gecko-dev/security/nss/lib/pki/pkim.h

696 строки
14 KiB
C

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef PKIM_H
#define PKIM_H
#ifndef BASE_H
#include "base.h"
#endif /* BASE_H */
#ifndef PKI_H
#include "pki.h"
#endif /* PKI_H */
#ifndef PKITM_H
#include "pkitm.h"
#endif /* PKITM_H */
PR_BEGIN_EXTERN_C
/* nssPKIObject
*
* This is the base object class, common to all PKI objects defined in
* in this module. Each object can be safely 'casted' to an nssPKIObject,
* then passed to these methods.
*
* nssPKIObject_Create
* nssPKIObject_Destroy
* nssPKIObject_AddRef
* nssPKIObject_AddInstance
* nssPKIObject_HasInstance
* nssPKIObject_GetTokens
* nssPKIObject_GetNicknameForToken
* nssPKIObject_RemoveInstanceForToken
* nssPKIObject_DeleteStoredObject
*/
NSS_EXTERN void nssPKIObject_Lock (nssPKIObject * object);
NSS_EXTERN void nssPKIObject_Unlock (nssPKIObject * object);
NSS_EXTERN PRStatus nssPKIObject_NewLock (nssPKIObject * object,
nssPKILockType lockType);
NSS_EXTERN void nssPKIObject_DestroyLock(nssPKIObject * object);
/* nssPKIObject_Create
*
* A generic PKI object. It must live in a trust domain. It may be
* initialized with a token instance, or alternatively in a crypto context.
*/
NSS_EXTERN nssPKIObject *
nssPKIObject_Create
(
NSSArena *arenaOpt,
nssCryptokiObject *instanceOpt,
NSSTrustDomain *td,
NSSCryptoContext *ccOpt,
nssPKILockType lockType
);
/* nssPKIObject_AddRef
*/
NSS_EXTERN nssPKIObject *
nssPKIObject_AddRef
(
nssPKIObject *object
);
/* nssPKIObject_Destroy
*
* Returns true if object was destroyed. This notifies the subclass that
* all references are gone and it should delete any members it owns.
*/
NSS_EXTERN PRBool
nssPKIObject_Destroy
(
nssPKIObject *object
);
/* nssPKIObject_AddInstance
*
* Add a token instance to the object, if it does not have it already.
*/
NSS_EXTERN PRStatus
nssPKIObject_AddInstance
(
nssPKIObject *object,
nssCryptokiObject *instance
);
/* nssPKIObject_HasInstance
*
* Query the object for a token instance.
*/
NSS_EXTERN PRBool
nssPKIObject_HasInstance
(
nssPKIObject *object,
nssCryptokiObject *instance
);
/* nssPKIObject_GetTokens
*
* Get all tokens which have an instance of the object.
*/
NSS_EXTERN NSSToken **
nssPKIObject_GetTokens
(
nssPKIObject *object,
PRStatus *statusOpt
);
/* nssPKIObject_GetNicknameForToken
*
* tokenOpt == NULL means take the first available, otherwise return the
* nickname for the specified token.
*/
NSS_EXTERN NSSUTF8 *
nssPKIObject_GetNicknameForToken
(
nssPKIObject *object,
NSSToken *tokenOpt
);
/* nssPKIObject_RemoveInstanceForToken
*
* Remove the instance of the object on the specified token.
*/
NSS_EXTERN PRStatus
nssPKIObject_RemoveInstanceForToken
(
nssPKIObject *object,
NSSToken *token
);
/* nssPKIObject_DeleteStoredObject
*
* Delete all token instances of the object, as well as any crypto context
* instances (TODO). If any of the instances are read-only, or if the
* removal fails, the object will keep those instances. 'isFriendly' refers
* to the object -- can this object be removed from a friendly token without
* login? For example, certificates are friendly, private keys are not.
* Note that if the token is not friendly, authentication will be required
* regardless of the value of 'isFriendly'.
*/
NSS_EXTERN PRStatus
nssPKIObject_DeleteStoredObject
(
nssPKIObject *object,
NSSCallback *uhh,
PRBool isFriendly
);
NSS_EXTERN nssCryptokiObject **
nssPKIObject_GetInstances
(
nssPKIObject *object
);
NSS_EXTERN NSSCertificate **
nssTrustDomain_FindCertificatesByID
(
NSSTrustDomain *td,
NSSItem *id,
NSSCertificate **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSCRL **
nssTrustDomain_FindCRLsBySubject
(
NSSTrustDomain *td,
NSSDER *subject
);
/* module-private nsspki methods */
NSS_EXTERN NSSCryptoContext *
nssCryptoContext_Create
(
NSSTrustDomain *td,
NSSCallback *uhhOpt
);
/* XXX for the collection */
NSS_EXTERN NSSCertificate *
nssCertificate_Create
(
nssPKIObject *object
);
NSS_EXTERN PRStatus
nssCertificate_SetCertTrust
(
NSSCertificate *c,
NSSTrust *trust
);
NSS_EXTERN nssDecodedCert *
nssCertificate_GetDecoding
(
NSSCertificate *c
);
extern PRIntn
nssCertificate_SubjectListSort
(
void *v1,
void *v2
);
NSS_EXTERN nssDecodedCert *
nssDecodedCert_Create
(
NSSArena *arenaOpt,
NSSDER *encoding,
NSSCertificateType type
);
NSS_EXTERN PRStatus
nssDecodedCert_Destroy
(
nssDecodedCert *dc
);
NSS_EXTERN NSSTrust *
nssTrust_Create
(
nssPKIObject *object,
NSSItem *certData
);
NSS_EXTERN NSSCRL *
nssCRL_Create
(
nssPKIObject *object
);
NSS_EXTERN NSSCRL *
nssCRL_AddRef
(
NSSCRL *crl
);
NSS_EXTERN PRStatus
nssCRL_Destroy
(
NSSCRL *crl
);
NSS_EXTERN PRStatus
nssCRL_DeleteStoredObject
(
NSSCRL *crl,
NSSCallback *uhh
);
NSS_EXTERN NSSPrivateKey *
nssPrivateKey_Create
(
nssPKIObject *o
);
NSS_EXTERN NSSDER *
nssCRL_GetEncoding
(
NSSCRL *crl
);
NSS_EXTERN NSSPublicKey *
nssPublicKey_Create
(
nssPKIObject *object
);
/* nssCertificateArray
*
* These are being thrown around a lot, might as well group together some
* functionality.
*
* nssCertificateArray_Destroy
* nssCertificateArray_Join
* nssCertificateArray_FindBestCertificate
* nssCertificateArray_Traverse
*/
/* nssCertificateArray_Destroy
*
* Will destroy the array and the certs within it. If the array was created
* in an arena, will *not* (of course) destroy the arena. However, is safe
* to call this method on an arena-allocated array.
*/
NSS_EXTERN void
nssCertificateArray_Destroy
(
NSSCertificate **certs
);
/* nssCertificateArray_Join
*
* Join two arrays into one. The two arrays, certs1 and certs2, should
* be considered invalid after a call to this function (they may be destroyed
* as part of the join). certs1 and/or certs2 may be NULL. Safe to
* call with arrays allocated in an arena, the result will also be in the
* arena.
*/
NSS_EXTERN NSSCertificate **
nssCertificateArray_Join
(
NSSCertificate **certs1,
NSSCertificate **certs2
);
/* nssCertificateArray_FindBestCertificate
*
* Use the usual { time, usage, policies } to find the best cert in the
* array.
*/
NSS_EXTERN NSSCertificate *
nssCertificateArray_FindBestCertificate
(
NSSCertificate **certs,
NSSTime *timeOpt,
const NSSUsage *usage,
NSSPolicies *policiesOpt
);
/* nssCertificateArray_Traverse
*
* Do the callback for each cert, terminate the traversal if the callback
* fails.
*/
NSS_EXTERN PRStatus
nssCertificateArray_Traverse
(
NSSCertificate **certs,
PRStatus (* callback)(NSSCertificate *c, void *arg),
void *arg
);
NSS_EXTERN void
nssCRLArray_Destroy
(
NSSCRL **crls
);
/* nssPKIObjectCollection
*
* This is a handy way to group objects together and perform operations
* on them. It can also handle "proto-objects"-- references to
* objects instances on tokens, where the actual object hasn't
* been formed yet.
*
* nssCertificateCollection_Create
* nssPrivateKeyCollection_Create
* nssPublicKeyCollection_Create
*
* If this was a language that provided for inheritance, each type would
* inherit all of the following methods. Instead, there is only one
* type (nssPKIObjectCollection), shared among all. This may cause
* confusion; an alternative would be to define all of the methods
* for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't
* seem worth the code bloat.. It is left up to the caller to remember
* what type of collection he/she is dealing with.
*
* nssPKIObjectCollection_Destroy
* nssPKIObjectCollection_Count
* nssPKIObjectCollection_AddObject
* nssPKIObjectCollection_AddInstances
* nssPKIObjectCollection_Traverse
*
* Back to type-specific methods.
*
* nssPKIObjectCollection_GetCertificates
* nssPKIObjectCollection_GetCRLs
* nssPKIObjectCollection_GetPrivateKeys
* nssPKIObjectCollection_GetPublicKeys
*/
/* nssCertificateCollection_Create
*
* Create a collection of certificates in the specified trust domain.
* Optionally provide a starting set of certs.
*/
NSS_EXTERN nssPKIObjectCollection *
nssCertificateCollection_Create
(
NSSTrustDomain *td,
NSSCertificate **certsOpt
);
/* nssCRLCollection_Create
*
* Create a collection of CRLs/KRLs in the specified trust domain.
* Optionally provide a starting set of CRLs.
*/
NSS_EXTERN nssPKIObjectCollection *
nssCRLCollection_Create
(
NSSTrustDomain *td,
NSSCRL **crlsOpt
);
/* nssPrivateKeyCollection_Create
*
* Create a collection of private keys in the specified trust domain.
* Optionally provide a starting set of keys.
*/
NSS_EXTERN nssPKIObjectCollection *
nssPrivateKeyCollection_Create
(
NSSTrustDomain *td,
NSSPrivateKey **pvkOpt
);
/* nssPublicKeyCollection_Create
*
* Create a collection of public keys in the specified trust domain.
* Optionally provide a starting set of keys.
*/
NSS_EXTERN nssPKIObjectCollection *
nssPublicKeyCollection_Create
(
NSSTrustDomain *td,
NSSPublicKey **pvkOpt
);
/* nssPKIObjectCollection_Destroy
*/
NSS_EXTERN void
nssPKIObjectCollection_Destroy
(
nssPKIObjectCollection *collection
);
/* nssPKIObjectCollection_Count
*/
NSS_EXTERN PRUint32
nssPKIObjectCollection_Count
(
nssPKIObjectCollection *collection
);
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddObject
(
nssPKIObjectCollection *collection,
nssPKIObject *object
);
/* nssPKIObjectCollection_AddInstances
*
* Add a set of object instances to the collection. The instances
* will be sorted into any existing certs/proto-certs that may be in
* the collection. The instances will be absorbed by the collection,
* the array should not be used after this call (except to free it).
*
* Failure means the collection is in an invalid state.
*
* numInstances = 0 means the array is NULL-terminated
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstances
(
nssPKIObjectCollection *collection,
nssCryptokiObject **instances,
PRUint32 numInstances
);
/* nssPKIObjectCollection_Traverse
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_Traverse
(
nssPKIObjectCollection *collection,
nssPKIObjectCallback *callback
);
/* This function is being added for NSS 3.5. It corresponds to the function
* nssToken_TraverseCertificates. The idea is to use the collection during
* a traversal, creating certs each time a new instance is added for which
* a cert does not already exist.
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstanceAsObject
(
nssPKIObjectCollection *collection,
nssCryptokiObject *instance
);
/* nssPKIObjectCollection_GetCertificates
*
* Get all of the certificates in the collection.
*/
NSS_EXTERN NSSCertificate **
nssPKIObjectCollection_GetCertificates
(
nssPKIObjectCollection *collection,
NSSCertificate **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSCRL **
nssPKIObjectCollection_GetCRLs
(
nssPKIObjectCollection *collection,
NSSCRL **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSPrivateKey **
nssPKIObjectCollection_GetPrivateKeys
(
nssPKIObjectCollection *collection,
NSSPrivateKey **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSPublicKey **
nssPKIObjectCollection_GetPublicKeys
(
nssPKIObjectCollection *collection,
NSSPublicKey **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSTime *
NSSTime_Now
(
NSSTime *timeOpt
);
NSS_EXTERN NSSTime *
NSSTime_SetPRTime
(
NSSTime *timeOpt,
PRTime prTime
);
NSS_EXTERN PRTime
NSSTime_GetPRTime
(
NSSTime *time
);
NSS_EXTERN nssHash *
nssHash_CreateCertificate
(
NSSArena *arenaOpt,
PRUint32 numBuckets
);
/* 3.4 Certificate cache routines */
NSS_EXTERN PRStatus
nssTrustDomain_InitializeCache
(
NSSTrustDomain *td,
PRUint32 cacheSize
);
NSS_EXTERN PRStatus
nssTrustDomain_AddCertsToCache
(
NSSTrustDomain *td,
NSSCertificate **certs,
PRUint32 numCerts
);
NSS_EXTERN void
nssTrustDomain_RemoveCertFromCacheLOCKED (
NSSTrustDomain *td,
NSSCertificate *cert
);
NSS_EXTERN void
nssTrustDomain_LockCertCache (
NSSTrustDomain *td
);
NSS_EXTERN void
nssTrustDomain_UnlockCertCache (
NSSTrustDomain *td
);
NSS_IMPLEMENT PRStatus
nssTrustDomain_DestroyCache
(
NSSTrustDomain *td
);
/*
* Remove all certs for the given token from the cache. This is
* needed if the token is removed.
*/
NSS_EXTERN PRStatus
nssTrustDomain_RemoveTokenCertsFromCache
(
NSSTrustDomain *td,
NSSToken *token
);
NSS_EXTERN PRStatus
nssTrustDomain_UpdateCachedTokenCerts
(
NSSTrustDomain *td,
NSSToken *token
);
/*
* Find all cached certs with this nickname (label).
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForNicknameFromCache
(
NSSTrustDomain *td,
const NSSUTF8 *nickname,
nssList *certListOpt
);
/*
* Find all cached certs with this email address.
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForEmailAddressFromCache
(
NSSTrustDomain *td,
NSSASCII7 *email,
nssList *certListOpt
);
/*
* Find all cached certs with this subject.
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForSubjectFromCache
(
NSSTrustDomain *td,
NSSDER *subject,
nssList *certListOpt
);
/*
* Look for a specific cert in the cache.
*/
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertForIssuerAndSNFromCache
(
NSSTrustDomain *td,
NSSDER *issuer,
NSSDER *serialNum
);
/*
* Look for a specific cert in the cache.
*/
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertByDERFromCache
(
NSSTrustDomain *td,
NSSDER *der
);
/* Get all certs from the cache */
/* XXX this is being included to make some old-style calls word, not to
* say we should keep it
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsFromCache
(
NSSTrustDomain *td,
nssList *certListOpt
);
NSS_EXTERN void
nssTrustDomain_DumpCacheInfo
(
NSSTrustDomain *td,
void (* cert_dump_iter)(const void *, void *, void *),
void *arg
);
NSS_EXTERN void
nssCertificateList_AddReferences
(
nssList *certList
);
PR_END_EXTERN_C
#endif /* PKIM_H */