00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 /*
00037  * certt.h - public data structures for the certificate library
00038  *
00039  * $Id: pcertt.h,v 1.13.30.1 2006/04/25 02:22:27 nelson%bolyard.com Exp $
00040  */
00041 #ifndef _PCERTT_H_
00042 #define _PCERTT_H_
00043 
00044 #include "prclist.h"
00045 #include "pkcs11t.h"
00046 #include "seccomon.h"
00047 #include "secoidt.h"
00048 #include "plarena.h"
00049 #include "prcvar.h"
00050 #include "nssilock.h"
00051 #include "prio.h"
00052 #include "prmon.h"
00053 
/* Non-opaque objects.
 * Typedef names for the structures used by the low-level certificate
 * database code.  All of them except NSSLOWCERTCertDBHandleStr and
 * NSSLOWCERTCertificateListStr have their bodies defined later in this
 * file; those two are not defined here (the DB handle is only ever
 * referenced through pointers in this file). */
typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;

typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
00066 
/*
** An X.509 validity object: the notBefore / notAfter pair of a certificate.
** The two SECItems hold the encoded time values; arena is presumably the
** pool that owns their data (allocation happens elsewhere - verify against
** the decoder before freeing anything through it).
*/
struct NSSLOWCERTValidityStr {
    PRArenaPool *arena;
    SECItem notBefore;        /* start of the validity period */
    SECItem notAfter;         /* end of the validity period */
};
00075 
/*
 * A serial number and issuer name, which is used as a database key.
 *
 * Note that NSSLOWCERTIssuerAndSNStr (below) carries the same two items
 * but in the opposite member order, so the two structs are not layout
 * compatible and must not be cast to each other.
 */
struct NSSLOWCERTCertKeyStr {
    SECItem serialNumber;     /* certificate serial number */
    SECItem derIssuer;        /* DER encoded issuer name */
};
00083 
/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: the bytes that were signed, the algorithm that
** signed them and the resulting signature value.
*/
struct NSSLOWCERTSignedDataStr {
    SECItem data;                       /* the to-be-signed bytes */
    SECAlgorithmID signatureAlgorithm;  /* algorithm (and params) used to sign */
    SECItem signature;                  /* the signature value itself */
};
00093 
/*
** An X.509 subject-public-key-info object: the key algorithm identifier
** plus the encoded public key.  arena is presumably the pool owning the
** item data - confirm against the decoder.
*/
struct NSSLOWCERTSubjectPublicKeyInfoStr {
    PRArenaPool *arena;
    SECAlgorithmID algorithm;       /* public key algorithm (and params) */
    SECItem subjectPublicKey;       /* encoded public key (a BIT STRING in X.509) */
};
00102 
/* Forward typedefs for the certificate and revocation database entry
 * structs; their bodies (_certDBEntryCert, _certDBEntryRevocation) are
 * defined further down, after certDBEntryCommon.
 * NOTE(review): leading-underscore tag names are reserved identifiers in
 * standard C; they are kept here for source compatibility. */
typedef struct _certDBEntryCert certDBEntryCert;
typedef struct _certDBEntryRevocation certDBEntryRevocation;
00105 
/*
** Trust settings for a certificate, one flag word per usage.  Each word
** presumably holds a combination of the CERTDB_* bits defined at the end
** of this file; in the certificate database entry each is serialized as
** two bytes (msb, lsb), see the _certDBEntryCert layout below.
*/
struct NSSLOWCERTCertTrustStr {
    unsigned int sslFlags;              /* trust for SSL/TLS use */
    unsigned int emailFlags;            /* trust for e-mail (S/MIME) use */
    unsigned int objectSigningFlags;    /* trust for object signing use */
};
00111 
/*
** PKCS11 Trust representation: the trust settings for one certificate as
** seen through the PKCS#11 layer, together with the database bookkeeping
** needed to get back to the cert's entry.
*/
struct NSSLOWCERTTrustStr {
    NSSLOWCERTTrust *next;                /* link for lists of trust objects */
    NSSLOWCERTCertDBHandle *dbhandle;     /* database this trust record lives in */
    SECItem dbKey;                 /* database key for this cert */
    certDBEntryCert *dbEntry;             /* database entry struct */
    NSSLOWCERTCertTrust *trust;           /* the actual trust flag words */
    SECItem *derCert;                     /* original DER for the cert */
    unsigned char dbKeySpace[512];        /* inline storage, presumably backing dbKey
                                           * when the key fits; verify the bounds
                                           * check in whatever fills it */
};
00124 
/*
** An X.509 certificate object (the unsigned form), as held by the
** low-level certificate database.  Most members are SECItems that either
** point into derCert or are derived from it.
**
** NOTE(review): the original comment here described an "arena" used to
** allocate everything with the same lifetime as the cert, freed all at
** once when the cert is decoded, destroyed or changes state.  This struct
** has no arena member, so that comment is presumably left over from the
** full certificate structure this one was derived from.  Confirm how the
** SECItem data below is actually owned and freed before relying on it.
*/
struct NSSLOWCERTCertificateStr {
    NSSLOWCERTCertificate *next;          /* link for lists of certs */
    NSSLOWCERTCertDBHandle *dbhandle;     /* database this cert came from */

    SECItem derCert;               /* original DER for the cert */
    SECItem derIssuer;                    /* DER for issuer name */
    SECItem derSN;                        /* DER for the serial number */
    SECItem serialNumber;                 /* serial number value (presumably
                                           * without the DER tag/length - verify) */
    SECItem derSubject;                   /* DER for subject name */
    SECItem derSubjKeyInfo;               /* DER for subjectPublicKeyInfo */
    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;  /* decoded form of derSubjKeyInfo */
    SECItem certKey;               /* database key for this cert */
    SECItem validity;                     /* encoded validity (notBefore/notAfter) */
    certDBEntryCert *dbEntry;             /* database entry struct */
    SECItem subjectKeyID;   /* x509v3 subject key identifier */
    char *nickname;                       /* user-visible nickname, may be NULL */
    char *emailAddr;                      /* e-mail address from the cert, may be NULL */
    NSSLOWCERTCertTrust *trust;           /* trust flag words for this cert */

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate.  It is a plain int: this struct provides
     * no synchronization of its own, so any locking is up to the code that
     * touches it.
     */
    int referenceCount;

    /* Inline storage, presumably used to back nickname / certKey when they
     * fit; verify the bounds checks in the code that fills them. */
    char nicknameSpace[200];
    unsigned char certKeySpace[512];
};
00161 
/* Values of the X.509 certificate "version" field as encoded on the wire:
 * the INTEGER holds (version - 1), so v1 is 0, v2 is 1 and v3 is 2. */
#define SEC_CERTIFICATE_VERSION_1         0      /* default created */
#define SEC_CERTIFICATE_VERSION_2         1      /* v2 */
#define SEC_CERTIFICATE_VERSION_3         2      /* v3 extensions */

/* Same (version - 1) convention for the CRL "version" field. */
#define SEC_CRL_VERSION_1          0      /* default */
#define SEC_CRL_VERSION_2          1      /* v2 extensions */
00168 
/*
 * An issuer name plus serial number, the pair that identifies a certificate.
 * Same items as NSSLOWCERTCertKeyStr but in the opposite member order, so
 * the two are not layout compatible.
 */
struct NSSLOWCERTIssuerAndSNStr {
    SECItem derIssuer;        /* DER encoded issuer name */
    SECItem serialNumber;     /* certificate serial number */
};
00173 
/* Per-certificate callback: invoked with a certificate and the caller's
 * opaque arg, returns a SECStatus (presumably SECFailure stops the
 * iteration - confirm in the traversal code). */
typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);

/* This is the typedef for the callback passed to nsslowcert_OpenCertDB().
 * It returns the database file name to use for the given database format
 * version, given the caller's opaque arg.  Ownership of the returned string
 * (who frees it) is not specified in this file - check the caller. */
typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
00179 
00180 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
00181 
00182 #include "secasn1t.h"       /* way down here because I expect template stuff to
00183                       * move out of here anyway */
00184 
00185 /*
00186  * Certificate Database related definitions and data structures
00187  */
00188 
/* version number of certificate database */
#define CERT_DB_FILE_VERSION              8   /* current on-disk file format */
#define CERT_DB_V7_FILE_VERSION           7   /* previous file format */
#define CERT_DB_CONTENT_VERSION           2   /* content version, presumably stored
                                               * under SEC_DB_CONTENT_VERSION_KEY */

/* Size of the fixed header that starts every database entry (version, type,
 * flags - see the layout just below) and of the prefix on every database
 * key.  Decoders should check an entry is at least this long before reading
 * it.  What the single key header byte holds is not described in this file. */
#define SEC_DB_ENTRY_HEADER_LEN           3
#define SEC_DB_KEY_HEADER_LEN             1
00196 
00197 /* All database entries have this form:
00198  *     
00199  *     byte offset   field
00200  *     -----------   -----
00201  *     0             version
00202  *     1             type
00203  *     2             flags
00204  */
00205 
/* database entry types.
 * These values are persisted in the "type" byte of the entry header, so
 * they are part of the on-disk format: never renumber them.  Code reading
 * the header should reject any type byte outside this range. */
typedef enum {
    certDBEntryTypeVersion = 0,          /* certDBEntryVersion */
    certDBEntryTypeCert = 1,             /* certDBEntryCert */
    certDBEntryTypeNickname = 2,         /* certDBEntryNickname */
    certDBEntryTypeSubject = 3,          /* certDBEntrySubject */
    certDBEntryTypeRevocation = 4,       /* certDBEntryRevocation (CRL) */
    certDBEntryTypeKeyRevocation = 5,    /* certDBEntryRevocation (KRL) */
    certDBEntryTypeSMimeProfile = 6,     /* certDBEntrySMime */
    certDBEntryTypeContentVersion = 7,   /* certDBEntryContentVersion */
    certDBEntryTypeBlob = 8              /* no struct for this type in this file */
} certDBEntryType;
00218 
/* Decoded form of the 3-byte header (version, type, flags) that begins every
 * database entry, plus the arena the entry's data is allocated from.  Every
 * certDBEntry* struct starts with one of these, which is what lets the
 * certDBEntry union below be inspected through its "common" member. */
typedef struct {
    certDBEntryType type;       /* header byte 1 */
    unsigned int version;       /* header byte 0 */
    unsigned int flags;         /* header byte 2 */
    PRArenaPool *arena;         /* presumably owns the entry's variable data */
} certDBEntryCommon;
00225 
/*
 * Certificate entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             sslFlags-msb
 *     1             sslFlags-lsb
 *     2             emailFlags-msb
 *     3             emailFlags-lsb
 *     4             objectSigningFlags-msb
 *     5             objectSigningFlags-lsb
 *     6             derCert-len-msb
 *     7             derCert-len-lsb
 *     8             nickname-len-msb
 *     9             nickname-len-lsb
 *     ...           derCert
 *     ...           nickname
 *
 * All multi-byte fields are 16-bit, most significant byte first.  The fixed
 * part is offsets 0..9, i.e. DB_CERT_ENTRY_HEADER_LEN (10) bytes; a decoder
 * should check the entry is at least that long before reading the length
 * fields, and check derCert-len + nickname-len against the remaining entry
 * length before copying either.
 *
 * NOTE: the nickname string as stored in the database is null terminated,
 *            in other words, the last byte of the db entry is always 0
 *            if a nickname is present.
 * NOTE: if nickname is not present, then nickname-len-msb and
 *            nickname-len-lsb will both be zero.
 */
struct _certDBEntryCert {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    certDBEntryCert *next;        /* link for lists of cert entries */
    NSSLOWCERTCertTrust trust;    /* sslFlags / emailFlags / objectSigningFlags */
    SECItem derCert;              /* the DER certificate bytes */
    char *nickname;               /* nickname string, presumably NULL when absent */
    char nicknameSpace[200];      /* inline storage, presumably backing nickname */
    unsigned char derCertSpace[2048];
    /* NOTE(review): derCert-len is a 16-bit field, so an entry may carry far
     * more derCert bytes than derCertSpace holds (likewise nickname-len vs
     * nicknameSpace).  Confirm that the decoder falls back to the arena for
     * oversized values instead of copying into these fixed buffers. */
};
00259 
/*
 * Certificate Nickname entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             subjectname-len-msb
 *     1             subjectname-len-lsb
 *     2...          subjectname
 *
 * The database key for this type of entry is a nickname string
 * The "subjectname" value is the DER encoded DN of the identity
 *   that matches this nickname.
 * The fixed part is DB_NICKNAME_ENTRY_HEADER_LEN (2) bytes; subjectname-len
 * should be checked against the remaining entry length before it is used.
 */
typedef struct {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    char *nickname;               /* the nickname (this entry's key) */
    SECItem subjectName;          /* DER DN of the matching identity */
} certDBEntryNickname;

#define DB_NICKNAME_ENTRY_HEADER_LEN 2
00280 
/*
 * Certificate Subject entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             ncerts-msb
 *     1             ncerts-lsb
 *     2             nickname-msb
 *     3             nickname-lsb
 *     4             emailAddr-msb
 *     5             emailAddr-lsb
 *     ...           nickname
 *     ...           emailAddr
 *     ...+2*i                certkey-len-msb
 *     ...+1+2*i              certkey-len-lsb
 *     ...+2*ncerts+2*i       keyid-len-msb
 *     ...+1+2*ncerts+2*i     keyid-len-lsb
 *     ...           certkeys
 *     ...           keyids
 *
 * The database key for this type of entry is the DER encoded subject name
 * The "certkey" value is an array of certificate database lookup keys that
 *   points to the database entries for the certificates that match
 *   this subject.
 *
 * The fixed part is DB_SUBJECT_ENTRY_HEADER_LEN (6) bytes.  ncerts comes
 * from the file, so a decoder should bound it (and every per-cert length)
 * against the remaining entry length before allocating or copying.
 *
 * NOTE(review): the layout above shows a single emailAddr length, while the
 * struct carries an array (emailAddrs / nemailAddrs); how several addresses
 * are encoded is not described here - confirm against the decoder.
 */
typedef struct _certDBEntrySubject {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    SECItem derSubject;           /* DER subject name (this entry's key) */
    unsigned int ncerts;          /* number of certKeys / keyIDs */
    char *nickname;               /* nickname for this subject, may be NULL */
    SECItem *certKeys;            /* ncerts database keys of matching certs */
    SECItem *keyIDs;              /* ncerts subject key identifiers */
    char **emailAddrs;            /* nemailAddrs e-mail address strings */
    unsigned int nemailAddrs;
} certDBEntrySubject;

#define DB_SUBJECT_ENTRY_HEADER_LEN 6
00319 
/*
 * Certificate SMIME profile entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             subjectname-len-msb
 *     1             subjectname-len-lsb
 *     2             smimeoptions-len-msb
 *     3             smimeoptions-len-lsb
 *     4             options-date-len-msb
 *     5             options-date-len-lsb
 *     6...          subjectname
 *     ...           smimeoptions
 *     ...           options-date
 *
 * The database key for this type of entry is the email address string
 * The "subjectname" value is the DER encoded DN of the identity
 *   that matches this email address.
 * The "smimeoptions" value is a string that represents the algorithm
 *   capabilities on the remote user.
 * The "options-date" is the date that the smime options value was created.
 *   This is generally the signing time of the signed message that contained
 *   the options.  It is a UTCTime value.
 * The fixed part is DB_SMIME_ENTRY_HEADER_LEN (6) bytes; the three lengths
 * should be checked against the remaining entry length before use.
 */
typedef struct {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    char *emailAddr;              /* the e-mail address (this entry's key) */
    SECItem subjectName;          /* DER DN of the matching identity */
    SECItem smimeOptions;         /* remote user's algorithm capabilities */
    SECItem optionsDate;          /* UTCTime the options were created */
} certDBEntrySMime;

#define DB_SMIME_ENTRY_HEADER_LEN 6
00353 
/*
 * Crl/krl entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             derCert-len-msb
 *     1             derCert-len-lsb
 *     2             url-len-msb
 *     3             url-len-lsb
 *     ...           derCert
 *     ...           url
 *
 * Despite the "derCert" label, the blob stored here is the DER encoded CRL
 * (or KRL); it lands in the derCrl member below.  The fixed part is
 * DB_CRL_ENTRY_HEADER_LEN (4) bytes; both lengths should be checked against
 * the remaining entry length before use.
 *
 * NOTE: the url string as stored in the database is null terminated,
 *            in other words, the last byte of the db entry is always 0
 *            if a url is present.
 * NOTE: if url is not present, then url-len-msb and
 *            url-len-lsb will both be zero.
 */
#define DB_CRL_ENTRY_HEADER_LEN    4
struct _certDBEntryRevocation {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    SECItem   derCrl;             /* the DER encoded CRL/KRL */
    char      *url;  /* where to load the crl from; comes from the database
                      * file, so code that fetches from it should treat it
                      * as untrusted input */
};
00378 
/*
 * Database Version Entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     only the low level header...
 *
 * The database key for this type of entry is the string "Version".
 * The file version itself is carried in the "version" byte of the common
 * header (see certDBEntryCommon), which is why there is no payload.
 */
typedef struct {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
} certDBEntryVersion;

#define SEC_DB_VERSION_KEY "Version"
/* sizeof of the literal, so this counts the terminating NUL (8 bytes for
 * "Version"); presumably the stored key includes that byte - keep it
 * consistent with whatever the lookup code uses. */
#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
00394 
/*
 * Database Content Version Entry:
 *
 *     byte offset   field
 *     -----------   -----
 *     0             contentVersion
 *
 * The database key for this type of entry is the string "ContentVersion".
 * The payload is a single byte, matching the char member below.
 */
typedef struct {
    certDBEntryCommon common;     /* decoded 3-byte entry header */
    char contentVersion;          /* the one payload byte */
} certDBEntryContentVersion;

#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
/* sizeof of the literal, so this counts the terminating NUL (15 bytes for
 * "ContentVersion"); presumably the stored key includes that byte. */
#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
00411 
/*
 * Any database entry.  Every member begins with a certDBEntryCommon, so
 * "common.type" can be read through this union to find out which member is
 * active before touching it.  Note the union is large: certDBEntryCert
 * alone carries 2048 + 200 bytes of inline space.
 */
typedef union {
    certDBEntryCommon         common;
    certDBEntryCert           cert;
    certDBEntryContentVersion content;
    certDBEntryNickname       nickname;
    certDBEntryRevocation     revocation;
    certDBEntrySMime          smime;
    certDBEntrySubject        subject;
    certDBEntryVersion        version;
} certDBEntry;
00422 
/* length of the fixed part of a database entry.
 * DB_CERT_ENTRY_HEADER_LEN is the current certificate entry layout
 * (offsets 0..9 in the _certDBEntryCert comment).  The V4/V5/V6 values
 * are the fixed part in older file formats; what those formats left out
 * is not described here. */
#define DBCERT_V4_HEADER_LEN       7
#define DB_CERT_V5_ENTRY_HEADER_LEN       7
#define DB_CERT_V6_ENTRY_HEADER_LEN       7
#define DB_CERT_ENTRY_HEADER_LEN   10
00428 
/* common flags for all types of certificates.
 * Only bits 0..11 are used, so each flag word fits the two-byte (msb/lsb)
 * fields of the certificate database entry.  These are presumably the bit
 * values of the sslFlags / emailFlags / objectSigningFlags words in
 * NSSLOWCERTCertTrust - confirm against the trust decoding code.
 * NOTE(review): CERTDB_NOT_TRUSTED is an explicit distrust marker; code
 * that evaluates trust should presumably test it before honoring any of
 * the positive bits - confirm in the trust evaluation code. */
#define CERTDB_VALID_PEER   (1<<0)
#define CERTDB_TRUSTED             (1<<1)
#define CERTDB_SEND_WARN    (1<<2)
#define CERTDB_VALID_CA            (1<<3)
#define CERTDB_TRUSTED_CA   (1<<4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA       (1<<5)
#define CERTDB_USER         (1<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA    (1<<9) /* can do strong crypto in export ver */
#define CERTDB_NOT_TRUSTED  (1<<10) /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN     (1<<11) /* accept trust from another source */
00442 
/* bits not affected by the CKO_NETSCAPE_TRUST object.
 * Mask of the flags that describe the certificate itself (its role and
 * whether it belongs to the user) rather than a trust decision; when trust
 * is rewritten from a PKCS#11 trust object these bits are presumably
 * carried over unchanged.  Equals bits 0, 3, 5, 6, 8 and 9. */
#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
                                        CERTDB_GOVT_APPROVED_CA)
00447 
00448 #endif /* _PCERTT_H_ */