/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * cert.h - public data structures and prototypes for the certificate library
 */

#ifndef _CERT_H_
#define _CERT_H_

#include "utilrename.h"
#include "plarena.h"
#include "plhash.h"
#include "prlong.h"
#include "prlog.h"

#include "seccomon.h"
#include "secdert.h"
#include "secoidt.h"
#include "keyt.h"
#include "certt.h"

SEC_BEGIN_PROTOS

/****************************************************************************
 *
 * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
 *
 ****************************************************************************/

/*
** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
** "string" the RFC1485 text form of the name; it is parsed, so treat it as
** untrusted input when it comes from outside the application.
*/
extern CERTName *CERT_AsciiToName(const char *string);

/*
** Convert a CERTName into its RFC1485 encoded equivalent.
** Returns a string that must be freed with PORT_Free().
** This version produces a string for maximum human readability,
** not for strict RFC compliance. Use it for display only; for a form
** that can be parsed back, see CERT_NameToAsciiInvertible() below.
*/
extern char *CERT_NameToAscii(CERTName *name);

/*
** Convert a CERTName into its RFC1485 encoded equivalent.
** Returns a string that must be freed with PORT_Free().
** Caller chooses encoding rules.
andre@0: */ andre@0: extern char *CERT_NameToAsciiInvertible(CERTName *name, andre@0: CertStrictnessLevel strict); andre@0: andre@0: extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src); andre@0: andre@0: /* convert an OID to dotted-decimal representation */ andre@0: /* Returns a string that must be freed with PR_smprintf_free(). */ andre@0: extern char * CERT_GetOidString(const SECItem *oid); andre@0: andre@0: /* andre@0: ** Examine an AVA and return the tag that refers to it. The AVA tags are andre@0: ** defined as SEC_OID_AVA*. andre@0: */ andre@0: extern SECOidTag CERT_GetAVATag(CERTAVA *ava); andre@0: andre@0: /* andre@0: ** Compare two AVA's, returning the difference between them. andre@0: */ andre@0: extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b); andre@0: andre@0: /* andre@0: ** Create an RDN (relative-distinguished-name). The argument list is a andre@0: ** NULL terminated list of AVA's. andre@0: */ andre@0: extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...); andre@0: andre@0: /* andre@0: ** Make a copy of "src" storing it in "dest". andre@0: */ andre@0: extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src); andre@0: andre@0: /* andre@0: ** Add an AVA to an RDN. andre@0: ** "rdn" the RDN to add to andre@0: ** "ava" the AVA to add andre@0: */ andre@0: extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava); andre@0: andre@0: /* andre@0: ** Compare two RDN's, returning the difference between them. andre@0: */ andre@0: extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b); andre@0: andre@0: /* andre@0: ** Create an X.500 style name using a NULL terminated list of RDN's. andre@0: */ andre@0: extern CERTName *CERT_CreateName(CERTRDN *rdn, ...); andre@0: andre@0: /* andre@0: ** Make a copy of "src" storing it in "dest". Memory is allocated in andre@0: ** "dest" for each of the appropriate sub objects. 
** Memory is not freed in
** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
** do that).
** NOTE(review): CERT_DestroyName below takes a single argument; the
** two-argument form quoted above reflects an older API.
*/
extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
                               const CERTName *src);

/*
** Destroy a Name object.
** "name" the CERTName to destroy
** NOTE(review): older comments describe a "freeit" flag (if PR_TRUE then
** free the object as well as its sub-objects); the prototype below has no
** such parameter.
*/
extern void CERT_DestroyName(CERTName *name);

/*
** Add an RDN to a name.
** "name" the name to add the RDN to
** "rdn" the RDN to add to name
*/
extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);

/*
** Compare two names, returning the difference between them.
*/
extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);

/*
** Convert a CERTName into something readable
*/
extern char *CERT_FormatName (CERTName *name);

/*
** Convert a der-encoded integer to a hex printable string form.
** "i" the DER integer to format
** "do_colon" if nonzero, separate the hex bytes with colons
** Perhaps this should be a SEC function but it's only used for certs.
*/
extern char *CERT_Hexify (SECItem *i, int do_colon);

/*
** Converts DER string (with explicit length) into zString, if destination
** buffer is big enough to receive it. Does quoting and/or escaping as
** specified in RFC 1485. Input string must be single or multi-byte DER
** character set, (ASCII, UTF8, or ISO 8859-x) not a wide character set.
** Returns SECSuccess or SECFailure with error code set. If output buffer
** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
** Escaping can make the output longer than the input, so "dstlen" must not
** be sized from "srclen" alone; always check the return value.
andre@0: */ andre@0: extern SECStatus andre@0: CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen); andre@0: andre@0: /****************************************************************************** andre@0: * andre@0: * Certificate handling operations andre@0: * andre@0: *****************************************************************************/ andre@0: andre@0: /* andre@0: ** Create a new validity object given two unix time values. andre@0: ** "notBefore" the time before which the validity is not valid andre@0: ** "notAfter" the time after which the validity is not valid andre@0: */ andre@0: extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter); andre@0: andre@0: /* andre@0: ** Destroy a validity object. andre@0: ** "v" the validity to destroy andre@0: ** "freeit" if PR_TRUE then free the object as well as its sub-objects andre@0: */ andre@0: extern void CERT_DestroyValidity(CERTValidity *v); andre@0: andre@0: /* andre@0: ** Copy the "src" object to "dest". Memory is allocated in "dest" for andre@0: ** each of the appropriate sub-objects. Memory in "dest" is not freed andre@0: ** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do andre@0: ** that). andre@0: */ andre@0: extern SECStatus CERT_CopyValidity andre@0: (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src); andre@0: andre@0: /* andre@0: ** The cert lib considers a cert or CRL valid if the "notBefore" time is andre@0: ** in the not-too-distant future, e.g. within the next 24 hours. This andre@0: ** prevents freshly issued certificates from being considered invalid andre@0: ** because the local system's time zone is incorrectly set. andre@0: ** The amount of "pending slop time" is adjustable by the application. andre@0: ** Units of SlopTime are seconds. Default is 86400 (24 hours). andre@0: ** Negative SlopTime values are not allowed. 
andre@0: */ andre@0: PRInt32 CERT_GetSlopTime(void); andre@0: andre@0: SECStatus CERT_SetSlopTime(PRInt32 slop); andre@0: andre@0: /* andre@0: ** Create a new certificate object. The result must be wrapped with an andre@0: ** CERTSignedData to create a signed certificate. andre@0: ** "serialNumber" the serial number andre@0: ** "issuer" the name of the certificate issuer andre@0: ** "validity" the validity period of the certificate andre@0: ** "req" the certificate request that prompted the certificate issuance andre@0: */ andre@0: extern CERTCertificate * andre@0: CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer, andre@0: CERTValidity *validity, CERTCertificateRequest *req); andre@0: andre@0: /* andre@0: ** Destroy a certificate object andre@0: ** "cert" the certificate to destroy andre@0: ** NOTE: certificate's are reference counted. This call decrements the andre@0: ** reference count, and if the result is zero, then the object is destroyed andre@0: ** and optionally freed. andre@0: */ andre@0: extern void CERT_DestroyCertificate(CERTCertificate *cert); andre@0: andre@0: /* andre@0: ** Make a shallow copy of a certificate "c". Just increments the andre@0: ** reference count on "c". andre@0: */ andre@0: extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c); andre@0: andre@0: /* andre@0: ** Create a new certificate request. This result must be wrapped with an andre@0: ** CERTSignedData to create a signed certificate request. 
** "name" the subject name (who the certificate request is from)
** "spki" describes/defines the public key the certificate is for
** "attributes" if non-zero, some optional attribute data
*/
extern CERTCertificateRequest *
CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
                               SECItem **attributes);

/*
** Destroy a certificate-request object
** "r" the certificate-request to destroy
** NOTE(review): older comments describe a "freeit" flag (if PR_TRUE then
** free the object as well as its sub-objects); the prototype below has no
** such parameter.
*/
extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);

/*
** Start adding extensions to a certificate request.
** Returns an opaque handle for the CERT_Add*Extension routines; finish
** with CERT_FinishCertificateRequestAttributes.
*/
void *
CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);

/*
** Reformat the certificate extension list into a CertificateRequest
** attribute list.
*/
SECStatus
CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);

/*
** Extract the Extension Requests from a DER CertRequest attribute list.
** "exts" receives the extension list. These extensions were chosen by the
** requester; an issuer must decide which of them to honor rather than
** copying them into a certificate as-is.
*/
SECStatus
CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
                                     CERTCertExtension ***exts);

/*
** Extract a public key object from a certificate
** The returned SECKEYPublicKey is a new object owned by the caller
** (NOTE(review): confirm the matching destroy routine in keyt.h / keyhi).
*/
extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);

/*
** Retrieve the Key Type associated with the cert we're dealing with
** "spki" the subjectPublicKeyInfo whose algorithm determines the KeyType
*/

extern KeyType CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki);

/*
** Initialize the certificate database. This is called to create
** the initial list of certificates in the database.
andre@0: */ andre@0: extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle); andre@0: andre@0: extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: ** Default certificate database routines andre@0: */ andre@0: extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle); andre@0: andre@0: extern CERTCertDBHandle *CERT_GetDefaultCertDB(void); andre@0: andre@0: extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, andre@0: PRTime time, andre@0: SECCertUsage usage); andre@0: extern CERTCertificate * andre@0: CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert, andre@0: char *nickname, PRBool isperm, PRBool copyDER); andre@0: andre@0: andre@0: /****************************************************************************** andre@0: * andre@0: * X.500 Name handling operations andre@0: * andre@0: *****************************************************************************/ andre@0: andre@0: /* andre@0: ** Create an AVA (attribute-value-assertion) andre@0: ** "arena" the memory arena to alloc from andre@0: ** "kind" is one of SEC_OID_AVA_* andre@0: ** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or andre@0: ** DER_T61_STRING andre@0: ** "value" is the null terminated string containing the value andre@0: */ andre@0: extern CERTAVA *CERT_CreateAVA andre@0: (PLArenaPool *arena, SECOidTag kind, int valueType, char *value); andre@0: andre@0: /* andre@0: ** Extract the Distinguished Name from a DER encoded certificate andre@0: ** "derCert" is the DER encoded certificate andre@0: ** "derName" is the SECItem that the name is returned in andre@0: */ andre@0: extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName); andre@0: andre@0: /* andre@0: ** Extract the Issuers Distinguished Name from a DER encoded certificate andre@0: ** "derCert" is the DER encoded certificate andre@0: ** "derName" is the SECItem that the name is returned in andre@0: */ andre@0: extern SECStatus 
CERT_IssuerNameFromDERCert(SECItem *derCert,
                           SECItem *derName);

/* DER encode "genName" into "dest", allocating from "arena". */
extern SECItem *
CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
                       PLArenaPool *arena);

/* Decode a DER GeneralName from "encodedName" into "genName"
** (allocating from "reqArena"). The input is untrusted DER. */
extern CERTGeneralName *
CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
                       CERTGeneralName *genName);



/*
** Generate a database search key for a certificate, based on the
** issuer and serial number.
** "reqArena" the memory arena to alloc from
** "derCert" the DER encoded certificate
** "key" the returned key
*/
extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
                                     SECItem *key);

/* Same as above, but from an already-separated issuer name and serial
** number rather than a whole DER certificate. */
extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
                                         SECItem *sn, SECItem *key);

/* Extract the serial number from a DER encoded certificate.
** NOTE(review): the output parameter is named "derName" but receives the
** serial number. */
extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
                                              SECItem *derName);


/*
** Generate a database search key for a crl, based on the
** issuer.
** "arena" the memory arena to alloc from
** "derCrl" the DER encoded crl
** "key" the returned key
*/
extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);

/*
** Open the certificate database. Use callback to get name of database.
** "readOnly" if PR_TRUE, open without write access.
*/
extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
                                 CERTDBNameFunc namecb, void *cbarg);

/* Open the certificate database. Use given filename for database. */
extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
                                         char *certdbname, PRBool readOnly);

/*
** Open and initialize a cert database that is entirely in memory.
** This
** can be used when the permanent database can not be opened or created.
** Nothing stored in a volatile database (including trust changes) survives
** the process.
*/
extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);

/*
** Extract the list of host names, host name patterns, IP address strings
** this cert is valid for.
** This function does NOT return nicknames.
** Type CERTCertNicknames is being used because it's a convenient
** data structure to carry a list of strings and its count.
** The strings come straight from the certificate and should be treated as
** untrusted text when displayed or logged.
*/
extern CERTCertNicknames *
CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);

/*
** Check the hostname to make sure that it matches the shexp that
** is given in the common name of the certificate.
** This is a name check only: it says nothing about the chain, signature
** or validity period, which must be checked separately with the
** CERT_VerifyCert* functions.
*/
extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
                                     const char *hostname);

/*
** Add a domain name to the list of names that the user has explicitly
** allowed (despite cert name mismatches) for use with a server cert.
** This weakens the name check for "cert", so it should only be called
** after an explicit user decision.
*/
extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);

/*
** Decode a DER encoded certificate into an CERTCertificate structure
** "derSignedCert" is the DER encoded signed certificate
** "copyDER" is true if the DER should be copied, false if the
** existing copy should be referenced (in which case "derSignedCert"
** must outlive the returned object)
** "nickname" is the nickname to use in the database. If it is NULL
** then a temporary nickname is generated.
** Decoding does not verify the signature; the result is untrusted until
** passed through CERT_VerifyCertificate or a related routine.
*/
extern CERTCertificate *
CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
/*
** Decode a DER encoded CRL into a CERTSignedCrl structure
** "derSignedCrl" is the DER encoded signed CRL.
** "type" must be SEC_CRL_TYPE.
andre@0: */ andre@0: #define SEC_CRL_TYPE 1 andre@0: #define SEC_KRL_TYPE 0 /* deprecated */ andre@0: andre@0: extern CERTSignedCrl * andre@0: CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type); andre@0: andre@0: /* andre@0: * same as CERT_DecodeDERCrl, plus allow options to be passed in andre@0: */ andre@0: andre@0: extern CERTSignedCrl * andre@0: CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl, andre@0: int type, PRInt32 options); andre@0: andre@0: /* CRL options to pass */ andre@0: andre@0: #define CRL_DECODE_DEFAULT_OPTIONS 0x00000000 andre@0: andre@0: /* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The andre@0: application must then keep derSignedCrl until it destroys the andre@0: CRL . Ideally, it should allocate derSignedCrl in an arena andre@0: and pass that arena in as the first argument to andre@0: CERT_DecodeDERCrlWithFlags */ andre@0: andre@0: #define CRL_DECODE_DONT_COPY_DER 0x00000001 andre@0: #define CRL_DECODE_SKIP_ENTRIES 0x00000002 andre@0: #define CRL_DECODE_KEEP_BAD_CRL 0x00000004 andre@0: #define CRL_DECODE_ADOPT_HEAP_DER 0x00000008 andre@0: andre@0: /* complete the decoding of a partially decoded CRL, ie. decode the andre@0: entries. Note that entries is an optional field in a CRL, so the andre@0: "entries" pointer in CERTCrlStr may still be NULL even after andre@0: function returns SECSuccess */ andre@0: andre@0: extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl); andre@0: andre@0: /* Validate CRL then import it to the dbase. If there is already a CRL with the andre@0: * same CA in the dbase, it will be replaced if derCRL is more up to date. andre@0: * If the process successes, a CRL will be returned. Otherwise, a NULL will andre@0: * be returned. The caller should call PORT_GetError() for the exactly error andre@0: * code. 
andre@0: */ andre@0: extern CERTSignedCrl * andre@0: CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, andre@0: int type, void * wincx); andre@0: andre@0: extern void CERT_DestroyCrl (CERTSignedCrl *crl); andre@0: andre@0: /* this is a hint to flush the CRL cache. crlKey is the DER subject of andre@0: the issuer (CA). */ andre@0: void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey); andre@0: andre@0: /* add the specified DER CRL object to the CRL cache. Doing so will allow andre@0: certificate verification functions (such as CERT_VerifyCertificate) andre@0: to automatically find and make use of this CRL object. andre@0: Once a CRL is added to the CRL cache, the application must hold on to andre@0: the object's memory, because the cache will reference it directly. The andre@0: application can only free the object after it calls CERT_UncacheCRL to andre@0: remove it from the CRL cache. andre@0: */ andre@0: SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl); andre@0: andre@0: /* remove a previously added CRL object from the CRL cache. 
   It is OK
   for the application to free the memory after a successful removal
   (check the return value first; on failure the cache may still hold it)
*/
SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);

/*
** Find a certificate in the database
** "key" is the database key to look for
** The CERT_FindCert* lookups below only locate a certificate; a found
** certificate is not a trusted one until verified. Returned certificates
** are reference counted (see CERT_DestroyCertificate) -- NOTE(review):
** confirm each lookup hands back an owned reference that the caller must
** release.
*/
extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);

/*
** Find a certificate in the database by name
** "name" is the distinguished name to look up
*/
extern CERTCertificate *
CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);

/*
** Find a certificate in the database by name
** "name" is the distinguished name to look up (in ascii)
*/
extern CERTCertificate *
CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);

/*
** Find a certificate in the database by name and keyid
** "name" is the distinguished name to look up
** "keyID" is the value of the subjectKeyID to match
*/
extern CERTCertificate *
CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);

/*
** Generate a certificate key from the issuer and serialnumber, then look it
** up in the database. Return the cert if found.
** "issuerAndSN" is the issuer and serial number to look for
*/
extern CERTCertificate *
CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);

/*
** Find a certificate in the database by a subject key ID
** "subjKeyID" is the subject Key ID to look for
*/
extern CERTCertificate *
CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);

/*
** Encode Certificate SKID (Subject Key ID) extension.
** "arena" where to allocate the encoded value
** "srcString" the key identifier octets to encode
** "encodedValue" output encoded value
*/
extern SECStatus
CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
                        SECItem *encodedValue);

/*
** Find a certificate in the database by a nickname
** "nickname" is the ascii string nickname to look for
*/
extern CERTCertificate *
CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);

/*
** Find a certificate in the database by a DER encoded certificate
** "derCert" is the DER encoded certificate
*/
extern CERTCertificate *
CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);

/*
** Find a certificate in the database by an email address
** "emailAddr" is the email address to look up
*/
CERTCertificate *
CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);

/*
** Find a certificate in the database by an email address or nickname
** "name" is the email address or nickname to look up
*/
CERTCertificate *
CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);

/*
** Find a certificate in the database by an email address or nickname
** and require it to have the given usage.
** "name" is the email address or nickname to look up
** "lookingForUsage" the usage the returned certificate must be valid for
*/
CERTCertificate *
CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
                                           const char *name,
                                           SECCertUsage lookingForUsage);

/*
** Find a certificate in the database by a digest of a subject public key
** "spkDigest" is the digest to look up
*/
extern CERTCertificate *
CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);

/*
 * Find the issuer of a cert
 * "validTime" the time the issuer must be valid at
 * "usage" the usage the issuer is being sought for
 */
CERTCertificate *
CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);

/*
** Check the validity times of a certificate vs. time 't', allowing
** some slop for broken clocks and stuff.
** "cert" is the certificate to be checked
** "t" is the time to check against
** "allowOverride" if true then check to see if the invalidity has
** been overridden by the user. Passing PR_TRUE lets a user override mask
** an expired or not-yet-valid certificate, so pass PR_FALSE when a strict
** answer is needed.
** The result is a SECCertTimeValidity enumerator, not a boolean; compare
** against the specific "valid" value rather than testing for zero.
*/
extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
                                                    PRTime t,
                                                    PRBool allowOverride);

/*
** WARNING - this function is deprecated, and will either go away or have
** a new API in the near future.
**
** Check the validity times of a certificate vs. the current time, allowing
** some slop for broken clocks and stuff.
** "cert" is the certificate to be checked
** Returns SECSuccess only when the times are acceptable.
*/
extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);

/*
** Extract the validity times from a certificate
** "c" is the certificate
** "notBefore" is the start of the validity period
** "notAfter" is the end of the validity period
*/
extern SECStatus
CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore,
                   PRTime *notAfter);

/*
** Extract the issuer and serial number from a certificate
** The result is allocated from the arena given as the first argument.
*/
extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *,
                                                CERTCertificate *);

/*
** verify the signature of a signed data object with a given certificate
** "sd" the signed data object to be verified
** "cert" the certificate to use to check the signature
** "t" NOTE(review): presumably the time at which "cert" must be valid --
** confirm against the implementation
** "wincx" window context passed through to any password callback
** A good signature only proves "sd" was signed by the key in "cert";
** whether "cert" itself is trusted is a separate question.
*/
extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
                                       CERTCertificate *cert,
                                       PRTime t,
                                       void *wincx);
/*
** verify the signature of a signed data object with the given DER publickey
** No trust decision is made about "pubKeyInfo"; the caller must already
** have a reason to trust that key.
*/
extern SECStatus
CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
                                       void *wincx);

/*
** verify the signature of a signed data object with a SECKEYPublicKey.
** As above, this checks the signature against "pubKey" only.
*/
extern SECStatus
CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
                                   SECKEYPublicKey *pubKey, void *wincx);

/*
** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
** verify a certificate by checking validity times against a certain time,
** that we trust the issuer, and that the signature on the certificate is
** valid.
** "cert" the certificate to verify
** "checkSig" only check signatures if true. Passing PR_FALSE skips the
** signature checks entirely, so code verifying certificates from an
** untrusted peer must pass PR_TRUE.
** "requiredUsages" bit field of usages the certificate must satisfy
** "t" the time to verify against
** "wincx" window context passed through to any password callback
** "log" receives details of each failure (NOTE(review): presumably may
** be NULL when no log is wanted -- confirm)
** "returnedUsages" receives the usages the certificate was found valid for
*/
extern SECStatus
CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
                       PRBool checkSig, SECCertificateUsage requiredUsages,
                       PRTime t, void *wincx, CERTVerifyLog *log,
                       SECCertificateUsage* returnedUsages);

/* same as above, but uses current time */
extern SECStatus
CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
                          PRBool checkSig, SECCertificateUsage requiredUsages,
                          void *wincx, SECCertificateUsage* returnedUsages);

/*
** Verify that a CA cert can certify some (unspecified) leaf cert for a given
** purpose. This is used by UI code to help identify where a chain may be
** broken and why. This takes identical parameters to CERT_VerifyCert.
** It is a diagnostic aid; it does not replace verifying the actual leaf.
*/
extern SECStatus
CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
                          PRBool checkSig, SECCertUsage certUsage, PRTime t,
                          void *wincx, CERTVerifyLog *log);

/*
** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
** verify a certificate by checking validity times against a certain time,
** that we trust the issuer, and that the signature on the certificate is
** valid.
** "cert" the certificate to verify
** "checkSig" only check signatures if true (PR_FALSE skips signature
** verification; see CERT_VerifyCertificate for the preferred API)
*/
extern SECStatus
CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
                PRBool checkSig, SECCertUsage certUsage, PRTime t,
                void *wincx, CERTVerifyLog *log);

/* same as above, but uses current time */
extern SECStatus
CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
                   PRBool checkSig, SECCertUsage certUsage, void *wincx);

/*
** Verify the certificate chain for "cert" with the same parameters as
** CERT_VerifyCert. NOTE(review): presumably checks the issuer chain rather
** than the leaf's own validity times and usage -- confirm before relying
** on it as a complete verification.
*/
SECStatus
CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
                     PRBool checkSig, SECCertUsage certUsage, PRTime t,
                     void *wincx, CERTVerifyLog *log);

/*
** Read a base64 ascii encoded DER certificate and convert it to our
** internal format.
** "certstr" is a null-terminated string containing the certificate
*/
extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);

/*
** Read a certificate in some foreign format, and convert it to our
** internal format.
** "certbuf" is the buffer containing the certificate
** "certlen" is the length of the buffer (the parser must not read past it)
** NOTE - currently supports netscape base64 ascii encoded raw certs
** and netscape binary DER typed files.
*/
extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);

/*
** Import a chain of "numcerts" DER certificates for "certUsage".
*/
extern SECStatus
CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);

/*
** As above, but the imported CAs are given trust (per the name;
** NOTE(review): confirm the exact trust flags set). This changes the set
** of trust anchors, so only call it with certificates obtained through an
** authenticated channel.
*/
extern SECStatus
CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);

/*
** Read a certificate chain in some foreign format, and pass it to a
** callback function.
** "certbuf" is the buffer containing the certificate
** "certlen" is the length of the buffer
** "f" is the callback function; it receives the "numcerts" DER items
** parsed from the package, which are not yet verified
** "arg" is the callback argument
*/
typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
   (void *arg, SECItem **certs, int numcerts);

extern SECStatus
CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
                       void *arg);

/*
** Returns the value of an AVA. This was a formerly static
** function that has been exposed due to the need to decode
** and convert unicode strings to UTF8.
**
** XXX This function resides in certhtml.c, should it be
** moved elsewhere?
*/
extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);



/*
** extract various element strings from a distinguished name.
** "name" the distinguished name
** The strings originate in the certificate and should be treated as
** untrusted text when displayed or logged.
*/

extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);

extern char *CERT_GetCertEmailAddress(const CERTName *name);

/* Iterate the email addresses in "cert". The returned pointers are const
** and are not to be freed (contrast the PORT_Free note below);
** NOTE(review): presumably they point into "cert" and are only valid while
** it is alive -- confirm. */
extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);

extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert,
                                             const char * prev);

/* The return value must be freed with PORT_Free.
** This applies to each of the CERT_Get*Name / CERT_GetCertUid accessors
** below. NOTE(review): presumably NULL is returned when the attribute is
** absent -- callers should check before use; confirm.
*/
extern char *CERT_GetCommonName(const CERTName *name);

extern char *CERT_GetCountryName(const CERTName *name);

extern char *CERT_GetLocalityName(const CERTName *name);

extern char *CERT_GetStateName(const CERTName *name);

extern char *CERT_GetOrgName(const CERTName *name);

extern char *CERT_GetOrgUnitName(const CERTName *name);

extern char *CERT_GetDomainComponentName(const CERTName *name);

extern char *CERT_GetCertUid(const CERTName *name);

/* manipulate the trust parameters of a certificate.
** Changing trust alters what the verifier will accept, so these setters
** should only be reachable from code acting on an explicit, authenticated
** decision. */

extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
                                   CERTCertTrust *trust);

extern SECStatus
CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
                      CERTCertTrust *trust);

extern SECStatus
CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
                            SECCertUsage usage);

/*************************************************************************
 *
 * manipulate the extensions of a certificate
 *
 ************************************************************************/

/*
** Set up a cert for adding X509v3 extensions. Returns an opaque handle
** used by the CERT_Add*Extension routines and CERT_FinishExtensions below.
** "cert" is the certificate we are adding extensions to
*/
extern void *CERT_StartCertExtensions(CERTCertificate *cert);

/*
** Add an extension to a certificate.
andre@0: ** "exthandle" is the handle returned by the previous function andre@0: ** "idtag" is the integer tag for the OID that should ID this extension andre@0: ** "value" is the value of the extension andre@0: ** "critical" is the critical extension flag andre@0: ** "copyData" is a flag indicating whether the value data should be andre@0: ** copied. andre@0: */ andre@0: extern SECStatus CERT_AddExtension (void *exthandle, int idtag, andre@0: SECItem *value, PRBool critical, PRBool copyData); andre@0: andre@0: extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid, andre@0: SECItem *value, PRBool critical, PRBool copyData); andre@0: andre@0: extern SECStatus CERT_EncodeAndAddExtension andre@0: (void *exthandle, int idtag, void *value, PRBool critical, andre@0: const SEC_ASN1Template *atemplate); andre@0: andre@0: extern SECStatus CERT_EncodeAndAddBitStrExtension andre@0: (void *exthandle, int idtag, SECItem *value, PRBool critical); andre@0: andre@0: andre@0: extern SECStatus andre@0: CERT_EncodeAltNameExtension(PLArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue); andre@0: andre@0: andre@0: /* andre@0: ** Finish adding cert extensions. Does final processing on extension andre@0: ** data, putting it in the right format, and freeing any temporary andre@0: ** storage. andre@0: ** "exthandle" is the handle used to add extensions to a certificate andre@0: */ andre@0: extern SECStatus CERT_FinishExtensions(void *exthandle); andre@0: andre@0: /* andre@0: ** Merge an external list of extensions into a cert's extension list, adding one andre@0: ** only when its OID matches none of the cert's existing extensions. Call this andre@0: ** immediately before calling CERT_FinishExtensions(). andre@0: */ andre@0: SECStatus andre@0: CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts); andre@0: andre@0: /* If the extension is found, return its criticality and value. andre@0: ** This allocate storage for the returning extension value. 
andre@0: */ andre@0: extern SECStatus CERT_GetExtenCriticality andre@0: (CERTCertExtension **extensions, int tag, PRBool *isCritical); andre@0: andre@0: extern void andre@0: CERT_DestroyOidSequence(CERTOidSequence *oidSeq); andre@0: andre@0: /**************************************************************************** andre@0: * andre@0: * DER encode and decode extension values andre@0: * andre@0: ****************************************************************************/ andre@0: andre@0: /* Encode the value of the basicConstraint extension. andre@0: ** arena - where to allocate memory for the encoded value. andre@0: ** value - extension value to encode andre@0: ** encodedValue - output encoded value andre@0: */ andre@0: extern SECStatus CERT_EncodeBasicConstraintValue andre@0: (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue); andre@0: andre@0: /* andre@0: ** Encode the value of the authorityKeyIdentifier extension. andre@0: */ andre@0: extern SECStatus CERT_EncodeAuthKeyID andre@0: (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue); andre@0: andre@0: /* andre@0: ** Encode the value of the crlDistributionPoints extension. andre@0: */ andre@0: extern SECStatus CERT_EncodeCRLDistributionPoints andre@0: (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue); andre@0: andre@0: /* andre@0: ** Decodes a DER encoded basicConstaint extension value into a readable format andre@0: ** value - decoded value andre@0: ** encodedValue - value to decoded andre@0: */ andre@0: extern SECStatus CERT_DecodeBasicConstraintValue andre@0: (CERTBasicConstraints *value, const SECItem *encodedValue); andre@0: andre@0: /* Decodes a DER encoded authorityKeyIdentifier extension value into a andre@0: ** readable format. 
andre@0: ** arena - where to allocate memory for the decoded value andre@0: ** encodedValue - value to be decoded andre@0: ** Returns a CERTAuthKeyID structure which contains the decoded value andre@0: */ andre@0: extern CERTAuthKeyID *CERT_DecodeAuthKeyID andre@0: (PLArenaPool *arena, const SECItem *encodedValue); andre@0: andre@0: /* Decodes a DER encoded crlDistributionPoints extension value into a andre@0: ** readable format. andre@0: ** arena - where to allocate memory for the decoded value andre@0: ** der - value to be decoded andre@0: ** Returns a CERTCrlDistributionPoints structure which contains the andre@0: ** decoded value andre@0: */ andre@0: extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints andre@0: (PLArenaPool *arena, SECItem *der); andre@0: andre@0: /* Extract certain name type from a generalName */ andre@0: extern void *CERT_GetGeneralNameByType andre@0: (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat); andre@0: andre@0: andre@0: extern CERTOidSequence * andre@0: CERT_DecodeOidSequence(const SECItem *seqItem); andre@0: andre@0: andre@0: andre@0: andre@0: /**************************************************************************** andre@0: * andre@0: * Find extension values of a certificate andre@0: * andre@0: ***************************************************************************/ andre@0: andre@0: extern SECStatus CERT_FindCertExtension andre@0: (const CERTCertificate *cert, int tag, SECItem *value); andre@0: andre@0: extern SECStatus CERT_FindNSCertTypeExtension andre@0: (CERTCertificate *cert, SECItem *value); andre@0: andre@0: extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag); andre@0: andre@0: extern SECStatus CERT_FindIssuerCertExtension andre@0: (CERTCertificate *cert, int tag, SECItem *value); andre@0: andre@0: extern SECStatus CERT_FindCertExtensionByOID andre@0: (CERTCertificate *cert, SECItem *oid, SECItem *value); andre@0: andre@0: extern char 
*CERT_FindCertURLExtension (CERTCertificate *cert, int tag, andre@0: int catag); andre@0: andre@0: /* Returns the decoded value of the authKeyID extension. andre@0: ** Note that this uses passed in the arena to allocate storage for the result andre@0: */ andre@0: extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert); andre@0: andre@0: /* Returns the decoded value of the basicConstraint extension. andre@0: */ andre@0: extern SECStatus CERT_FindBasicConstraintExten andre@0: (CERTCertificate *cert, CERTBasicConstraints *value); andre@0: andre@0: /* Returns the decoded value of the crlDistributionPoints extension. andre@0: ** Note that the arena in cert is used to allocate storage for the result andre@0: */ andre@0: extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints andre@0: (CERTCertificate *cert); andre@0: andre@0: /* Returns value of the keyUsage extension. This uses PR_Alloc to allocate andre@0: ** buffer for the decoded value. The caller should free up the storage andre@0: ** allocated in value->data. andre@0: */ andre@0: extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, andre@0: SECItem *value); andre@0: andre@0: /* Return the decoded value of the subjectKeyID extension. The caller should andre@0: ** free up the storage allocated in retItem->data. andre@0: */ andre@0: extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, andre@0: SECItem *retItem); andre@0: andre@0: /* andre@0: ** If cert is a v3 certificate, and a critical keyUsage extension is included, andre@0: ** then check the usage against the extension value. If a non-critical andre@0: ** keyUsage extension is included, this will return SECSuccess without andre@0: ** checking, since the extension is an advisory field, not a restriction. andre@0: ** If cert is not a v3 certificate, this will return SECSuccess. 
andre@0: ** cert - certificate andre@0: ** usage - one of the x.509 v3 the Key Usage Extension flags andre@0: */ andre@0: extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, andre@0: unsigned char usage); andre@0: andre@0: /**************************************************************************** andre@0: * andre@0: * CRL v2 Extensions supported routines andre@0: * andre@0: ****************************************************************************/ andre@0: andre@0: extern SECStatus CERT_FindCRLExtensionByOID andre@0: (CERTCrl *crl, SECItem *oid, SECItem *value); andre@0: andre@0: extern SECStatus CERT_FindCRLExtension andre@0: (CERTCrl *crl, int tag, SECItem *value); andre@0: andre@0: extern SECStatus andre@0: CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value); andre@0: andre@0: /* andre@0: ** Set up a crl for adding X509v3 extensions. Returns an opaque handle andre@0: ** used by routines that take an exthandle (void*) argument . andre@0: ** "crl" is the CRL we are adding extensions to andre@0: */ andre@0: extern void *CERT_StartCRLExtensions(CERTCrl *crl); andre@0: andre@0: /* andre@0: ** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle andre@0: ** used by routines that take an exthandle (void*) argument . 
andre@0: ** "crl" is the crl we are adding certs entries to andre@0: ** "entry" is the crl entry we are adding extensions to andre@0: */ andre@0: extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry); andre@0: andre@0: extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle, andre@0: int what, void *wincx); andre@0: andre@0: /* andre@0: ** Finds the crlNumber extension and decodes its value into 'value' andre@0: */ andre@0: extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl, andre@0: SECItem *value); andre@0: andre@0: extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, andre@0: CERTCRLEntryReasonCode *value); andre@0: andre@0: extern void CERT_FreeNicknames(CERTCertNicknames *nicknames); andre@0: andre@0: extern PRBool CERT_CompareCerts(const CERTCertificate *c1, andre@0: const CERTCertificate *c2); andre@0: andre@0: extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, andre@0: CERTCertificate *c2); andre@0: andre@0: /* andre@0: ** Generate an array of the Distinguished Names that the given cert database andre@0: ** "trusts" andre@0: */ andre@0: extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle); andre@0: andre@0: extern void CERT_FreeDistNames(CERTDistNames *names); andre@0: andre@0: /* Duplicate distinguished name array */ andre@0: extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig); andre@0: andre@0: /* andre@0: ** Generate an array of Distinguished names from an array of nicknames andre@0: */ andre@0: extern CERTDistNames *CERT_DistNamesFromNicknames andre@0: (CERTCertDBHandle *handle, char **nicknames, int nnames); andre@0: andre@0: /* andre@0: ** Generate an array of Distinguished names from a list of certs. andre@0: */ andre@0: extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list); andre@0: andre@0: /* andre@0: ** Generate a certificate chain from a certificate. 
andre@0: */ andre@0: extern CERTCertificateList * andre@0: CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, andre@0: PRBool includeRoot); andre@0: andre@0: extern CERTCertificateList * andre@0: CERT_CertListFromCert(CERTCertificate *cert); andre@0: andre@0: extern CERTCertificateList * andre@0: CERT_DupCertList(const CERTCertificateList * oldList); andre@0: andre@0: extern void CERT_DestroyCertificateList(CERTCertificateList *list); andre@0: andre@0: /* andre@0: ** is cert a user cert? i.e. does it have CERTDB_USER trust, andre@0: ** i.e. a private key? andre@0: */ andre@0: PRBool CERT_IsUserCert(CERTCertificate* cert); andre@0: andre@0: /* is cert a newer than cert b? */ andre@0: PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb); andre@0: andre@0: /* currently a stub for address book */ andre@0: PRBool andre@0: CERT_IsCertRevoked(CERTCertificate *cert); andre@0: andre@0: void andre@0: CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts); andre@0: andre@0: /* convert an email address to lower case */ andre@0: char *CERT_FixupEmailAddr(const char *emailAddr); andre@0: andre@0: /* decode string representation of trust flags into trust struct */ andre@0: SECStatus andre@0: CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts); andre@0: andre@0: /* encode trust struct into string representation of trust flags */ andre@0: char * andre@0: CERT_EncodeTrustString(CERTCertTrust *trust); andre@0: andre@0: /* find the next or prev cert in a subject list */ andre@0: CERTCertificate * andre@0: CERT_PrevSubjectCert(CERTCertificate *cert); andre@0: CERTCertificate * andre@0: CERT_NextSubjectCert(CERTCertificate *cert); andre@0: andre@0: /* andre@0: * import a collection of certs into the temporary or permanent cert andre@0: * database andre@0: */ andre@0: SECStatus andre@0: CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, andre@0: unsigned int ncerts, SECItem **derCerts, andre@0: CERTCertificate 
***retCerts, PRBool keepCerts, andre@0: PRBool caOnly, char *nickname); andre@0: andre@0: char * andre@0: CERT_MakeCANickname(CERTCertificate *cert); andre@0: andre@0: PRBool andre@0: CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype); andre@0: andre@0: PRBool andre@0: CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype); andre@0: andre@0: PRBool andre@0: CERT_IsRootDERCert(SECItem *derCert); andre@0: andre@0: SECStatus andre@0: CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, andre@0: SECItem *profileTime); andre@0: andre@0: /* andre@0: * find the smime symmetric capabilities profile for a given cert andre@0: */ andre@0: SECItem * andre@0: CERT_FindSMimeProfile(CERTCertificate *cert); andre@0: andre@0: SECStatus andre@0: CERT_AddNewCerts(CERTCertDBHandle *handle); andre@0: andre@0: CERTCertificatePolicies * andre@0: CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue); andre@0: andre@0: void andre@0: CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies); andre@0: andre@0: CERTCertificatePolicyMappings * andre@0: CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps); andre@0: andre@0: SECStatus andre@0: CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings); andre@0: andre@0: SECStatus andre@0: CERT_DecodePolicyConstraintsExtension( andre@0: CERTCertificatePolicyConstraints *decodedValue, andre@0: const SECItem *encodedValue); andre@0: andre@0: SECStatus CERT_DecodeInhibitAnyExtension andre@0: (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue); andre@0: andre@0: CERTUserNotice * andre@0: CERT_DecodeUserNotice(SECItem *noticeItem); andre@0: andre@0: extern CERTGeneralName * andre@0: CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName); andre@0: andre@0: extern CERTNameConstraints * andre@0: CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, andre@0: const SECItem *encodedConstraints); andre@0: andre@0: /* returns addr of a 
NULL termainated array of pointers to CERTAuthInfoAccess */ andre@0: extern CERTAuthInfoAccess ** andre@0: CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena, andre@0: SECItem *encodedExtension); andre@0: andre@0: extern CERTPrivKeyUsagePeriod * andre@0: CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue); andre@0: andre@0: extern CERTGeneralName * andre@0: CERT_GetNextGeneralName(CERTGeneralName *current); andre@0: andre@0: extern CERTGeneralName * andre@0: CERT_GetPrevGeneralName(CERTGeneralName *current); andre@0: andre@0: CERTNameConstraint * andre@0: CERT_GetNextNameConstraint(CERTNameConstraint *current); andre@0: andre@0: CERTNameConstraint * andre@0: CERT_GetPrevNameConstraint(CERTNameConstraint *current); andre@0: andre@0: void andre@0: CERT_DestroyUserNotice(CERTUserNotice *userNotice); andre@0: andre@0: typedef char * (* CERTPolicyStringCallback)(char *org, andre@0: unsigned long noticeNumber, andre@0: void *arg); andre@0: void andre@0: CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg); andre@0: andre@0: char * andre@0: CERT_GetCertCommentString(CERTCertificate *cert); andre@0: andre@0: PRBool andre@0: CERT_GovtApprovedBitSet(CERTCertificate *cert); andre@0: andre@0: SECStatus andre@0: CERT_AddPermNickname(CERTCertificate *cert, char *nickname); andre@0: andre@0: CERTCertList * andre@0: CERT_MatchUserCert(CERTCertDBHandle *handle, andre@0: SECCertUsage usage, andre@0: int nCANames, char **caNames, andre@0: void *proto_win); andre@0: andre@0: CERTCertList * andre@0: CERT_NewCertList(void); andre@0: andre@0: /* free the cert list and all the certs in the list */ andre@0: void andre@0: CERT_DestroyCertList(CERTCertList *certs); andre@0: andre@0: /* remove the node and free the cert */ andre@0: void andre@0: CERT_RemoveCertListNode(CERTCertListNode *node); andre@0: andre@0: /* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */ andre@0: SECStatus andre@0: 
CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert); andre@0: andre@0: /* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */ andre@0: SECStatus andre@0: CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert); andre@0: andre@0: /* andre@0: * The new cert list node takes ownership of "cert". "cert" is freed andre@0: * when the list node is removed. andre@0: */ andre@0: SECStatus andre@0: CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert, andre@0: void *appData); andre@0: andre@0: /* andre@0: * The new cert list node takes ownership of "cert". "cert" is freed andre@0: * when the list node is removed. andre@0: */ andre@0: SECStatus andre@0: CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, andre@0: void *appData); andre@0: andre@0: typedef PRBool (* CERTSortCallback)(CERTCertificate *certa, andre@0: CERTCertificate *certb, andre@0: void *arg); andre@0: SECStatus andre@0: CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert, andre@0: CERTSortCallback f, void *arg); andre@0: andre@0: /* callback for CERT_AddCertToListSorted that sorts based on validity andre@0: * period and a given time. andre@0: */ andre@0: PRBool andre@0: CERT_SortCBValidity(CERTCertificate *certa, andre@0: CERTCertificate *certb, andre@0: void *arg); andre@0: andre@0: SECStatus andre@0: CERT_CheckForEvilCert(CERTCertificate *cert); andre@0: andre@0: CERTGeneralName * andre@0: CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena); andre@0: andre@0: CERTGeneralName * andre@0: CERT_GetConstrainedCertificateNames(const CERTCertificate *cert, andre@0: PLArenaPool *arena, andre@0: PRBool includeSubjectCommonName); andre@0: andre@0: /* andre@0: * Creates or adds to a list of all certs with a give subject name, sorted by andre@0: * validity time, newest first. Invalid certs are considered older than andre@0: * valid certs. If validOnly is set, do not include invalid certs on list. 
andre@0: */ andre@0: CERTCertList * andre@0: CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle, andre@0: const SECItem *name, PRTime sorttime, andre@0: PRBool validOnly); andre@0: andre@0: /* andre@0: * remove certs from a list that don't have keyUsage and certType andre@0: * that match the given usage. andre@0: */ andre@0: SECStatus andre@0: CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, andre@0: PRBool ca); andre@0: andre@0: /* andre@0: * check the key usage of a cert against a set of required values andre@0: */ andre@0: SECStatus andre@0: CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage); andre@0: andre@0: /* andre@0: * return required key usage and cert type based on cert usage andre@0: */ andre@0: SECStatus andre@0: CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, andre@0: PRBool ca, andre@0: unsigned int *retKeyUsage, andre@0: unsigned int *retCertType); andre@0: /* andre@0: * return required trust flags for various cert usages for CAs andre@0: */ andre@0: SECStatus andre@0: CERT_TrustFlagsForCACertUsage(SECCertUsage usage, andre@0: unsigned int *retFlags, andre@0: SECTrustType *retTrustType); andre@0: andre@0: /* andre@0: * Find all user certificates that match the given criteria. andre@0: * andre@0: * "handle" - database to search andre@0: * "usage" - certificate usage to match andre@0: * "oneCertPerName" - if set then only return the "best" cert per andre@0: * name andre@0: * "validOnly" - only return certs that are curently valid andre@0: * "proto_win" - window handle passed to pkcs11 andre@0: */ andre@0: CERTCertList * andre@0: CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, andre@0: SECCertUsage usage, andre@0: PRBool oneCertPerName, andre@0: PRBool validOnly, andre@0: void *proto_win); andre@0: andre@0: /* andre@0: * Find a user certificate that matchs the given criteria. 
andre@0: * andre@0: * "handle" - database to search andre@0: * "nickname" - nickname to match andre@0: * "usage" - certificate usage to match andre@0: * "validOnly" - only return certs that are curently valid andre@0: * "proto_win" - window handle passed to pkcs11 andre@0: */ andre@0: CERTCertificate * andre@0: CERT_FindUserCertByUsage(CERTCertDBHandle *handle, andre@0: const char *nickname, andre@0: SECCertUsage usage, andre@0: PRBool validOnly, andre@0: void *proto_win); andre@0: andre@0: /* andre@0: * Filter a list of certificates, removing those certs that do not have andre@0: * one of the named CA certs somewhere in their cert chain. andre@0: * andre@0: * "certList" - the list of certificates to filter andre@0: * "nCANames" - number of CA names andre@0: * "caNames" - array of CA names in string(rfc 1485) form andre@0: * "usage" - what use the certs are for, this is used when andre@0: * selecting CA certs andre@0: */ andre@0: SECStatus andre@0: CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, andre@0: char **caNames, SECCertUsage usage); andre@0: andre@0: /* andre@0: * Filter a list of certificates, removing those certs that aren't user certs andre@0: */ andre@0: SECStatus andre@0: CERT_FilterCertListForUserCerts(CERTCertList *certList); andre@0: andre@0: /* andre@0: * Collect the nicknames from all certs in a CertList. If the cert is not andre@0: * valid, append a string to that nickname. 
andre@0: * andre@0: * "certList" - the list of certificates andre@0: * "expiredString" - the string to append to the nickname of any expired cert andre@0: * "notYetGoodString" - the string to append to the nickname of any cert andre@0: * that is not yet valid andre@0: */ andre@0: CERTCertNicknames * andre@0: CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString, andre@0: char *notYetGoodString); andre@0: andre@0: /* andre@0: * Extract the nickname from a nickmake string that may have either andre@0: * expiredString or notYetGoodString appended. andre@0: * andre@0: * Args: andre@0: * "namestring" - the string containing the nickname, and possibly andre@0: * one of the validity label strings andre@0: * "expiredString" - the expired validity label string andre@0: * "notYetGoodString" - the not yet good validity label string andre@0: * andre@0: * Returns the raw nickname andre@0: */ andre@0: char * andre@0: CERT_ExtractNicknameString(char *namestring, char *expiredString, andre@0: char *notYetGoodString); andre@0: andre@0: /* andre@0: * Given a certificate, return a string containing the nickname, and possibly andre@0: * one of the validity strings, based on the current validity state of the andre@0: * certificate. andre@0: * andre@0: * "arena" - arena to allocate returned string from. If NULL, then heap andre@0: * is used. andre@0: * "cert" - the cert to get nickname from andre@0: * "expiredString" - the string to append to the nickname if the cert is andre@0: * expired. andre@0: * "notYetGoodString" - the string to append to the nickname if the cert is andre@0: * not yet good. 
andre@0: */ andre@0: char * andre@0: CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert, andre@0: char *expiredString, char *notYetGoodString); andre@0: andre@0: /* andre@0: * Return the string representation of a DER encoded distinguished name andre@0: * "dername" - The DER encoded name to convert andre@0: */ andre@0: char * andre@0: CERT_DerNameToAscii(SECItem *dername); andre@0: andre@0: /* andre@0: * Supported usage values and types: andre@0: * certUsageSSLClient andre@0: * certUsageSSLServer andre@0: * certUsageSSLServerWithStepUp andre@0: * certUsageEmailSigner andre@0: * certUsageEmailRecipient andre@0: * certUsageObjectSigner andre@0: */ andre@0: andre@0: CERTCertificate * andre@0: CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName, andre@0: CERTCertOwner owner, SECCertUsage usage, andre@0: PRBool preferTrusted, PRTime validTime, PRBool validOnly); andre@0: andre@0: /* andre@0: * Acquire the global lock on the cert database. andre@0: * This lock is currently used for the following operations: andre@0: * adding or deleting a cert to either the temp or perm databases andre@0: * converting a temp to perm or perm to temp andre@0: * changing(maybe just adding?) the trust of a cert andre@0: * adjusting the reference count of a cert andre@0: */ andre@0: void andre@0: CERT_LockDB(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * Free the global cert database lock. andre@0: */ andre@0: void andre@0: CERT_UnlockDB(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * Get the certificate status checking configuratino data for andre@0: * the certificate database andre@0: */ andre@0: CERTStatusConfig * andre@0: CERT_GetStatusConfig(CERTCertDBHandle *handle); andre@0: andre@0: /* andre@0: * Set the certificate status checking information for the andre@0: * database. 
The input structure becomes part of the certificate andre@0: * database and will be freed by calling the 'Destroy' function in andre@0: * the configuration object. andre@0: */ andre@0: void andre@0: CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); andre@0: andre@0: andre@0: andre@0: /* andre@0: * Acquire the cert reference count lock andre@0: * There is currently one global lock for all certs, but I'm putting a cert andre@0: * arg here so that it will be easy to make it per-cert in the future if andre@0: * that turns out to be necessary. andre@0: */ andre@0: void andre@0: CERT_LockCertRefCount(CERTCertificate *cert); andre@0: andre@0: /* andre@0: * Free the cert reference count lock andre@0: */ andre@0: void andre@0: CERT_UnlockCertRefCount(CERTCertificate *cert); andre@0: andre@0: /* andre@0: * Acquire the cert trust lock andre@0: * There is currently one global lock for all certs, but I'm putting a cert andre@0: * arg here so that it will be easy to make it per-cert in the future if andre@0: * that turns out to be necessary. andre@0: */ andre@0: void andre@0: CERT_LockCertTrust(const CERTCertificate *cert); andre@0: andre@0: /* andre@0: * Free the cert trust lock andre@0: */ andre@0: void andre@0: CERT_UnlockCertTrust(const CERTCertificate *cert); andre@0: andre@0: /* andre@0: * Digest the cert's subject public key using the specified algorithm. andre@0: * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding andre@0: * the tag, length, and number of unused bits) rather than the whole andre@0: * subjectPublicKeyInfo field. andre@0: * andre@0: * The necessary storage for the digest data is allocated. If "fill" is andre@0: * non-null, the data is put there, otherwise a SECItem is allocated. andre@0: * Allocation from "arena" if it is non-null, heap otherwise. Any problem andre@0: * results in a NULL being returned (and an appropriate error set). 
andre@0: */ andre@0: extern SECItem * andre@0: CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, andre@0: SECOidTag digestAlg, SECItem *fill); andre@0: andre@0: /* andre@0: * Digest the cert's subject name using the specified algorithm. andre@0: */ andre@0: extern SECItem * andre@0: CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert, andre@0: SECOidTag digestAlg, SECItem *fill); andre@0: andre@0: SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, andre@0: const SECItem* dp, PRTime t, void* wincx); andre@0: andre@0: andre@0: /* andre@0: * Add a CERTNameConstraint to the CERTNameConstraint list andre@0: */ andre@0: extern CERTNameConstraint * andre@0: CERT_AddNameConstraint(CERTNameConstraint *list, andre@0: CERTNameConstraint *constraint); andre@0: andre@0: /* andre@0: * Allocate space and copy CERTNameConstraint from src to dest. andre@0: * Arena is used to allocate result(if dest eq NULL) and its members andre@0: * SECItem data. andre@0: */ andre@0: extern CERTNameConstraint * andre@0: CERT_CopyNameConstraint(PLArenaPool *arena, andre@0: CERTNameConstraint *dest, andre@0: CERTNameConstraint *src); andre@0: andre@0: /* andre@0: * Verify name against all the constraints relevant to that type of andre@0: * the name. andre@0: */ andre@0: extern SECStatus andre@0: CERT_CheckNameSpace(PLArenaPool *arena, andre@0: const CERTNameConstraints *constraints, andre@0: const CERTGeneralName *currentName); andre@0: andre@0: /* andre@0: * Extract and allocate the name constraints extension from the CA cert. 
andre@0: */ andre@0: extern SECStatus andre@0: CERT_FindNameConstraintsExten(PLArenaPool *arena, andre@0: CERTCertificate *cert, andre@0: CERTNameConstraints **constraints); andre@0: andre@0: /* andre@0: * Initialize a new GERTGeneralName fields (link) andre@0: */ andre@0: extern CERTGeneralName * andre@0: CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type); andre@0: andre@0: /* andre@0: * PKIX extension encoding routines andre@0: */ andre@0: extern SECStatus andre@0: CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena, andre@0: CERTCertificatePolicyConstraints *constr, andre@0: SECItem *dest); andre@0: extern SECStatus andre@0: CERT_EncodeInhibitAnyExtension(PLArenaPool *arena, andre@0: CERTCertificateInhibitAny *inhibitAny, andre@0: SECItem *dest); andre@0: extern SECStatus andre@0: CERT_EncodePolicyMappingExtension(PLArenaPool *arena, andre@0: CERTCertificatePolicyMappings *maps, andre@0: SECItem *dest); andre@0: andre@0: extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena, andre@0: CERTAuthInfoAccess **info, andre@0: SECItem *dest); andre@0: extern SECStatus andre@0: CERT_EncodeUserNotice(PLArenaPool *arena, andre@0: CERTUserNotice *notice, andre@0: SECItem *dest); andre@0: andre@0: extern SECStatus andre@0: CERT_EncodeDisplayText(PLArenaPool *arena, andre@0: SECItem *text, andre@0: SECItem *dest); andre@0: andre@0: extern SECStatus andre@0: CERT_EncodeCertPoliciesExtension(PLArenaPool *arena, andre@0: CERTPolicyInfo **info, andre@0: SECItem *dest); andre@0: extern SECStatus andre@0: CERT_EncodeNoticeReference(PLArenaPool *arena, andre@0: CERTNoticeReference *reference, andre@0: SECItem *dest); andre@0: andre@0: /* andre@0: * Returns a pointer to a static structure. andre@0: */ andre@0: extern const CERTRevocationFlags* andre@0: CERT_GetPKIXVerifyNistRevocationPolicy(void); andre@0: andre@0: /* andre@0: * Returns a pointer to a static structure. 
andre@0: */ andre@0: extern const CERTRevocationFlags* andre@0: CERT_GetClassicOCSPEnabledSoftFailurePolicy(void); andre@0: andre@0: /* andre@0: * Returns a pointer to a static structure. andre@0: */ andre@0: extern const CERTRevocationFlags* andre@0: CERT_GetClassicOCSPEnabledHardFailurePolicy(void); andre@0: andre@0: /* andre@0: * Returns a pointer to a static structure. andre@0: */ andre@0: extern const CERTRevocationFlags* andre@0: CERT_GetClassicOCSPDisabledPolicy(void); andre@0: andre@0: /* andre@0: * Verify a Cert with libpkix andre@0: * paramsIn control the verification options. If a value isn't specified andre@0: * in paramsIn, it reverts to the application default. andre@0: * paramsOut specifies the parameters the caller would like to get back. andre@0: * the caller may pass NULL, in which case no parameters are returned. andre@0: */ andre@0: extern SECStatus CERT_PKIXVerifyCert( andre@0: CERTCertificate *cert, andre@0: SECCertificateUsage usages, andre@0: CERTValInParam *paramsIn, andre@0: CERTValOutParam *paramsOut, andre@0: void *wincx); andre@0: andre@0: /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate) andre@0: * to use libpkix validation engine. The function should be called ones at andre@0: * application initialization time. andre@0: * Function is not thread safe.*/ andre@0: extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable); andre@0: andre@0: /* The function return PR_TRUE if cert validation should use andre@0: * libpkix cert validation engine. */ andre@0: extern PRBool CERT_GetUsePKIXForValidation(void); andre@0: andre@0: /* andre@0: * Allocate a parameter container of type CERTRevocationFlags, andre@0: * and allocate the inner arrays of the given sizes. andre@0: * To cleanup call CERT_DestroyCERTRevocationFlags. 
andre@0: */ andre@0: extern CERTRevocationFlags * andre@0: CERT_AllocCERTRevocationFlags( andre@0: PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, andre@0: PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods); andre@0: andre@0: /* andre@0: * Destroy the arrays inside flags, andre@0: * and destroy the object pointed to by flags, too. andre@0: */ andre@0: extern void andre@0: CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); andre@0: andre@0: SEC_END_PROTOS andre@0: andre@0: #endif /* _CERT_H_ */