
Side by Side Diff: nss/lib/certdb/certt.h

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * certt.h - public data structures for the certificate library
6 */
7 #ifndef _CERTT_H_
8 #define _CERTT_H_
9
10 #include "prclist.h"
11 #include "pkcs11t.h"
12 #include "seccomon.h"
13 #include "secmodt.h"
14 #include "secoidt.h"
15 #include "plarena.h"
16 #include "prcvar.h"
17 #include "nssilock.h"
18 #include "prio.h"
19 #include "prmon.h"
20
21 /* Stan data types */
22 struct NSSCertificateStr;
23 struct NSSTrustDomainStr;
24
25 /* Non-opaque objects */
26 typedef struct CERTAVAStr CERTAVA;
27 typedef struct CERTAttributeStr CERTAttribute;
28 typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
29 typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
30 typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
31 typedef struct NSSTrustDomainStr CERTCertDBHandle;
32 typedef struct CERTCertExtensionStr CERTCertExtension;
33 typedef struct CERTCertKeyStr CERTCertKey;
34 typedef struct CERTCertListStr CERTCertList;
35 typedef struct CERTCertListNodeStr CERTCertListNode;
36 typedef struct CERTCertNicknamesStr CERTCertNicknames;
37 typedef struct CERTCertTrustStr CERTCertTrust;
38 typedef struct CERTCertificateStr CERTCertificate;
39 typedef struct CERTCertificateListStr CERTCertificateList;
40 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
41 typedef struct CERTCrlStr CERTCrl;
42 typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
43 typedef struct CERTCrlEntryStr CERTCrlEntry;
44 typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
45 typedef struct CERTCrlKeyStr CERTCrlKey;
46 typedef struct CERTCrlNodeStr CERTCrlNode;
47 typedef struct CERTDERCertsStr CERTDERCerts;
48 typedef struct CERTDistNamesStr CERTDistNames;
49 typedef struct CERTGeneralNameStr CERTGeneralName;
50 typedef struct CERTGeneralNameListStr CERTGeneralNameList;
51 typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
52 typedef struct CERTNameStr CERTName;
53 typedef struct CERTNameConstraintStr CERTNameConstraint;
54 typedef struct CERTNameConstraintsStr CERTNameConstraints;
55 typedef struct CERTOKDomainNameStr CERTOKDomainName;
56 typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
57 typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
58 typedef struct CERTRDNStr CERTRDN;
59 typedef struct CERTSignedCrlStr CERTSignedCrl;
60 typedef struct CERTSignedDataStr CERTSignedData;
61 typedef struct CERTStatusConfigStr CERTStatusConfig;
62 typedef struct CERTSubjectListStr CERTSubjectList;
63 typedef struct CERTSubjectNodeStr CERTSubjectNode;
64 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
65 typedef struct CERTValidityStr CERTValidity;
66 typedef struct CERTVerifyLogStr CERTVerifyLog;
67 typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
68 typedef struct CRLDistributionPointStr CRLDistributionPoint;
69
70 /* CRL extensions type */
71 typedef unsigned long CERTCrlNumber;
72
73 /*
74 ** An X.500 AVA object
75 */
76 struct CERTAVAStr {
77 SECItem type;
78 SECItem value;
79 };
80
81 /*
82 ** An X.500 RDN object
83 */
84 struct CERTRDNStr {
85 CERTAVA **avas;
86 };
87
88 /*
89 ** An X.500 name object
90 */
91 struct CERTNameStr {
92 PLArenaPool *arena;
93 CERTRDN **rdns;
94 };
95
96 /*
97 ** An X.509 validity object
98 */
99 struct CERTValidityStr {
100 PLArenaPool *arena;
101 SECItem notBefore;
102 SECItem notAfter;
103 };
104
105 /*
106 * A serial number and issuer name, which is used as a database key
107 */
108 struct CERTCertKeyStr {
109 SECItem serialNumber;
110 SECItem derIssuer;
111 };
112
113 /*
114 ** A signed data object. Used to implement the "signed" macro used
115 ** in the X.500 specs.
116 */
117 struct CERTSignedDataStr {
118 SECItem data;
119 SECAlgorithmID signatureAlgorithm;
120 SECItem signature;
121 };
122
123 /*
124 ** An X.509 subject-public-key-info object
125 */
126 struct CERTSubjectPublicKeyInfoStr {
127 PLArenaPool *arena;
128 SECAlgorithmID algorithm;
129 SECItem subjectPublicKey;
130 };
131
132 struct CERTPublicKeyAndChallengeStr {
133 SECItem spki;
134 SECItem challenge;
135 };
136
137 struct CERTCertTrustStr {
138 unsigned int sslFlags;
139 unsigned int emailFlags;
140 unsigned int objectSigningFlags;
141 };
142
143 /*
144 * defined the types of trust that exist
145 */
146 typedef enum SECTrustTypeEnum {
147 trustSSL = 0,
148 trustEmail = 1,
149 trustObjectSigning = 2,
150 trustTypeNone = 3
151 } SECTrustType;
152
153 #define SEC_GET_TRUST_FLAGS(trust, type) \
154 (((type) == trustSSL) \
155 ? ((trust)->sslFlags) \
156 : (((type) == trustEmail) ? ((trust)->emailFlags) \
157 : (((type) == trustObjectSigning) \
158 ? ((trust)->objectSigningFlags) \
159 : 0)))
160
161 /*
162 ** An X.509.3 certificate extension
163 */
164 struct CERTCertExtensionStr {
165 SECItem id;
166 SECItem critical;
167 SECItem value;
168 };
169
170 struct CERTSubjectNodeStr {
171 struct CERTSubjectNodeStr *next;
172 struct CERTSubjectNodeStr *prev;
173 SECItem certKey;
174 SECItem keyID;
175 };
176
177 struct CERTSubjectListStr {
178 PLArenaPool *arena;
179 int ncerts;
180 char *emailAddr;
181 CERTSubjectNode *head;
182 CERTSubjectNode *tail; /* do we need tail? */
183 void *entry;
184 };
185
186 /*
187 ** An X.509 certificate object (the unsigned form)
188 */
189 struct CERTCertificateStr {
190 /* the arena is used to allocate any data structures that have the same
191 * lifetime as the cert. This is all stuff that hangs off of the cert
192 * structure, and is all freed at the same time. It is used when the
193 * cert is decoded, destroyed, and at some times when it changes
194 * state
195 */
196 PLArenaPool *arena;
197
198 /* The following fields are static after the cert has been decoded */
199 char *subjectName;
200 char *issuerName;
201 CERTSignedData signatureWrap; /* XXX */
202 SECItem derCert; /* original DER for the cert */
203 SECItem derIssuer; /* DER for issuer name */
204 SECItem derSubject; /* DER for subject name */
205 SECItem derPublicKey; /* DER for the public key */
206 SECItem certKey; /* database key for this cert */
207 SECItem version;
208 SECItem serialNumber;
209 SECAlgorithmID signature;
210 CERTName issuer;
211 CERTValidity validity;
212 CERTName subject;
213 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
214 SECItem issuerID;
215 SECItem subjectID;
216 CERTCertExtension **extensions;
217 char *emailAddr;
218 CERTCertDBHandle *dbhandle;
219 SECItem subjectKeyID; /* x509v3 subject key identifier */
220 PRBool keyIDGenerated; /* was the keyid generated? */
221 unsigned int keyUsage; /* what uses are allowed for this cert */
222 unsigned int rawKeyUsage; /* value of the key usage extension */
223 PRBool keyUsagePresent; /* was the key usage extension present */
224 PRUint32 nsCertType; /* value of the ns cert type extension */
225 /* must be 32-bit for PR_ATOMIC_SET */
226
227 /* these values can be set by the application to bypass certain checks
228 * or to keep the cert in memory for an entire session.
229 * XXX - need an api to set these
230 */
231 PRBool keepSession; /* keep this cert for entire session*/
232 PRBool timeOK; /* is the bad validity time ok? */
233 CERTOKDomainName *domainOK; /* these domain names are ok */
234
235 /*
236 * these values can change when the cert changes state. These state
237 * changes include transitions from temp to perm or vice-versa, and
238 * changes of trust flags
239 */
240 PRBool isperm;
241 PRBool istemp;
242 char *nickname;
243 char *dbnickname;
244 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
245 CERTCertTrust *trust;
246
247 /* the reference count is modified whenever someone looks up, dups
248 * or destroys a certificate
249 */
250 int referenceCount;
251
252 /* The subject list is a list of all certs with the same subject name.
253 * It can be modified any time a cert is added or deleted from either
254 * the in-memory(temporary) or on-disk(permanent) database.
255 */
256 CERTSubjectList *subjectList;
257
258 /* these belong in the static section, but are here to maintain
259 * the structure's integrity
260 */
261 CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */
262 PRBool isRoot; /* cert is the end of a chain */
263
264 /* these fields are used by client GUI code to keep track of ssl sockets
265 * that are blocked waiting on GUI feedback related to this cert.
266 * XXX - these should be moved into some sort of application specific
267 * data structure. They are only used by the browser right now.
268 */
269 union {
270 void *apointer; /* was struct SECSocketNode* authsocketlist */
271 struct {
272 unsigned int hasUnsupportedCriticalExt : 1;
273 /* add any new option bits needed here */
274 } bits;
275 } options;
276 int series; /* was int authsocketcount; record the series of the pkcs11ID */
277
278 /* This is PKCS #11 stuff. */
279 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
280 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
281 PRBool ownSlot; /*true if the cert owns the slot reference */
282 };
283 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
284 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
285 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
286
287 #define SEC_CRL_VERSION_1 0 /* default */
288 #define SEC_CRL_VERSION_2 1 /* v2 extensions */
289
290 /*
291 * used to identify class of cert in mime stream code
292 */
293 #define SEC_CERT_CLASS_CA 1
294 #define SEC_CERT_CLASS_SERVER 2
295 #define SEC_CERT_CLASS_USER 3
296 #define SEC_CERT_CLASS_EMAIL 4
297
298 struct CERTDERCertsStr {
299 PLArenaPool *arena;
300 int numcerts;
301 SECItem *rawCerts;
302 };
303
304 /*
305 ** A PKCS ? Attribute
306 ** XXX this is duplicated through out the code, it *should* be moved
307 ** to a central location. Where would be appropriate?
308 */
309 struct CERTAttributeStr {
310 SECItem attrType;
311 SECItem **attrValue;
312 };
313
314 /*
315 ** A PKCS#10 certificate-request object (the unsigned form)
316 */
317 struct CERTCertificateRequestStr {
318 PLArenaPool *arena;
319 SECItem version;
320 CERTName subject;
321 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
322 CERTAttribute **attributes;
323 };
324 #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
325
326 /*
327 ** A certificate list object.
328 */
329 struct CERTCertificateListStr {
330 SECItem *certs;
331 int len; /* number of certs */
332 PLArenaPool *arena;
333 };
334
335 struct CERTCertListNodeStr {
336 PRCList links;
337 CERTCertificate *cert;
338 void *appData;
339 };
340
341 struct CERTCertListStr {
342 PRCList list;
343 PLArenaPool *arena;
344 };
345
346 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
347 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
348 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
349 #define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
350 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
351
352 struct CERTCrlEntryStr {
353 SECItem serialNumber;
354 SECItem revocationDate;
355 CERTCertExtension **extensions;
356 };
357
358 struct CERTCrlStr {
359 PLArenaPool *arena;
360 SECItem version;
361 SECAlgorithmID signatureAlg;
362 SECItem derName;
363 CERTName name;
364 SECItem lastUpdate;
365 SECItem nextUpdate; /* optional for x.509 CRL */
366 CERTCrlEntry **entries;
367 CERTCertExtension **extensions;
368 /* can't add anything there for binary backwards compatibility reasons */
369 };
370
371 struct CERTCrlKeyStr {
372 SECItem derName;
373 SECItem dummy; /* The decoder can not skip a primitive,
374 this serves as a place holder for the
375 decoder to finish its task only
376 */
377 };
378
379 struct CERTSignedCrlStr {
380 PLArenaPool *arena;
381 CERTCrl crl;
382 void *reserved1;
383 PRBool reserved2;
384 PRBool isperm;
385 PRBool istemp;
386 int referenceCount;
387 CERTCertDBHandle *dbhandle;
388 CERTSignedData signatureWrap; /* XXX */
389 char *url;
390 SECItem *derCrl;
391 PK11SlotInfo *slot;
392 CK_OBJECT_HANDLE pkcs11ID;
393 void *opaque; /* do not touch */
394 };
395
396 struct CERTCrlHeadNodeStr {
397 PLArenaPool *arena;
398 CERTCertDBHandle *dbhandle;
399 CERTCrlNode *first;
400 CERTCrlNode *last;
401 };
402
403 struct CERTCrlNodeStr {
404 CERTCrlNode *next;
405 int type;
406 CERTSignedCrl *crl;
407 };
408
409 /*
410 * Array of X.500 Distinguished Names
411 */
412 struct CERTDistNamesStr {
413 PLArenaPool *arena;
414 int nnames;
415 SECItem *names;
416 void *head; /* private */
417 };
418
419 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
420 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
421 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
422 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
423 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
424 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
425 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
426 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
427
428 #define EXT_KEY_USAGE_TIME_STAMP (0x8000)
429 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
430
431 #define NS_CERT_TYPE_APP \
432 (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
433 NS_CERT_TYPE_OBJECT_SIGNING)
434
435 #define NS_CERT_TYPE_CA \
436 (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
437 NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
438 typedef enum SECCertUsageEnum {
439 certUsageSSLClient = 0,
440 certUsageSSLServer = 1,
441 certUsageSSLServerWithStepUp = 2,
442 certUsageSSLCA = 3,
443 certUsageEmailSigner = 4,
444 certUsageEmailRecipient = 5,
445 certUsageObjectSigner = 6,
446 certUsageUserCertImport = 7,
447 certUsageVerifyCA = 8,
448 certUsageProtectedObjectSigner = 9,
449 certUsageStatusResponder = 10,
450 certUsageAnyCA = 11
451 } SECCertUsage;
452
453 typedef PRInt64 SECCertificateUsage;
454
455 #define certificateUsageCheckAllUsages (0x0000)
456 #define certificateUsageSSLClient (0x0001)
457 #define certificateUsageSSLServer (0x0002)
458 #define certificateUsageSSLServerWithStepUp (0x0004)
459 #define certificateUsageSSLCA (0x0008)
460 #define certificateUsageEmailSigner (0x0010)
461 #define certificateUsageEmailRecipient (0x0020)
462 #define certificateUsageObjectSigner (0x0040)
463 #define certificateUsageUserCertImport (0x0080)
464 #define certificateUsageVerifyCA (0x0100)
465 #define certificateUsageProtectedObjectSigner (0x0200)
466 #define certificateUsageStatusResponder (0x0400)
467 #define certificateUsageAnyCA (0x0800)
468
469 #define certificateUsageHighest certificateUsageAnyCA
470
471 /*
472 * Does the cert belong to the user, a peer, or a CA.
473 */
474 typedef enum CERTCertOwnerEnum {
475 certOwnerUser = 0,
476 certOwnerPeer = 1,
477 certOwnerCA = 2
478 } CERTCertOwner;
479
480 /*
481 * This enum represents the state of validity times of a certificate
482 */
483 typedef enum SECCertTimeValidityEnum {
484 secCertTimeValid = 0,
485 secCertTimeExpired = 1,
486 secCertTimeNotValidYet = 2,
487 secCertTimeUndetermined = 3 /* validity could not be decoded from the
488 cert, most likely because it was NULL */
489 } SECCertTimeValidity;
490
491 /*
492 * This is used as return status in functions that compare the validity
493 * periods of two certificates A and B, currently only
494 * CERT_CompareValidityTimes.
495 */
496
497 typedef enum CERTCompareValidityStatusEnum {
498 certValidityUndetermined = 0, /* the function is unable to select one cert
499 over another */
500 certValidityChooseB = 1, /* cert B should be preferred */
501 certValidityEqual = 2, /* both certs have the same validity period */
502 certValidityChooseA = 3 /* cert A should be preferred */
503 } CERTCompareValidityStatus;
504
505 /*
506 * Interface for getting certificate nickname strings out of the database
507 */
508
509 /* these are values for the what argument below */
510 #define SEC_CERT_NICKNAMES_ALL 1
511 #define SEC_CERT_NICKNAMES_USER 2
512 #define SEC_CERT_NICKNAMES_SERVER 3
513 #define SEC_CERT_NICKNAMES_CA 4
514
515 struct CERTCertNicknamesStr {
516 PLArenaPool *arena;
517 void *head;
518 int numnicknames;
519 char **nicknames;
520 int what;
521 int totallen;
522 };
523
524 struct CERTIssuerAndSNStr {
525 SECItem derIssuer;
526 CERTName issuer;
527 SECItem serialNumber;
528 };
529
530 /* X.509 v3 Key Usage Extension flags */
531 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
532 #define KU_NON_REPUDIATION (0x40) /* bit 1 */
533 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
534 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
535 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */
536 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
537 #define KU_CRL_SIGN (0x02) /* bit 6 */
538 #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
539 #define KU_ALL \
540 (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \
541 KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \
542 KU_CRL_SIGN | KU_ENCIPHER_ONLY)
543
544 /* This value will not occur in certs. It is used internally for the case
545 * when either digital signature or non-repudiation is the correct value.
546 */
547 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
548
549 /* This value will not occur in certs. It is used internally for the case
550 * when the key type is not know ahead of time and either key agreement or
551 * key encipherment are the correct value based on key type
552 */
553 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
554
555 /* internal bits that do not match bits in the x509v3 spec, but are used
556 * for similar purposes
557 */
558 #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
559 /*
560 * x.509 v3 Basic Constraints Extension
561 * If isCA is false, the pathLenConstraint is ignored.
562 * Otherwise, the following pathLenConstraint values will apply:
563 * < 0 - there is no limit to the certificate path
564 * 0 - CA can issues end-entity certificates only
565 * > 0 - the number of certificates in the certificate path is
566 * limited to this number
567 */
568 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
569
570 struct CERTBasicConstraintsStr {
571 PRBool isCA; /* on if is CA */
572 int pathLenConstraint; /* maximum number of certificates that can be
573 in the cert path. Only applies to a CA
574 certificate; otherwise, it's ignored.
575 */
576 };
577
578 /* Maximum length of a certificate chain */
579 #define CERT_MAX_CERT_CHAIN 20
580
581 #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
582 #define CERT_MAX_DN_BYTES 4096 /* arbitrary */
583
584 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
585 #define RF_UNUSED (0x80) /* bit 0 */
586 #define RF_KEY_COMPROMISE (0x40) /* bit 1 */
587 #define RF_CA_COMPROMISE (0x20) /* bit 2 */
588 #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
589 #define RF_SUPERSEDED (0x08) /* bit 4 */
590 #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
591 #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
592
593 /* enum for CRL Entry Reason Code */
594 typedef enum CERTCRLEntryReasonCodeEnum {
595 crlEntryReasonUnspecified = 0,
596 crlEntryReasonKeyCompromise = 1,
597 crlEntryReasonCaCompromise = 2,
598 crlEntryReasonAffiliationChanged = 3,
599 crlEntryReasonSuperseded = 4,
600 crlEntryReasonCessationOfOperation = 5,
601 crlEntryReasoncertificatedHold = 6,
602 crlEntryReasonRemoveFromCRL = 8,
603 crlEntryReasonPrivilegeWithdrawn = 9,
604 crlEntryReasonAaCompromise = 10
605 } CERTCRLEntryReasonCode;
606
607 /* If we needed to extract the general name field, use this */
608 /* General Name types */
609 typedef enum CERTGeneralNameTypeEnum {
610 certOtherName = 1,
611 certRFC822Name = 2,
612 certDNSName = 3,
613 certX400Address = 4,
614 certDirectoryName = 5,
615 certEDIPartyName = 6,
616 certURI = 7,
617 certIPAddress = 8,
618 certRegisterID = 9
619 } CERTGeneralNameType;
620
621 typedef struct OtherNameStr {
622 SECItem name;
623 SECItem oid;
624 } OtherName;
625
626 struct CERTGeneralNameStr {
627 CERTGeneralNameType type; /* name type */
628 union {
629 CERTName directoryName; /* distinguish name */
630 OtherName OthName; /* Other Name */
631 SECItem other; /* the rest of the name forms */
632 } name;
633 SECItem derDirectoryName; /* this is saved to simplify directory name
634 comparison */
635 PRCList l;
636 };
637
638 struct CERTGeneralNameListStr {
639 PLArenaPool *arena;
640 CERTGeneralName *name;
641 int refCount;
642 int len;
643 PZLock *lock;
644 };
645
646 struct CERTNameConstraintStr {
647 CERTGeneralName name;
648 SECItem DERName;
649 SECItem min;
650 SECItem max;
651 PRCList l;
652 };
653
654 struct CERTNameConstraintsStr {
655 CERTNameConstraint *permited;
656 CERTNameConstraint *excluded;
657 SECItem **DERPermited;
658 SECItem **DERExcluded;
659 };
660
661 /* Private Key Usage Period extension struct. */
662 struct CERTPrivKeyUsagePeriodStr {
663 SECItem notBefore;
664 SECItem notAfter;
665 PLArenaPool *arena;
666 };
667
668 /* X.509 v3 Authority Key Identifier extension. For the authority certificate
669 issuer field, we only support URI now.
670 */
671 struct CERTAuthKeyIDStr {
672 SECItem keyID; /* unique key identifier */
673 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
674 SECItem authCertSerialNumber; /* CA's certificate serial number */
675 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
676 the authCertIssuer field. It is used
677 by the encoding engine. It should be
678 used as a read only field by the caller.
679 */
680 };
681
682 /* x.509 v3 CRL Distributeion Point */
683
684 /*
685 * defined the types of CRL Distribution points
686 */
687 typedef enum DistributionPointTypesEnum {
688 generalName = 1, /* only support this for now */
689 relativeDistinguishedName = 2
690 } DistributionPointTypes;
691
692 struct CRLDistributionPointStr {
693 DistributionPointTypes distPointType;
694 union {
695 CERTGeneralName *fullName;
696 CERTRDN relativeName;
697 } distPoint;
698 SECItem reasons;
699 CERTGeneralName *crlIssuer;
700
701 /* Reserved for internal use only*/
702 SECItem derDistPoint;
703 SECItem derRelativeName;
704 SECItem **derCrlIssuer;
705 SECItem **derFullName;
706 SECItem bitsmap;
707 };
708
709 struct CERTCrlDistributionPointsStr {
710 CRLDistributionPoint **distPoints;
711 };
712
713 /*
714 * This structure is used to keep a log of errors when verifying
715 * a cert chain. This allows multiple errors to be reported all at
716 * once.
717 */
718 struct CERTVerifyLogNodeStr {
719 CERTCertificate *cert; /* what cert had the error */
720 long error; /* what error was it? */
721 unsigned int depth; /* how far up the chain are we */
722 void *arg; /* error specific argument */
723 struct CERTVerifyLogNodeStr *next; /* next in the list */
724 struct CERTVerifyLogNodeStr *prev; /* next in the list */
725 };
726
727 struct CERTVerifyLogStr {
728 PLArenaPool *arena;
729 unsigned int count;
730 struct CERTVerifyLogNodeStr *head;
731 struct CERTVerifyLogNodeStr *tail;
732 };
733
734 struct CERTOKDomainNameStr {
735 CERTOKDomainName *next;
736 char name[1]; /* actual length may be longer. */
737 };
738
739 typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle,
740 CERTCertificate *cert,
741 PRTime time, void *pwArg);
742
743 typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle);
744
745 struct CERTStatusConfigStr {
746 CERTStatusChecker statusChecker; /* NULL means no checking enabled */
747 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
748 void *statusContext; /* cx specific to checking protocol */
749 };
750
751 struct CERTAuthInfoAccessStr {
752 SECItem method;
753 SECItem derLocation;
754 CERTGeneralName *location; /* decoded location */
755 };
756
757 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
758 /* callback to return database name based on version number */
759 typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion);
760
761 /*
762 * types of cert packages that we can decode
763 */
764 typedef enum CERTPackageTypeEnum {
765 certPackageNone = 0,
766 certPackageCert = 1,
767 certPackagePKCS7 = 2,
768 certPackageNSCertSeq = 3,
769 certPackageNSCertWrap = 4
770 } CERTPackageType;
771
772 /*
773 * these types are for the PKIX Certificate Policies extension
774 */
775 typedef struct {
776 SECOidTag oid;
777 SECItem qualifierID;
778 SECItem qualifierValue;
779 } CERTPolicyQualifier;
780
781 typedef struct {
782 SECOidTag oid;
783 SECItem policyID;
784 CERTPolicyQualifier **policyQualifiers;
785 } CERTPolicyInfo;
786
787 typedef struct {
788 PLArenaPool *arena;
789 CERTPolicyInfo **policyInfos;
790 } CERTCertificatePolicies;
791
792 typedef struct {
793 SECItem organization;
794 SECItem **noticeNumbers;
795 } CERTNoticeReference;
796
797 typedef struct {
798 PLArenaPool *arena;
799 CERTNoticeReference noticeReference;
800 SECItem derNoticeReference;
801 SECItem displayText;
802 } CERTUserNotice;
803
804 typedef struct {
805 PLArenaPool *arena;
806 SECItem **oids;
807 } CERTOidSequence;
808
809 /*
810 * these types are for the PKIX Policy Mappings extension
811 */
812 typedef struct {
813 SECItem issuerDomainPolicy;
814 SECItem subjectDomainPolicy;
815 } CERTPolicyMap;
816
817 typedef struct {
818 PLArenaPool *arena;
819 CERTPolicyMap **policyMaps;
820 } CERTCertificatePolicyMappings;
821
822 /*
823 * these types are for the PKIX inhibitAnyPolicy extension
824 */
825 typedef struct {
826 SECItem inhibitAnySkipCerts;
827 } CERTCertificateInhibitAny;
828
829 /*
830 * these types are for the PKIX Policy Constraints extension
831 */
832 typedef struct {
833 SECItem explicitPolicySkipCerts;
834 SECItem inhibitMappingSkipCerts;
835 } CERTCertificatePolicyConstraints;
836
837 /*
838 * These types are for the validate chain callback param.
839 *
840 * CERTChainVerifyCallback is an application-supplied callback that can be used
841 * to augment libpkix's certificate chain validation with additional
842 * application-specific checks. It may be called multiple times if there are
843 * multiple potentially-valid paths for the certificate being validated. This
844 * callback is called before revocation checking is done on the certificates in
845 * the given chain.
846 *
847 * - isValidChainArg contains the application-provided opaque argument
848 * - currentChain is the currently validated chain. It is ordered with the leaf
849 * certificate at the head and the trust anchor at the tail.
850 *
851 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
852 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
853 * return SECSuccess if the chain is unacceptable, to indicate that the given
854 * chain is bad and path building should continue. It should return SECFailure
855 * to indicate an fatal error that will cause path validation to fail
856 * immediately.
857 */
858 typedef SECStatus (*CERTChainVerifyCallbackFunc)(
859 void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK);
860
861 /*
862 * Note: If extending this structure, it will be necessary to change the
863 * associated CERTValParamInType
864 */
865 typedef struct {
866 CERTChainVerifyCallbackFunc isChainValid;
867 void *isChainValidArg;
868 } CERTChainVerifyCallback;
869
870 /*
871 * these types are for the CERT_PKIX* Verification functions
872 * These are all optional parameters.
873 */
874
875 typedef enum {
876 cert_pi_end = 0, /* SPECIAL: signifies end of array of
877 * CERTValParam* */
878 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
879 * resume a session. If this argument is
880 * specified, no other arguments should be.
881 * Specified in value.pointer.p. If the
882 * operation completes the context will be
883 * freed. */
884 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
885 * existing operation which the caller wants
886 * to abort. If this argument is
887 * specified, no other arguments should be.
888 * Specified in value.pointer.p. If the
889 * operation succeeds the context will be
890 * freed. */
891 cert_pi_certList = 3, /* specify the chain to validate against. If
892 * this value is given, then the path
893 * construction step in the validation is
894 * skipped. Specified in value.pointer.chain */
895 cert_pi_policyOID = 4, /* validate certificate for policy OID.
896 * Specified in value.array.oids. Cert must
897 * be good for at least one OID in order
898 * to validate. Default is that the user is not
899 * concerned about certificate policy. */
900 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
901 * Specified in value.scalar.ul. Policy flags
902 * apply to all specified oids.
903 * Use CERT_POLICY_FLAG_* macros below. If not
904 * specified policy flags default to 0 */
905 cert_pi_keyusage = 6, /* specify what the keyusages the certificate
906 * will be evaluated against, specified in
907 * value.scalar.ui. The cert must validate for
908 * at least one of the specified key usages.
909 * Values match the KU_ bit flags defined
910 * in this file. Default is derived from
911 * the 'usages' function argument */
912 cert_pi_extendedKeyusage = 7, /* specify what the required extended key
913 * usage of the certificate. Specified as
914 * an array of oidTags in value.array.oids.
915 * The cert must validate for at least one
916 * of the specified extended key usages.
917 * If not specified, no extended key usages
918 * will be checked. */
919 cert_pi_date = 8, /* validate certificate is valid as of date
920 * specified in value.scalar.time. A special
921 * value '0' indicates 'now'. default is '0' * /
922 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
923 * See CERT_REV_FLAG_* macros below
924 * Set in value.pointer.revocation */
925 cert_pi_certStores = 10, /* Bitmask of Cert Store flags (see below)
926 * Set in value.scalar.ui */
927 cert_pi_trustAnchors =
928 11, /* Specify the list of trusted roots to
929 * validate against.
930 * The default set of trusted roots, these are
931 * root CA certs from libnssckbi.so or CA
932 * certs trusted by user, are used in any of
933 * the following cases:
934 * * when the parameter is not set.
935 * * when the list of trust anchors is
936 * empty.
937 * Note that this handling can be further
938 * altered by altering the
939 * cert_pi_useOnlyTrustAnchors flag
940 * Specified in value.pointer.chain */
941 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
942 * In NSS 3.12.1 or later. Default is off.
943 * Value is in value.scalar.b */
944 cert_pi_chainVerifyCallback = 13,
945 /* The callback container for doing extra
946 * validation on the currently calculated chain.
947 * Value is in value.pointer.chainVerifyCallback */
948 cert_pi_useOnlyTrustAnchors = 14,
949 /* If true, disables trusting any
950 * certificates other than the ones passed in via cert_pi_trustAnchors.
951 * If false, then the certificates specified via cert_pi_trustAnchors
952 * will be combined with the pre-existing trusted roots, but only
953 * for the certificate validation being performed.
954 * If no value has been supplied via cert_pi_trustAnchors, this has
955 * no effect.
956 * The default value is true, meaning if this is not supplied, only
957 * trust anchors supplied via cert_pi_trustAnchors are trusted.
958 * Specified in value.scalar.b */
959 cert_pi_max /* SPECIAL: signifies maximum allowed value,
960 * can increase in future releases */
961 } CERTValParamInType;
962
963 /*
964 * for all out parameters:
965 * out parameters are only returned if the caller asks for them in
966 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
967 * array itself. The pkix verify function will allocate and other arrays
968 * pointers, or objects. The Caller is responsible for freeing those results.
969 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
970 */
971 typedef enum {
972 cert_po_end = 0, /* SPECIAL: signifies end of array of
973 * CERTValParam* */
974 cert_po_nbioContext = 1, /* Return a nonblocking context. If no
975 * non-blocking context is specified, then
976 * blocking IO will be used.
977 * Returned in value.pointer.p. The context is
978 * freed after an abort or a complete operatio n.
979 * This value is only returned on SECWouldBloc k.
980 */
981 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that
982 * was validated. Returned in
983 * value.pointer.cert, this value is only
984 * returned on SECSuccess. */
985 cert_po_certList = 3, /* Return the entire chain that was validated.
986 * Returned in value.pointer.certList. If no
987 * chain could be constructed, this value
988 * would be NULL. */
989 cert_po_policyOID = 4, /* Return the policies that were found to be
990 * valid. Returned in value.array.oids as an
991 * array. This is only returned on
992 * SECSuccess. */
993 cert_po_errorLog = 5, /* Return a log of problems with the chain.
994 * Returned in value.pointer.log */
995 cert_po_usages = 6, /* Return what usages the certificate is valid
996 for. Returned in value.scalar.usages */
997 cert_po_keyUsage = 7, /* Return what key usages the certificate
998 * is valid for.
999 * Returned in value.scalar.usage */
1000 cert_po_extendedKeyusage = 8, /* Return what extended key usages the
1001 * certificate is valid for.
1002 * Returned in value.array.oids */
1003 cert_po_max /* SPECIAL: signifies maximum allowed value,
1004 * can increase in future releases */
1005
1006 } CERTValParamOutType;
1007
1008 typedef enum {
1009 cert_revocation_method_crl = 0,
1010 cert_revocation_method_ocsp,
1011 cert_revocation_method_count
1012 } CERTRevocationMethodIndex;
1013
1014 /*
1015 * The following flags are supposed to be used to control bits in
1016 * each integer contained in the array pointed to be:
1017 * CERTRevocationTests.cert_rev_flags_per_method
1018 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1019 * this is a method dependent flag.
1020 */
1021
1022 /*
1023 * Whether or not to use a method for revocation testing.
1024 * If set to "do not test", then all other flags are ignored.
1025 */
1026 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1027 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1028
1029 /*
1030 * Whether or not NSS is allowed to attempt to fetch fresh information
1031 * from the network.
1032 * (Although fetching will never happen if fresh information for the
1033 * method is already locally available.)
1034 */
1035 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1036 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1037
1038 /*
1039 * Example for an implicit default source:
1040 * The globally configured default OCSP responder.
1041 * IGNORE means:
1042 * ignore the implicit default source, whether it's configured or not.
1043 * ALLOW means:
1044 * if an implicit default source is configured,
1045 * then it overrides any available or missing source in the cert.
1046 * if no implicit default source is configured,
1047 * then we continue to use what's available (or not available)
1048 * in the certs.
1049 */
1050 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1051 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1052
1053 /*
1054 * Defines the behavior if no fresh information is available,
1055 * fetching from the network is allowed, but the source of revocation
1056 * information is unknown (even after considering implicit sources,
1057 * if allowed by other flags).
1058 * SKIPT_TEST means:
1059 * We ignore that no fresh information is available and
1060 * skip this test.
1061 * REQUIRE_INFO means:
1062 * We still require that fresh information is available.
1063 * Other flags define what happens on missing fresh info.
1064 */
1065 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1066 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1067
1068 /*
1069 * Defines the behavior if we are unable to obtain fresh information.
1070 * INGORE means:
1071 * Return "cert status unknown"
1072 * FAIL means:
1073 * Return "cert revoked".
1074 */
1075 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1076 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1077
1078 /*
1079 * What should happen if we were able to find fresh information using
1080 * this method, and the data indicated the cert is good?
1081 * STOP_TESTING means:
1082 * Our success is sufficient, do not continue testing
1083 * other methods.
1084 * CONTINUE_TESTING means:
1085 * We will continue and test the next allowed
1086 * specified method.
1087 */
1088 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1089 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1090
1091 /* When this flag is used, libpkix will never attempt to use the GET HTTP
1092 * method for OCSP requests; it will always use POST.
1093 */
1094 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1095
1096 /*
1097 * The following flags are supposed to be used to control bits in
1098 * CERTRevocationTests.cert_rev_method_independent_flags
1099 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1100 * this is a method independent flag.
1101 */
1102
1103 /*
1104 * This defines the order to checking.
1105 * EACH_METHOD_SEPARATELY means:
1106 * Do all tests related to a particular allowed method
1107 * (both local information and network fetching) in a single step.
1108 * Only after testing for a particular method is done,
1109 * then switching to the next method will happen.
1110 * ALL_LOCAL_INFORMATION_FIRST means:
1111 * Start by testing the information for all allowed methods
1112 * which are already locally available. Only after that is done
1113 * consider to fetch from the network (as allowed by other flags).
1114 */
1115 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1116 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1117
1118 /*
1119 * Use this flag to specify that it's necessary that fresh information
1120 * is available for at least one of the allowed methods, but it's
1121 * irrelevant which of the mechanisms succeeded.
1122 * NO_OVERALL_INFO_REQUIREMENT means:
1123 * We strictly follow the requirements for each individual method.
1124 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1125 * After the individual tests have been executed, we must have
1126 * been able to find fresh information using at least one method.
1127 * If we were unable to find fresh info, it's a failure.
1128 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1129 * flag on all methods.
1130 */
1131 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1132 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1133
1134 typedef struct {
1135 /*
1136 * The size of the array that cert_rev_flags_per_method points to,
1137 * meaning, the number of methods that are known and defined
1138 * by the caller.
1139 */
1140 PRUint32 number_of_defined_methods;
1141
1142 /*
1143 * A pointer to an array of integers.
1144 * Each integer defines revocation checking for a single method,
1145 * by having individual CERT_REV_M_* bits set or not set.
1146 * The meaning of index numbers into this array are defined by
1147 * enum CERTRevocationMethodIndex
1148 * The size of the array must be specified by the caller in the separate
1149 * variable number_of_defined_methods.
1150 * The size of the array may be smaller than
1151 * cert_revocation_method_count, it can happen if a caller
1152 * is not yet aware of the latest revocation methods
1153 * (or does not want to use them).
1154 */
1155 PRUint64 *cert_rev_flags_per_method;
1156
1157 /*
1158 * How many preferred methods are specified?
1159 * This is equivalent to the size of the array that
1160 * preferred_methods points to.
1161 * It's allowed to set this value to zero,
1162 * then NSS will decide which methods to prefer.
1163 */
1164 PRUint32 number_of_preferred_methods;
1165
1166 /* Array that may specify an optional order of preferred methods.
1167 * Each array entry shall contain a method identifier as defined
1168 * by CERTRevocationMethodIndex.
1169 * The entry at index [0] specifies the method with highest preference.
1170 * These methods will be tested first for locally available information.
1171 * Methods allowed for downloading will be attempted in the same order.
1172 */
1173 CERTRevocationMethodIndex *preferred_methods;
1174
1175 /*
1176 * An integer which defines certain aspects of revocation checking
1177 * (independent of individual methods) by having individual
1178 * CERT_REV_MI_* bits set or not set.
1179 */
1180 PRUint64 cert_rev_method_independent_flags;
1181 } CERTRevocationTests;
1182
1183 typedef struct {
1184 CERTRevocationTests leafTests;
1185 CERTRevocationTests chainTests;
1186 } CERTRevocationFlags;
1187
1188 typedef struct CERTValParamInValueStr {
1189 union {
1190 PRBool b;
1191 PRInt32 i;
1192 PRUint32 ui;
1193 PRInt64 l;
1194 PRUint64 ul;
1195 PRTime time;
1196 } scalar;
1197 union {
1198 const void *p;
1199 const char *s;
1200 const CERTCertificate *cert;
1201 const CERTCertList *chain;
1202 const CERTRevocationFlags *revocation;
1203 const CERTChainVerifyCallback *chainVerifyCallback;
1204 } pointer;
1205 union {
1206 const PRInt32 *pi;
1207 const PRUint32 *pui;
1208 const PRInt64 *pl;
1209 const PRUint64 *pul;
1210 const SECOidTag *oids;
1211 } array;
1212 int arraySize;
1213 } CERTValParamInValue;
1214
1215 typedef struct CERTValParamOutValueStr {
1216 union {
1217 PRBool b;
1218 PRInt32 i;
1219 PRUint32 ui;
1220 PRInt64 l;
1221 PRUint64 ul;
1222 SECCertificateUsage usages;
1223 } scalar;
1224 union {
1225 void *p;
1226 char *s;
1227 CERTVerifyLog *log;
1228 CERTCertificate *cert;
1229 CERTCertList *chain;
1230 } pointer;
1231 union {
1232 void *p;
1233 SECOidTag *oids;
1234 } array;
1235 int arraySize;
1236 } CERTValParamOutValue;
1237
1238 typedef struct {
1239 CERTValParamInType type;
1240 CERTValParamInValue value;
1241 } CERTValInParam;
1242
1243 typedef struct {
1244 CERTValParamOutType type;
1245 CERTValParamOutValue value;
1246 } CERTValOutParam;
1247
1248 /*
1249 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1250 */
1251 typedef enum CertStrictnessLevels {
1252 CERT_N2A_READABLE = 0, /* maximum human readability */
1253 CERT_N2A_STRICT = 10, /* strict RFC compliance */
1254 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
1255 all DirectoryStrings encoded in hex */
1256 } CertStrictnessLevel;
1257
1258 /*
1259 * policy flag defines
1260 */
1261 #define CERT_POLICY_FLAG_NO_MAPPING 1
1262 #define CERT_POLICY_FLAG_EXPLICIT 2
1263 #define CERT_POLICY_FLAG_NO_ANY 4
1264
1265 /*
1266 * CertStore flags
1267 */
1268 #define CERT_ENABLE_LDAP_FETCH 1
1269 #define CERT_ENABLE_HTTP_FETCH 2
1270
1271 /* This functin pointer type may be used for any function that takes
1272 * a CERTCertificate * and returns an allocated string, which must be
1273 * freed by a call to PORT_Free.
1274 */
1275 typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert);
1276
1277 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1278
1279 #include "secasn1t.h" /* way down here because I expect template stuff to
1280 * move out of here anyway */
1281
1282 SEC_BEGIN_PROTOS
1283
1284 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1285 extern const SEC_ASN1Template CERT_CertificateTemplate[];
1286 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1287 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1288 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1289 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1290 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1291 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1292 extern const SEC_ASN1Template CERT_ValidityTemplate[];
1293 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1294 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1295
1296 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1297 extern const SEC_ASN1Template CERT_NameTemplate[];
1298 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1299 extern const SEC_ASN1Template CERT_RDNTemplate[];
1300 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1301 extern const SEC_ASN1Template CERT_CrlTemplate[];
1302 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1303
1304 /*
1305 ** XXX should the attribute stuff be centralized for all of ns/security?
1306 */
1307 extern const SEC_ASN1Template CERT_AttributeTemplate[];
1308 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1309
1310 /* These functions simply return the address of the above-declared templates.
1311 ** This is necessary for Windows DLLs. Sigh.
1312 */
1313 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1314 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1315 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1316 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1317 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1318 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1319 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1320 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1321 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1322 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1323 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1324 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1325
1326 SEC_END_PROTOS
1327
1328 #endif /* _CERTT_H_ */