  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is the Netscape security libraries.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Netscape Communications Corporation.
  18. * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. *
  23. * Alternatively, the contents of this file may be used under the terms of
  24. * either the GNU General Public License Version 2 or later (the "GPL"), or
  25. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26. * in which case the provisions of the GPL or the LGPL are applicable instead
  27. * of those above. If you wish to allow use of your version of this file only
  28. * under the terms of either the GPL or the LGPL, and not to allow others to
  29. * use your version of this file under the terms of the MPL, indicate your
  30. * decision by deleting the provisions above and replace them with the notice
  31. * and other provisions required by the GPL or the LGPL. If you do not delete
  32. * the provisions above, a recipient may use your version of this file under
  33. * the terms of any one of the MPL, the GPL or the LGPL.
  34. *
  35. * ***** END LICENSE BLOCK ***** */
  36. /*
  37. * certt.h - public data structures for the certificate library
  38. *
  39. * $Id: certt.h,v 1.44 2008/03/27 21:56:24 alexei.volkov.bugs%sun.com Exp $
  40. */
  41. #ifndef _CERTT_H_
  42. #define _CERTT_H_
  43. #include "prclist.h"
  44. #include "pkcs11t.h"
  45. #include "seccomon.h"
  46. #include "secmodt.h"
  47. #include "secoidt.h"
  48. #include "plarena.h"
  49. #include "prcvar.h"
  50. #include "nssilock.h"
  51. #include "prio.h"
  52. #include "prmon.h"
/* Stan data types: opaque to this header. Only pointers to them appear
 * below (CERTCertDBHandle, CERTCertificateStr.nssCertificate). */
struct NSSCertificateStr;
struct NSSTrustDomainStr;
/* Non-opaque objects. Every CERT* typedef names a struct laid out later in
 * this file. Member order appears to be part of the public ABI (see the
 * "binary backwards compatibility" note on CERTCrlStr), so treat these
 * layouts as frozen. */
typedef struct CERTAVAStr CERTAVA;
typedef struct CERTAttributeStr CERTAttribute;
typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
/* A cert DB handle is a Stan trust domain; callers never see its members. */
typedef struct NSSTrustDomainStr CERTCertDBHandle;
typedef struct CERTCertExtensionStr CERTCertExtension;
typedef struct CERTCertKeyStr CERTCertKey;
typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertListNodeStr CERTCertListNode;
typedef struct CERTCertNicknamesStr CERTCertNicknames;
typedef struct CERTCertTrustStr CERTCertTrust;
typedef struct CERTCertificateStr CERTCertificate;
typedef struct CERTCertificateListStr CERTCertificateList;
typedef struct CERTCertificateRequestStr CERTCertificateRequest;
typedef struct CERTCrlStr CERTCrl;
typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
typedef struct CERTCrlEntryStr CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
typedef struct CERTCrlKeyStr CERTCrlKey;
typedef struct CERTCrlNodeStr CERTCrlNode;
typedef struct CERTDERCertsStr CERTDERCerts;
typedef struct CERTDistNamesStr CERTDistNames;
typedef struct CERTGeneralNameStr CERTGeneralName;
typedef struct CERTGeneralNameListStr CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
typedef struct CERTNameStr CERTName;
typedef struct CERTNameConstraintStr CERTNameConstraint;
typedef struct CERTNameConstraintsStr CERTNameConstraints;
typedef struct CERTOKDomainNameStr CERTOKDomainName;
typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr CERTRDN;
typedef struct CERTSignedCrlStr CERTSignedCrl;
typedef struct CERTSignedDataStr CERTSignedData;
typedef struct CERTStatusConfigStr CERTStatusConfig;
typedef struct CERTSubjectListStr CERTSubjectList;
typedef struct CERTSubjectNodeStr CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr CERTValidity;
typedef struct CERTVerifyLogStr CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
typedef struct CRLDistributionPointStr CRLDistributionPoint;
/* CRL extensions type: the decoded value of the CRL Number extension.
 * NOTE(review): RFC 5280 5.2.3 allows CRL numbers of up to 20 octets, which
 * an unsigned long cannot hold; confirm how the decoder treats wider values
 * before relying on CRL-number comparisons for freshness. */
typedef unsigned long CERTCrlNumber;
/*
** An X.500 AVA (AttributeTypeAndValue) object: one type/value pair
** inside an RDN. `type` identifies the attribute (an OID) and `value`
** carries its value. Both are SECItems, i.e. length-delimited bytes,
** not C strings; whether they hold raw DER or decoded contents is fixed
** by the decoder, not here — confirm before interpreting them.
*/
struct CERTAVAStr {
    SECItem type;
    SECItem value;
};
/*
** An X.500 RDN object: the set of AVAs at one level of a DN. `avas` is an
** array of pointers; presumably NULL-terminated (the usual NSS convention
** for pointer arrays) — verify against the decoder before iterating.
*/
struct CERTRDNStr {
    CERTAVA **avas;
};
/*
** An X.500 name object: the ordered sequence of RDNs making up a DN.
** `arena` is the allocation pool the RDN/AVA storage hangs off; when the
** name is embedded in another object it presumably shares that object's
** arena (see CERTCertificateStr.arena). `rdns` is a pointer array,
** presumably NULL-terminated — confirm against the decoder.
*/
struct CERTNameStr {
    PRArenaPool *arena;
    CERTRDN **rdns;
};
/*
** An X.509 validity object. notBefore/notAfter are SECItems, i.e. still
** the encoded time values as written in the cert (presumably UTCTime or
** GeneralizedTime); they must be decoded before any comparison — see
** secCertTimeUndetermined for the case where that decode fails. The
** per-cert application override CERTCertificateStr.timeOK can make a cert
** outside this window acceptable, so a validity check is not the last word.
*/
struct CERTValidityStr {
    PRArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};
/*
 * A serial number and issuer name, which is used as a database key.
 * A serial number is only unique relative to its issuer, so both parts are
 * required to identify a cert; the issuer is kept as DER so matching can
 * be done on the encoded bytes.
 */
struct CERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};
/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs: `data` is the exact DER the signature covers (for a
** cert, the tbsCertificate), `signatureAlgorithm` the outer
** AlgorithmIdentifier, and `signature` the signature value.
** Verify the signature over `data` as received, never over a re-encoding
** of the decoded fields. RFC 5280 additionally requires the outer
** algorithm to equal the inner one (CERTCertificateStr.signature /
** CERTCrlStr.signatureAlg); whether this library enforces that is not
** visible in this header — confirm in the verification code.
*/
struct CERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};
/*
** An X.509 subject-public-key-info object: the key's AlgorithmIdentifier
** (including any parameters) and the public key itself.
** `subjectPublicKey` comes from a BIT STRING; how its length is expressed
** in the SECItem (bits vs. bytes) is a decoder detail — check before
** copying it out.
*/
struct CERTSubjectPublicKeyInfoStr {
    PRArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};
/*
** A PublicKeyAndChallenge body (presumably the SPKAC produced by keygen):
** an encoded SPKI plus the challenge string the server supplied. A relying
** server should verify the accompanying signature with that key and check
** that `challenge` echoes the value it issued before accepting the key.
*/
struct CERTPublicKeyAndChallengeStr {
    SECItem spki;
    SECItem challenge;
};
/*
** Per-usage trust bits for a certificate, one word per trust type. The
** individual bit values are defined elsewhere; SEC_GET_TRUST_FLAGS selects
** the word for a given SECTrustType. CERTCertificateStr.trust points at one
** of these — a cert may carry no trust record at all.
*/
struct CERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};
/*
 * defined the types of trust that exist; each selects one word of
 * CERTCertTrustStr. trustTypeNone selects nothing (SEC_GET_TRUST_FLAGS
 * yields 0 for it, i.e. "no flags", not "fully trusted").
 */
typedef enum SECTrustTypeEnum {
    trustSSL = 0,
    trustEmail = 1,
    trustObjectSigning = 2,
    trustTypeNone = 3
} SECTrustType;
/* Select the trust-flag word of `trust` (a CERTCertTrust *) for `type`
 * (a SECTrustType). Any other type, including trustTypeNone, yields 0.
 * Both arguments are evaluated more than once: pass only side-effect-free
 * expressions. */
#define SEC_GET_TRUST_FLAGS(trust,type) \
    ((type) == trustObjectSigning ? (trust)->objectSigningFlags : \
     (type) == trustEmail         ? (trust)->emailFlags         : \
     (type) == trustSSL           ? (trust)->sslFlags           : 0)
/*
** An X.509.3 certificate extension. `id` is the extension OID, `value` the
** extnValue contents, and `critical` the criticality flag still in encoded
** form (it is DEFAULT FALSE in ASN.1, so an absent/empty item presumably
** means "not critical" — confirm against the decoder). An extension marked
** critical that the verifier does not understand must cause the cert to be
** rejected; the decoder records that case in
** CERTCertificateStr.options.bits.hasUnsupportedCriticalExt.
*/
struct CERTCertExtensionStr {
    SECItem id;
    SECItem critical;
    SECItem value;
};
/* One entry in a per-subject cert list: the DB key of a cert (issuer +
 * serial, see CERTCertKeyStr) and its key identifier. Doubly linked. */
struct CERTSubjectNodeStr {
    struct CERTSubjectNodeStr *next;
    struct CERTSubjectNodeStr *prev;
    SECItem certKey;
    SECItem keyID;
};
/* All certs sharing one subject name (see CERTCertificateStr.subjectList).
 * `ncerts` is the node count; `entry` is private to the database layer. */
struct CERTSubjectListStr {
    PRArenaPool *arena;
    int ncerts;
    char *emailAddr;
    CERTSubjectNode *head;
    CERTSubjectNode *tail; /* do we need tail? */
    void *entry;
};
/*
** An X.509 certificate object (the unsigned form).
**
** Three groups of fields live here: values decoded from the DER (static
** after decode), database/trust state that changes as the cert moves
** between temp and perm storage, and application-settable overrides
** (keepSession, timeOK, domainOK) that relax later checks. Reviewers of
** calling code should treat the overrides as deliberate policy exceptions.
*/
struct CERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert. This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time. It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    PRArenaPool *arena;
    /* The following fields are static after the cert has been decoded */
    char *subjectName;   /* presumably the string form of `subject` */
    char *issuerName;    /* presumably the string form of `issuer` */
    CERTSignedData signatureWrap; /* XXX outer SIGNED wrapper: the signed DER
                                   * plus the signature over it */
    SECItem derCert; /* original DER for the cert */
    SECItem derIssuer; /* DER for issuer name */
    SECItem derSubject; /* DER for subject name */
    SECItem derPublicKey; /* DER for the public key */
    SECItem certKey; /* database key for this cert */
    SECItem version;
    SECItem serialNumber;
    SECAlgorithmID signature; /* inner (tbs) signature algorithm; RFC 5280
                               * requires it to match signatureWrap's */
    CERTName issuer;
    CERTValidity validity;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem issuerID;
    SECItem subjectID;
    CERTCertExtension **extensions; /* decoded extensions, presumably
                                     * NULL-terminated */
    char *emailAddr;
    CERTCertDBHandle *dbhandle;
    SECItem subjectKeyID; /* x509v3 subject key identifier */
    PRBool keyIDGenerated; /* was the keyid generated? (i.e. not taken from
                            * the extension) */
    unsigned int keyUsage; /* what uses are allowed for this cert (effective
                            * value, KU_* bits) */
    unsigned int rawKeyUsage; /* value of the key usage extension */
    PRBool keyUsagePresent; /* was the key usage extension present; what
                             * keyUsage defaults to when absent is decided
                             * by the decoder, not here */
    PRUint32 nsCertType; /* value of the ns cert type extension */
    /* must be 32-bit for PR_AtomicSet */
    /* these values can be set by the application to bypass certain checks
     * or to keep the cert in memory for an entire session.
     * XXX - need an api to set these
     */
    PRBool keepSession; /* keep this cert for entire session*/
    PRBool timeOK; /* is the bad validity time ok? When set, a cert whose
                    * validity window has been found bad is still accepted:
                    * an application-level exception, not a decode result */
    CERTOKDomainName *domainOK; /* these domain names are ok: host names the
                                 * application has chosen to accept for this
                                 * cert regardless of name matching */
    /*
     * these values can change when the cert changes state. These state
     * changes include transitions from temp to perm or vice-versa, and
     * changes of trust flags
     */
    PRBool isperm;
    PRBool istemp;
    char *nickname;
    char *dbnickname;
    struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
    CERTCertTrust *trust; /* trust record; the only place trust is recorded */
    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate. Nothing here says how it is synchronized;
     * do not touch it outside the library's own refcounting calls.
     */
    int referenceCount;
    /* The subject list is a list of all certs with the same subject name.
     * It can be modified any time a cert is added or deleted from either
     * the in-memory(temporary) or on-disk(permanent) database.
     */
    CERTSubjectList *subjectList;
    /* these belong in the static section, but are here to maintain
     * the structure's integrity
     */
    CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */
    PRBool isRoot; /* cert is the end of a chain. A chain-position flag,
                    * not a trust decision: see `trust` for that */
    /* these fields are used by client GUI code to keep track of ssl sockets
     * that are blocked waiting on GUI feedback related to this cert.
     * XXX - these should be moved into some sort of application specific
     * data structure. They are only used by the browser right now.
     */
    union {
        void* apointer; /* was struct SECSocketNode* authsocketlist */
        struct {
            /* set when a critical extension was not understood; such a
             * cert must fail verification (RFC 5280 4.2) */
            unsigned int hasUnsupportedCriticalExt :1;
            /* add any new option bits needed here */
        } bits;
    } options;
    int series; /* was int authsocketcount; record the series of the pkcs11ID */
    /* This is PKCS #11 stuff. */
    PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
    CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
    PRBool ownSlot; /*true if the cert owns the slot reference */
};
/* Encoded X.509 `version` values. The integer on the wire is (version - 1),
 * so a v3 cert carries 2; an absent version field means v1. Only v3 certs
 * may carry extensions. */
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
/* Encoded CRL `version` values, same (version - 1) convention. */
#define SEC_CRL_VERSION_1 0 /* default */
#define SEC_CRL_VERSION_2 1 /* v2 extensions */
/*
 * used to identify class of cert in mime stream code
 */
#define SEC_CERT_CLASS_CA 1
#define SEC_CERT_CLASS_SERVER 2
#define SEC_CERT_CLASS_USER 3
#define SEC_CERT_CLASS_EMAIL 4
/* A batch of undecoded certificates: `rawCerts` points at `numcerts`
 * DER items allocated from `arena`. Nothing here has been verified. */
struct CERTDERCertsStr {
    PRArenaPool *arena;
    int numcerts;
    SECItem *rawCerts;
};
/*
** A PKCS ? Attribute (the Attribute type shared by PKCS#9/PKCS#10, used
** below for certificate-request attributes): an attribute OID and its
** SET OF values, as a pointer array (presumably NULL-terminated).
** XXX this is duplicated through out the code, it *should* be moved
** to a central location. Where would be appropriate?
*/
struct CERTAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};
/*
** A PKCS#10 certificate-request object (the unsigned form): the
** CertificationRequestInfo only. The request's self-signature — the proof
** that the requester holds the private key — lives in the enclosing
** CERTSignedData wrapper, not here. Do not treat a decoded request as
** proof of possession until that signature has been verified with
** `subjectPublicKeyInfo`, and treat `attributes` (requested extensions,
** challenge password, ...) as untrusted input.
*/
struct CERTCertificateRequestStr {
    PRArenaPool *arena;
    SECItem version;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    CERTAttribute **attributes;
};
/* PKCS#10 version we emit; v1 is encoded as 0. */
#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
/*
** A certificate list object: `len` DER certs in an array, typically a
** chain. Order and trust are whatever the producer put there; nothing
** about this type implies the chain has been validated.
*/
struct CERTCertificateListStr {
    SECItem *certs;
    int len; /* number of certs */
    PRArenaPool *arena;
};
/* Node of a CERTCertList. `links` must stay the first member: the
 * CERT_LIST_* macros cast a PRCList pointer to a node pointer. */
struct CERTCertListNodeStr {
    PRCList links;
    CERTCertificate *cert;
    void *appData;
};
/* Circular doubly-linked list of decoded certs; `list` is the sentinel. */
struct CERTCertListStr {
    PRCList list;
    PRArenaPool *arena;
};
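/* Iteration helpers for CERTCertList. The list is circular and `l->list`
 * is its sentinel, so CERT_LIST_END(n, l) is true once `n` has wrapped back
 * to the sentinel. Every argument is parenthesized so that callers may pass
 * expressions such as `CERT_LIST_HEAD(&certs)`; the unparenthesized forms
 * expanded that to `&&certs->list`, which does not compile. The node cast
 * relies on `links` being the first member of CERTCertListNodeStr.
 *
 * CERT_LIST_HEAD(l)   first node of `l` (the sentinel when the list is empty)
 * CERT_LIST_NEXT(n)   node after `n` (the sentinel after the last node)
 * CERT_LIST_END(n,l)  true when `n` is the sentinel of `l`
 * CERT_LIST_EMPTY(l)  true when `l` holds no nodes
 */
#define CERT_LIST_HEAD(l)  ((CERTCertListNode *)PR_LIST_HEAD(&(l)->list))
#define CERT_LIST_NEXT(n)  ((CERTCertListNode *)(n)->links.next)
#define CERT_LIST_END(n,l) (((void *)(n)) == ((void *)&(l)->list))
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)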
/* One revoked-certificate entry of a CRL. `serialNumber` is only meaningful
 * relative to the CRL's issuer, so a CRL must only be consulted for certs
 * from that issuer (or, for indirect CRLs, the issuer named by an entry
 * extension). `extensions` may carry the reason code, see
 * CERTCRLEntryReasonCode. */
struct CERTCrlEntryStr {
    SECItem serialNumber;
    SECItem revocationDate;
    CERTCertExtension **extensions;
};
/* The TBSCertList part of a CRL. `signatureAlg` is the inner algorithm
 * and should match the outer one in CERTSignedCrlStr.signatureWrap.
 * `nextUpdate` may be empty: the CRL then advertises no expiry and the
 * caller's own freshness policy has to decide when to refetch it
 * (RFC 5280 requires conforming issuers to include it). */
struct CERTCrlStr {
    PRArenaPool *arena;
    SECItem version;
    SECAlgorithmID signatureAlg;
    SECItem derName;
    CERTName name;
    SECItem lastUpdate;
    SECItem nextUpdate; /* optional for x.509 CRL */
    CERTCrlEntry **entries;
    CERTCertExtension **extensions;
    /* can't add anything there for binary backwards compatibility reasons */
};
/* Database key for a CRL: the DER issuer name. */
struct CERTCrlKeyStr {
    SECItem derName;
    SECItem dummy; /* The decoder can not skip a primitive,
                      this serves as a place holder for the
                      decoder to finish its task only
                   */
};
/* A decoded CRL with its signature wrapper and database state. Only the
 * signature in `signatureWrap`, checked against the issuer's key, makes
 * the contents of `crl` trustworthy; `url` (presumably where it was
 * fetched from) is not evidence of authenticity. `derCrl` is the original
 * encoding the signature covers. */
struct CERTSignedCrlStr {
    PRArenaPool *arena;
    CERTCrl crl;
    void *reserved1;
    PRBool reserved2;
    PRBool isperm;
    PRBool istemp;
    int referenceCount;
    CERTCertDBHandle *dbhandle;
    CERTSignedData signatureWrap; /* XXX */
    char *url;
    SECItem *derCrl;
    PK11SlotInfo *slot;
    CK_OBJECT_HANDLE pkcs11ID;
    void* opaque; /* do not touch */
};
/* Head of a singly-linked list of CRLs for one database. */
struct CERTCrlHeadNodeStr {
    PRArenaPool *arena;
    CERTCertDBHandle *dbhandle;
    CERTCrlNode *first;
    CERTCrlNode *last;
};
/* One CRL in a CERTCrlHeadNode list. The meaning of `type` is not
 * defined in this header. */
struct CERTCrlNodeStr {
    CERTCrlNode *next;
    int type;
    CERTSignedCrl *crl;
};
/*
 * Array of X.500 Distinguished Names: `nnames` DER-encoded names in
 * `names`, e.g. the acceptable CA list sent in a TLS CertificateRequest.
 */
struct CERTDistNamesStr {
    PRArenaPool *arena;
    int nnames;
    SECItem *names;
    void *head; /* private */
};
/* Netscape Certificate Type extension bits, as kept in
 * CERTCertificateStr.nsCertType. The "bit N" numbering is the ASN.1
 * BIT STRING convention: bit 0 is the most significant bit of the first
 * octet, hence SSL_CLIENT is 0x80. */
#define NS_CERT_TYPE_SSL_CLIENT         (1 << 7) /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER         (1 << 6) /* bit 1 */
#define NS_CERT_TYPE_EMAIL              (1 << 5) /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING     (1 << 4) /* bit 3 */
#define NS_CERT_TYPE_RESERVED           (1 << 3) /* bit 4 */
#define NS_CERT_TYPE_SSL_CA             (1 << 2) /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA           (1 << 1) /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA  (1 << 0) /* bit 7 */
/* Not cert-type extension bits: two extended-key-usage purposes that are
 * presumably folded into the same nsCertType word, above the one-octet
 * range the extension itself can carry. */
#define EXT_KEY_USAGE_TIME_STAMP        (1 << 15)
#define EXT_KEY_USAGE_STATUS_RESPONDER  (1 << 14)
/* Mask of end-entity ("application") cert types. */
#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | \
                           NS_CERT_TYPE_EMAIL | NS_CERT_TYPE_OBJECT_SIGNING )
/* Mask of issuer-like types. It includes the OCSP status-responder purpose,
 * so an "is this a CA type" test against this mask also matches status
 * responders — check the specific bit when that matters. */
#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
                          NS_CERT_TYPE_OBJECT_SIGNING_CA | \
                          EXT_KEY_USAGE_STATUS_RESPONDER )
/* The single purpose a certificate is being verified for. Each value N
 * corresponds to the bit certificateUsage* == (1 << N) below, so a
 * SECCertUsage can be turned into a SECCertificateUsage mask by shifting. */
typedef enum SECCertUsageEnum {
    certUsageSSLClient = 0,
    certUsageSSLServer = 1,
    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageEmailSigner = 4,
    certUsageEmailRecipient = 5,
    certUsageObjectSigner = 6,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageStatusResponder = 10,
    certUsageAnyCA = 11
} SECCertUsage;
/* Bitmask form of SECCertUsage: certificateUsageX == (1 << certUsageX).
 * Used where several usages are requested or reported at once. A mask of
 * certificateUsageCheckAllUsages (0) asks the verifier to test every usage
 * rather than none — do not read a zero result mask as "valid for all". */
typedef PRInt64 SECCertificateUsage;
#define certificateUsageCheckAllUsages (0x0000)
#define certificateUsageSSLClient (0x0001)
#define certificateUsageSSLServer (0x0002)
#define certificateUsageSSLServerWithStepUp (0x0004)
#define certificateUsageSSLCA (0x0008)
#define certificateUsageEmailSigner (0x0010)
#define certificateUsageEmailRecipient (0x0020)
#define certificateUsageObjectSigner (0x0040)
#define certificateUsageUserCertImport (0x0080)
#define certificateUsageVerifyCA (0x0100)
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
/* Highest defined usage bit; iterate masks up to and including this. */
#define certificateUsageHighest certificateUsageAnyCA
/*
 * Does the cert belong to the user, a peer, or a CA. This classifies the
 * cert's role from the local side's point of view; it is not a trust level.
 */
typedef enum CERTCertOwnerEnum {
    certOwnerUser = 0,
    certOwnerPeer = 1,
    certOwnerCA = 2
} CERTCertOwner;
/*
 * This enum represents the state of validity times of a certificate.
 * Only secCertTimeValid is a pass; secCertTimeUndetermined means the
 * times could not even be read and must not be treated as "not expired".
 */
typedef enum SECCertTimeValidityEnum {
    secCertTimeValid = 0,
    secCertTimeExpired = 1,
    secCertTimeNotValidYet = 2,
    secCertTimeUndetermined = 3 /* validity could not be decoded from the
                                   cert, most likely because it was NULL */
} SECCertTimeValidity;
/*
 * This is used as return status in functions that compare the validity
 * periods of two certificates A and B, currently only
 * CERT_CompareValidityTimes. It is a preference between two otherwise
 * acceptable certs, not a statement that either one is currently valid.
 */
typedef enum CERTCompareValidityStatusEnum
{
    certValidityUndetermined = 0, /* the function is unable to select one cert
                                     over another */
    certValidityChooseB = 1, /* cert B should be preferred */
    certValidityEqual = 2, /* both certs have the same validity period */
    certValidityChooseA = 3 /* cert A should be preferred */
} CERTCompareValidityStatus;
/*
 * Interface for getting certificate nickname strings out of the database
 */
/* these are values for the what argument below */
#define SEC_CERT_NICKNAMES_ALL 1
#define SEC_CERT_NICKNAMES_USER 2
#define SEC_CERT_NICKNAMES_SERVER 3
#define SEC_CERT_NICKNAMES_CA 4
/* Result of a nickname query: `numnicknames` strings in `nicknames`,
 * allocated from `arena`; `what` records which SEC_CERT_NICKNAMES_* class
 * was asked for and `totallen` the combined string length. Nicknames are
 * user-chosen labels, not identities — never use one as a trust key. */
struct CERTCertNicknamesStr {
    PRArenaPool *arena;
    void *head;
    int numnicknames;
    char **nicknames;
    int what;
    int totallen;
};
/* IssuerAndSerialNumber (as used by PKCS#7/CMS to point at a cert):
 * the issuer both as DER and decoded, plus the serial. Like
 * CERTCertKeyStr, the serial alone is not an identifier. */
struct CERTIssuerAndSNStr {
    SECItem derIssuer;
    CERTName issuer;
    SECItem serialNumber;
};
/* X.509 v3 Key Usage Extension flags. Numbered the ASN.1 BIT STRING way:
 * bit 0 is the most significant bit of the first octet (0x80). decipherOnly
 * (bit 8) lives in a second octet and has no constant here. */
#define KU_DIGITAL_SIGNATURE (1 << 7) /* bit 0 */
#define KU_NON_REPUDIATION   (1 << 6) /* bit 1 */
#define KU_KEY_ENCIPHERMENT  (1 << 5) /* bit 2 */
#define KU_DATA_ENCIPHERMENT (1 << 4) /* bit 3 */
#define KU_KEY_AGREEMENT     (1 << 3) /* bit 4 */
#define KU_KEY_CERT_SIGN     (1 << 2) /* bit 5 */
#define KU_CRL_SIGN          (1 << 1) /* bit 6 */
#define KU_ENCIPHER_ONLY     (1 << 0) /* bit 7 */
/* Every on-the-wire bit above; the two internal values below are
 * deliberately outside this mask. */
#define KU_ALL (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | \
                KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | \
                KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \
                KU_CRL_SIGN | KU_ENCIPHER_ONLY)
/* This value will not occur in certs. It is used internally for the case
 * when the key type is not known ahead of time and either key agreement or
 * key encipherment is the correct value based on key type. */
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (1 << 14)
/* internal bit that does not match a bit in the x509v3 spec, but is used
 * for a similar purpose */
#define KU_NS_GOVT_APPROVED (1 << 15) /*don't make part of KU_ALL!*/
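/*
 * x.509 v3 Basic Constraints Extension
 * If isCA is false, the pathLenConstraint is ignored.
 * Otherwise, the following pathLenConstraint values will apply:
 * < 0 - there is no limit to the certificate path
 * 0 - CA can issue end-entity certificates only
 * > 0 - the number of certificates in the certificate path is
 * limited to this number
 *
 * NOTE(review): RFC 5280 4.2.1.9 defines pathLenConstraint as the maximum
 * number of non-self-issued intermediate CA certs that may follow this one
 * (the end-entity cert is not counted); read "certificates in the path"
 * above in that sense. A negative value must never be interpreted as a
 * small limit.
 *
 * The constant below is presumably what the decoder stores when the field
 * is absent. It is parenthesized so that it can appear in any expression
 * (`-CERT_UNLIMITED_PATH_CONSTRAINT` previously expanded to `--2`).
 */
#define CERT_UNLIMITED_PATH_CONSTRAINT (-2)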
/* Decoded Basic Constraints. A cert with isCA false (or no extension at
 * all on a v3 cert) must not be accepted as an issuer, whatever its key
 * usage says. */
struct CERTBasicConstraintsStr {
    PRBool isCA; /* on if is CA */
    int pathLenConstraint; /* maximum number of certificates that can be
                              in the cert path. Only applies to a CA
                              certificate; otherwise, it's ignored.
                              Negative means unlimited, see
                              CERT_UNLIMITED_PATH_CONSTRAINT.
                           */
};
/* Maximum length of a certificate chain the library will build or
 * verify; bounds the work an attacker-supplied chain can cause. */
#define CERT_MAX_CERT_CHAIN 20
/* Upper bounds on decoded field sizes; inputs beyond them are rejected
 * rather than allocated for. */
#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
#define CERT_MAX_DN_BYTES 4096 /* arbitrary */
/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension.
 * ASN.1 BIT STRING numbering: bit 0 is the MSB of the first octet. A
 * distribution point that lists reasons only covers those reasons; a
 * cert is not known to be unrevoked until every reason has been checked
 * against some source. */
#define RF_UNUSED (0x80) /* bit 0 */
#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
#define RF_CA_COMPROMISE (0x20) /* bit 2 */
#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
#define RF_SUPERSEDED (0x08) /* bit 4 */
#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
/* enum for CRL Entry Reason Code (RFC 5280 5.3.1 CRLReason). Value 7 is
 * unassigned there, which is why this list skips it. A cert listed with
 * any reason — including an unrecognized one — is revoked; only
 * removeFromCRL on a delta CRL lifts a prior hold. */
typedef enum CERTCRLEntryReasonCodeEnum {
    crlEntryReasonUnspecified = 0,
    crlEntryReasonKeyCompromise = 1,
    crlEntryReasonCaCompromise = 2,
    crlEntryReasonAffiliationChanged = 3,
    crlEntryReasonSuperseded = 4,
    crlEntryReasonCessationOfOperation = 5,
    crlEntryReasoncertificatedHold = 6,
    crlEntryReasonRemoveFromCRL = 8,
    crlEntryReasonPrivilegeWithdrawn = 9,
    crlEntryReasonAaCompromise = 10
} CERTCRLEntryReasonCode;
/* If we needed to extract the general name field, use this */
/* General Name types. These appear to be the GeneralName CHOICE tag plus
 * one (otherName is [0] in ASN.1); do not use them as raw tags. */
typedef enum CERTGeneralNameTypeEnum {
    certOtherName = 1,
    certRFC822Name = 2,
    certDNSName = 3,
    certX400Address = 4,
    certDirectoryName = 5,
    certEDIPartyName = 6,
    certURI = 7,
    certIPAddress = 8,
    certRegisterID = 9
} CERTGeneralNameType;
/* The otherName form of GeneralName: a type OID and its encoded value. */
typedef struct OtherNameStr {
    SECItem name;
    SECItem oid;
}OtherName;
/* A decoded GeneralName (subject/issuer alt names, name constraints, CRL
 * distribution points, ...). `type` selects the active union member.
 * The string forms (dNSName, rfc822Name, URI, IP address) are in
 * `name.other` as a length-delimited SECItem, NOT a NUL-terminated string:
 * when matching against a host name, use the item's length and reject any
 * embedded NUL rather than handing the bytes to C string functions. Names
 * are linked into a circular list through `l`. */
struct CERTGeneralNameStr {
    CERTGeneralNameType type; /* name type */
    union {
        CERTName directoryName; /* distinguish name */
        OtherName OthName; /* Other Name */
        SECItem other; /* the rest of the name forms */
    }name;
    SECItem derDirectoryName; /* this is saved to simplify directory name
                                 comparison */
    PRCList l;
};
/* A shareable list of `len` general names starting at `name`, with its
 * own reference count and lock (so it may be handed between threads;
 * how `lock` guards `refCount` is not visible here). */
struct CERTGeneralNameListStr {
    PRArenaPool *arena;
    CERTGeneralName *name;
    int refCount;
    int len;
    PZLock *lock;
};
/* One GeneralSubtree of a Name Constraints extension. RFC 5280 requires
 * `min` to be 0 and `max` absent; a subtree that says otherwise should
 * not be silently accepted. Linked into a circular list through `l`. */
struct CERTNameConstraintStr {
    CERTGeneralName name;
    SECItem DERName;
    SECItem min;
    SECItem max;
    PRCList l;
};
/* Decoded Name Constraints (RFC 5280 4.2.1.10) of a CA cert. The
 * constraints apply to every subordinate cert's subject and subject alt
 * names; an excluded match always wins over a permitted one. The DER
 * arrays mirror the decoded lists for re-encoding. (`permited` is a
 * long-standing misspelling kept for ABI/API compatibility.) */
struct CERTNameConstraintsStr {
    CERTNameConstraint *permited;
    CERTNameConstraint *excluded;
    SECItem **DERPermited;
    SECItem **DERExcluded;
};
/* Private Key Usage Period extension struct. Both times are kept in
 * encoded form; either may be empty (the extension allows one bound). */
struct CERTPrivKeyUsagePeriodStr {
    SECItem notBefore;
    SECItem notAfter;
    PRArenaPool *arena;
};
/* X.509 v3 Authority Key Identifier extension. For the authority certificate
   issuer field, we only support URI now.
   This is a hint for locating the issuer cert during path building; the
   issuer is still only established by verifying the signature. */
struct CERTAuthKeyIDStr {
    SECItem keyID; /* unique key identifier */
    CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
    SECItem authCertSerialNumber; /* CA's certificate serial number */
    SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
                                    the authCertIssuer field. It is used
                                    by the encoding engine. It should be
                                    used as a read only field by the caller.
                                 */
};
/* x.509 v3 CRL Distribution Point */
/*
 * defines the types of CRL Distribution point names: a full GeneralName
 * or an RDN relative to the CRL issuer's name.
 */
typedef enum DistributionPointTypesEnum {
    generalName = 1, /* only support this for now */
    relativeDistinguishedName = 2
} DistributionPointTypes;
/* One DistributionPoint of the CRL Distribution Points extension.
 * `distPointType` selects the active `distPoint` member. A URI found here
 * comes from the cert being checked and is attacker-influenced input:
 * whatever is fetched from it is only as good as the CRL signature. When
 * `crlIssuer` is set the CRL is signed by a different key than the cert's
 * issuer (indirect CRL) and must be verified against that issuer.
 * `reasons` limits which revocation reasons this point covers. */
struct CRLDistributionPointStr {
    DistributionPointTypes distPointType;
    union {
        CERTGeneralName *fullName;
        CERTRDN relativeName;
    } distPoint;
    SECItem reasons;
    CERTGeneralName *crlIssuer;
    /* Reserved for internal use only*/
    SECItem derDistPoint;
    SECItem derRelativeName;
    SECItem **derCrlIssuer;
    SECItem **derFullName;
    SECItem bitsmap;
};
/* The decoded CRL Distribution Points extension: a pointer array of
 * distribution points, presumably NULL-terminated. */
struct CERTCrlDistributionPointsStr {
    CRLDistributionPoint **distPoints;
};
/*
 * This structure is used to keep a log of errors when verifying
 * a cert chain. This allows multiple errors to be reported all at
 * once. Note that when a log is supplied, verification continues past
 * the first failure to collect them; the final result must still be
 * taken from the function's return status (or the log's count), never
 * from the absence of a particular entry.
 */
struct CERTVerifyLogNodeStr {
    CERTCertificate *cert; /* what cert had the error */
    long error; /* what error was it? */
    unsigned int depth; /* how far up the chain are we */
    void *arg; /* error specific argument */
    struct CERTVerifyLogNodeStr *next; /* next in the list */
    struct CERTVerifyLogNodeStr *prev; /* previous in the list */
};
/* Head of a verification error log: `count` nodes allocated from `arena`.
 * A count of zero after verification means no problem was recorded. */
struct CERTVerifyLogStr {
    PRArenaPool *arena;
    unsigned int count;
    struct CERTVerifyLogNodeStr *head;
    struct CERTVerifyLogNodeStr *tail;
};
/* One entry of a cert's list of application-approved host names
 * (CERTCertificateStr.domainOK). `name` is declared with one element but
 * each entry is allocated with room for the whole NUL-terminated string
 * (the "struct hack"; a C99 flexible array member would change the layout,
 * which is ABI). Never size an allocation from sizeof(CERTOKDomainName)
 * alone and never copy one of these by value. */
struct CERTOKDomainNameStr {
    CERTOKDomainName *next;
    char name[1]; /* actual length may be longer. */
};
/* Revocation/status check callback (e.g. OCSP). `time` is the moment the
 * cert is being validated for (an NSPR int64; presumably a PRTime); `pwArg`
 * is passed through to any password prompt. Returns SECSuccess when the
 * cert's status was checked and found acceptable; any other return must be
 * treated as a verification failure, not as "unknown, so fine". */
typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
                                                   CERTCertificate *cert,
                                                   int64 time,
                                                   void *pwArg);
/* Releases whatever `statusContext` holds when the config is torn down. */
typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
/* Status-checking hooks installed on a cert DB. A NULL statusChecker means
 * no revocation checking happens at all — "unchecked", not "good" — so
 * deployments that require revocation checking must verify one is set. */
struct CERTStatusConfigStr {
    CERTStatusChecker statusChecker; /* NULL means no checking enabled */
    CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
    void *statusContext; /* cx specific to checking protocol */
};
/* One AccessDescription of the Authority Information Access extension:
 * an access method OID (OCSP, caIssuers, ...) and its location, kept both
 * as DER and decoded. The location is taken from the cert under test, so
 * it is untrusted input; use it only with the matching signed protocol
 * (an OCSP response must still be verified, not just fetched). */
struct CERTAuthInfoAccessStr {
    SECItem method;
    SECItem derLocation;
    CERTGeneralName *location; /* decoded location */
};
/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number. Ownership of
 * the returned string is not stated here; check CERT_OpenCertDB. */
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
/*
 * types of cert packages that we can decode: a bare cert, a PKCS#7 bundle,
 * or one of the two legacy Netscape wrappers. The package type is sniffed
 * from untrusted input; every cert inside is still unverified.
 */
typedef enum CERTPackageTypeEnum {
    certPackageNone = 0,
    certPackageCert = 1,
    certPackagePKCS7 = 2,
    certPackageNSCertSeq = 3,
    certPackageNSCertWrap = 4
} CERTPackageType;
/*
 * these types are for the PKIX Certificate Policies extension
 */
/* One PolicyQualifierInfo: `oid` is the qualifier's SECOidTag (if
 * recognized), `qualifierID` the raw OID and `qualifierValue` its encoded
 * value (a CPS URI or a UserNotice). */
typedef struct {
    SECOidTag oid;
    SECItem qualifierID;
    SECItem qualifierValue;
} CERTPolicyQualifier;
/* One PolicyInformation: the policy OID (tag plus raw form) and its
 * qualifiers, a pointer array presumably NULL-terminated. Qualifiers are
 * informational; policy decisions are made on `policyID` alone. */
typedef struct {
    SECOidTag oid;
    SECItem policyID;
    CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;
/* The decoded Certificate Policies extension: an array of policies
 * (presumably NULL-terminated) allocated from `arena`. */
typedef struct {
    PRArenaPool *arena;
    CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;
/* NoticeReference of a UserNotice qualifier: an organization name and an
 * array of notice numbers (presumably NULL-terminated). */
typedef struct {
    SECItem organization;
    SECItem **noticeNumbers;
} CERTNoticeReference;
/* A decoded UserNotice qualifier. `displayText` is attacker-controlled
 * text from the cert in some ASN.1 string type; treat it as untrusted when
 * rendering (escape it, honour the SECItem length, do not assume a NUL). */
typedef struct {
    PRArenaPool *arena;
    CERTNoticeReference noticeReference;
    SECItem derNoticeReference;
    SECItem displayText;
} CERTUserNotice;
/* A SEQUENCE OF OBJECT IDENTIFIER (e.g. Extended Key Usage): raw OIDs in a
 * pointer array, presumably NULL-terminated, allocated from `arena`. */
typedef struct {
    PRArenaPool *arena;
    SECItem **oids;
} CERTOidSequence;
/*
 * these types are for the PKIX Policy Mappings extension
 */
/* One mapping: the issuer's policy OID is treated as equivalent to the
 * subject's. Mapping to or from anyPolicy is forbidden by RFC 5280. */
typedef struct {
    SECItem issuerDomainPolicy;
    SECItem subjectDomainPolicy;
} CERTPolicyMap;
/* The decoded Policy Mappings extension: an array of mappings (presumably
 * NULL-terminated) allocated from `arena`. */
typedef struct {
    PRArenaPool *arena;
    CERTPolicyMap **policyMaps;
} CERTCertificatePolicyMappings;
/*
 * these types are for the PKIX inhibitAnyPolicy extension
 */
/* SkipCerts value still in encoded INTEGER form: how many further certs
 * may use anyPolicy before it stops being accepted. */
typedef struct {
    SECItem inhibitAnySkipCerts;
} CERTCertificateInhibitAny;
/*
 * these types are for the PKIX Policy Constraints extension
 */
/* Both SkipCerts values are optional and kept in encoded INTEGER form; an
 * empty item means that constraint is absent. */
typedef struct {
    SECItem explicitPolicySkipCerts;
    SECItem inhibitMappingSkipCerts;
} CERTCertificatePolicyConstraints;
/*
 * these types are for the CERT_PKIX* Verification functions
 * These are all optional parameters. Each value names an input to the
 * verifier together with which member of the parameter's value union it is
 * read from. Anything not supplied takes the default stated below, so a
 * caller who wants a stricter check (key usage, EKU, policy, revocation)
 * must say so explicitly.
 */
typedef enum {
    cert_pi_end = 0, /* SPECIAL: signifies end of array of
                      * CERTValParam* */
    cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
                              * resume a session. If this argument is
                              * specified, no other arguments should be.
                              * Specified in value.pointer.p. If the
                              * operation completes the context will be
                              * freed. */
    cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
                            * existing operation which the caller wants
                            * to abort. If this argument is
                            * specified, no other arguments should be.
                            * Specified in value.pointer.p. If the
                            * operation succeeds the context will be
                            * freed. */
    cert_pi_certList = 3, /* specify the chain to validate against. If
                           * this value is given, then the path
                           * construction step in the validation is
                           * skipped. Specified in value.pointer.chain.
                           * Only path building is skipped; the supplied
                           * chain is presumably still checked for
                           * signatures, constraints and a trust anchor
                           * — confirm before relying on it. */
    cert_pi_policyOID = 4, /* validate certificate for policy OID.
                            * Specified in value.array.oids. Cert must
                            * be good for at least one OID in order
                            * to validate. Default is no policyOID */
    cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
                              * Specified in value.scalar.ul. Policy flags
                              * apply to all specified oids.
                              * Use CERT_POLICY_FLAG_* macros below. If not
                              * specified policy flags default to 0 */
    cert_pi_keyusage = 6, /* specify what key usages the certificate
                           * will be evaluated against, specified in
                           * value.scalar.ui. The cert must validate for
                           * at least one of the specified key usages.
                           * Values match the KU_ bit flags defined
                           * in this file. Default is derived from
                           * the 'usages' function argument */
    cert_pi_extendedKeyusage= 7, /* specify the required extended key
                                  * usages of the certificate. Specified as
                                  * an array of oidTags in value.array.oids.
                                  * The cert must validate for at least one
                                  * of the specified extended key usages.
                                  * If not specified, no extended key usages
                                  * will be checked at all. */
    cert_pi_date = 8, /* validate certificate is valid as of date
                       * specified in value.scalar.time. A special
                       * value '0' indicates 'now'. default is '0'.
                       * Consequently the instant that encodes as 0
                       * cannot itself be requested. */
    cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
                                  * See CERT_REV_FLAG_* macros below
                                  * Set in value.pointer.revocation */
    cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below)
                             * Set in value.scalar.ui */
    cert_pi_trustAnchors = 11,/* specify the list of trusted roots to
                               * validate against. If the list is NULL all
                               * default trusted roots are used.
                               * Specified in value.pointer.chain */
    cert_pi_max /* SPECIAL: signifies maximum allowed value,
                 * can increase in future releases */
} CERTValParamInType;
/*
 * For all out parameters:
 * out parameters are only returned if the caller asks for them in
 * the CERTValOutParam array. The caller is responsible for the CERTValOutParam
 * array itself. The pkix verify function will allocate any other arrays,
 * pointers, or objects. The caller is responsible for freeing those results.
 * If SECWouldBlock is returned, only cert_po_nbioContext is returned.
 */
/*
 * Selectors for the out parameters of the PKIX verify function.
 * A CERTValOutParam array is terminated by an entry of type cert_po_end.
 * The caller owns the array; objects the verify function returns through
 * the array are allocated by it and freed by the caller (see the comment
 * block above). Each value states which member of CERTValParamOutValue
 * carries its result.
 */
typedef enum {
    cert_po_end = 0,             /* SPECIAL: signifies end of array of
                                  * CERTValParam* */
    cert_po_nbioContext = 1,     /* Return a nonblocking context. If no
                                  * non-blocking context is specified, then
                                  * blocking IO will be used.
                                  * Returned in value.pointer.p. The context is
                                  * freed after an abort or a complete operation.
                                  * This value is only returned on SECWouldBlock.
                                  */
    cert_po_trustAnchor = 2,     /* Return the trust anchor for the chain that
                                  * was validated. Returned in
                                  * value.pointer.cert, this value is only
                                  * returned on SECSuccess. */
    cert_po_certList = 3,        /* Return the entire chain that was validated.
                                  * Returned in value.pointer.certList. If no
                                  * chain could be constructed, this value
                                  * would be NULL.
                                  * NOTE(review): CERTValParamOutValue.pointer
                                  * below has no member named certList; its
                                  * CERTCertList member is named chain. */
    cert_po_policyOID = 4,       /* Return the policies that were found to be
                                  * valid. Returned in value.array.oids as an
                                  * array. This is only returned on
                                  * SECSuccess. */
    cert_po_errorLog = 5,        /* Return a log of problems with the chain.
                                  * Returned in value.pointer.log */
    cert_po_usages = 6,          /* Return what usages the certificate is valid
                                  * for. Returned in value.scalar.usages */
    cert_po_keyUsage = 7,        /* Return what key usages the certificate
                                  * is valid for.
                                  * Returned in value.scalar.usage
                                  * NOTE(review): CERTValParamOutValue.scalar
                                  * below has no member named usage; confirm
                                  * which member the verifier actually fills. */
    cert_po_extendedKeyusage= 8, /* Return what extended key usages the
                                  * certificate is valid for.
                                  * Returned in value.array.oids */
    cert_po_max                  /* SPECIAL: signifies maximum allowed value,
                                  * can increase in future releases */
} CERTValParamOutType;
/*
 * Index of each revocation-checking method into the array
 * CERTRevocationTests.cert_rev_flags_per_method (see below).
 * cert_revocation_method_count is the number of methods this header
 * defines, not a method itself; a caller-supplied flag array may be
 * shorter than it.
 */
typedef enum {
    cert_revocation_method_crl = 0,   /* index 0: CRL based checking */
    cert_revocation_method_ocsp,      /* index 1: OCSP based checking */
    cert_revocation_method_count      /* number of methods defined here */
} CERTRevocationMethodIndex;
/*
 * The following flags are supposed to be used to control bits in
 * each integer contained in the array pointed to by:
 *   CERTRevocationTests.cert_rev_flags_per_method
 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
 * this is a method dependent flag.
 * Each pair of flags below controls a single bit: the 0L name describes
 * the behavior when that bit is clear, the non-zero name sets the bit.
 */
/*
 * Whether or not to use a method for revocation testing.
 * If set to "do not test", then all other flags are ignored.
 */
#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0L
#define CERT_REV_M_TEST_USING_THIS_METHOD 1L
/*
 * Whether or not NSS is allowed to attempt to fetch fresh information
 * from the network.
 * (Although fetching will never happen if fresh information for the
 * method is already locally available.)
 * When fetching is forbidden, only locally available information is
 * consulted; the *_MISSING_FRESH_INFO flags below decide what happens
 * when none is available.
 */
#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0L
#define CERT_REV_M_FORBID_NETWORK_FETCHING 2L
/*
 * Whether an implicitly configured source of revocation information may
 * be used.
 * Example for an implicit default source:
 *   The globally configured default OCSP responder.
 * IGNORE means:
 *   ignore the implicit default source, whether it's configured or not.
 * ALLOW means:
 *   if an implicit default source is configured,
 *   then it overrides any available or missing source in the cert.
 *   if no implicit default source is configured,
 *   then we continue to use what's available (or not available)
 *   in the certs.
 */
#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0L
#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4L
/*
 * Defines the behavior if no fresh information is available,
 * fetching from the network is allowed, but the source of revocation
 * information is unknown (even after considering implicit sources,
 * if allowed by other flags).
 * SKIP_TEST means:
 *   We ignore that no fresh information is available and
 *   skip this test.
 * REQUIRE_INFO means:
 *   We still require that fresh information is available.
 *   Other flags define what happens on missing fresh info.
 */
#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0L
#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8L
/*
 * Defines the behavior if we are unable to obtain fresh information.
 * IGNORE means:
 *   Return "test succeeded, not revoked"
 *   (i.e. an undeterminable revocation status is treated as not revoked).
 * FAIL means:
 *   Return "cert revoked"
 *   (i.e. an undeterminable revocation status is treated as revoked).
 */
#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0L
#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16L
/*
 * What should happen if we were able to find fresh information using
 * this method, and the data indicated the cert is good?
 * STOP_TESTING means:
 *   Our success is sufficient, do not continue testing
 *   other methods.
 * CONTINUE_TESTING means:
 *   We will continue and test the next allowed
 *   specified method.
 */
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0L
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32L
/*
 * The following flags are supposed to be used to control bits in
 *   CERTRevocationTests.cert_rev_method_independent_flags
 * All Flags are prefixed by CERT_REV_MI_, where _MI_ indicates
 * this is a method independent flag.
 */
/*
 * This defines the order of checking.
 * EACH_METHOD_SEPARATELY means:
 *   Do all tests related to a particular allowed method
 *   (both local information and network fetching) in a single step.
 *   Only after testing for a particular method is done,
 *   then switching to the next method will happen.
 * ALL_LOCAL_INFORMATION_FIRST means:
 *   Start by testing the information for all allowed methods
 *   which are already locally available. Only after that is done
 *   consider fetching from the network (as allowed by other flags).
 */
#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0L
#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1L
/*
 * Use this flag to specify that it's necessary that fresh information
 * is available for at least one of the allowed methods, but it's
 * irrelevant which of the mechanisms succeeded.
 * NO_OVERALL_INFO_REQUIREMENT means:
 *   We strictly follow the requirements for each individual method.
 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
 *   After the individual tests have been executed, we must have
 *   been able to find fresh information using at least one method.
 *   If we were unable to find fresh info, it's a failure.
 */
#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0L
#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2L
/*
 * Revocation-checking configuration for one group of certificates.
 * CERTRevocationFlags (below) holds one of these for the leaf and one for
 * the chain, and is handed to the verify function through
 * cert_pi_revocationFlags.
 */
typedef struct {
    /*
     * The size of the array that cert_rev_flags_per_method points to,
     * meaning, the number of methods that are known and defined
     * by the caller. It must match the number of elements the caller
     * actually allocated for that array.
     */
    PRUint32 number_of_defined_methods;
    /*
     * A pointer to an array of integers.
     * Each integer defines revocation checking for a single method,
     * by having individual CERT_REV_M_* bits set or not set.
     * The meaning of index numbers into this array are defined by
     * enum CERTRevocationMethodIndex
     * The size of the array must be specified by the caller in the separate
     * variable number_of_defined_methods.
     * The size of the array may be smaller than
     * cert_revocation_method_count, it can happen if a caller
     * is not yet aware of the latest revocation methods
     * (or does not want to use them).
     */
    PRUint64 *cert_rev_flags_per_method;
    /*
     * How many preferred methods are specified?
     * This is equivalent to the size of the array that
     * preferred_methods points to.
     * It's allowed to set this value to zero,
     * then NSS will decide which methods to prefer.
     */
    PRUint32 number_of_preferred_methods;
    /* Array that may specify an optional order of preferred methods.
     * Each array entry shall contain a method identifier as defined
     * by CERTRevocationMethodIndex.
     * The entry at index [0] specifies the method with highest preference.
     * These methods will be tested first for locally available information.
     * Methods allowed for downloading will be attempted in the same order.
     * NOTE(review): presumably every entry should be below
     * number_of_defined_methods so it indexes cert_rev_flags_per_method
     * in bounds — confirm against the verifier.
     */
    CERTRevocationMethodIndex *preferred_methods;
    /*
     * An integer which defines certain aspects of revocation checking
     * (independent of individual methods) by having individual
     * CERT_REV_MI_* bits set or not set.
     */
    PRUint64 cert_rev_method_independent_flags;
} CERTRevocationTests;
/*
 * Revocation settings passed through cert_pi_revocationFlags
 * (value.pointer.revocation). Two independent configurations are carried:
 * presumably leafTests applies to the end-entity certificate and chainTests
 * to the remaining certificates of the chain — confirm against the verifier.
 */
typedef struct {
    CERTRevocationTests leafTests;
    CERTRevocationTests chainTests;
} CERTRevocationFlags;
/*
 * Value slot of a CERTValInParam. Which member is meaningful is decided by
 * the accompanying CERTValParamInType (see its per-value comments above):
 *   scalar.ul          cert_pi_policyFlags
 *   scalar.ui          cert_pi_keyusage, cert_pi_certStores
 *   scalar.time        cert_pi_date ('0' means 'now')
 *   pointer.p          cert_pi_nbioContext
 *   pointer.chain      cert_pi_certList, cert_pi_trustAnchors
 *   pointer.revocation cert_pi_revocationFlags
 *   array.oids         cert_pi_policyOID, cert_pi_extendedKeyusage
 * All pointer and array members are const-qualified: the verify function
 * reads what the caller supplies.
 */
typedef struct CERTValParamInValueStr {
    union {
        PRBool b;
        PRInt32 i;
        PRUint32 ui;
        PRInt64 l;
        PRUint64 ul;
        PRTime time;
    } scalar;
    union {
        const void* p;
        const char* s;
        const CERTCertificate* cert;
        const CERTCertList *chain;
        const CERTRevocationFlags *revocation;
    } pointer;
    union {
        const PRInt32 *pi;
        const PRUint32 *pui;
        const PRInt64 *pl;
        const PRUint64 *pul;
        const SECOidTag *oids;
    } array;
    /* presumably the element count of the array member above; the enum
     * comments do not document it — confirm against the verifier */
    int arraySize;
} CERTValParamInValue;
/*
 * Value slot of a CERTValOutParam, filled by the verify function for the
 * CERTValParamOutType the caller asked for (see its per-value comments
 * above):
 *   scalar.usages  cert_po_usages
 *   pointer.p      cert_po_nbioContext
 *   pointer.cert   cert_po_trustAnchor
 *   pointer.log    cert_po_errorLog
 *   array.oids     cert_po_policyOID, cert_po_extendedKeyusage
 * Objects returned through pointer and array are allocated by the verify
 * function and freed by the caller, except the non-blocking context,
 * which is freed after an abort or a complete operation.
 */
typedef struct CERTValParamOutValueStr {
    union {
        PRBool b;
        PRInt32 i;
        PRUint32 ui;
        PRInt64 l;
        PRUint64 ul;
        SECCertificateUsage usages;
        /* NOTE(review): the cert_po_keyUsage comment names value.scalar.usage,
         * which does not exist here — confirm which member is filled. */
    } scalar;
    union {
        void* p;
        char* s;
        CERTVerifyLog *log;
        CERTCertificate* cert;
        /* NOTE(review): the cert_po_certList comment names
         * value.pointer.certList; this member is the CERTCertList slot. */
        CERTCertList *chain;
    } pointer;
    union {
        void *p;
        SECOidTag *oids;
    } array;
    /* presumably the element count of the array member above — confirm */
    int arraySize;
} CERTValParamOutValue;
/*
 * One entry of the in-parameter array handed to the verify function.
 * type selects the parameter and determines which member of value is read.
 */
typedef struct {
    CERTValParamInType type;
    CERTValParamInValue value;
} CERTValInParam;
/*
 * One entry of the out-parameter array handed to the verify function.
 * type selects the result requested; the array is terminated by an entry
 * whose type is cert_po_end. The caller owns the array, the verify
 * function fills value.
 */
typedef struct {
    CERTValParamOutType type;
    CERTValParamOutValue value;
} CERTValOutParam;
/*
 * policy flag defines
 * Bit flags for cert_pi_policyFlags (value.scalar.ul); they apply to every
 * OID given in cert_pi_policyOID. Presumably these correspond to the
 * RFC 5280 policy controls (inhibit policy mapping, require explicit
 * policy, inhibit anyPolicy) — confirm against the verifier.
 */
#define CERT_POLICY_FLAG_NO_MAPPING 1
#define CERT_POLICY_FLAG_EXPLICIT 2
#define CERT_POLICY_FLAG_NO_ANY 4
/*
 * CertStore flags
 * Bitmask for cert_pi_certStores (value.scalar.ui). Setting a flag allows
 * the verifier to retrieve certificates over that protocol; presumably
 * this happens during path construction — confirm against the verifier.
 * Leave both clear to restrict the verifier to local certificate stores.
 */
#define CERT_ENABLE_LDAP_FETCH 1
#define CERT_ENABLE_HTTP_FETCH 2
/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
#include "secasn1t.h" /* way down here because I expect template stuff to
                       * move out of here anyway */
SEC_BEGIN_PROTOS
/*
 * ASN.1 templates (SEC_ASN1Template) for the certificate, CRL, name and
 * key structures of this header. They are defined in the library; only
 * the declarations live here.
 */
extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
/*
 * XXX should the attribute stuff be centralized for all of ns/security?
 */
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
/* These functions simply return the address of the above-declared templates.
 * This is necessary for Windows DLLs. Sigh.
 * Only a subset of the templates above has a chooser; each macro below
 * declares the accessor for the template it names.
 */
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
SEC_END_PROTOS
  1141. #endif /* _CERTT_H_ */