andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: /* andre@0: * This file defines the public API for libpkix. These are the top-level andre@0: * functions in the library. They perform the primary operations of this andre@0: * library: building and validating chains of X.509 certificates. andre@0: * andre@0: */ andre@0: andre@0: #ifndef _PKIX_H andre@0: #define _PKIX_H andre@0: andre@0: #include "pkixt.h" andre@0: #include "pkix_util.h" andre@0: #include "pkix_results.h" andre@0: #include "pkix_certstore.h" andre@0: #include "pkix_certsel.h" andre@0: #include "pkix_crlsel.h" andre@0: #include "pkix_checker.h" andre@0: #include "pkix_revchecker.h" andre@0: #include "pkix_pl_system.h" andre@0: #include "pkix_pl_pki.h" andre@0: #include "pkix_params.h" andre@0: andre@0: #ifdef __cplusplus andre@0: extern "C" { andre@0: #endif andre@0: andre@0: /* General andre@0: * andre@0: * Please refer to the libpkix Programmer's Guide for detailed information andre@0: * about how to use the libpkix library. Certain key warnings and notices from andre@0: * that document are repeated here for emphasis. andre@0: * andre@0: * All identifiers in this file (and all public identifiers defined in andre@0: * libpkix) begin with "PKIX_". Private identifiers only intended for use andre@0: * within the library begin with "pkix_". andre@0: * andre@0: * A function returns NULL upon success, and a PKIX_Error pointer upon failure. andre@0: * andre@0: * Unless otherwise noted, for all accessor (gettor) functions that return a andre@0: * PKIX_PL_Object pointer, callers should assume that this pointer refers to a andre@0: * shared object. Therefore, the caller should treat this shared object as andre@0: * read-only and should not modify this shared object. When done using the andre@0: * shared object, the caller should release the reference to the object by andre@0: * using the PKIX_PL_Object_DecRef function. andre@0: * andre@0: * While a function is executing, if its arguments (or anything referred to by andre@0: * its arguments) are modified, free'd, or destroyed, the function's behavior andre@0: * is undefined. andre@0: * andre@0: */ andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_Initialize andre@0: * DESCRIPTION: andre@0: * andre@0: * No PKIX_* types and functions should be used before this function is called andre@0: * and returns successfully. This function should only be called once. If it andre@0: * is called more than once, the behavior is undefined. andre@0: * andre@0: * NSS applications are expected to call NSS_Init, and need not know that andre@0: * NSS will call this function (with "platformInitNeeded" set to PKIX_FALSE). andre@0: * PKIX applications are expected instead to call this function with andre@0: * "platformInitNeeded" set to PKIX_TRUE. andre@0: * andre@0: * This function initializes data structures critical to the operation of andre@0: * libpkix. It also ensures that the API version (major.minor) desired by the andre@0: * caller (the "desiredMajorVersion", "minDesiredMinorVersion", and andre@0: * "maxDesiredMinorVersion") is compatible with the API version supported by andre@0: * the library. As such, the library must support the "desiredMajorVersion" andre@0: * of the API and must support a minor version that falls between andre@0: * "minDesiredMinorVersion" and "maxDesiredMinorVersion", inclusive. If andre@0: * compatibility exists, the function returns NULL and stores the library's andre@0: * actual minor version at "pActualMinorVersion" (which may be greater than andre@0: * "desiredMinorVersion"). If no compatibility exists, the function returns a andre@0: * PKIX_Error pointer. If the caller wishes to specify that the largest andre@0: * minor version available should be used, then maxDesiredMinorVersion should andre@0: * be set to the macro PKIX_MAX_MINOR_VERSION (defined in pkixt.h). andre@0: * andre@0: * PARAMETERS: andre@0: * "platformInitNeeded" andre@0: * Boolean indicating whether the platform layer initialization code andre@0: * has previously been run, or should be called from this function. andre@0: * "desiredMajorVersion" andre@0: * The major version of the libpkix API the application wishes to use. andre@0: * "minDesiredMinorVersion" andre@0: * The minimum minor version of the libpkix API the application wishes andre@0: * to use. andre@0: * "maxDesiredMinorVersion" andre@0: * The maximum minor version of the libpkix API the application wishes andre@0: * to use. andre@0: * "pActualMinorVersion" andre@0: * Address where PKIX_UInt32 will be stored. Must be non-NULL. andre@0: * "pPlContext" andre@0: * Address at which platform-specific context pointer is stored. Must andre@0: * be non-NULL. andre@0: * THREAD SAFETY: andre@0: * Not Thread Safe andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns an Initialize Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_Initialize( andre@0: PKIX_Boolean platformInitNeeded, andre@0: PKIX_UInt32 desiredMajorVersion, andre@0: PKIX_UInt32 minDesiredMinorVersion, andre@0: PKIX_UInt32 maxDesiredMinorVersion, andre@0: PKIX_UInt32 *pActualMinorVersion, andre@0: void **pPlContext); andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_Shutdown andre@0: * DESCRIPTION: andre@0: * andre@0: * This function deallocates any memory used by libpkix and shuts down any andre@0: * ongoing operations. This function should only be called once. If it is andre@0: * called more than once, the behavior is undefined. andre@0: * andre@0: * No PKIX_* types and functions should be used after this function is called andre@0: * and returns successfully. andre@0: * PARAMETERS: andre@0: * "plContext" - Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Not Thread Safe andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_Shutdown(void *plContext); andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_ValidateChain andre@0: * DESCRIPTION: andre@0: * andre@0: * This function attempts to validate the CertChain that has been set in the andre@0: * ValidateParams pointed to by "params" using an RFC 3280-compliant andre@0: * algorithm. If successful, this function returns NULL and stores the andre@0: * ValidateResult at "pResult", which holds additional information, such as andre@0: * the policy tree and the target's public key. If unsuccessful, an Error is andre@0: * returned. Note: This function does not currently support non-blocking I/O. andre@0: * andre@0: * If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which andre@0: * tracks the results of the validation. That is, either each node in the andre@0: * chain has a NULL Error component, or the last node contains an Error andre@0: * which indicates why the validation failed. andre@0: * andre@0: * PARAMETERS: andre@0: * "params" andre@0: * Address of ValidateParams used to validate CertChain. Must be non-NULL. andre@0: * "pResult" andre@0: * Address where object pointer will be stored. Must be non-NULL. andre@0: * "pVerifyTree" andre@0: * Address where a VerifyTree is stored, if non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (See Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_ValidateChain( andre@0: PKIX_ValidateParams *params, andre@0: PKIX_ValidateResult **pResult, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext); andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_ValidateChain_NB andre@0: * DESCRIPTION: andre@0: * andre@0: * This function is the equivalent of PKIX_ValidateChain, except that it andre@0: * supports non-blocking I/O. When called with "pNBIOContext" pointing to NULL andre@0: * it initiates a new chain validation as in PKIX_ValidateChain, ignoring the andre@0: * value in all input variables except "params". If forced to suspend andre@0: * processing by a WOULDBLOCK return from some operation, such as a CertStore andre@0: * request, it stores the platform-dependent I/O context at "pNBIOContext" and andre@0: * stores other intermediate variables at "pCertIndex", "pAnchorIndex", andre@0: * "pCheckerIndex", "pRevChecking", and "pCheckers". andre@0: * andre@0: * When called subsequently with that non-NULL value at "pNBIOContext", it andre@0: * relies on those intermediate values to be untouched, and it resumes chain andre@0: * validation where it left off. Its behavior is undefined if any of the andre@0: * intermediate values was not preserved. andre@0: * andre@0: * PARAMETERS: andre@0: * "params" andre@0: * Address of ValidateParams used to validate CertChain. Must be non-NULL. andre@0: * "pCertIndex" andre@0: * The UInt32 value of the index to the Cert chain, indicating which Cert andre@0: * is currently being processed. andre@0: * "pAnchorIndex" andre@0: * The UInt32 value of the index to the Anchor chain, indicating which andre@0: * Trust Anchor is currently being processed. andre@0: * "pCheckerIndex" andre@0: * The UInt32 value of the index to the List of CertChainCheckers, andre@0: * indicating which Checker is currently processing. andre@0: * "pRevChecking" andre@0: * The Boolean flag indicating whether normal checking or revocation andre@0: * checking is occurring for the Cert indicated by "pCertIndex". andre@0: * "pCheckers" andre@0: * The address of the List of CertChainCheckers. Must be non-NULL. andre@0: * "pNBIOContext" andre@0: * The address of the platform-dependend I/O context. Must be a non-NULL andre@0: * pointer to a NULL value for the call to initiate chain validation. andre@0: * "pResult" andre@0: * Address where ValidateResult object pointer will be stored. Must be andre@0: * non-NULL. andre@0: * "pVerifyTree" andre@0: * Address where a VerifyTree is stored, if non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a VALIDATE Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */PKIX_Error * andre@0: PKIX_ValidateChain_NB( andre@0: PKIX_ValidateParams *params, andre@0: PKIX_UInt32 *pCertIndex, andre@0: PKIX_UInt32 *pAnchorIndex, andre@0: PKIX_UInt32 *pCheckerIndex, andre@0: PKIX_Boolean *pRevChecking, andre@0: PKIX_List **pCheckers, andre@0: void **pNBIOContext, andre@0: PKIX_ValidateResult **pResult, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext); andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_BuildChain andre@0: * DESCRIPTION: andre@0: * andre@0: * If called with a NULL "state", this function attempts to build and validate andre@0: * a CertChain according to the ProcessingParams pointed to by "params", using andre@0: * an RFC 3280-compliant validation algorithm. If successful, this function andre@0: * returns NULL and stores the BuildResult at "pResult", which holds the built andre@0: * CertChain, as well as additional information, such as the policy tree and andre@0: * the target's public key. If unsuccessful, an Error is returned. andre@0: * andre@0: * If the chain building is blocked by a CertStore using non-blocking I/O, this andre@0: * function stores platform-dependent non-blocking I/O context at andre@0: * "pNBIOContext", its state at "pState", and NULL at "pResult". The caller andre@0: * may be able to determine, in a platform-dependent way, when the I/O has andre@0: * completed. In any case, calling the function again with "pState" containing andre@0: * the returned value will allow the chain building to resume. andre@0: * andre@0: * If chain building is completed, either successfully or unsuccessfully, NULL andre@0: * is stored at "pNBIOContext". andre@0: * andre@0: * If "pVerifyTree" is non-NULL, a tree of VerifyNodes is created which andre@0: * tracks the results of the building. That is, each node of the tree either andre@0: * has a NULL Error component, or it is a leaf node and it contains an Error andre@0: * which indicates why the chain building could not proceed on this branch. andre@0: * andre@0: * PARAMETERS: andre@0: * "params" andre@0: * Address of ProcessingParams used to build and validate CertChain. andre@0: * Must be non-NULL. andre@0: * "pNBIOContext" andre@0: * Address where platform-dependent information is store if the build andre@0: * is suspended waiting for non-blocking I/O. Must be non-NULL. andre@0: * "pState" andre@0: * Address of BuildChain state. Must be NULL on initial call, and the andre@0: * value previously returned on subsequent calls. andre@0: * "pResult" andre@0: * Address where object pointer will be stored. Must be non-NULL. andre@0: * "pVerifyTree" andre@0: * Address where a VerifyTree is stored, if non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (See Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Build Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_BuildChain( andre@0: PKIX_ProcessingParams *params, andre@0: void **pNBIOContext, andre@0: void **pState, andre@0: PKIX_BuildResult **pResult, andre@0: PKIX_VerifyNode **pVerifyNode, andre@0: void *plContext); andre@0: andre@0: #ifdef __cplusplus andre@0: } andre@0: #endif andre@0: andre@0: #endif /* _PKIX_H */