/src/nss/lib/certdb/certt.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* This Source Code Form is subject to the terms of the Mozilla Public |
2 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | | /* |
5 | | * certt.h - public data structures for the certificate library |
6 | | */ |
7 | | #ifndef _CERTT_H_ |
8 | | #define _CERTT_H_ |
9 | | |
10 | | #include "prclist.h" |
11 | | #include "pkcs11t.h" |
12 | | #include "seccomon.h" |
13 | | #include "secmodt.h" |
14 | | #include "secoidt.h" |
15 | | #include "plarena.h" |
16 | | #include "prcvar.h" |
17 | | #include "nssilock.h" |
18 | | #include "prio.h" |
19 | | #include "prmon.h" |
20 | | |
21 | | /* Stan data types */ |
22 | | struct NSSCertificateStr; |
23 | | struct NSSTrustDomainStr; |
24 | | |
25 | | /* Non-opaque objects */ |
26 | | typedef struct CERTAVAStr CERTAVA; |
27 | | typedef struct CERTAttributeStr CERTAttribute; |
28 | | typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess; |
29 | | typedef struct CERTAuthKeyIDStr CERTAuthKeyID; |
30 | | typedef struct CERTBasicConstraintsStr CERTBasicConstraints; |
31 | | typedef struct NSSTrustDomainStr CERTCertDBHandle; |
32 | | typedef struct CERTCertExtensionStr CERTCertExtension; |
33 | | typedef struct CERTCertKeyStr CERTCertKey; |
34 | | typedef struct CERTCertListStr CERTCertList; |
35 | | typedef struct CERTCertListNodeStr CERTCertListNode; |
36 | | typedef struct CERTCertNicknamesStr CERTCertNicknames; |
37 | | typedef struct CERTCertTrustStr CERTCertTrust; |
38 | | typedef struct CERTCertDistrustStr CERTCertDistrust; |
39 | | typedef struct CERTCertificateStr CERTCertificate; |
40 | | typedef struct CERTCertificateListStr CERTCertificateList; |
41 | | typedef struct CERTCertificateRequestStr CERTCertificateRequest; |
42 | | typedef struct CERTCrlStr CERTCrl; |
43 | | typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints; |
44 | | typedef struct CERTCrlEntryStr CERTCrlEntry; |
45 | | typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode; |
46 | | typedef struct CERTCrlKeyStr CERTCrlKey; |
47 | | typedef struct CERTCrlNodeStr CERTCrlNode; |
48 | | typedef struct CERTDERCertsStr CERTDERCerts; |
49 | | typedef struct CERTDistNamesStr CERTDistNames; |
50 | | typedef struct CERTGeneralNameStr CERTGeneralName; |
51 | | typedef struct CERTGeneralNameListStr CERTGeneralNameList; |
52 | | typedef struct CERTIssuerAndSNStr CERTIssuerAndSN; |
53 | | typedef struct CERTNameStr CERTName; |
54 | | typedef struct CERTNameConstraintStr CERTNameConstraint; |
55 | | typedef struct CERTNameConstraintsStr CERTNameConstraints; |
56 | | typedef struct CERTOKDomainNameStr CERTOKDomainName; |
57 | | typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod; |
58 | | typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge; |
59 | | typedef struct CERTRDNStr CERTRDN; |
60 | | typedef struct CERTSignedCrlStr CERTSignedCrl; |
61 | | typedef struct CERTSignedDataStr CERTSignedData; |
62 | | typedef struct CERTStatusConfigStr CERTStatusConfig; |
63 | | typedef struct CERTSubjectListStr CERTSubjectList; |
64 | | typedef struct CERTSubjectNodeStr CERTSubjectNode; |
65 | | typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; |
66 | | typedef struct CERTValidityStr CERTValidity; |
67 | | typedef struct CERTVerifyLogStr CERTVerifyLog; |
68 | | typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode; |
69 | | typedef struct CRLDistributionPointStr CRLDistributionPoint; |
70 | | |
71 | | /* CRL extensions type */ |
72 | | typedef unsigned long CERTCrlNumber; |
73 | | |
74 | | /* |
75 | | ** An X.500 AVA object |
76 | | */ |
77 | | struct CERTAVAStr { |
78 | | SECItem type; |
79 | | SECItem value; |
80 | | }; |
81 | | |
82 | | /* |
83 | | ** An X.500 RDN object |
84 | | */ |
85 | | struct CERTRDNStr { |
86 | | CERTAVA **avas; |
87 | | }; |
88 | | |
89 | | /* |
90 | | ** An X.500 name object |
91 | | */ |
92 | | struct CERTNameStr { |
93 | | PLArenaPool *arena; |
94 | | CERTRDN **rdns; |
95 | | }; |
96 | | |
97 | | /* |
98 | | ** An X.509 validity object |
99 | | */ |
100 | | struct CERTValidityStr { |
101 | | PLArenaPool *arena; |
102 | | SECItem notBefore; |
103 | | SECItem notAfter; |
104 | | }; |
105 | | |
106 | | /* |
107 | | * A serial number and issuer name, which is used as a database key |
108 | | */ |
109 | | struct CERTCertKeyStr { |
110 | | SECItem serialNumber; |
111 | | SECItem derIssuer; |
112 | | }; |
113 | | |
114 | | /* |
115 | | ** A signed data object. Used to implement the "signed" macro used |
116 | | ** in the X.500 specs. |
117 | | */ |
118 | | struct CERTSignedDataStr { |
119 | | SECItem data; |
120 | | SECAlgorithmID signatureAlgorithm; |
121 | | SECItem signature; |
122 | | }; |
123 | | |
124 | | /* |
125 | | ** An X.509 subject-public-key-info object |
126 | | */ |
127 | | struct CERTSubjectPublicKeyInfoStr { |
128 | | PLArenaPool *arena; |
129 | | SECAlgorithmID algorithm; |
130 | | SECItem subjectPublicKey; |
131 | | }; |
132 | | |
133 | | struct CERTPublicKeyAndChallengeStr { |
134 | | SECItem spki; |
135 | | SECItem challenge; |
136 | | }; |
137 | | |
138 | | struct CERTCertTrustStr { |
139 | | unsigned int sslFlags; |
140 | | unsigned int emailFlags; |
141 | | unsigned int objectSigningFlags; |
142 | | }; |
143 | | |
144 | | /* |
145 | | * Distrust dates for specific certificate usages. |
146 | | * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be |
147 | | * compatible with the format of certdata.txt, other date fields in certs and |
148 | | * existing functions to read these dates. Clients should check the distrust |
149 | | * date in certificates to avoid trusting a CA for service they have ceased to |
150 | | * support */ |
151 | | struct CERTCertDistrustStr { |
152 | | SECItem serverDistrustAfter; |
153 | | SECItem emailDistrustAfter; |
154 | | }; |
155 | | |
156 | | /* |
157 | | * defined the types of trust that exist |
158 | | */ |
159 | | typedef enum SECTrustTypeEnum { |
160 | | trustSSL = 0, |
161 | | trustEmail = 1, |
162 | | trustObjectSigning = 2, |
163 | | trustTypeNone = 3 |
164 | | } SECTrustType; |
165 | | |
166 | | #define SEC_GET_TRUST_FLAGS(trust, type) \ |
167 | | (((type) == trustSSL) \ |
168 | | ? ((trust)->sslFlags) \ |
169 | | : (((type) == trustEmail) ? ((trust)->emailFlags) \ |
170 | | : (((type) == trustObjectSigning) \ |
171 | | ? ((trust)->objectSigningFlags) \ |
172 | | : 0))) |
173 | | |
174 | | /* |
175 | | ** An X.509.3 certificate extension |
176 | | */ |
177 | | struct CERTCertExtensionStr { |
178 | | SECItem id; |
179 | | SECItem critical; |
180 | | SECItem value; |
181 | | }; |
182 | | |
183 | | struct CERTSubjectNodeStr { |
184 | | struct CERTSubjectNodeStr *next; |
185 | | struct CERTSubjectNodeStr *prev; |
186 | | SECItem certKey; |
187 | | SECItem keyID; |
188 | | }; |
189 | | |
190 | | struct CERTSubjectListStr { |
191 | | PLArenaPool *arena; |
192 | | int ncerts; |
193 | | char *emailAddr; |
194 | | CERTSubjectNode *head; |
195 | | CERTSubjectNode *tail; /* do we need tail? */ |
196 | | void *entry; |
197 | | }; |
198 | | |
199 | | /* |
200 | | ** An X.509 certificate object (the unsigned form) |
201 | | */ |
202 | | struct CERTCertificateStr { |
203 | | /* the arena is used to allocate any data structures that have the same |
204 | | * lifetime as the cert. This is all stuff that hangs off of the cert |
205 | | * structure, and is all freed at the same time. It is used when the |
206 | | * cert is decoded, destroyed, and at some times when it changes |
207 | | * state |
208 | | */ |
209 | | PLArenaPool *arena; |
210 | | |
211 | | /* The following fields are static after the cert has been decoded */ |
212 | | char *subjectName; |
213 | | char *issuerName; |
214 | | CERTSignedData signatureWrap; /* XXX */ |
215 | | SECItem derCert; /* original DER for the cert */ |
216 | | SECItem derIssuer; /* DER for issuer name */ |
217 | | SECItem derSubject; /* DER for subject name */ |
218 | | SECItem derPublicKey; /* DER for the public key */ |
219 | | SECItem certKey; /* database key for this cert */ |
220 | | SECItem version; |
221 | | SECItem serialNumber; |
222 | | SECAlgorithmID signature; |
223 | | CERTName issuer; |
224 | | CERTValidity validity; |
225 | | CERTName subject; |
226 | | CERTSubjectPublicKeyInfo subjectPublicKeyInfo; |
227 | | SECItem issuerID; |
228 | | SECItem subjectID; |
229 | | CERTCertExtension **extensions; |
230 | | char *emailAddr; |
231 | | CERTCertDBHandle *dbhandle; |
232 | | SECItem subjectKeyID; /* x509v3 subject key identifier */ |
233 | | PRBool keyIDGenerated; /* was the keyid generated? */ |
234 | | unsigned int keyUsage; /* what uses are allowed for this cert */ |
235 | | unsigned int rawKeyUsage; /* value of the key usage extension */ |
236 | | PRBool keyUsagePresent; /* was the key usage extension present */ |
237 | | PRUint32 nsCertType; /* value of the ns cert type extension */ |
238 | | /* must be 32-bit for PR_ATOMIC_SET */ |
239 | | |
240 | | /* these values can be set by the application to bypass certain checks |
241 | | * or to keep the cert in memory for an entire session. |
242 | | * XXX - need an api to set these |
243 | | */ |
244 | | PRBool keepSession; /* keep this cert for entire session*/ |
245 | | PRBool timeOK; /* is the bad validity time ok? */ |
246 | | CERTOKDomainName *domainOK; /* these domain names are ok */ |
247 | | |
248 | | /* |
249 | | * these values can change when the cert changes state. These state |
250 | | * changes include transitions from temp to perm or vice-versa, and |
251 | | * changes of trust flags |
252 | | */ |
253 | | PRBool isperm; |
254 | | PRBool istemp; |
255 | | char *nickname; |
256 | | char *dbnickname; |
257 | | struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */ |
258 | | CERTCertTrust *trust; |
259 | | |
260 | | /* the reference count is modified whenever someone looks up, dups |
261 | | * or destroys a certificate |
262 | | */ |
263 | | int referenceCount; |
264 | | |
265 | | /* The subject list is a list of all certs with the same subject name. |
266 | | * It can be modified any time a cert is added or deleted from either |
267 | | * the in-memory(temporary) or on-disk(permanent) database. |
268 | | */ |
269 | | CERTSubjectList *subjectList; |
270 | | |
271 | | /* these belong in the static section, but are here to maintain |
272 | | * the structure's integrity |
273 | | */ |
274 | | CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */ |
275 | | PRBool isRoot; /* cert is the end of a chain */ |
276 | | |
277 | | /* these fields are used by client GUI code to keep track of ssl sockets |
278 | | * that are blocked waiting on GUI feedback related to this cert. |
279 | | * XXX - these should be moved into some sort of application specific |
280 | | * data structure. They are only used by the browser right now. |
281 | | */ |
282 | | union { |
283 | | void *apointer; /* was struct SECSocketNode* authsocketlist */ |
284 | | struct { |
285 | | unsigned int hasUnsupportedCriticalExt : 1; |
286 | | /* add any new option bits needed here */ |
287 | | } bits; |
288 | | } options; |
289 | | int series; /* was int authsocketcount; record the series of the pkcs11ID */ |
290 | | |
291 | | /* This is PKCS #11 stuff. */ |
292 | | PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ |
293 | | CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ |
294 | | PRBool ownSlot; /*true if the cert owns the slot reference */ |
295 | | /* These fields are used in nssckbi/builtins CAs. */ |
296 | | CERTCertDistrust *distrust; |
297 | | }; |
298 | | #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ |
299 | | #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ |
300 | 0 | #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ |
301 | | |
302 | 0 | #define SEC_CRL_VERSION_1 0 /* default */ |
303 | 0 | #define SEC_CRL_VERSION_2 1 /* v2 extensions */ |
304 | | |
305 | | /* |
306 | | * used to identify class of cert in mime stream code |
307 | | */ |
308 | | #define SEC_CERT_CLASS_CA 1 |
309 | | #define SEC_CERT_CLASS_SERVER 2 |
310 | | #define SEC_CERT_CLASS_USER 3 |
311 | | #define SEC_CERT_CLASS_EMAIL 4 |
312 | | |
313 | | struct CERTDERCertsStr { |
314 | | PLArenaPool *arena; |
315 | | int numcerts; |
316 | | SECItem *rawCerts; |
317 | | }; |
318 | | |
319 | | /* |
320 | | ** A PKCS ? Attribute |
321 | | ** XXX this is duplicated through out the code, it *should* be moved |
322 | | ** to a central location. Where would be appropriate? |
323 | | */ |
324 | | struct CERTAttributeStr { |
325 | | SECItem attrType; |
326 | | SECItem **attrValue; |
327 | | }; |
328 | | |
329 | | /* |
330 | | ** A PKCS#10 certificate-request object (the unsigned form) |
331 | | */ |
332 | | struct CERTCertificateRequestStr { |
333 | | PLArenaPool *arena; |
334 | | SECItem version; |
335 | | CERTName subject; |
336 | | CERTSubjectPublicKeyInfo subjectPublicKeyInfo; |
337 | | CERTAttribute **attributes; |
338 | | }; |
339 | | #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */ |
340 | | |
341 | | /* |
342 | | ** A certificate list object. |
343 | | */ |
344 | | struct CERTCertificateListStr { |
345 | | SECItem *certs; |
346 | | int len; /* number of certs */ |
347 | | PLArenaPool *arena; |
348 | | }; |
349 | | |
350 | | struct CERTCertListNodeStr { |
351 | | PRCList links; |
352 | | CERTCertificate *cert; |
353 | | void *appData; |
354 | | }; |
355 | | |
356 | | struct CERTCertListStr { |
357 | | PRCList list; |
358 | | PLArenaPool *arena; |
359 | | }; |
360 | | |
361 | 0 | #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list)) |
362 | | #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) |
363 | 0 | #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next) |
364 | 0 | #define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list)) |
365 | 0 | #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l) |
366 | | |
367 | | struct CERTCrlEntryStr { |
368 | | SECItem serialNumber; |
369 | | SECItem revocationDate; |
370 | | CERTCertExtension **extensions; |
371 | | }; |
372 | | |
373 | | struct CERTCrlStr { |
374 | | PLArenaPool *arena; |
375 | | SECItem version; |
376 | | SECAlgorithmID signatureAlg; |
377 | | SECItem derName; |
378 | | CERTName name; |
379 | | SECItem lastUpdate; |
380 | | SECItem nextUpdate; /* optional for x.509 CRL */ |
381 | | CERTCrlEntry **entries; |
382 | | CERTCertExtension **extensions; |
383 | | /* can't add anything there for binary backwards compatibility reasons */ |
384 | | }; |
385 | | |
386 | | struct CERTCrlKeyStr { |
387 | | SECItem derName; |
388 | | SECItem dummy; /* The decoder can not skip a primitive, |
389 | | this serves as a place holder for the |
390 | | decoder to finish its task only |
391 | | */ |
392 | | }; |
393 | | |
394 | | struct CERTSignedCrlStr { |
395 | | PLArenaPool *arena; |
396 | | CERTCrl crl; |
397 | | void *reserved1; |
398 | | PRBool reserved2; |
399 | | PRBool isperm; |
400 | | PRBool istemp; |
401 | | int referenceCount; |
402 | | CERTCertDBHandle *dbhandle; |
403 | | CERTSignedData signatureWrap; /* XXX */ |
404 | | char *url; |
405 | | SECItem *derCrl; |
406 | | PK11SlotInfo *slot; |
407 | | CK_OBJECT_HANDLE pkcs11ID; |
408 | | void *opaque; /* do not touch */ |
409 | | }; |
410 | | |
411 | | struct CERTCrlHeadNodeStr { |
412 | | PLArenaPool *arena; |
413 | | CERTCertDBHandle *dbhandle; |
414 | | CERTCrlNode *first; |
415 | | CERTCrlNode *last; |
416 | | }; |
417 | | |
418 | | struct CERTCrlNodeStr { |
419 | | CERTCrlNode *next; |
420 | | int type; |
421 | | CERTSignedCrl *crl; |
422 | | }; |
423 | | |
424 | | /* |
425 | | * Array of X.500 Distinguished Names |
426 | | */ |
427 | | struct CERTDistNamesStr { |
428 | | PLArenaPool *arena; |
429 | | int nnames; |
430 | | SECItem *names; |
431 | | void *head; /* private */ |
432 | | }; |
433 | | |
434 | | /* |
435 | | * NS_CERT_TYPE defines are used in two areas: |
436 | | * 1) The old NSS Cert Type Extension, which is a certificate extension in the |
437 | | * actual cert. It was created before the x509 Extended Key Usage Extension, |
438 | | * which has now taken over it's function. This field is only 8 bits wide |
439 | | * 2) The nsCertType entry in the CERTCertificate structure. This field is |
440 | | * 32 bits wide. |
441 | | * Any entries in this table greater than 0x80 will not be able to be encoded |
442 | | * in an NSS Cert Type Extension, but can still be represented internally in |
443 | | * the nsCertType field. |
444 | | */ |
445 | 0 | #define NS_CERT_TYPE_IPSEC_CA (0x200) /* outside the NS Cert Type Extenstion */ |
446 | 0 | #define NS_CERT_TYPE_IPSEC (0x100) /* outside the NS Cert Type Extenstion */ |
447 | 0 | #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
448 | 0 | #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
449 | 0 | #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ |
450 | 0 | #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
451 | | #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
452 | 0 | #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ |
453 | 0 | #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
454 | 0 | #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
455 | | |
456 | 0 | #define EXT_KEY_USAGE_TIME_STAMP (0x8000) |
457 | 0 | #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000) |
458 | | |
459 | | #define NS_CERT_TYPE_APP \ |
460 | | (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ |
461 | | NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING) |
462 | | |
463 | | #define NS_CERT_TYPE_CA \ |
464 | | (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \ |
465 | | NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \ |
466 | | NS_CERT_TYPE_IPSEC_CA) |
467 | | typedef enum SECCertUsageEnum { |
468 | | certUsageSSLClient = 0, |
469 | | certUsageSSLServer = 1, |
470 | | certUsageSSLServerWithStepUp = 2, |
471 | | certUsageSSLCA = 3, |
472 | | certUsageEmailSigner = 4, |
473 | | certUsageEmailRecipient = 5, |
474 | | certUsageObjectSigner = 6, |
475 | | certUsageUserCertImport = 7, |
476 | | certUsageVerifyCA = 8, |
477 | | certUsageProtectedObjectSigner = 9, |
478 | | certUsageStatusResponder = 10, |
479 | | certUsageAnyCA = 11, |
480 | | certUsageIPsec = 12 |
481 | | } SECCertUsage; |
482 | | |
483 | | typedef PRInt64 SECCertificateUsage; |
484 | | |
485 | | #define certificateUsageCheckAllUsages (0x0000) |
486 | | #define certificateUsageSSLClient (0x0001) |
487 | | #define certificateUsageSSLServer (0x0002) |
488 | | #define certificateUsageSSLServerWithStepUp (0x0004) |
489 | | #define certificateUsageSSLCA (0x0008) |
490 | | #define certificateUsageEmailSigner (0x0010) |
491 | | #define certificateUsageEmailRecipient (0x0020) |
492 | | #define certificateUsageObjectSigner (0x0040) |
493 | | #define certificateUsageUserCertImport (0x0080) |
494 | | #define certificateUsageVerifyCA (0x0100) |
495 | | #define certificateUsageProtectedObjectSigner (0x0200) |
496 | | #define certificateUsageStatusResponder (0x0400) |
497 | | #define certificateUsageAnyCA (0x0800) |
498 | | #define certificateUsageIPsec (0x1000) |
499 | | |
500 | | #define certificateUsageHighest certificateUsageIPsec |
501 | | |
502 | | /* |
503 | | * Does the cert belong to the user, a peer, or a CA. |
504 | | */ |
505 | | typedef enum CERTCertOwnerEnum { |
506 | | certOwnerUser = 0, |
507 | | certOwnerPeer = 1, |
508 | | certOwnerCA = 2 |
509 | | } CERTCertOwner; |
510 | | |
511 | | /* |
512 | | * This enum represents the state of validity times of a certificate |
513 | | */ |
514 | | typedef enum SECCertTimeValidityEnum { |
515 | | secCertTimeValid = 0, |
516 | | secCertTimeExpired = 1, |
517 | | secCertTimeNotValidYet = 2, |
518 | | secCertTimeUndetermined = 3 /* validity could not be decoded from the |
519 | | cert, most likely because it was NULL */ |
520 | | } SECCertTimeValidity; |
521 | | |
522 | | /* |
523 | | * This is used as return status in functions that compare the validity |
524 | | * periods of two certificates A and B, currently only |
525 | | * CERT_CompareValidityTimes. |
526 | | */ |
527 | | |
528 | | typedef enum CERTCompareValidityStatusEnum { |
529 | | certValidityUndetermined = 0, /* the function is unable to select one cert |
530 | | over another */ |
531 | | certValidityChooseB = 1, /* cert B should be preferred */ |
532 | | certValidityEqual = 2, /* both certs have the same validity period */ |
533 | | certValidityChooseA = 3 /* cert A should be preferred */ |
534 | | } CERTCompareValidityStatus; |
535 | | |
536 | | /* |
537 | | * Interface for getting certificate nickname strings out of the database |
538 | | */ |
539 | | |
540 | | /* these are values for the what argument below */ |
541 | | #define SEC_CERT_NICKNAMES_ALL 1 |
542 | | #define SEC_CERT_NICKNAMES_USER 2 |
543 | | #define SEC_CERT_NICKNAMES_SERVER 3 |
544 | | #define SEC_CERT_NICKNAMES_CA 4 |
545 | | |
546 | | struct CERTCertNicknamesStr { |
547 | | PLArenaPool *arena; |
548 | | void *head; |
549 | | int numnicknames; |
550 | | char **nicknames; |
551 | | int what; |
552 | | int totallen; |
553 | | }; |
554 | | |
555 | | struct CERTIssuerAndSNStr { |
556 | | SECItem derIssuer; |
557 | | CERTName issuer; |
558 | | SECItem serialNumber; |
559 | | }; |
560 | | |
561 | | /* X.509 v3 Key Usage Extension flags */ |
562 | 0 | #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ |
563 | 0 | #define KU_NON_REPUDIATION (0x40) /* bit 1 */ |
564 | 0 | #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ |
565 | 0 | #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ |
566 | 0 | #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ |
567 | 0 | #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ |
568 | 0 | #define KU_CRL_SIGN (0x02) /* bit 6 */ |
569 | 0 | #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */ |
570 | | #define KU_ALL \ |
571 | 0 | (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \ |
572 | 0 | KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \ |
573 | 0 | KU_CRL_SIGN | KU_ENCIPHER_ONLY) |
574 | | |
575 | | /* This value will not occur in certs. It is used internally for the case |
576 | | * when either digital signature or non-repudiation is the correct value. |
577 | | */ |
578 | 0 | #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000) |
579 | | |
580 | | /* This value will not occur in certs. It is used internally for the case |
581 | | * when the key type is not know ahead of time and either key agreement or |
582 | | * key encipherment are the correct value based on key type |
583 | | */ |
584 | 0 | #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000) |
585 | | |
586 | | /* internal bits that do not match bits in the x509v3 spec, but are used |
587 | | * for similar purposes |
588 | | */ |
589 | 0 | #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/ |
590 | | /* |
591 | | * x.509 v3 Basic Constraints Extension |
592 | | * If isCA is false, the pathLenConstraint is ignored. |
593 | | * Otherwise, the following pathLenConstraint values will apply: |
594 | | * < 0 - there is no limit to the certificate path |
595 | | * 0 - CA can issues end-entity certificates only |
596 | | * > 0 - the number of certificates in the certificate path is |
597 | | * limited to this number |
598 | | */ |
599 | 0 | #define CERT_UNLIMITED_PATH_CONSTRAINT -2 |
600 | | |
601 | | struct CERTBasicConstraintsStr { |
602 | | PRBool isCA; /* on if is CA */ |
603 | | int pathLenConstraint; /* maximum number of certificates that can be |
604 | | in the cert path. Only applies to a CA |
605 | | certificate; otherwise, it's ignored. |
606 | | */ |
607 | | }; |
608 | | |
609 | | /* Maximum length of a certificate chain */ |
610 | | #define CERT_MAX_CERT_CHAIN 20 |
611 | | |
612 | | #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */ |
613 | | #define CERT_MAX_DN_BYTES 4096 /* arbitrary */ |
614 | | |
615 | | /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */ |
616 | | #define RF_UNUSED (0x80) /* bit 0 */ |
617 | | #define RF_KEY_COMPROMISE (0x40) /* bit 1 */ |
618 | | #define RF_CA_COMPROMISE (0x20) /* bit 2 */ |
619 | | #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */ |
620 | | #define RF_SUPERSEDED (0x08) /* bit 4 */ |
621 | | #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */ |
622 | | #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */ |
623 | | |
624 | | /* enum for CRL Entry Reason Code */ |
625 | | typedef enum CERTCRLEntryReasonCodeEnum { |
626 | | crlEntryReasonUnspecified = 0, |
627 | | crlEntryReasonKeyCompromise = 1, |
628 | | crlEntryReasonCaCompromise = 2, |
629 | | crlEntryReasonAffiliationChanged = 3, |
630 | | crlEntryReasonSuperseded = 4, |
631 | | crlEntryReasonCessationOfOperation = 5, |
632 | | crlEntryReasoncertificatedHold = 6, |
633 | | crlEntryReasonRemoveFromCRL = 8, |
634 | | crlEntryReasonPrivilegeWithdrawn = 9, |
635 | | crlEntryReasonAaCompromise = 10 |
636 | | } CERTCRLEntryReasonCode; |
637 | | |
638 | | /* If we needed to extract the general name field, use this */ |
639 | | /* General Name types */ |
640 | | typedef enum CERTGeneralNameTypeEnum { |
641 | | certOtherName = 1, |
642 | | certRFC822Name = 2, |
643 | | certDNSName = 3, |
644 | | certX400Address = 4, |
645 | | certDirectoryName = 5, |
646 | | certEDIPartyName = 6, |
647 | | certURI = 7, |
648 | | certIPAddress = 8, |
649 | | certRegisterID = 9 |
650 | | } CERTGeneralNameType; |
651 | | |
652 | | typedef struct OtherNameStr { |
653 | | SECItem name; |
654 | | SECItem oid; |
655 | | } OtherName; |
656 | | |
657 | | struct CERTGeneralNameStr { |
658 | | CERTGeneralNameType type; /* name type */ |
659 | | union { |
660 | | CERTName directoryName; /* distinguish name */ |
661 | | OtherName OthName; /* Other Name */ |
662 | | SECItem other; /* the rest of the name forms */ |
663 | | } name; |
664 | | SECItem derDirectoryName; /* this is saved to simplify directory name |
665 | | comparison */ |
666 | | PRCList l; |
667 | | }; |
668 | | |
669 | | struct CERTGeneralNameListStr { |
670 | | PLArenaPool *arena; |
671 | | CERTGeneralName *name; |
672 | | int refCount; |
673 | | int len; |
674 | | PZLock *lock; |
675 | | }; |
676 | | |
677 | | struct CERTNameConstraintStr { |
678 | | CERTGeneralName name; |
679 | | SECItem DERName; |
680 | | SECItem min; |
681 | | SECItem max; |
682 | | PRCList l; |
683 | | }; |
684 | | |
685 | | struct CERTNameConstraintsStr { |
686 | | CERTNameConstraint *permited; |
687 | | CERTNameConstraint *excluded; |
688 | | SECItem **DERPermited; |
689 | | SECItem **DERExcluded; |
690 | | }; |
691 | | |
692 | | /* Private Key Usage Period extension struct. */ |
693 | | struct CERTPrivKeyUsagePeriodStr { |
694 | | SECItem notBefore; |
695 | | SECItem notAfter; |
696 | | PLArenaPool *arena; |
697 | | }; |
698 | | |
699 | | /* X.509 v3 Authority Key Identifier extension. For the authority certificate |
700 | | issuer field, we only support URI now. |
701 | | */ |
702 | | struct CERTAuthKeyIDStr { |
703 | | SECItem keyID; /* unique key identifier */ |
704 | | CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */ |
705 | | SECItem authCertSerialNumber; /* CA's certificate serial number */ |
706 | | SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of |
707 | | the authCertIssuer field. It is used |
708 | | by the encoding engine. It should be |
709 | | used as a read only field by the caller. |
710 | | */ |
711 | | }; |
712 | | |
713 | | /* x.509 v3 CRL Distributeion Point */ |
714 | | |
715 | | /* |
716 | | * defined the types of CRL Distribution points |
717 | | */ |
718 | | typedef enum DistributionPointTypesEnum { |
719 | | generalName = 1, /* only support this for now */ |
720 | | relativeDistinguishedName = 2 |
721 | | } DistributionPointTypes; |
722 | | |
723 | | struct CRLDistributionPointStr { |
724 | | DistributionPointTypes distPointType; |
725 | | union { |
726 | | CERTGeneralName *fullName; |
727 | | CERTRDN relativeName; |
728 | | } distPoint; |
729 | | SECItem reasons; |
730 | | CERTGeneralName *crlIssuer; |
731 | | |
732 | | /* Reserved for internal use only*/ |
733 | | SECItem derDistPoint; |
734 | | SECItem derRelativeName; |
735 | | SECItem **derCrlIssuer; |
736 | | SECItem **derFullName; |
737 | | SECItem bitsmap; |
738 | | }; |
739 | | |
740 | | struct CERTCrlDistributionPointsStr { |
741 | | CRLDistributionPoint **distPoints; |
742 | | }; |
743 | | |
744 | | /* |
745 | | * This structure is used to keep a log of errors when verifying |
746 | | * a cert chain. This allows multiple errors to be reported all at |
747 | | * once. |
748 | | */ |
749 | | struct CERTVerifyLogNodeStr { |
750 | | CERTCertificate *cert; /* what cert had the error */ |
751 | | long error; /* what error was it? */ |
752 | | unsigned int depth; /* how far up the chain are we */ |
753 | | void *arg; /* error specific argument */ |
754 | | struct CERTVerifyLogNodeStr *next; /* next in the list */ |
755 | | struct CERTVerifyLogNodeStr *prev; /* next in the list */ |
756 | | }; |
757 | | |
758 | | struct CERTVerifyLogStr { |
759 | | PLArenaPool *arena; |
760 | | unsigned int count; |
761 | | struct CERTVerifyLogNodeStr *head; |
762 | | struct CERTVerifyLogNodeStr *tail; |
763 | | }; |
764 | | |
765 | | struct CERTOKDomainNameStr { |
766 | | CERTOKDomainName *next; |
767 | | char *name; |
768 | | }; |
769 | | |
770 | | typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle, |
771 | | CERTCertificate *cert, |
772 | | PRTime time, void *pwArg); |
773 | | |
774 | | typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle); |
775 | | |
776 | | struct CERTStatusConfigStr { |
777 | | CERTStatusChecker statusChecker; /* NULL means no checking enabled */ |
778 | | CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */ |
779 | | void *statusContext; /* cx specific to checking protocol */ |
780 | | }; |
781 | | |
782 | | struct CERTAuthInfoAccessStr { |
783 | | SECItem method; |
784 | | SECItem derLocation; |
785 | | CERTGeneralName *location; /* decoded location */ |
786 | | }; |
787 | | |
788 | | /* This is the typedef for the callback passed to CERT_OpenCertDB() */ |
789 | | /* callback to return database name based on version number */ |
790 | | typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion); |
791 | | |
792 | | /* |
793 | | * types of cert packages that we can decode |
794 | | */ |
795 | | typedef enum CERTPackageTypeEnum { |
796 | | certPackageNone = 0, |
797 | | certPackageCert = 1, |
798 | | certPackagePKCS7 = 2, |
799 | | certPackageNSCertSeq = 3, |
800 | | certPackageNSCertWrap = 4 |
801 | | } CERTPackageType; |
802 | | |
803 | | /* |
804 | | * these types are for the PKIX Certificate Policies extension |
805 | | */ |
806 | | typedef struct { |
807 | | SECOidTag oid; |
808 | | SECItem qualifierID; |
809 | | SECItem qualifierValue; |
810 | | } CERTPolicyQualifier; |
811 | | |
812 | | typedef struct { |
813 | | SECOidTag oid; |
814 | | SECItem policyID; |
815 | | CERTPolicyQualifier **policyQualifiers; |
816 | | } CERTPolicyInfo; |
817 | | |
818 | | typedef struct { |
819 | | PLArenaPool *arena; |
820 | | CERTPolicyInfo **policyInfos; |
821 | | } CERTCertificatePolicies; |
822 | | |
823 | | typedef struct { |
824 | | SECItem organization; |
825 | | SECItem **noticeNumbers; |
826 | | } CERTNoticeReference; |
827 | | |
828 | | typedef struct { |
829 | | PLArenaPool *arena; |
830 | | CERTNoticeReference noticeReference; |
831 | | SECItem derNoticeReference; |
832 | | SECItem displayText; |
833 | | } CERTUserNotice; |
834 | | |
835 | | typedef struct { |
836 | | PLArenaPool *arena; |
837 | | SECItem **oids; |
838 | | } CERTOidSequence; |
839 | | |
840 | | /* |
841 | | * these types are for the PKIX Policy Mappings extension |
842 | | */ |
843 | | typedef struct { |
844 | | SECItem issuerDomainPolicy; |
845 | | SECItem subjectDomainPolicy; |
846 | | } CERTPolicyMap; |
847 | | |
848 | | typedef struct { |
849 | | PLArenaPool *arena; |
850 | | CERTPolicyMap **policyMaps; |
851 | | } CERTCertificatePolicyMappings; |
852 | | |
853 | | /* |
854 | | * these types are for the PKIX inhibitAnyPolicy extension |
855 | | */ |
856 | | typedef struct { |
857 | | SECItem inhibitAnySkipCerts; |
858 | | } CERTCertificateInhibitAny; |
859 | | |
860 | | /* |
861 | | * these types are for the PKIX Policy Constraints extension |
862 | | */ |
863 | | typedef struct { |
864 | | SECItem explicitPolicySkipCerts; |
865 | | SECItem inhibitMappingSkipCerts; |
866 | | } CERTCertificatePolicyConstraints; |
867 | | |
868 | | /* |
869 | | * These types are for the validate chain callback param. |
870 | | * |
871 | | * CERTChainVerifyCallback is an application-supplied callback that can be used |
872 | | * to augment libpkix's certificate chain validation with additional |
873 | | * application-specific checks. It may be called multiple times if there are |
874 | | * multiple potentially-valid paths for the certificate being validated. This |
875 | | * callback is called before revocation checking is done on the certificates in |
876 | | * the given chain. |
877 | | * |
878 | | * - isValidChainArg contains the application-provided opaque argument |
879 | | * - currentChain is the currently validated chain. It is ordered with the leaf |
880 | | * certificate at the head and the trust anchor at the tail. |
881 | | * |
882 | | * The callback should set *chainOK = PR_TRUE and return SECSuccess if the |
883 | | * certificate chain is acceptable. It should set *chainOK = PR_FALSE and |
884 | | * return SECSuccess if the chain is unacceptable, to indicate that the given |
885 | | * chain is bad and path building should continue. It should return SECFailure |
886 | | * to indicate an fatal error that will cause path validation to fail |
887 | | * immediately. |
888 | | */ |
889 | | typedef SECStatus (*CERTChainVerifyCallbackFunc)( |
890 | | void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK); |
891 | | |
892 | | /* |
893 | | * Note: If extending this structure, it will be necessary to change the |
894 | | * associated CERTValParamInType |
895 | | */ |
896 | | typedef struct { |
897 | | CERTChainVerifyCallbackFunc isChainValid; |
898 | | void *isChainValidArg; |
899 | | } CERTChainVerifyCallback; |
900 | | |
901 | | /* |
902 | | * these types are for the CERT_PKIX* Verification functions |
903 | | * These are all optional parameters. |
904 | | */ |
905 | | |
906 | | typedef enum { |
907 | | cert_pi_end = 0, /* SPECIAL: signifies end of array of |
908 | | * CERTValParam* */ |
909 | | cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to |
910 | | * resume a session. If this argument is |
911 | | * specified, no other arguments should be. |
912 | | * Specified in value.pointer.p. If the |
913 | | * operation completes the context will be |
914 | | * freed. */ |
915 | | cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an |
916 | | * existing operation which the caller wants |
917 | | * to abort. If this argument is |
918 | | * specified, no other arguments should be. |
919 | | * Specified in value.pointer.p. If the |
920 | | * operation succeeds the context will be |
921 | | * freed. */ |
922 | | cert_pi_certList = 3, /* specify the chain to validate against. If |
923 | | * this value is given, then the path |
924 | | * construction step in the validation is |
925 | | * skipped. Specified in value.pointer.chain */ |
926 | | cert_pi_policyOID = 4, /* validate certificate for policy OID. |
927 | | * Specified in value.array.oids. Cert must |
928 | | * be good for at least one OID in order |
929 | | * to validate. Default is that the user is not |
930 | | * concerned about certificate policy. */ |
931 | | cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID. |
932 | | * Specified in value.scalar.ul. Policy flags |
933 | | * apply to all specified oids. |
934 | | * Use CERT_POLICY_FLAG_* macros below. If not |
935 | | * specified policy flags default to 0 */ |
936 | | cert_pi_keyusage = 6, /* specify what the keyusages the certificate |
937 | | * will be evaluated against, specified in |
938 | | * value.scalar.ui. The cert must validate for |
939 | | * at least one of the specified key usages. |
940 | | * Values match the KU_ bit flags defined |
941 | | * in this file. Default is derived from |
942 | | * the 'usages' function argument */ |
943 | | cert_pi_extendedKeyusage = 7, /* specify what the required extended key |
944 | | * usage of the certificate. Specified as |
945 | | * an array of oidTags in value.array.oids. |
946 | | * The cert must validate for at least one |
947 | | * of the specified extended key usages. |
948 | | * If not specified, no extended key usages |
949 | | * will be checked. */ |
950 | | cert_pi_date = 8, /* validate certificate is valid as of date |
951 | | * specified in value.scalar.time. A special |
952 | | * value '0' indicates 'now'. default is '0' */ |
953 | | cert_pi_revocationFlags = 9, /* Specify what revocation checking to do. |
954 | | * See CERT_REV_FLAG_* macros below |
955 | | * Set in value.pointer.revocation */ |
956 | | cert_pi_certStores = 10, /* Bitmask of Cert Store flags (see below) |
957 | | * Set in value.scalar.ui */ |
958 | | cert_pi_trustAnchors = |
959 | | 11, /* Specify the list of trusted roots to |
960 | | * validate against. |
961 | | * The default set of trusted roots, these are |
962 | | * root CA certs from libnssckbi.so or CA |
963 | | * certs trusted by user, are used in any of |
964 | | * the following cases: |
965 | | * * when the parameter is not set. |
966 | | * * when the list of trust anchors is |
967 | | * empty. |
968 | | * Note that this handling can be further |
969 | | * altered by altering the |
970 | | * cert_pi_useOnlyTrustAnchors flag |
971 | | * Specified in value.pointer.chain */ |
972 | | cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension. |
973 | | * In NSS 3.12.1 or later. Default is off. |
974 | | * Value is in value.scalar.b */ |
975 | | cert_pi_chainVerifyCallback = 13, |
976 | | /* The callback container for doing extra |
977 | | * validation on the currently calculated chain. |
978 | | * Value is in value.pointer.chainVerifyCallback */ |
979 | | cert_pi_useOnlyTrustAnchors = 14, |
980 | | /* If true, disables trusting any |
981 | | * certificates other than the ones passed in via cert_pi_trustAnchors. |
982 | | * If false, then the certificates specified via cert_pi_trustAnchors |
983 | | * will be combined with the pre-existing trusted roots, but only |
984 | | * for the certificate validation being performed. |
985 | | * If no value has been supplied via cert_pi_trustAnchors, this has |
986 | | * no effect. |
987 | | * The default value is true, meaning if this is not supplied, only |
988 | | * trust anchors supplied via cert_pi_trustAnchors are trusted. |
989 | | * Specified in value.scalar.b */ |
990 | | cert_pi_max /* SPECIAL: signifies maximum allowed value, |
991 | | * can increase in future releases */ |
992 | | } CERTValParamInType; |
993 | | |
994 | | /* |
995 | | * for all out parameters: |
996 | | * out parameters are only returned if the caller asks for them in |
997 | | * the CERTValOutParam array. Caller is responsible for the CERTValOutParam |
998 | | * array itself. The pkix verify function will allocate and other arrays |
999 | | * pointers, or objects. The Caller is responsible for freeing those results. |
1000 | | * If SECWouldBlock is returned, only cert_pi_nbioContext is returned. |
1001 | | */ |
1002 | | typedef enum { |
1003 | | cert_po_end = 0, /* SPECIAL: signifies end of array of |
1004 | | * CERTValParam* */ |
1005 | | cert_po_nbioContext = 1, /* Return a nonblocking context. If no |
1006 | | * non-blocking context is specified, then |
1007 | | * blocking IO will be used. |
1008 | | * Returned in value.pointer.p. The context is |
1009 | | * freed after an abort or a complete operation. |
1010 | | * This value is only returned on SECWouldBlock. |
1011 | | */ |
1012 | | cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that |
1013 | | * was validated. Returned in |
1014 | | * value.pointer.cert, this value is only |
1015 | | * returned on SECSuccess. */ |
1016 | | cert_po_certList = 3, /* Return the entire chain that was validated. |
1017 | | * Returned in value.pointer.certList. If no |
1018 | | * chain could be constructed, this value |
1019 | | * would be NULL. */ |
1020 | | cert_po_policyOID = 4, /* Return the policies that were found to be |
1021 | | * valid. Returned in value.array.oids as an |
1022 | | * array. This is only returned on |
1023 | | * SECSuccess. */ |
1024 | | cert_po_errorLog = 5, /* Return a log of problems with the chain. |
1025 | | * Returned in value.pointer.log */ |
1026 | | cert_po_usages = 6, /* Return what usages the certificate is valid |
1027 | | for. Returned in value.scalar.usages */ |
1028 | | cert_po_keyUsage = 7, /* Return what key usages the certificate |
1029 | | * is valid for. |
1030 | | * Returned in value.scalar.usage */ |
1031 | | cert_po_extendedKeyusage = 8, /* Return what extended key usages the |
1032 | | * certificate is valid for. |
1033 | | * Returned in value.array.oids */ |
1034 | | cert_po_max /* SPECIAL: signifies maximum allowed value, |
1035 | | * can increase in future releases */ |
1036 | | |
1037 | | } CERTValParamOutType; |
1038 | | |
1039 | | typedef enum { |
1040 | | cert_revocation_method_crl = 0, |
1041 | | cert_revocation_method_ocsp, |
1042 | | cert_revocation_method_count |
1043 | | } CERTRevocationMethodIndex; |
1044 | | |
1045 | | /* |
1046 | | * The following flags are supposed to be used to control bits in |
1047 | | * each integer contained in the array pointed to be: |
1048 | | * CERTRevocationTests.cert_rev_flags_per_method |
1049 | | * All Flags are prefixed by CERT_REV_M_, where _M_ indicates |
1050 | | * this is a method dependent flag. |
1051 | | */ |
1052 | | |
1053 | | /* |
1054 | | * Whether or not to use a method for revocation testing. |
1055 | | * If set to "do not test", then all other flags are ignored. |
1056 | | */ |
1057 | | #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL |
1058 | | #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL |
1059 | | |
1060 | | /* |
1061 | | * Whether or not NSS is allowed to attempt to fetch fresh information |
1062 | | * from the network. |
1063 | | * (Although fetching will never happen if fresh information for the |
1064 | | * method is already locally available.) |
1065 | | */ |
1066 | | #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL |
1067 | | #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL |
1068 | | |
1069 | | /* |
1070 | | * Example for an implicit default source: |
1071 | | * The globally configured default OCSP responder. |
1072 | | * IGNORE means: |
1073 | | * ignore the implicit default source, whether it's configured or not. |
1074 | | * ALLOW means: |
1075 | | * if an implicit default source is configured, |
1076 | | * then it overrides any available or missing source in the cert. |
1077 | | * if no implicit default source is configured, |
1078 | | * then we continue to use what's available (or not available) |
1079 | | * in the certs. |
1080 | | */ |
1081 | | #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL |
1082 | | #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL |
1083 | | |
1084 | | /* |
1085 | | * Defines the behavior if no fresh information is available, |
1086 | | * fetching from the network is allowed, but the source of revocation |
1087 | | * information is unknown (even after considering implicit sources, |
1088 | | * if allowed by other flags). |
1089 | | * SKIPT_TEST means: |
1090 | | * We ignore that no fresh information is available and |
1091 | | * skip this test. |
1092 | | * REQUIRE_INFO means: |
1093 | | * We still require that fresh information is available. |
1094 | | * Other flags define what happens on missing fresh info. |
1095 | | */ |
1096 | | #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL |
1097 | | #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL |
1098 | | |
1099 | | /* |
1100 | | * Defines the behavior if we are unable to obtain fresh information. |
1101 | | * INGORE means: |
1102 | | * Return "cert status unknown" |
1103 | | * FAIL means: |
1104 | | * Return "cert revoked". |
1105 | | */ |
1106 | | #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL |
1107 | | #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL |
1108 | | |
1109 | | /* |
1110 | | * What should happen if we were able to find fresh information using |
1111 | | * this method, and the data indicated the cert is good? |
1112 | | * STOP_TESTING means: |
1113 | | * Our success is sufficient, do not continue testing |
1114 | | * other methods. |
1115 | | * CONTINUE_TESTING means: |
1116 | | * We will continue and test the next allowed |
1117 | | * specified method. |
1118 | | */ |
1119 | | #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL |
1120 | | #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL |
1121 | | |
1122 | | /* When this flag is used, libpkix will never attempt to use the GET HTTP |
1123 | | * method for OCSP requests; it will always use POST. |
1124 | | */ |
1125 | | #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL |
1126 | | |
1127 | | /* |
1128 | | * The following flags are supposed to be used to control bits in |
1129 | | * CERTRevocationTests.cert_rev_method_independent_flags |
1130 | | * All Flags are prefixed by CERT_REV_M_, where _M_ indicates |
1131 | | * this is a method independent flag. |
1132 | | */ |
1133 | | |
1134 | | /* |
1135 | | * This defines the order to checking. |
1136 | | * EACH_METHOD_SEPARATELY means: |
1137 | | * Do all tests related to a particular allowed method |
1138 | | * (both local information and network fetching) in a single step. |
1139 | | * Only after testing for a particular method is done, |
1140 | | * then switching to the next method will happen. |
1141 | | * ALL_LOCAL_INFORMATION_FIRST means: |
1142 | | * Start by testing the information for all allowed methods |
1143 | | * which are already locally available. Only after that is done |
1144 | | * consider to fetch from the network (as allowed by other flags). |
1145 | | */ |
1146 | | #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL |
1147 | | #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL |
1148 | | |
1149 | | /* |
1150 | | * Use this flag to specify that it's necessary that fresh information |
1151 | | * is available for at least one of the allowed methods, but it's |
1152 | | * irrelevant which of the mechanisms succeeded. |
1153 | | * NO_OVERALL_INFO_REQUIREMENT means: |
1154 | | * We strictly follow the requirements for each individual method. |
1155 | | * REQUIRE_SOME_FRESH_INFO_AVAILABLE means: |
1156 | | * After the individual tests have been executed, we must have |
1157 | | * been able to find fresh information using at least one method. |
1158 | | * If we were unable to find fresh info, it's a failure. |
1159 | | * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
1160 | | * flag on all methods. |
1161 | | */ |
1162 | | #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL |
1163 | | #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL |
1164 | | |
1165 | | typedef struct { |
1166 | | /* |
1167 | | * The size of the array that cert_rev_flags_per_method points to, |
1168 | | * meaning, the number of methods that are known and defined |
1169 | | * by the caller. |
1170 | | */ |
1171 | | PRUint32 number_of_defined_methods; |
1172 | | |
1173 | | /* |
1174 | | * A pointer to an array of integers. |
1175 | | * Each integer defines revocation checking for a single method, |
1176 | | * by having individual CERT_REV_M_* bits set or not set. |
1177 | | * The meaning of index numbers into this array are defined by |
1178 | | * enum CERTRevocationMethodIndex |
1179 | | * The size of the array must be specified by the caller in the separate |
1180 | | * variable number_of_defined_methods. |
1181 | | * The size of the array may be smaller than |
1182 | | * cert_revocation_method_count, it can happen if a caller |
1183 | | * is not yet aware of the latest revocation methods |
1184 | | * (or does not want to use them). |
1185 | | */ |
1186 | | PRUint64 *cert_rev_flags_per_method; |
1187 | | |
1188 | | /* |
1189 | | * How many preferred methods are specified? |
1190 | | * This is equivalent to the size of the array that |
1191 | | * preferred_methods points to. |
1192 | | * It's allowed to set this value to zero, |
1193 | | * then NSS will decide which methods to prefer. |
1194 | | */ |
1195 | | PRUint32 number_of_preferred_methods; |
1196 | | |
1197 | | /* Array that may specify an optional order of preferred methods. |
1198 | | * Each array entry shall contain a method identifier as defined |
1199 | | * by CERTRevocationMethodIndex. |
1200 | | * The entry at index [0] specifies the method with highest preference. |
1201 | | * These methods will be tested first for locally available information. |
1202 | | * Methods allowed for downloading will be attempted in the same order. |
1203 | | */ |
1204 | | CERTRevocationMethodIndex *preferred_methods; |
1205 | | |
1206 | | /* |
1207 | | * An integer which defines certain aspects of revocation checking |
1208 | | * (independent of individual methods) by having individual |
1209 | | * CERT_REV_MI_* bits set or not set. |
1210 | | */ |
1211 | | PRUint64 cert_rev_method_independent_flags; |
1212 | | } CERTRevocationTests; |
1213 | | |
1214 | | typedef struct { |
1215 | | CERTRevocationTests leafTests; |
1216 | | CERTRevocationTests chainTests; |
1217 | | } CERTRevocationFlags; |
1218 | | |
1219 | | typedef struct CERTValParamInValueStr { |
1220 | | union { |
1221 | | PRBool b; |
1222 | | PRInt32 i; |
1223 | | PRUint32 ui; |
1224 | | PRInt64 l; |
1225 | | PRUint64 ul; |
1226 | | PRTime time; |
1227 | | } scalar; |
1228 | | union { |
1229 | | const void *p; |
1230 | | const char *s; |
1231 | | const CERTCertificate *cert; |
1232 | | const CERTCertList *chain; |
1233 | | const CERTRevocationFlags *revocation; |
1234 | | const CERTChainVerifyCallback *chainVerifyCallback; |
1235 | | } pointer; |
1236 | | union { |
1237 | | const PRInt32 *pi; |
1238 | | const PRUint32 *pui; |
1239 | | const PRInt64 *pl; |
1240 | | const PRUint64 *pul; |
1241 | | const SECOidTag *oids; |
1242 | | } array; |
1243 | | int arraySize; |
1244 | | } CERTValParamInValue; |
1245 | | |
1246 | | typedef struct CERTValParamOutValueStr { |
1247 | | union { |
1248 | | PRBool b; |
1249 | | PRInt32 i; |
1250 | | PRUint32 ui; |
1251 | | PRInt64 l; |
1252 | | PRUint64 ul; |
1253 | | SECCertificateUsage usages; |
1254 | | } scalar; |
1255 | | union { |
1256 | | void *p; |
1257 | | char *s; |
1258 | | CERTVerifyLog *log; |
1259 | | CERTCertificate *cert; |
1260 | | CERTCertList *chain; |
1261 | | } pointer; |
1262 | | union { |
1263 | | void *p; |
1264 | | SECOidTag *oids; |
1265 | | } array; |
1266 | | int arraySize; |
1267 | | } CERTValParamOutValue; |
1268 | | |
1269 | | typedef struct { |
1270 | | CERTValParamInType type; |
1271 | | CERTValParamInValue value; |
1272 | | } CERTValInParam; |
1273 | | |
1274 | | typedef struct { |
1275 | | CERTValParamOutType type; |
1276 | | CERTValParamOutValue value; |
1277 | | } CERTValOutParam; |
1278 | | |
1279 | | /* |
1280 | | * Levels of standards conformance strictness for CERT_NameToAsciiInvertible |
1281 | | */ |
1282 | | typedef enum CertStrictnessLevels { |
1283 | | CERT_N2A_READABLE = 0, /* maximum human readability */ |
1284 | | CERT_N2A_STRICT = 10, /* strict RFC compliance */ |
1285 | | CERT_N2A_INVERTIBLE = 20 /* maximum invertibility, |
1286 | | all DirectoryStrings encoded in hex */ |
1287 | | } CertStrictnessLevel; |
1288 | | |
1289 | | /* |
1290 | | * policy flag defines |
1291 | | */ |
1292 | | #define CERT_POLICY_FLAG_NO_MAPPING 1 |
1293 | | #define CERT_POLICY_FLAG_EXPLICIT 2 |
1294 | | #define CERT_POLICY_FLAG_NO_ANY 4 |
1295 | | |
1296 | | /* |
1297 | | * CertStore flags |
1298 | | */ |
1299 | | #define CERT_ENABLE_LDAP_FETCH 1 |
1300 | | #define CERT_ENABLE_HTTP_FETCH 2 |
1301 | | |
1302 | | /* This functin pointer type may be used for any function that takes |
1303 | | * a CERTCertificate * and returns an allocated string, which must be |
1304 | | * freed by a call to PORT_Free. |
1305 | | */ |
1306 | | typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert); |
1307 | | |
1308 | | /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ |
1309 | | |
1310 | | #include "secasn1t.h" /* way down here because I expect template stuff to |
1311 | | * move out of here anyway */ |
1312 | | |
1313 | | SEC_BEGIN_PROTOS |
1314 | | |
1315 | | extern const SEC_ASN1Template CERT_CertificateRequestTemplate[]; |
1316 | | extern const SEC_ASN1Template CERT_CertificateTemplate[]; |
1317 | | extern const SEC_ASN1Template SEC_SignedCertificateTemplate[]; |
1318 | | extern const SEC_ASN1Template CERT_CertExtensionTemplate[]; |
1319 | | extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[]; |
1320 | | extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[]; |
1321 | | extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[]; |
1322 | | extern const SEC_ASN1Template CERT_TimeChoiceTemplate[]; |
1323 | | extern const SEC_ASN1Template CERT_ValidityTemplate[]; |
1324 | | extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[]; |
1325 | | extern const SEC_ASN1Template SEC_CertSequenceTemplate[]; |
1326 | | |
1327 | | extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[]; |
1328 | | extern const SEC_ASN1Template CERT_NameTemplate[]; |
1329 | | extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[]; |
1330 | | extern const SEC_ASN1Template CERT_RDNTemplate[]; |
1331 | | extern const SEC_ASN1Template CERT_SignedDataTemplate[]; |
1332 | | extern const SEC_ASN1Template CERT_CrlTemplate[]; |
1333 | | extern const SEC_ASN1Template CERT_SignedCrlTemplate[]; |
1334 | | |
1335 | | /* |
1336 | | ** XXX should the attribute stuff be centralized for all of ns/security? |
1337 | | */ |
1338 | | extern const SEC_ASN1Template CERT_AttributeTemplate[]; |
1339 | | extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[]; |
1340 | | |
1341 | | /* These functions simply return the address of the above-declared templates. |
1342 | | ** This is necessary for Windows DLLs. Sigh. |
1343 | | */ |
1344 | | SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate) |
1345 | | SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate) |
1346 | | SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate) |
1347 | | SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate) |
1348 | | SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate) |
1349 | | SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate) |
1350 | | SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate) |
1351 | | SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate) |
1352 | | SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate) |
1353 | | SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate) |
1354 | | SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate) |
1355 | | SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate) |
1356 | | |
1357 | | SEC_END_PROTOS |
1358 | | |
1359 | | #endif /* _CERTT_H_ */ |