OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * certi.h - private data structures for the certificate library | |
6 */ | |
7 #ifndef _CERTI_H_ | |
8 #define _CERTI_H_ | |
9 | |
10 #include "certt.h" | |
11 #include "nssrwlkt.h" | |
12 | |
13 /* | |
14 #define GLOBAL_RWLOCK 1 | |
15 */ | |
16 | |
17 #define DPC_RWLOCK 1 | |
18 | |
19 /* all definitions in this file are subject to change */ | |
20 | |
21 typedef struct OpaqueCRLFieldsStr OpaqueCRLFields; | |
22 typedef struct CRLEntryCacheStr CRLEntryCache; | |
23 typedef struct CRLDPCacheStr CRLDPCache; | |
24 typedef struct CRLIssuerCacheStr CRLIssuerCache; | |
25 typedef struct CRLCacheStr CRLCache; | |
26 typedef struct CachedCrlStr CachedCrl; | |
27 typedef struct NamedCRLCacheStr NamedCRLCache; | |
28 typedef struct NamedCRLCacheEntryStr NamedCRLCacheEntry; | |
29 | |
30 struct OpaqueCRLFieldsStr { | |
31 PRBool partial; | |
32 PRBool decodingError; | |
33 PRBool badEntries; | |
34 PRBool badDER; | |
35 PRBool badExtensions; | |
36 PRBool heapDER; | |
37 }; | |
38 | |
39 typedef struct PreAllocatorStr PreAllocator; | |
40 | |
41 struct PreAllocatorStr { | |
42 PRSize len; | |
43 void* data; | |
44 PRSize used; | |
45 PLArenaPool* arena; | |
46 PRSize extra; | |
47 }; | |
48 | |
49 /* CRL entry cache. | |
50 This is the same as an entry plus the next/prev pointers for the hash table | |
51 */ | |
52 | |
53 struct CRLEntryCacheStr { | |
54 CERTCrlEntry entry; | |
55 CRLEntryCache *prev, *next; | |
56 }; | |
57 | |
58 #define CRL_CACHE_INVALID_CRLS 0x0001 /* this state will be set | |
59 if we have CRL objects with an invalid DER or signature. Can be | |
60 cleared if the invalid objects are deleted from the token */ | |
61 #define CRL_CACHE_LAST_FETCH_FAILED 0x0002 /* this state will be set | |
62 if the last CRL fetch encountered an error. Can be cleared if a | |
63 new fetch succeeds */ | |
64 | |
65 #define CRL_CACHE_OUT_OF_MEMORY 0x0004 /* this state will be set | |
66 if we don't have enough memory to build the hash table of entries */ | |
67 | |
68 typedef enum { | |
69 CRL_OriginToken = 0, /* CRL came from PKCS#11 token */ | |
70 CRL_OriginExplicit = 1 /* CRL was explicitly added to the cache, from RAM */ | |
71 } CRLOrigin; | |
72 | |
73 typedef enum { | |
74 dpcacheNoEntry = 0, /* no entry found for this SN */ | |
75 dpcacheFoundEntry = 1, /* entry found for this SN */ | |
76 dpcacheCallerError = 2, /* invalid args */ | |
77 dpcacheInvalidCacheError = 3, /* CRL in cache may be bad DER */ | |
78 /* or unverified */ | |
79 dpcacheEmpty = 4, /* no CRL in cache */ | |
80 dpcacheLookupError = 5 /* internal error */ | |
81 } dpcacheStatus; | |
82 | |
83 struct CachedCrlStr { | |
84 CERTSignedCrl* crl; | |
85 CRLOrigin origin; | |
86 /* hash table of entries. We use a PLHashTable and pre-allocate the | |
87 required amount of memory in one shot, so that our allocator can | |
88 simply pass offsets into it when hashing. | |
89 | |
90 This won't work anymore when we support delta CRLs and iCRLs, because | |
91 the size of the hash table will vary over time. At that point, the best | |
92 solution will be to allocate large CRLEntry structures by modifying | |
93 the DER decoding template. The extra space would be for next/prev | |
94 pointers. This would allow entries from different CRLs to be mixed in | |
95 the same hash table. | |
96 */ | |
97 PLHashTable* entries; | |
98 PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */ | |
99 PRBool sigChecked; /* this CRL signature has already been checked */ | |
100 PRBool sigValid; /* signature verification status . | |
101 Only meaningful if checked is PR_TRUE . */ | |
102 PRBool unbuildable; /* Avoid using assosiated CRL is it fails | |
103 * a decoding step */ | |
104 }; | |
105 | |
106 /* CRL distribution point cache object | |
107 This is a cache of CRL entries for a given distribution point of an issuer | |
108 It is built from a collection of one full and 0 or more delta CRLs. | |
109 */ | |
110 | |
111 struct CRLDPCacheStr { | |
112 #ifdef DPC_RWLOCK | |
113 NSSRWLock* lock; | |
114 #else | |
115 PRLock* lock; | |
116 #endif | |
117 SECItem* issuerDERCert; /* issuer DER cert. Don't hold a reference | |
118 to the actual cert so the trust can be | |
119 updated on the cert automatically. | |
120 XXX there may be multiple issuer certs, | |
121 with different validity dates. Also | |
122 need to deal with SKID/AKID . See | |
123 bugzilla 217387, 233118 */ | |
124 | |
125 CERTCertDBHandle* dbHandle; | |
126 | |
127 SECItem* subject; /* DER of issuer subject */ | |
128 SECItem* distributionPoint; /* DER of distribution point. This may be | |
129 NULL when distribution points aren't | |
130 in use (ie. the CA has a single CRL). | |
131 Currently not used. */ | |
132 | |
133 /* array of full CRLs matching this distribution point */ | |
134 PRUint32 ncrls; /* total number of CRLs in crls */ | |
135 CachedCrl** crls; /* array of all matching CRLs */ | |
136 /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several | |
137 issuers. In the future, we'll need to globally recycle the CRL in a | |
138 separate list in order to avoid extra lookups, decodes, and copies */ | |
139 | |
140 /* pointers to good decoded CRLs used to build the cache */ | |
141 CachedCrl* selected; /* full CRL selected for use in the cache */ | |
142 #if 0 | |
143 /* for future use */ | |
144 PRInt32 numdeltas; /* number of delta CRLs used for the cache */ | |
145 CachedCrl** deltas; /* delta CRLs used for the cache */ | |
146 #endif | |
147 /* cache invalidity bitflag */ | |
148 PRUint16 invalid; /* this state will be set if either | |
149 CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set. | |
150 In those cases, all certs are considered to have unknown status. | |
151 The invalid state can only be cleared during an update if all | |
152 error states are cleared */ | |
153 PRBool refresh; /* manual refresh from tokens has been forced */ | |
154 PRBool mustchoose; /* trigger reselection algorithm, for case when | |
155 RAM CRL objects are dropped from the cache */ | |
156 PRTime lastfetch; /* time a CRL token fetch was last performed */ | |
157 PRTime lastcheck; /* time CRL token objects were last checked for | |
158 existence */ | |
159 }; | |
160 | |
161 /* CRL issuer cache object | |
162 This object tracks all the distribution point caches for a given issuer. | |
163 XCRL once we support multiple issuing distribution points, this object | |
164 will be a hash table. For now, it just holds the single CRL distribution | |
165 point cache structure. | |
166 */ | |
167 | |
168 struct CRLIssuerCacheStr { | |
169 SECItem* subject; /* DER of issuer subject */ | |
170 CRLDPCache* dpp; | |
171 }; | |
172 | |
173 /* CRL revocation cache object | |
174 This object tracks all the issuer caches | |
175 */ | |
176 | |
177 struct CRLCacheStr { | |
178 #ifdef GLOBAL_RWLOCK | |
179 NSSRWLock* lock; | |
180 #else | |
181 PRLock* lock; | |
182 #endif | |
183 /* hash table of issuer to CRLIssuerCacheStr, | |
184 indexed by issuer DER subject */ | |
185 PLHashTable* issuers; | |
186 }; | |
187 | |
188 SECStatus InitCRLCache(void); | |
189 SECStatus ShutdownCRLCache(void); | |
190 | |
191 /* Returns a pointer to an environment-like string, a series of | |
192 ** null-terminated strings, terminated by a zero-length string. | |
193 ** This function is intended to be internal to NSS. | |
194 */ | |
195 extern char* cert_GetCertificateEmailAddresses(CERTCertificate* cert); | |
196 | |
197 /* | |
198 * These functions are used to map subjectKeyID extension values to certs | |
199 * and to keep track of the checks for user certificates in each slot | |
200 */ | |
201 SECStatus cert_CreateSubjectKeyIDHashTable(void); | |
202 | |
203 SECStatus cert_AddSubjectKeyIDMapping(SECItem* subjKeyID, | |
204 CERTCertificate* cert); | |
205 | |
206 SECStatus cert_UpdateSubjectKeyIDSlotCheck(SECItem* slotid, int series); | |
207 | |
208 int cert_SubjectKeyIDSlotCheckSeries(SECItem* slotid); | |
209 | |
210 /* | |
211 * Call this function to remove an entry from the mapping table. | |
212 */ | |
213 SECStatus cert_RemoveSubjectKeyIDMapping(SECItem* subjKeyID); | |
214 | |
215 SECStatus cert_DestroySubjectKeyIDHashTable(void); | |
216 | |
217 SECItem* cert_FindDERCertBySubjectKeyID(SECItem* subjKeyID); | |
218 | |
219 /* return maximum length of AVA value based on its type OID tag. */ | |
220 extern int cert_AVAOidTagToMaxLen(SECOidTag tag); | |
221 | |
222 /* Make an AVA, allocated from pool, from OID and DER encoded value */ | |
223 extern CERTAVA* CERT_CreateAVAFromRaw(PLArenaPool* pool, const SECItem* OID, | |
224 const SECItem* value); | |
225 | |
226 /* Make an AVA from binary input specified by SECItem */ | |
227 extern CERTAVA* CERT_CreateAVAFromSECItem(PLArenaPool* arena, SECOidTag kind, | |
228 int valueType, SECItem* value); | |
229 | |
230 /* | |
231 * get a DPCache object for the given issuer subject and dp | |
232 * Automatically creates the cache object if it doesn't exist yet. | |
233 */ | |
234 SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject, | |
235 const SECItem* dp, PRTime t, void* wincx, | |
236 CRLDPCache** dpcache, PRBool* writeLocked); | |
237 | |
238 /* check if a particular SN is in the CRL cache and return its entry */ | |
239 dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn, | |
240 CERTCrlEntry** returned); | |
241 | |
242 /* release a DPCache object that was previously acquired */ | |
243 void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked); | |
244 | |
245 /* | |
246 * map Stan errors into NSS errors | |
247 * This function examines the stan error stack and automatically sets | |
248 * PORT_SetError(); to the appropriate SEC_ERROR value. | |
249 */ | |
250 void CERT_MapStanError(); | |
251 | |
252 /* Like CERT_VerifyCert, except with an additional argument, flags. The | |
253 * flags are defined immediately below. | |
254 */ | |
255 SECStatus cert_VerifyCertWithFlags(CERTCertDBHandle* handle, | |
256 CERTCertificate* cert, PRBool checkSig, | |
257 SECCertUsage certUsage, PRTime t, | |
258 PRUint32 flags, void* wincx, | |
259 CERTVerifyLog* log); | |
260 | |
261 /* Use the default settings. | |
262 * cert_VerifyCertWithFlags(..., CERT_VERIFYCERT_USE_DEFAULTS, ...) is | |
263 * equivalent to CERT_VerifyCert(...); | |
264 */ | |
265 #define CERT_VERIFYCERT_USE_DEFAULTS 0 | |
266 | |
267 /* Skip all the OCSP checks during certificate verification, regardless of | |
268 * the global OCSP settings. By default, certificate |cert| will have its | |
269 * revocation status checked via OCSP according to the global OCSP settings. | |
270 * | |
271 * OCSP checking is always skipped when certUsage is certUsageStatusResponder. | |
272 */ | |
273 #define CERT_VERIFYCERT_SKIP_OCSP 1 | |
274 | |
275 /* Interface function for libpkix cert validation engine: | |
276 * cert_verify wrapper. */ | |
277 SECStatus cert_VerifyCertChainPkix(CERTCertificate* cert, PRBool checkSig, | |
278 SECCertUsage requiredUsage, PRTime time, | |
279 void* wincx, CERTVerifyLog* log, | |
280 PRBool* sigError, PRBool* revoked); | |
281 | |
282 SECStatus cert_InitLocks(void); | |
283 | |
284 SECStatus cert_DestroyLocks(void); | |
285 | |
286 /* | |
287 * fill in nsCertType field of the cert based on the cert extension | |
288 */ | |
289 extern SECStatus cert_GetCertType(CERTCertificate* cert); | |
290 | |
291 /* | |
292 * compute and return the value of nsCertType for cert, but do not | |
293 * update the CERTCertificate. | |
294 */ | |
295 extern PRUint32 cert_ComputeCertType(CERTCertificate* cert); | |
296 | |
297 void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert, | |
298 long errorCode, unsigned int depth, void* arg); | |
299 | |
300 /* Insert a DER CRL into the CRL cache, and take ownership of it. | |
301 * | |
302 * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument | |
303 * completely. crl must be freeable by SECITEM_FreeItem. It will be freed | |
304 * immediately if it is rejected from the CRL cache, or later during cache | |
305 * updates when a new crl is available, or at shutdown time. | |
306 * | |
307 * canonicalizedName represents the source of the CRL, a GeneralName. | |
308 * The format of the encoding is not restricted, but all callers of | |
309 * cert_CacheCRLByGeneralName and cert_FindCRLByGeneralName must use | |
310 * the same encoding. To facilitate X.500 name matching, a canonicalized | |
311 * encoding of the GeneralName should be used, if available. | |
312 */ | |
313 | |
314 SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl, | |
315 const SECItem* canonicalizedName); | |
316 | |
317 struct NamedCRLCacheStr { | |
318 PRLock* lock; | |
319 PLHashTable* entries; | |
320 }; | |
321 | |
322 /* NamedCRLCacheEntryStr is filled in by cert_CacheCRLByGeneralName, | |
323 * and read by cert_FindCRLByGeneralName */ | |
324 struct NamedCRLCacheEntryStr { | |
325 SECItem* canonicalizedName; | |
326 SECItem* crl; /* DER, kept only if CRL | |
327 * is successfully cached */ | |
328 PRBool inCRLCache; | |
329 PRTime successfulInsertionTime; /* insertion time */ | |
330 PRTime lastAttemptTime; /* time of last call to | |
331 cert_CacheCRLByGeneralName with this name */ | |
332 PRBool badDER; /* ASN.1 error */ | |
333 PRBool dupe; /* matching DER CRL already in CRL cache */ | |
334 PRBool unsupported; /* IDP, delta, any other reason */ | |
335 }; | |
336 | |
337 typedef enum { | |
338 certRevocationStatusRevoked = 0, | |
339 certRevocationStatusValid = 1, | |
340 certRevocationStatusUnknown = 2 | |
341 } CERTRevocationStatus; | |
342 | |
343 /* Returns detailed status of the cert(revStatus variable). Tells if | |
344 * issuer cache has OriginFetchedWithTimeout crl in it. */ | |
345 SECStatus cert_CheckCertRevocationStatus(CERTCertificate* cert, | |
346 CERTCertificate* issuer, | |
347 const SECItem* dp, PRTime t, | |
348 void* wincx, | |
349 CERTRevocationStatus* revStatus, | |
350 CERTCRLEntryReasonCode* revReason); | |
351 | |
352 SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned); | |
353 | |
354 /* cert_FindCRLByGeneralName must be called only while the named cache is | |
355 * acquired, and the entry is only valid until cache is released. | |
356 */ | |
357 SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc, | |
358 const SECItem* canonicalizedName, | |
359 NamedCRLCacheEntry** retEntry); | |
360 | |
361 SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc); | |
362 | |
363 /* This is private for now. Maybe shoule be public. */ | |
364 CERTGeneralName* cert_GetSubjectAltNameList(const CERTCertificate* cert, | |
365 PLArenaPool* arena); | |
366 | |
367 /* Count DNS names and IP addresses in a list of GeneralNames */ | |
368 PRUint32 cert_CountDNSPatterns(CERTGeneralName* firstName); | |
369 | |
370 /* | |
371 * returns the trust status of the leaf certificate based on usage. | |
372 * If the leaf is explicitly untrusted, this function will fail and | |
373 * failedFlags will be set to the trust bit value that lead to the failure. | |
374 * If the leaf is trusted, isTrusted is set to true and the function returns | |
375 * SECSuccess. This function does not check if the cert is fit for a | |
376 * particular usage. | |
377 */ | |
378 SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, | |
379 unsigned int* failedFlags, PRBool* isTrusted); | |
380 | |
381 #endif /* _CERTI_H_ */ | |
OLD | NEW |