pjs/security/nss/lib/pki/nsspki.h

3162 строки
56 KiB
C

/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1994-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
* replace them with the notice and other provisions required by
* the GPL. If you do not delete the provisions above, a recipient
* may use your version of this file under either the MPL or the
* GPL.
*/
#ifndef NSSPKI_H
#define NSSPKI_H
#ifdef DEBUG
static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile: nsspki.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:16:12 $ $Name: $";
#endif /* DEBUG */
/*
* nsspki.h
*
* This file prototypes the methods of the top-level PKI objects.
*/
#ifndef NSSPKIT_H
#include "nsspkit.h"
#endif /* NSSPKIT_H */
PR_BEGIN_EXTERN_C
/*
* A note about interfaces
*
* Although these APIs are specified in C, a language which does
* not have fancy support for abstract interfaces, this library
* was designed from an object-oriented perspective. It may be
* useful to consider the standard interfaces which went into
* the writing of these APIs.
*
* Basic operations on all objects:
* Destroy -- free a pointer to an object
* DeleteStoredObject -- delete an object permanently
*
* Public Key cryptographic operations:
* Encrypt
* Verify
* VerifyRecover
* Wrap
* Derive
*
* Private Key cryptographic operations:
* IsStillPresent
* Decrypt
* Sign
* SignRecover
* Unwrap
* Derive
*
* Symmetric Key cryptographic operations:
* IsStillPresent
* Encrypt
* Decrypt
* Sign
* SignRecover
* Verify
* VerifyRecover
* Wrap
* Unwrap
* Derive
*
*/
/*
* NSSCertificate
*
* These things can do crypto ops like public keys, except that the trust,
* usage, and other constraints are checked. These objects are "high-level,"
* so trust, usages, etc. are in the form we throw around (client auth,
* email signing, etc.). Remember that theoretically another implementation
* (think PGP) could be beneath this object.
*/
/*
* NSSCertificate_Destroy
*
* Free a pointer to a certificate object.
*/
NSS_EXTERN PRStatus
NSSCertificate_Destroy
(
NSSCertificate *c
);
/*
* NSSCertificate_DeleteStoredObject
*
* Permanently remove this certificate from storage. If this is the
* only (remaining) certificate corresponding to a private key,
* public key, and/or other object; then that object (those objects)
* are deleted too.
*/
NSS_EXTERN PRStatus
NSSCertificate_DeleteStoredObject
(
NSSCertificate *c,
NSSCallback *uhh
);
/*
* NSSCertificate_Validate
*
* Verify that this certificate is trusted, for the specified usage(s),
* at the specified time, {word word} the specified policies.
*/
NSS_EXTERN PRStatus
NSSCertificate_Validate
(
NSSCertificate *c,
NSSTime *timeOpt, /* NULL for "now" */
NSSUsage *usage,
NSSPolicies *policiesOpt /* NULL for none */
);
/*
* NSSCertificate_ValidateCompletely
*
* Verify that this certificate is trusted. The difference between
* this and the previous call is that NSSCertificate_Validate merely
* returns success or failure with an appropriate error stack.
* However, there may be (and often are) multiple problems with a
* certificate. This routine returns an array of errors, specifying
* every problem.
*/
/*
* Return value must be an array of objects, each of which has
* an NSSError, and any corresponding certificate (in the chain)
* and/or policy.
*/
NSS_EXTERN void ** /* void *[] */
NSSCertificate_ValidateCompletely
(
NSSCertificate *c,
NSSTime *timeOpt, /* NULL for "now" */
NSSUsage *usage,
NSSPolicies *policiesOpt, /* NULL for none */
void **rvOpt, /* NULL for allocate */
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt /* NULL for heap */
);
/*
* NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
*
* Returns PR_SUCCESS if the certificate is valid for at least something.
*/
NSS_EXTERN PRStatus
NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
(
NSSCertificate *c,
NSSTime **notBeforeOutOpt,
NSSTime **notAfterOutOpt,
void *allowedUsages,
void *disallowedUsages,
void *allowedPolicies,
void *disallowedPolicies,
/* more args.. work on this fgmr */
NSSArena *arenaOpt
);
/*
* NSSCertificate_Encode
*
*/
NSS_EXTERN NSSDER *
NSSCertificate_Encode
(
NSSCertificate *c,
NSSDER *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCertificate_BuildChain
*
* This routine returns NSSCertificate *'s for each certificate
* in the "chain" starting from the specified one up to and
* including the root. The zeroth element in the array is the
* specified ("leaf") certificate.
*/
NSS_EXTERN NSSCertificate **
NSSCertificate_BuildChain
(
NSSCertificate *c,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* NSSCertificate_GetTrustDomain
*
*/
NSS_EXTERN NSSTrustDomain *
NSSCertificate_GetTrustDomain
(
NSSCertificate *c
);
/*
* NSSCertificate_GetToken
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSToken *
NSSCertificate_GetToken
(
NSSCertificate *c,
PRStatus *statusOpt
);
/*
* NSSCertificate_GetSlot
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSSlot *
NSSCertificate_GetSlot
(
NSSCertificate *c,
PRStatus *statusOpt
);
/*
* NSSCertificate_GetModule
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSModule *
NSSCertificate_GetModule
(
NSSCertificate *c,
PRStatus *statusOpt
);
/*
* NSSCertificate_Encrypt
*
* Encrypt a single chunk of data with the public key corresponding to
* this certificate.
*/
NSS_EXTERN NSSItem *
NSSCertificate_Encrypt
(
NSSCertificate *c,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCertificate_Verify
*
*/
NSS_EXTERN PRStatus
NSSCertificate_Verify
(
NSSCertificate *c,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSItem *signature,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh
);
/*
* NSSCertificate_VerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSCertificate_VerifyRecover
(
NSSCertificate *c,
NSSAlgorithmAndParameters *apOpt,
NSSItem *signature,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCertificate_WrapSymmetricKey
*
* This method tries very hard to to succeed, even in situations
* involving sensitive keys and multiple modules.
* { relyea: want to add verbiage? }
*/
NSS_EXTERN NSSItem *
NSSCertificate_WrapSymmetricKey
(
NSSCertificate *c,
NSSAlgorithmAndParameters *apOpt,
NSSSymmetricKey *keyToWrap,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCertificate_CreateCryptoContext
*
* Create a crypto context, in this certificate's trust domain, with this
* as the distinguished certificate.
*/
NSS_EXTERN NSSCryptoContext *
NSSCertificate_CreateCryptoContext
(
NSSCertificate *c,
NSSAlgorithmAndParameters *apOpt,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh
);
/*
* NSSCertificate_GetPublicKey
*
* Returns the public key corresponding to this certificate.
*/
NSS_EXTERN NSSPublicKey *
NSSCertificate_GetPublicKey
(
NSSCertificate *c
);
/*
* NSSCertificate_FindPrivateKey
*
* Finds and returns the private key corresponding to this certificate,
* if it is available.
*
* { Should this hang off of NSSUserCertificate? }
*/
NSS_EXTERN NSSPrivateKey *
NSSCertificate_FindPrivateKey
(
NSSCertificate *c,
NSSCallback *uhh
);
/*
* NSSCertificate_IsPrivateKeyAvailable
*
* Returns success if the private key corresponding to this certificate
* is available to be used.
*
* { Should *this* hang off of NSSUserCertificate?? }
*/
NSS_EXTERN PRBool
NSSCertificate_IsPrivateKeyAvailable
(
NSSCertificate *c,
NSSCallback *uhh,
PRStatus *statusOpt
);
/*
* If we make NSSUserCertificate not a typedef of NSSCertificate,
* then we'll need implementations of the following:
*
* NSSUserCertificate_Destroy
* NSSUserCertificate_DeleteStoredObject
* NSSUserCertificate_Validate
* NSSUserCertificate_ValidateCompletely
* NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
* NSSUserCertificate_Encode
* NSSUserCertificate_BuildChain
* NSSUserCertificate_GetTrustDomain
* NSSUserCertificate_GetToken
* NSSUserCertificate_GetSlot
* NSSUserCertificate_GetModule
* NSSUserCertificate_GetCryptoContext
* NSSUserCertificate_GetPublicKey
*/
/*
* NSSUserCertificate_IsStillPresent
*
* Verify that if this certificate lives on a token, that the token
* is still present and the certificate still exists. This is a
* lightweight call which should be used whenever it should be
* verified that the user hasn't perhaps popped out his or her
* token and strolled away.
*/
NSS_EXTERN PRBool
NSSUserCertificate_IsStillPresent
(
NSSUserCertificate *uc,
PRStatus *statusOpt
);
/*
* NSSUserCertificate_Decrypt
*
* Decrypt a single chunk of data with the private key corresponding
* to this certificate.
*/
NSS_EXTERN NSSItem *
NSSUserCertificate_Decrypt
(
NSSUserCertificate *uc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSUserCertificate_Sign
*
*/
NSS_EXTERN NSSItem *
NSSUserCertificate_Sign
(
NSSUserCertificate *uc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSUserCertificate_SignRecover
*
*/
NSS_EXTERN NSSItem *
NSSUserCertificate_SignRecover
(
NSSUserCertificate *uc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSUserCertificate_UnwrapSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSUserCertificate_UnwrapSymmetricKey
(
NSSUserCertificate *uc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *wrappedKey,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSUserCertificate_DeriveSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSUserCertificate_DeriveSymmetricKey
(
NSSUserCertificate *uc, /* provides private key */
NSSCertificate *c, /* provides public key */
NSSAlgorithmAndParameters *apOpt,
NSSOID *target,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
);
/* filter-certs function(s) */
/**
** fgmr -- trust objects
**/
/*
* NSSPrivateKey
*
*/
/*
* NSSPrivateKey_Destroy
*
* Free a pointer to a private key object.
*/
NSS_EXTERN PRStatus
NSSPrivateKey_Destroy
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_DeleteStoredObject
*
* Permanently remove this object, and any related objects (such as the
* certificates corresponding to this key).
*/
NSS_EXTERN PRStatus
NSSPrivateKey_DeleteStoredObject
(
NSSPrivateKey *vk,
NSSCallback *uhh
);
/*
* NSSPrivateKey_GetSignatureLength
*
*/
NSS_EXTERN PRUint32
NSSPrivateKey_GetSignatureLength
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_GetPrivateModulusLength
*
*/
NSS_EXTERN PRUint32
NSSPrivateKey_GetPrivateModulusLength
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_IsStillPresent
*
*/
NSS_EXTERN PRBool
NSSPrivateKey_IsStillPresent
(
NSSPrivateKey *vk,
PRStatus *statusOpt
);
/*
* NSSPrivateKey_Encode
*
*/
NSS_EXTERN NSSItem *
NSSPrivateKey_Encode
(
NSSPrivateKey *vk,
NSSAlgorithmAndParameters *ap,
NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_GetTrustDomain
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSTrustDomain *
NSSPrivateKey_GetTrustDomain
(
NSSPrivateKey *vk,
PRStatus *statusOpt
);
/*
* NSSPrivateKey_GetToken
*
*/
NSS_EXTERN NSSToken *
NSSPrivateKey_GetToken
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_GetSlot
*
*/
NSS_EXTERN NSSSlot *
NSSPrivateKey_GetSlot
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_GetModule
*
*/
NSS_EXTERN NSSModule *
NSSPrivateKey_GetModule
(
NSSPrivateKey *vk
);
/*
* NSSPrivateKey_Decrypt
*
*/
NSS_EXTERN NSSItem *
NSSPrivateKey_Decrypt
(
NSSPrivateKey *vk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *encryptedData,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_Sign
*
*/
NSS_EXTERN NSSItem *
NSSPrivateKey_Sign
(
NSSPrivateKey *vk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_SignRecover
*
*/
NSS_EXTERN NSSItem *
NSSPrivateKey_SignRecover
(
NSSPrivateKey *vk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_UnwrapSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSPrivateKey_UnwrapSymmetricKey
(
NSSPrivateKey *vk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *wrappedKey,
NSSCallback *uhh
);
/*
* NSSPrivateKey_DeriveSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSPrivateKey_DeriveSymmetricKey
(
NSSPrivateKey *vk,
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSOID *target,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
);
/*
* NSSPrivateKey_FindPublicKey
*
*/
NSS_EXTERN NSSPublicKey *
NSSPrivateKey_FindPublicKey
(
NSSPrivateKey *vk
/* { don't need the callback here, right? } */
);
/*
* NSSPrivateKey_CreateCryptoContext
*
* Create a crypto context, in this key's trust domain,
* with this as the distinguished private key.
*/
NSS_EXTERN NSSCryptoContext *
NSSPrivateKey_CreateCryptoContext
(
NSSPrivateKey *vk
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhh
);
/*
* NSSPrivateKey_FindCertificates
*
* Note that there may be more than one certificate for this
* private key. { FilterCertificates function to further
* reduce the list. }
*/
NSS_EXTERN NSSCertificate **
NSSPrivateKey_FindCertificates
(
NSSPrivateKey *vk,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_FindBestCertificate
*
* The parameters for this function will depend on what the users
* need. This is just a starting point.
*/
NSS_EXTERN NSSCertificate *
NSSPrivateKey_FindBestCertificate
(
NSSPrivateKey *vk,
NSSTime *timeOpt,
NSSUsage *usageOpt,
NSSPolicies *policiesOpt
);
/*
* NSSPublicKey
*
* Once you generate, find, or derive one of these, you can use it
* to perform (simple) cryptographic operations. Though there may
* be certificates associated with these public keys, they are not
* verified.
*/
/*
* NSSPublicKey_Destroy
*
* Free a pointer to a public key object.
*/
NSS_EXTERN PRStatus
NSSPublicKey_Destroy
(
NSSPublicKey *bk
);
/*
* NSSPublicKey_DeleteStoredObject
*
* Permanently remove this object, and any related objects (such as the
* corresponding private keys and certificates).
*/
NSS_EXTERN PRStatus
NSSPublicKey_DeleteStoredObject
(
NSSPublicKey *bk,
NSSCallback *uhh
);
/*
* NSSPublicKey_Encode
*
*/
NSS_EXTERN NSSItem *
NSSPublicKey_Encode
(
NSSPublicKey *bk,
NSSAlgorithmAndParameters *ap,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPublicKey_GetTrustDomain
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSTrustDomain *
NSSPublicKey_GetTrustDomain
(
NSSPublicKey *bk,
PRStatus *statusOpt
);
/*
* NSSPublicKey_GetToken
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSToken *
NSSPublicKey_GetToken
(
NSSPublicKey *bk,
PRStatus *statusOpt
);
/*
* NSSPublicKey_GetSlot
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSSlot *
NSSPublicKey_GetSlot
(
NSSPublicKey *bk,
PRStatus *statusOpt
);
/*
* NSSPublicKey_GetModule
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSModule *
NSSPublicKey_GetModule
(
NSSPublicKey *bk,
PRStatus *statusOpt
);
/*
* NSSPublicKey_Encrypt
*
* Encrypt a single chunk of data with the public key corresponding to
* this certificate.
*/
NSS_EXTERN NSSItem *
NSSPublicKey_Encrypt
(
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPublicKey_Verify
*
*/
NSS_EXTERN PRStatus
NSSPublicKey_Verify
(
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSItem *signature,
NSSCallback *uhh
);
/*
* NSSPublicKey_VerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSPublicKey_VerifyRecover
(
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *signature,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPublicKey_WrapSymmetricKey
*
*/
NSS_EXTERN NSSItem *
NSSPublicKey_WrapSymmetricKey
(
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSSymmetricKey *keyToWrap,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSPublicKey_CreateCryptoContext
*
* Create a crypto context, in this key's trust domain, with this
* as the distinguished public key.
*/
NSS_EXTERN NSSCryptoContext *
NSSPublicKey_CreateCryptoContext
(
NSSPublicKey *bk
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhh
);
/*
* NSSPublicKey_FindCertificates
*
* Note that there may be more than one certificate for this
* public key. The current implementation may not find every
* last certificate available for this public key: that would
* involve trolling e.g. huge ldap databases, which will be
* grossly inefficient and not generally useful.
* { FilterCertificates function to further reduce the list }
*/
NSS_EXTERN NSSCertificate **
NSSPublicKey_FindCertificates
(
NSSPublicKey *bk,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSPrivateKey_FindBestCertificate
*
* The parameters for this function will depend on what the users
* need. This is just a starting point.
*/
NSS_EXTERN NSSCertificate *
NSSPublicKey_FindBestCertificate
(
NSSPublicKey *bk,
NSSTime *timeOpt,
NSSUsage *usageOpt,
NSSPolicies *policiesOpt
);
/*
* NSSPublicKey_FindPrivateKey
*
*/
NSS_EXTERN NSSPrivateKey *
NSSPublicKey_FindPrivateKey
(
NSSPublicKey *bk,
NSSCallback *uhh
);
/*
* NSSSymmetricKey
*
*/
/*
* NSSSymmetricKey_Destroy
*
* Free a pointer to a symmetric key object.
*/
NSS_EXTERN PRStatus
NSSSymmetricKey_Destroy
(
NSSSymmetricKey *mk
);
/*
* NSSSymmetricKey_DeleteStoredObject
*
* Permanently remove this object.
*/
NSS_EXTERN PRStatus
NSSSymmetricKey_DeleteStoredObject
(
NSSSymmetricKey *mk,
NSSCallback *uhh
);
/*
* NSSSymmetricKey_GetKeyLength
*
*/
NSS_EXTERN PRUint32
NSSSymmetricKey_GetKeyLength
(
NSSSymmetricKey *mk
);
/*
* NSSSymmetricKey_GetKeyStrength
*
*/
NSS_EXTERN PRUint32
NSSSymmetricKey_GetKeyStrength
(
NSSSymmetricKey *mk
);
/*
* NSSSymmetricKey_IsStillPresent
*
*/
NSS_EXTERN PRStatus
NSSSymmetricKey_IsStillPresent
(
NSSSymmetricKey *mk
);
/*
* NSSSymmetricKey_GetTrustDomain
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSTrustDomain *
NSSSymmetricKey_GetTrustDomain
(
NSSSymmetricKey *mk,
PRStatus *statusOpt
);
/*
* NSSSymmetricKey_GetToken
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSToken *
NSSSymmetricKey_GetToken
(
NSSSymmetricKey *mk,
PRStatus *statusOpt
);
/*
* NSSSymmetricKey_GetSlot
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSSlot *
NSSSymmetricKey_GetSlot
(
NSSSymmetricKey *mk,
PRStatus *statusOpt
);
/*
* NSSSymmetricKey_GetModule
*
* There doesn't have to be one.
*/
NSS_EXTERN NSSModule *
NSSSymmetricKey_GetModule
(
NSSSymmetricKey *mk,
PRStatus *statusOpt
);
/*
* NSSSymmetricKey_Encrypt
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_Encrypt
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_Decrypt
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_Decrypt
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *encryptedData,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_Sign
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_Sign
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_SignRecover
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_SignRecover
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_Verify
*
*/
NSS_EXTERN PRStatus
NSSSymmetricKey_Verify
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSItem *signature,
NSSCallback *uhh
);
/*
* NSSSymmetricKey_VerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_VerifyRecover
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSItem *signature,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_WrapSymmetricKey
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_WrapSymmetricKey
(
NSSSymmetricKey *wrappingKey,
NSSAlgorithmAndParameters *apOpt,
NSSSymmetricKey *keyToWrap,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_WrapPrivateKey
*
*/
NSS_EXTERN NSSItem *
NSSSymmetricKey_WrapPrivateKey
(
NSSSymmetricKey *wrappingKey,
NSSAlgorithmAndParameters *apOpt,
NSSPrivateKey *keyToWrap,
NSSCallback *uhh,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSSymmetricKey_UnwrapSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSSymmetricKey_UnwrapSymmetricKey
(
NSSSymmetricKey *wrappingKey,
NSSAlgorithmAndParameters *apOpt,
NSSItem *wrappedKey,
NSSOID *target,
PRUint32 keySizeOpt,
NSSOperations operations,
NSSCallback *uhh
);
/*
* NSSSymmetricKey_UnwrapPrivateKey
*
*/
NSS_EXTERN NSSPrivateKey *
NSSSymmetricKey_UnwrapPrivateKey
(
NSSSymmetricKey *wrappingKey,
NSSAlgorithmAndParameters *apOpt,
NSSItem *wrappedKey,
NSSUTF8 *labelOpt,
NSSItem *keyIDOpt,
PRBool persistant,
PRBool sensitive,
NSSToken *destinationOpt,
NSSCallback *uhh
);
/*
* NSSSymmetricKey_DeriveSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSSymmetricKey_DeriveSymmetricKey
(
NSSSymmetricKey *originalKey,
NSSAlgorithmAndParameters *apOpt,
NSSOID *target,
PRUint32 keySizeOpt,
NSSOperations operations,
NSSCallback *uhh
);
/*
* NSSSymmetricKey_CreateCryptoContext
*
* Create a crypto context, in this key's trust domain,
* with this as the distinguished symmetric key.
*/
NSS_EXTERN NSSCryptoContext *
NSSSymmetricKey_CreateCryptoContext
(
NSSSymmetricKey *mk,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhh
);
/*
* NSSTrustDomain
*
*/
/*
* NSSTrustDomain_Create
*
* This creates a trust domain, optionally with an initial cryptoki
* module. If the module name is not null, the module is loaded if
* needed (using the uriOpt argument), and initialized with the
* opaqueOpt argument. If mumble mumble priority settings, then
* module-specification objects in the module can cause the loading
* and initialization of further modules.
*
* The uriOpt is defined to take a URI. At present, we only
* support file: URLs pointing to platform-native shared libraries.
* However, by specifying this as a URI, this keeps open the
* possibility of supporting other, possibly remote, resources.
*
* The "reserved" arguments is held for when we figure out the
* module priority stuff.
*/
NSS_EXTERN NSSTrustDomain *
NSSTrustDomain_Create
(
NSSUTF8 *moduleOpt,
NSSUTF8 *uriOpt,
NSSUTF8 *opaqueOpt,
void *reserved
);
/*
* NSSTrustDomain_Destroy
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_Destroy
(
NSSTrustDomain *td
);
/*
* NSSTrustDomain_SetDefaultCallback
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_SetDefaultCallback
(
NSSTrustDomain *td,
NSSCallback *newCallback,
NSSCallback **oldCallbackOpt
);
/*
* NSSTrustDomain_GetDefaultCallback
*
*/
NSS_EXTERN NSSCallback *
NSSTrustDomain_GetDefaultCallback
(
NSSTrustDomain *td,
PRStatus *statusOpt
);
/*
* Default policies?
* Default usage?
* Default time, for completeness?
*/
/*
* NSSTrustDomain_LoadModule
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_LoadModule
(
NSSUTF8 *moduleOpt,
NSSUTF8 *uriOpt,
NSSUTF8 *opaqueOpt,
void *reserved
);
/*
* NSSTrustDomain_AddModule
* NSSTrustDomain_AddSlot
* NSSTrustDomain_UnloadModule
* Managing modules, slots, tokens; priorities;
* Traversing all of the above
* this needs more work
*/
/*
* NSSTrustDomain_DisableToken
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_DisableToken
(
NSSTrustDomain *td,
NSSToken *token,
NSSError why
);
/*
* NSSTrustDomain_EnableToken
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_EnableToken
(
NSSTrustDomain *td,
NSSToken *token
);
/*
* NSSTrustDomain_IsTokenEnabled
*
* If disabled, "why" is always on the error stack.
* The optional argument is just for convenience.
*/
NSS_EXTERN PRStatus
NSSTrustDomain_IsTokenEnabled
(
NSSTrustDomain *td,
NSSToken *token,
NSSError *whyOpt
);
/*
* NSSTrustDomain_FindSlotByName
*
*/
NSS_EXTERN NSSSlot *
NSSTrustDomain_FindSlotByName
(
NSSTrustDomain *td,
NSSUTF8 *slotName
);
/*
* NSSTrustDomain_FindTokenByName
*
*/
NSS_EXTERN NSSToken *
NSSTrustDomain_FindTokenByName
(
NSSTrustDomain *td,
NSSUTF8 *tokenName
);
/*
* NSSTrustDomain_FindTokenBySlotName
*
*/
NSS_EXTERN NSSToken *
NSSTrustDomain_FindTokenBySlotName
(
NSSTrustDomain *td,
NSSUTF8 *slotName
);
/*
* NSSTrustDomain_FindBestTokenForAlgorithm
*
*/
NSS_EXTERN NSSToken *
NSSTrustDomain_FindTokenForAlgorithm
(
NSSTrustDomain *td,
NSSOID *algorithm
);
/*
* NSSTrustDomain_FindBestTokenForAlgorithms
*
*/
NSS_EXTERN NSSToken *
NSSTrustDomain_FindBestTokenForAlgorithms
(
NSSTrustDomain *td,
NSSOID *algorithms[], /* may be null-terminated */
PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
);
/*
* NSSTrustDomain_Login
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_Login
(
NSSTrustDomain *td,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_Logout
*
*/
NSS_EXTERN PRStatus
NSSTrustDomain_Logout
(
NSSTrustDomain *td
);
/* Importing things */
/*
* NSSTrustDomain_ImportCertificate
*
* The implementation will pull some data out of the certificate
* (e.g. e-mail address) for use in pkcs#11 object attributes.
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_ImportCertificate
(
NSSTrustDomain *td,
NSSCertificate *c
);
/*
* NSSTrustDomain_ImportPKIXCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_ImportPKIXCertificate
(
NSSTrustDomain *td,
/* declared as a struct until these "data types" are defined */
struct NSSPKIXCertificateStr *pc
);
/*
* NSSTrustDomain_ImportEncodedCertificate
*
* Imports any type of certificate we support.
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_ImportEncodedCertificate
(
NSSTrustDomain *td,
NSSBER *ber
);
/*
* NSSTrustDomain_ImportEncodedCertificateChain
*
* If you just want the leaf, pass in a maximum of one.
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_ImportEncodedCertificateChain
(
NSSTrustDomain *td,
NSSBER *ber,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_ImportEncodedPrivateKey
*
*/
NSS_EXTERN NSSPrivateKey *
NSSTrustDomain_ImportEncodedPrivateKey
(
NSSTrustDomain *td,
NSSBER *ber,
NSSItem *passwordOpt, /* NULL will cause a callback */
NSSCallback *uhhOpt,
NSSToken *destination
);
/*
* NSSTrustDomain_ImportEncodedPublicKey
*
*/
NSS_EXTERN NSSPublicKey *
NSSTrustDomain_ImportEncodedPublicKey
(
NSSTrustDomain *td,
NSSBER *ber
);
/* Other importations: S/MIME capabilities */
/*
* NSSTrustDomain_FindBestCertificateByNickname
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestCertificateByNickname
(
NSSTrustDomain *td,
NSSUTF8 *name,
NSSTime *timeOpt, /* NULL for "now" */
NSSUsage *usage,
NSSPolicies *policiesOpt /* NULL for none */
);
/*
* NSSTrustDomain_FindCertificatesByNickname
*
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindCertificatesByNickname
(
NSSTrustDomain *td,
NSSUTF8 *name,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
(
NSSTrustDomain *td,
NSSDER *issuer,
NSSDER *serialNumber
);
/*
* NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
*
* Theoretically, this should never happen. However, some companies
* we know have issued duplicate certificates with the same issuer
* and serial number. Do we just ignore them? I'm thinking yes.
*/
/*
* NSSTrustDomain_FindBestCertificateBySubject
*
* This does not search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestCertificateBySubject
(
NSSTrustDomain *td,
NSSUTF8 *subject,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindCertificatesBySubject
*
* This does not search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindCertificatesBySubject
(
NSSTrustDomain *td,
NSSUTF8 *subject,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindBestCertificateByNameComponents
*
* This call does try several tricks, including a pseudo pkcs#11
* attribute for the ldap module to try as a query. Eventually
* this call falls back to a traversal if that's what's required.
* It will search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestCertificateByNameComponents
(
NSSTrustDomain *td,
NSSUTF8 *nameComponents,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindCertificatesByNameComponents
*
* This call, too, tries several tricks. It will stop on the first
* attempt that generates results, so it won't e.g. traverse the
* entire ldap database.
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindCertificatesByNameComponents
(
NSSTrustDomain *td,
NSSUTF8 *nameComponents,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindCertificateByEncodedCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindCertificateByEncodedCertificate
(
NSSTrustDomain *td,
NSSBER *encodedCertificate
);
/*
* NSSTrustDomain_FindBestCertificateByEmail
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindCertificateByEmail
(
NSSTrustDomain *td,
NSSASCII7 *email,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindCertificatesByEmail
*
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindCertificateByEmail
(
NSSTrustDomain *td,
NSSASCII7 *email,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindCertificateByOCSPHash
*
* There can be only one.
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindCertificateByOCSPHash
(
NSSTrustDomain *td,
NSSItem *hash
);
/*
* NSSTrustDomain_TraverseCertificates
*
* This function descends from one in older versions of NSS which
* traverses the certs in the permanent database. That function
* was used to implement selection routines, but was directly
* available too. Trust domains are going to contain a lot more
* certs now (e.g., an ldap server), so we'd really like to
* discourage traversal. Thus for now, this is commented out.
* If it's needed, let's look at the situation more closely to
* find out what the actual requirements are.
*
*
* NSS_EXTERN PRStatus *
* NSSTrustDomain_TraverseCertificates
* (
* NSSTrustDomain *td,
* PRStatus (*callback)(NSSCertificate *c, void *arg),
* void *arg
* );
*/
/*
* NSSTrustDomain_FindBestUserCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestUserCertificate
(
NSSTrustDomain *td,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindUserCertificates
*
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindUserCertificates
(
NSSTrustDomain *td,
NSSTime *timeOpt,
NSSUsage *usageOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
(
NSSTrustDomain *td,
NSSUTF8 *sslHostOpt,
NSSDER *rootCAsOpt[], /* null pointer for none */
PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindUserCertificatesForSSLClientAuth
*
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindUserCertificatesForSSLClientAuth
(
NSSTrustDomain *td,
NSSUTF8 *sslHostOpt,
NSSDER *rootCAsOpt[], /* null pointer for none */
PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* NSSTrustDomain_FindBestUserCertificateForEmailSigning
*
*/
NSS_EXTERN NSSCertificate *
NSSTrustDomain_FindBestUserCertificateForEmailSigning
(
NSSTrustDomain *td,
NSSASCII7 *signerOpt,
NSSASCII7 *recipientOpt,
/* anything more here? */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt
);
/*
* NSSTrustDomain_FindUserCertificatesForEmailSigning
*
*/
NSS_EXTERN NSSCertificate **
NSSTrustDomain_FindUserCertificatesForEmailSigning
(
NSSTrustDomain *td,
NSSASCII7 *signerOpt,
NSSASCII7 *recipientOpt,
/* anything more here? */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
* routines.
*/
/* Private Keys */
/*
* NSSTrustDomain_GenerateKeyPair
*
* Creates persistant objects. If you want session objects, use
* NSSCryptoContext_GenerateKeyPair. The destination token is where
* the keys are stored. If that token can do the required math, then
* that's where the keys are generated too. Otherwise, the keys are
* generated elsewhere and moved to that token.
*/
NSS_EXTERN PRStatus
NSSTrustDomain_GenerateKeyPair
(
NSSTrustDomain *td,
NSSAlgorithmAndParameters *ap,
NSSPrivateKey **pvkOpt,
NSSPublicKey **pbkOpt,
PRBool privateKeyIsSensitive,
NSSToken *destination,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_TraversePrivateKeys
*
*
* NSS_EXTERN PRStatus *
* NSSTrustDomain_TraversePrivateKeys
* (
* NSSTrustDomain *td,
* PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
* void *arg
* );
*/
/* Symmetric Keys */
/*
* NSSTrustDomain_GenerateSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSTrustDomain_GenerateSymmetricKey
(
NSSTrustDomain *td,
NSSAlgorithmAndParameters *ap,
PRUint32 keysize,
NSSToken *destination,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_GenerateSymmetricKeyFromPassword
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSTrustDomain_GenerateSymmetricKeyFromPassword
(
NSSTrustDomain *td,
NSSAlgorithmAndParameters *ap,
NSSUTF8 *passwordOpt, /* if null, prompt */
NSSToken *destinationOpt,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_FindSymmetricKeyByAlgorithm
*
* Is this still needed?
*
* NSS_EXTERN NSSSymmetricKey *
* NSSTrustDomain_FindSymmetricKeyByAlgorithm
* (
* NSSTrustDomain *td,
* NSSOID *algorithm,
* NSSCallback *uhhOpt
* );
*/
/*
* NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
(
NSSTrustDomain *td,
NSSOID *algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_TraverseSymmetricKeys
*
*
* NSS_EXTERN PRStatus *
* NSSTrustDomain_TraverseSymmetricKeys
* (
* NSSTrustDomain *td,
* PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
* void *arg
* );
*/
/*
* NSSTrustDomain_CreateCryptoContext
*
* If a callback object is specified, it becomes the for the crypto
* context; otherwise, this trust domain's default (if any) is
* inherited.
*/
NSS_EXTERN NSSCryptoContext *
NSSTrustDomain_CreateCryptoContext
(
NSSTrustDomain *td,
NSSCallback *uhhOpt
);
/*
* NSSTrustDomain_CreateCryptoContextForAlgorithm
*
*/
NSS_EXTERN NSSCryptoContext *
NSSTrustDomain_CreateCryptoContextForAlgorithm
(
NSSTrustDomain *td,
NSSOID *algorithm
);
/*
* NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
*
*/
NSS_EXTERN NSSCryptoContext *
NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
(
NSSTrustDomain *td,
NSSAlgorithmAndParameters *ap
);
/* find/traverse other objects, e.g. s/mime profiles */
/*
* NSSCryptoContext
*
* A crypto context is sort of a short-term snapshot of a trust domain,
* used for the life of "one crypto operation." You can also think of
* it as a "temporary database."
*
* Just about all of the things you can do with a trust domain -- importing
* or creating certs, keys, etc. -- can be done with a crypto context.
* The difference is that the objects will be temporary ("session") objects.
*
* Also, if the context was created for a key, cert, and/or algorithm; or
* if such objects have been "associated" with the context, then the context
* can do everything the keys can, like crypto operations.
*
* And finally, because it keeps the state of the crypto operations, it
* can do streaming crypto ops.
*/
/*
* NSSTrustDomain_Destroy
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_Destroy
(
NSSCryptoContext *td
);
/* establishing a default callback */
/*
* NSSCryptoContext_SetDefaultCallback
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_SetDefaultCallback
(
NSSCryptoContext *td,
NSSCallback *newCallback,
NSSCallback **oldCallbackOpt
);
/*
* NSSCryptoContext_GetDefaultCallback
*
*/
NSS_EXTERN NSSCallback *
NSSCryptoContext_GetDefaultCallback
(
NSSCryptoContext *td,
PRStatus *statusOpt
);
/*
* NSSCryptoContext_GetTrustDomain
*
*/
NSS_EXTERN NSSTrustDomain *
NSSCryptoContext_GetTrustDomain
(
NSSCryptoContext *td
);
/* AddModule, etc: should we allow "temporary" changes here? */
/* DisableToken, etc: ditto */
/* Ordering of tokens? */
/* Finding slots+token etc. */
/* login+logout */
/* Importing things */
/*
* NSSCryptoContext_ImportCertificate
*
* If there's not a "distinguished certificate" for this context, this
* sets the specified one to be it.
*/
NSS_EXTERN PRStatus
NSSCryptoContext_ImportCertificate
(
NSSCryptoContext *cc,
NSSCertificate *c
);
/*
* NSSCryptoContext_ImportPKIXCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_ImportPKIXCertificate
(
NSSCryptoContext *cc,
struct NSSPKIXCertificateStr *pc
);
/*
* NSSCryptoContext_ImportEncodedCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_ImportEncodedCertificate
(
NSSCryptoContext *cc,
NSSBER *ber
);
/*
* NSSCryptoContext_ImportEncodedPKIXCertificateChain
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_ImportEncodedPKIXCertificateChain
(
NSSCryptoContext *cc,
NSSBER *ber
);
/* Other importations: S/MIME capabilities
*/
/*
* NSSCryptoContext_FindBestCertificateByNickname
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestCertificateByNickname
(
NSSCryptoContext *cc,
NSSUTF8 *name,
NSSTime *timeOpt, /* NULL for "now" */
NSSUsage *usage,
NSSPolicies *policiesOpt /* NULL for none */
);
/*
* NSSCryptoContext_FindCertificatesByNickname
*
*/
NSS_EXTERN NSSCertificate **
NSSCryptoContext_FindCertificatesByNickname
(
NSSCryptoContext *cc,
NSSUTF8 *name,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
(
NSSCryptoContext *cc,
NSSDER *issuer,
NSSDER *serialNumber
);
/*
* NSSCryptoContext_FindBestCertificateBySubject
*
* This does not search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestCertificateBySubject
(
NSSCryptoContext *cc,
NSSUTF8 *subject,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSCryptoContext_FindCertificatesBySubject
*
* This does not search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate **
NSSCryptoContext_FindCertificatesBySubject
(
NSSCryptoContext *cc,
NSSUTF8 *subject,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindBestCertificateByNameComponents
*
* This call does try several tricks, including a pseudo pkcs#11
* attribute for the ldap module to try as a query. Eventually
* this call falls back to a traversal if that's what's required.
* It will search through alternate names hidden in extensions.
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestCertificateByNameComponents
(
NSSCryptoContext *cc,
NSSUTF8 *nameComponents,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSCryptoContext_FindCertificatesByNameComponents
*
* This call, too, tries several tricks. It will stop on the first
* attempt that generates results, so it won't e.g. traverse the
* entire ldap database.
*/
NSS_EXTERN NSSCertificate **
NSSCryptoContext_FindCertificatesByNameComponents
(
NSSCryptoContext *cc,
NSSUTF8 *nameComponents,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindCertificateByEncodedCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindCertificateByEncodedCertificate
(
NSSCryptoContext *cc,
NSSBER *encodedCertificate
);
/*
* NSSCryptoContext_FindBestCertificateByEmail
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestCertificateByEmail
(
NSSCryptoContext *cc,
NSSASCII7 *email
);
/*
* NSSCryptoContext_FindCertificatesByEmail
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindCertificatesByEmail
(
NSSCryptoContext *cc,
NSSASCII7 *email,
NSSCertificate *rvOpt[],
PRUint32 maximumOpt, /* 0 for no max */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindCertificateByOCSPHash
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindCertificateByOCSPHash
(
NSSCryptoContext *cc,
NSSITem *hash
);
/*
* NSSCryptoContext_TraverseCertificates
*
*
* NSS_EXTERN PRStatus *
* NSSCryptoContext_TraverseCertificates
* (
* NSSCryptoContext *cc,
* PRStatus (*callback)(NSSCertificate *c, void *arg),
* void *arg
* );
*/
/*
* NSSCryptoContext_FindBestUserCertificate
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestUserCertificate
(
NSSCryptoContext *cc,
NSSTime *timeOpt,
NSSUsage *usage,
NSSPolicies *policiesOpt
);
/*
* NSSCryptoContext_FindUserCertificates
*
*/
NSS_EXTERN NSSCertificate **
NSSCryptoContext_FindUserCertificates
(
NSSCryptoContext *cc,
NSSTime *timeOpt,
NSSUsage *usageOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
(
NSSCryptoContext *cc,
NSSUTF8 *sslHostOpt,
NSSDER *rootCAsOpt[], /* null pointer for none */
PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt
);
/*
* NSSCryptoContext_FindUserCertificatesForSSLClientAuth
*
*/
NSS_EXTERN NSSCertificate **
NSSCryptoContext_FindUserCertificatesForSSLClientAuth
(
NSSCryptoContext *cc,
NSSUTF8 *sslHostOpt,
NSSDER *rootCAsOpt[], /* null pointer for none */
PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FindBestUserCertificateForEmailSigning
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindBestUserCertificateForEmailSigning
(
NSSCryptoContext *cc,
NSSASCII7 *signerOpt,
NSSASCII7 *recipientOpt,
/* anything more here? */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt
);
/*
* NSSCryptoContext_FindUserCertificatesForEmailSigning
*
*/
NSS_EXTERN NSSCertificate *
NSSCryptoContext_FindUserCertificatesForEmailSigning
(
NSSCryptoContext *cc,
NSSASCII7 *signerOpt, /* fgmr or a more general name? */
NSSASCII7 *recipientOpt,
/* anything more here? */
NSSAlgorithmAndParameters *apOpt,
NSSPolicies *policiesOpt,
NSSCertificate **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
NSSArena *arenaOpt
);
/* Private Keys */
/*
* NSSCryptoContext_GenerateKeyPair
*
* Creates session objects. If you want persistant objects, use
* NSSTrustDomain_GenerateKeyPair. The destination token is where
* the keys are stored. If that token can do the required math, then
* that's where the keys are generated too. Otherwise, the keys are
* generated elsewhere and moved to that token.
*/
NSS_EXTERN PRStatus
NSSCryptoContext_GenerateKeyPair
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *ap,
NSSPrivateKey **pvkOpt,
NSSPublicKey **pbkOpt,
PRBool privateKeyIsSensitive,
NSSToken *destination,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_TraversePrivateKeys
*
*
* NSS_EXTERN PRStatus *
* NSSCryptoContext_TraversePrivateKeys
* (
* NSSCryptoContext *cc,
* PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
* void *arg
* );
*/
/* Symmetric Keys */
/*
* NSSCryptoContext_GenerateSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSCryptoContext_GenerateSymmetricKey
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *ap,
PRUint32 keysize,
NSSToken *destination,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_GenerateSymmetricKeyFromPassword
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSCryptoContext_GenerateSymmetricKeyFromPassword
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *ap,
NSSUTF8 *passwordOpt, /* if null, prompt */
NSSToken *destinationOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_FindSymmetricKeyByAlgorithm
*
*
* NSS_EXTERN NSSSymmetricKey *
* NSSCryptoContext_FindSymmetricKeyByType
* (
* NSSCryptoContext *cc,
* NSSOID *type,
* NSSCallback *uhhOpt
* );
*/
/*
* NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
(
NSSCryptoContext *cc,
NSSOID *algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_TraverseSymmetricKeys
*
*
* NSS_EXTERN PRStatus *
* NSSCryptoContext_TraverseSymmetricKeys
* (
* NSSCryptoContext *cc,
* PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
* void *arg
* );
*/
/* Crypto ops on distinguished keys */
/*
* NSSCryptoContext_Decrypt
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_Decrypt
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *encryptedData,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginDecrypt
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginDecrypt
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueDecrypt
*
*/
/*
* NSSItem semantics:
*
* If rvOpt is NULL, a new NSSItem and buffer are allocated.
* If rvOpt is not null, but the buffer pointer is null,
* then rvOpt is returned but a new buffer is allocated.
* In this case, if the length value is not zero, then
* no more than that much space will be allocated.
* If rvOpt is not null and the buffer pointer is not null,
* then that buffer is re-used. No more than the buffer
* length value will be used; if it's not enough, an
* error is returned. If less is used, the number is
* adjusted downwards.
*
* Note that although this is short of some ideal "Item"
* definition, we can usually tell how big these buffers
* have to be.
*
* Feedback is requested; and earlier is better than later.
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_ContinueDecrypt
(
NSSCryptoContext *cc,
NSSItem *data,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FinishDecrypt
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishDecrypt
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_Sign
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_Sign
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginSign
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginSign
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueSign
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginSign
(
NSSCryptoContext *cc,
NSSItem *data
);
/*
* NSSCryptoContext_FinishSign
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishSign
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_SignRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_SignRecover
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginSignRecover
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginSignRecover
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueSignRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_ContinueSignRecover
(
NSSCryptoContext *cc,
NSSItem *data,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FinishSignRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishSignRecover
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_UnwrapSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSCryptoContext_UnwrapSymmetricKey
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *wrappedKey,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_DeriveSymmetricKey
*
*/
NSS_EXTERN NSSSymmetricKey *
NSSCryptoContext_DeriveSymmetricKey
(
NSSCryptoContext *cc,
NSSPublicKey *bk,
NSSAlgorithmAndParameters *apOpt,
NSSOID *target,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_Encrypt
*
* Encrypt a single chunk of data with the distinguished public key
* of this crypto context.
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_Encrypt
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginEncrypt
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginEncrypt
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueEncrypt
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_ContinueEncrypt
(
NSSCryptoContext *cc,
NSSItem *data,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FinishEncrypt
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishEncrypt
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_Verify
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_Verify
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSItem *signature,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_BeginVerify
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginVerify
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *signature,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueVerify
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_ContinueVerify
(
NSSCryptoContext *cc,
NSSItem *data
);
/*
* NSSCryptoContext_FinishVerify
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_FinishVerify
(
NSSCryptoContext *cc
);
/*
* NSSCryptoContext_VerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_VerifyRecover
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *signature,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginVerifyRecover
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginVerifyRecover
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueVerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_ContinueVerifyRecover
(
NSSCryptoContext *cc,
NSSItem *data,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_FinishVerifyRecover
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishVerifyRecover
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_WrapSymmetricKey
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_WrapSymmetricKey
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSSymmetricKey *keyToWrap,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_Digest
*
* Digest a single chunk of data with the distinguished digest key
* of this crypto context.
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_Digest
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *data,
NSSCallback *uhhOpt,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* NSSCryptoContext_BeginDigest
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_BeginDigest
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSCallback *uhhOpt
);
/*
* NSSCryptoContext_ContinueDigest
*
*/
NSS_EXTERN PRStatus
NSSCryptoContext_ContinueDigest
(
NSSCryptoContext *cc,
NSSAlgorithmAndParameters *apOpt,
NSSItem *item
);
/*
* NSSCryptoContext_FinishDigest
*
*/
NSS_EXTERN NSSItem *
NSSCryptoContext_FinishDigest
(
NSSCryptoContext *cc,
NSSItem *rvOpt,
NSSArena *arenaOpt
);
/*
* tbd: Combination ops
*/
/*
* NSSCryptoContext_Clone
*
*/
NSS_EXTERN NSSCryptoContext *
NSSCryptoContext_Clone
(
NSSCryptoContext *cc
);
/*
* NSSCryptoContext_Save
* NSSCryptoContext_Restore
*
* We need to be able to save and restore the state of contexts.
* Perhaps a mark-and-release mechanism would be better?
*/
/*
* ..._SignTBSCertificate
*
* This requires feedback from the cert server team.
*/
/*
* PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
* PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
*
* These will be helper functions which get the trust object for a cert,
* and then call the corresponding function(s) on it.
*
* PKIX trust objects will have methods to manipulate the low-level trust
* bits (which are based on key usage and extended key usage), and also the
* conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
*
* Other types of trust objects (if any) might have different low-level
* representations, but hopefully high-level concepts would map.
*
* Only these high-level general routines would be promoted to the
* general certificate level here. Hence the {xxx} above would be things
* like "EmailSigning."
*
*
* NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
* PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
*
* I want to hold off on any general trust object until we've investigated
* other models more thoroughly.
*/
PR_END_EXTERN_C
#endif /* NSSPKI_H */