Back to index

lightning-sunbird  0.9+nobinonly
certt.h
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 /*
00037  * certt.h - public data structures for the certificate library
00038  *
00039  * $Id: certt.h,v 1.33.2.4 2007/11/21 21:37:05 julien.pierre.boogz%sun.com Exp $
00040  */
00041 #ifndef _CERTT_H_
00042 #define _CERTT_H_
00043 
00044 #include "prclist.h"
00045 #include "pkcs11t.h"
00046 #include "seccomon.h"
00047 #include "secmodt.h"
00048 #include "secoidt.h"
00049 #include "plarena.h"
00050 #include "prcvar.h"
00051 #include "nssilock.h"
00052 #include "prio.h"
00053 #include "prmon.h"
00054 
00055 /* Stan data types */
00056 struct NSSCertificateStr;
00057 struct NSSTrustDomainStr;
00058 
00059 /* Non-opaque objects */
00060 typedef struct CERTAVAStr                        CERTAVA;
00061 typedef struct CERTAttributeStr                  CERTAttribute;
00062 typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
00063 typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
00064 typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
00065 typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
00066 typedef struct CERTCertExtensionStr              CERTCertExtension;
00067 typedef struct CERTCertKeyStr                    CERTCertKey;
00068 typedef struct CERTCertListStr                   CERTCertList;
00069 typedef struct CERTCertListNodeStr               CERTCertListNode;
00070 typedef struct CERTCertNicknamesStr              CERTCertNicknames;
00071 typedef struct CERTCertTrustStr                  CERTCertTrust;
00072 typedef struct CERTCertificateStr                CERTCertificate;
00073 typedef struct CERTCertificateListStr            CERTCertificateList;
00074 typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
00075 typedef struct CERTCrlStr                        CERTCrl;
00076 typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
00077 typedef struct CERTCrlEntryStr                   CERTCrlEntry;
00078 typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
00079 typedef struct CERTCrlKeyStr                     CERTCrlKey;
00080 typedef struct CERTCrlNodeStr                    CERTCrlNode;
00081 typedef struct CERTDERCertsStr                   CERTDERCerts;
00082 typedef struct CERTDistNamesStr                  CERTDistNames;
00083 typedef struct CERTGeneralNameStr                CERTGeneralName;
00084 typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
00085 typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
00086 typedef struct CERTNameStr                       CERTName;
00087 typedef struct CERTNameConstraintStr             CERTNameConstraint;
00088 typedef struct CERTNameConstraintsStr            CERTNameConstraints;
00089 typedef struct CERTOKDomainNameStr               CERTOKDomainName;
00090 typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
00091 typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
00092 typedef struct CERTRDNStr                        CERTRDN;
00093 typedef struct CERTSignedCrlStr                  CERTSignedCrl;
00094 typedef struct CERTSignedDataStr                 CERTSignedData;
00095 typedef struct CERTStatusConfigStr               CERTStatusConfig;
00096 typedef struct CERTSubjectListStr                CERTSubjectList;
00097 typedef struct CERTSubjectNodeStr                CERTSubjectNode;
00098 typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
00099 typedef struct CERTValidityStr                   CERTValidity;
00100 typedef struct CERTVerifyLogStr                  CERTVerifyLog;
00101 typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
00102 typedef struct CRLDistributionPointStr           CRLDistributionPoint;
00103 
00104 /* CRL extensions type */
00105 typedef unsigned long CERTCrlNumber;
00106 
00107 /*
00108 ** An X.500 AVA object
00109 */
00110 struct CERTAVAStr {
00111     SECItem type;
00112     SECItem value;
00113 };
00114 
00115 /*
00116 ** An X.500 RDN object
00117 */
00118 struct CERTRDNStr {
00119     CERTAVA **avas;
00120 };
00121 
00122 /*
00123 ** An X.500 name object
00124 */
00125 struct CERTNameStr {
00126     PRArenaPool *arena;
00127     CERTRDN **rdns;
00128 };
00129 
00130 /*
00131 ** An X.509 validity object
00132 */
00133 struct CERTValidityStr {
00134     PRArenaPool *arena;
00135     SECItem notBefore;
00136     SECItem notAfter;
00137 };
00138 
00139 /*
00140  * A serial number and issuer name, which is used as a database key
00141  */
00142 struct CERTCertKeyStr {
00143     SECItem serialNumber;
00144     SECItem derIssuer;
00145 };
00146 
00147 /*
00148 ** A signed data object. Used to implement the "signed" macro used
00149 ** in the X.500 specs.
00150 */
00151 struct CERTSignedDataStr {
00152     SECItem data;
00153     SECAlgorithmID signatureAlgorithm;
00154     SECItem signature;
00155 };
00156 
00157 /*
00158 ** An X.509 subject-public-key-info object
00159 */
00160 struct CERTSubjectPublicKeyInfoStr {
00161     PRArenaPool *arena;
00162     SECAlgorithmID algorithm;
00163     SECItem subjectPublicKey;
00164 };
00165 
00166 struct CERTPublicKeyAndChallengeStr {
00167     SECItem spki;
00168     SECItem challenge;
00169 };
00170 
00171 struct CERTCertTrustStr {
00172     unsigned int sslFlags;
00173     unsigned int emailFlags;
00174     unsigned int objectSigningFlags;
00175 };
00176 
00177 /*
00178  * defined the types of trust that exist
00179  */
00180 typedef enum SECTrustTypeEnum {
00181     trustSSL = 0,
00182     trustEmail = 1,
00183     trustObjectSigning = 2,
00184     trustTypeNone = 3
00185 } SECTrustType;
00186 
00187 #define SEC_GET_TRUST_FLAGS(trust,type) \
00188         (((type)==trustSSL)?((trust)->sslFlags): \
00189         (((type)==trustEmail)?((trust)->emailFlags): \
00190          (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
00191 
00192 /*
00193 ** An X.509.3 certificate extension
00194 */
00195 struct CERTCertExtensionStr {
00196     SECItem id;
00197     SECItem critical;
00198     SECItem value;
00199 };
00200 
00201 struct CERTSubjectNodeStr {
00202     struct CERTSubjectNodeStr *next;
00203     struct CERTSubjectNodeStr *prev;
00204     SECItem certKey;
00205     SECItem keyID;
00206 };
00207 
00208 struct CERTSubjectListStr {
00209     PRArenaPool *arena;
00210     int ncerts;
00211     char *emailAddr;
00212     CERTSubjectNode *head;
00213     CERTSubjectNode *tail; /* do we need tail? */
00214     void *entry;
00215 };
00216 
00217 /*
00218 ** An X.509 certificate object (the unsigned form)
00219 */
00220 struct CERTCertificateStr {
00221     /* the arena is used to allocate any data structures that have the same
00222      * lifetime as the cert.  This is all stuff that hangs off of the cert
00223      * structure, and is all freed at the same time.  I is used when the
00224      * cert is decoded, destroyed, and at some times when it changes
00225      * state
00226      */
00227     PRArenaPool *arena;
00228 
00229     /* The following fields are static after the cert has been decoded */
00230     char *subjectName;
00231     char *issuerName;
00232     CERTSignedData signatureWrap;  /* XXX */
00233     SECItem derCert;               /* original DER for the cert */
00234     SECItem derIssuer;                    /* DER for issuer name */
00235     SECItem derSubject;                   /* DER for subject name */
00236     SECItem derPublicKey;          /* DER for the public key */
00237     SECItem certKey;               /* database key for this cert */
00238     SECItem version;
00239     SECItem serialNumber;
00240     SECAlgorithmID signature;
00241     CERTName issuer;
00242     CERTValidity validity;
00243     CERTName subject;
00244     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
00245     SECItem issuerID;
00246     SECItem subjectID;
00247     CERTCertExtension **extensions;
00248     char *emailAddr;
00249     CERTCertDBHandle *dbhandle;
00250     SECItem subjectKeyID;   /* x509v3 subject key identifier */
00251     PRBool keyIDGenerated;  /* was the keyid generated? */
00252     unsigned int keyUsage;  /* what uses are allowed for this cert */
00253     unsigned int rawKeyUsage;      /* value of the key usage extension */
00254     PRBool keyUsagePresent; /* was the key usage extension present */
00255     PRUint32 nsCertType;    /* value of the ns cert type extension */
00256                             /* must be 32-bit for PR_AtomicSet */
00257 
00258     /* these values can be set by the application to bypass certain checks
00259      * or to keep the cert in memory for an entire session.
00260      * XXX - need an api to set these
00261      */
00262     PRBool keepSession;                   /* keep this cert for entire session*/
00263     PRBool timeOK;                 /* is the bad validity time ok? */
00264     CERTOKDomainName *domainOK;           /* these domain names are ok */
00265 
00266     /*
00267      * these values can change when the cert changes state.  These state
00268      * changes include transitions from temp to perm or vice-versa, and
00269      * changes of trust flags
00270      */
00271     PRBool isperm;
00272     PRBool istemp;
00273     char *nickname;
00274     char *dbnickname;
00275     struct NSSCertificateStr *nssCertificate;    /* This is Stan stuff. */
00276     CERTCertTrust *trust;
00277 
00278     /* the reference count is modified whenever someone looks up, dups
00279      * or destroys a certificate
00280      */
00281     int referenceCount;
00282 
00283     /* The subject list is a list of all certs with the same subject name.
00284      * It can be modified any time a cert is added or deleted from either
00285      * the in-memory(temporary) or on-disk(permanent) database.
00286      */
00287     CERTSubjectList *subjectList;
00288 
00289     /* these belong in the static section, but are here to maintain
00290      * the structure's integrity
00291      */
00292     CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
00293     PRBool isRoot;              /* cert is the end of a chain */
00294 
00295     /* these fields are used by client GUI code to keep track of ssl sockets
00296      * that are blocked waiting on GUI feedback related to this cert.
00297      * XXX - these should be moved into some sort of application specific
00298      *       data structure.  They are only used by the browser right now.
00299      */
00300     union {
00301         void* apointer; /* was struct SECSocketNode* authsocketlist */
00302         struct {
00303             unsigned int hasUnsupportedCriticalExt :1;
00304             /* add any new option bits needed here */
00305         } bits;
00306     } options;
00307     int series; /* was int authsocketcount; record the series of the pkcs11ID */
00308 
00309     /* This is PKCS #11 stuff. */
00310     PK11SlotInfo *slot;            /*if this cert came of a token, which is it*/
00311     CK_OBJECT_HANDLE pkcs11ID;     /*and which object on that token is it */
00312     PRBool ownSlot;         /*true if the cert owns the slot reference */
00313 };
00314 #define SEC_CERTIFICATE_VERSION_1         0      /* default created */
00315 #define SEC_CERTIFICATE_VERSION_2         1      /* v2 */
00316 #define SEC_CERTIFICATE_VERSION_3         2      /* v3 extensions */
00317 
00318 #define SEC_CRL_VERSION_1          0      /* default */
00319 #define SEC_CRL_VERSION_2          1      /* v2 extensions */
00320 
00321 /*
00322  * used to identify class of cert in mime stream code
00323  */
00324 #define SEC_CERT_CLASS_CA   1
00325 #define SEC_CERT_CLASS_SERVER      2
00326 #define SEC_CERT_CLASS_USER 3
00327 #define SEC_CERT_CLASS_EMAIL       4
00328 
00329 struct CERTDERCertsStr {
00330     PRArenaPool *arena;
00331     int numcerts;
00332     SECItem *rawCerts;
00333 };
00334 
00335 /*
00336 ** A PKCS ? Attribute
00337 ** XXX this is duplicated through out the code, it *should* be moved
00338 ** to a central location.  Where would be appropriate?
00339 */
00340 struct CERTAttributeStr {
00341     SECItem attrType;
00342     SECItem **attrValue;
00343 };
00344 
00345 /*
00346 ** A PKCS#10 certificate-request object (the unsigned form)
00347 */
00348 struct CERTCertificateRequestStr {
00349     PRArenaPool *arena;
00350     SECItem version;
00351     CERTName subject;
00352     CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
00353     CERTAttribute **attributes;
00354 };
00355 #define SEC_CERTIFICATE_REQUEST_VERSION          0      /* what we *create* */
00356 
00357 
00358 /*
00359 ** A certificate list object.
00360 */
00361 struct CERTCertificateListStr {
00362     SECItem *certs;
00363     int len;                              /* number of certs */
00364     PRArenaPool *arena;
00365 };
00366 
00367 struct CERTCertListNodeStr {
00368     PRCList links;
00369     CERTCertificate *cert;
00370     void *appData;
00371 };
00372 
00373 struct CERTCertListStr {
00374     PRCList list;
00375     PRArenaPool *arena;
00376 };
00377 
00378 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
00379 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
00380 #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
00381 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
00382 
00383 struct CERTCrlEntryStr {
00384     SECItem serialNumber;
00385     SECItem revocationDate;
00386     CERTCertExtension **extensions;    
00387 };
00388 
00389 struct CERTCrlStr {
00390     PRArenaPool *arena;
00391     SECItem version;
00392     SECAlgorithmID signatureAlg;
00393     SECItem derName;
00394     CERTName name;
00395     SECItem lastUpdate;
00396     SECItem nextUpdate;                          /* optional for x.509 CRL  */
00397     CERTCrlEntry **entries;
00398     CERTCertExtension **extensions;    
00399     /* can't add anything there for binary backwards compatibility reasons */
00400 };
00401 
00402 struct CERTCrlKeyStr {
00403     SECItem derName;
00404     SECItem dummy;                 /* The decoder can not skip a primitive,
00405                                       this serves as a place holder for the
00406                                       decoder to finish its task only
00407                                    */
00408 };
00409 
00410 struct CERTSignedCrlStr {
00411     PRArenaPool *arena;
00412     CERTCrl crl;
00413     void *reserved1;
00414     PRBool reserved2;
00415     PRBool isperm;
00416     PRBool istemp;
00417     int referenceCount;
00418     CERTCertDBHandle *dbhandle;
00419     CERTSignedData signatureWrap;  /* XXX */
00420     char *url;
00421     SECItem *derCrl;
00422     PK11SlotInfo *slot;
00423     CK_OBJECT_HANDLE pkcs11ID;
00424     void* opaque; /* do not touch */
00425 };
00426 
00427 
00428 struct CERTCrlHeadNodeStr {
00429     PRArenaPool *arena;
00430     CERTCertDBHandle *dbhandle;
00431     CERTCrlNode *first;
00432     CERTCrlNode *last;
00433 };
00434 
00435 
00436 struct CERTCrlNodeStr {
00437     CERTCrlNode *next;
00438     int       type;
00439     CERTSignedCrl *crl;
00440 };
00441 
00442 
00443 /*
00444  * Array of X.500 Distinguished Names
00445  */
00446 struct CERTDistNamesStr {
00447     PRArenaPool *arena;
00448     int nnames;
00449     SECItem  *names;
00450     void *head; /* private */
00451 };
00452 
00453 
00454 #define NS_CERT_TYPE_SSL_CLIENT           (0x80) /* bit 0 */
00455 #define NS_CERT_TYPE_SSL_SERVER           (0x40)  /* bit 1 */
00456 #define NS_CERT_TYPE_EMAIL         (0x20)  /* bit 2 */
00457 #define NS_CERT_TYPE_OBJECT_SIGNING       (0x10)  /* bit 3 */
00458 #define NS_CERT_TYPE_RESERVED             (0x08)  /* bit 4 */
00459 #define NS_CERT_TYPE_SSL_CA        (0x04)  /* bit 5 */
00460 #define NS_CERT_TYPE_EMAIL_CA             (0x02)  /* bit 6 */
00461 #define NS_CERT_TYPE_OBJECT_SIGNING_CA    (0x01)  /* bit 7 */
00462 
00463 #define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
00464 #define EXT_KEY_USAGE_STATUS_RESPONDER    (0x4000)
00465 
00466 #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
00467                        NS_CERT_TYPE_SSL_SERVER | \
00468                        NS_CERT_TYPE_EMAIL | \
00469                        NS_CERT_TYPE_OBJECT_SIGNING )
00470 
00471 #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
00472                       NS_CERT_TYPE_EMAIL_CA | \
00473                       NS_CERT_TYPE_OBJECT_SIGNING_CA | \
00474                       EXT_KEY_USAGE_STATUS_RESPONDER )
00475 typedef enum SECCertUsageEnum {
00476     certUsageSSLClient = 0,
00477     certUsageSSLServer = 1,
00478     certUsageSSLServerWithStepUp = 2,
00479     certUsageSSLCA = 3,
00480     certUsageEmailSigner = 4,
00481     certUsageEmailRecipient = 5,
00482     certUsageObjectSigner = 6,
00483     certUsageUserCertImport = 7,
00484     certUsageVerifyCA = 8,
00485     certUsageProtectedObjectSigner = 9,
00486     certUsageStatusResponder = 10,
00487     certUsageAnyCA = 11
00488 } SECCertUsage;
00489 
00490 typedef PRInt64 SECCertificateUsage;
00491 
00492 #define certificateUsageCheckAllUsages         (0x0000)
00493 #define certificateUsageSSLClient              (0x0001)
00494 #define certificateUsageSSLServer              (0x0002)
00495 #define certificateUsageSSLServerWithStepUp    (0x0004)
00496 #define certificateUsageSSLCA                  (0x0008)
00497 #define certificateUsageEmailSigner            (0x0010)
00498 #define certificateUsageEmailRecipient         (0x0020)
00499 #define certificateUsageObjectSigner           (0x0040)
00500 #define certificateUsageUserCertImport         (0x0080)
00501 #define certificateUsageVerifyCA               (0x0100)
00502 #define certificateUsageProtectedObjectSigner  (0x0200)
00503 #define certificateUsageStatusResponder        (0x0400)
00504 #define certificateUsageAnyCA                  (0x0800)
00505 
00506 #define certificateUsageHighest certificateUsageAnyCA
00507 
00508 /*
00509  * Does the cert belong to the user, a peer, or a CA.
00510  */
00511 typedef enum CERTCertOwnerEnum {
00512     certOwnerUser = 0,
00513     certOwnerPeer = 1,
00514     certOwnerCA = 2
00515 } CERTCertOwner;
00516 
00517 /*
00518  * This enum represents the state of validity times of a certificate
00519  */
00520 typedef enum SECCertTimeValidityEnum {
00521     secCertTimeValid = 0,
00522     secCertTimeExpired = 1,
00523     secCertTimeNotValidYet = 2,
00524     secCertTimeUndetermined = 3 /* validity could not be decoded from the
00525                                    cert, most likely because it was NULL */
00526 } SECCertTimeValidity;
00527 
00528 /*
00529  * This is used as return status in functions that compare the validity
00530  * periods of two certificates A and B, currently only
00531  * CERT_CompareValidityTimes.
00532  */
00533 
00534 typedef enum CERTCompareValidityStatusEnum
00535 {
00536     certValidityUndetermined = 0, /* the function is unable to select one cert 
00537                                      over another */
00538     certValidityChooseB = 1,      /* cert B should be preferred */
00539     certValidityEqual = 2,        /* both certs have the same validity period */
00540     certValidityChooseA = 3       /* cert A should be preferred */
00541 } CERTCompareValidityStatus;
00542 
00543 /*
00544  * Interface for getting certificate nickname strings out of the database
00545  */
00546 
00547 /* these are values for the what argument below */
00548 #define SEC_CERT_NICKNAMES_ALL            1
00549 #define SEC_CERT_NICKNAMES_USER           2
00550 #define SEC_CERT_NICKNAMES_SERVER  3
00551 #define SEC_CERT_NICKNAMES_CA             4
00552 
00553 struct CERTCertNicknamesStr {
00554     PRArenaPool *arena;
00555     void *head;
00556     int numnicknames;
00557     char **nicknames;
00558     int what;
00559     int totallen;
00560 };
00561 
00562 struct CERTIssuerAndSNStr {
00563     SECItem derIssuer;
00564     CERTName issuer;
00565     SECItem serialNumber;
00566 };
00567 
00568 
00569 /* X.509 v3 Key Usage Extension flags */
00570 #define KU_DIGITAL_SIGNATURE              (0x80) /* bit 0 */
00571 #define KU_NON_REPUDIATION         (0x40)  /* bit 1 */
00572 #define KU_KEY_ENCIPHERMENT        (0x20)  /* bit 2 */
00573 #define KU_DATA_ENCIPHERMENT              (0x10)  /* bit 3 */
00574 #define KU_KEY_AGREEMENT           (0x08)  /* bit 4 */
00575 #define KU_KEY_CERT_SIGN           (0x04)  /* bit 5 */
00576 #define KU_CRL_SIGN                (0x02)  /* bit 6 */
00577 #define KU_ALL                            (KU_DIGITAL_SIGNATURE | \
00578                                     KU_NON_REPUDIATION | \
00579                                     KU_KEY_ENCIPHERMENT | \
00580                                     KU_DATA_ENCIPHERMENT | \
00581                                     KU_KEY_AGREEMENT | \
00582                                     KU_KEY_CERT_SIGN | \
00583                                     KU_CRL_SIGN)
00584 
00585 /* This value will not occur in certs.  It is used internally for the case
00586  * when the key type is not know ahead of time and either key agreement or
00587  * key encipherment are the correct value based on key type
00588  */
00589 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
00590 
00591 /* internal bits that do not match bits in the x509v3 spec, but are used
00592  * for similar purposes
00593  */
00594 #define KU_NS_GOVT_APPROVED        (0x8000) /*don't make part of KU_ALL!*/
00595 /*
00596  * x.509 v3 Basic Constraints Extension
00597  * If isCA is false, the pathLenConstraint is ignored.
00598  * Otherwise, the following pathLenConstraint values will apply:
00599  *     < 0 - there is no limit to the certificate path
00600  *     0   - CA can issues end-entity certificates only
00601  *     > 0 - the number of certificates in the certificate path is
00602  *           limited to this number
00603  */
00604 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
00605 
00606 struct CERTBasicConstraintsStr {
00607     PRBool isCA;                   /* on if is CA */
00608     int pathLenConstraint;         /* maximum number of certificates that can be
00609                                       in the cert path.  Only applies to a CA
00610                                       certificate; otherwise, it's ignored.
00611                                     */
00612 };
00613 
00614 /* Maximum length of a certificate chain */
00615 #define CERT_MAX_CERT_CHAIN 20
00616 
00617 #define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
00618 #define CERT_MAX_DN_BYTES             4096  /* arbitrary */
00619 
00620 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
00621 #define RF_UNUSED                  (0x80) /* bit 0 */
00622 #define RF_KEY_COMPROMISE          (0x40)  /* bit 1 */
00623 #define RF_CA_COMPROMISE           (0x20)  /* bit 2 */
00624 #define RF_AFFILIATION_CHANGED            (0x10)  /* bit 3 */
00625 #define RF_SUPERSEDED                     (0x08)  /* bit 4 */
00626 #define RF_CESSATION_OF_OPERATION  (0x04)  /* bit 5 */
00627 #define RF_CERTIFICATE_HOLD        (0x02)  /* bit 6 */
00628 
00629 /* If we needed to extract the general name field, use this */
00630 /* General Name types */
00631 typedef enum CERTGeneralNameTypeEnum {
00632     certOtherName = 1,
00633     certRFC822Name = 2,
00634     certDNSName = 3,
00635     certX400Address = 4,
00636     certDirectoryName = 5,
00637     certEDIPartyName = 6,
00638     certURI = 7,
00639     certIPAddress = 8,
00640     certRegisterID = 9
00641 } CERTGeneralNameType;
00642 
00643 
00644 typedef struct OtherNameStr {
00645     SECItem          name;
00646     SECItem          oid;
00647 }OtherName;
00648 
00649 
00650 
00651 struct CERTGeneralNameStr {
00652     CERTGeneralNameType type;             /* name type */
00653     union {
00654        CERTName directoryName;         /* distinguish name */
00655        OtherName  OthName;         /* Other Name */
00656        SECItem other;                  /* the rest of the name forms */
00657     }name;
00658     SECItem derDirectoryName;             /* this is saved to simplify directory name
00659                                       comparison */
00660     PRCList l;
00661 };
00662 
00663 struct CERTGeneralNameListStr {
00664     PRArenaPool *arena;
00665     CERTGeneralName *name;
00666     int refCount;
00667     int len;
00668     PZLock *lock;
00669 };
00670 
00671 struct CERTNameConstraintStr {
00672     CERTGeneralName  name;
00673     SECItem          DERName;
00674     SECItem          min;
00675     SECItem          max;
00676     PRCList          l;
00677 };
00678 
00679 
00680 struct CERTNameConstraintsStr {
00681     CERTNameConstraint  *permited;
00682     CERTNameConstraint  *excluded;
00683     SECItem             **DERPermited;
00684     SECItem             **DERExcluded;
00685 };
00686 
00687 
00688 /* Private Key Usage Period extension struct. */
00689 struct CERTPrivKeyUsagePeriodStr {
00690     SECItem notBefore;
00691     SECItem notAfter;
00692     PRArenaPool *arena;
00693 };
00694 
00695 /* X.509 v3 Authority Key Identifier extension.  For the authority certificate
00696    issuer field, we only support URI now.
00697  */
00698 struct CERTAuthKeyIDStr {
00699     SECItem keyID;                 /* unique key identifier */
00700     CERTGeneralName *authCertIssuer;      /* CA's issuer name.  End with a NULL */
00701     SECItem authCertSerialNumber;  /* CA's certificate serial number */
00702     SECItem **DERAuthCertIssuer;   /* This holds the DER encoded format of
00703                                       the authCertIssuer field. It is used
00704                                       by the encoding engine. It should be
00705                                       used as a read only field by the caller.
00706                                    */
00707 };
00708 
00709 /* x.509 v3 CRL Distributeion Point */
00710 
00711 /*
00712  * defined the types of CRL Distribution points
00713  */
00714 typedef enum DistributionPointTypesEnum {
00715     generalName = 1,               /* only support this for now */
00716     relativeDistinguishedName = 2
00717 } DistributionPointTypes;
00718 
00719 struct CRLDistributionPointStr {
00720     DistributionPointTypes distPointType;
00721     union {
00722        CERTGeneralName *fullName;
00723        CERTRDN relativeName;
00724     } distPoint;
00725     SECItem reasons;
00726     CERTGeneralName *crlIssuer;
00727     
00728     /* Reserved for internal use only*/
00729     SECItem derDistPoint;
00730     SECItem derRelativeName;
00731     SECItem **derCrlIssuer;
00732     SECItem **derFullName;
00733     SECItem bitsmap;
00734 };
00735 
00736 struct CERTCrlDistributionPointsStr {
00737     CRLDistributionPoint **distPoints;
00738 };
00739 
00740 /*
00741  * This structure is used to keep a log of errors when verifying
00742  * a cert chain.  This allows multiple errors to be reported all at
00743  * once.
00744  */
00745 struct CERTVerifyLogNodeStr {
00746     CERTCertificate *cert;  /* what cert had the error */
00747     long error;                    /* what error was it? */
00748     unsigned int depth;            /* how far up the chain are we */
00749     void *arg;                     /* error specific argument */
00750     struct CERTVerifyLogNodeStr *next; /* next in the list */
00751     struct CERTVerifyLogNodeStr *prev; /* next in the list */
00752 };
00753 
00754 
00755 struct CERTVerifyLogStr {
00756     PRArenaPool *arena;
00757     unsigned int count;
00758     struct CERTVerifyLogNodeStr *head;
00759     struct CERTVerifyLogNodeStr *tail;
00760 };
00761 
00762 
00763 struct CERTOKDomainNameStr {
00764     CERTOKDomainName *next;
00765     char              name[1]; /* actual length may be longer. */
00766 };
00767 
00768 
00769 typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
00770                                               CERTCertificate *cert,
00771                                               int64 time,
00772                                               void *pwArg);
00773 
00774 typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
00775 
00776 struct CERTStatusConfigStr {
00777     CERTStatusChecker statusChecker;      /* NULL means no checking enabled */
00778     CERTStatusDestroy statusDestroy;      /* enabled or no, will clean up */
00779     void *statusContext;           /* cx specific to checking protocol */
00780 };
00781 
00782 struct CERTAuthInfoAccessStr {
00783     SECItem method;
00784     SECItem derLocation;
00785     CERTGeneralName *location;            /* decoded location */
00786 };
00787 
00788 
00789 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
00790 /* callback to return database name based on version number */
00791 typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
00792 
00793 /*
00794  * types of cert packages that we can decode
00795  */
00796 typedef enum CERTPackageTypeEnum {
00797     certPackageNone = 0,
00798     certPackageCert = 1,
00799     certPackagePKCS7 = 2,
00800     certPackageNSCertSeq = 3,
00801     certPackageNSCertWrap = 4
00802 } CERTPackageType;
00803 
00804 /*
00805  * these types are for the PKIX Certificate Policies extension
00806  */
00807 typedef struct {
00808     SECOidTag oid;
00809     SECItem qualifierID;
00810     SECItem qualifierValue;
00811 } CERTPolicyQualifier;
00812 
00813 typedef struct {
00814     SECOidTag oid;
00815     SECItem policyID;
00816     CERTPolicyQualifier **policyQualifiers;
00817 } CERTPolicyInfo;
00818 
00819 typedef struct {
00820     PRArenaPool *arena;
00821     CERTPolicyInfo **policyInfos;
00822 } CERTCertificatePolicies;
00823 
00824 typedef struct {
00825     SECItem organization;
00826     SECItem **noticeNumbers;
00827 } CERTNoticeReference;
00828 
00829 typedef struct {
00830     PRArenaPool *arena;
00831     CERTNoticeReference noticeReference;
00832     SECItem derNoticeReference;
00833     SECItem displayText;
00834 } CERTUserNotice;
00835 
00836 typedef struct {
00837     PRArenaPool *arena;
00838     SECItem **oids;
00839 } CERTOidSequence;
00840 
00841 
00842 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
00843 
00844 #include "secasn1t.h"       /* way down here because I expect template stuff to
00845                       * move out of here anyway */
00846 
00847 SEC_BEGIN_PROTOS
00848 
00849 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
00850 extern const SEC_ASN1Template CERT_CertificateTemplate[];
00851 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
00852 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
00853 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
00854 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
00855 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
00856 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
00857 extern const SEC_ASN1Template CERT_ValidityTemplate[];
00858 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
00859 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
00860 
00861 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
00862 extern const SEC_ASN1Template CERT_NameTemplate[];
00863 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
00864 extern const SEC_ASN1Template CERT_RDNTemplate[];
00865 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
00866 extern const SEC_ASN1Template CERT_CrlTemplate[];
00867 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
00868 
00869 /*
00870 ** XXX should the attribute stuff be centralized for all of ns/security?
00871 */
00872 extern const SEC_ASN1Template CERT_AttributeTemplate[];
00873 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
00874 
00875 /* These functions simply return the address of the above-declared templates.
00876 ** This is necessary for Windows DLLs.  Sigh.
00877 */
00878 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
00879 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
00880 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
00881 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
00882 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
00883 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
00884 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
00885 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
00886 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
00887 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
00888 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
00889 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
00890 
00891 SEC_END_PROTOS
00892 
00893 #endif /* _CERTT_H_ */