comparison nss/lib/softoken/legacydb/pcertt.h @ 3:150b72113545
Add DBM and legacydb support
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Tue, 05 Aug 2014 18:32:02 +0200 |
parents | |
children |
2:a945361df361 | 3:150b72113545 |
---|---|
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * certt.h - public data structures for the certificate library | |
6 */ | |
7 #ifndef _PCERTT_H_ | |
8 #define _PCERTT_H_ | |
9 | |
10 #include "prclist.h" | |
11 #include "pkcs11t.h" | |
12 #include "seccomon.h" | |
13 #include "secoidt.h" | |
14 #include "plarena.h" | |
15 #include "prcvar.h" | |
16 #include "nssilock.h" | |
17 #include "prio.h" | |
18 #include "prmon.h" | |
19 | |
20 /* Non-opaque objects */ | |
21 typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle; | |
22 typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey; | |
23 | |
24 typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust; | |
25 typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust; | |
26 typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate; | |
27 typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList; | |
28 typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN; | |
29 typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData; | |
30 typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo; | |
31 typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity; | |
32 | |
33 /* | |
34 ** An X.509 validity object | |
35 */ | |
36 struct NSSLOWCERTValidityStr { | |
37 PLArenaPool *arena; | |
38 SECItem notBefore; | |
39 SECItem notAfter; | |
40 }; | |
41 | |
42 /* | |
43 * A serial number and issuer name, which is used as a database key | |
44 */ | |
45 struct NSSLOWCERTCertKeyStr { | |
46 SECItem serialNumber; | |
47 SECItem derIssuer; | |
48 }; | |
49 | |
50 /* | |
51 ** A signed data object. Used to implement the "signed" macro used | |
52 ** in the X.500 specs. | |
53 */ | |
54 struct NSSLOWCERTSignedDataStr { | |
55 SECItem data; | |
56 SECAlgorithmID signatureAlgorithm; | |
57 SECItem signature; | |
58 }; | |
59 | |
60 /* | |
61 ** An X.509 subject-public-key-info object | |
62 */ | |
63 struct NSSLOWCERTSubjectPublicKeyInfoStr { | |
64 PLArenaPool *arena; | |
65 SECAlgorithmID algorithm; | |
66 SECItem subjectPublicKey; | |
67 }; | |
68 | |
69 typedef struct _certDBEntryCert certDBEntryCert; | |
70 typedef struct _certDBEntryRevocation certDBEntryRevocation; | |
71 | |
72 struct NSSLOWCERTCertTrustStr { | |
73 unsigned int sslFlags; | |
74 unsigned int emailFlags; | |
75 unsigned int objectSigningFlags; | |
76 }; | |
77 | |
78 /* | |
79 ** PKCS11 Trust representation | |
80 */ | |
81 struct NSSLOWCERTTrustStr { | |
82 NSSLOWCERTTrust *next; | |
83 NSSLOWCERTCertDBHandle *dbhandle; | |
84 SECItem dbKey; /* database key for this cert */ | |
85 certDBEntryCert *dbEntry; /* database entry struct */ | |
86 NSSLOWCERTCertTrust *trust; | |
87 SECItem *derCert; /* original DER for the cert */ | |
88 unsigned char dbKeySpace[512]; | |
89 }; | |
90 | |
91 /* | |
92 ** An X.509 certificate object (the unsigned form) | |
93 */ | |
94 struct NSSLOWCERTCertificateStr { | |
95 /* the arena is used to allocate any data structures that have the same | |
96 * lifetime as the cert. This is all stuff that hangs off of the cert | |
97 * structure, and is all freed at the same time. I is used when the | |
98 * cert is decoded, destroyed, and at some times when it changes | |
99 * state | |
100 */ | |
101 NSSLOWCERTCertificate *next; | |
102 NSSLOWCERTCertDBHandle *dbhandle; | |
103 | |
104 SECItem derCert; /* original DER for the cert */ | |
105 SECItem derIssuer; /* DER for issuer name */ | |
106 SECItem derSN; | |
107 SECItem serialNumber; | |
108 SECItem derSubject; /* DER for subject name */ | |
109 SECItem derSubjKeyInfo; | |
110 NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo; | |
111 SECItem certKey; /* database key for this cert */ | |
112 SECItem validity; | |
113 certDBEntryCert *dbEntry; /* database entry struct */ | |
114 SECItem subjectKeyID; /* x509v3 subject key identifier */ | |
115 SECItem extensions; | |
116 char *nickname; | |
117 char *emailAddr; | |
118 NSSLOWCERTCertTrust *trust; | |
119 | |
120 /* the reference count is modified whenever someone looks up, dups | |
121 * or destroys a certificate | |
122 */ | |
123 int referenceCount; | |
124 | |
125 char nicknameSpace[200]; | |
126 char emailAddrSpace[200]; | |
127 unsigned char certKeySpace[512]; | |
128 }; | |
129 | |
130 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ | |
131 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ | |
132 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ | |
133 | |
134 #define SEC_CRL_VERSION_1 0 /* default */ | |
135 #define SEC_CRL_VERSION_2 1 /* v2 extensions */ | |
136 | |
137 #define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024) | |
138 | |
139 struct NSSLOWCERTIssuerAndSNStr { | |
140 SECItem derIssuer; | |
141 SECItem serialNumber; | |
142 }; | |
143 | |
144 typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg); | |
145 | |
146 /* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */ | |
147 /* callback to return database name based on version number */ | |
148 typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion); | |
149 | |
150 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ | |
151 | |
152 #include "secasn1t.h" /* way down here because I expect template stuff to | |
153 * move out of here anyway */ | |
154 | |
155 /* | |
156 * Certificate Database related definitions and data structures | |
157 */ | |
158 | |
159 /* version number of certificate database */ | |
160 #define CERT_DB_FILE_VERSION 8 | |
161 #define CERT_DB_V7_FILE_VERSION 7 | |
162 #define CERT_DB_CONTENT_VERSION 2 | |
163 | |
164 #define SEC_DB_ENTRY_HEADER_LEN 3 | |
165 #define SEC_DB_KEY_HEADER_LEN 1 | |
166 | |
167 /* All database entries have this form: | |
168 * | |
169 * byte offset field | |
170 * ----------- ----- | |
171 * 0 version | |
172 * 1 type | |
173 * 2 flags | |
174 */ | |
175 | |
176 /* database entry types */ | |
177 typedef enum { | |
178 certDBEntryTypeVersion = 0, | |
179 certDBEntryTypeCert = 1, | |
180 certDBEntryTypeNickname = 2, | |
181 certDBEntryTypeSubject = 3, | |
182 certDBEntryTypeRevocation = 4, | |
183 certDBEntryTypeKeyRevocation = 5, | |
184 certDBEntryTypeSMimeProfile = 6, | |
185 certDBEntryTypeContentVersion = 7, | |
186 certDBEntryTypeBlob = 8 | |
187 } certDBEntryType; | |
188 | |
189 typedef struct { | |
190 certDBEntryType type; | |
191 unsigned int version; | |
192 unsigned int flags; | |
193 PLArenaPool *arena; | |
194 } certDBEntryCommon; | |
195 | |
196 /* | |
197 * Certificate entry: | |
198 * | |
199 * byte offset field | |
200 * ----------- ----- | |
201 * 0 sslFlags-msb | |
202 * 1 sslFlags-lsb | |
203 * 2 emailFlags-msb | |
204 * 3 emailFlags-lsb | |
205 * 4 objectSigningFlags-msb | |
206 * 5 objectSigningFlags-lsb | |
207 * 6 derCert-len-msb | |
208 * 7 derCert-len-lsb | |
209 * 8 nickname-len-msb | |
210 * 9 nickname-len-lsb | |
211 * ... derCert | |
212 * ... nickname | |
213 * | |
214 * NOTE: the nickname string as stored in the database is null terminated, | |
215 * in other words, the last byte of the db entry is always 0 | |
216 * if a nickname is present. | |
217 * NOTE: if nickname is not present, then nickname-len-msb and | |
218 * nickname-len-lsb will both be zero. | |
219 */ | |
220 struct _certDBEntryCert { | |
221 certDBEntryCommon common; | |
222 certDBEntryCert *next; | |
223 NSSLOWCERTCertTrust trust; | |
224 SECItem derCert; | |
225 char *nickname; | |
226 char nicknameSpace[200]; | |
227 unsigned char derCertSpace[2048]; | |
228 }; | |
229 | |
230 /* | |
231 * Certificate Nickname entry: | |
232 * | |
233 * byte offset field | |
234 * ----------- ----- | |
235 * 0 subjectname-len-msb | |
236 * 1 subjectname-len-lsb | |
237 * 2... subjectname | |
238 * | |
239 * The database key for this type of entry is a nickname string | |
240 * The "subjectname" value is the DER encoded DN of the identity | |
241 * that matches this nickname. | |
242 */ | |
243 typedef struct { | |
244 certDBEntryCommon common; | |
245 char *nickname; | |
246 SECItem subjectName; | |
247 } certDBEntryNickname; | |
248 | |
249 #define DB_NICKNAME_ENTRY_HEADER_LEN 2 | |
250 | |
251 /* | |
252 * Certificate Subject entry: | |
253 * | |
254 * byte offset field | |
255 * ----------- ----- | |
256 * 0 ncerts-msb | |
257 * 1 ncerts-lsb | |
258 * 2 nickname-msb | |
259 * 3 nickname-lsb | |
260 * 4 emailAddr-msb | |
261 * 5 emailAddr-lsb | |
262 * ... nickname | |
263 * ... emailAddr | |
264 * ...+2*i certkey-len-msb | |
265 * ...+1+2*i certkey-len-lsb | |
266 * ...+2*ncerts+2*i keyid-len-msb | |
267 * ...+1+2*ncerts+2*i keyid-len-lsb | |
268 * ... certkeys | |
269 * ... keyids | |
270 * | |
271 * The database key for this type of entry is the DER encoded subject name | |
272 * The "certkey" value is an array of certificate database lookup keys that | |
273 * points to the database entries for the certificates that matche | |
274 * this subject. | |
275 * | |
276 */ | |
277 typedef struct _certDBEntrySubject { | |
278 certDBEntryCommon common; | |
279 SECItem derSubject; | |
280 unsigned int ncerts; | |
281 char *nickname; | |
282 SECItem *certKeys; | |
283 SECItem *keyIDs; | |
284 char **emailAddrs; | |
285 unsigned int nemailAddrs; | |
286 } certDBEntrySubject; | |
287 | |
288 #define DB_SUBJECT_ENTRY_HEADER_LEN 6 | |
289 | |
290 /* | |
291 * Certificate SMIME profile entry: | |
292 * | |
293 * byte offset field | |
294 * ----------- ----- | |
295 * 0 subjectname-len-msb | |
296 * 1 subjectname-len-lsb | |
297 * 2 smimeoptions-len-msb | |
298 * 3 smimeoptions-len-lsb | |
299 * 4 options-date-len-msb | |
300 * 5 options-date-len-lsb | |
301 * 6... subjectname | |
302 * ... smimeoptions | |
303 * ... options-date | |
304 * | |
305 * The database key for this type of entry is the email address string | |
306 * The "subjectname" value is the DER encoded DN of the identity | |
307 * that matches this nickname. | |
308 * The "smimeoptions" value is a string that represents the algorithm | |
309 * capabilities on the remote user. | |
310 * The "options-date" is the date that the smime options value was created. | |
311 * This is generally the signing time of the signed message that contained | |
312 * the options. It is a UTCTime value. | |
313 */ | |
314 typedef struct { | |
315 certDBEntryCommon common; | |
316 char *emailAddr; | |
317 SECItem subjectName; | |
318 SECItem smimeOptions; | |
319 SECItem optionsDate; | |
320 } certDBEntrySMime; | |
321 | |
322 #define DB_SMIME_ENTRY_HEADER_LEN 6 | |
323 | |
324 /* | |
325 * Crl/krl entry: | |
326 * | |
327 * byte offset field | |
328 * ----------- ----- | |
329 * 0 derCert-len-msb | |
330 * 1 derCert-len-lsb | |
331 * 2 url-len-msb | |
332 * 3 url-len-lsb | |
333 * ... derCert | |
334 * ... url | |
335 * | |
336 * NOTE: the url string as stored in the database is null terminated, | |
337 * in other words, the last byte of the db entry is always 0 | |
338 * if a nickname is present. | |
339 * NOTE: if url is not present, then url-len-msb and | |
340 * url-len-lsb will both be zero. | |
341 */ | |
342 #define DB_CRL_ENTRY_HEADER_LEN 4 | |
343 struct _certDBEntryRevocation { | |
344 certDBEntryCommon common; | |
345 SECItem derCrl; | |
346 char *url; /* where to load the crl from */ | |
347 }; | |
348 | |
349 /* | |
350 * Database Version Entry: | |
351 * | |
352 * byte offset field | |
353 * ----------- ----- | |
354 * only the low level header... | |
355 * | |
356 * The database key for this type of entry is the string "Version" | |
357 */ | |
358 typedef struct { | |
359 certDBEntryCommon common; | |
360 } certDBEntryVersion; | |
361 | |
362 #define SEC_DB_VERSION_KEY "Version" | |
363 #define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY) | |
364 | |
365 /* | |
366 * Database Content Version Entry: | |
367 * | |
368 * byte offset field | |
369 * ----------- ----- | |
370 * 0 contentVersion | |
371 * | |
372 * The database key for this type of entry is the string "ContentVersion" | |
373 */ | |
374 typedef struct { | |
375 certDBEntryCommon common; | |
376 char contentVersion; | |
377 } certDBEntryContentVersion; | |
378 | |
379 #define SEC_DB_CONTENT_VERSION_KEY "ContentVersion" | |
380 #define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY) | |
381 | |
382 typedef union { | |
383 certDBEntryCommon common; | |
384 certDBEntryCert cert; | |
385 certDBEntryContentVersion content; | |
386 certDBEntryNickname nickname; | |
387 certDBEntryRevocation revocation; | |
388 certDBEntrySMime smime; | |
389 certDBEntrySubject subject; | |
390 certDBEntryVersion version; | |
391 } certDBEntry; | |
392 | |
393 /* length of the fixed part of a database entry */ | |
394 #define DBCERT_V4_HEADER_LEN 7 | |
395 #define DB_CERT_V5_ENTRY_HEADER_LEN 7 | |
396 #define DB_CERT_V6_ENTRY_HEADER_LEN 7 | |
397 #define DB_CERT_ENTRY_HEADER_LEN 10 | |
398 | |
399 /* common flags for all types of certificates */ | |
400 #define CERTDB_TERMINAL_RECORD (1u<<0) | |
401 #define CERTDB_TRUSTED (1u<<1) | |
402 #define CERTDB_SEND_WARN (1u<<2) | |
403 #define CERTDB_VALID_CA (1u<<3) | |
404 #define CERTDB_TRUSTED_CA (1u<<4) /* trusted for issuing server certs */ | |
405 #define CERTDB_NS_TRUSTED_CA (1u<<5) | |
406 #define CERTDB_USER (1u<<6) | |
407 #define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */ | |
408 #define CERTDB_INVISIBLE_CA (1u<<8) /* don't show in UI */ | |
409 #define CERTDB_GOVT_APPROVED_CA (1u<<9) /* can do strong crypto in export ver */ | |
410 #define CERTDB_MUST_VERIFY (1u<<10) /* explicitly don't trust this cert */ | |
411 #define CERTDB_TRUSTED_UNKNOWN (1u<<11) /* accept trust from another source */ | |
412 | |
413 /* bits not affected by the CKO_NETSCAPE_TRUST object */ | |
414 #define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \ | |
415 CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \ | |
416 CERTDB_GOVT_APPROVED_CA) | |
417 | |
418 #endif /* _PCERTT_H_ */ |