00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 /*
00037  * certi.h - private data structures for the certificate library
00038  *
00039  * $Id: certi.h,v 1.16.24.1 2007/11/10 04:26:11 julien.pierre.boogz%sun.com Exp $
00040  */
00041 #ifndef _CERTI_H_
00042 #define _CERTI_H_
00043 
00044 #include "certt.h"
00045 #include "nssrwlkt.h"
00046 
/* Lock-type selection for the two cache levels defined in this header.
   GLOBAL_RWLOCK is deliberately left undefined (its #define is commented
   out), so CRLCacheStr.lock below is a PRLock; defining it would switch that
   lock to an NSSRWLock. DPC_RWLOCK is defined, so CRLDPCacheStr.lock is an
   NSSRWLock. Both switches only change the lock type, not which fields the
   lock is meant to guard. */
/*
#define GLOBAL_RWLOCK 1
*/

#define DPC_RWLOCK 1
00052 
00053 /* all definitions in this file are subject to change */
00054 
/* Forward typedefs for the CRL cache structures, declared up front because
   the structure bodies below refer to one another (CRLEntryCache carries
   prev/next links to its own type, CRLDPCache holds an array of CachedCrl,
   CRLIssuerCache points at a CRLDPCache). */
typedef struct OpaqueCRLFieldsStr OpaqueCRLFields;
typedef struct CRLEntryCacheStr CRLEntryCache;
typedef struct CRLDPCacheStr CRLDPCache;
typedef struct CRLIssuerCacheStr CRLIssuerCache;
typedef struct CRLCacheStr CRLCache;
typedef struct CachedCrlStr CachedCrl;
00061 
/* Private per-CRL state. Nothing in this header sets or reads these
   fields; the names read as decode-outcome flags plus a DER ownership
   marker, but that reading must be confirmed against the CRL decoder
   before anything relies on it. */
struct OpaqueCRLFieldsStr {
    PRBool partial;        /* presumably: CRL was only partially decoded — verify */
    PRBool decodingError;  /* presumably: decoding reported an error — verify */
    PRBool badEntries;     /* presumably: one or more entries failed to decode — verify */
    PRBool badDER;         /* presumably: the CRL DER itself was rejected — verify */
    PRBool badExtensions;  /* presumably: extensions failed to decode — verify */
    PRBool heapDER;        /* presumably: the DER buffer is heap-owned and must be freed — verify */
};
00070 
/* Pre-allocated memory block backing a CachedCrl's entry hash table (see
   CachedCrlStr.prebuffer below): one buffer is obtained up front so that
   the hash table allocator can hand out offsets into it instead of calling
   a general-purpose allocator per entry. The individual field semantics are
   not shown in this header; the per-field notes are name-based guesses. */
typedef struct PreAllocatorStr PreAllocator;

struct PreAllocatorStr
{
    PRSize len;          /* presumably the size of 'data' in bytes — verify */
    void* data;          /* the pre-allocated block */
    PRSize used;         /* presumably bytes of 'data' handed out so far — verify */
    PRArenaPool* arena;  /* arena associated with this buffer; whether it owns
                            'data' or serves as an overflow source is not
                            shown here — verify against the allocator */
    PRSize extra;        /* meaning not shown in this header — verify */
};
00081 
00082 /*  CRL entry cache.
00083     This is the same as an entry plus the next/prev pointers for the hash table
00084 */
00085 
struct CRLEntryCacheStr {
    CERTCrlEntry entry;          /* the CRL entry itself, embedded by value */
    CRLEntryCache *prev, *next;  /* chain links for the entry hash table
                                    (see the comment above this struct) */
};
00090 
/* Error-state bits for CRLDPCacheStr.invalid. While that field is set,
   every certificate checked against the distribution point cache is treated
   as revoked (see the comment on the field), i.e. the cache fails closed
   rather than silently accepting certificates it cannot vouch for. */
#define CRL_CACHE_INVALID_CRLS              0x0001 /* this state will be set
        if we have CRL objects with an invalid DER or signature. Can be
        cleared if the invalid objects are deleted from the token */
#define CRL_CACHE_LAST_FETCH_FAILED         0x0002 /* this state will be set
        if the last CRL fetch encountered an error. Can be cleared if a
        new fetch succeeds */

#define CRL_CACHE_OUT_OF_MEMORY             0x0004 /* this state will be set
        if we don't have enough memory to build the hash table of entries.
        NOTE(review): the comment on CRLDPCacheStr.invalid names only the
        two flags above as triggering the invalid state; whether this flag
        does so as well is not stated in this header — confirm in the cache
        code. */
00100 
/* Where a cached CRL came from; recorded in CachedCrlStr.origin. */
typedef enum {
    CRL_OriginToken = 0,    /* CRL came from a PKCS#11 token */
    CRL_OriginExplicit = 1  /* CRL was explicitly added to the cache, from RAM */
} CRLOrigin;
00105 
/* One decoded CRL held by a distribution point cache, together with its
   signature-verification state and the hash table of its entries. */
struct CachedCrlStr {
    CERTSignedCrl* crl;      /* the decoded signed CRL */
    CRLOrigin origin;        /* token object or explicitly added from RAM */
    /* hash table of entries. We use a PLHashTable and pre-allocate the
       required amount of memory in one shot, so that our allocator can
       simply pass offsets into it when hashing.

       This won't work anymore when we support delta CRLs and iCRLs, because
       the size of the hash table will vary over time. At that point, the best
       solution will be to allocate large CRLEntry structures by modifying
       the DER decoding template. The extra space would be for next/prev
       pointers. This would allow entries from different CRLs to be mixed in
       the same hash table.
    */
    PLHashTable* entries;
    PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
    PRBool sigChecked; /* this CRL's signature has already been checked */
    PRBool sigValid;   /* signature verification result. Only meaningful
                          when sigChecked is PR_TRUE; until then this field
                          must not be read as a verdict either way. */
};
00126 
00127 /*  CRL distribution point cache object
00128     This is a cache of CRL entries for a given distribution point of an issuer
00129     It is built from a collection of one full and 0 or more delta CRLs.
00130 */
00131 
struct CRLDPCacheStr {
#ifdef DPC_RWLOCK
    NSSRWLock* lock;            /* DPC_RWLOCK is defined at the top of this
                                   header, so this is the variant compiled in */
#else
    PRLock* lock;
#endif
    CERTCertificate* issuer;    /* cert issuer 
                                   XXX there may be multiple issuer certs,
                                       with different validity dates. Also
                                       need to deal with SKID/AKID . See
                                       bugzilla 217387, 233118 */
    SECItem* subject;           /* DER of issuer subject */
    SECItem* distributionPoint; /* DER of distribution point. This may be
                                   NULL when distribution points aren't
                                   in use (ie. the CA has a single CRL).
                                   Currently not used. */

    /* array of full CRLs matching this distribution point */
    PRUint32 ncrls;              /* total number of CRLs in crls */
    CachedCrl** crls;            /* array of all matching CRLs */
    /* XCRL With iCRLs and multiple DPs, the CRL can be shared across several
       issuers. In the future, we'll need to globally recycle the CRL in a
       separate list in order to avoid extra lookups, decodes, and copies */

    /* pointers to good decoded CRLs used to build the cache */
    CachedCrl* selected;    /* full CRL selected for use in the cache */
#if 0
    /* for future use */
    PRInt32 numdeltas;      /* number of delta CRLs used for the cache */
    CachedCrl** deltas;     /* delta CRLs used for the cache */
#endif
    /* cache invalidity bitflag */
    PRUint16 invalid;       /* presumably a bitmask of the CRL_CACHE_* flags
             defined above. This state will be set if either
             CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
             In those cases, all certs are considered revoked as a
             security precaution (fail closed). The invalid state can only
             be cleared during an update if all error states are cleared.
             NOTE(review): whether CRL_CACHE_OUT_OF_MEMORY also sets it is
             not stated here — confirm in the cache code. */
    PRBool refresh;        /* manual refresh from tokens has been forced */
    PRBool mustchoose;     /* trigger reselection algorithm, for case when
                              RAM CRL objects are dropped from the cache */
    PRTime lastfetch;      /* time a CRL token fetch was last performed */
    PRTime lastcheck;      /* time CRL token objects were last checked for
                              existence */
};
00176 
00177 /*  CRL issuer cache object
00178     This object tracks all the distribution point caches for a given issuer.
00179     XCRL once we support multiple issuing distribution points, this object
00180     will be a hash table. For now, it just holds the single CRL distribution
00181     point cache structure.
00182 */
00183 
struct CRLIssuerCacheStr {
    SECItem* subject;           /* DER of issuer subject */
    CRLDPCache* dpp;            /* the single distribution point cache for
                                   this issuer (see the comment above: only
                                   one DP is supported for now) */
#if 0
    /* XCRL for future use.
       We don't need to lock at the moment because we only have one DP,
       which gets created at the same time as this object */
    NSSRWLock* lock;
    CRLDPCache** dps;
    PLHashTable* distributionpoints;
    CERTCertificate* issuer;
#endif
};
00197 
00198 /*  CRL revocation cache object
00199     This object tracks all the issuer caches
00200 */
00201 
struct CRLCacheStr {
#ifdef GLOBAL_RWLOCK
    NSSRWLock* lock;
#else
    PRLock* lock;               /* GLOBAL_RWLOCK is commented out at the top
                                   of this header, so this PRLock variant is
                                   the one compiled in */
#endif
    /* hash table of issuer to CRLIssuerCacheStr,
       indexed by issuer DER subject */
    PLHashTable* issuers;
};
00212 
/* Set-up and tear-down of the CRL cache; bodies live elsewhere. */
extern SECStatus InitCRLCache(void);
extern SECStatus ShutdownCRLCache(void);

/* Returns a pointer to an environment-like string, a series of
** null-terminated strings, terminated by a zero-length string.
** This function is intended to be internal to NSS.
** Ownership of the returned buffer is not stated here — check the
** definition before freeing it.
*/
extern char *cert_GetCertificateEmailAddresses(CERTCertificate *cert);

/*
 * These functions are used to map subjectKeyID extension values to certs.
 * Create/Destroy manage the table itself; Add/Remove maintain entries;
 * Find looks one up by subject key ID.
 */
extern SECStatus cert_CreateSubjectKeyIDHashTable(void);
extern SECStatus cert_AddSubjectKeyIDMapping(SECItem *subjKeyID,
                                             CERTCertificate *cert);
/* Call this function to remove an entry from the mapping table. */
extern SECStatus cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
extern SECStatus cert_DestroySubjectKeyIDHashTable(void);
extern SECItem *cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);

/* return maximum length of AVA value based on its type OID tag. */
extern int cert_AVAOidTagToMaxLen(SECOidTag tag);

/* Lock set-up and tear-down for the certificate library. */
extern SECStatus cert_InitLocks(void);
extern SECStatus cert_DestroyLocks(void);
00249 
00250 #endif /* _CERTI_H_ */