OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * certt.h - public data structures for the certificate library | |
6 */ | |
7 #ifndef _CERTT_H_ | |
8 #define _CERTT_H_ | |
9 | |
10 #include "prclist.h" | |
11 #include "pkcs11t.h" | |
12 #include "seccomon.h" | |
13 #include "secmodt.h" | |
14 #include "secoidt.h" | |
15 #include "plarena.h" | |
16 #include "prcvar.h" | |
17 #include "nssilock.h" | |
18 #include "prio.h" | |
19 #include "prmon.h" | |
20 | |
21 /* Stan data types */ | |
22 struct NSSCertificateStr; | |
23 struct NSSTrustDomainStr; | |
24 | |
25 /* Non-opaque objects */ | |
26 typedef struct CERTAVAStr CERTAVA; | |
27 typedef struct CERTAttributeStr CERTAttribute; | |
28 typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess; | |
29 typedef struct CERTAuthKeyIDStr CERTAuthKeyID; | |
30 typedef struct CERTBasicConstraintsStr CERTBasicConstraints; | |
31 typedef struct NSSTrustDomainStr CERTCertDBHandle; | |
32 typedef struct CERTCertExtensionStr CERTCertExtension; | |
33 typedef struct CERTCertKeyStr CERTCertKey; | |
34 typedef struct CERTCertListStr CERTCertList; | |
35 typedef struct CERTCertListNodeStr CERTCertListNode; | |
36 typedef struct CERTCertNicknamesStr CERTCertNicknames; | |
37 typedef struct CERTCertTrustStr CERTCertTrust; | |
38 typedef struct CERTCertificateStr CERTCertificate; | |
39 typedef struct CERTCertificateListStr CERTCertificateList; | |
40 typedef struct CERTCertificateRequestStr CERTCertificateRequest; | |
41 typedef struct CERTCrlStr CERTCrl; | |
42 typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints; | |
43 typedef struct CERTCrlEntryStr CERTCrlEntry; | |
44 typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode; | |
45 typedef struct CERTCrlKeyStr CERTCrlKey; | |
46 typedef struct CERTCrlNodeStr CERTCrlNode; | |
47 typedef struct CERTDERCertsStr CERTDERCerts; | |
48 typedef struct CERTDistNamesStr CERTDistNames; | |
49 typedef struct CERTGeneralNameStr CERTGeneralName; | |
50 typedef struct CERTGeneralNameListStr CERTGeneralNameList; | |
51 typedef struct CERTIssuerAndSNStr CERTIssuerAndSN; | |
52 typedef struct CERTNameStr CERTName; | |
53 typedef struct CERTNameConstraintStr CERTNameConstraint; | |
54 typedef struct CERTNameConstraintsStr CERTNameConstraints; | |
55 typedef struct CERTOKDomainNameStr CERTOKDomainName; | |
56 typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod; | |
57 typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge; | |
58 typedef struct CERTRDNStr CERTRDN; | |
59 typedef struct CERTSignedCrlStr CERTSignedCrl; | |
60 typedef struct CERTSignedDataStr CERTSignedData; | |
61 typedef struct CERTStatusConfigStr CERTStatusConfig; | |
62 typedef struct CERTSubjectListStr CERTSubjectList; | |
63 typedef struct CERTSubjectNodeStr CERTSubjectNode; | |
64 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; | |
65 typedef struct CERTValidityStr CERTValidity; | |
66 typedef struct CERTVerifyLogStr CERTVerifyLog; | |
67 typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode; | |
68 typedef struct CRLDistributionPointStr CRLDistributionPoint; | |
69 | |
70 /* CRL extensions type */ | |
71 typedef unsigned long CERTCrlNumber; | |
72 | |
73 /* | |
74 ** An X.500 AVA object | |
75 */ | |
76 struct CERTAVAStr { | |
77 SECItem type; | |
78 SECItem value; | |
79 }; | |
80 | |
81 /* | |
82 ** An X.500 RDN object | |
83 */ | |
84 struct CERTRDNStr { | |
85 CERTAVA **avas; | |
86 }; | |
87 | |
88 /* | |
89 ** An X.500 name object | |
90 */ | |
91 struct CERTNameStr { | |
92 PLArenaPool *arena; | |
93 CERTRDN **rdns; | |
94 }; | |
95 | |
96 /* | |
97 ** An X.509 validity object | |
98 */ | |
99 struct CERTValidityStr { | |
100 PLArenaPool *arena; | |
101 SECItem notBefore; | |
102 SECItem notAfter; | |
103 }; | |
104 | |
105 /* | |
106 * A serial number and issuer name, which is used as a database key | |
107 */ | |
108 struct CERTCertKeyStr { | |
109 SECItem serialNumber; | |
110 SECItem derIssuer; | |
111 }; | |
112 | |
113 /* | |
114 ** A signed data object. Used to implement the "signed" macro used | |
115 ** in the X.500 specs. | |
116 */ | |
117 struct CERTSignedDataStr { | |
118 SECItem data; | |
119 SECAlgorithmID signatureAlgorithm; | |
120 SECItem signature; | |
121 }; | |
122 | |
123 /* | |
124 ** An X.509 subject-public-key-info object | |
125 */ | |
126 struct CERTSubjectPublicKeyInfoStr { | |
127 PLArenaPool *arena; | |
128 SECAlgorithmID algorithm; | |
129 SECItem subjectPublicKey; | |
130 }; | |
131 | |
132 struct CERTPublicKeyAndChallengeStr { | |
133 SECItem spki; | |
134 SECItem challenge; | |
135 }; | |
136 | |
137 struct CERTCertTrustStr { | |
138 unsigned int sslFlags; | |
139 unsigned int emailFlags; | |
140 unsigned int objectSigningFlags; | |
141 }; | |
142 | |
143 /* | |
144 * defined the types of trust that exist | |
145 */ | |
146 typedef enum SECTrustTypeEnum { | |
147 trustSSL = 0, | |
148 trustEmail = 1, | |
149 trustObjectSigning = 2, | |
150 trustTypeNone = 3 | |
151 } SECTrustType; | |
152 | |
153 #define SEC_GET_TRUST_FLAGS(trust, type) \ | |
154 (((type) == trustSSL) \ | |
155 ? ((trust)->sslFlags) \ | |
156 : (((type) == trustEmail) ? ((trust)->emailFlags) \ | |
157 : (((type) == trustObjectSigning) \ | |
158 ? ((trust)->objectSigningFlags) \ | |
159 : 0))) | |
160 | |
161 /* | |
162 ** An X.509.3 certificate extension | |
163 */ | |
164 struct CERTCertExtensionStr { | |
165 SECItem id; | |
166 SECItem critical; | |
167 SECItem value; | |
168 }; | |
169 | |
170 struct CERTSubjectNodeStr { | |
171 struct CERTSubjectNodeStr *next; | |
172 struct CERTSubjectNodeStr *prev; | |
173 SECItem certKey; | |
174 SECItem keyID; | |
175 }; | |
176 | |
177 struct CERTSubjectListStr { | |
178 PLArenaPool *arena; | |
179 int ncerts; | |
180 char *emailAddr; | |
181 CERTSubjectNode *head; | |
182 CERTSubjectNode *tail; /* do we need tail? */ | |
183 void *entry; | |
184 }; | |
185 | |
186 /* | |
187 ** An X.509 certificate object (the unsigned form) | |
188 */ | |
189 struct CERTCertificateStr { | |
190 /* the arena is used to allocate any data structures that have the same | |
191 * lifetime as the cert. This is all stuff that hangs off of the cert | |
192 * structure, and is all freed at the same time. It is used when the | |
193 * cert is decoded, destroyed, and at some times when it changes | |
194 * state | |
195 */ | |
196 PLArenaPool *arena; | |
197 | |
198 /* The following fields are static after the cert has been decoded */ | |
199 char *subjectName; | |
200 char *issuerName; | |
201 CERTSignedData signatureWrap; /* XXX */ | |
202 SECItem derCert; /* original DER for the cert */ | |
203 SECItem derIssuer; /* DER for issuer name */ | |
204 SECItem derSubject; /* DER for subject name */ | |
205 SECItem derPublicKey; /* DER for the public key */ | |
206 SECItem certKey; /* database key for this cert */ | |
207 SECItem version; | |
208 SECItem serialNumber; | |
209 SECAlgorithmID signature; | |
210 CERTName issuer; | |
211 CERTValidity validity; | |
212 CERTName subject; | |
213 CERTSubjectPublicKeyInfo subjectPublicKeyInfo; | |
214 SECItem issuerID; | |
215 SECItem subjectID; | |
216 CERTCertExtension **extensions; | |
217 char *emailAddr; | |
218 CERTCertDBHandle *dbhandle; | |
219 SECItem subjectKeyID; /* x509v3 subject key identifier */ | |
220 PRBool keyIDGenerated; /* was the keyid generated? */ | |
221 unsigned int keyUsage; /* what uses are allowed for this cert */ | |
222 unsigned int rawKeyUsage; /* value of the key usage extension */ | |
223 PRBool keyUsagePresent; /* was the key usage extension present */ | |
224 PRUint32 nsCertType; /* value of the ns cert type extension */ | |
225 /* must be 32-bit for PR_ATOMIC_SET */ | |
226 | |
227 /* these values can be set by the application to bypass certain checks | |
228 * or to keep the cert in memory for an entire session. | |
229 * XXX - need an api to set these | |
230 */ | |
231 PRBool keepSession; /* keep this cert for entire session*/ | |
232 PRBool timeOK; /* is the bad validity time ok? */ | |
233 CERTOKDomainName *domainOK; /* these domain names are ok */ | |
234 | |
235 /* | |
236 * these values can change when the cert changes state. These state | |
237 * changes include transitions from temp to perm or vice-versa, and | |
238 * changes of trust flags | |
239 */ | |
240 PRBool isperm; | |
241 PRBool istemp; | |
242 char *nickname; | |
243 char *dbnickname; | |
244 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */ | |
245 CERTCertTrust *trust; | |
246 | |
247 /* the reference count is modified whenever someone looks up, dups | |
248 * or destroys a certificate | |
249 */ | |
250 int referenceCount; | |
251 | |
252 /* The subject list is a list of all certs with the same subject name. | |
253 * It can be modified any time a cert is added or deleted from either | |
254 * the in-memory(temporary) or on-disk(permanent) database. | |
255 */ | |
256 CERTSubjectList *subjectList; | |
257 | |
258 /* these belong in the static section, but are here to maintain | |
259 * the structure's integrity | |
260 */ | |
261 CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */ | |
262 PRBool isRoot; /* cert is the end of a chain */ | |
263 | |
264 /* these fields are used by client GUI code to keep track of ssl sockets | |
265 * that are blocked waiting on GUI feedback related to this cert. | |
266 * XXX - these should be moved into some sort of application specific | |
267 * data structure. They are only used by the browser right now. | |
268 */ | |
269 union { | |
270 void *apointer; /* was struct SECSocketNode* authsocketlist */ | |
271 struct { | |
272 unsigned int hasUnsupportedCriticalExt : 1; | |
273 /* add any new option bits needed here */ | |
274 } bits; | |
275 } options; | |
276 int series; /* was int authsocketcount; record the series of the pkcs11ID */ | |
277 | |
278 /* This is PKCS #11 stuff. */ | |
279 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ | |
280 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ | |
281 PRBool ownSlot; /*true if the cert owns the slot reference */ | |
282 }; | |
283 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ | |
284 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ | |
285 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ | |
286 | |
287 #define SEC_CRL_VERSION_1 0 /* default */ | |
288 #define SEC_CRL_VERSION_2 1 /* v2 extensions */ | |
289 | |
290 /* | |
291 * used to identify class of cert in mime stream code | |
292 */ | |
293 #define SEC_CERT_CLASS_CA 1 | |
294 #define SEC_CERT_CLASS_SERVER 2 | |
295 #define SEC_CERT_CLASS_USER 3 | |
296 #define SEC_CERT_CLASS_EMAIL 4 | |
297 | |
298 struct CERTDERCertsStr { | |
299 PLArenaPool *arena; | |
300 int numcerts; | |
301 SECItem *rawCerts; | |
302 }; | |
303 | |
304 /* | |
305 ** A PKCS ? Attribute | |
306 ** XXX this is duplicated through out the code, it *should* be moved | |
307 ** to a central location. Where would be appropriate? | |
308 */ | |
309 struct CERTAttributeStr { | |
310 SECItem attrType; | |
311 SECItem **attrValue; | |
312 }; | |
313 | |
314 /* | |
315 ** A PKCS#10 certificate-request object (the unsigned form) | |
316 */ | |
317 struct CERTCertificateRequestStr { | |
318 PLArenaPool *arena; | |
319 SECItem version; | |
320 CERTName subject; | |
321 CERTSubjectPublicKeyInfo subjectPublicKeyInfo; | |
322 CERTAttribute **attributes; | |
323 }; | |
324 #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */ | |
325 | |
326 /* | |
327 ** A certificate list object. | |
328 */ | |
329 struct CERTCertificateListStr { | |
330 SECItem *certs; | |
331 int len; /* number of certs */ | |
332 PLArenaPool *arena; | |
333 }; | |
334 | |
335 struct CERTCertListNodeStr { | |
336 PRCList links; | |
337 CERTCertificate *cert; | |
338 void *appData; | |
339 }; | |
340 | |
341 struct CERTCertListStr { | |
342 PRCList list; | |
343 PLArenaPool *arena; | |
344 }; | |
345 | |
346 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list)) | |
347 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) | |
348 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next) | |
349 #define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list)) | |
350 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l) | |
351 | |
352 struct CERTCrlEntryStr { | |
353 SECItem serialNumber; | |
354 SECItem revocationDate; | |
355 CERTCertExtension **extensions; | |
356 }; | |
357 | |
358 struct CERTCrlStr { | |
359 PLArenaPool *arena; | |
360 SECItem version; | |
361 SECAlgorithmID signatureAlg; | |
362 SECItem derName; | |
363 CERTName name; | |
364 SECItem lastUpdate; | |
365 SECItem nextUpdate; /* optional for x.509 CRL */ | |
366 CERTCrlEntry **entries; | |
367 CERTCertExtension **extensions; | |
368 /* can't add anything there for binary backwards compatibility reasons */ | |
369 }; | |
370 | |
371 struct CERTCrlKeyStr { | |
372 SECItem derName; | |
373 SECItem dummy; /* The decoder can not skip a primitive, | |
374 this serves as a place holder for the | |
375 decoder to finish its task only | |
376 */ | |
377 }; | |
378 | |
379 struct CERTSignedCrlStr { | |
380 PLArenaPool *arena; | |
381 CERTCrl crl; | |
382 void *reserved1; | |
383 PRBool reserved2; | |
384 PRBool isperm; | |
385 PRBool istemp; | |
386 int referenceCount; | |
387 CERTCertDBHandle *dbhandle; | |
388 CERTSignedData signatureWrap; /* XXX */ | |
389 char *url; | |
390 SECItem *derCrl; | |
391 PK11SlotInfo *slot; | |
392 CK_OBJECT_HANDLE pkcs11ID; | |
393 void *opaque; /* do not touch */ | |
394 }; | |
395 | |
396 struct CERTCrlHeadNodeStr { | |
397 PLArenaPool *arena; | |
398 CERTCertDBHandle *dbhandle; | |
399 CERTCrlNode *first; | |
400 CERTCrlNode *last; | |
401 }; | |
402 | |
403 struct CERTCrlNodeStr { | |
404 CERTCrlNode *next; | |
405 int type; | |
406 CERTSignedCrl *crl; | |
407 }; | |
408 | |
409 /* | |
410 * Array of X.500 Distinguished Names | |
411 */ | |
412 struct CERTDistNamesStr { | |
413 PLArenaPool *arena; | |
414 int nnames; | |
415 SECItem *names; | |
416 void *head; /* private */ | |
417 }; | |
418 | |
419 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ | |
420 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ | |
421 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ | |
422 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ | |
423 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ | |
424 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ | |
425 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ | |
426 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ | |
427 | |
428 #define EXT_KEY_USAGE_TIME_STAMP (0x8000) | |
429 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000) | |
430 | |
431 #define NS_CERT_TYPE_APP \ | |
432 (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ | |
433 NS_CERT_TYPE_OBJECT_SIGNING) | |
434 | |
435 #define NS_CERT_TYPE_CA \ | |
436 (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \ | |
437 NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER) | |
438 typedef enum SECCertUsageEnum { | |
439 certUsageSSLClient = 0, | |
440 certUsageSSLServer = 1, | |
441 certUsageSSLServerWithStepUp = 2, | |
442 certUsageSSLCA = 3, | |
443 certUsageEmailSigner = 4, | |
444 certUsageEmailRecipient = 5, | |
445 certUsageObjectSigner = 6, | |
446 certUsageUserCertImport = 7, | |
447 certUsageVerifyCA = 8, | |
448 certUsageProtectedObjectSigner = 9, | |
449 certUsageStatusResponder = 10, | |
450 certUsageAnyCA = 11 | |
451 } SECCertUsage; | |
452 | |
453 typedef PRInt64 SECCertificateUsage; | |
454 | |
455 #define certificateUsageCheckAllUsages (0x0000) | |
456 #define certificateUsageSSLClient (0x0001) | |
457 #define certificateUsageSSLServer (0x0002) | |
458 #define certificateUsageSSLServerWithStepUp (0x0004) | |
459 #define certificateUsageSSLCA (0x0008) | |
460 #define certificateUsageEmailSigner (0x0010) | |
461 #define certificateUsageEmailRecipient (0x0020) | |
462 #define certificateUsageObjectSigner (0x0040) | |
463 #define certificateUsageUserCertImport (0x0080) | |
464 #define certificateUsageVerifyCA (0x0100) | |
465 #define certificateUsageProtectedObjectSigner (0x0200) | |
466 #define certificateUsageStatusResponder (0x0400) | |
467 #define certificateUsageAnyCA (0x0800) | |
468 | |
469 #define certificateUsageHighest certificateUsageAnyCA | |
470 | |
471 /* | |
472 * Does the cert belong to the user, a peer, or a CA. | |
473 */ | |
474 typedef enum CERTCertOwnerEnum { | |
475 certOwnerUser = 0, | |
476 certOwnerPeer = 1, | |
477 certOwnerCA = 2 | |
478 } CERTCertOwner; | |
479 | |
480 /* | |
481 * This enum represents the state of validity times of a certificate | |
482 */ | |
483 typedef enum SECCertTimeValidityEnum { | |
484 secCertTimeValid = 0, | |
485 secCertTimeExpired = 1, | |
486 secCertTimeNotValidYet = 2, | |
487 secCertTimeUndetermined = 3 /* validity could not be decoded from the | |
488 cert, most likely because it was NULL */ | |
489 } SECCertTimeValidity; | |
490 | |
491 /* | |
492 * This is used as return status in functions that compare the validity | |
493 * periods of two certificates A and B, currently only | |
494 * CERT_CompareValidityTimes. | |
495 */ | |
496 | |
497 typedef enum CERTCompareValidityStatusEnum { | |
498 certValidityUndetermined = 0, /* the function is unable to select one cert | |
499 over another */ | |
500 certValidityChooseB = 1, /* cert B should be preferred */ | |
501 certValidityEqual = 2, /* both certs have the same validity period */ | |
502 certValidityChooseA = 3 /* cert A should be preferred */ | |
503 } CERTCompareValidityStatus; | |
504 | |
505 /* | |
506 * Interface for getting certificate nickname strings out of the database | |
507 */ | |
508 | |
509 /* these are values for the what argument below */ | |
510 #define SEC_CERT_NICKNAMES_ALL 1 | |
511 #define SEC_CERT_NICKNAMES_USER 2 | |
512 #define SEC_CERT_NICKNAMES_SERVER 3 | |
513 #define SEC_CERT_NICKNAMES_CA 4 | |
514 | |
515 struct CERTCertNicknamesStr { | |
516 PLArenaPool *arena; | |
517 void *head; | |
518 int numnicknames; | |
519 char **nicknames; | |
520 int what; | |
521 int totallen; | |
522 }; | |
523 | |
524 struct CERTIssuerAndSNStr { | |
525 SECItem derIssuer; | |
526 CERTName issuer; | |
527 SECItem serialNumber; | |
528 }; | |
529 | |
530 /* X.509 v3 Key Usage Extension flags */ | |
531 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ | |
532 #define KU_NON_REPUDIATION (0x40) /* bit 1 */ | |
533 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ | |
534 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ | |
535 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ | |
536 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ | |
537 #define KU_CRL_SIGN (0x02) /* bit 6 */ | |
538 #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */ | |
539 #define KU_ALL \ | |
540 (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \ | |
541 KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \ | |
542 KU_CRL_SIGN | KU_ENCIPHER_ONLY) | |
543 | |
544 /* This value will not occur in certs. It is used internally for the case | |
545 * when either digital signature or non-repudiation is the correct value. | |
546 */ | |
547 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000) | |
548 | |
549 /* This value will not occur in certs. It is used internally for the case | |
550 * when the key type is not know ahead of time and either key agreement or | |
551 * key encipherment are the correct value based on key type | |
552 */ | |
553 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000) | |
554 | |
555 /* internal bits that do not match bits in the x509v3 spec, but are used | |
556 * for similar purposes | |
557 */ | |
558 #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/ | |
559 /* | |
560 * x.509 v3 Basic Constraints Extension | |
561 * If isCA is false, the pathLenConstraint is ignored. | |
562 * Otherwise, the following pathLenConstraint values will apply: | |
563 * < 0 - there is no limit to the certificate path | |
564 * 0 - CA can issues end-entity certificates only | |
565 * > 0 - the number of certificates in the certificate path is | |
566 * limited to this number | |
567 */ | |
568 #define CERT_UNLIMITED_PATH_CONSTRAINT -2 | |
569 | |
570 struct CERTBasicConstraintsStr { | |
571 PRBool isCA; /* on if is CA */ | |
572 int pathLenConstraint; /* maximum number of certificates that can be | |
573 in the cert path. Only applies to a CA | |
574 certificate; otherwise, it's ignored. | |
575 */ | |
576 }; | |
577 | |
578 /* Maximum length of a certificate chain */ | |
579 #define CERT_MAX_CERT_CHAIN 20 | |
580 | |
581 #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */ | |
582 #define CERT_MAX_DN_BYTES 4096 /* arbitrary */ | |
583 | |
584 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */ | |
585 #define RF_UNUSED (0x80) /* bit 0 */ | |
586 #define RF_KEY_COMPROMISE (0x40) /* bit 1 */ | |
587 #define RF_CA_COMPROMISE (0x20) /* bit 2 */ | |
588 #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */ | |
589 #define RF_SUPERSEDED (0x08) /* bit 4 */ | |
590 #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */ | |
591 #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */ | |
592 | |
593 /* enum for CRL Entry Reason Code */ | |
594 typedef enum CERTCRLEntryReasonCodeEnum { | |
595 crlEntryReasonUnspecified = 0, | |
596 crlEntryReasonKeyCompromise = 1, | |
597 crlEntryReasonCaCompromise = 2, | |
598 crlEntryReasonAffiliationChanged = 3, | |
599 crlEntryReasonSuperseded = 4, | |
600 crlEntryReasonCessationOfOperation = 5, | |
601 crlEntryReasoncertificatedHold = 6, | |
602 crlEntryReasonRemoveFromCRL = 8, | |
603 crlEntryReasonPrivilegeWithdrawn = 9, | |
604 crlEntryReasonAaCompromise = 10 | |
605 } CERTCRLEntryReasonCode; | |
606 | |
607 /* If we needed to extract the general name field, use this */ | |
608 /* General Name types */ | |
609 typedef enum CERTGeneralNameTypeEnum { | |
610 certOtherName = 1, | |
611 certRFC822Name = 2, | |
612 certDNSName = 3, | |
613 certX400Address = 4, | |
614 certDirectoryName = 5, | |
615 certEDIPartyName = 6, | |
616 certURI = 7, | |
617 certIPAddress = 8, | |
618 certRegisterID = 9 | |
619 } CERTGeneralNameType; | |
620 | |
621 typedef struct OtherNameStr { | |
622 SECItem name; | |
623 SECItem oid; | |
624 } OtherName; | |
625 | |
626 struct CERTGeneralNameStr { | |
627 CERTGeneralNameType type; /* name type */ | |
628 union { | |
629 CERTName directoryName; /* distinguish name */ | |
630 OtherName OthName; /* Other Name */ | |
631 SECItem other; /* the rest of the name forms */ | |
632 } name; | |
633 SECItem derDirectoryName; /* this is saved to simplify directory name | |
634 comparison */ | |
635 PRCList l; | |
636 }; | |
637 | |
638 struct CERTGeneralNameListStr { | |
639 PLArenaPool *arena; | |
640 CERTGeneralName *name; | |
641 int refCount; | |
642 int len; | |
643 PZLock *lock; | |
644 }; | |
645 | |
646 struct CERTNameConstraintStr { | |
647 CERTGeneralName name; | |
648 SECItem DERName; | |
649 SECItem min; | |
650 SECItem max; | |
651 PRCList l; | |
652 }; | |
653 | |
654 struct CERTNameConstraintsStr { | |
655 CERTNameConstraint *permited; | |
656 CERTNameConstraint *excluded; | |
657 SECItem **DERPermited; | |
658 SECItem **DERExcluded; | |
659 }; | |
660 | |
661 /* Private Key Usage Period extension struct. */ | |
662 struct CERTPrivKeyUsagePeriodStr { | |
663 SECItem notBefore; | |
664 SECItem notAfter; | |
665 PLArenaPool *arena; | |
666 }; | |
667 | |
668 /* X.509 v3 Authority Key Identifier extension. For the authority certificate | |
669 issuer field, we only support URI now. | |
670 */ | |
671 struct CERTAuthKeyIDStr { | |
672 SECItem keyID; /* unique key identifier */ | |
673 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */ | |
674 SECItem authCertSerialNumber; /* CA's certificate serial number */ | |
675 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of | |
676 the authCertIssuer field. It is used | |
677 by the encoding engine. It should be | |
678 used as a read only field by the caller. | |
679 */ | |
680 }; | |
681 | |
682 /* x.509 v3 CRL Distributeion Point */ | |
683 | |
684 /* | |
685 * defined the types of CRL Distribution points | |
686 */ | |
687 typedef enum DistributionPointTypesEnum { | |
688 generalName = 1, /* only support this for now */ | |
689 relativeDistinguishedName = 2 | |
690 } DistributionPointTypes; | |
691 | |
692 struct CRLDistributionPointStr { | |
693 DistributionPointTypes distPointType; | |
694 union { | |
695 CERTGeneralName *fullName; | |
696 CERTRDN relativeName; | |
697 } distPoint; | |
698 SECItem reasons; | |
699 CERTGeneralName *crlIssuer; | |
700 | |
701 /* Reserved for internal use only*/ | |
702 SECItem derDistPoint; | |
703 SECItem derRelativeName; | |
704 SECItem **derCrlIssuer; | |
705 SECItem **derFullName; | |
706 SECItem bitsmap; | |
707 }; | |
708 | |
709 struct CERTCrlDistributionPointsStr { | |
710 CRLDistributionPoint **distPoints; | |
711 }; | |
712 | |
713 /* | |
714 * This structure is used to keep a log of errors when verifying | |
715 * a cert chain. This allows multiple errors to be reported all at | |
716 * once. | |
717 */ | |
718 struct CERTVerifyLogNodeStr { | |
719 CERTCertificate *cert; /* what cert had the error */ | |
720 long error; /* what error was it? */ | |
721 unsigned int depth; /* how far up the chain are we */ | |
722 void *arg; /* error specific argument */ | |
723 struct CERTVerifyLogNodeStr *next; /* next in the list */ | |
724 struct CERTVerifyLogNodeStr *prev; /* next in the list */ | |
725 }; | |
726 | |
727 struct CERTVerifyLogStr { | |
728 PLArenaPool *arena; | |
729 unsigned int count; | |
730 struct CERTVerifyLogNodeStr *head; | |
731 struct CERTVerifyLogNodeStr *tail; | |
732 }; | |
733 | |
734 struct CERTOKDomainNameStr { | |
735 CERTOKDomainName *next; | |
736 char name[1]; /* actual length may be longer. */ | |
737 }; | |
738 | |
739 typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle, | |
740 CERTCertificate *cert, | |
741 PRTime time, void *pwArg); | |
742 | |
743 typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle); | |
744 | |
745 struct CERTStatusConfigStr { | |
746 CERTStatusChecker statusChecker; /* NULL means no checking enabled */ | |
747 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */ | |
748 void *statusContext; /* cx specific to checking protocol */ | |
749 }; | |
750 | |
751 struct CERTAuthInfoAccessStr { | |
752 SECItem method; | |
753 SECItem derLocation; | |
754 CERTGeneralName *location; /* decoded location */ | |
755 }; | |
756 | |
757 /* This is the typedef for the callback passed to CERT_OpenCertDB() */ | |
758 /* callback to return database name based on version number */ | |
759 typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion); | |
760 | |
761 /* | |
762 * types of cert packages that we can decode | |
763 */ | |
764 typedef enum CERTPackageTypeEnum { | |
765 certPackageNone = 0, | |
766 certPackageCert = 1, | |
767 certPackagePKCS7 = 2, | |
768 certPackageNSCertSeq = 3, | |
769 certPackageNSCertWrap = 4 | |
770 } CERTPackageType; | |
771 | |
772 /* | |
773 * these types are for the PKIX Certificate Policies extension | |
774 */ | |
775 typedef struct { | |
776 SECOidTag oid; | |
777 SECItem qualifierID; | |
778 SECItem qualifierValue; | |
779 } CERTPolicyQualifier; | |
780 | |
781 typedef struct { | |
782 SECOidTag oid; | |
783 SECItem policyID; | |
784 CERTPolicyQualifier **policyQualifiers; | |
785 } CERTPolicyInfo; | |
786 | |
787 typedef struct { | |
788 PLArenaPool *arena; | |
789 CERTPolicyInfo **policyInfos; | |
790 } CERTCertificatePolicies; | |
791 | |
792 typedef struct { | |
793 SECItem organization; | |
794 SECItem **noticeNumbers; | |
795 } CERTNoticeReference; | |
796 | |
797 typedef struct { | |
798 PLArenaPool *arena; | |
799 CERTNoticeReference noticeReference; | |
800 SECItem derNoticeReference; | |
801 SECItem displayText; | |
802 } CERTUserNotice; | |
803 | |
804 typedef struct { | |
805 PLArenaPool *arena; | |
806 SECItem **oids; | |
807 } CERTOidSequence; | |
808 | |
809 /* | |
810 * these types are for the PKIX Policy Mappings extension | |
811 */ | |
812 typedef struct { | |
813 SECItem issuerDomainPolicy; | |
814 SECItem subjectDomainPolicy; | |
815 } CERTPolicyMap; | |
816 | |
817 typedef struct { | |
818 PLArenaPool *arena; | |
819 CERTPolicyMap **policyMaps; | |
820 } CERTCertificatePolicyMappings; | |
821 | |
822 /* | |
823 * these types are for the PKIX inhibitAnyPolicy extension | |
824 */ | |
825 typedef struct { | |
826 SECItem inhibitAnySkipCerts; | |
827 } CERTCertificateInhibitAny; | |
828 | |
829 /* | |
830 * these types are for the PKIX Policy Constraints extension | |
831 */ | |
832 typedef struct { | |
833 SECItem explicitPolicySkipCerts; | |
834 SECItem inhibitMappingSkipCerts; | |
835 } CERTCertificatePolicyConstraints; | |
836 | |
837 /* | |
838 * These types are for the validate chain callback param. | |
839 * | |
840 * CERTChainVerifyCallback is an application-supplied callback that can be used | |
841 * to augment libpkix's certificate chain validation with additional | |
842 * application-specific checks. It may be called multiple times if there are | |
843 * multiple potentially-valid paths for the certificate being validated. This | |
844 * callback is called before revocation checking is done on the certificates in | |
845 * the given chain. | |
846 * | |
847 * - isValidChainArg contains the application-provided opaque argument | |
848 * - currentChain is the currently validated chain. It is ordered with the leaf | |
849 * certificate at the head and the trust anchor at the tail. | |
850 * | |
851 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the | |
852 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and | |
853 * return SECSuccess if the chain is unacceptable, to indicate that the given | |
854 * chain is bad and path building should continue. It should return SECFailure | |
855 * to indicate an fatal error that will cause path validation to fail | |
856 * immediately. | |
857 */ | |
858 typedef SECStatus (*CERTChainVerifyCallbackFunc)( | |
859 void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK); | |
860 | |
861 /* | |
862 * Note: If extending this structure, it will be necessary to change the | |
863 * associated CERTValParamInType | |
864 */ | |
865 typedef struct { | |
866 CERTChainVerifyCallbackFunc isChainValid; | |
867 void *isChainValidArg; | |
868 } CERTChainVerifyCallback; | |
869 | |
870 /* | |
871 * these types are for the CERT_PKIX* Verification functions | |
872 * These are all optional parameters. | |
873 */ | |
874 | |
875 typedef enum { | |
876 cert_pi_end = 0, /* SPECIAL: signifies end of array of | |
877 * CERTValParam* */ | |
878 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to | |
879 * resume a session. If this argument is | |
880 * specified, no other arguments should be. | |
881 * Specified in value.pointer.p. If the | |
882 * operation completes the context will be | |
883 * freed. */ | |
884 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an | |
885 * existing operation which the caller wants | |
886 * to abort. If this argument is | |
887 * specified, no other arguments should be. | |
888 * Specified in value.pointer.p. If the | |
889 * operation succeeds the context will be | |
890 * freed. */ | |
891 cert_pi_certList = 3, /* specify the chain to validate against. If | |
892 * this value is given, then the path | |
893 * construction step in the validation is | |
894 * skipped. Specified in value.pointer.chain */ | |
895 cert_pi_policyOID = 4, /* validate certificate for policy OID. | |
896 * Specified in value.array.oids. Cert must | |
897 * be good for at least one OID in order | |
898 * to validate. Default is that the user is not | |
899 * concerned about certificate policy. */ | |
900 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID. | |
901 * Specified in value.scalar.ul. Policy flags | |
902 * apply to all specified oids. | |
903 * Use CERT_POLICY_FLAG_* macros below. If not | |
904 * specified policy flags default to 0 */ | |
905 cert_pi_keyusage = 6, /* specify what the keyusages the certificate | |
906 * will be evaluated against, specified in | |
907 * value.scalar.ui. The cert must validate for | |
908 * at least one of the specified key usages. | |
909 * Values match the KU_ bit flags defined | |
910 * in this file. Default is derived from | |
911 * the 'usages' function argument */ | |
912 cert_pi_extendedKeyusage = 7, /* specify what the required extended key | |
913 * usage of the certificate. Specified as | |
914 * an array of oidTags in value.array.oids. | |
915 * The cert must validate for at least one | |
916 * of the specified extended key usages. | |
917 * If not specified, no extended key usages | |
918 * will be checked. */ | |
919 cert_pi_date = 8, /* validate certificate is valid as of date | |
920 * specified in value.scalar.time. A special | |
921 * value '0' indicates 'now'. default is '0' *
/ | |
922 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do. | |
923 * See CERT_REV_FLAG_* macros below | |
924 * Set in value.pointer.revocation */ | |
925 cert_pi_certStores = 10, /* Bitmask of Cert Store flags (see below) | |
926 * Set in value.scalar.ui */ | |
927 cert_pi_trustAnchors = | |
928 11, /* Specify the list of trusted roots to | |
929 * validate against. | |
930 * The default set of trusted roots, these are | |
931 * root CA certs from libnssckbi.so or CA | |
932 * certs trusted by user, are used in any of | |
933 * the following cases: | |
934 * * when the parameter is not set. | |
935 * * when the list of trust anchors is | |
936 * empty. | |
937 * Note that this handling can be further | |
938 * altered by altering the | |
939 * cert_pi_useOnlyTrustAnchors flag | |
940 * Specified in value.pointer.chain */ | |
941 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension. | |
942 * In NSS 3.12.1 or later. Default is off. | |
943 * Value is in value.scalar.b */ | |
944 cert_pi_chainVerifyCallback = 13, | |
945 /* The callback container for doing extra | |
946 * validation on the currently calculated chain. | |
947 * Value is in value.pointer.chainVerifyCallback */ | |
948 cert_pi_useOnlyTrustAnchors = 14, | |
949 /* If true, disables trusting any | |
950 * certificates other than the ones passed in via cert_pi_trustAnchors. | |
951 * If false, then the certificates specified via cert_pi_trustAnchors | |
952 * will be combined with the pre-existing trusted roots, but only | |
953 * for the certificate validation being performed. | |
954 * If no value has been supplied via cert_pi_trustAnchors, this has | |
955 * no effect. | |
956 * The default value is true, meaning if this is not supplied, only | |
957 * trust anchors supplied via cert_pi_trustAnchors are trusted. | |
958 * Specified in value.scalar.b */ | |
959 cert_pi_max /* SPECIAL: signifies maximum allowed value, | |
960 * can increase in future releases */ | |
961 } CERTValParamInType; | |
962 | |
963 /* | |
964 * for all out parameters: | |
965 * out parameters are only returned if the caller asks for them in | |
966 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam | |
967 * array itself. The pkix verify function will allocate and other arrays | |
968 * pointers, or objects. The Caller is responsible for freeing those results. | |
969 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned. | |
970 */ | |
971 typedef enum { | |
972 cert_po_end = 0, /* SPECIAL: signifies end of array of | |
973 * CERTValParam* */ | |
974 cert_po_nbioContext = 1, /* Return a nonblocking context. If no | |
975 * non-blocking context is specified, then | |
976 * blocking IO will be used. | |
977 * Returned in value.pointer.p. The context is | |
978 * freed after an abort or a complete operatio
n. | |
979 * This value is only returned on SECWouldBloc
k. | |
980 */ | |
981 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that | |
982 * was validated. Returned in | |
983 * value.pointer.cert, this value is only | |
984 * returned on SECSuccess. */ | |
985 cert_po_certList = 3, /* Return the entire chain that was validated. | |
986 * Returned in value.pointer.certList. If no | |
987 * chain could be constructed, this value | |
988 * would be NULL. */ | |
989 cert_po_policyOID = 4, /* Return the policies that were found to be | |
990 * valid. Returned in value.array.oids as an | |
991 * array. This is only returned on | |
992 * SECSuccess. */ | |
993 cert_po_errorLog = 5, /* Return a log of problems with the chain. | |
994 * Returned in value.pointer.log */ | |
995 cert_po_usages = 6, /* Return what usages the certificate is valid | |
996 for. Returned in value.scalar.usages */ | |
997 cert_po_keyUsage = 7, /* Return what key usages the certificate | |
998 * is valid for. | |
999 * Returned in value.scalar.usage */ | |
1000 cert_po_extendedKeyusage = 8, /* Return what extended key usages the | |
1001 * certificate is valid for. | |
1002 * Returned in value.array.oids */ | |
1003 cert_po_max /* SPECIAL: signifies maximum allowed value, | |
1004 * can increase in future releases */ | |
1005 | |
1006 } CERTValParamOutType; | |
1007 | |
1008 typedef enum { | |
1009 cert_revocation_method_crl = 0, | |
1010 cert_revocation_method_ocsp, | |
1011 cert_revocation_method_count | |
1012 } CERTRevocationMethodIndex; | |
1013 | |
1014 /* | |
1015 * The following flags are supposed to be used to control bits in | |
1016 * each integer contained in the array pointed to be: | |
1017 * CERTRevocationTests.cert_rev_flags_per_method | |
1018 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates | |
1019 * this is a method dependent flag. | |
1020 */ | |
1021 | |
1022 /* | |
1023 * Whether or not to use a method for revocation testing. | |
1024 * If set to "do not test", then all other flags are ignored. | |
1025 */ | |
1026 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL | |
1027 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL | |
1028 | |
1029 /* | |
1030 * Whether or not NSS is allowed to attempt to fetch fresh information | |
1031 * from the network. | |
1032 * (Although fetching will never happen if fresh information for the | |
1033 * method is already locally available.) | |
1034 */ | |
1035 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL | |
1036 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL | |
1037 | |
1038 /* | |
1039 * Example for an implicit default source: | |
1040 * The globally configured default OCSP responder. | |
1041 * IGNORE means: | |
1042 * ignore the implicit default source, whether it's configured or not. | |
1043 * ALLOW means: | |
1044 * if an implicit default source is configured, | |
1045 * then it overrides any available or missing source in the cert. | |
1046 * if no implicit default source is configured, | |
1047 * then we continue to use what's available (or not available) | |
1048 * in the certs. | |
1049 */ | |
1050 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL | |
1051 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL | |
1052 | |
1053 /* | |
1054 * Defines the behavior if no fresh information is available, | |
1055 * fetching from the network is allowed, but the source of revocation | |
1056 * information is unknown (even after considering implicit sources, | |
1057 * if allowed by other flags). | |
1058 * SKIPT_TEST means: | |
1059 * We ignore that no fresh information is available and | |
1060 * skip this test. | |
1061 * REQUIRE_INFO means: | |
1062 * We still require that fresh information is available. | |
1063 * Other flags define what happens on missing fresh info. | |
1064 */ | |
1065 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL | |
1066 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL | |
1067 | |
1068 /* | |
1069 * Defines the behavior if we are unable to obtain fresh information. | |
1070 * INGORE means: | |
1071 * Return "cert status unknown" | |
1072 * FAIL means: | |
1073 * Return "cert revoked". | |
1074 */ | |
1075 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL | |
1076 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL | |
1077 | |
1078 /* | |
1079 * What should happen if we were able to find fresh information using | |
1080 * this method, and the data indicated the cert is good? | |
1081 * STOP_TESTING means: | |
1082 * Our success is sufficient, do not continue testing | |
1083 * other methods. | |
1084 * CONTINUE_TESTING means: | |
1085 * We will continue and test the next allowed | |
1086 * specified method. | |
1087 */ | |
1088 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL | |
1089 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL | |
1090 | |
1091 /* When this flag is used, libpkix will never attempt to use the GET HTTP | |
1092 * method for OCSP requests; it will always use POST. | |
1093 */ | |
1094 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL | |
1095 | |
1096 /* | |
1097 * The following flags are supposed to be used to control bits in | |
1098 * CERTRevocationTests.cert_rev_method_independent_flags | |
1099 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates | |
1100 * this is a method independent flag. | |
1101 */ | |
1102 | |
1103 /* | |
1104 * This defines the order to checking. | |
1105 * EACH_METHOD_SEPARATELY means: | |
1106 * Do all tests related to a particular allowed method | |
1107 * (both local information and network fetching) in a single step. | |
1108 * Only after testing for a particular method is done, | |
1109 * then switching to the next method will happen. | |
1110 * ALL_LOCAL_INFORMATION_FIRST means: | |
1111 * Start by testing the information for all allowed methods | |
1112 * which are already locally available. Only after that is done | |
1113 * consider to fetch from the network (as allowed by other flags). | |
1114 */ | |
1115 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL | |
1116 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL | |
1117 | |
1118 /* | |
1119 * Use this flag to specify that it's necessary that fresh information | |
1120 * is available for at least one of the allowed methods, but it's | |
1121 * irrelevant which of the mechanisms succeeded. | |
1122 * NO_OVERALL_INFO_REQUIREMENT means: | |
1123 * We strictly follow the requirements for each individual method. | |
1124 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: | |
1125 * After the individual tests have been executed, we must have | |
1126 * been able to find fresh information using at least one method. | |
1127 * If we were unable to find fresh info, it's a failure. | |
1128 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | |
1129 * flag on all methods. | |
1130 */ | |
1131 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL | |
1132 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL | |
1133 | |
1134 typedef struct { | |
1135 /* | |
1136 * The size of the array that cert_rev_flags_per_method points to, | |
1137 * meaning, the number of methods that are known and defined | |
1138 * by the caller. | |
1139 */ | |
1140 PRUint32 number_of_defined_methods; | |
1141 | |
1142 /* | |
1143 * A pointer to an array of integers. | |
1144 * Each integer defines revocation checking for a single method, | |
1145 * by having individual CERT_REV_M_* bits set or not set. | |
1146 * The meaning of index numbers into this array are defined by | |
1147 * enum CERTRevocationMethodIndex | |
1148 * The size of the array must be specified by the caller in the separate | |
1149 * variable number_of_defined_methods. | |
1150 * The size of the array may be smaller than | |
1151 * cert_revocation_method_count, it can happen if a caller | |
1152 * is not yet aware of the latest revocation methods | |
1153 * (or does not want to use them). | |
1154 */ | |
1155 PRUint64 *cert_rev_flags_per_method; | |
1156 | |
1157 /* | |
1158 * How many preferred methods are specified? | |
1159 * This is equivalent to the size of the array that | |
1160 * preferred_methods points to. | |
1161 * It's allowed to set this value to zero, | |
1162 * then NSS will decide which methods to prefer. | |
1163 */ | |
1164 PRUint32 number_of_preferred_methods; | |
1165 | |
1166 /* Array that may specify an optional order of preferred methods. | |
1167 * Each array entry shall contain a method identifier as defined | |
1168 * by CERTRevocationMethodIndex. | |
1169 * The entry at index [0] specifies the method with highest preference. | |
1170 * These methods will be tested first for locally available information. | |
1171 * Methods allowed for downloading will be attempted in the same order. | |
1172 */ | |
1173 CERTRevocationMethodIndex *preferred_methods; | |
1174 | |
1175 /* | |
1176 * An integer which defines certain aspects of revocation checking | |
1177 * (independent of individual methods) by having individual | |
1178 * CERT_REV_MI_* bits set or not set. | |
1179 */ | |
1180 PRUint64 cert_rev_method_independent_flags; | |
1181 } CERTRevocationTests; | |
1182 | |
1183 typedef struct { | |
1184 CERTRevocationTests leafTests; | |
1185 CERTRevocationTests chainTests; | |
1186 } CERTRevocationFlags; | |
1187 | |
1188 typedef struct CERTValParamInValueStr { | |
1189 union { | |
1190 PRBool b; | |
1191 PRInt32 i; | |
1192 PRUint32 ui; | |
1193 PRInt64 l; | |
1194 PRUint64 ul; | |
1195 PRTime time; | |
1196 } scalar; | |
1197 union { | |
1198 const void *p; | |
1199 const char *s; | |
1200 const CERTCertificate *cert; | |
1201 const CERTCertList *chain; | |
1202 const CERTRevocationFlags *revocation; | |
1203 const CERTChainVerifyCallback *chainVerifyCallback; | |
1204 } pointer; | |
1205 union { | |
1206 const PRInt32 *pi; | |
1207 const PRUint32 *pui; | |
1208 const PRInt64 *pl; | |
1209 const PRUint64 *pul; | |
1210 const SECOidTag *oids; | |
1211 } array; | |
1212 int arraySize; | |
1213 } CERTValParamInValue; | |
1214 | |
1215 typedef struct CERTValParamOutValueStr { | |
1216 union { | |
1217 PRBool b; | |
1218 PRInt32 i; | |
1219 PRUint32 ui; | |
1220 PRInt64 l; | |
1221 PRUint64 ul; | |
1222 SECCertificateUsage usages; | |
1223 } scalar; | |
1224 union { | |
1225 void *p; | |
1226 char *s; | |
1227 CERTVerifyLog *log; | |
1228 CERTCertificate *cert; | |
1229 CERTCertList *chain; | |
1230 } pointer; | |
1231 union { | |
1232 void *p; | |
1233 SECOidTag *oids; | |
1234 } array; | |
1235 int arraySize; | |
1236 } CERTValParamOutValue; | |
1237 | |
1238 typedef struct { | |
1239 CERTValParamInType type; | |
1240 CERTValParamInValue value; | |
1241 } CERTValInParam; | |
1242 | |
1243 typedef struct { | |
1244 CERTValParamOutType type; | |
1245 CERTValParamOutValue value; | |
1246 } CERTValOutParam; | |
1247 | |
1248 /* | |
1249 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible | |
1250 */ | |
1251 typedef enum CertStrictnessLevels { | |
1252 CERT_N2A_READABLE = 0, /* maximum human readability */ | |
1253 CERT_N2A_STRICT = 10, /* strict RFC compliance */ | |
1254 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility, | |
1255 all DirectoryStrings encoded in hex */ | |
1256 } CertStrictnessLevel; | |
1257 | |
1258 /* | |
1259 * policy flag defines | |
1260 */ | |
1261 #define CERT_POLICY_FLAG_NO_MAPPING 1 | |
1262 #define CERT_POLICY_FLAG_EXPLICIT 2 | |
1263 #define CERT_POLICY_FLAG_NO_ANY 4 | |
1264 | |
1265 /* | |
1266 * CertStore flags | |
1267 */ | |
1268 #define CERT_ENABLE_LDAP_FETCH 1 | |
1269 #define CERT_ENABLE_HTTP_FETCH 2 | |
1270 | |
1271 /* This functin pointer type may be used for any function that takes | |
1272 * a CERTCertificate * and returns an allocated string, which must be | |
1273 * freed by a call to PORT_Free. | |
1274 */ | |
1275 typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert); | |
1276 | |
1277 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ | |
1278 | |
1279 #include "secasn1t.h" /* way down here because I expect template stuff to | |
1280 * move out of here anyway */ | |
1281 | |
1282 SEC_BEGIN_PROTOS | |
1283 | |
1284 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[]; | |
1285 extern const SEC_ASN1Template CERT_CertificateTemplate[]; | |
1286 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[]; | |
1287 extern const SEC_ASN1Template CERT_CertExtensionTemplate[]; | |
1288 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[]; | |
1289 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[]; | |
1290 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[]; | |
1291 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[]; | |
1292 extern const SEC_ASN1Template CERT_ValidityTemplate[]; | |
1293 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[]; | |
1294 extern const SEC_ASN1Template SEC_CertSequenceTemplate[]; | |
1295 | |
1296 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[]; | |
1297 extern const SEC_ASN1Template CERT_NameTemplate[]; | |
1298 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[]; | |
1299 extern const SEC_ASN1Template CERT_RDNTemplate[]; | |
1300 extern const SEC_ASN1Template CERT_SignedDataTemplate[]; | |
1301 extern const SEC_ASN1Template CERT_CrlTemplate[]; | |
1302 extern const SEC_ASN1Template CERT_SignedCrlTemplate[]; | |
1303 | |
1304 /* | |
1305 ** XXX should the attribute stuff be centralized for all of ns/security? | |
1306 */ | |
1307 extern const SEC_ASN1Template CERT_AttributeTemplate[]; | |
1308 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[]; | |
1309 | |
1310 /* These functions simply return the address of the above-declared templates. | |
1311 ** This is necessary for Windows DLLs. Sigh. | |
1312 */ | |
1313 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate) | |
1314 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate) | |
1315 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate) | |
1316 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) | |
1317 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate) | |
1318 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate) | |
1319 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate) | |
1320 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate) | |
1321 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate) | |
1322 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate) | |
1323 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate) | |
1324 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate) | |
1325 | |
1326 SEC_END_PROTOS | |
1327 | |
1328 #endif /* _CERTT_H_ */ | |
OLD | NEW |