Back to index

lightning-sunbird  0.9+nobinonly
certt.h
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 /*
00037  * certt.h - public data structures for the certificate library
00038  *
00039  * $Id: certt.h,v 1.33.2.1 2006/02/16 00:14:18 julien.pierre.bugs%sun.com Exp $
00040  */
00041 #ifndef _CERTT_H_
00042 #define _CERTT_H_
00043 
00044 #include "prclist.h"
00045 #include "pkcs11t.h"
00046 #include "seccomon.h"
00047 #include "secmodt.h"
00048 #include "secoidt.h"
00049 #include "plarena.h"
00050 #include "prcvar.h"
00051 #include "nssilock.h"
00052 #include "prio.h"
00053 #include "prmon.h"
00054 
00055 /* Stan data types */
00056 struct NSSCertificateStr;
00057 struct NSSTrustDomainStr;
00058 
00059 /* Non-opaque objects */
00060 typedef struct CERTAVAStr                        CERTAVA;
00061 typedef struct CERTAttributeStr                  CERTAttribute;
00062 typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
00063 typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
00064 typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
00065 #ifdef NSS_CLASSIC
00066 typedef struct CERTCertDBHandleStr               CERTCertDBHandle;
00067 #else
00068 typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
00069 #endif
00070 typedef struct CERTCertExtensionStr              CERTCertExtension;
00071 typedef struct CERTCertKeyStr                    CERTCertKey;
00072 typedef struct CERTCertListStr                   CERTCertList;
00073 typedef struct CERTCertListNodeStr               CERTCertListNode;
00074 typedef struct CERTCertNicknamesStr              CERTCertNicknames;
00075 typedef struct CERTCertTrustStr                  CERTCertTrust;
00076 typedef struct CERTCertificateStr                CERTCertificate;
00077 typedef struct CERTCertificateListStr            CERTCertificateList;
00078 typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
00079 typedef struct CERTCrlStr                        CERTCrl;
00080 typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
00081 typedef struct CERTCrlEntryStr                   CERTCrlEntry;
00082 typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
00083 typedef struct CERTCrlKeyStr                     CERTCrlKey;
00084 typedef struct CERTCrlNodeStr                    CERTCrlNode;
00085 typedef struct CERTDERCertsStr                   CERTDERCerts;
00086 typedef struct CERTDistNamesStr                  CERTDistNames;
00087 typedef struct CERTGeneralNameStr                CERTGeneralName;
00088 typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
00089 typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
00090 typedef struct CERTNameStr                       CERTName;
00091 typedef struct CERTNameConstraintStr             CERTNameConstraint;
00092 typedef struct CERTNameConstraintsStr            CERTNameConstraints;
00093 typedef struct CERTOKDomainNameStr               CERTOKDomainName;
00094 typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
00095 typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
00096 typedef struct CERTRDNStr                        CERTRDN;
00097 typedef struct CERTSignedCrlStr                  CERTSignedCrl;
00098 typedef struct CERTSignedDataStr                 CERTSignedData;
00099 typedef struct CERTStatusConfigStr               CERTStatusConfig;
00100 typedef struct CERTSubjectListStr                CERTSubjectList;
00101 typedef struct CERTSubjectNodeStr                CERTSubjectNode;
00102 typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
00103 typedef struct CERTValidityStr                   CERTValidity;
00104 typedef struct CERTVerifyLogStr                  CERTVerifyLog;
00105 typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
00106 typedef struct CRLDistributionPointStr           CRLDistributionPoint;
00107 
00108 /* CRL extensions type */
00109 typedef unsigned long CERTCrlNumber;
00110 
00111 /*
00112 ** An X.500 AVA object
00113 */
00114 struct CERTAVAStr {
00115     SECItem type;
00116     SECItem value;
00117 };
00118 
00119 /*
00120 ** An X.500 RDN object
00121 */
00122 struct CERTRDNStr {
00123     CERTAVA **avas;
00124 };
00125 
00126 /*
00127 ** An X.500 name object
00128 */
00129 struct CERTNameStr {
00130     PRArenaPool *arena;
00131     CERTRDN **rdns;
00132 };
00133 
00134 /*
00135 ** An X.509 validity object
00136 */
00137 struct CERTValidityStr {
00138     PRArenaPool *arena;
00139     SECItem notBefore;
00140     SECItem notAfter;
00141 };
00142 
00143 /*
00144  * A serial number and issuer name, which is used as a database key
00145  */
00146 struct CERTCertKeyStr {
00147     SECItem serialNumber;
00148     SECItem derIssuer;
00149 };
00150 
00151 /*
00152 ** A signed data object. Used to implement the "signed" macro used
00153 ** in the X.500 specs.
00154 */
00155 struct CERTSignedDataStr {
00156     SECItem data;
00157     SECAlgorithmID signatureAlgorithm;
00158     SECItem signature;
00159 };
00160 
00161 /*
00162 ** An X.509 subject-public-key-info object
00163 */
00164 struct CERTSubjectPublicKeyInfoStr {
00165     PRArenaPool *arena;
00166     SECAlgorithmID algorithm;
00167     SECItem subjectPublicKey;
00168 };
00169 
00170 struct CERTPublicKeyAndChallengeStr {
00171     SECItem spki;
00172     SECItem challenge;
00173 };
00174 
00175 struct CERTCertTrustStr {
00176     unsigned int sslFlags;
00177     unsigned int emailFlags;
00178     unsigned int objectSigningFlags;
00179 };
00180 
00181 /*
00182  * defined the types of trust that exist
00183  */
00184 typedef enum SECTrustTypeEnum {
00185     trustSSL = 0,
00186     trustEmail = 1,
00187     trustObjectSigning = 2,
00188     trustTypeNone = 3
00189 } SECTrustType;
00190 
00191 #define SEC_GET_TRUST_FLAGS(trust,type) \
00192         (((type)==trustSSL)?((trust)->sslFlags): \
00193         (((type)==trustEmail)?((trust)->emailFlags): \
00194          (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
00195 
00196 /*
00197 ** An X.509.3 certificate extension
00198 */
00199 struct CERTCertExtensionStr {
00200     SECItem id;
00201     SECItem critical;
00202     SECItem value;
00203 };
00204 
00205 struct CERTSubjectNodeStr {
00206     struct CERTSubjectNodeStr *next;
00207     struct CERTSubjectNodeStr *prev;
00208     SECItem certKey;
00209     SECItem keyID;
00210 };
00211 
00212 struct CERTSubjectListStr {
00213     PRArenaPool *arena;
00214     int ncerts;
00215     char *emailAddr;
00216     CERTSubjectNode *head;
00217     CERTSubjectNode *tail; /* do we need tail? */
00218     void *entry;
00219 };
00220 
00221 /*
00222 ** An X.509 certificate object (the unsigned form)
00223 */
00224 struct CERTCertificateStr {
00225     /* the arena is used to allocate any data structures that have the same
00226      * lifetime as the cert.  This is all stuff that hangs off of the cert
00227      * structure, and is all freed at the same time.  I is used when the
00228      * cert is decoded, destroyed, and at some times when it changes
00229      * state
00230      */
00231     PRArenaPool *arena;
00232 
00233     /* The following fields are static after the cert has been decoded */
00234     char *subjectName;
00235     char *issuerName;
00236     CERTSignedData signatureWrap;  /* XXX */
00237     SECItem derCert;               /* original DER for the cert */
00238     SECItem derIssuer;                    /* DER for issuer name */
00239     SECItem derSubject;                   /* DER for subject name */
00240     SECItem derPublicKey;          /* DER for the public key */
00241     SECItem certKey;               /* database key for this cert */
00242     SECItem version;
00243     SECItem serialNumber;
00244     SECAlgorithmID signature;
00245     CERTName issuer;
00246     CERTValidity validity;
00247     CERTName subject;
00248     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
00249     SECItem issuerID;
00250     SECItem subjectID;
00251     CERTCertExtension **extensions;
00252     char *emailAddr;
00253     CERTCertDBHandle *dbhandle;
00254     SECItem subjectKeyID;   /* x509v3 subject key identifier */
00255     PRBool keyIDGenerated;  /* was the keyid generated? */
00256     unsigned int keyUsage;  /* what uses are allowed for this cert */
00257     unsigned int rawKeyUsage;      /* value of the key usage extension */
00258     PRBool keyUsagePresent; /* was the key usage extension present */
00259     PRUint32 nsCertType;    /* value of the ns cert type extension */
00260                             /* must be 32-bit for PR_AtomicSet */
00261 
00262     /* these values can be set by the application to bypass certain checks
00263      * or to keep the cert in memory for an entire session.
00264      * XXX - need an api to set these
00265      */
00266     PRBool keepSession;                   /* keep this cert for entire session*/
00267     PRBool timeOK;                 /* is the bad validity time ok? */
00268     CERTOKDomainName *domainOK;           /* these domain names are ok */
00269 
00270     /*
00271      * these values can change when the cert changes state.  These state
00272      * changes include transitions from temp to perm or vice-versa, and
00273      * changes of trust flags
00274      */
00275     PRBool isperm;
00276     PRBool istemp;
00277     char *nickname;
00278     char *dbnickname;
00279     struct NSSCertificateStr *nssCertificate;    /* This is Stan stuff. */
00280     CERTCertTrust *trust;
00281 
00282     /* the reference count is modified whenever someone looks up, dups
00283      * or destroys a certificate
00284      */
00285     int referenceCount;
00286 
00287     /* The subject list is a list of all certs with the same subject name.
00288      * It can be modified any time a cert is added or deleted from either
00289      * the in-memory(temporary) or on-disk(permanent) database.
00290      */
00291     CERTSubjectList *subjectList;
00292 
00293     /* these belong in the static section, but are here to maintain
00294      * the structure's integrity
00295      */
00296     CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
00297     PRBool isRoot;              /* cert is the end of a chain */
00298 
00299     /* these fields are used by client GUI code to keep track of ssl sockets
00300      * that are blocked waiting on GUI feedback related to this cert.
00301      * XXX - these should be moved into some sort of application specific
00302      *       data structure.  They are only used by the browser right now.
00303      */
00304     union {
00305         void* apointer; /* was struct SECSocketNode* authsocketlist */
00306         struct {
00307             unsigned int hasUnsupportedCriticalExt :1;
00308             /* add any new option bits needed here */
00309         } bits;
00310     } options;
00311     int series; /* was int authsocketcount; record the series of the pkcs11ID */
00312 
00313     /* This is PKCS #11 stuff. */
00314     PK11SlotInfo *slot;            /*if this cert came of a token, which is it*/
00315     CK_OBJECT_HANDLE pkcs11ID;     /*and which object on that token is it */
00316     PRBool ownSlot;         /*true if the cert owns the slot reference */
00317 };
00318 #define SEC_CERTIFICATE_VERSION_1         0      /* default created */
00319 #define SEC_CERTIFICATE_VERSION_2         1      /* v2 */
00320 #define SEC_CERTIFICATE_VERSION_3         2      /* v3 extensions */
00321 
00322 #define SEC_CRL_VERSION_1          0      /* default */
00323 #define SEC_CRL_VERSION_2          1      /* v2 extensions */
00324 
00325 /*
00326  * used to identify class of cert in mime stream code
00327  */
00328 #define SEC_CERT_CLASS_CA   1
00329 #define SEC_CERT_CLASS_SERVER      2
00330 #define SEC_CERT_CLASS_USER 3
00331 #define SEC_CERT_CLASS_EMAIL       4
00332 
00333 struct CERTDERCertsStr {
00334     PRArenaPool *arena;
00335     int numcerts;
00336     SECItem *rawCerts;
00337 };
00338 
00339 /*
00340 ** A PKCS ? Attribute
00341 ** XXX this is duplicated through out the code, it *should* be moved
00342 ** to a central location.  Where would be appropriate?
00343 */
00344 struct CERTAttributeStr {
00345     SECItem attrType;
00346     SECItem **attrValue;
00347 };
00348 
00349 /*
00350 ** A PKCS#10 certificate-request object (the unsigned form)
00351 */
00352 struct CERTCertificateRequestStr {
00353     PRArenaPool *arena;
00354     SECItem version;
00355     CERTName subject;
00356     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
00357     CERTAttribute **attributes;
00358 };
00359 #define SEC_CERTIFICATE_REQUEST_VERSION          0      /* what we *create* */
00360 
00361 
00362 /*
00363 ** A certificate list object.
00364 */
00365 struct CERTCertificateListStr {
00366     SECItem *certs;
00367     int len;                              /* number of certs */
00368     PRArenaPool *arena;
00369 };
00370 
00371 struct CERTCertListNodeStr {
00372     PRCList links;
00373     CERTCertificate *cert;
00374     void *appData;
00375 };
00376 
00377 struct CERTCertListStr {
00378     PRCList list;
00379     PRArenaPool *arena;
00380 };
00381 
00382 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
00383 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
00384 #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
00385 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
00386 
00387 struct CERTCrlEntryStr {
00388     SECItem serialNumber;
00389     SECItem revocationDate;
00390     CERTCertExtension **extensions;    
00391 };
00392 
00393 struct CERTCrlStr {
00394     PRArenaPool *arena;
00395     SECItem version;
00396     SECAlgorithmID signatureAlg;
00397     SECItem derName;
00398     CERTName name;
00399     SECItem lastUpdate;
00400     SECItem nextUpdate;                          /* optional for x.509 CRL  */
00401     CERTCrlEntry **entries;
00402     CERTCertExtension **extensions;    
00403     /* can't add anything there for binary backwards compatibility reasons */
00404 };
00405 
00406 struct CERTCrlKeyStr {
00407     SECItem derName;
00408     SECItem dummy;                 /* The decoder can not skip a primitive,
00409                                       this serves as a place holder for the
00410                                       decoder to finish its task only
00411                                    */
00412 };
00413 
00414 struct CERTSignedCrlStr {
00415     PRArenaPool *arena;
00416     CERTCrl crl;
00417     void *reserved1;
00418     PRBool reserved2;
00419     PRBool isperm;
00420     PRBool istemp;
00421     int referenceCount;
00422     CERTCertDBHandle *dbhandle;
00423     CERTSignedData signatureWrap;  /* XXX */
00424     char *url;
00425     SECItem *derCrl;
00426     PK11SlotInfo *slot;
00427     CK_OBJECT_HANDLE pkcs11ID;
00428     void* opaque; /* do not touch */
00429 };
00430 
00431 
00432 struct CERTCrlHeadNodeStr {
00433     PRArenaPool *arena;
00434     CERTCertDBHandle *dbhandle;
00435     CERTCrlNode *first;
00436     CERTCrlNode *last;
00437 };
00438 
00439 
00440 struct CERTCrlNodeStr {
00441     CERTCrlNode *next;
00442     int       type;
00443     CERTSignedCrl *crl;
00444 };
00445 
00446 
00447 /*
00448  * Array of X.500 Distinguished Names
00449  */
00450 struct CERTDistNamesStr {
00451     PRArenaPool *arena;
00452     int nnames;
00453     SECItem  *names;
00454     void *head; /* private */
00455 };
00456 
00457 
00458 #define NS_CERT_TYPE_SSL_CLIENT           (0x80) /* bit 0 */
00459 #define NS_CERT_TYPE_SSL_SERVER           (0x40)  /* bit 1 */
00460 #define NS_CERT_TYPE_EMAIL         (0x20)  /* bit 2 */
00461 #define NS_CERT_TYPE_OBJECT_SIGNING       (0x10)  /* bit 3 */
00462 #define NS_CERT_TYPE_RESERVED             (0x08)  /* bit 4 */
00463 #define NS_CERT_TYPE_SSL_CA        (0x04)  /* bit 5 */
00464 #define NS_CERT_TYPE_EMAIL_CA             (0x02)  /* bit 6 */
00465 #define NS_CERT_TYPE_OBJECT_SIGNING_CA    (0x01)  /* bit 7 */
00466 
00467 #define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
00468 #define EXT_KEY_USAGE_STATUS_RESPONDER    (0x4000)
00469 
00470 #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
00471                        NS_CERT_TYPE_SSL_SERVER | \
00472                        NS_CERT_TYPE_EMAIL | \
00473                        NS_CERT_TYPE_OBJECT_SIGNING )
00474 
00475 #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
00476                       NS_CERT_TYPE_EMAIL_CA | \
00477                       NS_CERT_TYPE_OBJECT_SIGNING_CA | \
00478                       EXT_KEY_USAGE_STATUS_RESPONDER )
00479 typedef enum SECCertUsageEnum {
00480     certUsageSSLClient = 0,
00481     certUsageSSLServer = 1,
00482     certUsageSSLServerWithStepUp = 2,
00483     certUsageSSLCA = 3,
00484     certUsageEmailSigner = 4,
00485     certUsageEmailRecipient = 5,
00486     certUsageObjectSigner = 6,
00487     certUsageUserCertImport = 7,
00488     certUsageVerifyCA = 8,
00489     certUsageProtectedObjectSigner = 9,
00490     certUsageStatusResponder = 10,
00491     certUsageAnyCA = 11
00492 } SECCertUsage;
00493 
00494 typedef PRInt64 SECCertificateUsage;
00495 
00496 #define certificateUsageSSLClient              (0x0001)
00497 #define certificateUsageSSLServer              (0x0002)
00498 #define certificateUsageSSLServerWithStepUp    (0x0004)
00499 #define certificateUsageSSLCA                  (0x0008)
00500 #define certificateUsageEmailSigner            (0x0010)
00501 #define certificateUsageEmailRecipient         (0x0020)
00502 #define certificateUsageObjectSigner           (0x0040)
00503 #define certificateUsageUserCertImport         (0x0080)
00504 #define certificateUsageVerifyCA               (0x0100)
00505 #define certificateUsageProtectedObjectSigner  (0x0200)
00506 #define certificateUsageStatusResponder        (0x0400)
00507 #define certificateUsageAnyCA                  (0x0800)
00508 
00509 #define certificateUsageHighest certificateUsageAnyCA
00510 
00511 /*
00512  * Does the cert belong to the user, a peer, or a CA.
00513  */
00514 typedef enum CERTCertOwnerEnum {
00515     certOwnerUser = 0,
00516     certOwnerPeer = 1,
00517     certOwnerCA = 2
00518 } CERTCertOwner;
00519 
00520 /*
00521  * This enum represents the state of validity times of a certificate
00522  */
00523 typedef enum SECCertTimeValidityEnum {
00524     secCertTimeValid = 0,
00525     secCertTimeExpired = 1,
00526     secCertTimeNotValidYet = 2,
00527     secCertTimeUndetermined = 3 /* validity could not be decoded from the
00528                                    cert, most likely because it was NULL */
00529 } SECCertTimeValidity;
00530 
00531 /*
00532  * This is used as return status in functions that compare the validity
00533  * periods of two certificates A and B, currently only
00534  * CERT_CompareValidityTimes.
00535  */
00536 
00537 typedef enum CERTCompareValidityStatusEnum
00538 {
00539     certValidityUndetermined = 0, /* the function is unable to select one cert 
00540                                      over another */
00541     certValidityChooseB = 1,      /* cert B should be preferred */
00542     certValidityEqual = 2,        /* both certs have the same validity period */
00543     certValidityChooseA = 3       /* cert A should be preferred */
00544 } CERTCompareValidityStatus;
00545 
00546 /*
00547  * Interface for getting certificate nickname strings out of the database
00548  */
00549 
00550 /* these are values for the what argument below */
00551 #define SEC_CERT_NICKNAMES_ALL            1
00552 #define SEC_CERT_NICKNAMES_USER           2
00553 #define SEC_CERT_NICKNAMES_SERVER  3
00554 #define SEC_CERT_NICKNAMES_CA             4
00555 
00556 struct CERTCertNicknamesStr {
00557     PRArenaPool *arena;
00558     void *head;
00559     int numnicknames;
00560     char **nicknames;
00561     int what;
00562     int totallen;
00563 };
00564 
00565 struct CERTIssuerAndSNStr {
00566     SECItem derIssuer;
00567     CERTName issuer;
00568     SECItem serialNumber;
00569 };
00570 
00571 
00572 /* X.509 v3 Key Usage Extension flags */
00573 #define KU_DIGITAL_SIGNATURE              (0x80) /* bit 0 */
00574 #define KU_NON_REPUDIATION         (0x40)  /* bit 1 */
00575 #define KU_KEY_ENCIPHERMENT        (0x20)  /* bit 2 */
00576 #define KU_DATA_ENCIPHERMENT              (0x10)  /* bit 3 */
00577 #define KU_KEY_AGREEMENT           (0x08)  /* bit 4 */
00578 #define KU_KEY_CERT_SIGN           (0x04)  /* bit 5 */
00579 #define KU_CRL_SIGN                (0x02)  /* bit 6 */
00580 #define KU_ALL                            (KU_DIGITAL_SIGNATURE | \
00581                                     KU_NON_REPUDIATION | \
00582                                     KU_KEY_ENCIPHERMENT | \
00583                                     KU_DATA_ENCIPHERMENT | \
00584                                     KU_KEY_AGREEMENT | \
00585                                     KU_KEY_CERT_SIGN | \
00586                                     KU_CRL_SIGN)
00587 
00588 /* This value will not occur in certs.  It is used internally for the case
00589  * when the key type is not know ahead of time and either key agreement or
00590  * key encipherment are the correct value based on key type
00591  */
00592 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
00593 
00594 /* internal bits that do not match bits in the x509v3 spec, but are used
00595  * for similar purposes
00596  */
00597 #define KU_NS_GOVT_APPROVED        (0x8000) /*don't make part of KU_ALL!*/
00598 /*
00599  * x.509 v3 Basic Constraints Extension
00600  * If isCA is false, the pathLenConstraint is ignored.
00601  * Otherwise, the following pathLenConstraint values will apply:
00602  *     < 0 - there is no limit to the certificate path
00603  *     0   - CA can issues end-entity certificates only
00604  *     > 0 - the number of certificates in the certificate path is
00605  *           limited to this number
00606  */
00607 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
00608 
00609 struct CERTBasicConstraintsStr {
00610     PRBool isCA;                   /* on if is CA */
00611     int pathLenConstraint;         /* maximum number of certificates that can be
00612                                       in the cert path.  Only applies to a CA
00613                                       certificate; otherwise, it's ignored.
00614                                     */
00615 };
00616 
00617 /* Maximum length of a certificate chain */
00618 #define CERT_MAX_CERT_CHAIN 20
00619 
00620 /* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
00621 #define RF_UNUSED                  (0x80) /* bit 0 */
00622 #define RF_KEY_COMPROMISE          (0x40)  /* bit 1 */
00623 #define RF_CA_COMPROMISE           (0x20)  /* bit 2 */
00624 #define RF_AFFILIATION_CHANGED            (0x10)  /* bit 3 */
00625 #define RF_SUPERSEDED                     (0x08)  /* bit 4 */
00626 #define RF_CESSATION_OF_OPERATION  (0x04)  /* bit 5 */
00627 #define RF_CERTIFICATE_HOLD        (0x02)  /* bit 6 */
00628 
00629 /* If we needed to extract the general name field, use this */
00630 /* General Name types */
00631 typedef enum CERTGeneralNameTypeEnum {
00632     certOtherName = 1,
00633     certRFC822Name = 2,
00634     certDNSName = 3,
00635     certX400Address = 4,
00636     certDirectoryName = 5,
00637     certEDIPartyName = 6,
00638     certURI = 7,
00639     certIPAddress = 8,
00640     certRegisterID = 9
00641 } CERTGeneralNameType;
00642 
00643 
00644 typedef struct OtherNameStr {
00645     SECItem          name;
00646     SECItem          oid;
00647 }OtherName;
00648 
00649 
00650 
00651 struct CERTGeneralNameStr {
00652     CERTGeneralNameType type;             /* name type */
00653     union {
00654        CERTName directoryName;         /* distinguish name */
00655        OtherName  OthName;         /* Other Name */
00656        SECItem other;                  /* the rest of the name forms */
00657     }name;
00658     SECItem derDirectoryName;             /* this is saved to simplify directory name
00659                                       comparison */
00660     PRCList l;
00661 };
00662 
00663 struct CERTGeneralNameListStr {
00664     PRArenaPool *arena;
00665     CERTGeneralName *name;
00666     int refCount;
00667     int len;
00668     PZLock *lock;
00669 };
00670 
00671 struct CERTNameConstraintStr {
00672     CERTGeneralName  name;
00673     SECItem          DERName;
00674     SECItem          min;
00675     SECItem          max;
00676     PRCList          l;
00677 };
00678 
00679 
00680 struct CERTNameConstraintsStr {
00681     CERTNameConstraint  *permited;
00682     CERTNameConstraint  *excluded;
00683     SECItem             **DERPermited;
00684     SECItem             **DERExcluded;
00685 };
00686 
00687 
00688 /* Private Key Usage Period extension struct. */
00689 struct CERTPrivKeyUsagePeriodStr {
00690     SECItem notBefore;
00691     SECItem notAfter;
00692     PRArenaPool *arena;
00693 };
00694 
00695 /* X.509 v3 Authority Key Identifier extension.  For the authority certificate
00696    issuer field, we only support URI now.
00697  */
00698 struct CERTAuthKeyIDStr {
00699     SECItem keyID;                 /* unique key identifier */
00700     CERTGeneralName *authCertIssuer;      /* CA's issuer name.  End with a NULL */
00701     SECItem authCertSerialNumber;  /* CA's certificate serial number */
00702     SECItem **DERAuthCertIssuer;   /* This holds the DER encoded format of
00703                                       the authCertIssuer field. It is used
00704                                       by the encoding engine. It should be
00705                                       used as a read only field by the caller.
00706                                    */
00707 };
00708 
00709 /* x.509 v3 CRL Distributeion Point */
00710 
00711 /*
00712  * defined the types of CRL Distribution points
00713  */
00714 typedef enum DistributionPointTypesEnum {
00715     generalName = 1,               /* only support this for now */
00716     relativeDistinguishedName = 2
00717 } DistributionPointTypes;
00718 
00719 struct CRLDistributionPointStr {
00720     DistributionPointTypes distPointType;
00721     union {
00722        CERTGeneralName *fullName;
00723        CERTRDN relativeName;
00724     } distPoint;
00725     SECItem reasons;
00726     CERTGeneralName *crlIssuer;
00727     
00728     /* Reserved for internal use only*/
00729     SECItem derDistPoint;
00730     SECItem derRelativeName;
00731     SECItem **derCrlIssuer;
00732     SECItem **derFullName;
00733     SECItem bitsmap;
00734 };
00735 
00736 struct CERTCrlDistributionPointsStr {
00737     CRLDistributionPoint **distPoints;
00738 };
00739 
00740 /*
00741  * This structure is used to keep a log of errors when verifying
00742  * a cert chain.  This allows multiple errors to be reported all at
00743  * once.
00744  */
00745 struct CERTVerifyLogNodeStr {
00746     CERTCertificate *cert;  /* what cert had the error */
00747     long error;                    /* what error was it? */
00748     unsigned int depth;            /* how far up the chain are we */
00749     void *arg;                     /* error specific argument */
00750     struct CERTVerifyLogNodeStr *next; /* next in the list */
00751     struct CERTVerifyLogNodeStr *prev; /* next in the list */
00752 };
00753 
00754 
00755 struct CERTVerifyLogStr {
00756     PRArenaPool *arena;
00757     unsigned int count;
00758     struct CERTVerifyLogNodeStr *head;
00759     struct CERTVerifyLogNodeStr *tail;
00760 };
00761 
00762 
00763 struct CERTOKDomainNameStr {
00764     CERTOKDomainName *next;
00765     char              name[1]; /* actual length may be longer. */
00766 };
00767 
00768 
00769 typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
00770                                               CERTCertificate *cert,
00771                                               int64 time,
00772                                               void *pwArg);
00773 
00774 typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
00775 
00776 struct CERTStatusConfigStr {
00777     CERTStatusChecker statusChecker;      /* NULL means no checking enabled */
00778     CERTStatusDestroy statusDestroy;      /* enabled or no, will clean up */
00779     void *statusContext;           /* cx specific to checking protocol */
00780 };
00781 
00782 struct CERTAuthInfoAccessStr {
00783     SECItem method;
00784     SECItem derLocation;
00785     CERTGeneralName *location;            /* decoded location */
00786 };
00787 
00788 
00789 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
00790 /* callback to return database name based on version number */
00791 typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
00792 
00793 /*
00794  * types of cert packages that we can decode
00795  */
00796 typedef enum CERTPackageTypeEnum {
00797     certPackageNone = 0,
00798     certPackageCert = 1,
00799     certPackagePKCS7 = 2,
00800     certPackageNSCertSeq = 3,
00801     certPackageNSCertWrap = 4
00802 } CERTPackageType;
00803 
00804 /*
00805  * these types are for the PKIX Certificate Policies extension
00806  */
00807 typedef struct {
00808     SECOidTag oid;
00809     SECItem qualifierID;
00810     SECItem qualifierValue;
00811 } CERTPolicyQualifier;
00812 
00813 typedef struct {
00814     SECOidTag oid;
00815     SECItem policyID;
00816     CERTPolicyQualifier **policyQualifiers;
00817 } CERTPolicyInfo;
00818 
00819 typedef struct {
00820     PRArenaPool *arena;
00821     CERTPolicyInfo **policyInfos;
00822 } CERTCertificatePolicies;
00823 
00824 typedef struct {
00825     SECItem organization;
00826     SECItem **noticeNumbers;
00827 } CERTNoticeReference;
00828 
00829 typedef struct {
00830     PRArenaPool *arena;
00831     CERTNoticeReference noticeReference;
00832     SECItem derNoticeReference;
00833     SECItem displayText;
00834 } CERTUserNotice;
00835 
00836 typedef struct {
00837     PRArenaPool *arena;
00838     SECItem **oids;
00839 } CERTOidSequence;
00840 
00841 
00842 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
00843 
00844 #include "secasn1t.h"       /* way down here because I expect template stuff to
00845                       * move out of here anyway */
00846 
00847 SEC_BEGIN_PROTOS
00848 
00849 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
00850 extern const SEC_ASN1Template CERT_CertificateTemplate[];
00851 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
00852 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
00853 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
00854 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
00855 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
00856 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
00857 extern const SEC_ASN1Template CERT_ValidityTemplate[];
00858 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
00859 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
00860 
00861 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
00862 extern const SEC_ASN1Template CERT_NameTemplate[];
00863 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
00864 extern const SEC_ASN1Template CERT_RDNTemplate[];
00865 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
00866 extern const SEC_ASN1Template CERT_CrlTemplate[];
00867 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
00868 
00869 /*
00870 ** XXX should the attribute stuff be centralized for all of ns/security?
00871 */
00872 extern const SEC_ASN1Template CERT_AttributeTemplate[];
00873 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
00874 
00875 /* These functions simply return the address of the above-declared templates.
00876 ** This is necessary for Windows DLLs.  Sigh.
00877 */
00878 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
00879 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
00880 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
00881 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
00882 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
00883 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
00884 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
00885 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
00886 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
00887 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
00888 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
00889 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
00890 
00891 SEC_END_PROTOS
00892 
00893 #endif /* _CERTT_H_ */