andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public
andre@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
andre@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
andre@0: /*
andre@0:  * certt.h - public data structures for the certificate library
andre@0:  */
andre@0: #ifndef _CERTT_H_
andre@0: #define _CERTT_H_
andre@0: 
andre@0: #include "prclist.h"
andre@0: #include "pkcs11t.h"
andre@0: #include "seccomon.h"
andre@0: #include "secmodt.h"
andre@0: #include "secoidt.h"
andre@0: #include "plarena.h"
andre@0: #include "prcvar.h"
andre@0: #include "nssilock.h"
andre@0: #include "prio.h"
andre@0: #include "prmon.h"
andre@0: 
/* Stan data types: opaque types from the newer ("Stan") NSS PKI layer.
 * Only pointers to them appear in this header, so forward declarations
 * suffice; their definitions live elsewhere. */
struct NSSCertificateStr;
struct NSSTrustDomainStr;
andre@0: 
/* Non-opaque objects: typedef aliases for every public struct defined in
 * this header (kept in alphabetical order).  Applications reach into these
 * structs directly, which is why their layouts are part of the binary
 * interface and must not be reordered (see the note in CERTCrlStr). */
typedef struct CERTAVAStr                        CERTAVA;
typedef struct CERTAttributeStr                  CERTAttribute;
typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
/* A "cert DB handle" is really the Stan trust domain (forward-declared
 * above); the legacy name is kept for source compatibility. */
typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
typedef struct CERTCertExtensionStr              CERTCertExtension;
typedef struct CERTCertKeyStr                    CERTCertKey;
typedef struct CERTCertListStr                   CERTCertList;
typedef struct CERTCertListNodeStr               CERTCertListNode;
typedef struct CERTCertNicknamesStr              CERTCertNicknames;
typedef struct CERTCertTrustStr                  CERTCertTrust;
typedef struct CERTCertificateStr                CERTCertificate;
typedef struct CERTCertificateListStr            CERTCertificateList;
typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
typedef struct CERTCrlStr                        CERTCrl;
typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
typedef struct CERTCrlEntryStr                   CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
typedef struct CERTCrlKeyStr                     CERTCrlKey;
typedef struct CERTCrlNodeStr                    CERTCrlNode;
typedef struct CERTDERCertsStr                   CERTDERCerts;
typedef struct CERTDistNamesStr                  CERTDistNames;
typedef struct CERTGeneralNameStr                CERTGeneralName;
typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
typedef struct CERTNameStr                       CERTName;
typedef struct CERTNameConstraintStr             CERTNameConstraint;
typedef struct CERTNameConstraintsStr            CERTNameConstraints;
typedef struct CERTOKDomainNameStr               CERTOKDomainName;
typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr                        CERTRDN;
typedef struct CERTSignedCrlStr                  CERTSignedCrl;
typedef struct CERTSignedDataStr                 CERTSignedData;
typedef struct CERTStatusConfigStr               CERTStatusConfig;
typedef struct CERTSubjectListStr                CERTSubjectList;
typedef struct CERTSubjectNodeStr                CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr                   CERTValidity;
typedef struct CERTVerifyLogStr                  CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
typedef struct CRLDistributionPointStr           CRLDistributionPoint;
andre@0: 
/* CRL extensions type: decoded value of the cRLNumber CRL extension.
 * NOTE(review): an unsigned long cannot represent every value the ASN.1
 * INTEGER allows (CRL numbers may be up to 20 octets); how oversized
 * numbers are handled by the decoder is not visible in this header. */
typedef unsigned long CERTCrlNumber;
andre@0: 
/*
** An X.500 AVA (AttributeTypeAndValue): one `type = value` pair inside an
** RDN.  `type` holds the attribute type (an OID) and `value` the encoded
** attribute value.  The value's ASN.1 string type is not fixed here, so
** consumers must inspect the tag before treating it as text.
*/
struct CERTAVAStr {
    SECItem type;
    SECItem value;
};
andre@0: 
/*
** An X.500 RDN (RelativeDistinguishedName): the set of AVAs at one level
** of a name.  `avas` is an array of AVA pointers; by the convention used
** for `**` arrays elsewhere in this header it is NULL-terminated (confirm
** against the decoder before relying on it).  Multi-AVA RDNs are legal
** and comparison code must treat them as unordered sets.
*/
struct CERTRDNStr {
    CERTAVA **avas;
};
andre@0: 
/*
** An X.500 name object (a DistinguishedName): a sequence of RDNs, most
** significant first.  `arena` owns every RDN and AVA reachable from
** `rdns`, so the whole name is freed as one unit.  `rdns` is presumably
** NULL-terminated like the other `**` arrays in this header.
*/
struct CERTNameStr {
    PLArenaPool *arena;
    CERTRDN **rdns;
};
andre@0: 
/*
** An X.509 validity object: the encoded notBefore/notAfter times of a
** certificate.  Both are kept as raw items (UTCTime or GeneralizedTime,
** the tag is not fixed here) and are decoded to a PRTime by callers.
** `arena` owns the two items.
*/
struct CERTValidityStr {
    PLArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};
andre@0: 
/*
 * A serial number and issuer name, which is used as a database key.
 * The pair identifies a certificate only as long as an issuer never reuses
 * a serial number (RFC 5280 requires uniqueness per issuer); two distinct
 * CAs with the same DER issuer name would collide on this key.
 */
struct CERTCertKeyStr {
    SECItem serialNumber;   /* encoded serial number, as it appears in the cert */
    SECItem derIssuer;      /* DER encoding of the issuer name */
};
andre@0: 
/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs.
**
** `data` is the exact to-be-signed encoding (for a certificate, the
** tbsCertificate bytes); a signature must be verified over these bytes
** as encoded, never over a re-serialised copy.  `signatureAlgorithm` is
** the outer algorithm identifier; RFC 5280 (4.1.1.2) expects it to match
** the algorithm inside the signed structure, and a verifier should check
** that rather than trust the outer one alone.  `signature` is the
** BIT STRING value; in NSS a SECItem holding a BIT STRING may carry its
** length in bits rather than bytes -- confirm against the decoder.
*/
struct CERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};
andre@0: 
/*
** An X.509 subject-public-key-info object: the key algorithm (with its
** parameters) and the encoded public key.  `arena` owns both.  Note that
** `algorithm` is what tells a consumer how to interpret `subjectPublicKey`;
** code that decodes the key must not assume a key type from context.
*/
struct CERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;   /* BIT STRING; length unit as for CERTSignedData.signature */
};
andre@0: 
/* The PublicKeyAndChallenge half of a SignedPublicKeyAndChallenge (the
 * legacy <keygen> request format): an encoded SubjectPublicKeyInfo plus the
 * challenge string the server supplied.  The signature that proves key
 * possession is carried outside this struct (presumably as CERTSignedData). */
struct CERTPublicKeyAndChallengeStr {
    SECItem spki;
    SECItem challenge;
};
andre@0: 
/* Locally configured trust for a certificate, one flag word per trust
 * category (see SECTrustType).  The bit values stored in these words are
 * defined elsewhere (CERTDB_* in another header), not here.  These flags
 * are policy set by the user or application, not anything found in the
 * certificate itself. */
struct CERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};
andre@0: 
/*
 * Selects one of the three trust-flag words in CERTCertTrust.
 * trustTypeNone means "no category"; SEC_GET_TRUST_FLAGS yields 0 for it.
 */
typedef enum SECTrustTypeEnum {
    trustSSL = 0,
    trustEmail = 1,
    trustObjectSigning = 2,
    trustTypeNone = 3
} SECTrustType;

/*
 * Fetch the flag word of `trust` (a CERTCertTrust *, or any struct with
 * sslFlags/emailFlags/objectSigningFlags members) for the category `type`.
 * Any other category, including trustTypeNone, evaluates to 0.
 * `type` is evaluated up to three times, so pass a side-effect-free
 * expression.  The expression has type unsigned int.
 */
#define SEC_GET_TRUST_FLAGS(trust, type)                                   \
    ((type) == trustSSL           ? (trust)->sslFlags :                    \
     (type) == trustEmail         ? (trust)->emailFlags :                  \
     (type) == trustObjectSigning ? (trust)->objectSigningFlags : 0)
andre@0: 
/*
** An X.509.3 certificate extension, as decoded from the Extension SEQUENCE.
** `id` is the extension OID, `critical` the encoded BOOLEAN (presumably
** empty when the field was omitted, i.e. not critical), `value` the contents
** of the OCTET STRING that wraps the extension-specific encoding.
** A critical extension the library does not understand must cause the
** certificate to be rejected (RFC 5280, 4.2); see
** CERTCertificate.options.bits.hasUnsupportedCriticalExt.
*/
struct CERTCertExtensionStr {
    SECItem id;
    SECItem critical;
    SECItem value;
};
andre@0: 
/* One entry of a CERTSubjectList: a doubly linked node naming a certificate
 * (by its database key, see CERTCertKey) and its key identifier. */
struct CERTSubjectNodeStr {
    struct CERTSubjectNodeStr *next;
    struct CERTSubjectNodeStr *prev;
    SECItem certKey;    /* database key of the certificate */
    SECItem keyID;      /* subject key identifier of that certificate */
};
andre@0: 
/* All certificates sharing one subject name (see CERTCertificate.subjectList).
 * `arena` owns the nodes; `ncerts` is the node count; `entry` is an opaque
 * pointer to the database record this list mirrors. */
struct CERTSubjectListStr {
    PLArenaPool *arena;
    int ncerts;
    char *emailAddr;        /* email address associated with the subject, if any */
    CERTSubjectNode *head;
    CERTSubjectNode *tail; /* do we need tail? */
    void *entry;            /* private: owning database entry */
};
andre@0: 
/*
** An X.509 certificate object (the unsigned form), together with the state
** NSS keeps beside it: cached decode results, database and token handles,
** trust settings and a reference count.
**
** Memory: every pointer in this struct is allocated from `arena` and is
** released with the certificate; callers must not free fields individually.
** The first group of fields is fixed once the DER has been decoded; the
** later groups change with database state.
**
** Review notes:
**  - keepSession / timeOK / domainOK let an application override checks that
**    verification would otherwise fail.  Any code that sets them is
**    security-sensitive and should reflect an explicit user decision.
**  - options.bits.hasUnsupportedCriticalExt records that the decoder met a
**    critical extension it does not understand; RFC 5280 (4.2) requires such
**    a certificate to be rejected.  The code that honours the bit is not in
**    this header.
**  - referenceCount is a plain int; no lock is visible here, so only touch it
**    through the library's dup/destroy functions.
*/
struct CERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert.  This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time.  It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    PLArenaPool *arena;

    /* The following fields are static after the cert has been decoded */
    char *subjectName;      /* subject DN as a string (format produced elsewhere) */
    char *issuerName;       /* issuer DN as a string */
    CERTSignedData signatureWrap;   /* XXX -- the outer SIGNED wrapper: `data`
                                       is the tbsCertificate encoding, `signature`
                                       the signature over it */
    SECItem derCert;            /* original DER for the cert */
    SECItem derIssuer;          /* DER for issuer name */
    SECItem derSubject;         /* DER for subject name */
    SECItem derPublicKey;       /* DER for the public key */
    SECItem certKey;            /* database key for this cert (issuer + serial) */
    SECItem version;            /* encoded version; see SEC_CERTIFICATE_VERSION_* */
    SECItem serialNumber;       /* encoded serial number */
    SECAlgorithmID signature;   /* inner signature algorithm (tbsCertificate.signature);
                                   should equal signatureWrap.signatureAlgorithm */
    CERTName issuer;
    CERTValidity validity;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem issuerID;           /* issuerUniqueID, v2; usually absent */
    SECItem subjectID;          /* subjectUniqueID, v2; usually absent */
    CERTCertExtension **extensions; /* decoded extensions, presumably NULL-terminated */
    char *emailAddr;            /* email address taken from the cert, if any */
    CERTCertDBHandle *dbhandle; /* trust domain this cert belongs to */
    SECItem subjectKeyID;   /* x509v3 subject key identifier */
    PRBool keyIDGenerated;  /* was the keyid generated (i.e. not from the
                               extension)?  a generated ID is only a local
                               convenience, not something the CA asserted */
    unsigned int keyUsage;  /* what uses are allowed for this cert (derived) */
    unsigned int rawKeyUsage;   /* value of the key usage extension (KU_* bits) */
    PRBool keyUsagePresent; /* was the key usage extension present */
    PRUint32 nsCertType;    /* value of the ns cert type extension (NS_CERT_TYPE_*) */
                /* must be 32-bit for PR_ATOMIC_SET */

    /* these values can be set by the application to bypass certain checks
     * or to keep the cert in memory for an entire session.
     * XXX - need an api to set these
     * Each of these weakens verification for this cert; they should only be
     * set after an explicit user or policy decision.
     */
    PRBool keepSession;         /* keep this cert for entire session*/
    PRBool timeOK;          /* is the bad validity time ok? (skips expiry check) */
    CERTOKDomainName *domainOK;     /* these domain names are ok (accepted even
                                       though the cert does not match them) */

    /*
     * these values can change when the cert changes state.  These state
     * changes include transitions from temp to perm or vice-versa, and
     * changes of trust flags
     */
    PRBool isperm;          /* stored in the permanent (on-disk) database */
    PRBool istemp;          /* stored in the temporary (in-memory) database */
    char *nickname;
    char *dbnickname;       /* nickname as recorded in the database */
    struct NSSCertificateStr *nssCertificate;   /* This is Stan stuff. */
    CERTCertTrust *trust;   /* local trust flags; NULL presumably means none set */

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate
     */
    int referenceCount;

    /* The subject list is a list of all certs with the same subject name.
     * It can be modified any time a cert is added or deleted from either
     * the in-memory(temporary) or on-disk(permanent) database.
     */
    CERTSubjectList *subjectList;

    /* these belong in the static section, but are here to maintain
     * the structure's integrity
     */
    CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
    PRBool isRoot;              /* cert is the end of a chain (presumably
                                   self-issued / a trust anchor) */

    /* these fields are used by client GUI code to keep track of ssl sockets
     * that are blocked waiting on GUI feedback related to this cert.
     * XXX - these should be moved into some sort of application specific
     *       data structure.  They are only used by the browser right now.
     */
    union {
        void* apointer; /* was struct SECSocketNode* authsocketlist;
                           kept for layout, do not use */
        struct {
            unsigned int hasUnsupportedCriticalExt :1;  /* decoder saw a critical
                                                           extension it cannot
                                                           process */
            /* add any new option bits needed here */
        } bits;
    } options;
    int series; /* was int authsocketcount; record the series of the pkcs11ID
                   (presumably used to notice a stale pkcs11ID after the
                   token changes) */

    /* This is PKCS #11 stuff. */
    PK11SlotInfo *slot;     /*if this cert came of a token, which is it*/
    CK_OBJECT_HANDLE pkcs11ID;  /*and which object on that token is it */
    PRBool ownSlot;     /*true if the cert owns the slot reference */
};
/* Values of the X.509 version field: the encoded integer is one less than
 * the version number (v1 = 0, v3 = 2).  Extensions are only legal in v3. */
#define SEC_CERTIFICATE_VERSION_1       0   /* default created */
#define SEC_CERTIFICATE_VERSION_2       1   /* v2 */
#define SEC_CERTIFICATE_VERSION_3       2   /* v3 extensions */

/* CRL version field, same off-by-one encoding; v2 is required for
 * CRL extensions and entry extensions. */
#define SEC_CRL_VERSION_1       0   /* default */
#define SEC_CRL_VERSION_2       1   /* v2 extensions */
andre@0: 
/*
 * used to identify class of cert in mime stream code (a coarse
 * classification for display; not a substitute for usage checks)
 */
#define SEC_CERT_CLASS_CA   1
#define SEC_CERT_CLASS_SERVER   2
#define SEC_CERT_CLASS_USER 3
#define SEC_CERT_CLASS_EMAIL    4
andre@0: 
/* A batch of undecoded certificates: `rawCerts` points at `numcerts`
 * SECItems, each holding one DER certificate, all owned by `arena`.
 * Nothing here has been validated; decode and verify before use. */
struct CERTDERCertsStr {
    PLArenaPool *arena;
    int numcerts;
    SECItem *rawCerts;
};
andre@0: 
/*
** A PKCS ? Attribute (the Attribute SEQUENCE used by PKCS #10 requests and
** elsewhere): an attribute type OID and a set of values.
** XXX this is duplicated through out the code, it *should* be moved
** to a central location.  Where would be appropriate?
*/
struct CERTAttributeStr {
    SECItem attrType;
    SECItem **attrValue;    /* encoded values, presumably NULL-terminated */
};
andre@0: 
/*
** A PKCS#10 certificate-request object (the unsigned form), i.e. the
** CertificationRequestInfo.  The signature that proves the requester holds
** the private key is carried outside this struct; a request must not be
** accepted until that signature has been verified with the key in
** subjectPublicKeyInfo.  `attributes` carries requested extensions and the
** like, and is untrusted input from the requester.
*/
struct CERTCertificateRequestStr {
    PLArenaPool *arena;
    SECItem version;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    CERTAttribute **attributes;
};
/* PKCS #10 version field value (v1 is encoded as 0). */
#define SEC_CERTIFICATE_REQUEST_VERSION     0   /* what we *create* */
andre@0: 
andre@0: 
/*
** A certificate list object: `len` DER certificates in the `certs` array,
** all owned by `arena`.  Typically a chain in leaf-first order, but the
** order is whatever the producer put there and is not enforced by the type.
*/
struct CERTCertificateListStr {
    SECItem *certs;
    int len;                    /* number of certs */
    PLArenaPool *arena;
};
andre@0: 
/* Node of a CERTCertList.  `links` must stay the first member: the
 * CERT_LIST_* macros cast a PRCList pointer straight to a node pointer.
 * `appData` is free for the application's use. */
struct CERTCertListNodeStr {
    PRCList links;
    CERTCertificate *cert;      /* presumably a reference owned by the list */
    void *appData;
};
andre@0: 
/* A doubly linked list of certificates.  `list` is the sentinel header of
 * an NSPR circular list; the nodes are CERTCertListNode and are allocated
 * from `arena`.  Traverse with the CERT_LIST_* macros below. */
struct CERTCertListStr {
    PRCList list;
    PLArenaPool *arena;
};
andre@0: 
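/*
 * Traversal helpers for CERTCertList.  The list is an NSPR circular list
 * whose sentinel is the CERTCertList's own `list` member, so
 * CERT_LIST_END() is true once the node pointer wraps back to the sentinel.
 * Usage:
 *   for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
 *        node = CERT_LIST_NEXT(node)) { ... }
 * The pointer produced by HEAD/TAIL/NEXT is only a real node while
 * CERT_LIST_END() is false for it; the sentinel is not a CERTCertListNode.
 * The PRCList -> CERTCertListNode cast relies on `links` being the first
 * member of CERTCertListNodeStr.
 * Arguments are parenthesised so that expressions such as `&lst`,
 * `p->next` or a nested CERT_LIST_NEXT() can be passed safely.
 */
#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&(l)->list))
#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&(l)->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)(n)->links.next)
#define CERT_LIST_END(n, l) (((void *)(n)) == ((void *)&(l)->list))
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)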
andre@0: 
/* One revokedCertificates entry of a CRL: the serial number of the revoked
 * certificate (meaningful only together with the CRL's issuer), when it was
 * revoked, and any entry extensions (e.g. reason code, see
 * CERTCRLEntryReasonCode); `extensions` is presumably NULL-terminated. */
struct CERTCrlEntryStr {
    SECItem serialNumber;
    SECItem revocationDate;
    CERTCertExtension **extensions;    
};
andre@0: 
/* The unsigned part of a CRL (TBSCertList).  `derName`/`name` are the CRL
 * issuer; `entries` is the revoked-certificate list (NULL when the CRL is
 * empty -- confirm) and `extensions` the CRL extensions.
 * `nextUpdate` is optional in X.509: a CRL without it gives a consumer no
 * way to tell it is stale, so freshness policy must be decided by the
 * caller.  The signature over this structure is carried by CERTSignedCrl;
 * nothing here has been verified. */
struct CERTCrlStr {
    PLArenaPool *arena;
    SECItem version;            /* see SEC_CRL_VERSION_* */
    SECAlgorithmID signatureAlg;    /* inner signature algorithm; should match the outer one */
    SECItem derName;            /* DER of the issuer name */
    CERTName name;              /* decoded issuer name */
    SECItem lastUpdate;         /* thisUpdate time */
    SECItem nextUpdate;             /* optional for x.509 CRL  */
    CERTCrlEntry **entries;
    CERTCertExtension **extensions;    
    /* can't add anything there for binary backwards compatibility reasons */
};
andre@0: 
/* Database key for a CRL: the DER issuer name.  Only `derName` carries
 * information; `dummy` exists purely to satisfy the ASN.1 decoder. */
struct CERTCrlKeyStr {
    SECItem derName;
    SECItem dummy;          /* The decoder can not skip a primitive,
                       this serves as a place holder for the
                       decoder to finish its task only
                    */
};
andre@0: 
/* A CRL together with its signature wrapper, database state and the PKCS #11
 * object it was loaded from.  Like CERTCertificate it is arena-allocated and
 * reference counted (plain int; no lock visible here).  `reserved1`,
 * `reserved2` and `opaque` are layout placeholders for the library's
 * private use and must not be touched by callers. */
struct CERTSignedCrlStr {
    PLArenaPool *arena;
    CERTCrl crl;                /* decoded TBSCertList */
    void *reserved1;
    PRBool reserved2;
    PRBool isperm;              /* in the permanent database */
    PRBool istemp;              /* in the temporary (in-memory) database */
    int referenceCount;
    CERTCertDBHandle *dbhandle;
    CERTSignedData signatureWrap;   /* XXX -- outer SIGNED wrapper around `crl` */
    char *url;                  /* presumably where this CRL was fetched from */
    SECItem *derCrl;            /* original DER of the whole signed CRL */
    PK11SlotInfo *slot;         /* token holding the CRL object, if any */
    CK_OBJECT_HANDLE pkcs11ID;  /* object handle on that token */
    void* opaque; /* do not touch */
};
andre@0: 
andre@0: 
/* Head of a singly linked list of CRLs (CERTCrlNode), e.g. the result of
 * enumerating a database.  `arena` owns the nodes. */
struct CERTCrlHeadNodeStr {
    PLArenaPool *arena;
    CERTCertDBHandle *dbhandle;
    CERTCrlNode *first;
    CERTCrlNode *last;
};
andre@0: 
andre@0: 
/* Node of a CERTCrlHeadNode list.  The meaning of `type` (which kind of
 * revocation list this is) is defined outside this header. */
struct CERTCrlNodeStr {
    CERTCrlNode *next;
    int     type;
    CERTSignedCrl *crl;
};
andre@0: 
andre@0: 
/*
 * Array of X.500 Distinguished Names: `nnames` DER-encoded names in `names`,
 * owned by `arena`.  `head` is private to the library.  (Presumably used for
 * CA-name lists such as the one sent in a TLS CertificateRequest.)
 */
struct CERTDistNamesStr {
    PLArenaPool *arena;
    int nnames;
    SECItem  *names;
    void *head; /* private */
};
andre@0: 
andre@0: 
/*
 * Bits of the Netscape certificate-type extension as stored in
 * CERTCertificate.nsCertType.  The "bit N" labels use ASN.1 BIT STRING
 * numbering, where bit 0 is the most significant bit of the first octet.
 */
#define NS_CERT_TYPE_SSL_CLIENT         (1 << 7)    /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER         (1 << 6)    /* bit 1 */
#define NS_CERT_TYPE_EMAIL              (1 << 5)    /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING     (1 << 4)    /* bit 3 */
#define NS_CERT_TYPE_RESERVED           (1 << 3)    /* bit 4 */
#define NS_CERT_TYPE_SSL_CA             (1 << 2)    /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA           (1 << 1)    /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA  (1 << 0)    /* bit 7 */

/*
 * Pseudo cert-type bits kept above the extension's own byte.  By their
 * names they are presumably derived from extendedKeyUsage purposes rather
 * than read from the nsCertType extension itself.
 */
#define EXT_KEY_USAGE_TIME_STAMP        (1 << 15)
#define EXT_KEY_USAGE_STATUS_RESPONDER  (1 << 14)

/* All end-entity ("application") types. */
#define NS_CERT_TYPE_APP \
    (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | \
     NS_CERT_TYPE_EMAIL | NS_CERT_TYPE_OBJECT_SIGNING)

/* All issuer-like types; note this deliberately includes the OCSP status
 * responder pseudo-bit, so NS_CERT_TYPE_CA is not "CA bits only". */
#define NS_CERT_TYPE_CA \
    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
/* The purpose a certificate is being verified for.  Each value is an index:
 * the corresponding SECCertificateUsage bit is (1 << value), as the
 * certificateUsage* definitions below show.  Verification results differ
 * per usage (key usage, EKU, CA bits and trust flags are all checked
 * relative to it), so callers must pass the usage they actually intend,
 * never a "most permissive" one.  certUsageSSLServerWithStepUp is a legacy
 * (export-grade "step-up") variant of certUsageSSLServer. */
typedef enum SECCertUsageEnum {
    certUsageSSLClient = 0,
    certUsageSSLServer = 1,
    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageEmailSigner = 4,
    certUsageEmailRecipient = 5,
    certUsageObjectSigner = 6,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageStatusResponder = 10,
    certUsageAnyCA = 11
} SECCertUsage;
andre@0: 
/* Bitmask of SECCertUsage values (see certificateUsage* below); 64 bits
 * leaves room well beyond the twelve usages defined today. */
typedef PRInt64 SECCertificateUsage;
andre@0: 
/*
 * Bit form of SECCertUsage for SECCertificateUsage masks: each bit is
 * (1 << certUsageXxx).  certificateUsageCheckAllUsages (no bits) asks the
 * verifier to report every usage the certificate is valid for rather than
 * test a specific one.
 */
#define certificateUsageCheckAllUsages         (0)
#define certificateUsageSSLClient              (1 << 0)
#define certificateUsageSSLServer              (1 << 1)
#define certificateUsageSSLServerWithStepUp    (1 << 2)
#define certificateUsageSSLCA                  (1 << 3)
#define certificateUsageEmailSigner            (1 << 4)
#define certificateUsageEmailRecipient         (1 << 5)
#define certificateUsageObjectSigner           (1 << 6)
#define certificateUsageUserCertImport         (1 << 7)
#define certificateUsageVerifyCA               (1 << 8)
#define certificateUsageProtectedObjectSigner  (1 << 9)
#define certificateUsageStatusResponder        (1 << 10)
#define certificateUsageAnyCA                  (1 << 11)

/* Highest usage bit currently defined. */
#define certificateUsageHighest certificateUsageAnyCA
andre@0: 
/*
 * Does the cert belong to the user, a peer, or a CA.
 * This is a classification of who holds the private key, used for display
 * and database housekeeping; it is not a trust decision.
 */
typedef enum CERTCertOwnerEnum {
    certOwnerUser = 0,
    certOwnerPeer = 1,
    certOwnerCA = 2
} CERTCertOwner;
andre@0: 
/*
 * This enum represents the state of validity times of a certificate
 * relative to some reference time.  Only secCertTimeValid means the time
 * check passed; secCertTimeUndetermined must be treated as a failure, not
 * as "unknown, so allow".
 */
typedef enum SECCertTimeValidityEnum {
    secCertTimeValid = 0,
    secCertTimeExpired = 1,
    secCertTimeNotValidYet = 2,
    secCertTimeUndetermined = 3 /* validity could not be decoded from the
                                   cert, most likely because it was NULL */
} SECCertTimeValidity;
andre@0: 
/*
 * This is used as return status in functions that compare the validity
 * periods of two certificates A and B, currently only
 * CERT_CompareValidityTimes.  It expresses a preference between two
 * otherwise equivalent certificates (e.g. when picking the "best" of
 * several with the same subject); it says nothing about whether either
 * one is currently valid.
 */

typedef enum CERTCompareValidityStatusEnum
{
    certValidityUndetermined = 0, /* the function is unable to select one cert 
                                     over another */
    certValidityChooseB = 1,      /* cert B should be preferred */
    certValidityEqual = 2,        /* both certs have the same validity period */
    certValidityChooseA = 3       /* cert A should be preferred */
} CERTCompareValidityStatus;
andre@0: 
/*
 * Interface for getting certificate nickname strings out of the database
 */

/* these are values for the `what` argument of the nickname lookup functions
 * and are echoed back in CERTCertNicknames.what: which class of certificate
 * to list.  Nicknames are user-chosen labels, not identities; never use one
 * as a security decision input. */
#define SEC_CERT_NICKNAMES_ALL      1
#define SEC_CERT_NICKNAMES_USER     2
#define SEC_CERT_NICKNAMES_SERVER   3
#define SEC_CERT_NICKNAMES_CA       4
andre@0: 
/* Result of a nickname enumeration: `numnicknames` C strings in
 * `nicknames`, owned by `arena`.  `what` is the SEC_CERT_NICKNAMES_* value
 * the list was built for; `head` is private; `totallen` is presumably the
 * summed string length (used for sizing a display buffer) -- confirm. */
struct CERTCertNicknamesStr {
    PLArenaPool *arena;
    void *head;
    int numnicknames;
    char **nicknames;
    int what;
    int totallen;
};
andre@0: 
/* IssuerAndSerialNumber (PKCS #7 / CMS SignerIdentifier): names a
 * certificate by issuer DN and serial number.  As with CERTCertKey, this is
 * unique only while issuers never reuse serials; when resolving it, match
 * on the DER issuer (`derIssuer`), not on a string rendering of the name. */
struct CERTIssuerAndSNStr {
    SECItem derIssuer;
    CERTName issuer;
    SECItem serialNumber;
};
andre@0: 
andre@0: 
/*
 * X.509 v3 Key Usage Extension flags, as stored in
 * CERTCertificate.rawKeyUsage/keyUsage.  "bit N" is ASN.1 BIT STRING
 * numbering (bit 0 = most significant bit of the first octet).  RFC 5280's
 * ninth bit, decipherOnly (bit 8), has no constant here.
 */
#define KU_DIGITAL_SIGNATURE    (1 << 7)    /* bit 0 */
#define KU_NON_REPUDIATION      (1 << 6)    /* bit 1 */
#define KU_KEY_ENCIPHERMENT     (1 << 5)    /* bit 2 */
#define KU_DATA_ENCIPHERMENT    (1 << 4)    /* bit 3 */
#define KU_KEY_AGREEMENT        (1 << 3)    /* bit 4 */
#define KU_KEY_CERT_SIGN        (1 << 2)    /* bit 5 */
#define KU_CRL_SIGN             (1 << 1)    /* bit 6 */
#define KU_ENCIPHER_ONLY        (1 << 0)    /* bit 7 */

/* Every real key-usage bit above (0xFF).  Internal pseudo-bits are
 * intentionally excluded. */
#define KU_ALL \
    (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \
     KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \
     KU_CRL_SIGN | KU_ENCIPHER_ONLY)

/*
 * Internal pseudo-bits that never appear in a certificate.  They live above
 * the extension's byte so they cannot collide with real bits, and they are
 * deliberately not part of KU_ALL.
 */

/* Either digitalSignature or nonRepudiation satisfies the requirement. */
#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (1 << 13)

/* Key type not known in advance: keyAgreement or keyEncipherment is the
 * right requirement depending on the key. */
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (1 << 14)

/* Netscape "government approved" (legacy step-up) marker. */
#define KU_NS_GOVT_APPROVED     (1 << 15)   /*don't make part of KU_ALL!*/
/*
 * x.509 v3 Basic Constraints Extension
 * If isCA is false, the pathLenConstraint is ignored -- and, more
 * importantly, the certificate must never be accepted as an issuer no
 * matter what else it says.
 * Otherwise, the following pathLenConstraint values will apply:
 *  < 0 - there is no limit to the certificate path (the decoder uses
 *        CERT_UNLIMITED_PATH_CONSTRAINT for an absent field; what, if
 *        anything, -1 means is not visible here)
 *  0   - CA can issue end-entity certificates only
 *  > 0 - per RFC 5280 (4.2.1.9) the maximum number of non-self-issued
 *        intermediate CA certificates that may follow this one in a
 *        valid path (the end-entity certificate is not counted)
 */
#define CERT_UNLIMITED_PATH_CONSTRAINT -2

struct CERTBasicConstraintsStr {
    PRBool isCA;            /* on if is CA */
    int pathLenConstraint;      /* maximum number of certificates that can be
                       in the cert path.  Only applies to a CA
                       certificate; otherwise, it's ignored.
                     */
};
andre@0: 
/* Maximum length of a certificate chain.  Bounding this keeps path building
 * from doing unbounded work on attacker-supplied chains; whether it is
 * enforced as a hard limit or a search cutoff is decided by the verifier,
 * not here. */
#define CERT_MAX_CERT_CHAIN 20

/* Serial numbers are limited to 20 octets (RFC 3280, kept in RFC 5280
 * 4.1.2.2).  Non-conforming CAs do issue longer ones; how the decoder
 * treats those is not visible here. */
#define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
/* No standard limit exists for a DN; this is a sanity bound on input size. */
#define CERT_MAX_DN_BYTES             4096  /* arbitrary */
andre@0: 
/*
 * x.509 v3 Reason Flags, used in the CRLDistributionPoint extension to say
 * which revocation reasons a distribution point covers.  "bit N" is ASN.1
 * BIT STRING numbering (bit 0 = most significant bit of the first octet).
 * A distribution point that does not cover all reasons cannot by itself
 * prove a certificate is unrevoked.
 */
#define RF_UNUSED                   (1 << 7)    /* bit 0 */
#define RF_KEY_COMPROMISE           (1 << 6)    /* bit 1 */
#define RF_CA_COMPROMISE            (1 << 5)    /* bit 2 */
#define RF_AFFILIATION_CHANGED      (1 << 4)    /* bit 3 */
#define RF_SUPERSEDED               (1 << 3)    /* bit 4 */
#define RF_CESSATION_OF_OPERATION   (1 << 2)    /* bit 5 */
#define RF_CERTIFICATE_HOLD         (1 << 1)    /* bit 6 */
andre@0: 
/* enum for CRL Entry Reason Code (the reasonCode CRL entry extension).
 * Values follow the CRLReason ENUMERATED of RFC 5280; 7 is unassigned
 * there, which is why it is skipped here.  crlEntryReasonRemoveFromCRL
 * only appears in delta CRLs and means the entry is no longer revoked.
 * The odd capitalisation of crlEntryReasoncertificatedHold is part of the
 * public API and cannot be changed. */
typedef enum CERTCRLEntryReasonCodeEnum {
    crlEntryReasonUnspecified = 0,
    crlEntryReasonKeyCompromise = 1,
    crlEntryReasonCaCompromise = 2,
    crlEntryReasonAffiliationChanged = 3,
    crlEntryReasonSuperseded = 4,
    crlEntryReasonCessationOfOperation = 5,
    crlEntryReasoncertificatedHold = 6,
    crlEntryReasonRemoveFromCRL = 8,
    crlEntryReasonPrivilegeWithdrawn = 9,
    crlEntryReasonAaCompromise = 10
} CERTCRLEntryReasonCode;
andre@0: 
/* If we needed to extract the general name field, use this */
/* General Name types.  Each value is one greater than the context-specific
 * tag of the corresponding GeneralName CHOICE alternative in RFC 5280
 * ([0] otherName ... [8] registeredID), so 0 is never a valid type.
 * Name matching rules differ per type (DNS names are case-insensitive,
 * IP addresses are raw octets, etc.); code that compares names must
 * dispatch on this type and not compare bytes blindly. */
typedef enum CERTGeneralNameTypeEnum {
    certOtherName = 1,
    certRFC822Name = 2,
    certDNSName = 3,
    certX400Address = 4,
    certDirectoryName = 5,
    certEDIPartyName = 6,
    certURI = 7,
    certIPAddress = 8,
    certRegisterID = 9
} CERTGeneralNameType;
andre@0: 
andre@0: 
/* The otherName alternative of GeneralName: a type OID and the encoded
 * value whose interpretation depends on that OID. */
typedef struct OtherNameStr {
    SECItem          name;      /* encoded value */
    SECItem          oid;       /* type-id */
}OtherName;
andre@0: 
andre@0: 
andre@0: 
/* A decoded GeneralName.  `type` selects which member of the `name` union
 * is live: directoryName for certDirectoryName, OthName for certOtherName,
 * and `other` (raw encoded bytes) for every remaining type.  Reading the
 * wrong union member is a bug.  `l` links the name into a circular list
 * (e.g. the names of a SAN extension or a CERTGeneralNameList). */
struct CERTGeneralNameStr {
    CERTGeneralNameType type;       /* name type */
    union {
    CERTName directoryName;         /* distinguished name */
    OtherName  OthName;     /* Other Name */
    SECItem other;                  /* the rest of the name forms */
    }name;
    SECItem derDirectoryName;       /* this is saved to simplify directory name
                       comparison */
    PRCList l;
};
andre@0: 
/* A shared, reference-counted list of `len` general names starting at
 * `name` (linked through CERTGeneralName.l), owned by `arena`.  Unlike the
 * other reference counts in this header this one has a lock next to it,
 * so presumably refCount is only modified under `lock`. */
struct CERTGeneralNameListStr {
    PLArenaPool *arena;
    CERTGeneralName *name;
    int refCount;
    int len;
    PZLock *lock;
};
andre@0: 
/* One GeneralSubtree of the name constraints extension: the base name, its
 * DER, and the minimum/maximum fields.  RFC 5280 requires minimum to be 0
 * and maximum absent; a verifier should reject anything else rather than
 * try to honour it.  `l` links the subtree into the permitted or excluded
 * circular list. */
struct CERTNameConstraintStr {
    CERTGeneralName  name;
    SECItem          DERName;
    SECItem          min;
    SECItem          max;
    PRCList          l;
};
andre@0: 
andre@0: 
/* Decoded name constraints extension: the permittedSubtrees and
 * excludedSubtrees lists plus their DER forms (for re-encoding).  Either
 * list may be empty (NULL -- confirm).  Excluded subtrees win over
 * permitted ones, and constraints apply to every name in the subject DN
 * and SAN of certificates below the constrained CA.  The `permited`
 * spelling is part of the public API and cannot be corrected. */
struct CERTNameConstraintsStr {
    CERTNameConstraint  *permited;
    CERTNameConstraint  *excluded;
    SECItem             **DERPermited;
    SECItem             **DERExcluded;
};
andre@0: 
andre@0: 
/* Private Key Usage Period extension struct.  Both times are optional in the
 * extension and are kept as encoded GeneralizedTime items.  Note the arena
 * comes last here, unlike CERTValidity; the layout is fixed. */
struct CERTPrivKeyUsagePeriodStr {
    SECItem notBefore;
    SECItem notAfter;
    PLArenaPool *arena;
};
andre@0: 
/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
   issuer field, we only support URI now.
   The extension identifies the issuing CA's key either by `keyID` or by the
   (authCertIssuer, authCertSerialNumber) pair.  Either may be empty.  It is
   a lookup hint for path building only: a match on the AKID never replaces
   verifying the signature with the candidate issuer's key.
 */
struct CERTAuthKeyIDStr {
    SECItem keyID;          /* unique key identifier */
    CERTGeneralName *authCertIssuer;    /* CA's issuer name.  End with a NULL */
    SECItem authCertSerialNumber;   /* CA's certificate serial number */
    SECItem **DERAuthCertIssuer;    /* This holds the DER encoded format of
                       the authCertIssuer field. It is used
                       by the encoding engine. It should be
                       used as a read only field by the caller.
                    */
};
andre@0: 
/* x.509 v3 CRL Distribution Point */

/*
 * defined the types of CRL Distribution points: which alternative of the
 * DistributionPointName CHOICE a CRLDistributionPoint carries.
 */
typedef enum DistributionPointTypesEnum {
    generalName = 1,            /* only support this for now */
    relativeDistinguishedName = 2
} DistributionPointTypes;
andre@0: 
/* One DistributionPoint of the cRLDistributionPoints extension.
 * `distPointType` selects the live member of `distPoint`.  `reasons` is the
 * ReasonFlags BIT STRING (RF_* bits; empty means all reasons) and
 * `crlIssuer` the issuer of the CRL when it differs from the certificate
 * issuer (an indirect CRL, which needs extra checks before it is trusted).
 * Distribution point URIs come from the certificate and are attacker
 * influenced; fetching them is a network request on untrusted input. */
struct CRLDistributionPointStr {
    DistributionPointTypes distPointType;
    union {
    CERTGeneralName *fullName;
    CERTRDN relativeName;
    } distPoint;
    SECItem reasons;
    CERTGeneralName *crlIssuer;
    
    /* Reserved for internal use only: DER forms kept for the encoder */
    SECItem derDistPoint;
    SECItem derRelativeName;
    SECItem **derCrlIssuer;
    SECItem **derFullName;
    SECItem bitsmap;
};
andre@0: 
/* The decoded cRLDistributionPoints extension: an array of distribution
 * points, presumably NULL-terminated like other `**` arrays here. */
struct CERTCrlDistributionPointsStr {
    CRLDistributionPoint **distPoints;
};
andre@0: 
/*
 * This structure is used to keep a log of errors when verifying
 * a cert chain.  This allows multiple errors to be reported all at
 * once.  Because verification keeps going after logging an error, a
 * caller that supplies a log must treat a non-empty log as failure and
 * not rely on the function's return value alone -- confirm against the
 * verifier's contract.
 */
struct CERTVerifyLogNodeStr {
    CERTCertificate *cert;  /* what cert had the error */
    long error;         /* what error was it? (presumably a PRErrorCode) */
    unsigned int depth;     /* how far up the chain are we (0 = leaf, presumably) */
    void *arg;          /* error specific argument */
    struct CERTVerifyLogNodeStr *next; /* next in the list */
    struct CERTVerifyLogNodeStr *prev; /* previous in the list */
};
andre@0: 
andre@0: 
/* Head of a verification log: `count` nodes, doubly linked between `head`
 * and `tail`, allocated from `arena`.  A count of zero means no error was
 * recorded. */
struct CERTVerifyLogStr {
    PLArenaPool *arena;
    unsigned int count;
    struct CERTVerifyLogNodeStr *head;
    struct CERTVerifyLogNodeStr *tail;
};
andre@0: 
andre@0: 
/* One host name the application has decided to accept for a certificate
 * despite a name mismatch (see CERTCertificate.domainOK); a singly linked
 * list.  `name` is the pre-C99 "struct hack": the node must be allocated
 * with room for the full NUL-terminated string, and sizeof(*node) is not
 * its size.  A flexible array member cannot be substituted without
 * changing the struct's size and therefore the ABI. */
struct CERTOKDomainNameStr {
    CERTOKDomainName *next;
    char              name[1]; /* actual length may be longer. */
};
andre@0: 
andre@0: 
/* Revocation-status callback: asked whether `cert` is acceptable at `time`.
 * `pwArg` is passed through to any password callback the checker needs
 * (presumably for a token it must open).  Returning anything but SECSuccess
 * must be treated by the caller as "not verified". */
typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
                            CERTCertificate *cert,
                            PRTime time,
                            void *pwArg);

/* Tears down a CERTStatusConfig (including its statusContext). */
typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
andre@0: 
/* Pluggable status-checking (e.g. OCSP -- not visible here) configuration
 * attached to a trust domain.  A NULL statusChecker silently disables
 * revocation checking, which is a weaker security posture; make that an
 * explicit choice rather than a default. */
struct CERTStatusConfigStr {
    CERTStatusChecker statusChecker;    /* NULL means no checking enabled */
    CERTStatusDestroy statusDestroy;    /* enabled or no, will clean up */
    void *statusContext;        /* cx specific to checking protocol */
};
andre@0: 
/* One AccessDescription of the authorityInfoAccess extension: the access
 * method OID (e.g. OCSP or caIssuers) and where to reach it.  The location
 * comes from the certificate, so any fetch from it is a request to an
 * attacker-chosen endpoint and must be bounded and validated. */
struct CERTAuthInfoAccessStr {
    SECItem method;
    SECItem derLocation;
    CERTGeneralName *location;      /* decoded location */
};
andre@0: 
andre@0: 
/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number.
 * Who frees the returned string is not stated here; confirm with the
 * CERT_OpenCertDB documentation before implementing one. */
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
andre@0: 
/*
 * types of cert packages that we can decode: the container format a blob
 * of certificate data was recognised as.  Recognition is a parse, not a
 * verification; the certificates inside are still untrusted.
 */
typedef enum CERTPackageTypeEnum {
    certPackageNone = 0,
    certPackageCert = 1,        /* a single DER certificate */
    certPackagePKCS7 = 2,       /* PKCS #7 (degenerate SignedData) bundle */
    certPackageNSCertSeq = 3,   /* Netscape certificate sequence */
    certPackageNSCertWrap = 4   /* Netscape wrapped certificate */
} CERTPackageType;
andre@0: 
/*
 * these types are for the PKIX Certificate Policies extension
 */
/* PolicyQualifierInfo: `oid` is presumably the SECOidTag matched from
 * `qualifierID` (the raw OID); `qualifierValue` is the encoded qualifier
 * (a CPS URI or a UserNotice). */
typedef struct {
    SECOidTag oid;
    SECItem qualifierID;
    SECItem qualifierValue;
} CERTPolicyQualifier;
andre@0: 
/* PolicyInformation: a policy OID (raw in `policyID`, presumably looked up
 * into `oid`) and its optional qualifiers (presumably NULL-terminated). */
typedef struct {
    SECOidTag oid;
    SECItem policyID;
    CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;
andre@0: 
/* The decoded certificatePolicies extension, owned by `arena`. */
typedef struct {
    PLArenaPool *arena;
    CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;
andre@0: 
/* NoticeReference of a UserNotice qualifier: an organization string and
 * the notice numbers it refers to. */
typedef struct {
    SECItem organization;
    SECItem **noticeNumbers;
} CERTNoticeReference;
andre@0: 
/* A decoded UserNotice policy qualifier.  `displayText` is CA-supplied text
 * of an unspecified string type; sanitise before showing it to a user. */
typedef struct {
    PLArenaPool *arena;
    CERTNoticeReference noticeReference;
    SECItem derNoticeReference;
    SECItem displayText;
} CERTUserNotice;
andre@0: 
/*
 * A sequence of OIDs (raw encodings) allocated from arena.
 * NOTE(review): termination of oids (NULL-terminated vs. counted) is not
 * stated here — confirm before iterating.
 */
typedef struct {
    PLArenaPool *arena;
    SECItem **oids;
} CERTOidSequence;
andre@0: 
/*
 * these types are for the PKIX Policy Mappings extension
 */
/* One issuerDomainPolicy -> subjectDomainPolicy mapping, both raw OIDs. */
typedef struct {
    SECItem issuerDomainPolicy;
    SECItem subjectDomainPolicy;
} CERTPolicyMap;
andre@0: 
/*
 * Decoded policyMappings extension; arena presumably owns policyMaps.
 */
typedef struct {
    PLArenaPool *arena;
    CERTPolicyMap **policyMaps;
} CERTCertificatePolicyMappings;
andre@0: 
/*
 * these types are for the PKIX inhibitAnyPolicy extension
 */
/*
 * inhibitAnySkipCerts is the SkipCerts INTEGER still DER-encoded (a SECItem),
 * not a decoded count; decode it before comparing with a path length.
 */
typedef struct {
    SECItem inhibitAnySkipCerts;
} CERTCertificateInhibitAny;
andre@0: 
/*
 * these types are for the PKIX Policy Constraints extension
 */
/*
 * Both members are SkipCerts INTEGERs kept DER-encoded (SECItem); an empty
 * item presumably means the optional field was absent — confirm with the
 * decoder.
 */
typedef struct {
    SECItem explicitPolicySkipCerts;
    SECItem inhibitMappingSkipCerts;
} CERTCertificatePolicyConstraints;
andre@0: 
/*
 * These types are for the validate chain callback param.
 *
 * CERTChainVerifyCallback is an application-supplied callback that can be used
 * to augment libpkix's certificate chain validation with additional
 * application-specific checks. It may be called multiple times if there are
 * multiple potentially-valid paths for the certificate being validated. This
 * callback is called before revocation checking is done on the certificates in
 * the given chain, so it must not assume that any certificate in currentChain
 * has already been checked for revocation.
 *
 * - isChainValidArg contains the application-provided opaque argument
 * - currentChain is the currently validated chain. It is ordered with the leaf
 *   certificate at the head and the trust anchor at the tail.
 *
 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
 * return SECSuccess if the chain is unacceptable, to indicate that the given
 * chain is bad and path building should continue. It should return SECFailure
 * to indicate a fatal error that will cause path validation to fail
 * immediately.
 *
 * Because the callback can run once per candidate path, it should not keep
 * per-call state that a later, different path could inherit.
 */
typedef SECStatus (*CERTChainVerifyCallbackFunc)
                                             (void *isChainValidArg,
                                              const CERTCertList *currentChain,
                                              PRBool *chainOK);
andre@0: 
/*
 * Note: If extending this structure, it will be necessary to change the
 * associated CERTValParamInType
 *
 * Container passed via cert_pi_chainVerifyCallback. isChainValidArg is handed
 * back unchanged as the first argument of isChainValid.
 */
typedef struct {
    CERTChainVerifyCallbackFunc isChainValid;
    void *isChainValidArg;
} CERTChainVerifyCallback;
andre@0: 
/*
 * these types are for the CERT_PKIX* Verification functions
 * These are all optional parameters.
 *
 * Each entry names the member of CERTValParamInValue that carries its value.
 * Omitting a parameter selects the documented default; the defaults for
 * cert_pi_extendedKeyusage (no EKU check) and cert_pi_useOnlyTrustAnchors
 * (true) are the ones most likely to surprise callers.
 */

typedef enum {
   cert_pi_end             = 0, /* SPECIAL: signifies end of array of
                                 * CERTValParam* */
   cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
                                 * resume a session. If this argument is
                                 * specified, no other arguments should be.
                                 * Specified in value.pointer.p. If the
                                 * operation completes the context will be
                                 * freed. */
   cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an
                                 * existing operation which the caller wants
                                 * to abort. If this argument is
                                 * specified, no other arguments should be.
                                 * Specified in value.pointer.p. If the
                                 * operation succeeds the context will be
                                 * freed. */
   cert_pi_certList        = 3, /* specify the chain to validate against. If
                                 * this value is given, then the path
                                 * construction step in the validation is
                                 * skipped. Specified in value.pointer.chain */
   cert_pi_policyOID       = 4, /* validate certificate for policy OID.
                                 * Specified in value.array.oids. Cert must
                                 * be good for at least one OID in order
                                 * to validate. Default is that the user is not
                                 * concerned about certificate policy. */
   cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
                                 * Specified in value.scalar.ul. Policy flags
                                 * apply to all specified oids.
                                 * Use CERT_POLICY_FLAG_* macros below. If not
                                 * specified policy flags default to 0 */
   cert_pi_keyusage        = 6, /* specify the key usages the certificate
                                 * will be evaluated against, specified in
                                 * value.scalar.ui. The cert must validate for
                                 * at least one of the specified key usages.
                                 * Values match the KU_ bit flags defined
                                 * in this file. Default is derived from
                                 * the 'usages' function argument */
   cert_pi_extendedKeyusage= 7, /* specify the required extended key
                                 * usages of the certificate. Specified as
                                 * an array of oidTags in value.array.oids.
                                 * The cert must validate for at least one
                                 * of the specified extended key usages.
                                 * If not specified, no extended key usages
                                 * will be checked at all, so a caller that
                                 * cares about EKU must pass this explicitly. */
   cert_pi_date            = 8, /* validate certificate is valid as of date
                                 * specified in value.scalar.time. A special
                                 * value '0' indicates 'now'. default is '0' */
   cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
                                 * See CERT_REV_FLAG_* macros below
                                 * Set in value.pointer.revocation */
   cert_pi_certStores      = 10, /* Bitmask of Cert Store flags (see below)
                                 * Set in value.scalar.ui */
   cert_pi_trustAnchors    = 11, /* Specify the list of trusted roots to
                                 * validate against.
                                 * The default set of trusted roots, these are
                                 * root CA certs from libnssckbi.so or CA
                                 * certs trusted by user, are used in any of
                                 * the following cases:
                                 *      * when the parameter is not set.
                                 *      * when the list of trust anchors is empty.
                                 * Note that this handling can be further altered
                                 * by the cert_pi_useOnlyTrustAnchors flag.
                                 * Specified in value.pointer.chain */
   cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
                                 * In NSS 3.12.1 or later. Default is off.
                                 * Value is in value.scalar.b */
   cert_pi_chainVerifyCallback = 13,
                                /* The callback container for doing extra
                                 * validation on the currently calculated chain.
                                 * Value is in value.pointer.chainVerifyCallback */
   cert_pi_useOnlyTrustAnchors = 14, /* If true, disables trusting any
                                 * certificates other than the ones passed in via
                                 * cert_pi_trustAnchors.
                                 * If false, then the certificates specified via
                                 * cert_pi_trustAnchors will be combined with the
                                 * pre-existing trusted roots, but only for
                                 * the certificate validation being performed.
                                 * If no value has been supplied via
                                 * cert_pi_trustAnchors, this has no effect.
                                 * The default value is true, meaning if this is
                                 * not supplied, only trust anchors supplied via
                                 * cert_pi_trustAnchors are trusted.
                                 * Specified in value.scalar.b */
   cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
                                 *  can increase in future releases */
} CERTValParamInType;
andre@0: 
/*
 * for all out parameters:
 *  out parameters are only returned if the caller asks for them in
 *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
 *  array itself. The pkix verify function will allocate any other arrays,
 *  pointers, or objects. The caller is responsible for freeing those results.
 * If SECWouldBlock is returned, only cert_po_nbioContext is returned.
 *
 * NOTE(review): some member names quoted below do not match the
 * CERTValParamOutValue unions declared later in this file; see the
 * individual entries.
 */
typedef enum {
   cert_po_end             = 0, /* SPECIAL: signifies end of array of
                                 * CERTValParam* */
   cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
                                 * non-blocking context is specified, then
                                 * blocking IO will be used.
                                 * Returned in value.pointer.p. The context is
                                 * freed after an abort or a complete operation.
                                 * This value is only returned on SECWouldBlock.
                                 */
   cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
                                 * was validated. Returned in
                                 * value.pointer.cert, this value is only
                                 * returned on SECSuccess. */
   cert_po_certList        = 3, /* Return the entire chain that was validated.
                                 * Returned in value.pointer.chain (the union
                                 * has no 'certList' member). If no
                                 * chain could be constructed, this value
                                 * would be NULL. */
   cert_po_policyOID       = 4, /* Return the policies that were found to be
                                 * valid. Returned in value.array.oids as an
                                 * array. This is only returned on
                                 * SECSuccess. */
   cert_po_errorLog        = 5, /* Return a log of problems with the chain.
                                 * Returned in value.pointer.log  */
   cert_po_usages          = 6, /* Return what usages the certificate is valid
                                 * for. Returned in value.scalar.usages */
   cert_po_keyUsage        = 7, /* Return what key usages the certificate
                                 * is valid for.
                                 * NOTE(review): the scalar union has no
                                 * 'usage' member; presumably value.scalar.ui
                                 * is meant — confirm with the implementation. */
   cert_po_extendedKeyusage= 8, /* Return what extended key usages the
                                 * certificate is valid for.
                                 * Returned in value.array.oids */
   cert_po_max                  /* SPECIAL: signifies maximum allowed value,
                                 *  can increase in future releases */

} CERTValParamOutType;
andre@0: 
/*
 * Index of a revocation method into CERTRevocationTests.cert_rev_flags_per_method
 * and .preferred_methods. cert_revocation_method_count is the number of methods
 * this header knows about and the natural size for those arrays.
 */
typedef enum {
    cert_revocation_method_crl = 0,
    cert_revocation_method_ocsp,
    cert_revocation_method_count	/* not a method; array-size sentinel */
} CERTRevocationMethodIndex;
andre@0: 
andre@0: 
/*
 * The following flags are supposed to be used to control bits in
 * each integer contained in the array pointed to by:
 *     CERTRevocationTests.cert_rev_flags_per_method
 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
 * this is a method dependent flag.
 *
 * Most flags come in pairs that name the two states of one bit; the 0UL
 * member of a pair is what a cleared bit means. Consequently an all-zero
 * per-method word selects every 0UL option at once, starting with
 * DO_NOT_TEST_USING_THIS_METHOD.
 */

/*
 * Whether or not to use a method for revocation testing.
 * If set to "do not test", then all other flags are ignored.
 * The cleared-bit state is "do not test", so a method is only consulted when
 * TEST_USING_THIS_METHOD is set explicitly.
 */
#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0UL
#define CERT_REV_M_TEST_USING_THIS_METHOD            1UL
andre@0: 
/*
 * Whether or not NSS is allowed to attempt to fetch fresh information
 *         from the network.
 * (Although fetching will never happen if fresh information for the
 *           method is already locally available.)
 * The cleared-bit state allows fetching; set FORBID_NETWORK_FETCHING for
 * callers that must stay offline.
 */
#define CERT_REV_M_ALLOW_NETWORK_FETCHING            0UL
#define CERT_REV_M_FORBID_NETWORK_FETCHING           2UL
andre@0: 
/*
 * Example for an implicit default source:
 *         The globally configured default OCSP responder.
 * IGNORE means:
 *        ignore the implicit default source, whether it's configured or not.
 * ALLOW means:
 *       if an implicit default source is configured,
 *          then it overrides any available or missing source in the cert.
 *       if no implicit default source is configured,
 *          then we continue to use what's available (or not available)
 *          in the certs.
 * ALLOW is the cleared-bit state. Note that with ALLOW a configured default
 * responder takes precedence over the source named in the certificate.
 */
#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0UL
#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4UL
andre@0: 
/*
 * Defines the behavior if no fresh information is available,
 *   fetching from the network is allowed, but the source of revocation
 *   information is unknown (even after considering implicit sources,
 *   if allowed by other flags).
 * SKIP_TEST means:
 *          We ignore that no fresh information is available and
 *          skip this test.
 * REQUIRE_INFO means:
 *          We still require that fresh information is available.
 *          Other flags define what happens on missing fresh info.
 * SKIP_TEST is the cleared-bit state: a certificate that names no source for
 * this method passes the method's test untested unless REQUIRE_INFO is set.
 */
#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0UL
#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8UL
andre@0: 
/*
 * Defines the behavior if we are unable to obtain fresh information.
 * IGNORE means:
 *      Return "cert status unknown"
 * FAIL means:
 *      Return "cert revoked".
 * IGNORE is the cleared-bit state, i.e. the soft-fail behaviour; callers that
 * need hard-fail revocation checking must set FAIL_ON_MISSING_FRESH_INFO (or
 * the method-independent CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE).
 */
#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0UL
#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16UL
andre@0: 
/*
 * What should happen if we were able to find fresh information using
 * this method, and the data indicated the cert is good?
 * STOP_TESTING means:
 *              Our success is sufficient, do not continue testing
 *              other methods.
 * CONTINUE_TESTING means:
 *                  We will continue and test the next allowed
 *                  specified method.
 * STOP_TESTING is the cleared-bit state.
 */
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0UL
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32UL
andre@0: 
/* When this flag is used, libpkix will never attempt to use the GET HTTP
 * method for OCSP requests; it will always use POST.
 * Unlike the pairs above this flag has no 0UL counterpart: leaving the bit
 * clear permits GET.
 */
#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
andre@0: 
/*
 * The following flags are supposed to be used to control bits in
 *     CERTRevocationTests.cert_rev_method_independent_flags
 * All Flags are prefixed by CERT_REV_MI_, where _MI_ indicates
 * this is a method independent flag. (Do not mix them with the CERT_REV_M_
 * values above: the bit positions overlap but live in different words.)
 */

/*
 * This defines the order of checking.
 * EACH_METHOD_SEPARATELY means:
 *      Do all tests related to a particular allowed method
 *      (both local information and network fetching) in a single step.
 *      Only after testing for a particular method is done,
 *      then switching to the next method will happen.
 * ALL_LOCAL_INFORMATION_FIRST means:
 *      Start by testing the information for all allowed methods
 *      which are already locally available. Only after that is done
 *      consider to fetch from the network (as allowed by other flags).
 * EACH_METHOD_SEPARATELY is the cleared-bit state.
 */
#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0UL
#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1UL
andre@0: 
/*
 * Use this flag to specify that it's necessary that fresh information
 * is available for at least one of the allowed methods, but it's
 * irrelevant which of the mechanisms succeeded.
 * NO_OVERALL_INFO_REQUIREMENT means:
 *     We strictly follow the requirements for each individual method.
 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
 *     After the individual tests have been executed, we must have
 *     been able to find fresh information using at least one method.
 *     If we were unable to find fresh info, it's a failure.
 *     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
 *     flag on all methods.
 * NO_OVERALL_INFO_REQUIREMENT is the cleared-bit state, so without
 * REQUIRE_SOME_FRESH_INFO_AVAILABLE a chain can pass with no fresh
 * revocation information from any method.
 */
#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0UL
#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
andre@0: 
andre@0: 
/*
 * Revocation-checking policy for one class of certificates (leaf or chain;
 * see CERTRevocationFlags). The two counts below are the library's only way
 * to learn the length of the arrays they describe, so a count larger than the
 * allocation lets the library read past the end of the array; keep them in
 * sync with the allocations.
 */
typedef struct {
    /*
     * The size of the array that cert_rev_flags_per_method points to,
     * meaning, the number of methods that are known and defined
     * by the caller.
     */
    PRUint32 number_of_defined_methods;

    /*
     * A pointer to an array of PRUint64 words.
     * Each word defines revocation checking for a single method,
     *      by having individual CERT_REV_M_* bits set or not set.
     * The meaning of index numbers into this array are defined by
     *     enum CERTRevocationMethodIndex
     * The size of the array must be specified by the caller in the separate
     *     variable number_of_defined_methods.
     * The size of the array may be smaller than
     *     cert_revocation_method_count, it can happen if a caller
     *     is not yet aware of the latest revocation methods
     *     (or does not want to use them).
     * A zero word disables the method (CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD).
     */
    PRUint64 *cert_rev_flags_per_method;

    /*
     * How many preferred methods are specified?
     * This is equivalent to the size of the array that
     *      preferred_revocation_methods points to.
     * It's allowed to set this value to zero,
     *      then NSS will decide which methods to prefer.
     */
    PRUint32 number_of_preferred_methods;

    /* Array that may specify an optional order of preferred methods.
     * Each array entry shall contain a method identifier as defined
     *   by CERTRevocationMethodIndex.
     * The entry at index [0] specifies the method with highest preference.
     * These methods will be tested first for locally available information.
     * Methods allowed for downloading will be attempted in the same order.
     */
    CERTRevocationMethodIndex *preferred_methods;

    /*
     * An integer which defines certain aspects of revocation checking
     * (independent of individual methods) by having individual
     * CERT_REV_MI_* bits set or not set.
     */
    PRUint64 cert_rev_method_independent_flags;
} CERTRevocationTests;
andre@0: 
/*
 * Revocation policy passed via cert_pi_revocationFlags: one CERTRevocationTests
 * for the end-entity certificate and one for the intermediate CA certificates.
 */
typedef struct {
    CERTRevocationTests leafTests;
    CERTRevocationTests chainTests;
} CERTRevocationFlags;
andre@0: 
/*
 * Value of an input parameter; which union member is meaningful is dictated
 * by the CERTValParamInType it is paired with (see the enum comments).
 * The pointed-to objects stay owned by the caller and must outlive the
 * verification call. arraySize gives the element count for the array union
 * and is the only length information the library receives, so it must not
 * exceed the actual allocation.
 */
typedef struct CERTValParamInValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        PRTime time;
    } scalar;
    union {
        const void*    p;
        const char*    s;
        const CERTCertificate* cert;
        const CERTCertList *chain;
        const CERTRevocationFlags *revocation;
        const CERTChainVerifyCallback *chainVerifyCallback;
    } pointer;
    union {
        const PRInt32  *pi;
        const PRUint32 *pui;
        const PRInt64  *pl;
        const PRUint64 *pul;
        const SECOidTag *oids;
    } array;
    int arraySize;		/* element count of the array member in use */
} CERTValParamInValue;
andre@0: 
andre@0: 
/*
 * Value of an output parameter; the meaningful member is dictated by the
 * paired CERTValParamOutType. Per the CERTValParamOutType comment the verify
 * function allocates whatever pointer/array members it fills in and the caller
 * is responsible for freeing them.
 */
typedef struct CERTValParamOutValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        SECCertificateUsage usages;
    } scalar;
    union {
        void*    p;
        char*    s;
        CERTVerifyLog *log;
        CERTCertificate* cert;
        CERTCertList *chain;
    } pointer;
    union {
        void 	  *p;
        SECOidTag *oids;
    } array;
    int arraySize;		/* element count of the array member filled in */
} CERTValParamOutValue;
andre@0: 
/* One input parameter; arrays of these are terminated by type == cert_pi_end. */
typedef struct {
    CERTValParamInType type;
    CERTValParamInValue value;
} CERTValInParam;
andre@0: 
/* One output parameter; arrays of these are terminated by type == cert_po_end. */
typedef struct {
    CERTValParamOutType type;
    CERTValParamOutValue value;
} CERTValOutParam;
andre@0: 
/*
 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible.
 * Only CERT_N2A_INVERTIBLE promises a lossless round trip; the other two
 * trade invertibility for readability or RFC conformance.
 */
typedef enum CertStrictnessLevels {
    CERT_N2A_READABLE   =  0, /* maximum human readability */
    CERT_N2A_STRICT     = 10, /* strict RFC compliance    */
    CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
                                 all DirectoryStrings encoded in hex */
} CertStrictnessLevel;
andre@0: 
/*
 * policy flag defines
 * Bit flags for cert_pi_policyFlags (value.scalar.ul); they apply to every
 * OID passed in cert_pi_policyOID.
 */
#define CERT_POLICY_FLAG_NO_MAPPING    1
#define CERT_POLICY_FLAG_EXPLICIT      2
#define CERT_POLICY_FLAG_NO_ANY        4
andre@0: 
/*
 * CertStore flags
 * Bitmask for cert_pi_certStores (value.scalar.ui); each bit allows the
 * library to fetch certificates over the named protocol.
 */
#define CERT_ENABLE_LDAP_FETCH          1
#define CERT_ENABLE_HTTP_FETCH          2
andre@0: 
/* This function pointer type may be used for any function that takes
 * a CERTCertificate * and returns an allocated string, which must be
 * freed by a call to PORT_Free.
 */
typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
andre@0: 
andre@0: /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
andre@0: 
andre@0: #include "secasn1t.h"	/* way down here because I expect template stuff to
andre@0: 			 * move out of here anyway */
andre@0: 
andre@0: SEC_BEGIN_PROTOS
andre@0: 
/* ASN.1 templates for the certificate library's DER structures. They are
 * defined in the library's .c files; use the SEC_ASN1_CHOOSER accessors below
 * rather than these symbols when building against a Windows DLL. */
extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];

/* Names, CRLs and signed-data wrappers. */
extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];

/*
** XXX should the attribute stuff be centralized for all of ns/security?
*/
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
andre@0: 
/* These functions simply return the address of the above-declared templates.
** This is necessary for Windows DLLs.  Sigh.
** Note that only a subset of the templates above has a chooser; the others
** can only be reached through the extern symbols.
*/
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
andre@0: 
andre@0: SEC_END_PROTOS
andre@0: 
andre@0: #endif /* _CERTT_H_ */