pjs/security/nss/lib/crmf/cmmf.h

1123 строки
44 KiB
C

/* -*- Mode: C; tab-width: 8 -*-*/
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef _CMMF_H_
#define _CMMF_H_
/*
* These are the functions exported by the security library for
* implementing Certificate Management Message Formats (CMMF).
*
* This API is designed against July 1998 CMMF draft. Please read this
* draft before trying to use this API in an application that use CMMF.
*/
#include "seccomon.h"
#include "cmmft.h"
#include "crmf.h"
SEC_BEGIN_PROTOS
/******************* Creation Functions *************************/
/*
* FUNCTION: CMMF_CreateCertRepContent
* INPUTS:
* NONE
* NOTES:
* This function will create an empty CMMFCertRepContent Structure.
* The client of the library must set the CMMFCertResponses.
* Call CMMF_CertRepContentSetCertResponse to accomplish this task.
* If the client of the library also wants to include the chain of
* CA certs required to make the certificates in CMMFCertResponse valid,
* then the user must also set the caPubs field of CMMFCertRepContent.
* Call CMMF_CertRepContentSetCAPubs to accomplish this. After setting
* the desired fields, the user can then call CMMF_EncodeCertRepContent
* to DER-encode the CertRepContent.
* RETURN:
* A pointer to the CMMFCertRepContent. A NULL return value indicates
* an error in allocating memory or failure to initialize the structure.
*/
extern CMMFCertRepContent* CMMF_CreateCertRepContent(void);
/*
* FUNCTION: CMMF_CreateCertRepContentFromDER
* INPUTS
* db
* The certificate database where the certificates will be placed.
* The certificates will be placed in the temporary database associated
* with the handle.
* buf
* A buffer to the DER-encoded CMMFCertRepContent
* len
* The length in bytes of the buffer 'buf'
* NOTES:
* This function passes the buffer to the ASN1 decoder and creates a
* CMMFCertRepContent structure. The user must call
* CMMF_DestroyCertRepContent after the return value is no longer needed.
*
* RETURN:
* A pointer to the CMMFCertRepContent structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CMMFCertRepContent*
CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db,
const char *buf,
long len);
/*
* FUNCTION: CMMF_CreateCertResponse
* INPUTS:
* inCertReqId
* The Certificate Request Id this response is for.
* NOTES:
* This creates a CMMFCertResponse. This response should correspond
* to a request that was received via CRMF. From the CRMF message you
* can get the Request Id to pass in as inCertReqId, in essence binding
* a CMRFCertRequest message to the CMMFCertResponse created by this
* function. If no requuest id is associated with the response to create
* then the user should pass in -1 for 'inCertReqId'.
*
* RETURN:
* A pointer to the new CMMFCertResponse corresponding to the request id
* passed in. A NULL return value indicates an error while trying to
* create the CMMFCertResponse.
*/
extern CMMFCertResponse* CMMF_CreateCertResponse(long inCertReqId);
/*
* FUNCTION: CMMF_CreateKeyRecRepContent
* INPUTS:
* NONE
* NOTES:
* This function creates a new empty CMMFKeyRecRepContent structure.
* At the very minimum, the user must call
* CMMF_KeyRecRepContentSetPKIStatusInfoStatus field to have an
* encodable structure. Depending on what the response is, the user may
* have to set other fields as well to properly build up the structure so
* that it can be encoded. Refer to the CMMF draft for how to properly
* set up a CMMFKeyRecRepContent. This is the structure that an RA returns
* to an end entity when doing key recovery.
* The user must call CMMF_DestroyKeyRecRepContent when the return value
* is no longer needed.
* RETURN:
* A pointer to the empty CMMFKeyRecRepContent. A return value of NULL
* indicates an error in allocating memory or initializing the structure.
*/
extern CMMFKeyRecRepContent *CMMF_CreateKeyRecRepContent(void);
/*
* FUNCTION: CMMF_CreateKeyRecRepContentFromDER
* INPUTS:
* db
* The handle for the certificate database where the decoded
* certificates will be placed. The decoded certificates will
* be placed in the temporary database associated with the
* handle.
* buf
* A buffer contatining the DER-encoded CMMFKeyRecRepContent
* len
* The length in bytes of the buffer 'buf'
* NOTES
* This function passes the buffer to the ASN1 decoder and creates a
* CMMFKeyRecRepContent structure.
*
* RETURN:
* A pointer to the CMMFKeyRecRepContent structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CMMFKeyRecRepContent*
CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db,
const char *buf,
long len);
/*
* FUNCTION: CMMF_CreatePOPODecKeyChallContent
* INPUTS:
* NONE
* NOTES:
* This function creates an empty CMMFPOPODecKeyChallContent. The user
* must add the challenges individually specifying the random number to
* be used and the public key to be used when creating each individual
* challenge. User can accomplish this by calling the function
* CMMF_POPODecKeyChallContentSetNextChallenge.
* RETURN:
* A pointer to a CMMFPOPODecKeyChallContent structure. Ther user can
* then call CMMF_EncodePOPODecKeyChallContent passing in the return
* value from this function after setting all of the challenges. A
* return value of NULL indicates an error while creating the
* CMMFPOPODecKeyChallContent structure.
*/
extern CMMFPOPODecKeyChallContent*
CMMF_CreatePOPODecKeyChallContent(void);
/*
* FUNCTION: CMMF_CreatePOPODecKeyChallContentFromDER
* INPUTS
* buf
* A buffer containing the DER-encoded CMMFPOPODecKeyChallContent
* len
* The length in bytes of the buffer 'buf'
* NOTES:
* This function passes the buffer to the ASN1 decoder and creates a
* CMMFPOPODecKeyChallContent structure.
*
* RETURN:
* A pointer to the CMMFPOPODecKeyChallContent structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CMMFPOPODecKeyChallContent*
CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len);
/*
* FUNCTION: CMMF_CreatePOPODecKeyRespContentFromDER
* INPUTS:
* buf
* A buffer contatining the DER-encoded CMMFPOPODecKeyRespContent
* len
* The length in bytes of the buffer 'buf'
* NOTES
* This function passes the buffer to the ASN1 decoder and creates a
* CMMFPOPODecKeyRespContent structure.
*
* RETURN:
* A pointer to the CMMFPOPODecKeyRespContent structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CMMFPOPODecKeyRespContent*
CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len);
/************************** Set Functions *************************/
/*
* FUNCTION: CMMF_CertRepContentSetCertResponses
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to operate on.
* inCertResponses
* An array of pointers to CMMFCertResponse structures to
* add to the CMMFCertRepContent structure.
* inNumResponses
* The length of the array 'inCertResponses'
* NOTES:
* This function will add the CMMFCertResponse structure to the
* CMMFCertRepContent passed in. The CMMFCertResponse field of
* CMMFCertRepContent is required, so the client must call this function
* before calling CMMF_EncodeCertRepContent. If the user calls
* CMMF_EncodeCertRepContent before calling this function,
* CMMF_EncodeCertRepContent will fail.
*
* RETURN:
* SECSuccess if adding the CMMFCertResponses to the CMMFCertRepContent
* structure was successful. Any other return value indicates an error
* while trying to add the CMMFCertResponses.
*/
extern SECStatus
CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
CMMFCertResponse **inCertResponses,
int inNumResponses);
/*
* FUNCTION: CMMF_CertRepContentSetCAPubs
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to operate on.
* inCAPubs
* The certificate list which makes up the chain of CA certificates
* required to make the issued cert valid.
* NOTES:
* This function will set the the certificates in the CA chain as part
* of the CMMFCertRepContent. This field is an optional member of the
* CMMFCertRepContent structure, so the client is not required to call
* this function before calling CMMF_EncodeCertRepContent.
*
* RETURN:
* SECSuccess if adding the 'inCAPubs' to the CERTRepContent was successful.
* Any other return value indicates an error while adding 'inCAPubs' to the
* CMMFCertRepContent structure.
*
*/
extern SECStatus
CMMF_CertRepContentSetCAPubs (CMMFCertRepContent *inCertRepContent,
CERTCertList *inCAPubs);
/*
* FUNCTION: CMMF_CertResponseSetPKIStatusInfoStatus
* INPUTS:
* inCertResp
* The CMMFCertResponse to operate on.
* inPKIStatus
* The value to set for the PKIStatusInfo.status field.
* NOTES:
* This function will set the CertResponse.status.status field of
* the CMMFCertResponse structure. (View the definition of CertResponse
* in the CMMF draft to see exactly which value this talks about.) This
* field is a required member of the structure, so the user must call this
* function in order to have a CMMFCertResponse that can be encoded.
*
* RETURN:
* SECSuccess if setting the field with the passed in value was successful.
* Any other return value indicates an error while trying to set the field.
*/
extern SECStatus
CMMF_CertResponseSetPKIStatusInfoStatus (CMMFCertResponse *inCertResp,
CMMFPKIStatus inPKIStatus);
/*
* FUNCTION: CMMF_CertResponseSetCertificate
* INPUTS:
* inCertResp
* The CMMFCertResponse to operate on.
* inCertificate
* The certificate to add to the
* CertResponse.CertifiedKeyPair.certOrEncCert.certificate field.
* NOTES:
* This function will take the certificate and make it a member of the
* CMMFCertResponse. The certificate should be the actual certificate
* being issued via the response.
*
* RETURN:
* SECSuccess if adding the certificate to the response was successful.
* Any other return value indicates an error in adding the certificate to
* the CertResponse.
*/
extern SECStatus
CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
CERTCertificate *inCertificate);
/*
* FUNCTION: CMMF_KeyRecRepContentSetPKIStatusInfoStatus
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* inPKIStatus
* The value to set the PKIStatusInfo.status field to.
* NOTES:
* This function sets the only required field for the KeyRecRepContent.
* In most cases, the user will set this field and other fields of the
* structure to properly create the CMMFKeyRecRepContent structure.
* Refer to the CMMF draft to see which fields need to be set in order
* to create the desired CMMFKeyRecRepContent.
*
* RETURN:
* SECSuccess if setting the PKIStatusInfo.status field was successful.
* Any other return value indicates an error in setting the field.
*/
extern SECStatus
CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
CMMFPKIStatus inPKIStatus);
/*
* FUNCTION: CMMF_KeyRecRepContentSetNewSignCert
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* inNewSignCert
* The new signing cert to add to the CMMFKeyRecRepContent structure.
* NOTES:
* This function sets the new signeing cert in the CMMFKeyRecRepContent
* structure.
*
* RETURN:
* SECSuccess if setting the new signing cert was successful. Any other
* return value indicates an error occurred while trying to add the
* new signing certificate.
*/
extern SECStatus
CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
CERTCertificate *inNewSignCert);
/*
* FUNCTION: CMMF_KeyRecRepContentSetCACerts
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* inCACerts
* The list of CA certificates required to construct a valid
* certificate chain with the certificates that will be returned
* to the end user via this KeyRecRepContent.
* NOTES:
* This function sets the caCerts that are required to form a chain with the
* end entity certificates that are being re-issued in this
* CMMFKeyRecRepContent structure.
*
* RETURN:
* SECSuccess if adding the caCerts was successful. Any other return value
* indicates an error while tring to add the caCerts.
*/
extern SECStatus
CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
CERTCertList *inCACerts);
/*
* FUNCTION: CMMF_KeyRecRepContentSetCertifiedKeyPair
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* inCert
* The certificate to add to the CMMFKeyRecRepContent structure.
* inPrivKey
* The private key associated with the certificate above passed in.
* inPubKey
* The public key to use for wrapping the private key.
* NOTES:
* This function adds another certificate-key pair to the
* CMMFKeyRecRepcontent structure. There may be more than one
* certificate-key pair in the structure, so the user must call this
* function multiple times to add more than one cert-key pair.
*
* RETURN:
* SECSuccess if adding the certified key pair was successful. Any other
* return value indicates an error in adding certified key pair to
* CMMFKeyRecRepContent structure.
*/
extern SECStatus
CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
CERTCertificate *inCert,
SECKEYPrivateKey *inPrivKey,
SECKEYPublicKey *inPubKey);
/*
* FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
* INPUTS:
* inDecKeyChall
* The CMMFPOPODecKeyChallContent to operate on.
* inRandom
* The random number to use when generating the challenge,
* inSender
* The GeneralName representation of the sender of the challenge.
* inPubKey
* The public key to use when encrypting the challenge.
* passwdArg
* This value will be passed to the function used for getting a
* password. The password for getting a password should be registered
* by calling PK11_SetPasswordFunc before this function is called.
* If no password callback is registered and the library needs to
* authenticate to the slot for any reason, this function will fail.
* NOTES:
* This function adds a challenge to the end of the list of challenges
* contained by 'inDecKeyChall'. Refer to the CMMF draft on how the
* the random number passed in and the sender's GeneralName are used
* to generate the challenge and witness fields of the challenge. This
* library will use SHA1 as the one-way function for generating the
* witess field of the challenge.
*
* RETURN:
* SECSuccess if generating the challenge and adding to the end of list
* of challenges was successful. Any other return value indicates an error
* while trying to generate the challenge.
*/
extern SECStatus
CMMF_POPODecKeyChallContentSetNextChallenge
(CMMFPOPODecKeyChallContent *inDecKeyChall,
long inRandom,
CERTGeneralName *inSender,
SECKEYPublicKey *inPubKey,
void *passwdArg);
/************************** Encoding Functions *************************/
/*
* FUNCTION: CMMF_EncodeCertRepContent
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to DER-encode.
* inCallback
* A callback function that the ASN1 encoder will call whenever it
* wants to write out DER-encoded bytes. Look at the defintion of
* CRMFEncoderOutputCallback in crmft.h for a description of the
* parameters to the function.
* inArg
* An opaque pointer to a user-supplied argument that will be passed
* to the callback funtion whenever the function is called.
* NOTES:
* The CMMF library will use the same DER-encoding scheme as the CRMF
* library. In other words, when reading CRMF comments that pertain to
* encoding, those comments apply to the CMMF libray as well.
* The callback function will be called multiple times, each time supplying
* the next chunk of DER-encoded bytes. The user must concatenate the
* output of each successive call to the callback in order to get the
* entire DER-encoded CMMFCertRepContent structure.
*
* RETURN:
* SECSuccess if encoding the CMMFCertRepContent was successful. Any
* other return value indicates an error while decoding the structure.
*/
extern SECStatus
CMMF_EncodeCertRepContent (CMMFCertRepContent *inCertRepContent,
CRMFEncoderOutputCallback inCallback,
void *inArg);
/*
* FUNCTION: CMMF_EncodeKeyRecRepContent
* INPUTS:
* inKeyRecRep
* The CMMFKeyRepContent to DER-encode.
* inCallback
* A callback function that the ASN1 encoder will call whenever it
* wants to write out DER-encoded bytes. Look at the defintion of
* CRMFEncoderOutputCallback in crmft.h for a description of the
* parameters to the function.
* inArg
* An opaque pointer to a user-supplied argument that will be passed
* to the callback funtion whenever the function is called.
* NOTES:
* The CMMF library will use the same DER-encoding scheme as the CRMF
* library. In other words, when reading CRMF comments that pertain to
* encoding, those comments apply to the CMMF libray as well.
* The callback function will be called multiple times, each time supplying
* the next chunk of DER-encoded bytes. The user must concatenate the
* output of each successive call to the callback in order to get the
* entire DER-encoded CMMFCertRepContent structure.
*
* RETURN:
* SECSuccess if encoding the CMMFKeyRecRepContent was successful. Any
* other return value indicates an error while decoding the structure.
*/
extern SECStatus
CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep,
CRMFEncoderOutputCallback inCallback,
void *inArg);
/*
* FUNCTION: CMMF_EncodePOPODecKeyChallContent
* INPUTS:
* inDecKeyChall
* The CMMFDecKeyChallContent to operate on.
* inCallback
* A callback function that the ASN1 encoder will call whenever it
* wants to write out DER-encoded bytes. Look at the defintion of
* CRMFEncoderOutputCallback in crmft.h for a description of the
* parameters to the function.
* inArg
* An opaque pointer to a user-supplied argument that will be passed
* to the callback function whenever the function is called.
* NOTES:
* The CMMF library will use the same DER-encoding scheme as the CRMF
* library. In other words, when reading CRMF comments that pertain to
* encoding, those comments apply to the CMMF libray as well.
* The callback function will be called multiple times, each time supplying
* the next chunk of DER-encoded bytes. The user must concatenate the
* output of each successive call to the callback in order to get the
* entire DER-encoded CMMFCertRepContent structure.
* The DER will be an encoding of the type POPODecKeyChallContents, which
* is just a sequence of challenges.
*
* RETURN:
* SECSuccess if encoding was successful. Any other return value indicates
* an error in trying to encode the Challenges.
*/
extern SECStatus
CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
CRMFEncoderOutputCallback inCallback,
void *inArg);
/*
* FUNCTION: CMMF_EncodePOPODecKeyRespContent
* INPUTS:
* inDecodedRand
* An array of integers to encode as the responses to
* CMMFPOPODecKeyChallContent. The integers must be in the same order
* as the challenges extracted from CMMFPOPODecKeyChallContent.
* inNumRand
* The number of random integers contained in the array 'inDecodedRand'
* inCallback
* A callback function that the ASN1 encoder will call whenever it
* wants to write out DER-encoded bytes. Look at the defintion of
* CRMFEncoderOutputCallback in crmft.h for a description of the
* parameters to the function.
* inArg
* An opaque pointer to a user-supplied argument that will be passed
* to the callback funtion whenever the function is called.
* NOTES:
* The CMMF library will use the same DER-encoding scheme as the CRMF
* library. In other words, when reading CRMF comments that pertain to
* encoding, those comments apply to the CMMF libray as well.
* The callback function will be called multiple times, each time supplying
* the next chunk of DER-encoded bytes. The user must concatenate the
* output of each successive call to the callback in order to get the
* entire DER-encoded POPODecKeyRespContent.
*
* RETURN:
* SECSuccess if encoding was successful. Any other return value indicates
* an error in trying to encode the Challenges.
*/
extern SECStatus
CMMF_EncodePOPODecKeyRespContent(long *inDecodedRand,
int inNumRand,
CRMFEncoderOutputCallback inCallback,
void *inArg);
/*************** Accessor function ***********************************/
/*
* FUNCTION: CMMF_CertRepContentGetCAPubs
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to extract the caPubs from.
* NOTES:
* This function will return a copy of the list of certificates that
* make up the chain of CA's required to make the cert issued valid.
* The user must call CERT_DestroyCertList on the return value when
* done using the return value.
*
* Only call this function on a CertRepContent that has been decoded.
* The client must call CERT_DestroyCertList when the certificate list
* is no longer needed.
*
* The certs in the list will not be in the temporary database. In order
* to make these certificates a part of the permanent CA internal database,
* the user must collect the der for all of these certs and call
* CERT_ImportCAChain. Afterwards the certs will be part of the permanent
* database.
*
* RETURN:
* A pointer to the CERTCertList representing the CA chain associated
* with the issued cert. A NULL return value indicates that no CA Pubs
* were available in the CMMFCertRepContent structure.
*/
extern CERTCertList*
CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent);
/*
* FUNCTION: CMMF_CertRepContentGetNumResponses
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to operate on.
* NOTES:
* This function will return the number of CertResponses that are contained
* by the CMMFCertRepContent passed in.
*
* RETURN:
* The number of CMMFCertResponses contained in the structure passed in.
*/
extern int
CMMF_CertRepContentGetNumResponses (CMMFCertRepContent *inCertRepContent);
/*
* FUNCTION: CMMF_CertRepContentGetResponseAtIndex
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to operate on.
* inIndex
* The index of the CMMFCertResponse the user wants a copy of.
* NOTES:
* This funciton creates a copy of the CMMFCertResponse at the index
* corresponding to the parameter 'inIndex'. Indexing is done like a
* traditional C array, ie the valid indexes are (0...numResponses-1).
* The user must call CMMF_DestroyCertResponse after the return value is
* no longer needed.
*
* RETURN:
* A pointer to the CMMFCertResponse at the index corresponding to
* 'inIndex'. A return value of NULL indicates an error in copying
* the CMMFCertResponse.
*/
extern CMMFCertResponse*
CMMF_CertRepContentGetResponseAtIndex (CMMFCertRepContent *inCertRepContent,
int inIndex);
/*
* FUNCTION: CMMF_CertResponseGetCertReqId
* INPUTS:
* inCertResp
* The CMMFCertResponse to operate on.
* NOTES:
* This function returns the CertResponse.certReqId from the
* CMMFCertResponse structure passed in. If the return value is -1, that
* means there is no associated certificate request with the CertResponse.
* RETURN:
* A long representing the id of the certificate request this
* CMMFCertResponse corresponds to. A return value of -1 indicates an
* error in extracting the value of the integer.
*/
extern long CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp);
/*
* FUNCTION: CMMF_CertResponseGetPKIStatusInfoStatus
* INPUTS:
* inCertResp
* The CMMFCertResponse to operate on.
* NOTES:
* This function returns the CertResponse.status.status field of the
* CMMFCertResponse structure.
*
* RETURN:
* The enumerated value corresponding to the PKIStatus defined in the CMMF
* draft. See the CMMF draft for the definition of PKIStatus. See crmft.h
* for the definition of CMMFPKIStatus.
*/
extern CMMFPKIStatus
CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp);
/*
* FUNCTION: CMMF_CertResponseGetCertificate
* INPUTS:
* inCertResp
* The Certificate Response to operate on.
* inCertdb
* This is the certificate database where the function will place the
* newly issued certificate.
* NOTES:
* This function retrieves the CertResponse.certifiedKeyPair.certificate
* from the CMMFCertResponse. The user will get a copy of that certificate
* so the user must call CERT_DestroyCertificate when the return value is
* no longer needed. The certificate returned will be in the temporary
* certificate database.
*
* RETURN:
* A pointer to a copy of the certificate contained within the
* CMMFCertResponse. A return value of NULL indicates an error while trying
* to make a copy of the certificate.
*/
extern CERTCertificate*
CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
CERTCertDBHandle *inCertdb);
/*
* FUNCTION: CMMF_KeyRecRepContentGetPKIStatusInfoStatus
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent structure to operate on.
* NOTES:
* This function retrieves the KeyRecRepContent.status.status field of
* the CMMFKeyRecRepContent structure.
* RETURN:
* The CMMFPKIStatus corresponding to the value held in the
* CMMFKeyRecRepContent structure.
*/
extern CMMFPKIStatus
CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_KeyRecRepContentGetNewSignCert
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* NOTES:
* This function retrieves the KeyRecRepContent.newSignCert field of the
* CMMFKeyRecRepContent structure. The user must call
* CERT_DestroyCertificate when the return value is no longer needed. The
* returned certificate will be in the temporary database. The user
* must then place the certificate permanently in whatever token the
* user determines is the proper destination. A return value of NULL
* indicates the newSigCert field was not present.
*/
extern CERTCertificate*
CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_KeyRecRepContentGetCACerts
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* NOTES:
* This function returns a CERTCertList which contains all of the
* certficates that are in the sequence KeyRecRepContent.caCerts
* User must call CERT_DestroyCertList when the return value is no longer
* needed. All of these certificates will be placed in the tempoaray
* database.
*
* RETURN:
* A pointer to the list of caCerts contained in the CMMFKeyRecRepContent
* structure. A return value of NULL indicates the library was not able to
* make a copy of the certifcates. This may be because there are no caCerts
* included in the CMMFKeyRecRepContent strucure or an internal error. Call
* CMMF_KeyRecRepContentHasCACerts to find out if there are any caCerts
* included in 'inKeyRecRep'.
*/
extern CERTCertList*
CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_KeyRecRepContentGetNumKeyPairs
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to operate on.
* RETURN:
* This function returns the number of CMMFCertifiedKeyPair structures that
* that are stored in the KeyRecRepContent structure.
*/
extern int
CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_KeyRecRepContentGetCertKeyAtIndex
* INPUTS:
* inKeyRecRepContent
* The CMMFKeyRecRepContent to operate on.
* inIndex
* The index of the desired CMMFCertifiedKeyPair
* NOTES:
* This function retrieves the CMMFCertifiedKeyPair structure at the index
* 'inIndex'. Valid indexes are 0...(numKeyPairs-1) The user must call
* CMMF_DestroyCertifiedKeyPair when the return value is no longer needed.
*
* RETURN:
* A pointer to the Certified Key Pair at the desired index. A return value
* of NULL indicates an error in extracting the Certified Key Pair at the
* desired index.
*/
extern CMMFCertifiedKeyPair*
CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
int inIndex);
/*
* FUNCTION: CMMF_CertifiedKeyPairGetCertificate
* INPUTS:
* inCertKeyPair
* The CMMFCertifiedKeyPair to operate on.
* inCertdb
* The database handle for the database you want this certificate
* to wind up in.
* NOTES:
* This function retrieves the certificate at
* CertifiedKeyPair.certOrEncCert.certificate
* The user must call CERT_DestroyCertificate when the return value is no
* longer needed. The user must import this certificate as a token object
* onto PKCS#11 slot in order to make it a permanent object. The returned
* certificate will be in the temporary database.
*
* RETURN:
* A pointer to the certificate contained within the certified key pair.
* A return value of NULL indicates an error in creating the copy of the
* certificate.
*/
extern CERTCertificate*
CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
CERTCertDBHandle *inCertdb);
/*
* FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
* INPUTS:
* inKeyChallCont
* The CMMFPOPODecKeyChallContent to operate on.
* RETURN:
* This function returns the number of CMMFChallenges are contained in
* the CMMFPOPODecKeyChallContent structure.
*/
extern int CMMF_POPODecKeyChallContentGetNumChallenges
(CMMFPOPODecKeyChallContent *inKeyChallCont);
/*
* FUNCTION: CMMF_POPODecKeyChallContentGetPublicValue
* ---------------------------------------------------
* INPUTS:
* inKeyChallCont
* The CMMFPOPODecKeyChallContent to operate on.
* inIndex
* The index of the Challenge within inKeyChallCont to operate on.
* Indexes start from 0, ie the Nth Challenge corresponds to index
* N-1.
* NOTES:
* This function retrieves the public value stored away in the Challenge at
* index inIndex of inKeyChallCont.
* RETURN:
* A pointer to a SECItem containing the public value. User must call
* SECITEM_FreeItem on the return value when the value is no longer necessary.
* A return value of NULL indicates an error while retrieving the public value.
*/
extern SECItem* CMMF_POPODecKeyChallContentGetPublicValue
(CMMFPOPODecKeyChallContent *inKeyChallCont,
int inIndex);
/*
* FUNCTION: CMMF_POPODecKeyChallContentGetRandomNumber
* INPUTS:
* inChallContent
* The CMMFPOPODecKeyChallContent to operate on.
* inIndex
* The index of the challenge to look at. Valid indexes are 0 through
* (CMMF_POPODecKeyChallContentGetNumChallenges(inChallContent) - 1).
* inDest
* A pointer to a user supplied buffer where the library
* can place a copy of the random integer contatained in the
* challenge.
* NOTES:
* This function returns the value held in the decrypted Rand structure
* corresponding to the random integer. The user must call
* CMMF_POPODecKeyChallContentDecryptChallenge before calling this function. Call
* CMMF_ChallengeIsDecrypted to find out if the challenge has been
* decrypted.
*
* RETURN:
* SECSuccess indicates the witness field has been previously decrypted
* and the value for the random integer was successfully placed at *inDest.
* Any other return value indicates an error and that the value at *inDest
* is not a valid value.
*/
extern SECStatus CMMF_POPODecKeyChallContentGetRandomNumber
(CMMFPOPODecKeyChallContent *inKeyChallCont,
int inIndex,
long *inDest);
/*
* FUNCTION: CMMF_POPODecKeyRespContentGetNumResponses
* INPUTS:
* inRespCont
* The POPODecKeyRespContent to operate on.
* RETURN:
* This function returns the number of responses contained in inRespContent.
*/
extern int
CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont);
/*
* FUNCTION: CMMF_POPODecKeyRespContentGetResponse
* INPUTS:
* inRespCont
* The POPODecKeyRespContent to operate on.
* inIndex
* The index of the response to retrieve.
* The Nth response is at index N-1, ie the 1st response is at index 0,
* the 2nd response is at index 1, and so on.
* inDest
* A pointer to a pre-allocated buffer where the library can put the
* value of the response located at inIndex.
* NOTES:
* The function returns the response contained at index inIndex.
* CMMFPOPODecKeyRespContent is a structure that the server will generally
* get in response to a CMMFPOPODecKeyChallContent. The server will expect
* to see the responses in the same order as it constructed them in
* the CMMFPOPODecKeyChallContent structure.
* RETURN:
* SECSuccess if getting the response at the desired index was successful. Any
* other return value indicates an errror.
*/
extern SECStatus
CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
int inIndex,
long *inDest);
/************************* Destructor Functions ******************************/
/*
* FUNCTION: CMMF_DestroyCertResponse
* INPUTS:
* inCertResp
* The CMMFCertResponse to destroy.
* NOTES:
* This function frees all the memory associated with the CMMFCertResponse
* passed in.
* RETURN:
* SECSuccess if freeing the memory was successful. Any other return value
* indicates an error while freeing the memory.
*/
extern SECStatus CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp);
/*
* FUNCTION: CMMF_DestroyCertRepContent
* INPUTS:
* inCertRepContent
* The CMMFCertRepContent to destroy
* NOTES:
* This function frees the memory associated with the CMMFCertRepContent
* passed in.
* RETURN:
* SECSuccess if freeing all the memory associated with the
* CMMFCertRepContent passed in is successful. Any other return value
* indicates an error while freeing the memory.
*/
extern SECStatus
CMMF_DestroyCertRepContent (CMMFCertRepContent *inCertRepContent);
/*
* FUNCTION: CMMF_DestroyKeyRecRepContent
* INPUTS:
* inKeyRecRep
* The CMMFKeyRecRepContent to destroy.
* NOTES:
* This function destroys all the memory associated with the
* CMMFKeyRecRepContent passed in.
*
* RETURN:
* SECSuccess if freeing all the memory is successful. Any other return
* value indicates an error in freeing the memory.
*/
extern SECStatus
CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_DestroyCertifiedKeyPair
* INPUTS:
* inCertKeyPair
* The CMMFCertifiedKeyPair to operate on.
* NOTES:
* This function frees up all the memory associated with 'inCertKeyPair'
*
* RETURN:
* SECSuccess if freeing all the memory associated with 'inCertKeyPair'
* is successful. Any other return value indicates an error while trying
* to free the memory.
*/
extern SECStatus
CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair);
/*
* FUNCTION: CMMF_DestroyPOPODecKeyRespContent
* INPUTS:
* inDecKeyResp
* The CMMFPOPODecKeyRespContent structure to free.
* NOTES:
* This function frees up all the memory associate with the
* CMMFPOPODecKeyRespContent.
*
* RETURN:
* SECSuccess if freeing up all the memory associated with the
* CMMFPOPODecKeyRespContent structure is successful. Any other
* return value indicates an error while freeing the memory.
*/
extern SECStatus
CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
/************************** Miscellaneous Functions *************************/
/*
* FUNCTION: CMMF_CertifiedKeyPairUnwrapPrivKey
* INPUTS:
* inCertKeyPair
* The CMMFCertifiedKeyPair to operate on.
* inPrivKey
* The private key to use to un-wrap the private key
* inNickName
* This is the nickname that will be associated with the private key
* to be unwrapped.
* inSlot
* The PKCS11 slot where the unwrapped private key should end up.
* inCertdb
* The Certificate database with which the new key will be associated.
* destPrivKey
* A pointer to memory where the library can place a pointer to the
* private key after importing the key onto the specified slot.
* wincx
* An opaque pointer that the library will use in a callback function
* to get the password if necessary.
*
* NOTES:
* This function uses the private key passed in to unwrap the private key
* contained within the CMMFCertifiedKeyPair structure. After this
* function successfully returns, the private key has been unwrapped and
* placed in the specified slot.
*
* RETURN:
* SECSuccess if unwrapping the private key was successful. Any other
* return value indicates an error while trying to un-wrap the private key.
*/
extern SECStatus
CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
SECKEYPrivateKey *inPrivKey,
SECItem *inNickName,
PK11SlotInfo *inSlot,
CERTCertDBHandle *inCertdb,
SECKEYPrivateKey **destPrivKey,
void *wincx);
/*
* FUNCTION: CMMF_KeyRecRepContentHasCACerts
* INPUTS:
* inKeyRecRecp
* The CMMFKeyRecRepContent to operate on.
* RETURN:
* This function returns PR_TRUE if there are one or more certificates in
* the sequence KeyRecRepContent.caCerts within the CMMFKeyRecRepContent
* structure. The function will return PR_FALSE if there are 0 certificate
* in the above mentioned sequence.
*/
extern PRBool
CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep);
/*
* FUNCTION: CMMF_POPODecKeyChallContDecryptChallenge
* INPUTS:
* inChalCont
* The CMMFPOPODecKeyChallContent to operate on.
* inIndex
* The index of the Challenge to operate on. The 1st Challenge is
* at index 0, the second at index 1 and so forth.
* inPrivKey
* The private key to use to decrypt the witness field.
* NOTES:
* This function uses the private key to decrypt the challenge field
* contained in the appropriate challenge. Make sure the private key matches
* the public key that was used to encrypt the witness. Use
* CMMF_POPODecKeyChallContentGetPublicValue to get the public value of
* the key used to encrypt the witness and then use that to determine the
* appropriate private key. This can be done by calling PK11_MakeIDFromPubKey
* and then passing that return value to PK11_FindKeyByKeyID. The creator of
* the challenge will most likely be an RA that has the public key
* from a Cert request. So the private key should be the private key
* associated with public key in that request. This function will also
* verify the witness field of the challenge. This function also verifies
* that the sender and witness hashes match within the challenge.
*
* RETURN:
* SECSuccess if decrypting the witness field was successful. This does
* not indicate that the decrypted data is valid, since the private key
* passed in may not be the actual key needed to properly decrypt the
* witness field. Meaning that there is a decrypted structure now, but
* may be garbage because the private key was incorrect.
* Any other return value indicates the function could not complete the
* decryption process.
*/
extern SECStatus
CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
int inIndex,
SECKEYPrivateKey *inPrivKey);
/*
* FUNCTION: CMMF_DestroyPOPODecKeyChallContent
* INPUTS:
* inDecKeyCont
* The CMMFPOPODecKeyChallContent to free
* NOTES:
* This function frees up all the memory associated with the
* CMMFPOPODecKeyChallContent
* RETURN:
* SECSuccess if freeing up all the memory associatd with the
* CMMFPOPODecKeyChallContent is successful. Any other return value
* indicates an error while freeing the memory.
*
*/
extern SECStatus
CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
SEC_END_PROTOS
#endif /* _CMMF_H_ */