Mercurial > trustbridge > nss-cmake-static
diff nss/lib/certdb/cert.h @ 0:1e5118fa0cb1
This is NSS with a Cmake Buildsyste
To compile a static NSS library for Windows we've used the
Chromium-NSS fork and added a Cmake buildsystem to compile
it statically for Windows. See README.chromium for chromium
changes and README.trustbridge for our modifications.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 28 Jul 2014 10:47:06 +0200 |
| parents | |
| children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nss/lib/certdb/cert.h Mon Jul 28 10:47:06 2014 +0200 @@ -0,0 +1,1669 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * cert.h - public data structures and prototypes for the certificate library + */ + +#ifndef _CERT_H_ +#define _CERT_H_ + +#include "utilrename.h" +#include "plarena.h" +#include "plhash.h" +#include "prlong.h" +#include "prlog.h" + +#include "seccomon.h" +#include "secdert.h" +#include "secoidt.h" +#include "keyt.h" +#include "certt.h" + +SEC_BEGIN_PROTOS + +/**************************************************************************** + * + * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName) + * + ****************************************************************************/ + +/* +** Convert an ascii RFC1485 encoded name into its CERTName equivalent. +*/ +extern CERTName *CERT_AsciiToName(const char *string); + +/* +** Convert an CERTName into its RFC1485 encoded equivalent. +** Returns a string that must be freed with PORT_Free(). +** This version produces a string for maximum human readability, +** not for strict RFC compliance. +*/ +extern char *CERT_NameToAscii(CERTName *name); + +/* +** Convert an CERTName into its RFC1485 encoded equivalent. +** Returns a string that must be freed with PORT_Free(). +** Caller chooses encoding rules. +*/ +extern char *CERT_NameToAsciiInvertible(CERTName *name, + CertStrictnessLevel strict); + +extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src); + +/* convert an OID to dotted-decimal representation */ +/* Returns a string that must be freed with PR_smprintf_free(). */ +extern char * CERT_GetOidString(const SECItem *oid); + +/* +** Examine an AVA and return the tag that refers to it. The AVA tags are +** defined as SEC_OID_AVA*. +*/ +extern SECOidTag CERT_GetAVATag(CERTAVA *ava); + +/* +** Compare two AVA's, returning the difference between them. +*/ +extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b); + +/* +** Create an RDN (relative-distinguished-name). The argument list is a +** NULL terminated list of AVA's. +*/ +extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...); + +/* +** Make a copy of "src" storing it in "dest". +*/ +extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src); + +/* +** Add an AVA to an RDN. +** "rdn" the RDN to add to +** "ava" the AVA to add +*/ +extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava); + +/* +** Compare two RDN's, returning the difference between them. +*/ +extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b); + +/* +** Create an X.500 style name using a NULL terminated list of RDN's. +*/ +extern CERTName *CERT_CreateName(CERTRDN *rdn, ...); + +/* +** Make a copy of "src" storing it in "dest". Memory is allocated in +** "dest" for each of the appropriate sub objects. Memory is not freed in +** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to +** do that). +*/ +extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, + const CERTName *src); + +/* +** Destroy a Name object. +** "name" the CERTName to destroy +** "freeit" if PR_TRUE then free the object as well as its sub-objects +*/ +extern void CERT_DestroyName(CERTName *name); + +/* +** Add an RDN to a name. +** "name" the name to add the RDN to +** "rdn" the RDN to add to name +*/ +extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn); + +/* +** Compare two names, returning the difference between them. +*/ +extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b); + +/* +** Convert a CERTName into something readable +*/ +extern char *CERT_FormatName (CERTName *name); + +/* +** Convert a der-encoded integer to a hex printable string form. +** Perhaps this should be a SEC function but it's only used for certs. +*/ +extern char *CERT_Hexify (SECItem *i, int do_colon); + +/* +** Converts DER string (with explicit length) into zString, if destination +** buffer is big enough to receive it. Does quoting and/or escaping as +** specified in RFC 1485. Input string must be single or multi-byte DER +** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set. +** Returns SECSuccess or SECFailure with error code set. If output buffer +** is too small, sets error code SEC_ERROR_OUTPUT_LEN. +*/ +extern SECStatus +CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen); + +/****************************************************************************** + * + * Certificate handling operations + * + *****************************************************************************/ + +/* +** Create a new validity object given two unix time values. +** "notBefore" the time before which the validity is not valid +** "notAfter" the time after which the validity is not valid +*/ +extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter); + +/* +** Destroy a validity object. +** "v" the validity to destroy +** "freeit" if PR_TRUE then free the object as well as its sub-objects +*/ +extern void CERT_DestroyValidity(CERTValidity *v); + +/* +** Copy the "src" object to "dest". Memory is allocated in "dest" for +** each of the appropriate sub-objects. Memory in "dest" is not freed +** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do +** that). +*/ +extern SECStatus CERT_CopyValidity + (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src); + +/* +** The cert lib considers a cert or CRL valid if the "notBefore" time is +** in the not-too-distant future, e.g. within the next 24 hours. This +** prevents freshly issued certificates from being considered invalid +** because the local system's time zone is incorrectly set. +** The amount of "pending slop time" is adjustable by the application. +** Units of SlopTime are seconds. Default is 86400 (24 hours). +** Negative SlopTime values are not allowed. +*/ +PRInt32 CERT_GetSlopTime(void); + +SECStatus CERT_SetSlopTime(PRInt32 slop); + +/* +** Create a new certificate object. The result must be wrapped with an +** CERTSignedData to create a signed certificate. +** "serialNumber" the serial number +** "issuer" the name of the certificate issuer +** "validity" the validity period of the certificate +** "req" the certificate request that prompted the certificate issuance +*/ +extern CERTCertificate * +CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer, + CERTValidity *validity, CERTCertificateRequest *req); + +/* +** Destroy a certificate object +** "cert" the certificate to destroy +** NOTE: certificate's are reference counted. This call decrements the +** reference count, and if the result is zero, then the object is destroyed +** and optionally freed. +*/ +extern void CERT_DestroyCertificate(CERTCertificate *cert); + +/* +** Make a shallow copy of a certificate "c". Just increments the +** reference count on "c". +*/ +extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c); + +/* +** Create a new certificate request. This result must be wrapped with an +** CERTSignedData to create a signed certificate request. +** "name" the subject name (who the certificate request is from) +** "spki" describes/defines the public key the certificate is for +** "attributes" if non-zero, some optional attribute data +*/ +extern CERTCertificateRequest * +CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki, + SECItem **attributes); + +/* +** Destroy a certificate-request object +** "r" the certificate-request to destroy +** "freeit" if PR_TRUE then free the object as well as its sub-objects +*/ +extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r); + +/* +** Start adding extensions to a certificate request. +*/ +void * +CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req); + +/* +** Reformat the certificate extension list into a CertificateRequest +** attribute list. +*/ +SECStatus +CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req); + +/* +** Extract the Extension Requests from a DER CertRequest attribute list. +*/ +SECStatus +CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, + CERTCertExtension ***exts); + +/* +** Extract a public key object from a certificate +*/ +extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert); + +/* +** Retrieve the Key Type associated with the cert we're dealing with +*/ + +extern KeyType CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki); + +/* +** Initialize the certificate database. This is called to create +** the initial list of certificates in the database. +*/ +extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle); + +extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle); + +/* +** Default certificate database routines +*/ +extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle); + +extern CERTCertDBHandle *CERT_GetDefaultCertDB(void); + +extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, + PRTime time, + SECCertUsage usage); +extern CERTCertificate * +CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert, + char *nickname, PRBool isperm, PRBool copyDER); + + +/****************************************************************************** + * + * X.500 Name handling operations + * + *****************************************************************************/ + +/* +** Create an AVA (attribute-value-assertion) +** "arena" the memory arena to alloc from +** "kind" is one of SEC_OID_AVA_* +** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or +** DER_T61_STRING +** "value" is the null terminated string containing the value +*/ +extern CERTAVA *CERT_CreateAVA + (PLArenaPool *arena, SECOidTag kind, int valueType, char *value); + +/* +** Extract the Distinguished Name from a DER encoded certificate +** "derCert" is the DER encoded certificate +** "derName" is the SECItem that the name is returned in +*/ +extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName); + +/* +** Extract the Issuers Distinguished Name from a DER encoded certificate +** "derCert" is the DER encoded certificate +** "derName" is the SECItem that the name is returned in +*/ +extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, + SECItem *derName); + +extern SECItem * +CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, + PLArenaPool *arena); + +extern CERTGeneralName * +CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName, + CERTGeneralName *genName); + + + +/* +** Generate a database search key for a certificate, based on the +** issuer and serial number. +** "arena" the memory arena to alloc from +** "derCert" the DER encoded certificate +** "key" the returned key +*/ +extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, + SECItem *key); + +extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, + SECItem *sn, SECItem *key); + +extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, + SECItem *derName); + + +/* +** Generate a database search key for a crl, based on the +** issuer. +** "arena" the memory arena to alloc from +** "derCrl" the DER encoded crl +** "key" the returned key +*/ +extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key); + +/* +** Open the certificate database. Use callback to get name of database. +*/ +extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly, + CERTDBNameFunc namecb, void *cbarg); + +/* Open the certificate database. Use given filename for database. */ +extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle, + char *certdbname, PRBool readOnly); + +/* +** Open and initialize a cert database that is entirely in memory. This +** can be used when the permanent database can not be opened or created. +*/ +extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle); + +/* +** Extract the list of host names, host name patters, IP address strings +** this cert is valid for. +** This function does NOT return nicknames. +** Type CERTCertNicknames is being used because it's a convenient +** data structure to carry a list of strings and its count. +*/ +extern CERTCertNicknames * + CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert); + +/* +** Check the hostname to make sure that it matches the shexp that +** is given in the common name of the certificate. +*/ +extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert, + const char *hostname); + +/* +** Add a domain name to the list of names that the user has explicitly +** allowed (despite cert name mismatches) for use with a server cert. +*/ +extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname); + +/* +** Decode a DER encoded certificate into an CERTCertificate structure +** "derSignedCert" is the DER encoded signed certificate +** "copyDER" is true if the DER should be copied, false if the +** existing copy should be referenced +** "nickname" is the nickname to use in the database. If it is NULL +** then a temporary nickname is generated. +*/ +extern CERTCertificate * +CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname); +/* +** Decode a DER encoded CRL into a CERTSignedCrl structure +** "derSignedCrl" is the DER encoded signed CRL. +** "type" must be SEC_CRL_TYPE. +*/ +#define SEC_CRL_TYPE 1 +#define SEC_KRL_TYPE 0 /* deprecated */ + +extern CERTSignedCrl * +CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type); + +/* + * same as CERT_DecodeDERCrl, plus allow options to be passed in + */ + +extern CERTSignedCrl * +CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl, + int type, PRInt32 options); + +/* CRL options to pass */ + +#define CRL_DECODE_DEFAULT_OPTIONS 0x00000000 + +/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The + application must then keep derSignedCrl until it destroys the + CRL . Ideally, it should allocate derSignedCrl in an arena + and pass that arena in as the first argument to + CERT_DecodeDERCrlWithFlags */ + +#define CRL_DECODE_DONT_COPY_DER 0x00000001 +#define CRL_DECODE_SKIP_ENTRIES 0x00000002 +#define CRL_DECODE_KEEP_BAD_CRL 0x00000004 +#define CRL_DECODE_ADOPT_HEAP_DER 0x00000008 + +/* complete the decoding of a partially decoded CRL, ie. decode the + entries. Note that entries is an optional field in a CRL, so the + "entries" pointer in CERTCrlStr may still be NULL even after + function returns SECSuccess */ + +extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl); + +/* Validate CRL then import it to the dbase. If there is already a CRL with the + * same CA in the dbase, it will be replaced if derCRL is more up to date. + * If the process successes, a CRL will be returned. Otherwise, a NULL will + * be returned. The caller should call PORT_GetError() for the exactly error + * code. + */ +extern CERTSignedCrl * +CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, + int type, void * wincx); + +extern void CERT_DestroyCrl (CERTSignedCrl *crl); + +/* this is a hint to flush the CRL cache. crlKey is the DER subject of + the issuer (CA). */ +void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey); + +/* add the specified DER CRL object to the CRL cache. Doing so will allow + certificate verification functions (such as CERT_VerifyCertificate) + to automatically find and make use of this CRL object. + Once a CRL is added to the CRL cache, the application must hold on to + the object's memory, because the cache will reference it directly. The + application can only free the object after it calls CERT_UncacheCRL to + remove it from the CRL cache. +*/ +SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl); + +/* remove a previously added CRL object from the CRL cache. It is OK + for the application to free the memory after a successful removal +*/ +SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl); + +/* +** Find a certificate in the database +** "key" is the database key to look for +*/ +extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key); + +/* +** Find a certificate in the database by name +** "name" is the distinguished name to look up +*/ +extern CERTCertificate * +CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name); + +/* +** Find a certificate in the database by name +** "name" is the distinguished name to look up (in ascii) +*/ +extern CERTCertificate * +CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name); + +/* +** Find a certificate in the database by name and keyid +** "name" is the distinguished name to look up +** "keyID" is the value of the subjectKeyID to match +*/ +extern CERTCertificate * +CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID); + +/* +** Generate a certificate key from the issuer and serialnumber, then look it +** up in the database. Return the cert if found. +** "issuerAndSN" is the issuer and serial number to look for +*/ +extern CERTCertificate * +CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN); + +/* +** Find a certificate in the database by a subject key ID +** "subjKeyID" is the subject Key ID to look for +*/ +extern CERTCertificate * +CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID); + +/* +** Encode Certificate SKID (Subject Key ID) extension. +** +*/ +extern SECStatus +CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString, + SECItem *encodedValue); + +/* +** Find a certificate in the database by a nickname +** "nickname" is the ascii string nickname to look for +*/ +extern CERTCertificate * +CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname); + +/* +** Find a certificate in the database by a DER encoded certificate +** "derCert" is the DER encoded certificate +*/ +extern CERTCertificate * +CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert); + +/* +** Find a certificate in the database by a email address +** "emailAddr" is the email address to look up +*/ +CERTCertificate * +CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr); + +/* +** Find a certificate in the database by a email address or nickname +** "name" is the email address or nickname to look up +*/ +CERTCertificate * +CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name); + +/* +** Find a certificate in the database by a email address or nickname +** and require it to have the given usage. +** "name" is the email address or nickname to look up +*/ +CERTCertificate * +CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, + const char *name, + SECCertUsage lookingForUsage); + +/* +** Find a certificate in the database by a digest of a subject public key +** "spkDigest" is the digest to look up +*/ +extern CERTCertificate * +CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest); + +/* + * Find the issuer of a cert + */ +CERTCertificate * +CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage); + +/* +** Check the validity times of a certificate vs. time 't', allowing +** some slop for broken clocks and stuff. +** "cert" is the certificate to be checked +** "t" is the time to check against +** "allowOverride" if true then check to see if the invalidity has +** been overridden by the user. +*/ +extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert, + PRTime t, + PRBool allowOverride); + +/* +** WARNING - this function is deprecated, and will either go away or have +** a new API in the near future. +** +** Check the validity times of a certificate vs. the current time, allowing +** some slop for broken clocks and stuff. +** "cert" is the certificate to be checked +*/ +extern SECStatus CERT_CertTimesValid(CERTCertificate *cert); + +/* +** Extract the validity times from a certificate +** "c" is the certificate +** "notBefore" is the start of the validity period +** "notAfter" is the end of the validity period +*/ +extern SECStatus +CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore, + PRTime *notAfter); + +/* +** Extract the issuer and serial number from a certificate +*/ +extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, + CERTCertificate *); + +/* +** verify the signature of a signed data object with a given certificate +** "sd" the signed data object to be verified +** "cert" the certificate to use to check the signature +*/ +extern SECStatus CERT_VerifySignedData(CERTSignedData *sd, + CERTCertificate *cert, + PRTime t, + void *wincx); +/* +** verify the signature of a signed data object with the given DER publickey +*/ +extern SECStatus +CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, + CERTSubjectPublicKeyInfo *pubKeyInfo, + void *wincx); + +/* +** verify the signature of a signed data object with a SECKEYPublicKey. +*/ +extern SECStatus +CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, + SECKEYPublicKey *pubKey, void *wincx); + +/* +** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use +** verify a certificate by checking validity times against a certain time, +** that we trust the issuer, and that the signature on the certificate is +** valid. +** "cert" the certificate to verify +** "checkSig" only check signatures if true +*/ +extern SECStatus +CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertificateUsage requiredUsages, + PRTime t, void *wincx, CERTVerifyLog *log, + SECCertificateUsage* returnedUsages); + +/* same as above, but uses current time */ +extern SECStatus +CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertificateUsage requiredUsages, + void *wincx, SECCertificateUsage* returnedUsages); + +/* +** Verify that a CA cert can certify some (unspecified) leaf cert for a given +** purpose. This is used by UI code to help identify where a chain may be +** broken and why. This takes identical parameters to CERT_VerifyCert +*/ +extern SECStatus +CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log); + +/* +** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE +** verify a certificate by checking validity times against a certain time, +** that we trust the issuer, and that the signature on the certificate is +** valid. +** "cert" the certificate to verify +** "checkSig" only check signatures if true +*/ +extern SECStatus +CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log); + +/* same as above, but uses current time */ +extern SECStatus +CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertUsage certUsage, void *wincx); + +SECStatus +CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log); + +/* +** Read a base64 ascii encoded DER certificate and convert it to our +** internal format. +** "certstr" is a null-terminated string containing the certificate +*/ +extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr); + +/* +** Read a certificate in some foreign format, and convert it to our +** internal format. +** "certbuf" is the buffer containing the certificate +** "certlen" is the length of the buffer +** NOTE - currently supports netscape base64 ascii encoded raw certs +** and netscape binary DER typed files. +*/ +extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen); + +extern SECStatus +CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage); + +extern SECStatus +CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage); + +/* +** Read a certificate chain in some foreign format, and pass it to a +** callback function. +** "certbuf" is the buffer containing the certificate +** "certlen" is the length of the buffer +** "f" is the callback function +** "arg" is the callback argument +*/ +typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc) + (void *arg, SECItem **certs, int numcerts); + +extern SECStatus +CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f, + void *arg); + +/* +** Returns the value of an AVA. This was a formerly static +** function that has been exposed due to the need to decode +** and convert unicode strings to UTF8. +** +** XXX This function resides in certhtml.c, should it be +** moved elsewhere? +*/ +extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue); + + + +/* +** extract various element strings from a distinguished name. +** "name" the distinguished name +*/ + +extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert); + +extern char *CERT_GetCertEmailAddress(const CERTName *name); + +extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert); + +extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, + const char * prev); + +/* The return value must be freed with PORT_Free. */ +extern char *CERT_GetCommonName(const CERTName *name); + +extern char *CERT_GetCountryName(const CERTName *name); + +extern char *CERT_GetLocalityName(const CERTName *name); + +extern char *CERT_GetStateName(const CERTName *name); + +extern char *CERT_GetOrgName(const CERTName *name); + +extern char *CERT_GetOrgUnitName(const CERTName *name); + +extern char *CERT_GetDomainComponentName(const CERTName *name); + +extern char *CERT_GetCertUid(const CERTName *name); + +/* manipulate the trust parameters of a certificate */ + +extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert, + CERTCertTrust *trust); + +extern SECStatus +CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert, + CERTCertTrust *trust); + +extern SECStatus +CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert, + SECCertUsage usage); + +/************************************************************************* + * + * manipulate the extensions of a certificate + * + ************************************************************************/ + +/* +** Set up a cert for adding X509v3 extensions. Returns an opaque handle +** used by the next two routines. +** "cert" is the certificate we are adding extensions to +*/ +extern void *CERT_StartCertExtensions(CERTCertificate *cert); + +/* +** Add an extension to a certificate. +** "exthandle" is the handle returned by the previous function +** "idtag" is the integer tag for the OID that should ID this extension +** "value" is the value of the extension +** "critical" is the critical extension flag +** "copyData" is a flag indicating whether the value data should be +** copied. +*/ +extern SECStatus CERT_AddExtension (void *exthandle, int idtag, + SECItem *value, PRBool critical, PRBool copyData); + +extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid, + SECItem *value, PRBool critical, PRBool copyData); + +extern SECStatus CERT_EncodeAndAddExtension + (void *exthandle, int idtag, void *value, PRBool critical, + const SEC_ASN1Template *atemplate); + +extern SECStatus CERT_EncodeAndAddBitStrExtension + (void *exthandle, int idtag, SECItem *value, PRBool critical); + + +extern SECStatus +CERT_EncodeAltNameExtension(PLArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue); + + +/* +** Finish adding cert extensions. Does final processing on extension +** data, putting it in the right format, and freeing any temporary +** storage. +** "exthandle" is the handle used to add extensions to a certificate +*/ +extern SECStatus CERT_FinishExtensions(void *exthandle); + +/* +** Merge an external list of extensions into a cert's extension list, adding one +** only when its OID matches none of the cert's existing extensions. Call this +** immediately before calling CERT_FinishExtensions(). +*/ +SECStatus +CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts); + +/* If the extension is found, return its criticality and value. +** This allocate storage for the returning extension value. +*/ +extern SECStatus CERT_GetExtenCriticality + (CERTCertExtension **extensions, int tag, PRBool *isCritical); + +extern void +CERT_DestroyOidSequence(CERTOidSequence *oidSeq); + +/**************************************************************************** + * + * DER encode and decode extension values + * + ****************************************************************************/ + +/* Encode the value of the basicConstraint extension. +** arena - where to allocate memory for the encoded value. +** value - extension value to encode +** encodedValue - output encoded value +*/ +extern SECStatus CERT_EncodeBasicConstraintValue + (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue); + +/* +** Encode the value of the authorityKeyIdentifier extension. +*/ +extern SECStatus CERT_EncodeAuthKeyID + (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue); + +/* +** Encode the value of the crlDistributionPoints extension. +*/ +extern SECStatus CERT_EncodeCRLDistributionPoints + (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue); + +/* +** Decodes a DER encoded basicConstaint extension value into a readable format +** value - decoded value +** encodedValue - value to decoded +*/ +extern SECStatus CERT_DecodeBasicConstraintValue + (CERTBasicConstraints *value, const SECItem *encodedValue); + +/* Decodes a DER encoded authorityKeyIdentifier extension value into a +** readable format. +** arena - where to allocate memory for the decoded value +** encodedValue - value to be decoded +** Returns a CERTAuthKeyID structure which contains the decoded value +*/ +extern CERTAuthKeyID *CERT_DecodeAuthKeyID + (PLArenaPool *arena, const SECItem *encodedValue); + +/* Decodes a DER encoded crlDistributionPoints extension value into a +** readable format. +** arena - where to allocate memory for the decoded value +** der - value to be decoded +** Returns a CERTCrlDistributionPoints structure which contains the +** decoded value +*/ +extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints + (PLArenaPool *arena, SECItem *der); + +/* Extract certain name type from a generalName */ +extern void *CERT_GetGeneralNameByType + (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat); + + +extern CERTOidSequence * +CERT_DecodeOidSequence(const SECItem *seqItem); + + + + +/**************************************************************************** + * + * Find extension values of a certificate + * + ***************************************************************************/ + +extern SECStatus CERT_FindCertExtension + (const CERTCertificate *cert, int tag, SECItem *value); + +extern SECStatus CERT_FindNSCertTypeExtension + (CERTCertificate *cert, SECItem *value); + +extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag); + +extern SECStatus CERT_FindIssuerCertExtension + (CERTCertificate *cert, int tag, SECItem *value); + +extern SECStatus CERT_FindCertExtensionByOID + (CERTCertificate *cert, SECItem *oid, SECItem *value); + +extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, + int catag); + +/* Returns the decoded value of the authKeyID extension. +** Note that this uses passed in the arena to allocate storage for the result +*/ +extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert); + +/* Returns the decoded value of the basicConstraint extension. + */ +extern SECStatus CERT_FindBasicConstraintExten + (CERTCertificate *cert, CERTBasicConstraints *value); + +/* Returns the decoded value of the crlDistributionPoints extension. +** Note that the arena in cert is used to allocate storage for the result +*/ +extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints + (CERTCertificate *cert); + +/* Returns value of the keyUsage extension. This uses PR_Alloc to allocate +** buffer for the decoded value. The caller should free up the storage +** allocated in value->data. +*/ +extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, + SECItem *value); + +/* Return the decoded value of the subjectKeyID extension. The caller should +** free up the storage allocated in retItem->data. +*/ +extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, + SECItem *retItem); + +/* +** If cert is a v3 certificate, and a critical keyUsage extension is included, +** then check the usage against the extension value. If a non-critical +** keyUsage extension is included, this will return SECSuccess without +** checking, since the extension is an advisory field, not a restriction. +** If cert is not a v3 certificate, this will return SECSuccess. +** cert - certificate +** usage - one of the x.509 v3 the Key Usage Extension flags +*/ +extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, + unsigned char usage); + +/**************************************************************************** + * + * CRL v2 Extensions supported routines + * + ****************************************************************************/ + +extern SECStatus CERT_FindCRLExtensionByOID + (CERTCrl *crl, SECItem *oid, SECItem *value); + +extern SECStatus CERT_FindCRLExtension + (CERTCrl *crl, int tag, SECItem *value); + +extern SECStatus + CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value); + +/* +** Set up a crl for adding X509v3 extensions. Returns an opaque handle +** used by routines that take an exthandle (void*) argument . +** "crl" is the CRL we are adding extensions to +*/ +extern void *CERT_StartCRLExtensions(CERTCrl *crl); + +/* +** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle +** used by routines that take an exthandle (void*) argument . +** "crl" is the crl we are adding certs entries to +** "entry" is the crl entry we are adding extensions to +*/ +extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry); + +extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle, + int what, void *wincx); + +/* +** Finds the crlNumber extension and decodes its value into 'value' +*/ +extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl, + SECItem *value); + +extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, + CERTCRLEntryReasonCode *value); + +extern void CERT_FreeNicknames(CERTCertNicknames *nicknames); + +extern PRBool CERT_CompareCerts(const CERTCertificate *c1, + const CERTCertificate *c2); + +extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, + CERTCertificate *c2); + +/* +** Generate an array of the Distinguished Names that the given cert database +** "trusts" +*/ +extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle); + +extern void CERT_FreeDistNames(CERTDistNames *names); + +/* Duplicate distinguished name array */ +extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig); + +/* +** Generate an array of Distinguished names from an array of nicknames +*/ +extern CERTDistNames *CERT_DistNamesFromNicknames + (CERTCertDBHandle *handle, char **nicknames, int nnames); + +/* +** Generate an array of Distinguished names from a list of certs. +*/ +extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list); + +/* +** Generate a certificate chain from a certificate. +*/ +extern CERTCertificateList * +CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, + PRBool includeRoot); + +extern CERTCertificateList * +CERT_CertListFromCert(CERTCertificate *cert); + +extern CERTCertificateList * +CERT_DupCertList(const CERTCertificateList * oldList); + +extern void CERT_DestroyCertificateList(CERTCertificateList *list); + +/* +** is cert a user cert? i.e. does it have CERTDB_USER trust, +** i.e. a private key? +*/ +PRBool CERT_IsUserCert(CERTCertificate* cert); + +/* is cert a newer than cert b? */ +PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb); + +/* currently a stub for address book */ +PRBool +CERT_IsCertRevoked(CERTCertificate *cert); + +void +CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts); + +/* convert an email address to lower case */ +char *CERT_FixupEmailAddr(const char *emailAddr); + +/* decode string representation of trust flags into trust struct */ +SECStatus +CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts); + +/* encode trust struct into string representation of trust flags */ +char * +CERT_EncodeTrustString(CERTCertTrust *trust); + +/* find the next or prev cert in a subject list */ +CERTCertificate * +CERT_PrevSubjectCert(CERTCertificate *cert); +CERTCertificate * +CERT_NextSubjectCert(CERTCertificate *cert); + +/* + * import a collection of certs into the temporary or permanent cert + * database + */ +SECStatus +CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, + unsigned int ncerts, SECItem **derCerts, + CERTCertificate ***retCerts, PRBool keepCerts, + PRBool caOnly, char *nickname); + +char * +CERT_MakeCANickname(CERTCertificate *cert); + +PRBool +CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype); + +PRBool +CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype); + +PRBool +CERT_IsRootDERCert(SECItem *derCert); + +SECStatus +CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, + SECItem *profileTime); + +/* + * find the smime symmetric capabilities profile for a given cert + */ +SECItem * +CERT_FindSMimeProfile(CERTCertificate *cert); + +SECStatus +CERT_AddNewCerts(CERTCertDBHandle *handle); + +CERTCertificatePolicies * +CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue); + +void +CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies); + +CERTCertificatePolicyMappings * +CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps); + +SECStatus +CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings); + +SECStatus +CERT_DecodePolicyConstraintsExtension( + CERTCertificatePolicyConstraints *decodedValue, + const SECItem *encodedValue); + +SECStatus CERT_DecodeInhibitAnyExtension + (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue); + +CERTUserNotice * +CERT_DecodeUserNotice(SECItem *noticeItem); + +extern CERTGeneralName * +CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName); + +extern CERTNameConstraints * +CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, + const SECItem *encodedConstraints); + +/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */ +extern CERTAuthInfoAccess ** +CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena, + SECItem *encodedExtension); + +extern CERTPrivKeyUsagePeriod * +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue); + +extern CERTGeneralName * +CERT_GetNextGeneralName(CERTGeneralName *current); + +extern CERTGeneralName * +CERT_GetPrevGeneralName(CERTGeneralName *current); + +CERTNameConstraint * +CERT_GetNextNameConstraint(CERTNameConstraint *current); + +CERTNameConstraint * +CERT_GetPrevNameConstraint(CERTNameConstraint *current); + +void +CERT_DestroyUserNotice(CERTUserNotice *userNotice); + +typedef char * (* CERTPolicyStringCallback)(char *org, + unsigned long noticeNumber, + void *arg); +void +CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg); + +char * +CERT_GetCertCommentString(CERTCertificate *cert); + +PRBool +CERT_GovtApprovedBitSet(CERTCertificate *cert); + +SECStatus +CERT_AddPermNickname(CERTCertificate *cert, char *nickname); + +CERTCertList * +CERT_MatchUserCert(CERTCertDBHandle *handle, + SECCertUsage usage, + int nCANames, char **caNames, + void *proto_win); + +CERTCertList * +CERT_NewCertList(void); + +/* free the cert list and all the certs in the list */ +void +CERT_DestroyCertList(CERTCertList *certs); + +/* remove the node and free the cert */ +void +CERT_RemoveCertListNode(CERTCertListNode *node); + +/* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */ +SECStatus +CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert); + +/* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */ +SECStatus +CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert); + +/* + * The new cert list node takes ownership of "cert". "cert" is freed + * when the list node is removed. + */ +SECStatus +CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert, + void *appData); + +/* + * The new cert list node takes ownership of "cert". "cert" is freed + * when the list node is removed. + */ +SECStatus +CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, + void *appData); + +typedef PRBool (* CERTSortCallback)(CERTCertificate *certa, + CERTCertificate *certb, + void *arg); +SECStatus +CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert, + CERTSortCallback f, void *arg); + +/* callback for CERT_AddCertToListSorted that sorts based on validity + * period and a given time. + */ +PRBool +CERT_SortCBValidity(CERTCertificate *certa, + CERTCertificate *certb, + void *arg); + +SECStatus +CERT_CheckForEvilCert(CERTCertificate *cert); + +CERTGeneralName * +CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena); + +CERTGeneralName * +CERT_GetConstrainedCertificateNames(const CERTCertificate *cert, + PLArenaPool *arena, + PRBool includeSubjectCommonName); + +/* + * Creates or adds to a list of all certs with a give subject name, sorted by + * validity time, newest first. Invalid certs are considered older than + * valid certs. If validOnly is set, do not include invalid certs on list. + */ +CERTCertList * +CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle, + const SECItem *name, PRTime sorttime, + PRBool validOnly); + +/* + * remove certs from a list that don't have keyUsage and certType + * that match the given usage. + */ +SECStatus +CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, + PRBool ca); + +/* + * check the key usage of a cert against a set of required values + */ +SECStatus +CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage); + +/* + * return required key usage and cert type based on cert usage + */ +SECStatus +CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, + PRBool ca, + unsigned int *retKeyUsage, + unsigned int *retCertType); +/* + * return required trust flags for various cert usages for CAs + */ +SECStatus +CERT_TrustFlagsForCACertUsage(SECCertUsage usage, + unsigned int *retFlags, + SECTrustType *retTrustType); + +/* + * Find all user certificates that match the given criteria. + * + * "handle" - database to search + * "usage" - certificate usage to match + * "oneCertPerName" - if set then only return the "best" cert per + * name + * "validOnly" - only return certs that are curently valid + * "proto_win" - window handle passed to pkcs11 + */ +CERTCertList * +CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, + SECCertUsage usage, + PRBool oneCertPerName, + PRBool validOnly, + void *proto_win); + +/* + * Find a user certificate that matchs the given criteria. + * + * "handle" - database to search + * "nickname" - nickname to match + * "usage" - certificate usage to match + * "validOnly" - only return certs that are curently valid + * "proto_win" - window handle passed to pkcs11 + */ +CERTCertificate * +CERT_FindUserCertByUsage(CERTCertDBHandle *handle, + const char *nickname, + SECCertUsage usage, + PRBool validOnly, + void *proto_win); + +/* + * Filter a list of certificates, removing those certs that do not have + * one of the named CA certs somewhere in their cert chain. + * + * "certList" - the list of certificates to filter + * "nCANames" - number of CA names + * "caNames" - array of CA names in string(rfc 1485) form + * "usage" - what use the certs are for, this is used when + * selecting CA certs + */ +SECStatus +CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, + char **caNames, SECCertUsage usage); + +/* + * Filter a list of certificates, removing those certs that aren't user certs + */ +SECStatus +CERT_FilterCertListForUserCerts(CERTCertList *certList); + +/* + * Collect the nicknames from all certs in a CertList. If the cert is not + * valid, append a string to that nickname. + * + * "certList" - the list of certificates + * "expiredString" - the string to append to the nickname of any expired cert + * "notYetGoodString" - the string to append to the nickname of any cert + * that is not yet valid + */ +CERTCertNicknames * +CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString, + char *notYetGoodString); + +/* + * Extract the nickname from a nickmake string that may have either + * expiredString or notYetGoodString appended. + * + * Args: + * "namestring" - the string containing the nickname, and possibly + * one of the validity label strings + * "expiredString" - the expired validity label string + * "notYetGoodString" - the not yet good validity label string + * + * Returns the raw nickname + */ +char * +CERT_ExtractNicknameString(char *namestring, char *expiredString, + char *notYetGoodString); + +/* + * Given a certificate, return a string containing the nickname, and possibly + * one of the validity strings, based on the current validity state of the + * certificate. + * + * "arena" - arena to allocate returned string from. If NULL, then heap + * is used. + * "cert" - the cert to get nickname from + * "expiredString" - the string to append to the nickname if the cert is + * expired. + * "notYetGoodString" - the string to append to the nickname if the cert is + * not yet good. + */ +char * +CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert, + char *expiredString, char *notYetGoodString); + +/* + * Return the string representation of a DER encoded distinguished name + * "dername" - The DER encoded name to convert + */ +char * +CERT_DerNameToAscii(SECItem *dername); + +/* + * Supported usage values and types: + * certUsageSSLClient + * certUsageSSLServer + * certUsageSSLServerWithStepUp + * certUsageEmailSigner + * certUsageEmailRecipient + * certUsageObjectSigner + */ + +CERTCertificate * +CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName, + CERTCertOwner owner, SECCertUsage usage, + PRBool preferTrusted, PRTime validTime, PRBool validOnly); + +/* + * Acquire the global lock on the cert database. + * This lock is currently used for the following operations: + * adding or deleting a cert to either the temp or perm databases + * converting a temp to perm or perm to temp + * changing(maybe just adding?) the trust of a cert + * adjusting the reference count of a cert + */ +void +CERT_LockDB(CERTCertDBHandle *handle); + +/* + * Free the global cert database lock. + */ +void +CERT_UnlockDB(CERTCertDBHandle *handle); + +/* + * Get the certificate status checking configuratino data for + * the certificate database + */ +CERTStatusConfig * +CERT_GetStatusConfig(CERTCertDBHandle *handle); + +/* + * Set the certificate status checking information for the + * database. The input structure becomes part of the certificate + * database and will be freed by calling the 'Destroy' function in + * the configuration object. + */ +void +CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); + + + +/* + * Acquire the cert reference count lock + * There is currently one global lock for all certs, but I'm putting a cert + * arg here so that it will be easy to make it per-cert in the future if + * that turns out to be necessary. + */ +void +CERT_LockCertRefCount(CERTCertificate *cert); + +/* + * Free the cert reference count lock + */ +void +CERT_UnlockCertRefCount(CERTCertificate *cert); + +/* + * Acquire the cert trust lock + * There is currently one global lock for all certs, but I'm putting a cert + * arg here so that it will be easy to make it per-cert in the future if + * that turns out to be necessary. + */ +void +CERT_LockCertTrust(const CERTCertificate *cert); + +/* + * Free the cert trust lock + */ +void +CERT_UnlockCertTrust(const CERTCertificate *cert); + +/* + * Digest the cert's subject public key using the specified algorithm. + * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding + * the tag, length, and number of unused bits) rather than the whole + * subjectPublicKeyInfo field. + * + * The necessary storage for the digest data is allocated. If "fill" is + * non-null, the data is put there, otherwise a SECItem is allocated. + * Allocation from "arena" if it is non-null, heap otherwise. Any problem + * results in a NULL being returned (and an appropriate error set). + */ +extern SECItem * +CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, + SECOidTag digestAlg, SECItem *fill); + +/* + * Digest the cert's subject name using the specified algorithm. + */ +extern SECItem * +CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert, + SECOidTag digestAlg, SECItem *fill); + +SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, + const SECItem* dp, PRTime t, void* wincx); + + +/* + * Add a CERTNameConstraint to the CERTNameConstraint list + */ +extern CERTNameConstraint * +CERT_AddNameConstraint(CERTNameConstraint *list, + CERTNameConstraint *constraint); + +/* + * Allocate space and copy CERTNameConstraint from src to dest. + * Arena is used to allocate result(if dest eq NULL) and its members + * SECItem data. + */ +extern CERTNameConstraint * +CERT_CopyNameConstraint(PLArenaPool *arena, + CERTNameConstraint *dest, + CERTNameConstraint *src); + +/* + * Verify name against all the constraints relevant to that type of + * the name. + */ +extern SECStatus +CERT_CheckNameSpace(PLArenaPool *arena, + const CERTNameConstraints *constraints, + const CERTGeneralName *currentName); + +/* + * Extract and allocate the name constraints extension from the CA cert. + */ +extern SECStatus +CERT_FindNameConstraintsExten(PLArenaPool *arena, + CERTCertificate *cert, + CERTNameConstraints **constraints); + +/* + * Initialize a new GERTGeneralName fields (link) + */ +extern CERTGeneralName * +CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type); + +/* + * PKIX extension encoding routines + */ +extern SECStatus +CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena, + CERTCertificatePolicyConstraints *constr, + SECItem *dest); +extern SECStatus +CERT_EncodeInhibitAnyExtension(PLArenaPool *arena, + CERTCertificateInhibitAny *inhibitAny, + SECItem *dest); +extern SECStatus +CERT_EncodePolicyMappingExtension(PLArenaPool *arena, + CERTCertificatePolicyMappings *maps, + SECItem *dest); + +extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena, + CERTAuthInfoAccess **info, + SECItem *dest); +extern SECStatus +CERT_EncodeUserNotice(PLArenaPool *arena, + CERTUserNotice *notice, + SECItem *dest); + +extern SECStatus +CERT_EncodeDisplayText(PLArenaPool *arena, + SECItem *text, + SECItem *dest); + +extern SECStatus +CERT_EncodeCertPoliciesExtension(PLArenaPool *arena, + CERTPolicyInfo **info, + SECItem *dest); +extern SECStatus +CERT_EncodeNoticeReference(PLArenaPool *arena, + CERTNoticeReference *reference, + SECItem *dest); + +/* + * Returns a pointer to a static structure. + */ +extern const CERTRevocationFlags* +CERT_GetPKIXVerifyNistRevocationPolicy(void); + +/* + * Returns a pointer to a static structure. + */ +extern const CERTRevocationFlags* +CERT_GetClassicOCSPEnabledSoftFailurePolicy(void); + +/* + * Returns a pointer to a static structure. + */ +extern const CERTRevocationFlags* +CERT_GetClassicOCSPEnabledHardFailurePolicy(void); + +/* + * Returns a pointer to a static structure. + */ +extern const CERTRevocationFlags* +CERT_GetClassicOCSPDisabledPolicy(void); + +/* + * Verify a Cert with libpkix + * paramsIn control the verification options. If a value isn't specified + * in paramsIn, it reverts to the application default. + * paramsOut specifies the parameters the caller would like to get back. + * the caller may pass NULL, in which case no parameters are returned. + */ +extern SECStatus CERT_PKIXVerifyCert( + CERTCertificate *cert, + SECCertificateUsage usages, + CERTValInParam *paramsIn, + CERTValOutParam *paramsOut, + void *wincx); + +/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate) + * to use libpkix validation engine. The function should be called ones at + * application initialization time. + * Function is not thread safe.*/ +extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable); + +/* The function return PR_TRUE if cert validation should use + * libpkix cert validation engine. */ +extern PRBool CERT_GetUsePKIXForValidation(void); + +/* + * Allocate a parameter container of type CERTRevocationFlags, + * and allocate the inner arrays of the given sizes. + * To cleanup call CERT_DestroyCERTRevocationFlags. + */ +extern CERTRevocationFlags * +CERT_AllocCERTRevocationFlags( + PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, + PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods); + +/* + * Destroy the arrays inside flags, + * and destroy the object pointed to by flags, too. + */ +extern void +CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); + +SEC_END_PROTOS + +#endif /* _CERT_H_ */