certt.h source code [include/nss/certt.h]

1	/ This Source Code Form is subject to the terms of the Mozilla Public*
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4	/*
5	* certt.h - public data structures for the certificate library
6	*/
7	#ifndef _CERTT_H_
8	#define _CERTT_H_
9
10	#include "prclist.h"
11	#include "pkcs11t.h"
12	#include "seccomon.h"
13	#include "secmodt.h"
14	#include "secoidt.h"
15	#include "plarena.h"
16	#include "prcvar.h"
17	#include "nssilock.h"
18	#include "prio.h"
19	#include "prmon.h"
20
21	/ Stan data types /
22	struct NSSCertificateStr;
23	struct NSSTrustDomainStr;
24
25	/ Non-opaque objects /
26	typedef struct CERTAVAStr CERTAVA;
27	typedef struct CERTAttributeStr CERTAttribute;
28	typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
29	typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
30	typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
31	typedef struct NSSTrustDomainStr CERTCertDBHandle;
32	typedef struct CERTCertExtensionStr CERTCertExtension;
33	typedef struct CERTCertKeyStr CERTCertKey;
34	typedef struct CERTCertListStr CERTCertList;
35	typedef struct CERTCertListNodeStr CERTCertListNode;
36	typedef struct CERTCertNicknamesStr CERTCertNicknames;
37	typedef struct CERTCertTrustStr CERTCertTrust;
38	typedef struct CERTCertDistrustStr CERTCertDistrust;
39	typedef struct CERTCertificateStr CERTCertificate;
40	typedef struct CERTCertificateListStr CERTCertificateList;
41	typedef struct CERTCertificateRequestStr CERTCertificateRequest;
42	typedef struct CERTCrlStr CERTCrl;
43	typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
44	typedef struct CERTCrlEntryStr CERTCrlEntry;
45	typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
46	typedef struct CERTCrlKeyStr CERTCrlKey;
47	typedef struct CERTCrlNodeStr CERTCrlNode;
48	typedef struct CERTDERCertsStr CERTDERCerts;
49	typedef struct CERTDistNamesStr CERTDistNames;
50	typedef struct CERTGeneralNameStr CERTGeneralName;
51	typedef struct CERTGeneralNameListStr CERTGeneralNameList;
52	typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
53	typedef struct CERTNameStr CERTName;
54	typedef struct CERTNameConstraintStr CERTNameConstraint;
55	typedef struct CERTNameConstraintsStr CERTNameConstraints;
56	typedef struct CERTOKDomainNameStr CERTOKDomainName;
57	typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
58	typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
59	typedef struct CERTRDNStr CERTRDN;
60	typedef struct CERTSignedCrlStr CERTSignedCrl;
61	typedef struct CERTSignedDataStr CERTSignedData;
62	typedef struct CERTStatusConfigStr CERTStatusConfig;
63	typedef struct CERTSubjectListStr CERTSubjectList;
64	typedef struct CERTSubjectNodeStr CERTSubjectNode;
65	typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
66	typedef struct CERTValidityStr CERTValidity;
67	typedef struct CERTVerifyLogStr CERTVerifyLog;
68	typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
69	typedef struct CRLDistributionPointStr CRLDistributionPoint;
70
71	/ CRL extensions type /
72	typedef unsigned long CERTCrlNumber;
73
74	/*
75	** An X.500 AVA object
76	*/
77	struct CERTAVAStr {
78	SECItem type;
79	SECItem value;
80	};
81
82	/*
83	** An X.500 RDN object
84	*/
85	struct CERTRDNStr {
86	CERTAVA **avas;
87	};
88
89	/*
90	** An X.500 name object
91	*/
92	struct CERTNameStr {
93	PLArenaPool *arena;
94	CERTRDN **rdns;
95	};
96
97	/*
98	** An X.509 validity object
99	*/
100	struct CERTValidityStr {
101	PLArenaPool *arena;
102	SECItem notBefore;
103	SECItem notAfter;
104	};
105
106	/*
107	* A serial number and issuer name, which is used as a database key
108	*/
109	struct CERTCertKeyStr {
110	SECItem serialNumber;
111	SECItem derIssuer;
112	};
113
114	/*
115	** A signed data object. Used to implement the "signed" macro used
116	** in the X.500 specs.
117	*/
118	struct CERTSignedDataStr {
119	SECItem data;
120	SECAlgorithmID signatureAlgorithm;
121	SECItem signature;
122	};
123
124	/*
125	** An X.509 subject-public-key-info object
126	*/
127	struct CERTSubjectPublicKeyInfoStr {
128	PLArenaPool *arena;
129	SECAlgorithmID algorithm;
130	SECItem subjectPublicKey;
131	};
132
133	struct CERTPublicKeyAndChallengeStr {
134	SECItem spki;
135	SECItem challenge;
136	};
137
138	struct CERTCertTrustStr {
139	unsigned int sslFlags;
140	unsigned int emailFlags;
141	unsigned int objectSigningFlags;
142	};
143
144	/*
145	* Distrust dates for specific certificate usages.
146	* These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
147	* compatible with the format of certdata.txt, other date fields in certs and
148	* existing functions to read these dates. Clients should check the distrust
149	* date in certificates to avoid trusting a CA for service they have ceased to
150	* support */
151	struct CERTCertDistrustStr {
152	SECItem serverDistrustAfter;
153	SECItem emailDistrustAfter;
154	};
155
156	/*
157	* defined the types of trust that exist
158	*/
159	typedef enum SECTrustTypeEnum {
160	trustSSL = `0`,
161	trustEmail = `1`,
162	trustObjectSigning = `2`,
163	trustTypeNone = `3`
164	} SECTrustType;
165
166	#define SEC_GET_TRUST_FLAGS(trust, type) \
167	(((type) == trustSSL) \
168	? ((trust)->sslFlags) \
169	: (((type) == trustEmail) ? ((trust)->emailFlags) \
170	: (((type) == trustObjectSigning) \
171	? ((trust)->objectSigningFlags) \
172	: 0)))
173
174	/*
175	** An X.509.3 certificate extension
176	*/
177	struct CERTCertExtensionStr {
178	SECItem id;
179	SECItem critical;
180	SECItem value;
181	};
182
183	struct CERTSubjectNodeStr {
184	struct CERTSubjectNodeStr *next;
185	struct CERTSubjectNodeStr *prev;
186	SECItem certKey;
187	SECItem keyID;
188	};
189
190	struct CERTSubjectListStr {
191	PLArenaPool *arena;
192	int ncerts;
193	char *emailAddr;
194	CERTSubjectNode *head;
195	CERTSubjectNode tail; /* do we need tail? /
196	void *entry;
197	};
198
199	/*
200	** An X.509 certificate object (the unsigned form)
201	*/
202	struct CERTCertificateStr {
203	/ the arena is used to allocate any data structures that have the same*
204	* lifetime as the cert. This is all stuff that hangs off of the cert
205	* structure, and is all freed at the same time. It is used when the
206	* cert is decoded, destroyed, and at some times when it changes
207	* state
208	*/
209	PLArenaPool *arena;
210
211	/ The following fields are static after the cert has been decoded /
212	char *subjectName;
213	char *issuerName;
214	CERTSignedData signatureWrap; / XXX /
215	SECItem derCert; / original DER for the cert /
216	SECItem derIssuer; / DER for issuer name /
217	SECItem derSubject; / DER for subject name /
218	SECItem derPublicKey; / DER for the public key /
219	SECItem certKey; / database key for this cert /
220	SECItem version;
221	SECItem serialNumber;
222	SECAlgorithmID signature;
223	CERTName issuer;
224	CERTValidity validity;
225	CERTName subject;
226	CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
227	SECItem issuerID;
228	SECItem subjectID;
229	CERTCertExtension **extensions;
230	char *emailAddr;
231	CERTCertDBHandle *dbhandle;
232	SECItem subjectKeyID; / x509v3 subject key identifier /
233	PRBool keyIDGenerated; / was the keyid generated? /
234	unsigned int keyUsage; / what uses are allowed for this cert /
235	unsigned int rawKeyUsage; / value of the key usage extension /
236	PRBool keyUsagePresent; / was the key usage extension present /
237	PRUint32 nsCertType; / value of the ns cert type extension /
238	/ must be 32-bit for PR_ATOMIC_SET /
239
240	/ these values can be set by the application to bypass certain checks*
241	* or to keep the cert in memory for an entire session.
242	* XXX - need an api to set these
243	*/
244	PRBool keepSession; / keep this cert for entire session/
245	PRBool timeOK; / is the bad validity time ok? /
246	CERTOKDomainName domainOK; /* these domain names are ok /
247
248	/*
249	* these values can change when the cert changes state. These state
250	* changes include transitions from temp to perm or vice-versa, and
251	* changes of trust flags
252	*/
253	PRBool isperm;
254	PRBool istemp;
255	char *nickname;
256	char *dbnickname;
257	struct NSSCertificateStr nssCertificate; /* This is Stan stuff. /
258	CERTCertTrust *trust;
259
260	/ the reference count is modified whenever someone looks up, dups*
261	* or destroys a certificate
262	*/
263	int referenceCount;
264
265	/ The subject list is a list of all certs with the same subject name.*
266	* It can be modified any time a cert is added or deleted from either
267	* the in-memory(temporary) or on-disk(permanent) database.
268	*/
269	CERTSubjectList *subjectList;
270
271	/ these belong in the static section, but are here to maintain*
272	* the structure's integrity
273	*/
274	CERTAuthKeyID authKeyID; /* x509v3 authority key identifier /
275	PRBool isRoot; / cert is the end of a chain /
276
277	/ these fields are used by client GUI code to keep track of ssl sockets*
278	* that are blocked waiting on GUI feedback related to this cert.
279	* XXX - these should be moved into some sort of application specific
280	* data structure. They are only used by the browser right now.
281	*/
282	union {
283	void apointer; /* was struct SECSocketNode* authsocketlist /
284	struct {
285	unsigned int hasUnsupportedCriticalExt : `1`;
286	/ add any new option bits needed here /
287	} bits;
288	} options;
289	int series; / was int authsocketcount; record the series of the pkcs11ID /
290
291	/ This is PKCS #11 stuff. /
292	PK11SlotInfo slot; /if this cert came of a token, which is it/*
293	CK_OBJECT_HANDLE pkcs11ID; /and which object on that token is it /
294	PRBool ownSlot; /true if the cert owns the slot reference /
295	/ These fields are used in nssckbi/builtins CAs. /
296	CERTCertDistrust *distrust;
297	};
298	#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
299	#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
300	#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
301
302	#define SEC_CRL_VERSION_1 0 /* default */
303	#define SEC_CRL_VERSION_2 1 /* v2 extensions */
304
305	/*
306	* used to identify class of cert in mime stream code
307	*/
308	#define SEC_CERT_CLASS_CA 1
309	#define SEC_CERT_CLASS_SERVER 2
310	#define SEC_CERT_CLASS_USER 3
311	#define SEC_CERT_CLASS_EMAIL 4
312
313	struct CERTDERCertsStr {
314	PLArenaPool *arena;
315	int numcerts;
316	SECItem *rawCerts;
317	};
318
319	/*
320	** A PKCS ? Attribute
321	** XXX this is duplicated through out the code, it should be moved
322	** to a central location. Where would be appropriate?
323	*/
324	struct CERTAttributeStr {
325	SECItem attrType;
326	SECItem **attrValue;
327	};
328
329	/*
330	** A PKCS#10 certificate-request object (the unsigned form)
331	*/
332	struct CERTCertificateRequestStr {
333	PLArenaPool *arena;
334	SECItem version;
335	CERTName subject;
336	CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
337	CERTAttribute **attributes;
338	};
339	#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we create */
340
341	/*
342	** A certificate list object.
343	*/
344	struct CERTCertificateListStr {
345	SECItem *certs;
346	int len; / number of certs /
347	PLArenaPool *arena;
348	};
349
350	struct CERTCertListNodeStr {
351	PRCList links;
352	CERTCertificate *cert;
353	void *appData;
354	};
355
356	struct CERTCertListStr {
357	PRCList list;
358	PLArenaPool *arena;
359	};
360
361	#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
362	#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
363	#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
364	#define CERT_LIST_END(n, l) (((void )n) == ((void )&l->list))
365	#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
366
367	struct CERTCrlEntryStr {
368	SECItem serialNumber;
369	SECItem revocationDate;
370	CERTCertExtension **extensions;
371	};
372
373	struct CERTCrlStr {
374	PLArenaPool *arena;
375	SECItem version;
376	SECAlgorithmID signatureAlg;
377	SECItem derName;
378	CERTName name;
379	SECItem lastUpdate;
380	SECItem nextUpdate; / optional for x.509 CRL /
381	CERTCrlEntry **entries;
382	CERTCertExtension **extensions;
383	/ can't add anything there for binary backwards compatibility reasons /
384	};
385
386	struct CERTCrlKeyStr {
387	SECItem derName;
388	SECItem dummy; / The decoder can not skip a primitive,*
389	this serves as a place holder for the
390	decoder to finish its task only
391	*/
392	};
393
394	struct CERTSignedCrlStr {
395	PLArenaPool *arena;
396	CERTCrl crl;
397	void *reserved1;
398	PRBool reserved2;
399	PRBool isperm;
400	PRBool istemp;
401	int referenceCount;
402	CERTCertDBHandle *dbhandle;
403	CERTSignedData signatureWrap; / XXX /
404	char *url;
405	SECItem *derCrl;
406	PK11SlotInfo *slot;
407	CK_OBJECT_HANDLE pkcs11ID;
408	void opaque; /* do not touch /
409	};
410
411	struct CERTCrlHeadNodeStr {
412	PLArenaPool *arena;
413	CERTCertDBHandle *dbhandle;
414	CERTCrlNode *first;
415	CERTCrlNode *last;
416	};
417
418	struct CERTCrlNodeStr {
419	CERTCrlNode *next;
420	int type;
421	CERTSignedCrl *crl;
422	};
423
424	/*
425	* Array of X.500 Distinguished Names
426	*/
427	struct CERTDistNamesStr {
428	PLArenaPool *arena;
429	int nnames;
430	SECItem *names;
431	void head; /* private /
432	};
433
434	/*
435	* NS_CERT_TYPE defines are used in two areas:
436	* 1) The old NSS Cert Type Extension, which is a certificate extension in the
437	* actual cert. It was created before the x509 Extended Key Usage Extension,
438	* which has now taken over it's function. This field is only 8 bits wide
439	* 2) The nsCertType entry in the CERTCertificate structure. This field is
440	* 32 bits wide.
441	* Any entries in this table greater than 0x80 will not be able to be encoded
442	* in an NSS Cert Type Extension, but can still be represented internally in
443	* the nsCertType field.
444	*/
445	#define NS_CERT_TYPE_IPSEC_CA (0x200) /* outside the NS Cert Type Extenstion */
446	#define NS_CERT_TYPE_IPSEC (0x100) /* outside the NS Cert Type Extenstion */
447	#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
448	#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
449	#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
450	#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
451	#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
452	#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
453	#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
454	#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
455
456	#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
457	#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
458
459	#define NS_CERT_TYPE_APP \
460	(NS_CERT_TYPE_SSL_CLIENT \| NS_CERT_TYPE_SSL_SERVER \| NS_CERT_TYPE_EMAIL \| \
461	NS_CERT_TYPE_IPSEC \| NS_CERT_TYPE_OBJECT_SIGNING)
462
463	#define NS_CERT_TYPE_CA \
464	(NS_CERT_TYPE_SSL_CA \| NS_CERT_TYPE_EMAIL_CA \| \
465	NS_CERT_TYPE_OBJECT_SIGNING_CA \| EXT_KEY_USAGE_STATUS_RESPONDER \| \
466	NS_CERT_TYPE_IPSEC_CA)
467	typedef enum SECCertUsageEnum {
468	certUsageSSLClient = `0`,
469	certUsageSSLServer = `1`,
470	certUsageSSLServerWithStepUp = `2`,
471	certUsageSSLCA = `3`,
472	certUsageEmailSigner = `4`,
473	certUsageEmailRecipient = `5`,
474	certUsageObjectSigner = `6`,
475	certUsageUserCertImport = `7`,
476	certUsageVerifyCA = `8`,
477	certUsageProtectedObjectSigner = `9`,
478	certUsageStatusResponder = `10`,
479	certUsageAnyCA = `11`,
480	certUsageIPsec = `12`
481	} SECCertUsage;
482
483	typedef PRInt64 SECCertificateUsage;
484
485	#define certificateUsageCheckAllUsages (0x0000)
486	#define certificateUsageSSLClient (0x0001)
487	#define certificateUsageSSLServer (0x0002)
488	#define certificateUsageSSLServerWithStepUp (0x0004)
489	#define certificateUsageSSLCA (0x0008)
490	#define certificateUsageEmailSigner (0x0010)
491	#define certificateUsageEmailRecipient (0x0020)
492	#define certificateUsageObjectSigner (0x0040)
493	#define certificateUsageUserCertImport (0x0080)
494	#define certificateUsageVerifyCA (0x0100)
495	#define certificateUsageProtectedObjectSigner (0x0200)
496	#define certificateUsageStatusResponder (0x0400)
497	#define certificateUsageAnyCA (0x0800)
498	#define certificateUsageIPsec (0x1000)
499
500	#define certificateUsageHighest certificateUsageIPsec
501
502	/*
503	* Does the cert belong to the user, a peer, or a CA.
504	*/
505	typedef enum CERTCertOwnerEnum {
506	certOwnerUser = `0`,
507	certOwnerPeer = `1`,
508	certOwnerCA = `2`
509	} CERTCertOwner;
510
511	/*
512	* This enum represents the state of validity times of a certificate
513	*/
514	typedef enum SECCertTimeValidityEnum {
515	secCertTimeValid = `0`,
516	secCertTimeExpired = `1`,
517	secCertTimeNotValidYet = `2`,
518	secCertTimeUndetermined = `3` / validity could not be decoded from the*
519	cert, most likely because it was NULL /*
520	} SECCertTimeValidity;
521
522	/*
523	* This is used as return status in functions that compare the validity
524	* periods of two certificates A and B, currently only
525	* CERT_CompareValidityTimes.
526	*/
527
528	typedef enum CERTCompareValidityStatusEnum {
529	certValidityUndetermined = `0`, / the function is unable to select one cert*
530	over another /*
531	certValidityChooseB = `1`, / cert B should be preferred /
532	certValidityEqual = `2`, / both certs have the same validity period /
533	certValidityChooseA = `3` / cert A should be preferred /
534	} CERTCompareValidityStatus;
535
536	/*
537	* Interface for getting certificate nickname strings out of the database
538	*/
539
540	/ these are values for the what argument below /
541	#define SEC_CERT_NICKNAMES_ALL 1
542	#define SEC_CERT_NICKNAMES_USER 2
543	#define SEC_CERT_NICKNAMES_SERVER 3
544	#define SEC_CERT_NICKNAMES_CA 4
545
546	struct CERTCertNicknamesStr {
547	PLArenaPool *arena;
548	void *head;
549	int numnicknames;
550	char **nicknames;
551	int what;
552	int totallen;
553	};
554
555	struct CERTIssuerAndSNStr {
556	SECItem derIssuer;
557	CERTName issuer;
558	SECItem serialNumber;
559	};
560
561	/ X.509 v3 Key Usage Extension flags /
562	#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
563	#define KU_NON_REPUDIATION (0x40) /* bit 1 */
564	#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
565	#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
566	#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
567	#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
568	#define KU_CRL_SIGN (0x02) /* bit 6 */
569	#define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
570	#define KU_ALL \
571	(KU_DIGITAL_SIGNATURE \| KU_NON_REPUDIATION \| KU_KEY_ENCIPHERMENT \| \
572	KU_DATA_ENCIPHERMENT \| KU_KEY_AGREEMENT \| KU_KEY_CERT_SIGN \| \
573	KU_CRL_SIGN \| KU_ENCIPHER_ONLY)
574
575	/ This value will not occur in certs. It is used internally for the case*
576	* when either digital signature or non-repudiation is the correct value.
577	*/
578	#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
579
580	/ This value will not occur in certs. It is used internally for the case*
581	* when the key type is not know ahead of time and either key agreement or
582	* key encipherment are the correct value based on key type
583	*/
584	#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
585
586	/ internal bits that do not match bits in the x509v3 spec, but are used*
587	* for similar purposes
588	*/
589	#define KU_NS_GOVT_APPROVED (0x8000) /don't make part of KU_ALL!/
590	/*
591	* x.509 v3 Basic Constraints Extension
592	* If isCA is false, the pathLenConstraint is ignored.
593	* Otherwise, the following pathLenConstraint values will apply:
594	* < 0 - there is no limit to the certificate path
595	* 0 - CA can issues end-entity certificates only
596	* > 0 - the number of certificates in the certificate path is
597	* limited to this number
598	*/
599	#define CERT_UNLIMITED_PATH_CONSTRAINT -2
600
601	struct CERTBasicConstraintsStr {
602	PRBool isCA; / on if is CA /
603	int pathLenConstraint; / maximum number of certificates that can be*
604	in the cert path. Only applies to a CA
605	certificate; otherwise, it's ignored.
606	*/
607	};
608
609	/ Maximum length of a certificate chain /
610	#define CERT_MAX_CERT_CHAIN 20
611
612	#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
613	#define CERT_MAX_DN_BYTES 4096 /* arbitrary */
614
615	/ x.509 v3 Reason Flags, used in CRLDistributionPoint Extension /
616	#define RF_UNUSED (0x80) /* bit 0 */
617	#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
618	#define RF_CA_COMPROMISE (0x20) /* bit 2 */
619	#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
620	#define RF_SUPERSEDED (0x08) /* bit 4 */
621	#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
622	#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
623
624	/ enum for CRL Entry Reason Code /
625	typedef enum CERTCRLEntryReasonCodeEnum {
626	crlEntryReasonUnspecified = `0`,
627	crlEntryReasonKeyCompromise = `1`,
628	crlEntryReasonCaCompromise = `2`,
629	crlEntryReasonAffiliationChanged = `3`,
630	crlEntryReasonSuperseded = `4`,
631	crlEntryReasonCessationOfOperation = `5`,
632	crlEntryReasoncertificatedHold = `6`,
633	crlEntryReasonRemoveFromCRL = `8`,
634	crlEntryReasonPrivilegeWithdrawn = `9`,
635	crlEntryReasonAaCompromise = `10`
636	} CERTCRLEntryReasonCode;
637
638	/ If we needed to extract the general name field, use this /
639	/ General Name types /
640	typedef enum CERTGeneralNameTypeEnum {
641	certOtherName = `1`,
642	certRFC822Name = `2`,
643	certDNSName = `3`,
644	certX400Address = `4`,
645	certDirectoryName = `5`,
646	certEDIPartyName = `6`,
647	certURI = `7`,
648	certIPAddress = `8`,
649	certRegisterID = `9`
650	} CERTGeneralNameType;
651
652	typedef struct OtherNameStr {
653	SECItem name;
654	SECItem oid;
655	} OtherName;
656
657	struct CERTGeneralNameStr {
658	CERTGeneralNameType type; / name type /
659	union {
660	CERTName directoryName; / distinguish name /
661	OtherName OthName; / Other Name /
662	SECItem other; / the rest of the name forms /
663	} name;
664	SECItem derDirectoryName; / this is saved to simplify directory name*
665	comparison /*
666	PRCList l;
667	};
668
669	struct CERTGeneralNameListStr {
670	PLArenaPool *arena;
671	CERTGeneralName *name;
672	int refCount;
673	int len;
674	PZLock *lock;
675	};
676
677	struct CERTNameConstraintStr {
678	CERTGeneralName name;
679	SECItem DERName;
680	SECItem min;
681	SECItem max;
682	PRCList l;
683	};
684
685	struct CERTNameConstraintsStr {
686	CERTNameConstraint *permited;
687	CERTNameConstraint *excluded;
688	SECItem **DERPermited;
689	SECItem **DERExcluded;
690	};
691
692	/ Private Key Usage Period extension struct. /
693	struct CERTPrivKeyUsagePeriodStr {
694	SECItem notBefore;
695	SECItem notAfter;
696	PLArenaPool *arena;
697	};
698
699	/ X.509 v3 Authority Key Identifier extension. For the authority certificate*
700	issuer field, we only support URI now.
701	*/
702	struct CERTAuthKeyIDStr {
703	SECItem keyID; / unique key identifier /
704	CERTGeneralName authCertIssuer; /* CA's issuer name. End with a NULL /
705	SECItem authCertSerialNumber; / CA's certificate serial number /
706	SECItem *DERAuthCertIssuer; /* This holds the DER encoded format of*
707	the authCertIssuer field. It is used
708	by the encoding engine. It should be
709	used as a read only field by the caller.
710	*/
711	};
712
713	/ x.509 v3 CRL Distributeion Point /
714
715	/*
716	* defined the types of CRL Distribution points
717	*/
718	typedef enum DistributionPointTypesEnum {
719	generalName = `1`, / only support this for now /
720	relativeDistinguishedName = `2`
721	} DistributionPointTypes;
722
723	struct CRLDistributionPointStr {
724	DistributionPointTypes distPointType;
725	union {
726	CERTGeneralName *fullName;
727	CERTRDN relativeName;
728	} distPoint;
729	SECItem reasons;
730	CERTGeneralName *crlIssuer;
731
732	/ Reserved for internal use only/
733	SECItem derDistPoint;
734	SECItem derRelativeName;
735	SECItem **derCrlIssuer;
736	SECItem **derFullName;
737	SECItem bitsmap;
738	};
739
740	struct CERTCrlDistributionPointsStr {
741	CRLDistributionPoint **distPoints;
742	};
743
744	/*
745	* This structure is used to keep a log of errors when verifying
746	* a cert chain. This allows multiple errors to be reported all at
747	* once.
748	*/
749	struct CERTVerifyLogNodeStr {
750	CERTCertificate cert; /* what cert had the error /
751	long error; / what error was it? /
752	unsigned int depth; / how far up the chain are we /
753	void arg; /* error specific argument /
754	struct CERTVerifyLogNodeStr next; /* next in the list /
755	struct CERTVerifyLogNodeStr prev; /* next in the list /
756	};
757
758	struct CERTVerifyLogStr {
759	PLArenaPool *arena;
760	unsigned int count;
761	struct CERTVerifyLogNodeStr *head;
762	struct CERTVerifyLogNodeStr *tail;
763	};
764
765	struct CERTOKDomainNameStr {
766	CERTOKDomainName *next;
767	char *name;
768	};
769
770	typedef SECStatus(PR_CALLBACK CERTStatusChecker)(CERTCertDBHandle handle,
771	CERTCertificate *cert,
772	PRTime time, void *pwArg);
773
774	typedef SECStatus(PR_CALLBACK CERTStatusDestroy)(CERTStatusConfig handle);
775
776	struct CERTStatusConfigStr {
777	CERTStatusChecker statusChecker; / NULL means no checking enabled /
778	CERTStatusDestroy statusDestroy; / enabled or no, will clean up /
779	void statusContext; /* cx specific to checking protocol /
780	};
781
782	struct CERTAuthInfoAccessStr {
783	SECItem method;
784	SECItem derLocation;
785	CERTGeneralName location; /* decoded location /
786	};
787
788	/ This is the typedef for the callback passed to CERT_OpenCertDB() /
789	/ callback to return database name based on version number /
790	typedef char (CERTDBNameFunc)(void arg, int* dbVersion);
791
792	/*
793	* types of cert packages that we can decode
794	*/
795	typedef enum CERTPackageTypeEnum {
796	certPackageNone = `0`,
797	certPackageCert = `1`,
798	certPackagePKCS7 = `2`,
799	certPackageNSCertSeq = `3`,
800	certPackageNSCertWrap = `4`
801	} CERTPackageType;
802
803	/*
804	* these types are for the PKIX Certificate Policies extension
805	*/
806	typedef struct {
807	SECOidTag oid;
808	SECItem qualifierID;
809	SECItem qualifierValue;
810	} CERTPolicyQualifier;
811
812	typedef struct {
813	SECOidTag oid;
814	SECItem policyID;
815	CERTPolicyQualifier **policyQualifiers;
816	} CERTPolicyInfo;
817
818	typedef struct {
819	PLArenaPool *arena;
820	CERTPolicyInfo **policyInfos;
821	} CERTCertificatePolicies;
822
823	typedef struct {
824	SECItem organization;
825	SECItem **noticeNumbers;
826	} CERTNoticeReference;
827
828	typedef struct {
829	PLArenaPool *arena;
830	CERTNoticeReference noticeReference;
831	SECItem derNoticeReference;
832	SECItem displayText;
833	} CERTUserNotice;
834
835	typedef struct {
836	PLArenaPool *arena;
837	SECItem **oids;
838	} CERTOidSequence;
839
840	/*
841	* these types are for the PKIX Policy Mappings extension
842	*/
843	typedef struct {
844	SECItem issuerDomainPolicy;
845	SECItem subjectDomainPolicy;
846	} CERTPolicyMap;
847
848	typedef struct {
849	PLArenaPool *arena;
850	CERTPolicyMap **policyMaps;
851	} CERTCertificatePolicyMappings;
852
853	/*
854	* these types are for the PKIX inhibitAnyPolicy extension
855	*/
856	typedef struct {
857	SECItem inhibitAnySkipCerts;
858	} CERTCertificateInhibitAny;
859
860	/*
861	* these types are for the PKIX Policy Constraints extension
862	*/
863	typedef struct {
864	SECItem explicitPolicySkipCerts;
865	SECItem inhibitMappingSkipCerts;
866	} CERTCertificatePolicyConstraints;
867
868	/*
869	* These types are for the validate chain callback param.
870	*
871	* CERTChainVerifyCallback is an application-supplied callback that can be used
872	* to augment libpkix's certificate chain validation with additional
873	* application-specific checks. It may be called multiple times if there are
874	* multiple potentially-valid paths for the certificate being validated. This
875	* callback is called before revocation checking is done on the certificates in
876	* the given chain.
877	*
878	* - isValidChainArg contains the application-provided opaque argument
879	* - currentChain is the currently validated chain. It is ordered with the leaf
880	* certificate at the head and the trust anchor at the tail.
881	*
882	* The callback should set *chainOK = PR_TRUE and return SECSuccess if the
883	* certificate chain is acceptable. It should set *chainOK = PR_FALSE and
884	* return SECSuccess if the chain is unacceptable, to indicate that the given
885	* chain is bad and path building should continue. It should return SECFailure
886	* to indicate an fatal error that will cause path validation to fail
887	* immediately.
888	*/
889	typedef SECStatus (*CERTChainVerifyCallbackFunc)(
890	void isChainValidArg, const* CERTCertList currentChain, PRBool chainOK);
891
892	/*
893	* Note: If extending this structure, it will be necessary to change the
894	* associated CERTValParamInType
895	*/
896	typedef struct {
897	CERTChainVerifyCallbackFunc isChainValid;
898	void *isChainValidArg;
899	} CERTChainVerifyCallback;
900
901	/*
902	* these types are for the CERT_PKIX* Verification functions
903	* These are all optional parameters.
904	*/
905
906	typedef enum {
907	cert_pi_end = `0`, / SPECIAL: signifies end of array of*
908	* CERTValParam* */
909	cert_pi_nbioContext = `1`, / specify a non-blocking IO context used to*
910	* resume a session. If this argument is
911	* specified, no other arguments should be.
912	* Specified in value.pointer.p. If the
913	* operation completes the context will be
914	* freed. */
915	cert_pi_nbioAbort = `2`, / specify a non-blocking IO context for an*
916	* existing operation which the caller wants
917	* to abort. If this argument is
918	* specified, no other arguments should be.
919	* Specified in value.pointer.p. If the
920	* operation succeeds the context will be
921	* freed. */
922	cert_pi_certList = `3`, / specify the chain to validate against. If*
923	* this value is given, then the path
924	* construction step in the validation is
925	* skipped. Specified in value.pointer.chain */
926	cert_pi_policyOID = `4`, / validate certificate for policy OID.*
927	* Specified in value.array.oids. Cert must
928	* be good for at least one OID in order
929	* to validate. Default is that the user is not
930	* concerned about certificate policy. */
931	cert_pi_policyFlags = `5`, / flags for each policy specified in policyOID.*
932	* Specified in value.scalar.ul. Policy flags
933	* apply to all specified oids.
934	* Use CERT_POLICY_FLAG_* macros below. If not
935	* specified policy flags default to 0 */
936	cert_pi_keyusage = `6`, / specify what the keyusages the certificate*
937	* will be evaluated against, specified in
938	* value.scalar.ui. The cert must validate for
939	* at least one of the specified key usages.
940	* Values match the KU_ bit flags defined
941	* in this file. Default is derived from
942	* the 'usages' function argument */
943	cert_pi_extendedKeyusage = `7`, / specify what the required extended key*
944	* usage of the certificate. Specified as
945	* an array of oidTags in value.array.oids.
946	* The cert must validate for at least one
947	* of the specified extended key usages.
948	* If not specified, no extended key usages
949	* will be checked. */
950	cert_pi_date = `8`, / validate certificate is valid as of date*
951	* specified in value.scalar.time. A special
952	* value '0' indicates 'now'. default is '0' */
953	cert_pi_revocationFlags = `9`, / Specify what revocation checking to do.*
954	* See CERT_REV_FLAG_* macros below
955	* Set in value.pointer.revocation */
956	cert_pi_certStores = `10`, / Bitmask of Cert Store flags (see below)*
957	* Set in value.scalar.ui */
958	cert_pi_trustAnchors =
959	`11`, / Specify the list of trusted roots to*
960	* validate against.
961	* The default set of trusted roots, these are
962	* root CA certs from libnssckbi.so or CA
963	* certs trusted by user, are used in any of
964	* the following cases:
965	* * when the parameter is not set.
966	* * when the list of trust anchors is
967	* empty.
968	* Note that this handling can be further
969	* altered by altering the
970	* cert_pi_useOnlyTrustAnchors flag
971	* Specified in value.pointer.chain */
972	cert_pi_useAIACertFetch = `12`, / Enables cert fetching using AIA extension.*
973	* In NSS 3.12.1 or later. Default is off.
974	* Value is in value.scalar.b */
975	cert_pi_chainVerifyCallback = `13`,
976	/ The callback container for doing extra*
977	* validation on the currently calculated chain.
978	* Value is in value.pointer.chainVerifyCallback */
979	cert_pi_useOnlyTrustAnchors = `14`,
980	/ If true, disables trusting any*
981	* certificates other than the ones passed in via cert_pi_trustAnchors.
982	* If false, then the certificates specified via cert_pi_trustAnchors
983	* will be combined with the pre-existing trusted roots, but only
984	* for the certificate validation being performed.
985	* If no value has been supplied via cert_pi_trustAnchors, this has
986	* no effect.
987	* The default value is true, meaning if this is not supplied, only
988	* trust anchors supplied via cert_pi_trustAnchors are trusted.
989	* Specified in value.scalar.b */
990	cert_pi_max / SPECIAL: signifies maximum allowed value,*
991	* can increase in future releases */
992	} CERTValParamInType;
993
994	/*
995	* for all out parameters:
996	* out parameters are only returned if the caller asks for them in
997	* the CERTValOutParam array. Caller is responsible for the CERTValOutParam
998	* array itself. The pkix verify function will allocate and other arrays
999	* pointers, or objects. The Caller is responsible for freeing those results.
1000	* If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
1001	*/
1002	typedef enum {
1003	cert_po_end = `0`, / SPECIAL: signifies end of array of*
1004	* CERTValParam* */
1005	cert_po_nbioContext = `1`, / Return a nonblocking context. If no*
1006	* non-blocking context is specified, then
1007	* blocking IO will be used.
1008	* Returned in value.pointer.p. The context is
1009	* freed after an abort or a complete operation.
1010	* This value is only returned on SECWouldBlock.
1011	*/
1012	cert_po_trustAnchor = `2`, / Return the trust anchor for the chain that*
1013	* was validated. Returned in
1014	* value.pointer.cert, this value is only
1015	* returned on SECSuccess. */
1016	cert_po_certList = `3`, / Return the entire chain that was validated.*
1017	* Returned in value.pointer.certList. If no
1018	* chain could be constructed, this value
1019	* would be NULL. */
1020	cert_po_policyOID = `4`, / Return the policies that were found to be*
1021	* valid. Returned in value.array.oids as an
1022	* array. This is only returned on
1023	* SECSuccess. */
1024	cert_po_errorLog = `5`, / Return a log of problems with the chain.*
1025	* Returned in value.pointer.log */
1026	cert_po_usages = `6`, / Return what usages the certificate is valid*
1027	for. Returned in value.scalar.usages /*
1028	cert_po_keyUsage = `7`, / Return what key usages the certificate*
1029	* is valid for.
1030	* Returned in value.scalar.usage */
1031	cert_po_extendedKeyusage = `8`, / Return what extended key usages the*
1032	* certificate is valid for.
1033	* Returned in value.array.oids */
1034	cert_po_max / SPECIAL: signifies maximum allowed value,*
1035	* can increase in future releases */
1036
1037	} CERTValParamOutType;
1038
1039	typedef enum {
1040	cert_revocation_method_crl = `0`,
1041	cert_revocation_method_ocsp,
1042	cert_revocation_method_count
1043	} CERTRevocationMethodIndex;
1044
1045	/*
1046	* The following flags are supposed to be used to control bits in
1047	* each integer contained in the array pointed to be:
1048	* CERTRevocationTests.cert_rev_flags_per_method
1049	* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1050	* this is a method dependent flag.
1051	*/
1052
1053	/*
1054	* Whether or not to use a method for revocation testing.
1055	* If set to "do not test", then all other flags are ignored.
1056	*/
1057	#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1058	#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1059
1060	/*
1061	* Whether or not NSS is allowed to attempt to fetch fresh information
1062	* from the network.
1063	* (Although fetching will never happen if fresh information for the
1064	* method is already locally available.)
1065	*/
1066	#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1067	#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1068
1069	/*
1070	* Example for an implicit default source:
1071	* The globally configured default OCSP responder.
1072	* IGNORE means:
1073	* ignore the implicit default source, whether it's configured or not.
1074	* ALLOW means:
1075	* if an implicit default source is configured,
1076	* then it overrides any available or missing source in the cert.
1077	* if no implicit default source is configured,
1078	* then we continue to use what's available (or not available)
1079	* in the certs.
1080	*/
1081	#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1082	#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1083
1084	/*
1085	* Defines the behavior if no fresh information is available,
1086	* fetching from the network is allowed, but the source of revocation
1087	* information is unknown (even after considering implicit sources,
1088	* if allowed by other flags).
1089	* SKIPT_TEST means:
1090	* We ignore that no fresh information is available and
1091	* skip this test.
1092	* REQUIRE_INFO means:
1093	* We still require that fresh information is available.
1094	* Other flags define what happens on missing fresh info.
1095	*/
1096	#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1097	#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1098
1099	/*
1100	* Defines the behavior if we are unable to obtain fresh information.
1101	* INGORE means:
1102	* Return "cert status unknown"
1103	* FAIL means:
1104	* Return "cert revoked".
1105	*/
1106	#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1107	#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1108
1109	/*
1110	* What should happen if we were able to find fresh information using
1111	* this method, and the data indicated the cert is good?
1112	* STOP_TESTING means:
1113	* Our success is sufficient, do not continue testing
1114	* other methods.
1115	* CONTINUE_TESTING means:
1116	* We will continue and test the next allowed
1117	* specified method.
1118	*/
1119	#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1120	#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1121
1122	/ When this flag is used, libpkix will never attempt to use the GET HTTP*
1123	* method for OCSP requests; it will always use POST.
1124	*/
1125	#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1126
1127	/*
1128	* The following flags are supposed to be used to control bits in
1129	* CERTRevocationTests.cert_rev_method_independent_flags
1130	* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1131	* this is a method independent flag.
1132	*/
1133
1134	/*
1135	* This defines the order to checking.
1136	* EACH_METHOD_SEPARATELY means:
1137	* Do all tests related to a particular allowed method
1138	* (both local information and network fetching) in a single step.
1139	* Only after testing for a particular method is done,
1140	* then switching to the next method will happen.
1141	* ALL_LOCAL_INFORMATION_FIRST means:
1142	* Start by testing the information for all allowed methods
1143	* which are already locally available. Only after that is done
1144	* consider to fetch from the network (as allowed by other flags).
1145	*/
1146	#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1147	#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1148
1149	/*
1150	* Use this flag to specify that it's necessary that fresh information
1151	* is available for at least one of the allowed methods, but it's
1152	* irrelevant which of the mechanisms succeeded.
1153	* NO_OVERALL_INFO_REQUIREMENT means:
1154	* We strictly follow the requirements for each individual method.
1155	* REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1156	* After the individual tests have been executed, we must have
1157	* been able to find fresh information using at least one method.
1158	* If we were unable to find fresh info, it's a failure.
1159	* This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1160	* flag on all methods.
1161	*/
1162	#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1163	#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1164
1165	typedef struct {
1166	/*
1167	* The size of the array that cert_rev_flags_per_method points to,
1168	* meaning, the number of methods that are known and defined
1169	* by the caller.
1170	*/
1171	PRUint32 number_of_defined_methods;
1172
1173	/*
1174	* A pointer to an array of integers.
1175	* Each integer defines revocation checking for a single method,
1176	* by having individual CERT_REV_M_* bits set or not set.
1177	* The meaning of index numbers into this array are defined by
1178	* enum CERTRevocationMethodIndex
1179	* The size of the array must be specified by the caller in the separate
1180	* variable number_of_defined_methods.
1181	* The size of the array may be smaller than
1182	* cert_revocation_method_count, it can happen if a caller
1183	* is not yet aware of the latest revocation methods
1184	* (or does not want to use them).
1185	*/
1186	PRUint64 *cert_rev_flags_per_method;
1187
1188	/*
1189	* How many preferred methods are specified?
1190	* This is equivalent to the size of the array that
1191	* preferred_methods points to.
1192	* It's allowed to set this value to zero,
1193	* then NSS will decide which methods to prefer.
1194	*/
1195	PRUint32 number_of_preferred_methods;
1196
1197	/ Array that may specify an optional order of preferred methods.*
1198	* Each array entry shall contain a method identifier as defined
1199	* by CERTRevocationMethodIndex.
1200	* The entry at index [0] specifies the method with highest preference.
1201	* These methods will be tested first for locally available information.
1202	* Methods allowed for downloading will be attempted in the same order.
1203	*/
1204	CERTRevocationMethodIndex *preferred_methods;
1205
1206	/*
1207	* An integer which defines certain aspects of revocation checking
1208	* (independent of individual methods) by having individual
1209	* CERT_REV_MI_* bits set or not set.
1210	*/
1211	PRUint64 cert_rev_method_independent_flags;
1212	} CERTRevocationTests;
1213
1214	typedef struct {
1215	CERTRevocationTests leafTests;
1216	CERTRevocationTests chainTests;
1217	} CERTRevocationFlags;
1218
1219	typedef struct CERTValParamInValueStr {
1220	union {
1221	PRBool b;
1222	PRInt32 i;
1223	PRUint32 ui;
1224	PRInt64 l;
1225	PRUint64 ul;
1226	PRTime time;
1227	} scalar;
1228	union {
1229	const void *p;
1230	const char *s;
1231	const CERTCertificate *cert;
1232	const CERTCertList *chain;
1233	const CERTRevocationFlags *revocation;
1234	const CERTChainVerifyCallback *chainVerifyCallback;
1235	} pointer;
1236	union {
1237	const PRInt32 *pi;
1238	const PRUint32 *pui;
1239	const PRInt64 *pl;
1240	const PRUint64 *pul;
1241	const SECOidTag *oids;
1242	} array;
1243	int arraySize;
1244	} CERTValParamInValue;
1245
1246	typedef struct CERTValParamOutValueStr {
1247	union {
1248	PRBool b;
1249	PRInt32 i;
1250	PRUint32 ui;
1251	PRInt64 l;
1252	PRUint64 ul;
1253	SECCertificateUsage usages;
1254	} scalar;
1255	union {
1256	void *p;
1257	char *s;
1258	CERTVerifyLog *log;
1259	CERTCertificate *cert;
1260	CERTCertList *chain;
1261	} pointer;
1262	union {
1263	void *p;
1264	SECOidTag *oids;
1265	} array;
1266	int arraySize;
1267	} CERTValParamOutValue;
1268
1269	typedef struct {
1270	CERTValParamInType type;
1271	CERTValParamInValue value;
1272	} CERTValInParam;
1273
1274	typedef struct {
1275	CERTValParamOutType type;
1276	CERTValParamOutValue value;
1277	} CERTValOutParam;
1278
1279	/*
1280	* Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1281	*/
1282	typedef enum CertStrictnessLevels {
1283	CERT_N2A_READABLE = `0`, / maximum human readability /
1284	CERT_N2A_STRICT = `10`, / strict RFC compliance /
1285	CERT_N2A_INVERTIBLE = `20` / maximum invertibility,*
1286	all DirectoryStrings encoded in hex /*
1287	} CertStrictnessLevel;
1288
1289	/*
1290	* policy flag defines
1291	*/
1292	#define CERT_POLICY_FLAG_NO_MAPPING 1
1293	#define CERT_POLICY_FLAG_EXPLICIT 2
1294	#define CERT_POLICY_FLAG_NO_ANY 4
1295
1296	/*
1297	* CertStore flags
1298	*/
1299	#define CERT_ENABLE_LDAP_FETCH 1
1300	#define CERT_ENABLE_HTTP_FETCH 2
1301
1302	/ This functin pointer type may be used for any function that takes*
1303	* a CERTCertificate * and returns an allocated string, which must be
1304	* freed by a call to PORT_Free.
1305	*/
1306	typedef char (CERT_StringFromCertFcn)(CERTCertificate *cert);
1307
1308	/ XXX Lisa thinks the template declarations belong in cert.h, not here? /
1309
1310	#include "secasn1t.h" /* way down here because I expect template stuff to
1311	* move out of here anyway */
1312
1313	SEC_BEGIN_PROTOS
1314
1315	extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1316	extern const SEC_ASN1Template CERT_CertificateTemplate[];
1317	extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1318	extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1319	extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1320	extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1321	extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1322	extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1323	extern const SEC_ASN1Template CERT_ValidityTemplate[];
1324	extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1325	extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1326
1327	extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1328	extern const SEC_ASN1Template CERT_NameTemplate[];
1329	extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1330	extern const SEC_ASN1Template CERT_RDNTemplate[];
1331	extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1332	extern const SEC_ASN1Template CERT_CrlTemplate[];
1333	extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1334
1335	/*
1336	** XXX should the attribute stuff be centralized for all of ns/security?
1337	*/
1338	extern const SEC_ASN1Template CERT_AttributeTemplate[];
1339	extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1340
1341	/ These functions simply return the address of the above-declared templates.*
1342	** This is necessary for Windows DLLs. Sigh.
1343	*/
1344	SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1345	SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1346	SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1347	SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1348	SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1349	SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1350	SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1351	SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1352	SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1353	SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1354	SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1355	SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1356
1357	SEC_END_PROTOS
1358
1359	#endif /* _CERTT_H_ */
1360

source code of include/nss/certt.h