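/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * certt.h - public data structures for the certificate library
 *
 * Everything declared here is public interface. Several structs below
 * note that their layout is frozen for binary compatibility, so new
 * members belong at the end and existing members keep their meaning.
 */
#ifndef _CERTT_H_
#define _CERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secmodt.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "nssilock.h"
#include "prio.h"
#include "prmon.h"

/* Stan data types: defined by the Stan (PKI) layer, opaque to this header */
struct NSSCertificateStr;
struct NSSTrustDomainStr;

/* Non-opaque objects: forward typedefs for the structs laid out below */
typedef struct CERTAVAStr CERTAVA;
typedef struct CERTAttributeStr CERTAttribute;
typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
typedef struct NSSTrustDomainStr CERTCertDBHandle;
typedef struct CERTCertExtensionStr CERTCertExtension;
typedef struct CERTCertKeyStr CERTCertKey;
typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertListNodeStr CERTCertListNode;
typedef struct CERTCertNicknamesStr CERTCertNicknames;
typedef struct CERTCertTrustStr CERTCertTrust;
typedef struct CERTCertificateStr CERTCertificate;
typedef struct CERTCertificateListStr CERTCertificateList;
typedef struct CERTCertificateRequestStr CERTCertificateRequest;
typedef struct CERTCrlStr CERTCrl;
typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
typedef struct CERTCrlEntryStr CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
typedef struct CERTCrlKeyStr CERTCrlKey;
typedef struct CERTCrlNodeStr CERTCrlNode;
typedef struct CERTDERCertsStr CERTDERCerts;
typedef struct CERTDistNamesStr CERTDistNames;
typedef struct CERTGeneralNameStr CERTGeneralName;
typedef struct CERTGeneralNameListStr CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
typedef struct CERTNameStr CERTName;
typedef struct CERTNameConstraintStr CERTNameConstraint;
typedef struct CERTNameConstraintsStr CERTNameConstraints;
typedef struct CERTOKDomainNameStr CERTOKDomainName;
typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr CERTRDN;
typedef struct CERTSignedCrlStr CERTSignedCrl;
typedef struct CERTSignedDataStr CERTSignedData;
typedef struct CERTStatusConfigStr CERTStatusConfig;
typedef struct CERTSubjectListStr CERTSubjectList;
typedef struct CERTSubjectNodeStr CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr CERTValidity;
typedef struct CERTVerifyLogStr CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
typedef struct CRLDistributionPointStr CRLDistributionPoint;

/* CRL extensions type (CRL Number) */
typedef unsigned long CERTCrlNumber;

/*
** An X.500 AVA object: one AttributeTypeAndValue, carried as the
** attribute type (OID) and the attribute value.
*/
struct CERTAVAStr {
    SECItem type;
    SECItem value;
};

/*
** An X.500 RDN object: the AVAs making up one RelativeDistinguishedName.
** NOTE(review): presumably NULL-terminated like the other `**` arrays in
** this header - confirm against the decoder before iterating without a count.
*/
struct CERTRDNStr {
    CERTAVA **avas;
};

/*
** An X.500 name object: the sequence of RDNs making up a Name, plus the
** arena from which the RDN/AVA storage is presumably allocated.
*/
struct CERTNameStr {
    PLArenaPool *arena;
    CERTRDN **rdns;
};

/*
** An X.509 validity object: the still-encoded notBefore/notAfter times.
*/
struct CERTValidityStr {
    PLArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};

/*
 * A serial number and issuer name, which is used as a database key.
 * Both halves are needed: a serial number is only unique per issuer.
 */
struct CERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: `data` is the signed content and `signature` the
** signature over it under `signatureAlgorithm`.
** For certificates, RFC 3280/5280 require this outer algorithm to equal
** the `signature` algorithm carried inside the TBS data; a verifier should
** check that the two agree rather than trust either alone.
*/
struct CERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};

/*
** An X.509 subject-public-key-info object: the key algorithm and the
** encoded public key bits.
*/
struct CERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};

/* A public key together with a challenge string (presumably the SPKAC form) */
struct CERTPublicKeyAndChallengeStr {
    SECItem spki;
    SECItem challenge;
};

/*
 * Trust flags for a certificate, one flag word per trust type (see
 * SECTrustType below). The flag bit values are defined elsewhere.
 */
struct CERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};

/*
 * defined the types of trust that exist
 */
typedef enum SECTrustTypeEnum {
    trustSSL = 0,
    trustEmail = 1,
    trustObjectSigning = 2,
    trustTypeNone = 3
} SECTrustType;

/*
 * Select the flag word of `trust` (a CERTCertTrust *) for trust type
 * `type`. Evaluates to 0 (no flags set) for trustTypeNone or any value
 * outside the enum, so an unknown type reads as "no trust recorded".
 */
#define SEC_GET_TRUST_FLAGS(trust,type) \
    (((type)==trustSSL)?((trust)->sslFlags): \
    (((type)==trustEmail)?((trust)->emailFlags): \
    (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))

/*
** An X.509.3 certificate extension: extnID, the critical flag and the
** extnValue, all still encoded (see the hasUnsupportedCriticalExt bit
** in CERTCertificateStr for critical extensions the library cannot handle).
*/
struct CERTCertExtensionStr {
    SECItem id;
    SECItem critical;
    SECItem value;
};

/* One entry of a CERTSubjectList: doubly linked, identified by cert key */
struct CERTSubjectNodeStr {
    struct CERTSubjectNodeStr *next;
    struct CERTSubjectNodeStr *prev;
    SECItem certKey;
    SECItem keyID;
};

/* All certs sharing one subject name (see CERTCertificateStr.subjectList) */
struct CERTSubjectListStr {
    PLArenaPool *arena;
    int ncerts;
    char *emailAddr;
    CERTSubjectNode *head;
    CERTSubjectNode *tail;    /* do we need tail? */
    void *entry;
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct CERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert. This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time. It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    PLArenaPool *arena;

    /* The following fields are static after the cert has been decoded */
    char *subjectName;
    char *issuerName;
    CERTSignedData signatureWrap;    /* XXX */
    SECItem derCert;                 /* original DER for the cert */
    SECItem derIssuer;               /* DER for issuer name */
    SECItem derSubject;              /* DER for subject name */
    SECItem derPublicKey;            /* DER for the public key */
    SECItem certKey;                 /* database key for this cert */
    SECItem version;
    SECItem serialNumber;
    SECAlgorithmID signature;
    CERTName issuer;
    CERTValidity validity;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem issuerID;
    SECItem subjectID;
    CERTCertExtension **extensions;
    char *emailAddr;
    CERTCertDBHandle *dbhandle;
    SECItem subjectKeyID;            /* x509v3 subject key identifier */
    PRBool keyIDGenerated;           /* was the keyid generated? */
    unsigned int keyUsage;           /* what uses are allowed for this cert */
    unsigned int rawKeyUsage;        /* value of the key usage extension */
    PRBool keyUsagePresent;          /* was the key usage extension present */
    PRUint32 nsCertType;             /* value of the ns cert type extension */
                                     /* must be 32-bit for PR_ATOMIC_SET */

    /* these values can be set by the application to bypass certain checks
     * or to keep the cert in memory for an entire session.
     * Setting timeOK or domainOK suppresses a validation failure for this
     * cert, so they should only be set on an explicit application decision.
     * XXX - need an api to set these
     */
    PRBool keepSession;              /* keep this cert for entire session*/
    PRBool timeOK;                   /* is the bad validity time ok? */
    CERTOKDomainName *domainOK;      /* these domain names are ok */

    /*
     * these values can change when the cert changes state. These state
     * changes include transitions from temp to perm or vice-versa, and
     * changes of trust flags
     */
    PRBool isperm;
    PRBool istemp;
    char *nickname;
    char *dbnickname;
    struct NSSCertificateStr *nssCertificate;    /* This is Stan stuff. */
    CERTCertTrust *trust;

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate. It is a plain int, so NOTE(review): it is
     * presumably guarded by the library's own locking - do not modify it
     * directly from application code.
     */
    int referenceCount;

    /* The subject list is a list of all certs with the same subject name.
     * It can be modified any time a cert is added or deleted from either
     * the in-memory(temporary) or on-disk(permanent) database.
     */
    CERTSubjectList *subjectList;

    /* these belong in the static section, but are here to maintain
     * the structure's integrity
     */
    CERTAuthKeyID *authKeyID;        /* x509v3 authority key identifier */
    PRBool isRoot;                   /* cert is the end of a chain */

    /* these fields are used by client GUI code to keep track of ssl sockets
     * that are blocked waiting on GUI feedback related to this cert.
     * XXX - these should be moved into some sort of application specific
     * data structure. They are only used by the browser right now.
     */
    union {
        void *apointer;              /* was struct SECSocketNode* authsocketlist */
        struct {
            /* NOTE(review): presumably set by the decoder when it meets a
             * critical extension it does not recognise. RFC 3280/5280 require
             * such a cert to be rejected, so verification should honour this
             * bit - confirm in the verifier. */
            unsigned int hasUnsupportedCriticalExt :1;
            /* add any new option bits needed here */
        } bits;
    } options;
    int series;    /* was int authsocketcount; record the series of the pkcs11ID */

    /* This is PKCS #11 stuff. */
    PK11SlotInfo *slot;              /*if this cert came of a token, which is it*/
    CK_OBJECT_HANDLE pkcs11ID;       /*and which object on that token is it */
    PRBool ownSlot;                  /*true if the cert owns the slot reference */
};

/* X.509 version field encodings (v1 is encoded as 0) */
#define SEC_CERTIFICATE_VERSION_1 0    /* default created */
#define SEC_CERTIFICATE_VERSION_2 1    /* v2 */
#define SEC_CERTIFICATE_VERSION_3 2    /* v3 extensions */

#define SEC_CRL_VERSION_1 0            /* default */
#define SEC_CRL_VERSION_2 1            /* v2 extensions */

/*
 * used to identify class of cert in mime stream code
 */
#define SEC_CERT_CLASS_CA 1
#define SEC_CERT_CLASS_SERVER 2
#define SEC_CERT_CLASS_USER 3
#define SEC_CERT_CLASS_EMAIL 4

/* An array of `numcerts` still-encoded certificates */
struct CERTDERCertsStr {
    PLArenaPool *arena;
    int numcerts;
    SECItem *rawCerts;
};

/*
** A PKCS ? Attribute: an attribute type OID plus its set of values.
** XXX this is duplicated through out the code, it *should* be moved
** to a central location. Where would be appropriate?
*/
struct CERTAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};

/*
** A PKCS#10 certificate-request object (the unsigned form)
*/
struct CERTCertificateRequestStr {
    PLArenaPool *arena;
    SECItem version;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    CERTAttribute **attributes;
};
#define SEC_CERTIFICATE_REQUEST_VERSION 0    /* what we *create* */


/*
** A certificate list object: `len` encoded certs in `certs`.
*/
struct CERTCertificateListStr {
    SECItem *certs;
    int len;                  /* number of certs */
    PLArenaPool *arena;
};

/* Node of a CERTCertList. `links` must stay the first member: the
 * CERT_LIST_* macros below cast a PRCList * straight to a node pointer. */
struct CERTCertListNodeStr {
    PRCList links;
    CERTCertificate *cert;
    void *appData;
};

/* Doubly linked list of certs; `list` is the sentinel head */
struct CERTCertListStr {
    PRCList list;
    PLArenaPool *arena;
};

/*
 * Walk a CERTCertList `l` (a CERTCertList *) as:
 *   for (n = CERT_LIST_HEAD(l); !CERT_LIST_END(n, l); n = CERT_LIST_NEXT(n))
 * CERT_LIST_END compares `n` against the sentinel, so the value for which
 * END is true is not a real node and must not be read as one.
 * Arguments are parenthesised so that an expression can be passed
 * without changing precedence.
 */
#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&(l)->list))
#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&(l)->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)(n)->links.next)
#define CERT_LIST_END(n,l) (((void *)(n)) == ((void *)&(l)->list))
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)

/* One revokedCertificates entry of a CRL */
struct CERTCrlEntryStr {
    SECItem serialNumber;
    SECItem revocationDate;
    CERTCertExtension **extensions;
};

/* The unsigned part (TBSCertList) of a CRL */
struct CERTCrlStr {
    PLArenaPool *arena;
    SECItem version;
    SECAlgorithmID signatureAlg;
    SECItem derName;
    CERTName name;
    SECItem lastUpdate;
    SECItem nextUpdate;       /* optional for x.509 CRL; when absent no
                                 freshness bound is encoded in the CRL */
    CERTCrlEntry **entries;
    CERTCertExtension **extensions;
    /* can't add anything there for binary backwards compatibility reasons */
};

/* Database key for a CRL */
struct CERTCrlKeyStr {
    SECItem derName;
    SECItem dummy;    /* The decoder can not skip a primitive,
                         this serves as a place holder for the
                         decoder to finish its task only
                       */
};

/* A decoded CRL together with its signature and database/token state */
struct CERTSignedCrlStr {
    PLArenaPool *arena;
    CERTCrl crl;
    void *reserved1;
    PRBool reserved2;
    PRBool isperm;
    PRBool istemp;
    int referenceCount;
    CERTCertDBHandle *dbhandle;
    CERTSignedData signatureWrap;    /* XXX */
    char *url;
    SECItem *derCrl;
    PK11SlotInfo *slot;
    CK_OBJECT_HANDLE pkcs11ID;
    void *opaque;                    /* do not touch */
};


/* Head of a singly linked list of CRLs */
struct CERTCrlHeadNodeStr {
    PLArenaPool *arena;
    CERTCertDBHandle *dbhandle;
    CERTCrlNode *first;
    CERTCrlNode *last;
};


/* Node of the CRL list headed by CERTCrlHeadNode */
struct CERTCrlNodeStr {
    CERTCrlNode *next;
    int type;
    CERTSignedCrl *crl;
};


/*
 * Array of X.500 Distinguished Names
 */
struct CERTDistNamesStr {
    PLArenaPool *arena;
    int nnames;
    SECItem *names;
    void *head;    /* private */
};


/*
 * Netscape cert type extension bits. Bit numbers follow ASN.1 BIT STRING
 * order (bit 0 is the most significant bit of the first octet), which is
 * why "bit 0" is 0x80.
 */
#define NS_CERT_TYPE_SSL_CLIENT (0x80)           /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER (0x40)           /* bit 1 */
#define NS_CERT_TYPE_EMAIL (0x20)                /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)       /* bit 3 */
#define NS_CERT_TYPE_RESERVED (0x08)             /* bit 4 */
#define NS_CERT_TYPE_SSL_CA (0x04)               /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA (0x02)             /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01)    /* bit 7 */

/* NOTE(review): these sit above the 8-bit extension value, so they look
 * like internal nsCertType flags derived from extended key usage rather
 * than bits that appear on the wire - confirm in the decoder. */
#define EXT_KEY_USAGE_TIME_STAMP (0x8000)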
#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000) andre@0: andre@0: #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \ andre@0: NS_CERT_TYPE_SSL_SERVER | \ andre@0: NS_CERT_TYPE_EMAIL | \ andre@0: NS_CERT_TYPE_OBJECT_SIGNING ) andre@0: andre@0: #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \ andre@0: NS_CERT_TYPE_EMAIL_CA | \ andre@0: NS_CERT_TYPE_OBJECT_SIGNING_CA | \ andre@0: EXT_KEY_USAGE_STATUS_RESPONDER ) andre@0: typedef enum SECCertUsageEnum { andre@0: certUsageSSLClient = 0, andre@0: certUsageSSLServer = 1, andre@0: certUsageSSLServerWithStepUp = 2, andre@0: certUsageSSLCA = 3, andre@0: certUsageEmailSigner = 4, andre@0: certUsageEmailRecipient = 5, andre@0: certUsageObjectSigner = 6, andre@0: certUsageUserCertImport = 7, andre@0: certUsageVerifyCA = 8, andre@0: certUsageProtectedObjectSigner = 9, andre@0: certUsageStatusResponder = 10, andre@0: certUsageAnyCA = 11 andre@0: } SECCertUsage; andre@0: andre@0: typedef PRInt64 SECCertificateUsage; andre@0: andre@0: #define certificateUsageCheckAllUsages (0x0000) andre@0: #define certificateUsageSSLClient (0x0001) andre@0: #define certificateUsageSSLServer (0x0002) andre@0: #define certificateUsageSSLServerWithStepUp (0x0004) andre@0: #define certificateUsageSSLCA (0x0008) andre@0: #define certificateUsageEmailSigner (0x0010) andre@0: #define certificateUsageEmailRecipient (0x0020) andre@0: #define certificateUsageObjectSigner (0x0040) andre@0: #define certificateUsageUserCertImport (0x0080) andre@0: #define certificateUsageVerifyCA (0x0100) andre@0: #define certificateUsageProtectedObjectSigner (0x0200) andre@0: #define certificateUsageStatusResponder (0x0400) andre@0: #define certificateUsageAnyCA (0x0800) andre@0: andre@0: #define certificateUsageHighest certificateUsageAnyCA andre@0: andre@0: /* andre@0: * Does the cert belong to the user, a peer, or a CA. 
andre@0: */ andre@0: typedef enum CERTCertOwnerEnum { andre@0: certOwnerUser = 0, andre@0: certOwnerPeer = 1, andre@0: certOwnerCA = 2 andre@0: } CERTCertOwner; andre@0: andre@0: /* andre@0: * This enum represents the state of validity times of a certificate andre@0: */ andre@0: typedef enum SECCertTimeValidityEnum { andre@0: secCertTimeValid = 0, andre@0: secCertTimeExpired = 1, andre@0: secCertTimeNotValidYet = 2, andre@0: secCertTimeUndetermined = 3 /* validity could not be decoded from the andre@0: cert, most likely because it was NULL */ andre@0: } SECCertTimeValidity; andre@0: andre@0: /* andre@0: * This is used as return status in functions that compare the validity andre@0: * periods of two certificates A and B, currently only andre@0: * CERT_CompareValidityTimes. andre@0: */ andre@0: andre@0: typedef enum CERTCompareValidityStatusEnum andre@0: { andre@0: certValidityUndetermined = 0, /* the function is unable to select one cert andre@0: over another */ andre@0: certValidityChooseB = 1, /* cert B should be preferred */ andre@0: certValidityEqual = 2, /* both certs have the same validity period */ andre@0: certValidityChooseA = 3 /* cert A should be preferred */ andre@0: } CERTCompareValidityStatus; andre@0: andre@0: /* andre@0: * Interface for getting certificate nickname strings out of the database andre@0: */ andre@0: andre@0: /* these are values for the what argument below */ andre@0: #define SEC_CERT_NICKNAMES_ALL 1 andre@0: #define SEC_CERT_NICKNAMES_USER 2 andre@0: #define SEC_CERT_NICKNAMES_SERVER 3 andre@0: #define SEC_CERT_NICKNAMES_CA 4 andre@0: andre@0: struct CERTCertNicknamesStr { andre@0: PLArenaPool *arena; andre@0: void *head; andre@0: int numnicknames; andre@0: char **nicknames; andre@0: int what; andre@0: int totallen; andre@0: }; andre@0: andre@0: struct CERTIssuerAndSNStr { andre@0: SECItem derIssuer; andre@0: CERTName issuer; andre@0: SECItem serialNumber; andre@0: }; andre@0: andre@0: andre@0: /* X.509 v3 Key Usage Extension flags */ 
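/* Bit numbers follow ASN.1 BIT STRING order (bit 0 = MSB of the first octet) */
#define KU_DIGITAL_SIGNATURE (0x80)    /* bit 0 */
#define KU_NON_REPUDIATION (0x40)      /* bit 1 */
#define KU_KEY_ENCIPHERMENT (0x20)     /* bit 2 */
#define KU_DATA_ENCIPHERMENT (0x10)    /* bit 3 */
#define KU_KEY_AGREEMENT (0x08)        /* bit 4 */
#define KU_KEY_CERT_SIGN (0x04)        /* bit 5 */
#define KU_CRL_SIGN (0x02)             /* bit 6 */
#define KU_ENCIPHER_ONLY (0x01)        /* bit 7 */
#define KU_ALL (KU_DIGITAL_SIGNATURE | \
                KU_NON_REPUDIATION | \
                KU_KEY_ENCIPHERMENT | \
                KU_DATA_ENCIPHERMENT | \
                KU_KEY_AGREEMENT | \
                KU_KEY_CERT_SIGN | \
                KU_CRL_SIGN | \
                KU_ENCIPHER_ONLY)

/* This value will not occur in certs. It is used internally for the case
 * when either digital signature or non-repudiation is the correct value.
 */
#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)

/* This value will not occur in certs. It is used internally for the case
 * when the key type is not known ahead of time and either key agreement or
 * key encipherment are the correct value based on key type
 */
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)

/* internal bits that do not match bits in the x509v3 spec, but are used
 * for similar purposes
 */
#define KU_NS_GOVT_APPROVED (0x8000)    /*don't make part of KU_ALL!*/
/*
 * x.509 v3 Basic Constraints Extension
 * If isCA is false, the pathLenConstraint is ignored.
 * Otherwise, the following pathLenConstraint values will apply:
 *    < 0 - there is no limit to the certificate path
 *      0 - CA can issues end-entity certificates only
 *    > 0 - the number of certificates in the certificate path is
 *          limited to this number
 * Verification must honour isCA and pathLenConstraint on every
 * intermediate; a cert with isCA false must never be accepted as an issuer.
 */
#define CERT_UNLIMITED_PATH_CONSTRAINT (-2)    /* parenthesised: negative literal */

struct CERTBasicConstraintsStr {
    PRBool isCA;              /* on if is CA */
    int pathLenConstraint;    /* maximum number of certificates that can be
                                 in the cert path. Only applies to a CA
                                 certificate; otherwise, it's ignored.
                               */
};

/* Maximum length of a certificate chain. NOTE(review): presumably used to
 * cap path building so a hostile chain cannot drive unbounded work -
 * confirm in the chain builder. */
#define CERT_MAX_CERT_CHAIN 20

/* Upper bounds applied to decoded sizes; RFC 3280 caps serial numbers at
 * 20 octets, the DN bound is a local choice */
#define CERT_MAX_SERIAL_NUMBER_BYTES 20    /* from RFC 3280 */
#define CERT_MAX_DN_BYTES 4096             /* arbitrary */

/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension
 * (ASN.1 BIT STRING order again: bit 0 is 0x80) */
#define RF_UNUSED (0x80)                   /* bit 0 */
#define RF_KEY_COMPROMISE (0x40)           /* bit 1 */
#define RF_CA_COMPROMISE (0x20)            /* bit 2 */
#define RF_AFFILIATION_CHANGED (0x10)      /* bit 3 */
#define RF_SUPERSEDED (0x08)               /* bit 4 */
#define RF_CESSATION_OF_OPERATION (0x04)   /* bit 5 */
#define RF_CERTIFICATE_HOLD (0x02)         /* bit 6 */

/* enum for CRL Entry Reason Code; value 7 is unassigned in RFC 3280/5280,
 * hence the gap between 6 and 8 */
typedef enum CERTCRLEntryReasonCodeEnum {
    crlEntryReasonUnspecified = 0,
    crlEntryReasonKeyCompromise = 1,
    crlEntryReasonCaCompromise = 2,
    crlEntryReasonAffiliationChanged = 3,
    crlEntryReasonSuperseded = 4,
    crlEntryReasonCessationOfOperation = 5,
    crlEntryReasoncertificatedHold = 6,
    crlEntryReasonRemoveFromCRL = 8,
    crlEntryReasonPrivilegeWithdrawn = 9,
    crlEntryReasonAaCompromise = 10
} CERTCRLEntryReasonCode;

/* If we needed to extract the general name field, use this
 */
/* General Name types: each value is the GeneralName CHOICE tag plus one */
typedef enum CERTGeneralNameTypeEnum {
    certOtherName = 1,
    certRFC822Name = 2,
    certDNSName = 3,
    certX400Address = 4,
    certDirectoryName = 5,
    certEDIPartyName = 6,
    certURI = 7,
    certIPAddress = 8,
    certRegisterID = 9
} CERTGeneralNameType;


/* The otherName form of a GeneralName: a type OID and its value */
typedef struct OtherNameStr {
    SECItem name;
    SECItem oid;
}OtherName;



/* One GeneralName; `type` selects which member of the `name` union is live */
struct CERTGeneralNameStr {
    CERTGeneralNameType type;    /* name type */
    union {
        CERTName directoryName;  /* distinguished name */
        OtherName OthName;       /* Other Name */
        SECItem other;           /* the rest of the name forms */
    }name;
    SECItem derDirectoryName;    /* this is saved to simplify directory name
                                    comparison */
    PRCList l;
};

/* Reference-counted list of GeneralNames. NOTE(review): `lock` presumably
 * guards refCount - confirm before touching either directly. */
struct CERTGeneralNameListStr {
    PLArenaPool *arena;
    CERTGeneralName *name;
    int refCount;
    int len;
    PZLock *lock;
};

/* One GeneralSubtree of the Name Constraints extension */
struct CERTNameConstraintStr {
    CERTGeneralName name;
    SECItem DERName;
    SECItem min;
    SECItem max;
    PRCList l;
};


/* Decoded Name Constraints extension. Field names keep their historical
 * spelling; renaming them would break callers. */
struct CERTNameConstraintsStr {
    CERTNameConstraint *permited;
    CERTNameConstraint *excluded;
    SECItem **DERPermited;
    SECItem **DERExcluded;
};


/* Private Key Usage Period extension struct. */
struct CERTPrivKeyUsagePeriodStr {
    SECItem notBefore;
    SECItem notAfter;
    PLArenaPool *arena;
};

/* X.509 v3 Authority Key Identifier extension. For the authority certificate
   issuer field, we only support URI now.
 */
struct CERTAuthKeyIDStr {
    SECItem keyID;                      /* unique key identifier */
    CERTGeneralName *authCertIssuer;    /* CA's issuer name. End with a NULL */
    SECItem authCertSerialNumber;       /* CA's certificate serial number */
    SECItem **DERAuthCertIssuer;        /* This holds the DER encoded format of
                                           the authCertIssuer field. It is used
                                           by the encoding engine. It should be
                                           used as a read only field by the caller.
                                         */
};

/* x.509 v3 CRL Distribution Point */

/*
 * defined the types of CRL Distribution points
 */
typedef enum DistributionPointTypesEnum {
    generalName = 1,    /* only support this for now */
    relativeDistinguishedName = 2
} DistributionPointTypes;

/* One DistributionPoint; `distPointType` selects the live `distPoint` member */
struct CRLDistributionPointStr {
    DistributionPointTypes distPointType;
    union {
        CERTGeneralName *fullName;
        CERTRDN relativeName;
    } distPoint;
    SECItem reasons;
    CERTGeneralName *crlIssuer;

    /* Reserved for internal use only*/
    SECItem derDistPoint;
    SECItem derRelativeName;
    SECItem **derCrlIssuer;
    SECItem **derFullName;
    SECItem bitsmap;
};

/* Decoded CRL Distribution Points extension */
struct CERTCrlDistributionPointsStr {
    CRLDistributionPoint **distPoints;
};

/*
 * This structure is used to keep a log of errors when verifying
 * a cert chain. This allows multiple errors to be reported all at
 * once.
 */
struct CERTVerifyLogNodeStr {
    CERTCertificate *cert;                /* what cert had the error */
    long error;                           /* what error was it? */
    unsigned int depth;                   /* how far up the chain are we */
    void *arg;                            /* error specific argument */
    struct CERTVerifyLogNodeStr *next;    /* next in the list */
    struct CERTVerifyLogNodeStr *prev;    /* previous in the list */
};


/* Log of `count` verification errors, linked through the nodes above */
struct CERTVerifyLogStr {
    PLArenaPool *arena;
    unsigned int count;
    struct CERTVerifyLogNodeStr *head;
    struct CERTVerifyLogNodeStr *tail;
};


/* A domain name the application has approved for a cert (see
 * CERTCertificateStr.domainOK). `name` is the pre-C99 "struct hack": the
 * object is allocated larger than the struct so the string runs past
 * name[1]; changing it to a flexible array member would alter the public
 * layout, so it stays as is. */
struct CERTOKDomainNameStr {
    CERTOKDomainName *next;
    char name[1];    /* actual length may be longer. */
};


/* Status-checking callback (presumably revocation status); `time` is the
 * instant the check is evaluated at and `pwArg` is passed through to the
 * token password callback */
typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
                                                     CERTCertificate *cert,
                                                     PRTime time,
                                                     void *pwArg);

typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);

struct CERTStatusConfigStr {
    CERTStatusChecker statusChecker;    /* NULL means no checking enabled */
    CERTStatusDestroy statusDestroy;    /* enabled or no, will clean up */
    void *statusContext;                /* cx specific to checking protocol */
};

/* One AccessDescription of the Authority Information Access extension */
struct CERTAuthInfoAccessStr {
    SECItem method;
    SECItem derLocation;
    CERTGeneralName *location;    /* decoded location */
};


/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number.
 * NOTE(review): ownership of the returned string is not stated here -
 * check the caller before freeing it. */
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);

/*
 * types of cert packages that we can decode
 */
typedef enum CERTPackageTypeEnum {
    certPackageNone = 0,
    certPackageCert = 1,
    certPackagePKCS7 = 2,
    certPackageNSCertSeq = 3,
    certPackageNSCertWrap = 4
} CERTPackageType;

/*
 * these types are for the PKIX Certificate Policies extension
 */
typedef struct {
    SECOidTag oid;
    SECItem qualifierID;
    SECItem qualifierValue;
} CERTPolicyQualifier;

typedef struct {
    SECOidTag oid;
    SECItem policyID;
    CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;

typedef struct {
    PLArenaPool *arena;
    CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;

typedef struct {
    SECItem organization;
    SECItem **noticeNumbers;
} CERTNoticeReference;

typedef struct {
    PLArenaPool *arena;
    CERTNoticeReference noticeReference;
    SECItem derNoticeReference;
    SECItem displayText;
} CERTUserNotice;

typedef struct {
    PLArenaPool *arena;
    SECItem **oids;
} CERTOidSequence;

/*
 * these types are for the PKIX Policy Mappings extension
 */
typedef struct {
    SECItem issuerDomainPolicy;
    SECItem subjectDomainPolicy;
} CERTPolicyMap;

typedef struct {
    PLArenaPool *arena;
    CERTPolicyMap **policyMaps;
} CERTCertificatePolicyMappings;

/*
 * these types are for the PKIX inhibitAnyPolicy extension
 */
typedef struct {
    SECItem inhibitAnySkipCerts;
} CERTCertificateInhibitAny;

/*
 * these types are for the PKIX Policy Constraints extension
 */
typedef struct {
    SECItem explicitPolicySkipCerts;
    SECItem inhibitMappingSkipCerts;
} CERTCertificatePolicyConstraints;

/*
 * These types are for the validate chain callback param.
 *
 * CERTChainVerifyCallback is an application-supplied callback that can be used
 * to augment libpkix's certificate chain validation with additional
 * application-specific checks. It may be called multiple times if there are
 * multiple potentially-valid paths for the certificate being validated. This
 * callback is called before revocation checking is done on the certificates in
 * the given chain.
 *
 * - isValidChainArg contains the application-provided opaque argument
 * - currentChain is the currently validated chain. It is ordered with the leaf
 *   certificate at the head and the trust anchor at the tail.
 *
 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
 * return SECSuccess if the chain is unacceptable, to indicate that the given
 * chain is bad and path building should continue. It should return SECFailure
 * to indicate a fatal error that will cause path validation to fail
 * immediately. Because the chain has not yet been revocation-checked when
 * this runs, the callback must not treat its members as final.
 */
typedef SECStatus (*CERTChainVerifyCallbackFunc)
    (void *isChainValidArg,
     const CERTCertList *currentChain,
     PRBool *chainOK);

/*
 * Note: If extending this structure, it will be necessary to change the
 * associated CERTValParamInType
 */
typedef struct {
    CERTChainVerifyCallbackFunc isChainValid;
    void *isChainValidArg;
} CERTChainVerifyCallback;

/*
 * these types are for the CERT_PKIX* Verification functions
 * These are all optional parameters.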
*/

typedef enum {
    cert_pi_end = 0,          /* SPECIAL: signifies end of array of
                               * CERTValParam* */
    cert_pi_nbioContext = 1,  /* specify a non-blocking IO context used to
                               * resume a session. If this argument is
                               * specified, no other arguments should be.
                               * Specified in value.pointer.p. If the
                               * operation completes the context will be
                               * freed. */
    cert_pi_nbioAbort = 2,    /* specify a non-blocking IO context for an
                               * existing operation which the caller wants
                               * to abort. If this argument is
                               * specified, no other arguments should be.
                               * Specified in value.pointer.p. If the
                               * operation succeeds the context will be
                               * freed. */
    cert_pi_certList = 3,     /* specify the chain to validate against. If
                               * this value is given, then the path
                               * construction step in the validation is
                               * skipped. Specified in value.pointer.chain.
                               * NOTE(review): the required ordering of the
                               * supplied list is not stated here; the chain
                               * callback sees leaf-first -- confirm the same
                               * is expected for this input. */
    cert_pi_policyOID = 4,    /* validate certificate for policy OID.
                               * Specified in value.array.oids. Cert must
                               * be good for at least one OID in order
                               * to validate. Default is that the user is not
                               * concerned about certificate policy. */
    cert_pi_policyFlags = 5,  /* flags for each policy specified in policyOID.
                               * Specified in value.scalar.ul. Policy flags
                               * apply to all specified oids.
                               * Use CERT_POLICY_FLAG_* macros below. If not
                               * specified policy flags default to 0 */
    cert_pi_keyusage = 6,     /* specify what the keyusages the certificate
                               * will be evaluated against, specified in
                               * value.scalar.ui. The cert must validate for
                               * at least one of the specified key usages.
                               * Values match the KU_ bit flags defined
                               * in this file. Default is derived from
                               * the 'usages' function argument */
    cert_pi_extendedKeyusage = 7, /* specify what the required extended key
                                   * usage of the certificate. Specified as
                                   * an array of oidTags in value.array.oids.
                                   * The cert must validate for at least one
                                   * of the specified extended key usages.
                                   * If not specified, no extended key usages
                                   * will be checked -- a caller that needs a
                                   * particular EKU must ask for it here. */
    cert_pi_date = 8,         /* validate certificate is valid as of date
                               * specified in value.scalar.time. A special
                               * value '0' indicates 'now'. default is '0' */
    cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
                                  * See the CERT_REV_M_* and CERT_REV_MI_*
                                  * macros and CERTRevocationFlags below.
                                  * Set in value.pointer.revocation */
    cert_pi_certStores = 10,  /* Bitmask of Cert Store flags
                               * (CERT_ENABLE_*_FETCH, see below)
                               * Set in value.scalar.ui */
    cert_pi_trustAnchors = 11, /* Specify the list of trusted roots to
                                * validate against.
                                * The default set of trusted roots, these are
                                * root CA certs from libnssckbi.so or CA
                                * certs trusted by user, are used in any of
                                * the following cases:
                                * * when the parameter is not set.
                                * * when the list of trust anchors is empty.
                                * So an EMPTY list is not a "trust nothing"
                                * configuration; a closed trust set needs a
                                * non-empty list here (together with the
                                * default of cert_pi_useOnlyTrustAnchors).
                                * Note that this handling can be further altered by altering the
                                * cert_pi_useOnlyTrustAnchors flag
                                * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
                                   * In NSS 3.12.1 or later. Default is off.
                                   * Implies outbound network requests to URLs
                                   * found in the certificates under
                                   * validation; leave off in offline or
                                   * hardened configurations.
                                   * Value is in value.scalar.b */
    cert_pi_chainVerifyCallback = 13,
                                  /* The callback container for doing extra
                                   * validation on the currently calculated chain.
                                   * Value is in value.pointer.chainVerifyCallback */
    cert_pi_useOnlyTrustAnchors = 14, /* If true, disables trusting any
                                       * certificates other than the ones passed in via cert_pi_trustAnchors.
                                       * If false, then the certificates specified via cert_pi_trustAnchors
                                       * will be combined with the pre-existing trusted roots, but only for
                                       * the certificate validation being performed.
                                       * If no value has been supplied via cert_pi_trustAnchors, this has no
                                       * effect.
                                       * The default value is true, meaning if this is not supplied, only
                                       * trust anchors supplied via cert_pi_trustAnchors are trusted.
                                       * Specified in value.scalar.b */
    cert_pi_max               /* SPECIAL: signifies maximum allowed value,
                               * can increase in future releases */
} CERTValParamInType;

/*
 * for all out parameters:
 * out parameters are only returned if the caller asks for them in
 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
 * array itself. The pkix verify function will allocate any other arrays,
 * pointers, or objects it returns; the caller is responsible for freeing
 * those results.
 * If SECWouldBlock is returned, only cert_po_nbioContext is returned.
 */
typedef enum {
    cert_po_end = 0,          /* SPECIAL: signifies end of array of
                               * CERTValParam* */
    cert_po_nbioContext = 1,  /* Return a nonblocking context. If no
                               * non-blocking context is specified, then
                               * blocking IO will be used.
                               * Returned in value.pointer.p. The context is
                               * freed after an abort or a complete operation.
                               * This value is only returned on SECWouldBlock.
                               */
    cert_po_trustAnchor = 2,  /* Return the trust anchor for the chain that
                               * was validated. Returned in
                               * value.pointer.cert, this value is only
                               * returned on SECSuccess. */
    cert_po_certList = 3,     /* Return the entire chain that was validated.
                               * Returned in value.pointer.chain (the
                               * CERTCertList member; CERTValParamOutValue
                               * has no member named "certList"). If no
                               * chain could be constructed, this value
                               * would be NULL. */
    cert_po_policyOID = 4,    /* Return the policies that were found to be
                               * valid. Returned in value.array.oids as an
                               * array. This is only returned on
                               * SECSuccess. */
    cert_po_errorLog = 5,     /* Return a log of problems with the chain.
                               * Returned in value.pointer.log */
    cert_po_usages = 6,       /* Return what usages the certificate is valid
                               * for. Returned in value.scalar.usages */
    cert_po_keyUsage = 7,     /* Return what key usages the certificate
                               * is valid for.
                               * NOTE(review): the original comment said
                               * "value.scalar.usage", but CERTValParamOutValue
                               * has no member of that name (only ui and
                               * usages) -- confirm which one is written. */
    cert_po_extendedKeyusage = 8, /* Return what extended key usages the
                                   * certificate is valid for.
                                   * Returned in value.array.oids */
    cert_po_max               /* SPECIAL: signifies maximum allowed value,
                               * can increase in future releases */

} CERTValParamOutType;

/*
 * Index of a revocation method in CERTRevocationTests.cert_rev_flags_per_method
 * (and the values used in CERTRevocationTests.preferred_methods).
 * cert_revocation_method_count is the number of methods this header knows.
 */
typedef enum {
    cert_revocation_method_crl = 0,
    cert_revocation_method_ocsp,
    cert_revocation_method_count
} CERTRevocationMethodIndex;


/*
 * The following flags are supposed to be used to control bits in
 * each integer contained in the array pointed to by:
 *     CERTRevocationTests.cert_rev_flags_per_method
 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
 * this is a method dependent flag.
 *
 * Each CERT_REV_M_* option below is a pair whose 0UL member is what a caller
 * gets by leaving the bit clear. Note which way those zero defaults lean:
 * once a method is enabled with TEST_USING_THIS_METHOD, the cleared bits
 * mean "network fetching allowed", "skip the test when no source is known",
 * "treat missing fresh info as status unknown, not revoked" and "stop after
 * the first method that yields fresh info". A caller that wants hard-fail
 * revocation checking must OR in the non-zero flags explicitly.
 */

/*
 * Whether or not to use a method for revocation testing.
 * If set to "do not test", then all other flags are ignored.
 * A flags word of 0 therefore disables the method entirely.
 */
#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL

/*
 * Whether or not NSS is allowed to attempt to fetch fresh information
 * from the network.
 * (Although fetching will never happen if fresh information for the
 * method is already locally available.)
*/
#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL

/*
 * Example for an implicit default source:
 * The globally configured default OCSP responder.
 * IGNORE means:
 *   ignore the implicit default source, whether it's configured or not.
 * ALLOW means:
 *   if an implicit default source is configured,
 *   then it overrides any available or missing source in the cert.
 *   if no implicit default source is configured,
 *   then we continue to use what's available (or not available)
 *   in the certs.
 * Security note: under ALLOW (the 0UL default) a configured default
 * responder overrides the responder named in the certificate, so whoever
 * controls that configuration takes part in the revocation decision.
 */
#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL

/*
 * Defines the behavior if no fresh information is available,
 * fetching from the network is allowed, but the source of revocation
 * information is unknown (even after considering implicit sources,
 * if allowed by other flags).
 * SKIP_TEST means:
 *   We ignore that no fresh information is available and
 *   skip this test.
 * REQUIRE_INFO means:
 *   We still require that fresh information is available.
 *   Other flags define what happens on missing fresh info.
 * With SKIP_TEST (the 0UL default) a certificate for which this method has
 * no known source is simply not revocation-checked by this method.
 */
#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL

/*
 * Defines the behavior if we are unable to obtain fresh information.
 * IGNORE means:
 *   Return "cert status unknown"
 * FAIL means:
 *   Return "cert revoked".
*/
/* IGNORE (0UL) is the soft-fail choice; FAIL is the hard-fail choice. */
#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL

/*
 * What should happen if we were able to find fresh information using
 * this method, and the data indicated the cert is good?
 * STOP_TESTING means:
 *   Our success is sufficient, do not continue testing
 *   other methods.
 * CONTINUE_TESTING means:
 *   We will continue and test the next allowed
 *   specified method.
 */
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL

/* When this flag is used, libpkix will never attempt to use the GET HTTP
 * method for OCSP requests; it will always use POST.
 * Unlike the pairs above this flag has no 0UL counterpart: with the bit
 * clear (the default) GET may be used. An OCSP GET carries the request in
 * the URL, where it is visible to proxies and caches and typically logged;
 * set this flag when that matters.
 */
#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL

/*
 * The following flags are supposed to be used to control bits in
 *     CERTRevocationTests.cert_rev_method_independent_flags
 * All Flags are prefixed by CERT_REV_MI_, where _MI_ indicates
 * this is a method independent flag.
 * Do not mix the two families: the numeric values overlap (both use 1UL
 * and 2UL), so a CERT_REV_M_* flag placed in this word, or vice versa, is
 * silently read as a different option.
 */

/*
 * This defines the order of checking.
 * EACH_METHOD_SEPARATELY means:
 *   Do all tests related to a particular allowed method
 *   (both local information and network fetching) in a single step.
 *   Only after testing for a particular method is done,
 *   then switching to the next method will happen.
 * ALL_LOCAL_INFORMATION_FIRST means:
 *   Start by testing the information for all allowed methods
 *   which are already locally available. Only after that is done
 *   consider to fetch from the network (as allowed by other flags).
*/
#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL

/*
 * Use this flag to specify that it's necessary that fresh information
 * is available for at least one of the allowed methods, but it's
 * irrelevant which of the mechanisms succeeded.
 * NO_OVERALL_INFO_REQUIREMENT means:
 *   We strictly follow the requirements for each individual method.
 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
 *   After the individual tests have been executed, we must have
 *   been able to find fresh information using at least one method.
 *   If we were unable to find fresh info, it's a failure.
 *   This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
 *   flag on all methods.
 */
#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL


/*
 * Revocation policy for one position in the chain (see CERTRevocationFlags).
 * The arrays referenced from here are supplied, and presumably owned, by
 * the caller.
 */
typedef struct {
    /*
     * The size of the array that cert_rev_flags_per_method points to,
     * meaning, the number of methods that are known and defined
     * by the caller.
     * It must not exceed the number of elements actually allocated behind
     * cert_rev_flags_per_method: it is the only bound the library is given
     * for that array (NOTE(review): presumably also the only one it checks
     * -- verify in the libpkix glue).
     */
    PRUint32 number_of_defined_methods;

    /*
     * A pointer to an array of integers.
     * Each integer defines revocation checking for a single method,
     * by having individual CERT_REV_M_* bits set or not set.
     * The meaning of index numbers into this array are defined by
     * enum CERTRevocationMethodIndex
     * The size of the array must be specified by the caller in the separate
     * variable number_of_defined_methods.
     * The size of the array may be smaller than
     * cert_revocation_method_count, it can happen if a caller
     * is not yet aware of the latest revocation methods
     * (or does not want to use them).
     * A zero entry is CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD, so a
     * zeroed array disables revocation checking altogether.
     */
    PRUint64 *cert_rev_flags_per_method;

    /*
     * How many preferred methods are specified?
     * This is equivalent to the size of the array that
     * preferred_methods points to.
     * It's allowed to set this value to zero,
     * then NSS will decide which methods to prefer.
     */
    PRUint32 number_of_preferred_methods;

    /* Array that may specify an optional order of preferred methods.
     * Each array entry shall contain a method identifier as defined
     * by CERTRevocationMethodIndex.
     * The entry at index [0] specifies the method with highest preference.
     * These methods will be tested first for locally available information.
     * Methods allowed for downloading will be attempted in the same order.
     */
    CERTRevocationMethodIndex *preferred_methods;

    /*
     * An integer which defines certain aspects of revocation checking
     * (independent of individual methods) by having individual
     * CERT_REV_MI_* bits set or not set.
     */
    PRUint64 cert_rev_method_independent_flags;
} CERTRevocationTests;

/*
 * Revocation policy for a whole verification, passed via
 * cert_pi_revocationFlags (value.pointer.revocation). By name, leafTests is
 * the policy for the end-entity certificate and chainTests the policy for
 * the rest of the path.
 */
typedef struct {
    CERTRevocationTests leafTests;
    CERTRevocationTests chainTests;
} CERTRevocationFlags;

/*
 * Value slot of a CERTValInParam. Which member is meaningful is dictated by
 * the CERTValParamInType (see the "Specified in value.xxx" note on each
 * cert_pi_* entry); arraySize is the element count of value.array.* when
 * an array member is used. All pointer members are const-qualified: the
 * verifier reads through them and the caller keeps them alive for the call
 * (for non-blocking use presumably until the operation completes or is
 * aborted -- confirm).
 */
typedef struct CERTValParamInValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        PRTime time;
    } scalar;
    union {
        const void* p;
        const char* s;
        const CERTCertificate* cert;
        const CERTCertList *chain;
        const CERTRevocationFlags *revocation;
        const CERTChainVerifyCallback *chainVerifyCallback;
    } pointer;
    union {
        const PRInt32 *pi;
        const PRUint32 *pui;
        const PRInt64 *pl;
        const PRUint64 *pul;
        const SECOidTag *oids;
    } array;
    int arraySize;   /* element count for value.array.*; note it is signed */
} CERTValParamInValue;


/*
 * Value slot of a CERTValOutParam, filled in by the verifier according to
 * the CERTValParamOutType. Per the note above CERTValParamOutType, arrays,
 * pointers and objects returned here are allocated by the verifier and
 * must be freed by the caller.
 */
typedef struct CERTValParamOutValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        SECCertificateUsage usages;
    } scalar;
    union {
        void* p;
        char* s;
        CERTVerifyLog *log;
        CERTCertificate* cert;
        CERTCertList *chain;
    } pointer;
    union {
        void *p;
        SECOidTag *oids;
    } array;
    int arraySize;   /* element count for value.array.* */
} CERTValParamOutValue;

/* One entry of the cert_pi_end-terminated input parameter array. */
typedef struct {
    CERTValParamInType type;
    CERTValParamInValue value;
} CERTValInParam;

/* One entry of the cert_po_end-terminated output parameter array. */
typedef struct {
    CERTValParamOutType type;
    CERTValParamOutValue value;
} CERTValOutParam;

/*
 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
 */
typedef enum CertStrictnessLevels {
    CERT_N2A_READABLE   =  0, /* maximum human readability */
    CERT_N2A_STRICT     = 10, /* strict RFC compliance */
    CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
                                 all DirectoryStrings encoded in hex */
} CertStrictnessLevel;

/*
 * policy flag defines (for cert_pi_policyFlags, value.scalar.ul)
 * NOTE(review): by name these look like the RFC 5280 6.1.1 initial inputs
 * initial-policy-mapping-inhibit / initial-explicit-policy /
 * initial-any-policy-inhibit -- confirm in the libpkix glue before
 * relying on that reading.
 */
#define CERT_POLICY_FLAG_NO_MAPPING 1
#define CERT_POLICY_FLAG_EXPLICIT 2
#define CERT_POLICY_FLAG_NO_ANY 4

/*
 * CertStore flags (for cert_pi_certStores, value.scalar.ui).
 * By name these enable fetching certificates over LDAP / HTTP, i.e.
 * network access driven by data in the certificates being validated
 * (presumably during path building -- confirm); keep them off unless that
 * is intended.
 */
#define CERT_ENABLE_LDAP_FETCH 1
#define CERT_ENABLE_HTTP_FETCH 2

/* This function pointer type may be used for any function that takes
 * a CERTCertificate * and returns an allocated string, which must be
 * freed by a call to PORT_Free.
 */
typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);

/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h" /* way down here because I expect template stuff to
                       * move out of here anyway */

SEC_BEGIN_PROTOS

/* ASN.1 templates for certificates, CRLs and the structures they contain. */
extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];

extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];

/*
** XXX should the attribute stuff be centralized for all of ns/security?
*/
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];

/* These functions simply return the address of the above-declared templates.
** This is necessary for Windows DLLs.  Sigh.
*/
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)

SEC_END_PROTOS

#endif /* _CERTT_H_ */