/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * certt.h - public data structures for the certificate library
 *
 * This header only declares types and constants; it contains no code.
 * The structures fall into two groups:
 *   - in-memory objects (NSSLOWCERT*): decoded certificates, trust and
 *     validity records shared between the database layer and its callers;
 *   - database entries (certDBEntry*): the record layouts stored in the
 *     legacy certificate database, each documented with its on-disk byte
 *     layout in the comment above the struct.
 *
 * NOTE(review): the include guard is _PCERTT_H_ (and several tags below
 * begin with an underscore); identifiers starting with '_' at file scope
 * are reserved to the implementation in C. They are part of the public
 * interface, so they are documented here rather than renamed.
 */
#ifndef _PCERTT_H_
#define _PCERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "nssilock.h"
#include "prio.h"
#include "prmon.h"

/* Non-opaque objects: forward typedefs for the structures defined in this
 * file (NSSLOWCERTCertDBHandleStr and NSSLOWCERTCertificateListStr are
 * declared here but defined elsewhere). */
typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;

typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN;
typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData;
typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo;
typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity;

/*
** An X.509 validity object: the notBefore/notAfter items of a certificate,
** kept as undecoded SECItems. `arena` is the pool the items were allocated
** from (ownership of the items follows the arena).
*/
struct NSSLOWCERTValidityStr {
    PLArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};

/*
 * A serial number and issuer name, which is used as a database key.
 * Together they identify a certificate uniquely per issuer (X.509 requires
 * serial numbers to be unique within an issuer).
 */
struct NSSLOWCERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: `data` is the to-be-signed encoding, `signature`
** the signature computed over it with `signatureAlgorithm`.
*/
struct NSSLOWCERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};

/*
** An X.509 subject-public-key-info object: the algorithm identifier and
** the (still encoded) public key bit string.
*/
struct NSSLOWCERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};

typedef struct _certDBEntryCert certDBEntryCert;
typedef struct _certDBEntryRevocation certDBEntryRevocation;

/*
** Trust settings for one certificate, one flag word per usage domain.
** The bits are the CERTDB_* values defined at the end of this file; the
** on-disk form stores each word as a two-byte big-endian field (see the
** "Certificate entry" layout below).
*/
struct NSSLOWCERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};

/*
** PKCS11 Trust representation: a trust record looked up through the
** database, with the cert's database key and a pointer to its entry.
** dbKeySpace[] is inline storage reserved inside the object; how the
** implementation decides between this buffer and heap/arena allocation
** for larger keys is not visible in this header — confirm in the
** implementation before relying on 512 as a limit.
*/
struct NSSLOWCERTTrustStr {
    NSSLOWCERTTrust *next;
    NSSLOWCERTCertDBHandle *dbhandle;
    SECItem dbKey;            /* database key for this cert */
    certDBEntryCert *dbEntry; /* database entry struct */
    NSSLOWCERTCertTrust *trust;
    SECItem *derCert;         /* original DER for the cert */
    unsigned char dbKeySpace[512];
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct NSSLOWCERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert. This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time. It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state.
     *
     * NOTE(review): this comment describes an `arena` member, but no such
     * member is declared in this struct; it appears to have been carried
     * over from the full certificate structure. Treat it as historical.
     */
    NSSLOWCERTCertificate *next;
    NSSLOWCERTCertDBHandle *dbhandle;

    SECItem derCert;          /* original DER for the cert */
    SECItem derIssuer;        /* DER for issuer name */
    SECItem derSN;            /* DER for the serial number (tag and length included) */
    SECItem serialNumber;     /* serial number contents */
    SECItem derSubject;       /* DER for subject name */
    SECItem derSubjKeyInfo;   /* DER for subjectPublicKeyInfo */
    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
    SECItem certKey;          /* database key for this cert */
    SECItem validity;         /* undecoded validity sequence */
    certDBEntryCert *dbEntry; /* database entry struct */
    SECItem subjectKeyID;     /* x509v3 subject key identifier */
    SECItem extensions;       /* undecoded v3 extensions, if any */
    char *nickname;
    char *emailAddr;
    NSSLOWCERTCertTrust *trust;

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate. Nothing in this header makes it atomic;
     * any locking discipline lives with the implementation.
     */
    int referenceCount;

    /* Inline storage for small nickname / e-mail / key values so the
     * common case needs no separate allocation. Whether and how values
     * larger than these buffers are handled is decided by the
     * implementation, not by this header — confirm there. */
    char nicknameSpace[200];
    char emailAddrSpace[200];
    unsigned char certKeySpace[512];
};

/* Certificate version numbers as encoded in the certificate (v1 = 0). */
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */

/* CRL version numbers as encoded in the CRL (v1 = 0). */
#define SEC_CRL_VERSION_1 0 /* default */
#define SEC_CRL_VERSION_2 1 /* v2 extensions */

/* Upper bound on the size of a key accepted for the legacy database;
 * readers should reject keys larger than this before allocating for them. */
#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)

/* Issuer name plus serial number, as used in the IssuerAndSerialNumber
 * structure of CMS/PKCS #7 (same fields as NSSLOWCERTCertKey, in the
 * opposite order). */
struct NSSLOWCERTIssuerAndSNStr {
    SECItem derIssuer;
    SECItem serialNumber;
};

/* Per-certificate callback used by traversal routines; `arg` is the
 * caller-supplied context. Returning a failure status is presumably how
 * a traversal is stopped early — confirm against the caller. */
typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);

/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
/* callback to return database name based on version number */
typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);

/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h" /* way down here because I expect template stuff to
                       * move out of here anyway */

/*
 * Certificate Database related definitions and data structures
 *
 * The layouts below describe records read from the database file. Every
 * multi-byte length is two bytes, big-endian ("msb" then "lsb"), so no
 * single field can be declared longer than 65535 bytes. The decoding code
 * is not in this header; whatever parses these records must check that
 * each declared length fits inside the record that was actually read
 * before using it, since the file is an untrusted input.
 */

/* version number of certificate database */
#define CERT_DB_FILE_VERSION 8
#define CERT_DB_V7_FILE_VERSION 7
#define CERT_DB_CONTENT_VERSION 2

#define SEC_DB_ENTRY_HEADER_LEN 3 /* size of the common header shown below */
#define SEC_DB_KEY_HEADER_LEN 1   /* leading byte of every database key */

/* All database entries have this form:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		version
 *	1		type
 *	2		flags
 */

/* database entry types (the `type` byte of the common header) */
typedef enum {
    certDBEntryTypeVersion = 0,
    certDBEntryTypeCert = 1,
    certDBEntryTypeNickname = 2,
    certDBEntryTypeSubject = 3,
    certDBEntryTypeRevocation = 4,
    certDBEntryTypeKeyRevocation = 5,
    certDBEntryTypeSMimeProfile = 6,
    certDBEntryTypeContentVersion = 7,
    certDBEntryTypeBlob = 8 /* no entry struct for this type is defined here */
} certDBEntryType;

/* Decoded form of the common 3-byte header. It is the first member of
 * every entry struct below, which is what makes the certDBEntry union
 * usable: `type` can be read through `common` before the variant is known. */
typedef struct {
    certDBEntryType type;
    unsigned int version;
    unsigned int flags;
    PLArenaPool *arena;
} certDBEntryCommon;

/*
 * Certificate entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		sslFlags-msb
 *	1		sslFlags-lsb
 *	2		emailFlags-msb
 *	3		emailFlags-lsb
 *	4		objectSigningFlags-msb
 *	5		objectSigningFlags-lsb
 *	6		derCert-len-msb
 *	7		derCert-len-lsb
 *	8		nickname-len-msb
 *	9		nickname-len-lsb
 *	...		derCert
 *	...		nickname
 *
 * NOTE: the nickname string as stored in the database is null terminated,
 * in other words, the last byte of the db entry is always 0
 * if a nickname is present.
 * NOTE: if nickname is not present, then nickname-len-msb and
 * nickname-len-lsb will both be zero.
 *
 * The fixed part of this layout is DB_CERT_ENTRY_HEADER_LEN (10) bytes.
 */
struct _certDBEntryCert {
    certDBEntryCommon common;
    certDBEntryCert *next;
    NSSLOWCERTCertTrust trust;
    SECItem derCert;
    char *nickname;
    /* inline storage for small values; see the note on NSSLOWCERTCertificateStr */
    char nicknameSpace[200];
    unsigned char derCertSpace[2048];
};

/*
 * Certificate Nickname entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		subjectname-len-msb
 *	1		subjectname-len-lsb
 *	2...		subjectname
 *
 * The database key for this type of entry is a nickname string
 * The "subjectname" value is the DER encoded DN of the identity
 * that matches this nickname.
 */
typedef struct {
    certDBEntryCommon common;
    char *nickname;
    SECItem subjectName;
} certDBEntryNickname;

#define DB_NICKNAME_ENTRY_HEADER_LEN 2

/*
 * Certificate Subject entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		ncerts-msb
 *	1		ncerts-lsb
 *	2		nickname-msb
 *	3		nickname-lsb
 *	4		emailAddr-msb
 *	5		emailAddr-lsb
 *	...		nickname
 *	...		emailAddr
 *	...+2*i		certkey-len-msb
 *	...+1+2*i	certkey-len-lsb
 *	...+2*ncerts+2*i	keyid-len-msb
 *	...+1+2*ncerts+2*i	keyid-len-lsb
 *	...		certkeys
 *	...		keyids
 *
 * The database key for this type of entry is the DER encoded subject name
 * The "certkey" value is an array of certificate database lookup keys that
 * points to the database entries for the certificates that match
 * this subject.
 *
 * `ncerts` comes from the record and drives the number of length pairs and
 * values that follow it; `nemailAddrs` has no counterpart in the layout
 * above (how it is populated is not visible in this header).
 */
typedef struct _certDBEntrySubject {
    certDBEntryCommon common;
    SECItem derSubject;
    unsigned int ncerts;
    char *nickname;
    SECItem *certKeys;  /* ncerts entries */
    SECItem *keyIDs;    /* ncerts entries */
    char **emailAddrs;  /* nemailAddrs entries */
    unsigned int nemailAddrs;
} certDBEntrySubject;

#define DB_SUBJECT_ENTRY_HEADER_LEN 6

/*
 * Certificate SMIME profile entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		subjectname-len-msb
 *	1		subjectname-len-lsb
 *	2		smimeoptions-len-msb
 *	3		smimeoptions-len-lsb
 *	4		options-date-len-msb
 *	5		options-date-len-lsb
 *	6...		subjectname
 *	...		smimeoptions
 *	...		options-date
 *
 * The database key for this type of entry is the email address string
 * The "subjectname" value is the DER encoded DN of the identity
 * that matches this email address.
 * The "smimeoptions" value is a string that represents the algorithm
 * capabilities on the remote user.
 * The "options-date" is the date that the smime options value was created.
 * This is generally the signing time of the signed message that contained
 * the options. It is a UTCTime value.
 */
typedef struct {
    certDBEntryCommon common;
    char *emailAddr;
    SECItem subjectName;
    SECItem smimeOptions;
    SECItem optionsDate;
} certDBEntrySMime;

#define DB_SMIME_ENTRY_HEADER_LEN 6

/*
 * Crl/krl entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		derCert-len-msb
 *	1		derCert-len-lsb
 *	2		url-len-msb
 *	3		url-len-lsb
 *	...		derCert
 *	...		url
 *
 * NOTE: the url string as stored in the database is null terminated,
 * in other words, the last byte of the db entry is always 0
 * if a url is present.
 * NOTE: if url is not present, then url-len-msb and
 * url-len-lsb will both be zero.
 *
 * The layout names the first value "derCert" but the struct stores it as
 * `derCrl`; it is the DER of the CRL (or KRL), not of a certificate.
 */
#define DB_CRL_ENTRY_HEADER_LEN 4
struct _certDBEntryRevocation {
    certDBEntryCommon common;
    SECItem derCrl;
    char *url; /* where to load the crl from */
};

/*
 * Database Version Entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	only the low level header...
 *
 * The database key for this type of entry is the string "Version"
 */
typedef struct {
    certDBEntryCommon common;
} certDBEntryVersion;

#define SEC_DB_VERSION_KEY "Version"
/* sizeof on a string literal counts the terminating NUL, so this length
 * (8) includes that byte; code using it as the key length stores the NUL. */
#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)

/*
 * Database Content Version Entry:
 *
 *	byte offset	field
 *	-----------	-----
 *	0		contentVersion
 *
 * The database key for this type of entry is the string "ContentVersion"
 */
typedef struct {
    certDBEntryCommon common;
    char contentVersion;
} certDBEntryContentVersion;

#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
/* Same remark as SEC_DB_VERSION_KEY_LEN: the terminating NUL is counted. */
#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)

/* Any database entry. Every alternative starts with certDBEntryCommon, so
 * `common.type` is valid to read regardless of which variant is stored.
 * The union is as large as its biggest member (certDBEntryCert, with its
 * inline derCertSpace/nicknameSpace buffers). */
typedef union {
    certDBEntryCommon common;
    certDBEntryCert cert;
    certDBEntryContentVersion content;
    certDBEntryNickname nickname;
    certDBEntryRevocation revocation;
    certDBEntrySMime smime;
    certDBEntrySubject subject;
    certDBEntryVersion version;
} certDBEntry;

/* length of the fixed part of a database entry (certificate entries), by
 * database file version; the current layout is the 10-byte one above */
#define DBCERT_V4_HEADER_LEN 7
#define DB_CERT_V5_ENTRY_HEADER_LEN 7
#define DB_CERT_V6_ENTRY_HEADER_LEN 7
#define DB_CERT_ENTRY_HEADER_LEN 10

/* common flags for all types of certificates; these are the bit values of
 * the sslFlags/emailFlags/objectSigningFlags words in NSSLOWCERTCertTrust */
#define CERTDB_TERMINAL_RECORD (1u<<0)
#define CERTDB_TRUSTED (1u<<1)
#define CERTDB_SEND_WARN (1u<<2)
#define CERTDB_VALID_CA (1u<<3)
#define CERTDB_TRUSTED_CA (1u<<4)  /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA (1u<<5)
#define CERTDB_USER (1u<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1u<<8)  /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1u<<9) /* can do strong crypto in export ver */
#define CERTDB_MUST_VERIFY (1u<<10)  /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN (1u<<11) /* accept trust from another source */

/* bits not affected by the CKO_NETSCAPE_TRUST object: when trust is
 * rewritten from a PKCS #11 trust object, these bits keep their stored
 * value rather than being replaced */
#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
    CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
    CERTDB_GOVT_APPROVED_CA)

#endif /* _PCERTT_H_ */