зеркало из https://github.com/mozilla/pjs.git
888 строки
27 KiB
C
888 строки
27 KiB
C
/* ***** BEGIN LICENSE BLOCK *****
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
*
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
* http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
* for the specific language governing rights and limitations under the
|
|
* License.
|
|
*
|
|
* The Original Code is the Netscape security libraries.
|
|
*
|
|
* The Initial Developer of the Original Code is
|
|
* Netscape Communications Corporation.
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
* the Initial Developer. All Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
* the provisions above, a recipient may use your version of this file under
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
*
|
|
* ***** END LICENSE BLOCK ***** */
|
|
/*
|
|
* certt.h - public data structures for the certificate library
|
|
*
|
|
* $Id: certt.h,v 1.33 2005-08-17 02:04:12 julien.pierre.bugs%sun.com Exp $
|
|
*/
|
|
#ifndef _CERTT_H_
|
|
#define _CERTT_H_
|
|
|
|
#include "prclist.h"
|
|
#include "pkcs11t.h"
|
|
#include "seccomon.h"
|
|
#include "secmodt.h"
|
|
#include "secoidt.h"
|
|
#include "plarena.h"
|
|
#include "prcvar.h"
|
|
#include "nssilock.h"
|
|
#include "prio.h"
|
|
#include "prmon.h"
|
|
|
|
/* Stan data types */
|
|
struct NSSCertificateStr;
|
|
struct NSSTrustDomainStr;
|
|
|
|
/* Non-opaque objects */
|
|
typedef struct CERTAVAStr CERTAVA;
|
|
typedef struct CERTAttributeStr CERTAttribute;
|
|
typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
|
|
typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
|
|
typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
|
|
#ifdef NSS_CLASSIC
|
|
typedef struct CERTCertDBHandleStr CERTCertDBHandle;
|
|
#else
|
|
typedef struct NSSTrustDomainStr CERTCertDBHandle;
|
|
#endif
|
|
typedef struct CERTCertExtensionStr CERTCertExtension;
|
|
typedef struct CERTCertKeyStr CERTCertKey;
|
|
typedef struct CERTCertListStr CERTCertList;
|
|
typedef struct CERTCertListNodeStr CERTCertListNode;
|
|
typedef struct CERTCertNicknamesStr CERTCertNicknames;
|
|
typedef struct CERTCertTrustStr CERTCertTrust;
|
|
typedef struct CERTCertificateStr CERTCertificate;
|
|
typedef struct CERTCertificateListStr CERTCertificateList;
|
|
typedef struct CERTCertificateRequestStr CERTCertificateRequest;
|
|
typedef struct CERTCrlStr CERTCrl;
|
|
typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
|
|
typedef struct CERTCrlEntryStr CERTCrlEntry;
|
|
typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
|
|
typedef struct CERTCrlKeyStr CERTCrlKey;
|
|
typedef struct CERTCrlNodeStr CERTCrlNode;
|
|
typedef struct CERTDERCertsStr CERTDERCerts;
|
|
typedef struct CERTDistNamesStr CERTDistNames;
|
|
typedef struct CERTGeneralNameStr CERTGeneralName;
|
|
typedef struct CERTGeneralNameListStr CERTGeneralNameList;
|
|
typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
|
|
typedef struct CERTNameStr CERTName;
|
|
typedef struct CERTNameConstraintStr CERTNameConstraint;
|
|
typedef struct CERTNameConstraintsStr CERTNameConstraints;
|
|
typedef struct CERTOKDomainNameStr CERTOKDomainName;
|
|
typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
|
|
typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
|
|
typedef struct CERTRDNStr CERTRDN;
|
|
typedef struct CERTSignedCrlStr CERTSignedCrl;
|
|
typedef struct CERTSignedDataStr CERTSignedData;
|
|
typedef struct CERTStatusConfigStr CERTStatusConfig;
|
|
typedef struct CERTSubjectListStr CERTSubjectList;
|
|
typedef struct CERTSubjectNodeStr CERTSubjectNode;
|
|
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
|
|
typedef struct CERTValidityStr CERTValidity;
|
|
typedef struct CERTVerifyLogStr CERTVerifyLog;
|
|
typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
|
|
typedef struct CRLDistributionPointStr CRLDistributionPoint;
|
|
|
|
/* CRL extensions type */
|
|
typedef unsigned long CERTCrlNumber;
|
|
|
|
/*
|
|
** An X.500 AVA object
|
|
*/
|
|
struct CERTAVAStr {
|
|
SECItem type;
|
|
SECItem value;
|
|
};
|
|
|
|
/*
|
|
** An X.500 RDN object
|
|
*/
|
|
struct CERTRDNStr {
|
|
CERTAVA **avas;
|
|
};
|
|
|
|
/*
|
|
** An X.500 name object
|
|
*/
|
|
struct CERTNameStr {
|
|
PRArenaPool *arena;
|
|
CERTRDN **rdns;
|
|
};
|
|
|
|
/*
|
|
** An X.509 validity object
|
|
*/
|
|
struct CERTValidityStr {
|
|
PRArenaPool *arena;
|
|
SECItem notBefore;
|
|
SECItem notAfter;
|
|
};
|
|
|
|
/*
|
|
* A serial number and issuer name, which is used as a database key
|
|
*/
|
|
struct CERTCertKeyStr {
|
|
SECItem serialNumber;
|
|
SECItem derIssuer;
|
|
};
|
|
|
|
/*
|
|
** A signed data object. Used to implement the "signed" macro used
|
|
** in the X.500 specs.
|
|
*/
|
|
struct CERTSignedDataStr {
|
|
SECItem data;
|
|
SECAlgorithmID signatureAlgorithm;
|
|
SECItem signature;
|
|
};
|
|
|
|
/*
|
|
** An X.509 subject-public-key-info object
|
|
*/
|
|
struct CERTSubjectPublicKeyInfoStr {
|
|
PRArenaPool *arena;
|
|
SECAlgorithmID algorithm;
|
|
SECItem subjectPublicKey;
|
|
};
|
|
|
|
struct CERTPublicKeyAndChallengeStr {
|
|
SECItem spki;
|
|
SECItem challenge;
|
|
};
|
|
|
|
struct CERTCertTrustStr {
|
|
unsigned int sslFlags;
|
|
unsigned int emailFlags;
|
|
unsigned int objectSigningFlags;
|
|
};
|
|
|
|
/*
|
|
* defined the types of trust that exist
|
|
*/
|
|
typedef enum SECTrustTypeEnum {
|
|
trustSSL = 0,
|
|
trustEmail = 1,
|
|
trustObjectSigning = 2,
|
|
trustTypeNone = 3
|
|
} SECTrustType;
|
|
|
|
#define SEC_GET_TRUST_FLAGS(trust,type) \
|
|
(((type)==trustSSL)?((trust)->sslFlags): \
|
|
(((type)==trustEmail)?((trust)->emailFlags): \
|
|
(((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
|
|
|
|
/*
|
|
** An X.509.3 certificate extension
|
|
*/
|
|
struct CERTCertExtensionStr {
|
|
SECItem id;
|
|
SECItem critical;
|
|
SECItem value;
|
|
};
|
|
|
|
struct CERTSubjectNodeStr {
|
|
struct CERTSubjectNodeStr *next;
|
|
struct CERTSubjectNodeStr *prev;
|
|
SECItem certKey;
|
|
SECItem keyID;
|
|
};
|
|
|
|
struct CERTSubjectListStr {
|
|
PRArenaPool *arena;
|
|
int ncerts;
|
|
char *emailAddr;
|
|
CERTSubjectNode *head;
|
|
CERTSubjectNode *tail; /* do we need tail? */
|
|
void *entry;
|
|
};
|
|
|
|
/*
|
|
** An X.509 certificate object (the unsigned form)
|
|
*/
|
|
struct CERTCertificateStr {
|
|
/* the arena is used to allocate any data structures that have the same
|
|
* lifetime as the cert. This is all stuff that hangs off of the cert
|
|
* structure, and is all freed at the same time. I is used when the
|
|
* cert is decoded, destroyed, and at some times when it changes
|
|
* state
|
|
*/
|
|
PRArenaPool *arena;
|
|
|
|
/* The following fields are static after the cert has been decoded */
|
|
char *subjectName;
|
|
char *issuerName;
|
|
CERTSignedData signatureWrap; /* XXX */
|
|
SECItem derCert; /* original DER for the cert */
|
|
SECItem derIssuer; /* DER for issuer name */
|
|
SECItem derSubject; /* DER for subject name */
|
|
SECItem derPublicKey; /* DER for the public key */
|
|
SECItem certKey; /* database key for this cert */
|
|
SECItem version;
|
|
SECItem serialNumber;
|
|
SECAlgorithmID signature;
|
|
CERTName issuer;
|
|
CERTValidity validity;
|
|
CERTName subject;
|
|
CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
|
|
SECItem issuerID;
|
|
SECItem subjectID;
|
|
CERTCertExtension **extensions;
|
|
char *emailAddr;
|
|
CERTCertDBHandle *dbhandle;
|
|
SECItem subjectKeyID; /* x509v3 subject key identifier */
|
|
PRBool keyIDGenerated; /* was the keyid generated? */
|
|
unsigned int keyUsage; /* what uses are allowed for this cert */
|
|
unsigned int rawKeyUsage; /* value of the key usage extension */
|
|
PRBool keyUsagePresent; /* was the key usage extension present */
|
|
PRUint32 nsCertType; /* value of the ns cert type extension */
|
|
/* must be 32-bit for PR_AtomicSet */
|
|
|
|
/* these values can be set by the application to bypass certain checks
|
|
* or to keep the cert in memory for an entire session.
|
|
* XXX - need an api to set these
|
|
*/
|
|
PRBool keepSession; /* keep this cert for entire session*/
|
|
PRBool timeOK; /* is the bad validity time ok? */
|
|
CERTOKDomainName *domainOK; /* these domain names are ok */
|
|
|
|
/*
|
|
* these values can change when the cert changes state. These state
|
|
* changes include transitions from temp to perm or vice-versa, and
|
|
* changes of trust flags
|
|
*/
|
|
PRBool isperm;
|
|
PRBool istemp;
|
|
char *nickname;
|
|
char *dbnickname;
|
|
struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
|
|
CERTCertTrust *trust;
|
|
|
|
/* the reference count is modified whenever someone looks up, dups
|
|
* or destroys a certificate
|
|
*/
|
|
int referenceCount;
|
|
|
|
/* The subject list is a list of all certs with the same subject name.
|
|
* It can be modified any time a cert is added or deleted from either
|
|
* the in-memory(temporary) or on-disk(permanent) database.
|
|
*/
|
|
CERTSubjectList *subjectList;
|
|
|
|
/* these belong in the static section, but are here to maintain
|
|
* the structure's integrity
|
|
*/
|
|
CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */
|
|
PRBool isRoot; /* cert is the end of a chain */
|
|
|
|
/* these fields are used by client GUI code to keep track of ssl sockets
|
|
* that are blocked waiting on GUI feedback related to this cert.
|
|
* XXX - these should be moved into some sort of application specific
|
|
* data structure. They are only used by the browser right now.
|
|
*/
|
|
struct SECSocketNode *authsocketlist;
|
|
int series; /* was int authsocketcount; record the series of the pkcs11ID */
|
|
|
|
/* This is PKCS #11 stuff. */
|
|
PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
|
|
CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
|
|
PRBool ownSlot; /*true if the cert owns the slot reference */
|
|
};
|
|
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
|
|
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
|
|
#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
|
|
|
|
#define SEC_CRL_VERSION_1 0 /* default */
|
|
#define SEC_CRL_VERSION_2 1 /* v2 extensions */
|
|
|
|
/*
|
|
* used to identify class of cert in mime stream code
|
|
*/
|
|
#define SEC_CERT_CLASS_CA 1
|
|
#define SEC_CERT_CLASS_SERVER 2
|
|
#define SEC_CERT_CLASS_USER 3
|
|
#define SEC_CERT_CLASS_EMAIL 4
|
|
|
|
struct CERTDERCertsStr {
|
|
PRArenaPool *arena;
|
|
int numcerts;
|
|
SECItem *rawCerts;
|
|
};
|
|
|
|
/*
|
|
** A PKCS ? Attribute
|
|
** XXX this is duplicated through out the code, it *should* be moved
|
|
** to a central location. Where would be appropriate?
|
|
*/
|
|
struct CERTAttributeStr {
|
|
SECItem attrType;
|
|
SECItem **attrValue;
|
|
};
|
|
|
|
/*
|
|
** A PKCS#10 certificate-request object (the unsigned form)
|
|
*/
|
|
struct CERTCertificateRequestStr {
|
|
PRArenaPool *arena;
|
|
SECItem version;
|
|
CERTName subject;
|
|
CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
|
|
CERTAttribute **attributes;
|
|
};
|
|
#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
|
|
|
|
|
|
/*
|
|
** A certificate list object.
|
|
*/
|
|
struct CERTCertificateListStr {
|
|
SECItem *certs;
|
|
int len; /* number of certs */
|
|
PRArenaPool *arena;
|
|
};
|
|
|
|
struct CERTCertListNodeStr {
|
|
PRCList links;
|
|
CERTCertificate *cert;
|
|
void *appData;
|
|
};
|
|
|
|
struct CERTCertListStr {
|
|
PRCList list;
|
|
PRArenaPool *arena;
|
|
};
|
|
|
|
#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
|
|
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
|
|
#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
|
|
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
|
|
|
|
struct CERTCrlEntryStr {
|
|
SECItem serialNumber;
|
|
SECItem revocationDate;
|
|
CERTCertExtension **extensions;
|
|
};
|
|
|
|
struct CERTCrlStr {
|
|
PRArenaPool *arena;
|
|
SECItem version;
|
|
SECAlgorithmID signatureAlg;
|
|
SECItem derName;
|
|
CERTName name;
|
|
SECItem lastUpdate;
|
|
SECItem nextUpdate; /* optional for x.509 CRL */
|
|
CERTCrlEntry **entries;
|
|
CERTCertExtension **extensions;
|
|
/* can't add anything there for binary backwards compatibility reasons */
|
|
};
|
|
|
|
struct CERTCrlKeyStr {
|
|
SECItem derName;
|
|
SECItem dummy; /* The decoder can not skip a primitive,
|
|
this serves as a place holder for the
|
|
decoder to finish its task only
|
|
*/
|
|
};
|
|
|
|
struct CERTSignedCrlStr {
|
|
PRArenaPool *arena;
|
|
CERTCrl crl;
|
|
void *reserved1;
|
|
PRBool reserved2;
|
|
PRBool isperm;
|
|
PRBool istemp;
|
|
int referenceCount;
|
|
CERTCertDBHandle *dbhandle;
|
|
CERTSignedData signatureWrap; /* XXX */
|
|
char *url;
|
|
SECItem *derCrl;
|
|
PK11SlotInfo *slot;
|
|
CK_OBJECT_HANDLE pkcs11ID;
|
|
void* opaque; /* do not touch */
|
|
};
|
|
|
|
|
|
struct CERTCrlHeadNodeStr {
|
|
PRArenaPool *arena;
|
|
CERTCertDBHandle *dbhandle;
|
|
CERTCrlNode *first;
|
|
CERTCrlNode *last;
|
|
};
|
|
|
|
|
|
struct CERTCrlNodeStr {
|
|
CERTCrlNode *next;
|
|
int type;
|
|
CERTSignedCrl *crl;
|
|
};
|
|
|
|
|
|
/*
|
|
* Array of X.500 Distinguished Names
|
|
*/
|
|
struct CERTDistNamesStr {
|
|
PRArenaPool *arena;
|
|
int nnames;
|
|
SECItem *names;
|
|
void *head; /* private */
|
|
};
|
|
|
|
|
|
#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
|
|
#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
|
|
#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
|
|
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
|
|
#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
|
|
#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
|
|
#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
|
|
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
|
|
|
|
#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
|
|
#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
|
|
|
|
#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
|
|
NS_CERT_TYPE_SSL_SERVER | \
|
|
NS_CERT_TYPE_EMAIL | \
|
|
NS_CERT_TYPE_OBJECT_SIGNING )
|
|
|
|
#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
|
|
NS_CERT_TYPE_EMAIL_CA | \
|
|
NS_CERT_TYPE_OBJECT_SIGNING_CA | \
|
|
EXT_KEY_USAGE_STATUS_RESPONDER )
|
|
typedef enum SECCertUsageEnum {
|
|
certUsageSSLClient = 0,
|
|
certUsageSSLServer = 1,
|
|
certUsageSSLServerWithStepUp = 2,
|
|
certUsageSSLCA = 3,
|
|
certUsageEmailSigner = 4,
|
|
certUsageEmailRecipient = 5,
|
|
certUsageObjectSigner = 6,
|
|
certUsageUserCertImport = 7,
|
|
certUsageVerifyCA = 8,
|
|
certUsageProtectedObjectSigner = 9,
|
|
certUsageStatusResponder = 10,
|
|
certUsageAnyCA = 11
|
|
} SECCertUsage;
|
|
|
|
typedef PRInt64 SECCertificateUsage;
|
|
|
|
#define certificateUsageSSLClient (0x0001)
|
|
#define certificateUsageSSLServer (0x0002)
|
|
#define certificateUsageSSLServerWithStepUp (0x0004)
|
|
#define certificateUsageSSLCA (0x0008)
|
|
#define certificateUsageEmailSigner (0x0010)
|
|
#define certificateUsageEmailRecipient (0x0020)
|
|
#define certificateUsageObjectSigner (0x0040)
|
|
#define certificateUsageUserCertImport (0x0080)
|
|
#define certificateUsageVerifyCA (0x0100)
|
|
#define certificateUsageProtectedObjectSigner (0x0200)
|
|
#define certificateUsageStatusResponder (0x0400)
|
|
#define certificateUsageAnyCA (0x0800)
|
|
|
|
#define certificateUsageHighest certificateUsageAnyCA
|
|
|
|
/*
|
|
* Does the cert belong to the user, a peer, or a CA.
|
|
*/
|
|
typedef enum CERTCertOwnerEnum {
|
|
certOwnerUser = 0,
|
|
certOwnerPeer = 1,
|
|
certOwnerCA = 2
|
|
} CERTCertOwner;
|
|
|
|
/*
|
|
* This enum represents the state of validity times of a certificate
|
|
*/
|
|
typedef enum SECCertTimeValidityEnum {
|
|
secCertTimeValid = 0,
|
|
secCertTimeExpired = 1,
|
|
secCertTimeNotValidYet = 2,
|
|
secCertTimeUndetermined = 3 /* validity could not be decoded from the
|
|
cert, most likely because it was NULL */
|
|
} SECCertTimeValidity;
|
|
|
|
/*
|
|
* This is used as return status in functions that compare the validity
|
|
* periods of two certificates A and B, currently only
|
|
* CERT_CompareValidityTimes.
|
|
*/
|
|
|
|
typedef enum CERTCompareValidityStatusEnum
|
|
{
|
|
certValidityUndetermined = 0, /* the function is unable to select one cert
|
|
over another */
|
|
certValidityChooseB = 1, /* cert B should be preferred */
|
|
certValidityEqual = 2, /* both certs have the same validity period */
|
|
certValidityChooseA = 3 /* cert A should be preferred */
|
|
} CERTCompareValidityStatus;
|
|
|
|
/*
|
|
* Interface for getting certificate nickname strings out of the database
|
|
*/
|
|
|
|
/* these are values for the what argument below */
|
|
#define SEC_CERT_NICKNAMES_ALL 1
|
|
#define SEC_CERT_NICKNAMES_USER 2
|
|
#define SEC_CERT_NICKNAMES_SERVER 3
|
|
#define SEC_CERT_NICKNAMES_CA 4
|
|
|
|
struct CERTCertNicknamesStr {
|
|
PRArenaPool *arena;
|
|
void *head;
|
|
int numnicknames;
|
|
char **nicknames;
|
|
int what;
|
|
int totallen;
|
|
};
|
|
|
|
struct CERTIssuerAndSNStr {
|
|
SECItem derIssuer;
|
|
CERTName issuer;
|
|
SECItem serialNumber;
|
|
};
|
|
|
|
|
|
/* X.509 v3 Key Usage Extension flags */
|
|
#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
|
|
#define KU_NON_REPUDIATION (0x40) /* bit 1 */
|
|
#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
|
|
#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
|
|
#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
|
|
#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
|
|
#define KU_CRL_SIGN (0x02) /* bit 6 */
|
|
#define KU_ALL (KU_DIGITAL_SIGNATURE | \
|
|
KU_NON_REPUDIATION | \
|
|
KU_KEY_ENCIPHERMENT | \
|
|
KU_DATA_ENCIPHERMENT | \
|
|
KU_KEY_AGREEMENT | \
|
|
KU_KEY_CERT_SIGN | \
|
|
KU_CRL_SIGN)
|
|
|
|
/* This value will not occur in certs. It is used internally for the case
|
|
* when the key type is not know ahead of time and either key agreement or
|
|
* key encipherment are the correct value based on key type
|
|
*/
|
|
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
|
|
|
|
/* internal bits that do not match bits in the x509v3 spec, but are used
|
|
* for similar purposes
|
|
*/
|
|
#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
|
|
/*
|
|
* x.509 v3 Basic Constraints Extension
|
|
* If isCA is false, the pathLenConstraint is ignored.
|
|
* Otherwise, the following pathLenConstraint values will apply:
|
|
* < 0 - there is no limit to the certificate path
|
|
* 0 - CA can issues end-entity certificates only
|
|
* > 0 - the number of certificates in the certificate path is
|
|
* limited to this number
|
|
*/
|
|
#define CERT_UNLIMITED_PATH_CONSTRAINT -2
|
|
|
|
struct CERTBasicConstraintsStr {
|
|
PRBool isCA; /* on if is CA */
|
|
int pathLenConstraint; /* maximum number of certificates that can be
|
|
in the cert path. Only applies to a CA
|
|
certificate; otherwise, it's ignored.
|
|
*/
|
|
};
|
|
|
|
/* Maximum length of a certificate chain */
|
|
#define CERT_MAX_CERT_CHAIN 20
|
|
|
|
/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
|
|
#define RF_UNUSED (0x80) /* bit 0 */
|
|
#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
|
|
#define RF_CA_COMPROMISE (0x20) /* bit 2 */
|
|
#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
|
|
#define RF_SUPERSEDED (0x08) /* bit 4 */
|
|
#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
|
|
#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
|
|
|
|
/* If we needed to extract the general name field, use this */
|
|
/* General Name types */
|
|
typedef enum CERTGeneralNameTypeEnum {
|
|
certOtherName = 1,
|
|
certRFC822Name = 2,
|
|
certDNSName = 3,
|
|
certX400Address = 4,
|
|
certDirectoryName = 5,
|
|
certEDIPartyName = 6,
|
|
certURI = 7,
|
|
certIPAddress = 8,
|
|
certRegisterID = 9
|
|
} CERTGeneralNameType;
|
|
|
|
|
|
typedef struct OtherNameStr {
|
|
SECItem name;
|
|
SECItem oid;
|
|
}OtherName;
|
|
|
|
|
|
|
|
struct CERTGeneralNameStr {
|
|
CERTGeneralNameType type; /* name type */
|
|
union {
|
|
CERTName directoryName; /* distinguish name */
|
|
OtherName OthName; /* Other Name */
|
|
SECItem other; /* the rest of the name forms */
|
|
}name;
|
|
SECItem derDirectoryName; /* this is saved to simplify directory name
|
|
comparison */
|
|
PRCList l;
|
|
};
|
|
|
|
struct CERTGeneralNameListStr {
|
|
PRArenaPool *arena;
|
|
CERTGeneralName *name;
|
|
int refCount;
|
|
int len;
|
|
PZLock *lock;
|
|
};
|
|
|
|
struct CERTNameConstraintStr {
|
|
CERTGeneralName name;
|
|
SECItem DERName;
|
|
SECItem min;
|
|
SECItem max;
|
|
PRCList l;
|
|
};
|
|
|
|
|
|
struct CERTNameConstraintsStr {
|
|
CERTNameConstraint *permited;
|
|
CERTNameConstraint *excluded;
|
|
SECItem **DERPermited;
|
|
SECItem **DERExcluded;
|
|
};
|
|
|
|
|
|
/* Private Key Usage Period extension struct. */
|
|
struct CERTPrivKeyUsagePeriodStr {
|
|
SECItem notBefore;
|
|
SECItem notAfter;
|
|
PRArenaPool *arena;
|
|
};
|
|
|
|
/* X.509 v3 Authority Key Identifier extension. For the authority certificate
|
|
issuer field, we only support URI now.
|
|
*/
|
|
struct CERTAuthKeyIDStr {
|
|
SECItem keyID; /* unique key identifier */
|
|
CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
|
|
SECItem authCertSerialNumber; /* CA's certificate serial number */
|
|
SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
|
|
the authCertIssuer field. It is used
|
|
by the encoding engine. It should be
|
|
used as a read only field by the caller.
|
|
*/
|
|
};
|
|
|
|
/* x.509 v3 CRL Distributeion Point */
|
|
|
|
/*
|
|
* defined the types of CRL Distribution points
|
|
*/
|
|
typedef enum DistributionPointTypesEnum {
|
|
generalName = 1, /* only support this for now */
|
|
relativeDistinguishedName = 2
|
|
} DistributionPointTypes;
|
|
|
|
struct CRLDistributionPointStr {
|
|
DistributionPointTypes distPointType;
|
|
union {
|
|
CERTGeneralName *fullName;
|
|
CERTRDN relativeName;
|
|
} distPoint;
|
|
SECItem reasons;
|
|
CERTGeneralName *crlIssuer;
|
|
|
|
/* Reserved for internal use only*/
|
|
SECItem derDistPoint;
|
|
SECItem derRelativeName;
|
|
SECItem **derCrlIssuer;
|
|
SECItem **derFullName;
|
|
SECItem bitsmap;
|
|
};
|
|
|
|
struct CERTCrlDistributionPointsStr {
|
|
CRLDistributionPoint **distPoints;
|
|
};
|
|
|
|
/*
|
|
* This structure is used to keep a log of errors when verifying
|
|
* a cert chain. This allows multiple errors to be reported all at
|
|
* once.
|
|
*/
|
|
struct CERTVerifyLogNodeStr {
|
|
CERTCertificate *cert; /* what cert had the error */
|
|
long error; /* what error was it? */
|
|
unsigned int depth; /* how far up the chain are we */
|
|
void *arg; /* error specific argument */
|
|
struct CERTVerifyLogNodeStr *next; /* next in the list */
|
|
struct CERTVerifyLogNodeStr *prev; /* next in the list */
|
|
};
|
|
|
|
|
|
struct CERTVerifyLogStr {
|
|
PRArenaPool *arena;
|
|
unsigned int count;
|
|
struct CERTVerifyLogNodeStr *head;
|
|
struct CERTVerifyLogNodeStr *tail;
|
|
};
|
|
|
|
|
|
struct CERTOKDomainNameStr {
|
|
CERTOKDomainName *next;
|
|
char name[1]; /* actual length may be longer. */
|
|
};
|
|
|
|
|
|
typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
|
|
CERTCertificate *cert,
|
|
int64 time,
|
|
void *pwArg);
|
|
|
|
typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
|
|
|
|
struct CERTStatusConfigStr {
|
|
CERTStatusChecker statusChecker; /* NULL means no checking enabled */
|
|
CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
|
|
void *statusContext; /* cx specific to checking protocol */
|
|
};
|
|
|
|
struct CERTAuthInfoAccessStr {
|
|
SECItem method;
|
|
SECItem derLocation;
|
|
CERTGeneralName *location; /* decoded location */
|
|
};
|
|
|
|
|
|
/* This is the typedef for the callback passed to CERT_OpenCertDB() */
|
|
/* callback to return database name based on version number */
|
|
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
|
|
|
|
/*
|
|
* types of cert packages that we can decode
|
|
*/
|
|
typedef enum CERTPackageTypeEnum {
|
|
certPackageNone = 0,
|
|
certPackageCert = 1,
|
|
certPackagePKCS7 = 2,
|
|
certPackageNSCertSeq = 3,
|
|
certPackageNSCertWrap = 4
|
|
} CERTPackageType;
|
|
|
|
/*
|
|
* these types are for the PKIX Certificate Policies extension
|
|
*/
|
|
typedef struct {
|
|
SECOidTag oid;
|
|
SECItem qualifierID;
|
|
SECItem qualifierValue;
|
|
} CERTPolicyQualifier;
|
|
|
|
typedef struct {
|
|
SECOidTag oid;
|
|
SECItem policyID;
|
|
CERTPolicyQualifier **policyQualifiers;
|
|
} CERTPolicyInfo;
|
|
|
|
typedef struct {
|
|
PRArenaPool *arena;
|
|
CERTPolicyInfo **policyInfos;
|
|
} CERTCertificatePolicies;
|
|
|
|
typedef struct {
|
|
SECItem organization;
|
|
SECItem **noticeNumbers;
|
|
} CERTNoticeReference;
|
|
|
|
typedef struct {
|
|
PRArenaPool *arena;
|
|
CERTNoticeReference noticeReference;
|
|
SECItem derNoticeReference;
|
|
SECItem displayText;
|
|
} CERTUserNotice;
|
|
|
|
typedef struct {
|
|
PRArenaPool *arena;
|
|
SECItem **oids;
|
|
} CERTOidSequence;
|
|
|
|
|
|
/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
|
|
|
|
#include "secasn1t.h" /* way down here because I expect template stuff to
|
|
* move out of here anyway */
|
|
|
|
SEC_BEGIN_PROTOS
|
|
|
|
extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
|
|
extern const SEC_ASN1Template CERT_CertificateTemplate[];
|
|
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
|
|
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
|
|
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
|
|
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
|
|
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
|
|
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
|
|
extern const SEC_ASN1Template CERT_ValidityTemplate[];
|
|
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
|
|
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
|
|
|
|
extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
|
|
extern const SEC_ASN1Template CERT_NameTemplate[];
|
|
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
|
|
extern const SEC_ASN1Template CERT_RDNTemplate[];
|
|
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
|
|
extern const SEC_ASN1Template CERT_CrlTemplate[];
|
|
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
|
|
|
|
/*
|
|
** XXX should the attribute stuff be centralized for all of ns/security?
|
|
*/
|
|
extern const SEC_ASN1Template CERT_AttributeTemplate[];
|
|
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
|
|
|
|
/* These functions simply return the address of the above-declared templates.
|
|
** This is necessary for Windows DLLs. Sigh.
|
|
*/
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
|
|
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
|
|
|
|
SEC_END_PROTOS
|
|
|
|
#endif /* _CERTT_H_ */
|