Delete bundled copy of NSS and replace with README.

nss/lib/certdb/certt.h

-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
- * certt.h - public data structures for the certificate library
- */
-#ifndef _CERTT_H_
-#define _CERTT_H_
-
-#include "prclist.h"
-#include "pkcs11t.h"
-#include "seccomon.h"
-#include "secmodt.h"
-#include "secoidt.h"
-#include "plarena.h"
-#include "prcvar.h"
-#include "nssilock.h"
-#include "prio.h"
-#include "prmon.h"
-
-/* Stan data types */
-struct NSSCertificateStr;
-struct NSSTrustDomainStr;
-
-/* Non-opaque objects */
-typedef struct CERTAVAStr CERTAVA;
-typedef struct CERTAttributeStr CERTAttribute;
-typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
-typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
-typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
-typedef struct NSSTrustDomainStr CERTCertDBHandle;
-typedef struct CERTCertExtensionStr CERTCertExtension;
-typedef struct CERTCertKeyStr CERTCertKey;
-typedef struct CERTCertListStr CERTCertList;
-typedef struct CERTCertListNodeStr CERTCertListNode;
-typedef struct CERTCertNicknamesStr CERTCertNicknames;
-typedef struct CERTCertTrustStr CERTCertTrust;
-typedef struct CERTCertificateStr CERTCertificate;
-typedef struct CERTCertificateListStr CERTCertificateList;
-typedef struct CERTCertificateRequestStr CERTCertificateRequest;
-typedef struct CERTCrlStr CERTCrl;
-typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
-typedef struct CERTCrlEntryStr CERTCrlEntry;
-typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
-typedef struct CERTCrlKeyStr CERTCrlKey;
-typedef struct CERTCrlNodeStr CERTCrlNode;
-typedef struct CERTDERCertsStr CERTDERCerts;
-typedef struct CERTDistNamesStr CERTDistNames;
-typedef struct CERTGeneralNameStr CERTGeneralName;
-typedef struct CERTGeneralNameListStr CERTGeneralNameList;
-typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
-typedef struct CERTNameStr CERTName;
-typedef struct CERTNameConstraintStr CERTNameConstraint;
-typedef struct CERTNameConstraintsStr CERTNameConstraints;
-typedef struct CERTOKDomainNameStr CERTOKDomainName;
-typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
-typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
-typedef struct CERTRDNStr CERTRDN;
-typedef struct CERTSignedCrlStr CERTSignedCrl;
-typedef struct CERTSignedDataStr CERTSignedData;
-typedef struct CERTStatusConfigStr CERTStatusConfig;
-typedef struct CERTSubjectListStr CERTSubjectList;
-typedef struct CERTSubjectNodeStr CERTSubjectNode;
-typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
-typedef struct CERTValidityStr CERTValidity;
-typedef struct CERTVerifyLogStr CERTVerifyLog;
-typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
-typedef struct CRLDistributionPointStr CRLDistributionPoint;
-
-/* CRL extensions type */
-typedef unsigned long CERTCrlNumber;
-
-/*
-** An X.500 AVA object
-*/
-struct CERTAVAStr {
-    SECItem type;
-    SECItem value;
-};
-
-/*
-** An X.500 RDN object
-*/
-struct CERTRDNStr {
-    CERTAVA **avas;
-};
-
-/*
-** An X.500 name object
-*/
-struct CERTNameStr {
-    PLArenaPool *arena;
-    CERTRDN **rdns;
-};
-
-/*
-** An X.509 validity object
-*/
-struct CERTValidityStr {
-    PLArenaPool *arena;
-    SECItem notBefore;
-    SECItem notAfter;
-};
-
-/*
- * A serial number and issuer name, which is used as a database key
- */
-struct CERTCertKeyStr {
-    SECItem serialNumber;
-    SECItem derIssuer;
-};
-
-/*
-** A signed data object. Used to implement the "signed" macro used
-** in the X.500 specs.
-*/
-struct CERTSignedDataStr {
-    SECItem data;
-    SECAlgorithmID signatureAlgorithm;
-    SECItem signature;
-};
-
-/*
-** An X.509 subject-public-key-info object
-*/
-struct CERTSubjectPublicKeyInfoStr {
-    PLArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem subjectPublicKey;
-};
-
-struct CERTPublicKeyAndChallengeStr {
-    SECItem spki;
-    SECItem challenge;
-};
-
-struct CERTCertTrustStr {
-    unsigned int sslFlags;
-    unsigned int emailFlags;
-    unsigned int objectSigningFlags;
-};
-
-/*
- * defined the types of trust that exist
- */
-typedef enum SECTrustTypeEnum {
-    trustSSL = 0,
-    trustEmail = 1,
-    trustObjectSigning = 2,
-    trustTypeNone = 3
-} SECTrustType;
-
-#define SEC_GET_TRUST_FLAGS(trust, type)                                       \
-    (((type) == trustSSL)                                                      \
-         ? ((trust)->sslFlags)                                                 \
-         : (((type) == trustEmail) ? ((trust)->emailFlags)                     \
-                                   : (((type) == trustObjectSigning)           \
-                                          ? ((trust)->objectSigningFlags)      \
-                                          : 0)))
-
-/*
-** An X.509.3 certificate extension
-*/
-struct CERTCertExtensionStr {
-    SECItem id;
-    SECItem critical;
-    SECItem value;
-};
-
-struct CERTSubjectNodeStr {
-    struct CERTSubjectNodeStr *next;
-    struct CERTSubjectNodeStr *prev;
-    SECItem certKey;
-    SECItem keyID;
-};
-
-struct CERTSubjectListStr {
-    PLArenaPool *arena;
-    int ncerts;
-    char *emailAddr;
-    CERTSubjectNode *head;
-    CERTSubjectNode *tail; /* do we need tail? */
-    void *entry;
-};
-
-/*
-** An X.509 certificate object (the unsigned form)
-*/
-struct CERTCertificateStr {
-    /* the arena is used to allocate any data structures that have the same
-     * lifetime as the cert.  This is all stuff that hangs off of the cert
-     * structure, and is all freed at the same time.  It is used when the
-     * cert is decoded, destroyed, and at some times when it changes
-     * state
-     */
-    PLArenaPool *arena;
-
-    /* The following fields are static after the cert has been decoded */
-    char *subjectName;
-    char *issuerName;
-    CERTSignedData signatureWrap; /* XXX */
-    SECItem derCert;              /* original DER for the cert */
-    SECItem derIssuer;            /* DER for issuer name */
-    SECItem derSubject;           /* DER for subject name */
-    SECItem derPublicKey;         /* DER for the public key */
-    SECItem certKey;              /* database key for this cert */
-    SECItem version;
-    SECItem serialNumber;
-    SECAlgorithmID signature;
-    CERTName issuer;
-    CERTValidity validity;
-    CERTName subject;
-    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
-    SECItem issuerID;
-    SECItem subjectID;
-    CERTCertExtension **extensions;
-    char *emailAddr;
-    CERTCertDBHandle *dbhandle;
-    SECItem subjectKeyID;     /* x509v3 subject key identifier */
-    PRBool keyIDGenerated;    /* was the keyid generated? */
-    unsigned int keyUsage;    /* what uses are allowed for this cert */
-    unsigned int rawKeyUsage; /* value of the key usage extension */
-    PRBool keyUsagePresent;   /* was the key usage extension present */
-    PRUint32 nsCertType;      /* value of the ns cert type extension */
-                              /* must be 32-bit for PR_ATOMIC_SET */
-
-    /* these values can be set by the application to bypass certain checks
-     * or to keep the cert in memory for an entire session.
-     * XXX - need an api to set these
-     */
-    PRBool keepSession;         /* keep this cert for entire session*/
-    PRBool timeOK;              /* is the bad validity time ok? */
-    CERTOKDomainName *domainOK; /* these domain names are ok */
-
-    /*
-     * these values can change when the cert changes state.  These state
-     * changes include transitions from temp to perm or vice-versa, and
-     * changes of trust flags
-     */
-    PRBool isperm;
-    PRBool istemp;
-    char *nickname;
-    char *dbnickname;
-    struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
-    CERTCertTrust *trust;
-
-    /* the reference count is modified whenever someone looks up, dups
-     * or destroys a certificate
-     */
-    int referenceCount;
-
-    /* The subject list is a list of all certs with the same subject name.
-     * It can be modified any time a cert is added or deleted from either
-     * the in-memory(temporary) or on-disk(permanent) database.
-     */
-    CERTSubjectList *subjectList;
-
-    /* these belong in the static section, but are here to maintain
-     * the structure's integrity
-     */
-    CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */
-    PRBool isRoot;            /* cert is the end of a chain */
-
-    /* these fields are used by client GUI code to keep track of ssl sockets
-     * that are blocked waiting on GUI feedback related to this cert.
-     * XXX - these should be moved into some sort of application specific
-     *       data structure.  They are only used by the browser right now.
-     */
-    union {
-        void *apointer; /* was struct SECSocketNode* authsocketlist */
-        struct {
-            unsigned int hasUnsupportedCriticalExt : 1;
-            /* add any new option bits needed here */
-        } bits;
-    } options;
-    int series; /* was int authsocketcount; record the series of the pkcs11ID */
-
-    /* This is PKCS #11 stuff. */
-    PK11SlotInfo *slot;        /*if this cert came of a token, which is it*/
-    CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
-    PRBool ownSlot;            /*true if the cert owns the slot reference */
-};
-#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
-#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
-#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
-
-#define SEC_CRL_VERSION_1 0 /* default */
-#define SEC_CRL_VERSION_2 1 /* v2 extensions */
-
-/*
- * used to identify class of cert in mime stream code
- */
-#define SEC_CERT_CLASS_CA 1
-#define SEC_CERT_CLASS_SERVER 2
-#define SEC_CERT_CLASS_USER 3
-#define SEC_CERT_CLASS_EMAIL 4
-
-struct CERTDERCertsStr {
-    PLArenaPool *arena;
-    int numcerts;
-    SECItem *rawCerts;
-};
-
-/*
-** A PKCS ? Attribute
-** XXX this is duplicated through out the code, it *should* be moved
-** to a central location.  Where would be appropriate?
-*/
-struct CERTAttributeStr {
-    SECItem attrType;
-    SECItem **attrValue;
-};
-
-/*
-** A PKCS#10 certificate-request object (the unsigned form)
-*/
-struct CERTCertificateRequestStr {
-    PLArenaPool *arena;
-    SECItem version;
-    CERTName subject;
-    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
-    CERTAttribute **attributes;
-};
-#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
-
-/*
-** A certificate list object.
-*/
-struct CERTCertificateListStr {
-    SECItem *certs;
-    int len; /* number of certs */
-    PLArenaPool *arena;
-};
-
-struct CERTCertListNodeStr {
-    PRCList links;
-    CERTCertificate *cert;
-    void *appData;
-};
-
-struct CERTCertListStr {
-    PRCList list;
-    PLArenaPool *arena;
-};
-
-#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
-#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
-#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
-#define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
-#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
-
-struct CERTCrlEntryStr {
-    SECItem serialNumber;
-    SECItem revocationDate;
-    CERTCertExtension **extensions;
-};
-
-struct CERTCrlStr {
-    PLArenaPool *arena;
-    SECItem version;
-    SECAlgorithmID signatureAlg;
-    SECItem derName;
-    CERTName name;
-    SECItem lastUpdate;
-    SECItem nextUpdate; /* optional for x.509 CRL  */
-    CERTCrlEntry **entries;
-    CERTCertExtension **extensions;
-    /* can't add anything there for binary backwards compatibility reasons */
-};
-
-struct CERTCrlKeyStr {
-    SECItem derName;
-    SECItem dummy; /* The decoder can not skip a primitive,
-                      this serves as a place holder for the
-                      decoder to finish its task only
-                   */
-};
-
-struct CERTSignedCrlStr {
-    PLArenaPool *arena;
-    CERTCrl crl;
-    void *reserved1;
-    PRBool reserved2;
-    PRBool isperm;
-    PRBool istemp;
-    int referenceCount;
-    CERTCertDBHandle *dbhandle;
-    CERTSignedData signatureWrap; /* XXX */
-    char *url;
-    SECItem *derCrl;
-    PK11SlotInfo *slot;
-    CK_OBJECT_HANDLE pkcs11ID;
-    void *opaque; /* do not touch */
-};
-
-struct CERTCrlHeadNodeStr {
-    PLArenaPool *arena;
-    CERTCertDBHandle *dbhandle;
-    CERTCrlNode *first;
-    CERTCrlNode *last;
-};
-
-struct CERTCrlNodeStr {
-    CERTCrlNode *next;
-    int type;
-    CERTSignedCrl *crl;
-};
-
-/*
- * Array of X.500 Distinguished Names
- */
-struct CERTDistNamesStr {
-    PLArenaPool *arena;
-    int nnames;
-    SECItem *names;
-    void *head; /* private */
-};
-
-#define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
-#define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
-#define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
-#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
-#define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 */
-#define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
-#define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
-#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
-
-#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
-#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
-
-#define NS_CERT_TYPE_APP                                                       \
-    (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL |  \
-     NS_CERT_TYPE_OBJECT_SIGNING)
-
-#define NS_CERT_TYPE_CA                                                        \
-    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                             \
-     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
-typedef enum SECCertUsageEnum {
-    certUsageSSLClient = 0,
-    certUsageSSLServer = 1,
-    certUsageSSLServerWithStepUp = 2,
-    certUsageSSLCA = 3,
-    certUsageEmailSigner = 4,
-    certUsageEmailRecipient = 5,
-    certUsageObjectSigner = 6,
-    certUsageUserCertImport = 7,
-    certUsageVerifyCA = 8,
-    certUsageProtectedObjectSigner = 9,
-    certUsageStatusResponder = 10,
-    certUsageAnyCA = 11
-} SECCertUsage;
-
-typedef PRInt64 SECCertificateUsage;
-
-#define certificateUsageCheckAllUsages (0x0000)
-#define certificateUsageSSLClient (0x0001)
-#define certificateUsageSSLServer (0x0002)
-#define certificateUsageSSLServerWithStepUp (0x0004)
-#define certificateUsageSSLCA (0x0008)
-#define certificateUsageEmailSigner (0x0010)
-#define certificateUsageEmailRecipient (0x0020)
-#define certificateUsageObjectSigner (0x0040)
-#define certificateUsageUserCertImport (0x0080)
-#define certificateUsageVerifyCA (0x0100)
-#define certificateUsageProtectedObjectSigner (0x0200)
-#define certificateUsageStatusResponder (0x0400)
-#define certificateUsageAnyCA (0x0800)
-
-#define certificateUsageHighest certificateUsageAnyCA
-
-/*
- * Does the cert belong to the user, a peer, or a CA.
- */
-typedef enum CERTCertOwnerEnum {
-    certOwnerUser = 0,
-    certOwnerPeer = 1,
-    certOwnerCA = 2
-} CERTCertOwner;
-
-/*
- * This enum represents the state of validity times of a certificate
- */
-typedef enum SECCertTimeValidityEnum {
-    secCertTimeValid = 0,
-    secCertTimeExpired = 1,
-    secCertTimeNotValidYet = 2,
-    secCertTimeUndetermined = 3 /* validity could not be decoded from the
-                                   cert, most likely because it was NULL */
-} SECCertTimeValidity;
-
-/*
- * This is used as return status in functions that compare the validity
- * periods of two certificates A and B, currently only
- * CERT_CompareValidityTimes.
- */
-
-typedef enum CERTCompareValidityStatusEnum {
-    certValidityUndetermined = 0, /* the function is unable to select one cert
-                                     over another */
-    certValidityChooseB = 1,      /* cert B should be preferred */
-    certValidityEqual = 2,        /* both certs have the same validity period */
-    certValidityChooseA = 3       /* cert A should be preferred */
-} CERTCompareValidityStatus;
-
-/*
- * Interface for getting certificate nickname strings out of the database
- */
-
-/* these are values for the what argument below */
-#define SEC_CERT_NICKNAMES_ALL 1
-#define SEC_CERT_NICKNAMES_USER 2
-#define SEC_CERT_NICKNAMES_SERVER 3
-#define SEC_CERT_NICKNAMES_CA 4
-
-struct CERTCertNicknamesStr {
-    PLArenaPool *arena;
-    void *head;
-    int numnicknames;
-    char **nicknames;
-    int what;
-    int totallen;
-};
-
-struct CERTIssuerAndSNStr {
-    SECItem derIssuer;
-    CERTName issuer;
-    SECItem serialNumber;
-};
-
-/* X.509 v3 Key Usage Extension flags */
-#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
-#define KU_NON_REPUDIATION (0x40)   /* bit 1 */
-#define KU_KEY_ENCIPHERMENT (0x20)  /* bit 2 */
-#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
-#define KU_KEY_AGREEMENT (0x08)     /* bit 4 */
-#define KU_KEY_CERT_SIGN (0x04)     /* bit 5 */
-#define KU_CRL_SIGN (0x02)          /* bit 6 */
-#define KU_ENCIPHER_ONLY (0x01)     /* bit 7 */
-#define KU_ALL                                                                 \
-    (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT |         \
-     KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN |              \
-     KU_CRL_SIGN | KU_ENCIPHER_ONLY)
-
-/* This value will not occur in certs.  It is used internally for the case
- * when either digital signature or non-repudiation is the correct value.
- */
-#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
-
-/* This value will not occur in certs.  It is used internally for the case
- * when the key type is not know ahead of time and either key agreement or
- * key encipherment are the correct value based on key type
- */
-#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
-
-/* internal bits that do not match bits in the x509v3 spec, but are used
- * for similar purposes
- */
-#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
-/*
-* x.509 v3 Basic Constraints Extension
-* If isCA is false, the pathLenConstraint is ignored.
-* Otherwise, the following pathLenConstraint values will apply:
-*       < 0 - there is no limit to the certificate path
-*       0   - CA can issues end-entity certificates only
-*       > 0 - the number of certificates in the certificate path is
-*             limited to this number
-*/
-#define CERT_UNLIMITED_PATH_CONSTRAINT -2
-
-struct CERTBasicConstraintsStr {
-    PRBool isCA;           /* on if is CA */
-    int pathLenConstraint; /* maximum number of certificates that can be
-                              in the cert path.  Only applies to a CA
-                              certificate; otherwise, it's ignored.
-                            */
-};
-
-/* Maximum length of a certificate chain */
-#define CERT_MAX_CERT_CHAIN 20
-
-#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
-#define CERT_MAX_DN_BYTES 4096          /* arbitrary */
-
-/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
-#define RF_UNUSED (0x80)                 /* bit 0 */
-#define RF_KEY_COMPROMISE (0x40)         /* bit 1 */
-#define RF_CA_COMPROMISE (0x20)          /* bit 2 */
-#define RF_AFFILIATION_CHANGED (0x10)    /* bit 3 */
-#define RF_SUPERSEDED (0x08)             /* bit 4 */
-#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
-#define RF_CERTIFICATE_HOLD (0x02)       /* bit 6 */
-
-/* enum for CRL Entry Reason Code */
-typedef enum CERTCRLEntryReasonCodeEnum {
-    crlEntryReasonUnspecified = 0,
-    crlEntryReasonKeyCompromise = 1,
-    crlEntryReasonCaCompromise = 2,
-    crlEntryReasonAffiliationChanged = 3,
-    crlEntryReasonSuperseded = 4,
-    crlEntryReasonCessationOfOperation = 5,
-    crlEntryReasoncertificatedHold = 6,
-    crlEntryReasonRemoveFromCRL = 8,
-    crlEntryReasonPrivilegeWithdrawn = 9,
-    crlEntryReasonAaCompromise = 10
-} CERTCRLEntryReasonCode;
-
-/* If we needed to extract the general name field, use this */
-/* General Name types */
-typedef enum CERTGeneralNameTypeEnum {
-    certOtherName = 1,
-    certRFC822Name = 2,
-    certDNSName = 3,
-    certX400Address = 4,
-    certDirectoryName = 5,
-    certEDIPartyName = 6,
-    certURI = 7,
-    certIPAddress = 8,
-    certRegisterID = 9
-} CERTGeneralNameType;
-
-typedef struct OtherNameStr {
-    SECItem name;
-    SECItem oid;
-} OtherName;
-
-struct CERTGeneralNameStr {
-    CERTGeneralNameType type; /* name type */
-    union {
-        CERTName directoryName; /* distinguish name */
-        OtherName OthName;      /* Other Name */
-        SECItem other;          /* the rest of the name forms */
-    } name;
-    SECItem derDirectoryName; /* this is saved to simplify directory name
-                                 comparison */
-    PRCList l;
-};
-
-struct CERTGeneralNameListStr {
-    PLArenaPool *arena;
-    CERTGeneralName *name;
-    int refCount;
-    int len;
-    PZLock *lock;
-};
-
-struct CERTNameConstraintStr {
-    CERTGeneralName name;
-    SECItem DERName;
-    SECItem min;
-    SECItem max;
-    PRCList l;
-};
-
-struct CERTNameConstraintsStr {
-    CERTNameConstraint *permited;
-    CERTNameConstraint *excluded;
-    SECItem **DERPermited;
-    SECItem **DERExcluded;
-};
-
-/* Private Key Usage Period extension struct. */
-struct CERTPrivKeyUsagePeriodStr {
-    SECItem notBefore;
-    SECItem notAfter;
-    PLArenaPool *arena;
-};
-
-/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
-   issuer field, we only support URI now.
- */
-struct CERTAuthKeyIDStr {
-    SECItem keyID;                   /* unique key identifier */
-    CERTGeneralName *authCertIssuer; /* CA's issuer name.  End with a NULL */
-    SECItem authCertSerialNumber;    /* CA's certificate serial number */
-    SECItem **DERAuthCertIssuer;     /* This holds the DER encoded format of
-                                        the authCertIssuer field. It is used
-                                        by the encoding engine. It should be
-                                        used as a read only field by the caller.
-                                     */
-};
-
-/* x.509 v3 CRL Distributeion Point */
-
-/*
- * defined the types of CRL Distribution points
- */
-typedef enum DistributionPointTypesEnum {
-    generalName = 1, /* only support this for now */
-    relativeDistinguishedName = 2
-} DistributionPointTypes;
-
-struct CRLDistributionPointStr {
-    DistributionPointTypes distPointType;
-    union {
-        CERTGeneralName *fullName;
-        CERTRDN relativeName;
-    } distPoint;
-    SECItem reasons;
-    CERTGeneralName *crlIssuer;
-
-    /* Reserved for internal use only*/
-    SECItem derDistPoint;
-    SECItem derRelativeName;
-    SECItem **derCrlIssuer;
-    SECItem **derFullName;
-    SECItem bitsmap;
-};
-
-struct CERTCrlDistributionPointsStr {
-    CRLDistributionPoint **distPoints;
-};
-
-/*
- * This structure is used to keep a log of errors when verifying
- * a cert chain.  This allows multiple errors to be reported all at
- * once.
- */
-struct CERTVerifyLogNodeStr {
-    CERTCertificate *cert;             /* what cert had the error */
-    long error;                        /* what error was it? */
-    unsigned int depth;                /* how far up the chain are we */
-    void *arg;                         /* error specific argument */
-    struct CERTVerifyLogNodeStr *next; /* next in the list */
-    struct CERTVerifyLogNodeStr *prev; /* next in the list */
-};
-
-struct CERTVerifyLogStr {
-    PLArenaPool *arena;
-    unsigned int count;
-    struct CERTVerifyLogNodeStr *head;
-    struct CERTVerifyLogNodeStr *tail;
-};
-
-struct CERTOKDomainNameStr {
-    CERTOKDomainName *next;
-    char name[1]; /* actual length may be longer. */
-};
-
-typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle,
-                                                  CERTCertificate *cert,
-                                                  PRTime time, void *pwArg);
-
-typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle);
-
-struct CERTStatusConfigStr {
-    CERTStatusChecker statusChecker; /* NULL means no checking enabled */
-    CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
-    void *statusContext;             /* cx specific to checking protocol */
-};
-
-struct CERTAuthInfoAccessStr {
-    SECItem method;
-    SECItem derLocation;
-    CERTGeneralName *location; /* decoded location */
-};
-
-/* This is the typedef for the callback passed to CERT_OpenCertDB() */
-/* callback to return database name based on version number */
-typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion);
-
-/*
- * types of cert packages that we can decode
- */
-typedef enum CERTPackageTypeEnum {
-    certPackageNone = 0,
-    certPackageCert = 1,
-    certPackagePKCS7 = 2,
-    certPackageNSCertSeq = 3,
-    certPackageNSCertWrap = 4
-} CERTPackageType;
-
-/*
- * these types are for the PKIX Certificate Policies extension
- */
-typedef struct {
-    SECOidTag oid;
-    SECItem qualifierID;
-    SECItem qualifierValue;
-} CERTPolicyQualifier;
-
-typedef struct {
-    SECOidTag oid;
-    SECItem policyID;
-    CERTPolicyQualifier **policyQualifiers;
-} CERTPolicyInfo;
-
-typedef struct {
-    PLArenaPool *arena;
-    CERTPolicyInfo **policyInfos;
-} CERTCertificatePolicies;
-
-typedef struct {
-    SECItem organization;
-    SECItem **noticeNumbers;
-} CERTNoticeReference;
-
-typedef struct {
-    PLArenaPool *arena;
-    CERTNoticeReference noticeReference;
-    SECItem derNoticeReference;
-    SECItem displayText;
-} CERTUserNotice;
-
-typedef struct {
-    PLArenaPool *arena;
-    SECItem **oids;
-} CERTOidSequence;
-
-/*
- * these types are for the PKIX Policy Mappings extension
- */
-typedef struct {
-    SECItem issuerDomainPolicy;
-    SECItem subjectDomainPolicy;
-} CERTPolicyMap;
-
-typedef struct {
-    PLArenaPool *arena;
-    CERTPolicyMap **policyMaps;
-} CERTCertificatePolicyMappings;
-
-/*
- * these types are for the PKIX inhibitAnyPolicy extension
- */
-typedef struct {
-    SECItem inhibitAnySkipCerts;
-} CERTCertificateInhibitAny;
-
-/*
- * these types are for the PKIX Policy Constraints extension
- */
-typedef struct {
-    SECItem explicitPolicySkipCerts;
-    SECItem inhibitMappingSkipCerts;
-} CERTCertificatePolicyConstraints;
-
-/*
- * These types are for the validate chain callback param.
- *
- * CERTChainVerifyCallback is an application-supplied callback that can be used
- * to augment libpkix's certificate chain validation with additional
- * application-specific checks. It may be called multiple times if there are
- * multiple potentially-valid paths for the certificate being validated. This
- * callback is called before revocation checking is done on the certificates in
- * the given chain.
- *
- * - isValidChainArg contains the application-provided opaque argument
- * - currentChain is the currently validated chain. It is ordered with the leaf
- *   certificate at the head and the trust anchor at the tail.
- *
- * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
- * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
- * return SECSuccess if the chain is unacceptable, to indicate that the given
- * chain is bad and path building should continue. It should return SECFailure
- * to indicate an fatal error that will cause path validation to fail
- * immediately.
- */
-typedef SECStatus (*CERTChainVerifyCallbackFunc)(
-    void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK);
-
-/*
- * Note: If extending this structure, it will be necessary to change the
- * associated CERTValParamInType
- */
-typedef struct {
-    CERTChainVerifyCallbackFunc isChainValid;
-    void *isChainValidArg;
-} CERTChainVerifyCallback;
-
-/*
- * these types are for the CERT_PKIX* Verification functions
- * These are all optional parameters.
- */
-
-typedef enum {
-    cert_pi_end = 0,         /* SPECIAL: signifies end of array of
-                              * CERTValParam* */
-    cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
-                              * resume a session. If this argument is
-                              * specified, no other arguments should be.
-                              * Specified in value.pointer.p. If the
-                              * operation completes the context will be
-                              * freed. */
-    cert_pi_nbioAbort = 2,   /* specify a non-blocking IO context for an
-                              * existing operation which the caller wants
-                              * to abort. If this argument is
-                              * specified, no other arguments should be.
-                              * Specified in value.pointer.p. If the
-                              * operation succeeds the context will be
-                              * freed. */
-    cert_pi_certList = 3,    /* specify the chain to validate against. If
-                              * this value is given, then the path
-                              * construction step in the validation is
-                              * skipped. Specified in value.pointer.chain */
-    cert_pi_policyOID = 4,   /* validate certificate for policy OID.
-                              * Specified in value.array.oids. Cert must
-                              * be good for at least one OID in order
-                              * to validate. Default is that the user is not
-                              * concerned about certificate policy. */
-    cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
-                              * Specified in value.scalar.ul. Policy flags
-                              * apply to all specified oids.
-                              * Use CERT_POLICY_FLAG_* macros below. If not
-                              * specified policy flags default to 0 */
-    cert_pi_keyusage = 6,    /* specify what the keyusages the certificate
-                              * will be evaluated against, specified in
-                              * value.scalar.ui. The cert must validate for
-                              * at least one of the specified key usages.
-                              * Values match the KU_  bit flags defined
-                              * in this file. Default is derived from
-                              * the 'usages' function argument */
-    cert_pi_extendedKeyusage = 7, /* specify what the required extended key
-                                   * usage of the certificate. Specified as
-                                   * an array of oidTags in value.array.oids.
-                                   * The cert must validate for at least one
-                                   * of the specified extended key usages.
-                                   * If not specified, no extended key usages
-                                   * will be checked. */
-    cert_pi_date = 8,             /* validate certificate is valid as of date
-                                   * specified in value.scalar.time. A special
-                                   * value '0' indicates 'now'. default is '0' */
-    cert_pi_revocationFlags = 9,  /* Specify what revocation checking to do.
-                                   * See CERT_REV_FLAG_* macros below
-                                   * Set in value.pointer.revocation */
-    cert_pi_certStores = 10,      /* Bitmask of Cert Store flags (see below)
-                                   * Set in value.scalar.ui */
-    cert_pi_trustAnchors =
-        11,                       /* Specify the list of trusted roots to
-                                   * validate against.
-                                   * The default set of trusted roots, these are
-                                   * root CA certs from libnssckbi.so or CA
-                                   * certs trusted by user, are used in any of
-                                   * the following cases:
-                                   *      * when the parameter is not set.
-                                   *      * when the list of trust anchors is
-                                   *        empty.
-                                   * Note that this handling can be further
-                                   * altered by altering the
-                                   * cert_pi_useOnlyTrustAnchors flag
-                                   * Specified in value.pointer.chain */
-    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
-                                  * In NSS 3.12.1 or later. Default is off.
-                                  * Value is in value.scalar.b */
-    cert_pi_chainVerifyCallback = 13,
-    /* The callback container for doing extra
-     * validation on the currently calculated chain.
-     * Value is in value.pointer.chainVerifyCallback */
-    cert_pi_useOnlyTrustAnchors = 14,
-        /* If true, disables trusting any
-        * certificates other than the ones passed in via cert_pi_trustAnchors.
-        * If false, then the certificates specified via cert_pi_trustAnchors
-        * will be combined with the pre-existing trusted roots, but only
-        * for the certificate validation being performed.
-        * If no value has been supplied via cert_pi_trustAnchors, this has
-        * no effect.
-        * The default value is true, meaning if this is not supplied, only
-        * trust anchors supplied via cert_pi_trustAnchors are trusted.
-        * Specified in value.scalar.b */
-    cert_pi_max /* SPECIAL: signifies maximum allowed value,
-                 *  can increase in future releases */
-} CERTValParamInType;
-
-/*
- * for all out parameters:
- *  out parameters are only returned if the caller asks for them in
- *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
- *  array itself. The pkix verify function will allocate and other arrays
- *  pointers, or objects. The Caller is responsible for freeing those results.
- * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
- */
-typedef enum {
-    cert_po_end = 0,              /* SPECIAL: signifies end of array of
-                                   * CERTValParam* */
-    cert_po_nbioContext = 1,      /* Return a nonblocking context. If no
-                                   * non-blocking context is specified, then
-                                   * blocking IO will be used.
-                                   * Returned in value.pointer.p. The context is
-                                   * freed after an abort or a complete operation.
-                                   * This value is only returned on SECWouldBlock.
-                                   */
-    cert_po_trustAnchor = 2,      /* Return the trust anchor for the chain that
-                                   * was validated. Returned in
-                                   * value.pointer.cert, this value is only
-                                   * returned on SECSuccess. */
-    cert_po_certList = 3,         /* Return the entire chain that was validated.
-                                   * Returned in value.pointer.certList. If no
-                                   * chain could be constructed, this value
-                                   * would be NULL. */
-    cert_po_policyOID = 4,        /* Return the policies that were found to be
-                                   * valid. Returned in value.array.oids as an
-                                   * array. This is only returned on
-                                   * SECSuccess. */
-    cert_po_errorLog = 5,         /* Return a log of problems with the chain.
-                                   * Returned in value.pointer.log  */
-    cert_po_usages = 6,           /* Return what usages the certificate is valid
-                                     for. Returned in value.scalar.usages */
-    cert_po_keyUsage = 7,         /* Return what key usages the certificate
-                                   * is valid for.
-                                   * Returned in value.scalar.usage */
-    cert_po_extendedKeyusage = 8, /* Return what extended key usages the
-                                   * certificate is valid for.
-                                   * Returned in value.array.oids */
-    cert_po_max                   /* SPECIAL: signifies maximum allowed value,
-                                   *  can increase in future releases */
-
-} CERTValParamOutType;
-
-typedef enum {
-    cert_revocation_method_crl = 0,
-    cert_revocation_method_ocsp,
-    cert_revocation_method_count
-} CERTRevocationMethodIndex;
-
-/*
- * The following flags are supposed to be used to control bits in
- * each integer contained in the array pointed to be:
- *     CERTRevocationTests.cert_rev_flags_per_method
- * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
- * this is a method dependent flag.
- */
-
-/*
- * Whether or not to use a method for revocation testing.
- * If set to "do not test", then all other flags are ignored.
- */
-#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
-#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
-
-/*
- * Whether or not NSS is allowed to attempt to fetch fresh information
- *         from the network.
- * (Although fetching will never happen if fresh information for the
- *           method is already locally available.)
- */
-#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
-#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
-
-/*
- * Example for an implicit default source:
- *         The globally configured default OCSP responder.
- * IGNORE means:
- *        ignore the implicit default source, whether it's configured or not.
- * ALLOW means:
- *       if an implicit default source is configured,
- *          then it overrides any available or missing source in the cert.
- *       if no implicit default source is configured,
- *          then we continue to use what's available (or not available)
- *          in the certs.
- */
-#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
-#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
-
-/*
- * Defines the behavior if no fresh information is available,
- *   fetching from the network is allowed, but the source of revocation
- *   information is unknown (even after considering implicit sources,
- *   if allowed by other flags).
- * SKIPT_TEST means:
- *          We ignore that no fresh information is available and
- *          skip this test.
- * REQUIRE_INFO means:
- *          We still require that fresh information is available.
- *          Other flags define what happens on missing fresh info.
- */
-#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
-#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
-
-/*
- * Defines the behavior if we are unable to obtain fresh information.
- * INGORE means:
- *      Return "cert status unknown"
- * FAIL means:
- *      Return "cert revoked".
- */
-#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
-#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
-
-/*
- * What should happen if we were able to find fresh information using
- * this method, and the data indicated the cert is good?
- * STOP_TESTING means:
- *              Our success is sufficient, do not continue testing
- *              other methods.
- * CONTINUE_TESTING means:
- *                  We will continue and test the next allowed
- *                  specified method.
- */
-#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
-#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
-
-/* When this flag is used, libpkix will never attempt to use the GET HTTP
- * method for OCSP requests; it will always use POST.
- */
-#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
-
-/*
- * The following flags are supposed to be used to control bits in
- *     CERTRevocationTests.cert_rev_method_independent_flags
- * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
- * this is a method independent flag.
- */
-
-/*
- * This defines the order to checking.
- * EACH_METHOD_SEPARATELY means:
- *      Do all tests related to a particular allowed method
- *      (both local information and network fetching) in a single step.
- *      Only after testing for a particular method is done,
- *      then switching to the next method will happen.
- * ALL_LOCAL_INFORMATION_FIRST means:
- *      Start by testing the information for all allowed methods
- *      which are already locally available. Only after that is done
- *      consider to fetch from the network (as allowed by other flags).
- */
-#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
-#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
-
-/*
- * Use this flag to specify that it's necessary that fresh information
- * is available for at least one of the allowed methods, but it's
- * irrelevant which of the mechanisms succeeded.
- * NO_OVERALL_INFO_REQUIREMENT means:
- *     We strictly follow the requirements for each individual method.
- * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
- *     After the individual tests have been executed, we must have
- *     been able to find fresh information using at least one method.
- *     If we were unable to find fresh info, it's a failure.
- *     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- *     flag on all methods.
- */
-#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
-#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
-
-typedef struct {
-    /*
-     * The size of the array that cert_rev_flags_per_method points to,
-     * meaning, the number of methods that are known and defined
-     * by the caller.
-     */
-    PRUint32 number_of_defined_methods;
-
-    /*
-     * A pointer to an array of integers.
-     * Each integer defines revocation checking for a single method,
-     *      by having individual CERT_REV_M_* bits set or not set.
-     * The meaning of index numbers into this array are defined by
-     *     enum CERTRevocationMethodIndex
-     * The size of the array must be specified by the caller in the separate
-     *     variable number_of_defined_methods.
-     * The size of the array may be smaller than
-     *     cert_revocation_method_count, it can happen if a caller
-     *     is not yet aware of the latest revocation methods
-     *     (or does not want to use them).
-     */
-    PRUint64 *cert_rev_flags_per_method;
-
-    /*
-     * How many preferred methods are specified?
-     * This is equivalent to the size of the array that
-     *      preferred_methods points to.
-     * It's allowed to set this value to zero,
-     *      then NSS will decide which methods to prefer.
-     */
-    PRUint32 number_of_preferred_methods;
-
-    /* Array that may specify an optional order of preferred methods.
-     * Each array entry shall contain a method identifier as defined
-     *   by CERTRevocationMethodIndex.
-     * The entry at index [0] specifies the method with highest preference.
-     * These methods will be tested first for locally available information.
-     * Methods allowed for downloading will be attempted in the same order.
-     */
-    CERTRevocationMethodIndex *preferred_methods;
-
-    /*
-     * An integer which defines certain aspects of revocation checking
-     * (independent of individual methods) by having individual
-     * CERT_REV_MI_* bits set or not set.
-     */
-    PRUint64 cert_rev_method_independent_flags;
-} CERTRevocationTests;
-
-typedef struct {
-    CERTRevocationTests leafTests;
-    CERTRevocationTests chainTests;
-} CERTRevocationFlags;
-
-typedef struct CERTValParamInValueStr {
-    union {
-        PRBool b;
-        PRInt32 i;
-        PRUint32 ui;
-        PRInt64 l;
-        PRUint64 ul;
-        PRTime time;
-    } scalar;
-    union {
-        const void *p;
-        const char *s;
-        const CERTCertificate *cert;
-        const CERTCertList *chain;
-        const CERTRevocationFlags *revocation;
-        const CERTChainVerifyCallback *chainVerifyCallback;
-    } pointer;
-    union {
-        const PRInt32 *pi;
-        const PRUint32 *pui;
-        const PRInt64 *pl;
-        const PRUint64 *pul;
-        const SECOidTag *oids;
-    } array;
-    int arraySize;
-} CERTValParamInValue;
-
-typedef struct CERTValParamOutValueStr {
-    union {
-        PRBool b;
-        PRInt32 i;
-        PRUint32 ui;
-        PRInt64 l;
-        PRUint64 ul;
-        SECCertificateUsage usages;
-    } scalar;
-    union {
-        void *p;
-        char *s;
-        CERTVerifyLog *log;
-        CERTCertificate *cert;
-        CERTCertList *chain;
-    } pointer;
-    union {
-        void *p;
-        SECOidTag *oids;
-    } array;
-    int arraySize;
-} CERTValParamOutValue;
-
-typedef struct {
-    CERTValParamInType type;
-    CERTValParamInValue value;
-} CERTValInParam;
-
-typedef struct {
-    CERTValParamOutType type;
-    CERTValParamOutValue value;
-} CERTValOutParam;
-
-/*
- * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
- */
-typedef enum CertStrictnessLevels {
-    CERT_N2A_READABLE = 0,   /* maximum human readability */
-    CERT_N2A_STRICT = 10,    /* strict RFC compliance    */
-    CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
-                                all DirectoryStrings encoded in hex */
-} CertStrictnessLevel;
-
-/*
- * policy flag defines
- */
-#define CERT_POLICY_FLAG_NO_MAPPING 1
-#define CERT_POLICY_FLAG_EXPLICIT 2
-#define CERT_POLICY_FLAG_NO_ANY 4
-
-/*
- * CertStore flags
- */
-#define CERT_ENABLE_LDAP_FETCH 1
-#define CERT_ENABLE_HTTP_FETCH 2
-
-/* This functin pointer type may be used for any function that takes
- * a CERTCertificate * and returns an allocated string, which must be
- * freed by a call to PORT_Free.
- */
-typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert);
-
-/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
-
-#include "secasn1t.h" /* way down here because I expect template stuff to
-                       * move out of here anyway */
-
-SEC_BEGIN_PROTOS
-
-extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
-extern const SEC_ASN1Template CERT_CertificateTemplate[];
-extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
-extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
-extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
-extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
-extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
-extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
-extern const SEC_ASN1Template CERT_ValidityTemplate[];
-extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
-extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
-
-extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
-extern const SEC_ASN1Template CERT_NameTemplate[];
-extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
-extern const SEC_ASN1Template CERT_RDNTemplate[];
-extern const SEC_ASN1Template CERT_SignedDataTemplate[];
-extern const SEC_ASN1Template CERT_CrlTemplate[];
-extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
-
-/*
-** XXX should the attribute stuff be centralized for all of ns/security?
-*/
-extern const SEC_ASN1Template CERT_AttributeTemplate[];
-extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
-
-/* These functions simply return the address of the above-declared templates.
-** This is necessary for Windows DLLs.  Sigh.
-*/
-SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
-
-SEC_END_PROTOS
-
-#endif /* _CERTT_H_ */