 extern SECStatus CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, | |
948 SECItem *retItem); | |
949 | |
950 /* | |
951 ** If cert is a v3 certificate, and a critical keyUsage extension is included, | |
952 ** then check the usage against the extension value. If a non-critical | |
953 ** keyUsage extension is included, this will return SECSuccess without | |
954 ** checking, since the extension is an advisory field, not a restriction. | |
955 ** If cert is not a v3 certificate, this will return SECSuccess. | |
956 ** cert - certificate | |
957 ** usage - one of the x.509 v3 the Key Usage Extension flags | |
958 */ | |
959 extern SECStatus CERT_CheckCertUsage(CERTCertificate *cert, | |
960 unsigned char usage); | |
961 | |
962 /**************************************************************************** | |
963 * | |
964 * CRL v2 Extensions supported routines | |
965 * | |
966 ****************************************************************************/ | |
967 | |
968 extern SECStatus CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, | |
969 SECItem *value); | |
970 | |
971 extern SECStatus CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value); | |
972 | |
973 extern SECStatus CERT_FindInvalidDateExten(CERTCrl *crl, PRTime *value); | |
974 | |
975 /* | |
976 ** Set up a crl for adding X509v3 extensions. Returns an opaque handle | |
977 ** used by routines that take an exthandle (void*) argument . | |
978 ** "crl" is the CRL we are adding extensions to | |
979 */ | |
980 extern void *CERT_StartCRLExtensions(CERTCrl *crl); | |
981 | |
982 /* | |
983 ** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle | |
984 ** used by routines that take an exthandle (void*) argument . | |
985 ** "crl" is the crl we are adding certs entries to | |
986 ** "entry" is the crl entry we are adding extensions to | |
987 */ | |
988 extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry); | |
989 | |
990 extern CERTCertNicknames *CERT_GetCertNicknames(CERTCertDBHandle *handle, | |
991 int what, void *wincx); | |
992 | |
993 /* | |
994 ** Finds the crlNumber extension and decodes its value into 'value' | |
995 */ | |
996 extern SECStatus CERT_FindCRLNumberExten(PLArenaPool *arena, CERTCrl *crl, | |
997 SECItem *value); | |
998 | |
999 extern SECStatus CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry, | |
1000 CERTCRLEntryReasonCode *value); | |
1001 | |
1002 extern void CERT_FreeNicknames(CERTCertNicknames *nicknames); | |
1003 | |
1004 extern PRBool CERT_CompareCerts(const CERTCertificate *c1, | |
1005 const CERTCertificate *c2); | |
1006 | |
1007 extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, | |
1008 CERTCertificate *c2); | |
1009 | |
1010 /* | |
1011 ** Generate an array of the Distinguished Names that the given cert database | |
1012 ** "trusts" | |
1013 */ | |
1014 extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle); | |
1015 | |
1016 extern void CERT_FreeDistNames(CERTDistNames *names); | |
1017 | |
1018 /* Duplicate distinguished name array */ | |
1019 extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig); | |
1020 | |
1021 /* | |
1022 ** Generate an array of Distinguished names from an array of nicknames | |
1023 */ | |
1024 extern CERTDistNames *CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, | |
1025 char **nicknames, int nnames); | |
1026 | |
1027 /* | |
1028 ** Generate an array of Distinguished names from a list of certs. | |
1029 */ | |
1030 extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list); | |
1031 | |
1032 /* | |
1033 ** Generate a certificate chain from a certificate. | |
1034 */ | |
1035 extern CERTCertificateList *CERT_CertChainFromCert(CERTCertificate *cert, | |
1036 SECCertUsage usage, | |
1037 PRBool includeRoot); | |
1038 | |
1039 extern CERTCertificateList *CERT_CertListFromCert(CERTCertificate *cert); | |
1040 | |
1041 extern CERTCertificateList *CERT_DupCertList( | |
1042 const CERTCertificateList *oldList); | |
1043 | |
1044 extern void CERT_DestroyCertificateList(CERTCertificateList *list); | |
1045 | |
1046 /* | |
1047 ** is cert a user cert? i.e. does it have CERTDB_USER trust, | |
1048 ** i.e. a private key? | |
1049 */ | |
1050 PRBool CERT_IsUserCert(CERTCertificate *cert); | |
1051 | |
1052 /* is cert a newer than cert b? */ | |
1053 PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb); | |
1054 | |
1055 /* currently a stub for address book */ | |
1056 PRBool CERT_IsCertRevoked(CERTCertificate *cert); | |
1057 | |
1058 void CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts); | |
1059 | |
1060 /* convert an email address to lower case */ | |
1061 char *CERT_FixupEmailAddr(const char *emailAddr); | |
1062 | |
1063 /* decode string representation of trust flags into trust struct */ | |
1064 SECStatus CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts); | |
1065 | |
1066 /* encode trust struct into string representation of trust flags */ | |
1067 char *CERT_EncodeTrustString(CERTCertTrust *trust); | |
1068 | |
1069 /* find the next or prev cert in a subject list */ | |
1070 CERTCertificate *CERT_PrevSubjectCert(CERTCertificate *cert); | |
1071 CERTCertificate *CERT_NextSubjectCert(CERTCertificate *cert); | |
1072 | |
1073 /* | |
1074 * import a collection of certs into the temporary or permanent cert | |
1075 * database | |
1076 */ | |
1077 SECStatus CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, | |
1078 unsigned int ncerts, SECItem **derCerts, | |
1079 CERTCertificate ***retCerts, PRBool keepCerts, | |
1080 PRBool caOnly, char *nickname); | |
1081 | |
1082 char *CERT_MakeCANickname(CERTCertificate *cert); | |
1083 | |
1084 PRBool CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype); | |
1085 | |
1086 PRBool CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype); | |
1087 | |
1088 PRBool CERT_IsRootDERCert(SECItem *derCert); | |
1089 | |
1090 SECStatus CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, | |
1091 SECItem *profileTime); | |
1092 | |
1093 /* | |
1094 * find the smime symmetric capabilities profile for a given cert | |
1095 */ | |
1096 SECItem *CERT_FindSMimeProfile(CERTCertificate *cert); | |
1097 | |
1098 SECStatus CERT_AddNewCerts(CERTCertDBHandle *handle); | |
1099 | |
1100 CERTCertificatePolicies *CERT_DecodeCertificatePoliciesExtension( | |
1101 const SECItem *extnValue); | |
1102 | |
1103 void CERT_DestroyCertificatePoliciesExtension( | |
1104 CERTCertificatePolicies *policies); | |
1105 | |
1106 CERTCertificatePolicyMappings *CERT_DecodePolicyMappingsExtension( | |
1107 SECItem *encodedCertPolicyMaps); | |
1108 | |
1109 SECStatus CERT_DestroyPolicyMappingsExtension( | |
1110 CERTCertificatePolicyMappings *mappings); | |
1111 | |
1112 SECStatus CERT_DecodePolicyConstraintsExtension( | |
1113 CERTCertificatePolicyConstraints *decodedValue, | |
1114 const SECItem *encodedValue); | |
1115 | |
1116 SECStatus CERT_DecodeInhibitAnyExtension( | |
1117 CERTCertificateInhibitAny *decodedValue, SECItem *extnValue); | |
1118 | |
1119 CERTUserNotice *CERT_DecodeUserNotice(SECItem *noticeItem); | |
1120 | |
1121 extern CERTGeneralName *CERT_DecodeAltNameExtension(PLArenaPool *reqArena, | |
1122 SECItem *EncodedAltName); | |
1123 | |
1124 extern CERTNameConstraints *CERT_DecodeNameConstraintsExtension( | |
1125 PLArenaPool *arena, const SECItem *encodedConstraints); | |
1126 | |
1127 /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */ | |
1128 extern CERTAuthInfoAccess **CERT_DecodeAuthInfoAccessExtension( | |
1129 PLArenaPool *reqArena, const SECItem *encodedExtension); | |
1130 | |
1131 extern CERTPrivKeyUsagePeriod *CERT_DecodePrivKeyUsagePeriodExtension( | |
1132 PLArenaPool *arena, SECItem *extnValue); | |
1133 | |
1134 extern CERTGeneralName *CERT_GetNextGeneralName(CERTGeneralName *current); | |
1135 | |
1136 extern CERTGeneralName *CERT_GetPrevGeneralName(CERTGeneralName *current); | |
1137 | |
1138 /* | |
1139 * Look up name constraints for some certs that do not include name constraints | |
1140 * (Most importantly, root certificates) | |
1141 * | |
1142 * If a matching subject is found, |extensions| will be populated with a copy of | |
1143 * the | |
1144 * DER-encoded name constraints extension. The data in |extensions| will point | |
1145 * to | |
1146 * memory that the caller owns. | |
1147 * | |
1148 * There is no mechanism to configure imposed name constraints right now. All | |
1149 * imposed name constraints are built into NSS. | |
1150 */ | |
1151 SECStatus CERT_GetImposedNameConstraints(const SECItem *derSubject, | |
1152 SECItem *extensions); | |
1153 | |
1154 CERTNameConstraint *CERT_GetNextNameConstraint(CERTNameConstraint *current); | |
1155 | |
1156 CERTNameConstraint *CERT_GetPrevNameConstraint(CERTNameConstraint *current); | |
1157 | |
1158 void CERT_DestroyUserNotice(CERTUserNotice *userNotice); | |
1159 | |
1160 typedef char *(*CERTPolicyStringCallback)(char *org, unsigned long noticeNumber, | |
1161 void *arg); | |
1162 void CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg); | |
1163 | |
1164 char *CERT_GetCertCommentString(CERTCertificate *cert); | |
1165 | |
1166 PRBool CERT_GovtApprovedBitSet(CERTCertificate *cert); | |
1167 | |
1168 SECStatus CERT_AddPermNickname(CERTCertificate *cert, char *nickname); | |
1169 | |
1170 CERTCertList *CERT_MatchUserCert(CERTCertDBHandle *handle, SECCertUsage usage, | |
1171 int nCANames, char **caNames, void *proto_win); | |
1172 | |
1173 CERTCertList *CERT_NewCertList(void); | |
1174 | |
1175 /* free the cert list and all the certs in the list */ | |
1176 void CERT_DestroyCertList(CERTCertList *certs); | |
1177 | |
1178 /* remove the node and free the cert */ | |
1179 void CERT_RemoveCertListNode(CERTCertListNode *node); | |
1180 | |
1181 /* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */ | |
1182 SECStatus CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert); | |
1183 | |
1184 /* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */ | |
1185 SECStatus CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert); | |
1186 | |
1187 /* | |
1188 * The new cert list node takes ownership of "cert". "cert" is freed | |
1189 * when the list node is removed. | |
1190 */ | |
1191 SECStatus CERT_AddCertToListTailWithData(CERTCertList *certs, | |
1192 CERTCertificate *cert, void *appData); | |
1193 | |
1194 /* | |
1195 * The new cert list node takes ownership of "cert". "cert" is freed | |
1196 * when the list node is removed. | |
1197 */ | |
1198 SECStatus CERT_AddCertToListHeadWithData(CERTCertList *certs, | |
1199 CERTCertificate *cert, void *appData); | |
1200 | |
1201 typedef PRBool (*CERTSortCallback)(CERTCertificate *certa, | |
1202 CERTCertificate *certb, void *arg); | |
1203 SECStatus CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert, | |
1204 CERTSortCallback f, void *arg); | |
1205 | |
1206 /* callback for CERT_AddCertToListSorted that sorts based on validity | |
1207 * period and a given time. | |
1208 */ | |
1209 PRBool CERT_SortCBValidity(CERTCertificate *certa, CERTCertificate *certb, | |
1210 void *arg); | |
1211 | |
1212 SECStatus CERT_CheckForEvilCert(CERTCertificate *cert); | |
1213 | |
1214 CERTGeneralName *CERT_GetCertificateNames(CERTCertificate *cert, | |
1215 PLArenaPool *arena); | |
1216 | |
1217 CERTGeneralName *CERT_GetConstrainedCertificateNames( | |
1218 const CERTCertificate *cert, PLArenaPool *arena, | |
1219 PRBool includeSubjectCommonName); | |
1220 | |
1221 /* | |
1222 * Creates or adds to a list of all certs with a give subject name, sorted by | |
1223 * validity time, newest first. Invalid certs are considered older than | |
1224 * valid certs. If validOnly is set, do not include invalid certs on list. | |
1225 */ | |
1226 CERTCertList *CERT_CreateSubjectCertList(CERTCertList *certList, | |
1227 CERTCertDBHandle *handle, | |
1228 const SECItem *name, PRTime sorttime, | |
1229 PRBool validOnly); | |
1230 | |
1231 /* | |
1232 * remove certs from a list that don't have keyUsage and certType | |
1233 * that match the given usage. | |
1234 */ | |
1235 SECStatus CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, | |
1236 PRBool ca); | |
1237 | |
1238 /* | |
1239 * check the key usage of a cert against a set of required values | |
1240 */ | |
1241 SECStatus CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage); | |
1242 | |
1243 /* | |
1244 * return required key usage and cert type based on cert usage | |
1245 */ | |
1246 SECStatus CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca, | |
1247 unsigned int *retKeyUsage, | |
1248 unsigned int *retCertType); | |
1249 /* | |
1250 * return required trust flags for various cert usages for CAs | |
1251 */ | |
1252 SECStatus CERT_TrustFlagsForCACertUsage(SECCertUsage usage, | |
1253 unsigned int *retFlags, | |
1254 SECTrustType *retTrustType); | |
1255 | |
1256 /* | |
1257 * Find all user certificates that match the given criteria. | |
1258 * | |
1259 * "handle" - database to search | |
1260 * "usage" - certificate usage to match | |
1261 * "oneCertPerName" - if set then only return the "best" cert per | |
1262 * name | |
1263 * "validOnly" - only return certs that are curently valid | |
1264 * "proto_win" - window handle passed to pkcs11 | |
1265 */ | |
1266 CERTCertList *CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, | |
1267 SECCertUsage usage, | |
1268 PRBool oneCertPerName, PRBool validOnly, | |
1269 void *proto_win); | |
1270 | |
1271 /* | |
1272 * Find a user certificate that matchs the given criteria. | |
1273 * | |
1274 * "handle" - database to search | |
1275 * "nickname" - nickname to match | |
1276 * "usage" - certificate usage to match | |
1277 * "validOnly" - only return certs that are curently valid | |
1278 * "proto_win" - window handle passed to pkcs11 | |
1279 */ | |
1280 CERTCertificate *CERT_FindUserCertByUsage(CERTCertDBHandle *handle, | |
1281 const char *nickname, | |
1282 SECCertUsage usage, PRBool validOnly, | |
1283 void *proto_win); | |
1284 | |
1285 /* | |
1286 * Filter a list of certificates, removing those certs that do not have | |
1287 * one of the named CA certs somewhere in their cert chain. | |
1288 * | |
1289 * "certList" - the list of certificates to filter | |
1290 * "nCANames" - number of CA names | |
1291 * "caNames" - array of CA names in string(rfc 1485) form | |
1292 * "usage" - what use the certs are for, this is used when | |
1293 * selecting CA certs | |
1294 */ | |
1295 SECStatus CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, | |
1296 char **caNames, SECCertUsage usage); | |
1297 | |
1298 /* | |
1299 * Filter a list of certificates, removing those certs that aren't user certs | |
1300 */ | |
1301 SECStatus CERT_FilterCertListForUserCerts(CERTCertList *certList); | |
1302 | |
1303 /* | |
1304 * Collect the nicknames from all certs in a CertList. If the cert is not | |
1305 * valid, append a string to that nickname. | |
1306 * | |
1307 * "certList" - the list of certificates | |
1308 * "expiredString" - the string to append to the nickname of any expired cert | |
1309 * "notYetGoodString" - the string to append to the nickname of any cert | |
1310 * that is not yet valid | |
1311 */ | |
1312 CERTCertNicknames *CERT_NicknameStringsFromCertList(CERTCertList *certList, | |
1313 char *expiredString, | |
1314 char *notYetGoodString); | |
1315 | |
1316 /* | |
1317 * Extract the nickname from a nickmake string that may have either | |
1318 * expiredString or notYetGoodString appended. | |
1319 * | |
1320 * Args: | |
1321 * "namestring" - the string containing the nickname, and possibly | |
1322 * one of the validity label strings | |
1323 * "expiredString" - the expired validity label string | |
1324 * "notYetGoodString" - the not yet good validity label string | |
1325 * | |
1326 * Returns the raw nickname | |
1327 */ | |
1328 char *CERT_ExtractNicknameString(char *namestring, char *expiredString, | |
1329 char *notYetGoodString); | |
1330 | |
1331 /* | |
1332 * Given a certificate, return a string containing the nickname, and possibly | |
1333 * one of the validity strings, based on the current validity state of the | |
1334 * certificate. | |
1335 * | |
1336 * "arena" - arena to allocate returned string from. If NULL, then heap | |
1337 * is used. | |
1338 * "cert" - the cert to get nickname from | |
1339 * "expiredString" - the string to append to the nickname if the cert is | |
1340 * expired. | |
1341 * "notYetGoodString" - the string to append to the nickname if the cert is | |
1342 * not yet good. | |
1343 */ | |
1344 char *CERT_GetCertNicknameWithValidity(PLArenaPool *arena, | |
1345 CERTCertificate *cert, | |
1346 char *expiredString, | |
1347 char *notYetGoodString); | |
1348 | |
1349 /* | |
1350 * Return the string representation of a DER encoded distinguished name | |
1351 * "dername" - The DER encoded name to convert | |
1352 */ | |
1353 char *CERT_DerNameToAscii(SECItem *dername); | |
1354 | |
1355 /* | |
1356 * Supported usage values and types: | |
1357 * certUsageSSLClient | |
1358 * certUsageSSLServer | |
1359 * certUsageSSLServerWithStepUp | |
1360 * certUsageEmailSigner | |
1361 * certUsageEmailRecipient | |
1362 * certUsageObjectSigner | |
1363 */ | |
1364 | |
1365 CERTCertificate *CERT_FindMatchingCert(CERTCertDBHandle *handle, | |
1366 SECItem *derName, CERTCertOwner owner, | |
1367 SECCertUsage usage, PRBool preferTrusted, | |
1368 PRTime validTime, PRBool validOnly); | |
1369 | |
1370 /* | |
1371 * Acquire the global lock on the cert database. | |
1372 * This lock is currently used for the following operations: | |
1373 * adding or deleting a cert to either the temp or perm databases | |
1374 * converting a temp to perm or perm to temp | |
1375 * changing(maybe just adding?) the trust of a cert | |
1376 * adjusting the reference count of a cert | |
1377 */ | |
1378 void CERT_LockDB(CERTCertDBHandle *handle); | |
1379 | |
1380 /* | |
1381 * Free the global cert database lock. | |
1382 */ | |
1383 void CERT_UnlockDB(CERTCertDBHandle *handle); | |
1384 | |
1385 /* | |
1386 * Get the certificate status checking configuratino data for | |
1387 * the certificate database | |
1388 */ | |
1389 CERTStatusConfig *CERT_GetStatusConfig(CERTCertDBHandle *handle); | |
1390 | |
1391 /* | |
1392 * Set the certificate status checking information for the | |
1393 * database. The input structure becomes part of the certificate | |
1394 * database and will be freed by calling the 'Destroy' function in | |
1395 * the configuration object. | |
1396 */ | |
1397 void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); | |
1398 | |
1399 /* | |
1400 * Acquire the cert reference count lock | |
1401 * There is currently one global lock for all certs, but I'm putting a cert | |
1402 * arg here so that it will be easy to make it per-cert in the future if | |
1403 * that turns out to be necessary. | |
1404 */ | |
1405 void CERT_LockCertRefCount(CERTCertificate *cert); | |
1406 | |
1407 /* | |
1408 * Free the cert reference count lock | |
1409 */ | |
1410 void CERT_UnlockCertRefCount(CERTCertificate *cert); | |
1411 | |
1412 /* | |
1413 * Acquire the cert trust lock | |
1414 * There is currently one global lock for all certs, but I'm putting a cert | |
1415 * arg here so that it will be easy to make it per-cert in the future if | |
1416 * that turns out to be necessary. | |
1417 */ | |
1418 void CERT_LockCertTrust(const CERTCertificate *cert); | |
1419 | |
1420 /* | |
1421 * Free the cert trust lock | |
1422 */ | |
1423 void CERT_UnlockCertTrust(const CERTCertificate *cert); | |
1424 | |
1425 /* | |
1426 * Digest the cert's subject public key using the specified algorithm. | |
1427 * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding | |
1428 * the tag, length, and number of unused bits) rather than the whole | |
1429 * subjectPublicKeyInfo field. | |
1430 * | |
1431 * The necessary storage for the digest data is allocated. If "fill" is | |
1432 * non-null, the data is put there, otherwise a SECItem is allocated. | |
1433 * Allocation from "arena" if it is non-null, heap otherwise. Any problem | |
1434 * results in a NULL being returned (and an appropriate error set). | |
1435 */ | |
1436 extern SECItem *CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, | |
1437 const CERTCertificate *cert, | |
1438 SECOidTag digestAlg, | |
1439 SECItem *fill); | |
1440 | |
1441 /* | |
1442 * Digest the cert's subject name using the specified algorithm. | |
1443 */ | |
1444 extern SECItem *CERT_GetSubjectNameDigest(PLArenaPool *arena, | |
1445 const CERTCertificate *cert, | |
1446 SECOidTag digestAlg, SECItem *fill); | |
1447 | |
1448 SECStatus CERT_CheckCRL(CERTCertificate *cert, CERTCertificate *issuer, | |
1449 const SECItem *dp, PRTime t, void *wincx); | |
1450 | |
1451 /* | |
1452 * Add a CERTNameConstraint to the CERTNameConstraint list | |
1453 */ | |
1454 extern CERTNameConstraint *CERT_AddNameConstraint( | |
1455 CERTNameConstraint *list, CERTNameConstraint *constraint); | |
1456 | |
1457 /* | |
1458 * Allocate space and copy CERTNameConstraint from src to dest. | |
1459 * Arena is used to allocate result(if dest eq NULL) and its members | |
1460 * SECItem data. | |
1461 */ | |
1462 extern CERTNameConstraint *CERT_CopyNameConstraint(PLArenaPool *arena, | |
1463 CERTNameConstraint *dest, | |
1464 CERTNameConstraint *src); | |
1465 | |
1466 /* | |
1467 * Verify name against all the constraints relevant to that type of | |
1468 * the name. | |
1469 */ | |
1470 extern SECStatus CERT_CheckNameSpace(PLArenaPool *arena, | |
1471 const CERTNameConstraints *constraints, | |
1472 const CERTGeneralName *currentName); | |
1473 | |
1474 /* | |
1475 * Extract and allocate the name constraints extension from the CA cert. | |
1476 * If the certificate contains no name constraints extension, but | |
1477 * CERT_GetImposedNameConstraints returns a name constraints extension | |
1478 * for the subject of the certificate, then that extension will be returned. | |
1479 */ | |
1480 extern SECStatus CERT_FindNameConstraintsExten( | |
1481 PLArenaPool *arena, CERTCertificate *cert, | |
1482 CERTNameConstraints **constraints); | |
1483 | |
1484 /* | |
1485 * Initialize a new GERTGeneralName fields (link) | |
1486 */ | |
1487 extern CERTGeneralName *CERT_NewGeneralName(PLArenaPool *arena, | |
1488 CERTGeneralNameType type); | |
1489 | |
1490 /* | |
1491 * Lookup a CERTGeneralNameType constant by its human readable string. | |
1492 */ | |
1493 extern CERTGeneralNameType CERT_GetGeneralNameTypeFromString( | |
1494 const char *string); | |
1495 | |
1496 /* | |
1497 * PKIX extension encoding routines | |
1498 */ | |
1499 extern SECStatus CERT_EncodePolicyConstraintsExtension( | |
1500 PLArenaPool *arena, CERTCertificatePolicyConstraints *constr, | |
1501 SECItem *dest); | |
1502 extern SECStatus CERT_EncodeInhibitAnyExtension( | |
1503 PLArenaPool *arena, CERTCertificateInhibitAny *inhibitAny, SECItem *dest); | |
1504 extern SECStatus CERT_EncodePolicyMappingExtension( | |
1505 PLArenaPool *arena, CERTCertificatePolicyMappings *maps, SECItem *dest); | |
1506 | |
1507 extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena, | |
1508 CERTAuthInfoAccess **info, | |
1509 SECItem *dest); | |
1510 extern SECStatus CERT_EncodeUserNotice(PLArenaPool *arena, | |
1511 CERTUserNotice *notice, SECItem *dest); | |
1512 | |
1513 extern SECStatus CERT_EncodeDisplayText(PLArenaPool *arena, SECItem *text, | |
1514 SECItem *dest); | |
1515 | |
1516 extern SECStatus CERT_EncodeCertPoliciesExtension(PLArenaPool *arena, | |
1517 CERTPolicyInfo **info, | |
1518 SECItem *dest); | |
1519 extern SECStatus CERT_EncodeNoticeReference(PLArenaPool *arena, | |
1520 CERTNoticeReference *reference, | |
1521 SECItem *dest); | |
1522 | |
1523 /* | |
1524 * Returns a pointer to a static structure. | |
1525 */ | |
1526 extern const CERTRevocationFlags *CERT_GetPKIXVerifyNistRevocationPolicy(void); | |
1527 | |
1528 /* | |
1529 * Returns a pointer to a static structure. | |
1530 */ | |
1531 extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledSoftFailurePolicy( | |
1532 void); | |
1533 | |
1534 /* | |
1535 * Returns a pointer to a static structure. | |
1536 */ | |
1537 extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledHardFailurePolicy( | |
1538 void); | |
1539 | |
1540 /* | |
1541 * Returns a pointer to a static structure. | |
1542 */ | |
1543 extern const CERTRevocationFlags *CERT_GetClassicOCSPDisabledPolicy(void); | |
1544 | |
1545 /* | |
1546 * Verify a Cert with libpkix | |
1547 * paramsIn control the verification options. If a value isn't specified | |
1548 * in paramsIn, it reverts to the application default. | |
1549 * paramsOut specifies the parameters the caller would like to get back. | |
1550 * the caller may pass NULL, in which case no parameters are returned. | |
1551 */ | |
1552 extern SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert, | |
1553 SECCertificateUsage usages, | |
1554 CERTValInParam *paramsIn, | |
1555 CERTValOutParam *paramsOut, void *wincx); | |
1556 | |
1557 /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate) | |
1558 * to use libpkix validation engine. The function should be called ones at | |
1559 * application initialization time. | |
1560 * Function is not thread safe.*/ | |
1561 extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable); | |
1562 | |
1563 /* The function return PR_TRUE if cert validation should use | |
1564 * libpkix cert validation engine. */ | |
1565 extern PRBool CERT_GetUsePKIXForValidation(void); | |
1566 | |
1567 /* | |
1568 * Allocate a parameter container of type CERTRevocationFlags, | |
1569 * and allocate the inner arrays of the given sizes. | |
1570 * To cleanup call CERT_DestroyCERTRevocationFlags. | |
1571 */ | |
1572 extern CERTRevocationFlags *CERT_AllocCERTRevocationFlags( | |
1573 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, | |
1574 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods); | |
1575 | |
1576 /* | |
1577 * Destroy the arrays inside flags, | |
1578 * and destroy the object pointed to by flags, too. | |
1579 */ | |
1580 extern void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); | |
1581 | |
1582 SEC_END_PROTOS | |
1583 | |
1584 #endif /* _CERT_H_ */ | |
OLD | NEW |