Mercurial > trustbridge > nss-cmake-static

comparison nss/lib/certdb/cert.h @ 0:1e5118fa0cb1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:1e5118fa0cb1
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 /*
6 * cert.h - public data structures and prototypes for the certificate library
7 */
8
9 #ifndef _CERT_H_
10 #define _CERT_H_
11
12 #include "utilrename.h"
13 #include "plarena.h"
14 #include "plhash.h"
15 #include "prlong.h"
16 #include "prlog.h"
17
18 #include "seccomon.h"
19 #include "secdert.h"
20 #include "secoidt.h"
21 #include "keyt.h"
22 #include "certt.h"
23
24 SEC_BEGIN_PROTOS
25
26 /****************************************************************************
27 *
28 * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
29 *
30 ****************************************************************************/
31
32 /*
33 ** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
34 */
35 extern CERTName *CERT_AsciiToName(const char *string);
36
37 /*
38 ** Convert an CERTName into its RFC1485 encoded equivalent.
39 ** Returns a string that must be freed with PORT_Free().
40 ** This version produces a string for maximum human readability,
41 ** not for strict RFC compliance.
42 */
43 extern char *CERT_NameToAscii(CERTName *name);
44
45 /*
46 ** Convert an CERTName into its RFC1485 encoded equivalent.
47 ** Returns a string that must be freed with PORT_Free().
48 ** Caller chooses encoding rules.
49 */
50 extern char *CERT_NameToAsciiInvertible(CERTName *name,
51 CertStrictnessLevel strict);
52
53 extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
54
55 /* convert an OID to dotted-decimal representation */
56 /* Returns a string that must be freed with PR_smprintf_free(). */
57 extern char * CERT_GetOidString(const SECItem *oid);
58
59 /*
60 ** Examine an AVA and return the tag that refers to it. The AVA tags are
61 ** defined as SEC_OID_AVA*.
62 */
63 extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
64
65 /*
66 ** Compare two AVA's, returning the difference between them.
67 */
68 extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
69
70 /*
71 ** Create an RDN (relative-distinguished-name). The argument list is a
72 ** NULL terminated list of AVA's.
73 */
74 extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
75
76 /*
77 ** Make a copy of "src" storing it in "dest".
78 */
79 extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
80
81 /*
82 ** Add an AVA to an RDN.
83 ** "rdn" the RDN to add to
84 ** "ava" the AVA to add
85 */
86 extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
87
88 /*
89 ** Compare two RDN's, returning the difference between them.
90 */
91 extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b);
92
93 /*
94 ** Create an X.500 style name using a NULL terminated list of RDN's.
95 */
96 extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
97
98 /*
99 ** Make a copy of "src" storing it in "dest". Memory is allocated in
100 ** "dest" for each of the appropriate sub objects. Memory is not freed in
101 ** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
102 ** do that).
103 */
104 extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
105 const CERTName *src);
106
107 /*
108 ** Destroy a Name object.
109 ** "name" the CERTName to destroy
110 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
111 */
112 extern void CERT_DestroyName(CERTName *name);
113
114 /*
115 ** Add an RDN to a name.
116 ** "name" the name to add the RDN to
117 ** "rdn" the RDN to add to name
118 */
119 extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
120
121 /*
122 ** Compare two names, returning the difference between them.
123 */
124 extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);
125
126 /*
127 ** Convert a CERTName into something readable
128 */
129 extern char *CERT_FormatName (CERTName *name);
130
131 /*
132 ** Convert a der-encoded integer to a hex printable string form.
133 ** Perhaps this should be a SEC function but it's only used for certs.
134 */
135 extern char *CERT_Hexify (SECItem *i, int do_colon);
136
137 /*
138 ** Converts DER string (with explicit length) into zString, if destination
139 ** buffer is big enough to receive it. Does quoting and/or escaping as
140 ** specified in RFC 1485. Input string must be single or multi-byte DER
141 ** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set.
142 ** Returns SECSuccess or SECFailure with error code set. If output buffer
143 ** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
144 */
145 extern SECStatus
146 CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen);
147
148 /******************************************************************************
149 *
150 * Certificate handling operations
151 *
152 *****************************************************************************/
153
154 /*
155 ** Create a new validity object given two unix time values.
156 ** "notBefore" the time before which the validity is not valid
157 ** "notAfter" the time after which the validity is not valid
158 */
159 extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
160
161 /*
162 ** Destroy a validity object.
163 ** "v" the validity to destroy
164 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
165 */
166 extern void CERT_DestroyValidity(CERTValidity *v);
167
168 /*
169 ** Copy the "src" object to "dest". Memory is allocated in "dest" for
170 ** each of the appropriate sub-objects. Memory in "dest" is not freed
171 ** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
172 ** that).
173 */
174 extern SECStatus CERT_CopyValidity
175 (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src);
176
177 /*
178 ** The cert lib considers a cert or CRL valid if the "notBefore" time is
179 ** in the not-too-distant future, e.g. within the next 24 hours. This
180 ** prevents freshly issued certificates from being considered invalid
181 ** because the local system's time zone is incorrectly set.
182 ** The amount of "pending slop time" is adjustable by the application.
183 ** Units of SlopTime are seconds. Default is 86400 (24 hours).
184 ** Negative SlopTime values are not allowed.
185 */
186 PRInt32 CERT_GetSlopTime(void);
187
188 SECStatus CERT_SetSlopTime(PRInt32 slop);
189
190 /*
191 ** Create a new certificate object. The result must be wrapped with an
192 ** CERTSignedData to create a signed certificate.
193 ** "serialNumber" the serial number
194 ** "issuer" the name of the certificate issuer
195 ** "validity" the validity period of the certificate
196 ** "req" the certificate request that prompted the certificate issuance
197 */
198 extern CERTCertificate *
199 CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
200 CERTValidity *validity, CERTCertificateRequest *req);
201
202 /*
203 ** Destroy a certificate object
204 ** "cert" the certificate to destroy
205 ** NOTE: certificate's are reference counted. This call decrements the
206 ** reference count, and if the result is zero, then the object is destroyed
207 ** and optionally freed.
208 */
209 extern void CERT_DestroyCertificate(CERTCertificate *cert);
210
211 /*
212 ** Make a shallow copy of a certificate "c". Just increments the
213 ** reference count on "c".
214 */
215 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
216
217 /*
218 ** Create a new certificate request. This result must be wrapped with an
219 ** CERTSignedData to create a signed certificate request.
220 ** "name" the subject name (who the certificate request is from)
221 ** "spki" describes/defines the public key the certificate is for
222 ** "attributes" if non-zero, some optional attribute data
223 */
224 extern CERTCertificateRequest *
225 CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
226 SECItem **attributes);
227
228 /*
229 ** Destroy a certificate-request object
230 ** "r" the certificate-request to destroy
231 ** "freeit" if PR_TRUE then free the object as well as its sub-objects
232 */
233 extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
234
235 /*
236 ** Start adding extensions to a certificate request.
237 */
238 void *
239 CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
240
241 /*
242 ** Reformat the certificate extension list into a CertificateRequest
243 ** attribute list.
244 */
245 SECStatus
246 CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
247
248 /*
249 ** Extract the Extension Requests from a DER CertRequest attribute list.
250 */
251 SECStatus
252 CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
253 CERTCertExtension ***exts);
254
255 /*
256 ** Extract a public key object from a certificate
257 */
258 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
259
260 /*
261 ** Retrieve the Key Type associated with the cert we're dealing with
262 */
263
264 extern KeyType CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki);
265
266 /*
267 ** Initialize the certificate database. This is called to create
268 ** the initial list of certificates in the database.
269 */
270 extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
271
272 extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
273
274 /*
275 ** Default certificate database routines
276 */
277 extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
278
279 extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
280
281 extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
282 PRTime time,
283 SECCertUsage usage);
284 extern CERTCertificate *
285 CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
286 char *nickname, PRBool isperm, PRBool copyDER);
287
288
289 /******************************************************************************
290 *
291 * X.500 Name handling operations
292 *
293 *****************************************************************************/
294
295 /*
296 ** Create an AVA (attribute-value-assertion)
297 ** "arena" the memory arena to alloc from
298 ** "kind" is one of SEC_OID_AVA_*
299 ** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
300 ** DER_T61_STRING
301 ** "value" is the null terminated string containing the value
302 */
303 extern CERTAVA *CERT_CreateAVA
304 (PLArenaPool *arena, SECOidTag kind, int valueType, char *value);
305
306 /*
307 ** Extract the Distinguished Name from a DER encoded certificate
308 ** "derCert" is the DER encoded certificate
309 ** "derName" is the SECItem that the name is returned in
310 */
311 extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
312
313 /*
314 ** Extract the Issuers Distinguished Name from a DER encoded certificate
315 ** "derCert" is the DER encoded certificate
316 ** "derName" is the SECItem that the name is returned in
317 */
318 extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert,
319 SECItem *derName);
320
321 extern SECItem *
322 CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
323 PLArenaPool *arena);
324
325 extern CERTGeneralName *
326 CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
327 CERTGeneralName *genName);
328
329
330
331 /*
332 ** Generate a database search key for a certificate, based on the
333 ** issuer and serial number.
334 ** "arena" the memory arena to alloc from
335 ** "derCert" the DER encoded certificate
336 ** "key" the returned key
337 */
338 extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
339 SECItem *key);
340
341 extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
342 SECItem *sn, SECItem *key);
343
344 extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
345 SECItem *derName);
346
347
348 /*
349 ** Generate a database search key for a crl, based on the
350 ** issuer.
351 ** "arena" the memory arena to alloc from
352 ** "derCrl" the DER encoded crl
353 ** "key" the returned key
354 */
355 extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);
356
357 /*
358 ** Open the certificate database. Use callback to get name of database.
359 */
360 extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
361 CERTDBNameFunc namecb, void *cbarg);
362
363 /* Open the certificate database. Use given filename for database. */
364 extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
365 char *certdbname, PRBool readOnly);
366
367 /*
368 ** Open and initialize a cert database that is entirely in memory. This
369 ** can be used when the permanent database can not be opened or created.
370 */
371 extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
372
373 /*
374 ** Extract the list of host names, host name patters, IP address strings
375 ** this cert is valid for.
376 ** This function does NOT return nicknames.
377 ** Type CERTCertNicknames is being used because it's a convenient
378 ** data structure to carry a list of strings and its count.
379 */
380 extern CERTCertNicknames *
381 CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
382
383 /*
384 ** Check the hostname to make sure that it matches the shexp that
385 ** is given in the common name of the certificate.
386 */
387 extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
388 const char *hostname);
389
390 /*
391 ** Add a domain name to the list of names that the user has explicitly
392 ** allowed (despite cert name mismatches) for use with a server cert.
393 */
394 extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
395
396 /*
397 ** Decode a DER encoded certificate into an CERTCertificate structure
398 ** "derSignedCert" is the DER encoded signed certificate
399 ** "copyDER" is true if the DER should be copied, false if the
400 ** existing copy should be referenced
401 ** "nickname" is the nickname to use in the database. If it is NULL
402 ** then a temporary nickname is generated.
403 */
404 extern CERTCertificate *
405 CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
406 /*
407 ** Decode a DER encoded CRL into a CERTSignedCrl structure
408 ** "derSignedCrl" is the DER encoded signed CRL.
409 ** "type" must be SEC_CRL_TYPE.
410 */
411 #define SEC_CRL_TYPE 1
412 #define SEC_KRL_TYPE 0 /* deprecated */
413
414 extern CERTSignedCrl *
415 CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
416
417 /*
418 * same as CERT_DecodeDERCrl, plus allow options to be passed in
419 */
420
421 extern CERTSignedCrl *
422 CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
423 int type, PRInt32 options);
424
425 /* CRL options to pass */
426
427 #define CRL_DECODE_DEFAULT_OPTIONS 0x00000000
428
429 /* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
430 application must then keep derSignedCrl until it destroys the
431 CRL . Ideally, it should allocate derSignedCrl in an arena
432 and pass that arena in as the first argument to
433 CERT_DecodeDERCrlWithFlags */
434
435 #define CRL_DECODE_DONT_COPY_DER 0x00000001
436 #define CRL_DECODE_SKIP_ENTRIES 0x00000002
437 #define CRL_DECODE_KEEP_BAD_CRL 0x00000004
438 #define CRL_DECODE_ADOPT_HEAP_DER 0x00000008
439
440 /* complete the decoding of a partially decoded CRL, ie. decode the
441 entries. Note that entries is an optional field in a CRL, so the
442 "entries" pointer in CERTCrlStr may still be NULL even after
443 function returns SECSuccess */
444
445 extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
446
447 /* Validate CRL then import it to the dbase. If there is already a CRL with the
448 * same CA in the dbase, it will be replaced if derCRL is more up to date.
449 * If the process successes, a CRL will be returned. Otherwise, a NULL will
450 * be returned. The caller should call PORT_GetError() for the exactly error
451 * code.
452 */
453 extern CERTSignedCrl *
454 CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url,
455 int type, void * wincx);
456
457 extern void CERT_DestroyCrl (CERTSignedCrl *crl);
458
459 /* this is a hint to flush the CRL cache. crlKey is the DER subject of
460 the issuer (CA). */
461 void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
462
463 /* add the specified DER CRL object to the CRL cache. Doing so will allow
464 certificate verification functions (such as CERT_VerifyCertificate)
465 to automatically find and make use of this CRL object.
466 Once a CRL is added to the CRL cache, the application must hold on to
467 the object's memory, because the cache will reference it directly. The
468 application can only free the object after it calls CERT_UncacheCRL to
469 remove it from the CRL cache.
470 */
471 SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
472
473 /* remove a previously added CRL object from the CRL cache. It is OK
474 for the application to free the memory after a successful removal
475 */
476 SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
477
478 /*
479 ** Find a certificate in the database
480 ** "key" is the database key to look for
481 */
482 extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
483
484 /*
485 ** Find a certificate in the database by name
486 ** "name" is the distinguished name to look up
487 */
488 extern CERTCertificate *
489 CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
490
491 /*
492 ** Find a certificate in the database by name
493 ** "name" is the distinguished name to look up (in ascii)
494 */
495 extern CERTCertificate *
496 CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
497
498 /*
499 ** Find a certificate in the database by name and keyid
500 ** "name" is the distinguished name to look up
501 ** "keyID" is the value of the subjectKeyID to match
502 */
503 extern CERTCertificate *
504 CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
505
506 /*
507 ** Generate a certificate key from the issuer and serialnumber, then look it
508 ** up in the database. Return the cert if found.
509 ** "issuerAndSN" is the issuer and serial number to look for
510 */
511 extern CERTCertificate *
512 CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
513
514 /*
515 ** Find a certificate in the database by a subject key ID
516 ** "subjKeyID" is the subject Key ID to look for
517 */
518 extern CERTCertificate *
519 CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
520
521 /*
522 ** Encode Certificate SKID (Subject Key ID) extension.
523 **
524 */
525 extern SECStatus
526 CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
527 SECItem *encodedValue);
528
529 /*
530 ** Find a certificate in the database by a nickname
531 ** "nickname" is the ascii string nickname to look for
532 */
533 extern CERTCertificate *
534 CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);
535
536 /*
537 ** Find a certificate in the database by a DER encoded certificate
538 ** "derCert" is the DER encoded certificate
539 */
540 extern CERTCertificate *
541 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
542
543 /*
544 ** Find a certificate in the database by a email address
545 ** "emailAddr" is the email address to look up
546 */
547 CERTCertificate *
548 CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
549
550 /*
551 ** Find a certificate in the database by a email address or nickname
552 ** "name" is the email address or nickname to look up
553 */
554 CERTCertificate *
555 CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);
556
557 /*
558 ** Find a certificate in the database by a email address or nickname
559 ** and require it to have the given usage.
560 ** "name" is the email address or nickname to look up
561 */
562 CERTCertificate *
563 CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
564 const char *name,
565 SECCertUsage lookingForUsage);
566
567 /*
568 ** Find a certificate in the database by a digest of a subject public key
569 ** "spkDigest" is the digest to look up
570 */
571 extern CERTCertificate *
572 CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
573
574 /*
575 * Find the issuer of a cert
576 */
577 CERTCertificate *
578 CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);
579
580 /*
581 ** Check the validity times of a certificate vs. time 't', allowing
582 ** some slop for broken clocks and stuff.
583 ** "cert" is the certificate to be checked
584 ** "t" is the time to check against
585 ** "allowOverride" if true then check to see if the invalidity has
586 ** been overridden by the user.
587 */
588 extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
589 PRTime t,
590 PRBool allowOverride);
591
592 /*
593 ** WARNING - this function is deprecated, and will either go away or have
594 ** a new API in the near future.
595 **
596 ** Check the validity times of a certificate vs. the current time, allowing
597 ** some slop for broken clocks and stuff.
598 ** "cert" is the certificate to be checked
599 */
600 extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
601
602 /*
603 ** Extract the validity times from a certificate
604 ** "c" is the certificate
605 ** "notBefore" is the start of the validity period
606 ** "notAfter" is the end of the validity period
607 */
608 extern SECStatus
609 CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore,
610 PRTime *notAfter);
611
612 /*
613 ** Extract the issuer and serial number from a certificate
614 */
615 extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *,
616 CERTCertificate *);
617
618 /*
619 ** verify the signature of a signed data object with a given certificate
620 ** "sd" the signed data object to be verified
621 ** "cert" the certificate to use to check the signature
622 */
623 extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
624 CERTCertificate *cert,
625 PRTime t,
626 void *wincx);
627 /*
628 ** verify the signature of a signed data object with the given DER publickey
629 */
630 extern SECStatus
631 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
632 CERTSubjectPublicKeyInfo *pubKeyInfo,
633 void *wincx);
634
635 /*
636 ** verify the signature of a signed data object with a SECKEYPublicKey.
637 */
638 extern SECStatus
639 CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
640 SECKEYPublicKey *pubKey, void *wincx);
641
642 /*
643 ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
644 ** verify a certificate by checking validity times against a certain time,
645 ** that we trust the issuer, and that the signature on the certificate is
646 ** valid.
647 ** "cert" the certificate to verify
648 ** "checkSig" only check signatures if true
649 */
650 extern SECStatus
651 CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
652 PRBool checkSig, SECCertificateUsage requiredUsages,
653 PRTime t, void *wincx, CERTVerifyLog *log,
654 SECCertificateUsage* returnedUsages);
655
656 /* same as above, but uses current time */
657 extern SECStatus
658 CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
659 PRBool checkSig, SECCertificateUsage requiredUsages,
660 void *wincx, SECCertificateUsage* returnedUsages);
661
662 /*
663 ** Verify that a CA cert can certify some (unspecified) leaf cert for a given
664 ** purpose. This is used by UI code to help identify where a chain may be
665 ** broken and why. This takes identical parameters to CERT_VerifyCert
666 */
667 extern SECStatus
668 CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
669 PRBool checkSig, SECCertUsage certUsage, PRTime t,
670 void *wincx, CERTVerifyLog *log);
671
672 /*
673 ** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
674 ** verify a certificate by checking validity times against a certain time,
675 ** that we trust the issuer, and that the signature on the certificate is
676 ** valid.
677 ** "cert" the certificate to verify
678 ** "checkSig" only check signatures if true
679 */
680 extern SECStatus
681 CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
682 PRBool checkSig, SECCertUsage certUsage, PRTime t,
683 void *wincx, CERTVerifyLog *log);
684
685 /* same as above, but uses current time */
686 extern SECStatus
687 CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
688 PRBool checkSig, SECCertUsage certUsage, void *wincx);
689
690 SECStatus
691 CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
692 PRBool checkSig, SECCertUsage certUsage, PRTime t,
693 void *wincx, CERTVerifyLog *log);
694
695 /*
696 ** Read a base64 ascii encoded DER certificate and convert it to our
697 ** internal format.
698 ** "certstr" is a null-terminated string containing the certificate
699 */
700 extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
701
702 /*
703 ** Read a certificate in some foreign format, and convert it to our
704 ** internal format.
705 ** "certbuf" is the buffer containing the certificate
706 ** "certlen" is the length of the buffer
707 ** NOTE - currently supports netscape base64 ascii encoded raw certs
708 ** and netscape binary DER typed files.
709 */
710 extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
711
712 extern SECStatus
713 CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
714
715 extern SECStatus
716 CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
717
718 /*
719 ** Read a certificate chain in some foreign format, and pass it to a
720 ** callback function.
721 ** "certbuf" is the buffer containing the certificate
722 ** "certlen" is the length of the buffer
723 ** "f" is the callback function
724 ** "arg" is the callback argument
725 */
726 typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
727 (void *arg, SECItem **certs, int numcerts);
728
729 extern SECStatus
730 CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
731 void *arg);
732
733 /*
734 ** Returns the value of an AVA. This was a formerly static
735 ** function that has been exposed due to the need to decode
736 ** and convert unicode strings to UTF8.
737 **
738 ** XXX This function resides in certhtml.c, should it be
739 ** moved elsewhere?
740 */
741 extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
742
743
744
745 /*
746 ** extract various element strings from a distinguished name.
747 ** "name" the distinguished name
748 */
749
750 extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
751
752 extern char *CERT_GetCertEmailAddress(const CERTName *name);
753
754 extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
755
756 extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert,
757 const char * prev);
758
759 /* The return value must be freed with PORT_Free. */
760 extern char *CERT_GetCommonName(const CERTName *name);
761
762 extern char *CERT_GetCountryName(const CERTName *name);
763
764 extern char *CERT_GetLocalityName(const CERTName *name);
765
766 extern char *CERT_GetStateName(const CERTName *name);
767
768 extern char *CERT_GetOrgName(const CERTName *name);
769
770 extern char *CERT_GetOrgUnitName(const CERTName *name);
771
772 extern char *CERT_GetDomainComponentName(const CERTName *name);
773
774 extern char *CERT_GetCertUid(const CERTName *name);
775
776 /* manipulate the trust parameters of a certificate */
777
778 extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
779 CERTCertTrust *trust);
780
781 extern SECStatus
782 CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
783 CERTCertTrust *trust);
784
785 extern SECStatus
786 CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
787 SECCertUsage usage);
788
789 /*************************************************************************
790 *
791 * manipulate the extensions of a certificate
792 *
793 ************************************************************************/
794
795 /*
796 ** Set up a cert for adding X509v3 extensions. Returns an opaque handle
797 ** used by the next two routines.
798 ** "cert" is the certificate we are adding extensions to
799 */
800 extern void *CERT_StartCertExtensions(CERTCertificate *cert);
801
802 /*
803 ** Add an extension to a certificate.
804 ** "exthandle" is the handle returned by the previous function
805 ** "idtag" is the integer tag for the OID that should ID this extension
806 ** "value" is the value of the extension
807 ** "critical" is the critical extension flag
808 ** "copyData" is a flag indicating whether the value data should be
809 ** copied.
810 */
811 extern SECStatus CERT_AddExtension (void *exthandle, int idtag,
812 SECItem *value, PRBool critical, PRBool copyData);
813
814 extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
815 SECItem *value, PRBool critical, PRBool copyData);
816
817 extern SECStatus CERT_EncodeAndAddExtension
818 (void *exthandle, int idtag, void *value, PRBool critical,
819 const SEC_ASN1Template *atemplate);
820
821 extern SECStatus CERT_EncodeAndAddBitStrExtension
822 (void *exthandle, int idtag, SECItem *value, PRBool critical);
823
824
825 extern SECStatus
826 CERT_EncodeAltNameExtension(PLArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue);
827
828
829 /*
830 ** Finish adding cert extensions. Does final processing on extension
831 ** data, putting it in the right format, and freeing any temporary
832 ** storage.
833 ** "exthandle" is the handle used to add extensions to a certificate
834 */
835 extern SECStatus CERT_FinishExtensions(void *exthandle);
836
837 /*
838 ** Merge an external list of extensions into a cert's extension list, adding one
839 ** only when its OID matches none of the cert's existing extensions. Call this
840 ** immediately before calling CERT_FinishExtensions().
841 */
842 SECStatus
843 CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
844
845 /* If the extension is found, return its criticality and value.
846 ** This allocate storage for the returning extension value.
847 */
848 extern SECStatus CERT_GetExtenCriticality
849 (CERTCertExtension **extensions, int tag, PRBool *isCritical);
850
851 extern void
852 CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
853
854 /****************************************************************************
855 *
856 * DER encode and decode extension values
857 *
858 ****************************************************************************/
859
860 /* Encode the value of the basicConstraint extension.
861 ** arena - where to allocate memory for the encoded value.
862 ** value - extension value to encode
863 ** encodedValue - output encoded value
864 */
865 extern SECStatus CERT_EncodeBasicConstraintValue
866 (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
867
868 /*
869 ** Encode the value of the authorityKeyIdentifier extension.
870 */
871 extern SECStatus CERT_EncodeAuthKeyID
872 (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
873
874 /*
875 ** Encode the value of the crlDistributionPoints extension.
876 */
877 extern SECStatus CERT_EncodeCRLDistributionPoints
878 (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
879
880 /*
881 ** Decodes a DER encoded basicConstaint extension value into a readable format
882 ** value - decoded value
883 ** encodedValue - value to decoded
884 */
885 extern SECStatus CERT_DecodeBasicConstraintValue
886 (CERTBasicConstraints *value, const SECItem *encodedValue);
887
888 /* Decodes a DER encoded authorityKeyIdentifier extension value into a
889 ** readable format.
890 ** arena - where to allocate memory for the decoded value
891 ** encodedValue - value to be decoded
892 ** Returns a CERTAuthKeyID structure which contains the decoded value
893 */
894 extern CERTAuthKeyID *CERT_DecodeAuthKeyID
895 (PLArenaPool *arena, const SECItem *encodedValue);
896
897 /* Decodes a DER encoded crlDistributionPoints extension value into a
898 ** readable format.
899 ** arena - where to allocate memory for the decoded value
900 ** der - value to be decoded
901 ** Returns a CERTCrlDistributionPoints structure which contains the
902 ** decoded value
903 */
904 extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
905 (PLArenaPool *arena, SECItem *der);
906
907 /* Extract certain name type from a generalName */
908 extern void *CERT_GetGeneralNameByType
909 (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
910
911
912 extern CERTOidSequence *
913 CERT_DecodeOidSequence(const SECItem *seqItem);
914
915
916
917
918 /****************************************************************************
919 *
920 * Find extension values of a certificate
921 *
922 ***************************************************************************/
923
924 extern SECStatus CERT_FindCertExtension
925 (const CERTCertificate *cert, int tag, SECItem *value);
926
927 extern SECStatus CERT_FindNSCertTypeExtension
928 (CERTCertificate *cert, SECItem *value);
929
930 extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
931
932 extern SECStatus CERT_FindIssuerCertExtension
933 (CERTCertificate *cert, int tag, SECItem *value);
934
935 extern SECStatus CERT_FindCertExtensionByOID
936 (CERTCertificate *cert, SECItem *oid, SECItem *value);
937
938 extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag,
939 int catag);
940
941 /* Returns the decoded value of the authKeyID extension.
942 ** Note that this uses passed in the arena to allocate storage for the result
943 */
944 extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
945
946 /* Returns the decoded value of the basicConstraint extension.
947 */
948 extern SECStatus CERT_FindBasicConstraintExten
949 (CERTCertificate *cert, CERTBasicConstraints *value);
950
951 /* Returns the decoded value of the crlDistributionPoints extension.
952 ** Note that the arena in cert is used to allocate storage for the result
953 */
954 extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
955 (CERTCertificate *cert);
956
957 /* Returns value of the keyUsage extension. This uses PR_Alloc to allocate
958 ** buffer for the decoded value. The caller should free up the storage
959 ** allocated in value->data.
960 */
961 extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert,
962 SECItem *value);
963
964 /* Return the decoded value of the subjectKeyID extension. The caller should
965 ** free up the storage allocated in retItem->data.
966 */
967 extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert,
968 SECItem *retItem);
969
970 /*
971 ** If cert is a v3 certificate, and a critical keyUsage extension is included,
972 ** then check the usage against the extension value. If a non-critical
973 ** keyUsage extension is included, this will return SECSuccess without
974 ** checking, since the extension is an advisory field, not a restriction.
975 ** If cert is not a v3 certificate, this will return SECSuccess.
976 ** cert - certificate
977 ** usage - one of the x.509 v3 the Key Usage Extension flags
978 */
979 extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert,
980 unsigned char usage);
981
982 /****************************************************************************
983 *
984 * CRL v2 Extensions supported routines
985 *
986 ****************************************************************************/
987
988 extern SECStatus CERT_FindCRLExtensionByOID
989 (CERTCrl *crl, SECItem *oid, SECItem *value);
990
991 extern SECStatus CERT_FindCRLExtension
992 (CERTCrl *crl, int tag, SECItem *value);
993
994 extern SECStatus
995 CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value);
996
997 /*
998 ** Set up a crl for adding X509v3 extensions. Returns an opaque handle
999 ** used by routines that take an exthandle (void*) argument .
1000 ** "crl" is the CRL we are adding extensions to
1001 */
1002 extern void *CERT_StartCRLExtensions(CERTCrl *crl);
1003
1004 /*
1005 ** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle
1006 ** used by routines that take an exthandle (void*) argument .
1007 ** "crl" is the crl we are adding certs entries to
1008 ** "entry" is the crl entry we are adding extensions to
1009 */
1010 extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
1011
1012 extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
1013 int what, void *wincx);
1014
1015 /*
1016 ** Finds the crlNumber extension and decodes its value into 'value'
1017 */
1018 extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
1019 SECItem *value);
1020
1021 extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
1022 CERTCRLEntryReasonCode *value);
1023
1024 extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
1025
1026 extern PRBool CERT_CompareCerts(const CERTCertificate *c1,
1027 const CERTCertificate *c2);
1028
1029 extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
1030 CERTCertificate *c2);
1031
1032 /*
1033 ** Generate an array of the Distinguished Names that the given cert database
1034 ** "trusts"
1035 */
1036 extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
1037
1038 extern void CERT_FreeDistNames(CERTDistNames *names);
1039
1040 /* Duplicate distinguished name array */
1041 extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig);
1042
1043 /*
1044 ** Generate an array of Distinguished names from an array of nicknames
1045 */
1046 extern CERTDistNames *CERT_DistNamesFromNicknames
1047 (CERTCertDBHandle *handle, char **nicknames, int nnames);
1048
1049 /*
1050 ** Generate an array of Distinguished names from a list of certs.
1051 */
1052 extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list);
1053
1054 /*
1055 ** Generate a certificate chain from a certificate.
1056 */
1057 extern CERTCertificateList *
1058 CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
1059 PRBool includeRoot);
1060
1061 extern CERTCertificateList *
1062 CERT_CertListFromCert(CERTCertificate *cert);
1063
1064 extern CERTCertificateList *
1065 CERT_DupCertList(const CERTCertificateList * oldList);
1066
1067 extern void CERT_DestroyCertificateList(CERTCertificateList *list);
1068
1069 /*
1070 ** is cert a user cert? i.e. does it have CERTDB_USER trust,
1071 ** i.e. a private key?
1072 */
1073 PRBool CERT_IsUserCert(CERTCertificate* cert);
1074
1075 /* is cert a newer than cert b? */
1076 PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
1077
1078 /* currently a stub for address book */
1079 PRBool
1080 CERT_IsCertRevoked(CERTCertificate *cert);
1081
1082 void
1083 CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
1084
1085 /* convert an email address to lower case */
1086 char *CERT_FixupEmailAddr(const char *emailAddr);
1087
1088 /* decode string representation of trust flags into trust struct */
1089 SECStatus
1090 CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts);
1091
1092 /* encode trust struct into string representation of trust flags */
1093 char *
1094 CERT_EncodeTrustString(CERTCertTrust *trust);
1095
1096 /* find the next or prev cert in a subject list */
1097 CERTCertificate *
1098 CERT_PrevSubjectCert(CERTCertificate *cert);
1099 CERTCertificate *
1100 CERT_NextSubjectCert(CERTCertificate *cert);
1101
1102 /*
1103 * import a collection of certs into the temporary or permanent cert
1104 * database
1105 */
1106 SECStatus
1107 CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
1108 unsigned int ncerts, SECItem **derCerts,
1109 CERTCertificate ***retCerts, PRBool keepCerts,
1110 PRBool caOnly, char *nickname);
1111
1112 char *
1113 CERT_MakeCANickname(CERTCertificate *cert);
1114
1115 PRBool
1116 CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
1117
1118 PRBool
1119 CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
1120
1121 PRBool
1122 CERT_IsRootDERCert(SECItem *derCert);
1123
1124 SECStatus
1125 CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
1126 SECItem *profileTime);
1127
1128 /*
1129 * find the smime symmetric capabilities profile for a given cert
1130 */
1131 SECItem *
1132 CERT_FindSMimeProfile(CERTCertificate *cert);
1133
1134 SECStatus
1135 CERT_AddNewCerts(CERTCertDBHandle *handle);
1136
1137 CERTCertificatePolicies *
1138 CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue);
1139
1140 void
1141 CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
1142
1143 CERTCertificatePolicyMappings *
1144 CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
1145
1146 SECStatus
1147 CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
1148
1149 SECStatus
1150 CERT_DecodePolicyConstraintsExtension(
1151 CERTCertificatePolicyConstraints *decodedValue,
1152 const SECItem *encodedValue);
1153
1154 SECStatus CERT_DecodeInhibitAnyExtension
1155 (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
1156
1157 CERTUserNotice *
1158 CERT_DecodeUserNotice(SECItem *noticeItem);
1159
1160 extern CERTGeneralName *
1161 CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
1162
1163 extern CERTNameConstraints *
1164 CERT_DecodeNameConstraintsExtension(PLArenaPool *arena,
1165 const SECItem *encodedConstraints);
1166
1167 /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
1168 extern CERTAuthInfoAccess **
1169 CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
1170 SECItem *encodedExtension);
1171
1172 extern CERTPrivKeyUsagePeriod *
1173 CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
1174
1175 extern CERTGeneralName *
1176 CERT_GetNextGeneralName(CERTGeneralName *current);
1177
1178 extern CERTGeneralName *
1179 CERT_GetPrevGeneralName(CERTGeneralName *current);
1180
1181 CERTNameConstraint *
1182 CERT_GetNextNameConstraint(CERTNameConstraint *current);
1183
1184 CERTNameConstraint *
1185 CERT_GetPrevNameConstraint(CERTNameConstraint *current);
1186
1187 void
1188 CERT_DestroyUserNotice(CERTUserNotice *userNotice);
1189
1190 typedef char * (* CERTPolicyStringCallback)(char *org,
1191 unsigned long noticeNumber,
1192 void *arg);
1193 void
1194 CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
1195
1196 char *
1197 CERT_GetCertCommentString(CERTCertificate *cert);
1198
1199 PRBool
1200 CERT_GovtApprovedBitSet(CERTCertificate *cert);
1201
1202 SECStatus
1203 CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
1204
1205 CERTCertList *
1206 CERT_MatchUserCert(CERTCertDBHandle *handle,
1207 SECCertUsage usage,
1208 int nCANames, char **caNames,
1209 void *proto_win);
1210
1211 CERTCertList *
1212 CERT_NewCertList(void);
1213
1214 /* free the cert list and all the certs in the list */
1215 void
1216 CERT_DestroyCertList(CERTCertList *certs);
1217
1218 /* remove the node and free the cert */
1219 void
1220 CERT_RemoveCertListNode(CERTCertListNode *node);
1221
1222 /* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
1223 SECStatus
1224 CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
1225
1226 /* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
1227 SECStatus
1228 CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
1229
1230 /*
1231 * The new cert list node takes ownership of "cert". "cert" is freed
1232 * when the list node is removed.
1233 */
1234 SECStatus
1235 CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
1236 void *appData);
1237
1238 /*
1239 * The new cert list node takes ownership of "cert". "cert" is freed
1240 * when the list node is removed.
1241 */
1242 SECStatus
1243 CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
1244 void *appData);
1245
1246 typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
1247 CERTCertificate *certb,
1248 void *arg);
1249 SECStatus
1250 CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
1251 CERTSortCallback f, void *arg);
1252
1253 /* callback for CERT_AddCertToListSorted that sorts based on validity
1254 * period and a given time.
1255 */
1256 PRBool
1257 CERT_SortCBValidity(CERTCertificate *certa,
1258 CERTCertificate *certb,
1259 void *arg);
1260
1261 SECStatus
1262 CERT_CheckForEvilCert(CERTCertificate *cert);
1263
1264 CERTGeneralName *
1265 CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
1266
1267 CERTGeneralName *
1268 CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
1269 PLArenaPool *arena,
1270 PRBool includeSubjectCommonName);
1271
1272 /*
1273 * Creates or adds to a list of all certs with a give subject name, sorted by
1274 * validity time, newest first. Invalid certs are considered older than
1275 * valid certs. If validOnly is set, do not include invalid certs on list.
1276 */
1277 CERTCertList *
1278 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1279 const SECItem *name, PRTime sorttime,
1280 PRBool validOnly);
1281
1282 /*
1283 * remove certs from a list that don't have keyUsage and certType
1284 * that match the given usage.
1285 */
1286 SECStatus
1287 CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
1288 PRBool ca);
1289
1290 /*
1291 * check the key usage of a cert against a set of required values
1292 */
1293 SECStatus
1294 CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
1295
1296 /*
1297 * return required key usage and cert type based on cert usage
1298 */
1299 SECStatus
1300 CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
1301 PRBool ca,
1302 unsigned int *retKeyUsage,
1303 unsigned int *retCertType);
1304 /*
1305 * return required trust flags for various cert usages for CAs
1306 */
1307 SECStatus
1308 CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
1309 unsigned int *retFlags,
1310 SECTrustType *retTrustType);
1311
1312 /*
1313 * Find all user certificates that match the given criteria.
1314 *
1315 * "handle" - database to search
1316 * "usage" - certificate usage to match
1317 * "oneCertPerName" - if set then only return the "best" cert per
1318 * name
1319 * "validOnly" - only return certs that are curently valid
1320 * "proto_win" - window handle passed to pkcs11
1321 */
1322 CERTCertList *
1323 CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
1324 SECCertUsage usage,
1325 PRBool oneCertPerName,
1326 PRBool validOnly,
1327 void *proto_win);
1328
1329 /*
1330 * Find a user certificate that matchs the given criteria.
1331 *
1332 * "handle" - database to search
1333 * "nickname" - nickname to match
1334 * "usage" - certificate usage to match
1335 * "validOnly" - only return certs that are curently valid
1336 * "proto_win" - window handle passed to pkcs11
1337 */
1338 CERTCertificate *
1339 CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
1340 const char *nickname,
1341 SECCertUsage usage,
1342 PRBool validOnly,
1343 void *proto_win);
1344
1345 /*
1346 * Filter a list of certificates, removing those certs that do not have
1347 * one of the named CA certs somewhere in their cert chain.
1348 *
1349 * "certList" - the list of certificates to filter
1350 * "nCANames" - number of CA names
1351 * "caNames" - array of CA names in string(rfc 1485) form
1352 * "usage" - what use the certs are for, this is used when
1353 * selecting CA certs
1354 */
1355 SECStatus
1356 CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
1357 char **caNames, SECCertUsage usage);
1358
1359 /*
1360 * Filter a list of certificates, removing those certs that aren't user certs
1361 */
1362 SECStatus
1363 CERT_FilterCertListForUserCerts(CERTCertList *certList);
1364
1365 /*
1366 * Collect the nicknames from all certs in a CertList. If the cert is not
1367 * valid, append a string to that nickname.
1368 *
1369 * "certList" - the list of certificates
1370 * "expiredString" - the string to append to the nickname of any expired cert
1371 * "notYetGoodString" - the string to append to the nickname of any cert
1372 * that is not yet valid
1373 */
1374 CERTCertNicknames *
1375 CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
1376 char *notYetGoodString);
1377
1378 /*
1379 * Extract the nickname from a nickmake string that may have either
1380 * expiredString or notYetGoodString appended.
1381 *
1382 * Args:
1383 * "namestring" - the string containing the nickname, and possibly
1384 * one of the validity label strings
1385 * "expiredString" - the expired validity label string
1386 * "notYetGoodString" - the not yet good validity label string
1387 *
1388 * Returns the raw nickname
1389 */
1390 char *
1391 CERT_ExtractNicknameString(char *namestring, char *expiredString,
1392 char *notYetGoodString);
1393
1394 /*
1395 * Given a certificate, return a string containing the nickname, and possibly
1396 * one of the validity strings, based on the current validity state of the
1397 * certificate.
1398 *
1399 * "arena" - arena to allocate returned string from. If NULL, then heap
1400 * is used.
1401 * "cert" - the cert to get nickname from
1402 * "expiredString" - the string to append to the nickname if the cert is
1403 * expired.
1404 * "notYetGoodString" - the string to append to the nickname if the cert is
1405 * not yet good.
1406 */
1407 char *
1408 CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
1409 char *expiredString, char *notYetGoodString);
1410
1411 /*
1412 * Return the string representation of a DER encoded distinguished name
1413 * "dername" - The DER encoded name to convert
1414 */
1415 char *
1416 CERT_DerNameToAscii(SECItem *dername);
1417
1418 /*
1419 * Supported usage values and types:
1420 * certUsageSSLClient
1421 * certUsageSSLServer
1422 * certUsageSSLServerWithStepUp
1423 * certUsageEmailSigner
1424 * certUsageEmailRecipient
1425 * certUsageObjectSigner
1426 */
1427
1428 CERTCertificate *
1429 CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
1430 CERTCertOwner owner, SECCertUsage usage,
1431 PRBool preferTrusted, PRTime validTime, PRBool validOnly);
1432
1433 /*
1434 * Acquire the global lock on the cert database.
1435 * This lock is currently used for the following operations:
1436 * adding or deleting a cert to either the temp or perm databases
1437 * converting a temp to perm or perm to temp
1438 * changing(maybe just adding?) the trust of a cert
1439 * adjusting the reference count of a cert
1440 */
1441 void
1442 CERT_LockDB(CERTCertDBHandle *handle);
1443
1444 /*
1445 * Free the global cert database lock.
1446 */
1447 void
1448 CERT_UnlockDB(CERTCertDBHandle *handle);
1449
1450 /*
1451 * Get the certificate status checking configuratino data for
1452 * the certificate database
1453 */
1454 CERTStatusConfig *
1455 CERT_GetStatusConfig(CERTCertDBHandle *handle);
1456
1457 /*
1458 * Set the certificate status checking information for the
1459 * database. The input structure becomes part of the certificate
1460 * database and will be freed by calling the 'Destroy' function in
1461 * the configuration object.
1462 */
1463 void
1464 CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
1465
1466
1467
1468 /*
1469 * Acquire the cert reference count lock
1470 * There is currently one global lock for all certs, but I'm putting a cert
1471 * arg here so that it will be easy to make it per-cert in the future if
1472 * that turns out to be necessary.
1473 */
1474 void
1475 CERT_LockCertRefCount(CERTCertificate *cert);
1476
1477 /*
1478 * Free the cert reference count lock
1479 */
1480 void
1481 CERT_UnlockCertRefCount(CERTCertificate *cert);
1482
1483 /*
1484 * Acquire the cert trust lock
1485 * There is currently one global lock for all certs, but I'm putting a cert
1486 * arg here so that it will be easy to make it per-cert in the future if
1487 * that turns out to be necessary.
1488 */
1489 void
1490 CERT_LockCertTrust(const CERTCertificate *cert);
1491
1492 /*
1493 * Free the cert trust lock
1494 */
1495 void
1496 CERT_UnlockCertTrust(const CERTCertificate *cert);
1497
1498 /*
1499 * Digest the cert's subject public key using the specified algorithm.
1500 * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
1501 * the tag, length, and number of unused bits) rather than the whole
1502 * subjectPublicKeyInfo field.
1503 *
1504 * The necessary storage for the digest data is allocated. If "fill" is
1505 * non-null, the data is put there, otherwise a SECItem is allocated.
1506 * Allocation from "arena" if it is non-null, heap otherwise. Any problem
1507 * results in a NULL being returned (and an appropriate error set).
1508 */
1509 extern SECItem *
1510 CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
1511 SECOidTag digestAlg, SECItem *fill);
1512
1513 /*
1514 * Digest the cert's subject name using the specified algorithm.
1515 */
1516 extern SECItem *
1517 CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
1518 SECOidTag digestAlg, SECItem *fill);
1519
1520 SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
1521 const SECItem* dp, PRTime t, void* wincx);
1522
1523
1524 /*
1525 * Add a CERTNameConstraint to the CERTNameConstraint list
1526 */
1527 extern CERTNameConstraint *
1528 CERT_AddNameConstraint(CERTNameConstraint *list,
1529 CERTNameConstraint *constraint);
1530
1531 /*
1532 * Allocate space and copy CERTNameConstraint from src to dest.
1533 * Arena is used to allocate result(if dest eq NULL) and its members
1534 * SECItem data.
1535 */
1536 extern CERTNameConstraint *
1537 CERT_CopyNameConstraint(PLArenaPool *arena,
1538 CERTNameConstraint *dest,
1539 CERTNameConstraint *src);
1540
1541 /*
1542 * Verify name against all the constraints relevant to that type of
1543 * the name.
1544 */
1545 extern SECStatus
1546 CERT_CheckNameSpace(PLArenaPool *arena,
1547 const CERTNameConstraints *constraints,
1548 const CERTGeneralName *currentName);
1549
1550 /*
1551 * Extract and allocate the name constraints extension from the CA cert.
1552 */
1553 extern SECStatus
1554 CERT_FindNameConstraintsExten(PLArenaPool *arena,
1555 CERTCertificate *cert,
1556 CERTNameConstraints **constraints);
1557
1558 /*
1559 * Initialize a new GERTGeneralName fields (link)
1560 */
1561 extern CERTGeneralName *
1562 CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type);
1563
1564 /*
1565 * PKIX extension encoding routines
1566 */
1567 extern SECStatus
1568 CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
1569 CERTCertificatePolicyConstraints *constr,
1570 SECItem *dest);
1571 extern SECStatus
1572 CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
1573 CERTCertificateInhibitAny *inhibitAny,
1574 SECItem *dest);
1575 extern SECStatus
1576 CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
1577 CERTCertificatePolicyMappings *maps,
1578 SECItem *dest);
1579
1580 extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
1581 CERTAuthInfoAccess **info,
1582 SECItem *dest);
1583 extern SECStatus
1584 CERT_EncodeUserNotice(PLArenaPool *arena,
1585 CERTUserNotice *notice,
1586 SECItem *dest);
1587
1588 extern SECStatus
1589 CERT_EncodeDisplayText(PLArenaPool *arena,
1590 SECItem *text,
1591 SECItem *dest);
1592
1593 extern SECStatus
1594 CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
1595 CERTPolicyInfo **info,
1596 SECItem *dest);
1597 extern SECStatus
1598 CERT_EncodeNoticeReference(PLArenaPool *arena,
1599 CERTNoticeReference *reference,
1600 SECItem *dest);
1601
1602 /*
1603 * Returns a pointer to a static structure.
1604 */
1605 extern const CERTRevocationFlags*
1606 CERT_GetPKIXVerifyNistRevocationPolicy(void);
1607
1608 /*
1609 * Returns a pointer to a static structure.
1610 */
1611 extern const CERTRevocationFlags*
1612 CERT_GetClassicOCSPEnabledSoftFailurePolicy(void);
1613
1614 /*
1615 * Returns a pointer to a static structure.
1616 */
1617 extern const CERTRevocationFlags*
1618 CERT_GetClassicOCSPEnabledHardFailurePolicy(void);
1619
1620 /*
1621 * Returns a pointer to a static structure.
1622 */
1623 extern const CERTRevocationFlags*
1624 CERT_GetClassicOCSPDisabledPolicy(void);
1625
1626 /*
1627 * Verify a Cert with libpkix
1628 * paramsIn control the verification options. If a value isn't specified
1629 * in paramsIn, it reverts to the application default.
1630 * paramsOut specifies the parameters the caller would like to get back.
1631 * the caller may pass NULL, in which case no parameters are returned.
1632 */
1633 extern SECStatus CERT_PKIXVerifyCert(
1634 CERTCertificate *cert,
1635 SECCertificateUsage usages,
1636 CERTValInParam *paramsIn,
1637 CERTValOutParam *paramsOut,
1638 void *wincx);
1639
1640 /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
1641 * to use libpkix validation engine. The function should be called ones at
1642 * application initialization time.
1643 * Function is not thread safe.*/
1644 extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
1645
1646 /* The function return PR_TRUE if cert validation should use
1647 * libpkix cert validation engine. */
1648 extern PRBool CERT_GetUsePKIXForValidation(void);
1649
1650 /*
1651 * Allocate a parameter container of type CERTRevocationFlags,
1652 * and allocate the inner arrays of the given sizes.
1653 * To cleanup call CERT_DestroyCERTRevocationFlags.
1654 */
1655 extern CERTRevocationFlags *
1656 CERT_AllocCERTRevocationFlags(
1657 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
1658 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
1659
1660 /*
1661 * Destroy the arrays inside flags,
1662 * and destroy the object pointed to by flags, too.
1663 */
1664 extern void
1665 CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
1666
1667 SEC_END_PROTOS
1668
1669 #endif /* _CERT_H_ */
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)