PageRenderTime 265ms CodeModel.GetById 65ms app.highlight 119ms RepoModel.GetById 44ms app.codeStats 1ms

/gecko_api/include/certt.h

http://firefox-mac-pdf.googlecode.com/
C++ Header | 1294 lines | 718 code | 153 blank | 423 comment | 1 complexity | 20039168e689c5acd348605073c1bbf2 MD5 | raw file
   1/* ***** BEGIN LICENSE BLOCK *****
   2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   3 *
   4 * The contents of this file are subject to the Mozilla Public License Version
   5 * 1.1 (the "License"); you may not use this file except in compliance with
   6 * the License. You may obtain a copy of the License at
   7 * http://www.mozilla.org/MPL/
   8 *
   9 * Software distributed under the License is distributed on an "AS IS" basis,
  10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11 * for the specific language governing rights and limitations under the
  12 * License.
  13 *
  14 * The Original Code is the Netscape security libraries.
  15 *
  16 * The Initial Developer of the Original Code is
  17 * Netscape Communications Corporation.
  18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19 * the Initial Developer. All Rights Reserved.
  20 *
  21 * Contributor(s):
  22 *
  23 * Alternatively, the contents of this file may be used under the terms of
  24 * either the GNU General Public License Version 2 or later (the "GPL"), or
  25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26 * in which case the provisions of the GPL or the LGPL are applicable instead
  27 * of those above. If you wish to allow use of your version of this file only
  28 * under the terms of either the GPL or the LGPL, and not to allow others to
  29 * use your version of this file under the terms of the MPL, indicate your
  30 * decision by deleting the provisions above and replace them with the notice
  31 * and other provisions required by the GPL or the LGPL. If you do not delete
  32 * the provisions above, a recipient may use your version of this file under
  33 * the terms of any one of the MPL, the GPL or the LGPL.
  34 *
  35 * ***** END LICENSE BLOCK ***** */
  36/*
  37 * certt.h - public data structures for the certificate library
  38 *
  39 * $Id: certt.h,v 1.44 2008/03/27 21:56:24 alexei.volkov.bugs%sun.com Exp $
  40 */
  41#ifndef _CERTT_H_
  42#define _CERTT_H_
  43
  44#include "prclist.h"
  45#include "pkcs11t.h"
  46#include "seccomon.h"
  47#include "secmodt.h"
  48#include "secoidt.h"
  49#include "plarena.h"
  50#include "prcvar.h"
  51#include "nssilock.h"
  52#include "prio.h"
  53#include "prmon.h"
  54
  55/* Stan data types */
  56struct NSSCertificateStr;
  57struct NSSTrustDomainStr;
  58
  59/* Non-opaque objects */
  60typedef struct CERTAVAStr                        CERTAVA;
  61typedef struct CERTAttributeStr                  CERTAttribute;
  62typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
  63typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
  64typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
  65typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
  66typedef struct CERTCertExtensionStr              CERTCertExtension;
  67typedef struct CERTCertKeyStr                    CERTCertKey;
  68typedef struct CERTCertListStr                   CERTCertList;
  69typedef struct CERTCertListNodeStr               CERTCertListNode;
  70typedef struct CERTCertNicknamesStr              CERTCertNicknames;
  71typedef struct CERTCertTrustStr                  CERTCertTrust;
  72typedef struct CERTCertificateStr                CERTCertificate;
  73typedef struct CERTCertificateListStr            CERTCertificateList;
  74typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
  75typedef struct CERTCrlStr                        CERTCrl;
  76typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
  77typedef struct CERTCrlEntryStr                   CERTCrlEntry;
  78typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
  79typedef struct CERTCrlKeyStr                     CERTCrlKey;
  80typedef struct CERTCrlNodeStr                    CERTCrlNode;
  81typedef struct CERTDERCertsStr                   CERTDERCerts;
  82typedef struct CERTDistNamesStr                  CERTDistNames;
  83typedef struct CERTGeneralNameStr                CERTGeneralName;
  84typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
  85typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
  86typedef struct CERTNameStr                       CERTName;
  87typedef struct CERTNameConstraintStr             CERTNameConstraint;
  88typedef struct CERTNameConstraintsStr            CERTNameConstraints;
  89typedef struct CERTOKDomainNameStr               CERTOKDomainName;
  90typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
  91typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
  92typedef struct CERTRDNStr                        CERTRDN;
  93typedef struct CERTSignedCrlStr                  CERTSignedCrl;
  94typedef struct CERTSignedDataStr                 CERTSignedData;
  95typedef struct CERTStatusConfigStr               CERTStatusConfig;
  96typedef struct CERTSubjectListStr                CERTSubjectList;
  97typedef struct CERTSubjectNodeStr                CERTSubjectNode;
  98typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
  99typedef struct CERTValidityStr                   CERTValidity;
 100typedef struct CERTVerifyLogStr                  CERTVerifyLog;
 101typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
 102typedef struct CRLDistributionPointStr           CRLDistributionPoint;
 103
 104/* CRL extensions type */
 105typedef unsigned long CERTCrlNumber;
 106
 107/*
 108** An X.500 AVA object
 109*/
 110struct CERTAVAStr {
 111    SECItem type;
 112    SECItem value;
 113};
 114
 115/*
 116** An X.500 RDN object
 117*/
 118struct CERTRDNStr {
 119    CERTAVA **avas;
 120};
 121
 122/*
 123** An X.500 name object
 124*/
 125struct CERTNameStr {
 126    PRArenaPool *arena;
 127    CERTRDN **rdns;
 128};
 129
 130/*
 131** An X.509 validity object
 132*/
 133struct CERTValidityStr {
 134    PRArenaPool *arena;
 135    SECItem notBefore;
 136    SECItem notAfter;
 137};
 138
 139/*
 140 * A serial number and issuer name, which is used as a database key
 141 */
 142struct CERTCertKeyStr {
 143    SECItem serialNumber;
 144    SECItem derIssuer;
 145};
 146
 147/*
 148** A signed data object. Used to implement the "signed" macro used
 149** in the X.500 specs.
 150*/
 151struct CERTSignedDataStr {
 152    SECItem data;
 153    SECAlgorithmID signatureAlgorithm;
 154    SECItem signature;
 155};
 156
 157/*
 158** An X.509 subject-public-key-info object
 159*/
 160struct CERTSubjectPublicKeyInfoStr {
 161    PRArenaPool *arena;
 162    SECAlgorithmID algorithm;
 163    SECItem subjectPublicKey;
 164};
 165
 166struct CERTPublicKeyAndChallengeStr {
 167    SECItem spki;
 168    SECItem challenge;
 169};
 170
 171struct CERTCertTrustStr {
 172    unsigned int sslFlags;
 173    unsigned int emailFlags;
 174    unsigned int objectSigningFlags;
 175};
 176
 177/*
 178 * defined the types of trust that exist
 179 */
 180typedef enum SECTrustTypeEnum {
 181    trustSSL = 0,
 182    trustEmail = 1,
 183    trustObjectSigning = 2,
 184    trustTypeNone = 3
 185} SECTrustType;
 186
 187#define SEC_GET_TRUST_FLAGS(trust,type) \
 188        (((type)==trustSSL)?((trust)->sslFlags): \
 189	 (((type)==trustEmail)?((trust)->emailFlags): \
 190	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
 191
 192/*
 193** An X.509.3 certificate extension
 194*/
 195struct CERTCertExtensionStr {
 196    SECItem id;
 197    SECItem critical;
 198    SECItem value;
 199};
 200
 201struct CERTSubjectNodeStr {
 202    struct CERTSubjectNodeStr *next;
 203    struct CERTSubjectNodeStr *prev;
 204    SECItem certKey;
 205    SECItem keyID;
 206};
 207
 208struct CERTSubjectListStr {
 209    PRArenaPool *arena;
 210    int ncerts;
 211    char *emailAddr;
 212    CERTSubjectNode *head;
 213    CERTSubjectNode *tail; /* do we need tail? */
 214    void *entry;
 215};
 216
 217/*
 218** An X.509 certificate object (the unsigned form)
 219*/
 220struct CERTCertificateStr {
 221    /* the arena is used to allocate any data structures that have the same
 222     * lifetime as the cert.  This is all stuff that hangs off of the cert
 223     * structure, and is all freed at the same time.  I is used when the
 224     * cert is decoded, destroyed, and at some times when it changes
 225     * state
 226     */
 227    PRArenaPool *arena;
 228
 229    /* The following fields are static after the cert has been decoded */
 230    char *subjectName;
 231    char *issuerName;
 232    CERTSignedData signatureWrap;	/* XXX */
 233    SECItem derCert;			/* original DER for the cert */
 234    SECItem derIssuer;			/* DER for issuer name */
 235    SECItem derSubject;			/* DER for subject name */
 236    SECItem derPublicKey;		/* DER for the public key */
 237    SECItem certKey;			/* database key for this cert */
 238    SECItem version;
 239    SECItem serialNumber;
 240    SECAlgorithmID signature;
 241    CERTName issuer;
 242    CERTValidity validity;
 243    CERTName subject;
 244    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
 245    SECItem issuerID;
 246    SECItem subjectID;
 247    CERTCertExtension **extensions;
 248    char *emailAddr;
 249    CERTCertDBHandle *dbhandle;
 250    SECItem subjectKeyID;	/* x509v3 subject key identifier */
 251    PRBool keyIDGenerated;	/* was the keyid generated? */
 252    unsigned int keyUsage;	/* what uses are allowed for this cert */
 253    unsigned int rawKeyUsage;	/* value of the key usage extension */
 254    PRBool keyUsagePresent;	/* was the key usage extension present */
 255    PRUint32 nsCertType;	/* value of the ns cert type extension */
 256				/* must be 32-bit for PR_AtomicSet */
 257
 258    /* these values can be set by the application to bypass certain checks
 259     * or to keep the cert in memory for an entire session.
 260     * XXX - need an api to set these
 261     */
 262    PRBool keepSession;			/* keep this cert for entire session*/
 263    PRBool timeOK;			/* is the bad validity time ok? */
 264    CERTOKDomainName *domainOK;		/* these domain names are ok */
 265
 266    /*
 267     * these values can change when the cert changes state.  These state
 268     * changes include transitions from temp to perm or vice-versa, and
 269     * changes of trust flags
 270     */
 271    PRBool isperm;
 272    PRBool istemp;
 273    char *nickname;
 274    char *dbnickname;
 275    struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
 276    CERTCertTrust *trust;
 277
 278    /* the reference count is modified whenever someone looks up, dups
 279     * or destroys a certificate
 280     */
 281    int referenceCount;
 282
 283    /* The subject list is a list of all certs with the same subject name.
 284     * It can be modified any time a cert is added or deleted from either
 285     * the in-memory(temporary) or on-disk(permanent) database.
 286     */
 287    CERTSubjectList *subjectList;
 288
 289    /* these belong in the static section, but are here to maintain
 290     * the structure's integrity
 291     */
 292    CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
 293    PRBool isRoot;              /* cert is the end of a chain */
 294
 295    /* these fields are used by client GUI code to keep track of ssl sockets
 296     * that are blocked waiting on GUI feedback related to this cert.
 297     * XXX - these should be moved into some sort of application specific
 298     *       data structure.  They are only used by the browser right now.
 299     */
 300    union {
 301        void* apointer; /* was struct SECSocketNode* authsocketlist */
 302        struct {
 303            unsigned int hasUnsupportedCriticalExt :1;
 304            /* add any new option bits needed here */
 305        } bits;
 306    } options;
 307    int series; /* was int authsocketcount; record the series of the pkcs11ID */
 308
 309    /* This is PKCS #11 stuff. */
 310    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
 311    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
 312    PRBool ownSlot;		/*true if the cert owns the slot reference */
 313};
 314#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
 315#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
 316#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
 317
 318#define SEC_CRL_VERSION_1		0	/* default */
 319#define SEC_CRL_VERSION_2		1	/* v2 extensions */
 320
 321/*
 322 * used to identify class of cert in mime stream code
 323 */
 324#define SEC_CERT_CLASS_CA	1
 325#define SEC_CERT_CLASS_SERVER	2
 326#define SEC_CERT_CLASS_USER	3
 327#define SEC_CERT_CLASS_EMAIL	4
 328
 329struct CERTDERCertsStr {
 330    PRArenaPool *arena;
 331    int numcerts;
 332    SECItem *rawCerts;
 333};
 334
 335/*
 336** A PKCS ? Attribute
 337** XXX this is duplicated through out the code, it *should* be moved
 338** to a central location.  Where would be appropriate?
 339*/
 340struct CERTAttributeStr {
 341    SECItem attrType;
 342    SECItem **attrValue;
 343};
 344
 345/*
 346** A PKCS#10 certificate-request object (the unsigned form)
 347*/
 348struct CERTCertificateRequestStr {
 349    PRArenaPool *arena;
 350    SECItem version;
 351    CERTName subject;
 352    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
 353    CERTAttribute **attributes;
 354};
 355#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
 356
 357
 358/*
 359** A certificate list object.
 360*/
 361struct CERTCertificateListStr {
 362    SECItem *certs;
 363    int len;					/* number of certs */
 364    PRArenaPool *arena;
 365};
 366
 367struct CERTCertListNodeStr {
 368    PRCList links;
 369    CERTCertificate *cert;
 370    void *appData;
 371};
 372
 373struct CERTCertListStr {
 374    PRCList list;
 375    PRArenaPool *arena;
 376};
 377
 378#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
 379#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
 380#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
 381#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
 382
 383struct CERTCrlEntryStr {
 384    SECItem serialNumber;
 385    SECItem revocationDate;
 386    CERTCertExtension **extensions;    
 387};
 388
 389struct CERTCrlStr {
 390    PRArenaPool *arena;
 391    SECItem version;
 392    SECAlgorithmID signatureAlg;
 393    SECItem derName;
 394    CERTName name;
 395    SECItem lastUpdate;
 396    SECItem nextUpdate;				/* optional for x.509 CRL  */
 397    CERTCrlEntry **entries;
 398    CERTCertExtension **extensions;    
 399    /* can't add anything there for binary backwards compatibility reasons */
 400};
 401
 402struct CERTCrlKeyStr {
 403    SECItem derName;
 404    SECItem dummy;			/* The decoder can not skip a primitive,
 405					   this serves as a place holder for the
 406					   decoder to finish its task only
 407					*/
 408};
 409
 410struct CERTSignedCrlStr {
 411    PRArenaPool *arena;
 412    CERTCrl crl;
 413    void *reserved1;
 414    PRBool reserved2;
 415    PRBool isperm;
 416    PRBool istemp;
 417    int referenceCount;
 418    CERTCertDBHandle *dbhandle;
 419    CERTSignedData signatureWrap;	/* XXX */
 420    char *url;
 421    SECItem *derCrl;
 422    PK11SlotInfo *slot;
 423    CK_OBJECT_HANDLE pkcs11ID;
 424    void* opaque; /* do not touch */
 425};
 426
 427
 428struct CERTCrlHeadNodeStr {
 429    PRArenaPool *arena;
 430    CERTCertDBHandle *dbhandle;
 431    CERTCrlNode *first;
 432    CERTCrlNode *last;
 433};
 434
 435
 436struct CERTCrlNodeStr {
 437    CERTCrlNode *next;
 438    int 	type;
 439    CERTSignedCrl *crl;
 440};
 441
 442
 443/*
 444 * Array of X.500 Distinguished Names
 445 */
 446struct CERTDistNamesStr {
 447    PRArenaPool *arena;
 448    int nnames;
 449    SECItem  *names;
 450    void *head; /* private */
 451};
 452
 453
 454#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
 455#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
 456#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
 457#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
 458#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
 459#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
 460#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
 461#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
 462
 463#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
 464#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
 465
 466#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
 467			  NS_CERT_TYPE_SSL_SERVER | \
 468			  NS_CERT_TYPE_EMAIL | \
 469			  NS_CERT_TYPE_OBJECT_SIGNING )
 470
 471#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
 472			 NS_CERT_TYPE_EMAIL_CA | \
 473			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
 474			 EXT_KEY_USAGE_STATUS_RESPONDER )
 475typedef enum SECCertUsageEnum {
 476    certUsageSSLClient = 0,
 477    certUsageSSLServer = 1,
 478    certUsageSSLServerWithStepUp = 2,
 479    certUsageSSLCA = 3,
 480    certUsageEmailSigner = 4,
 481    certUsageEmailRecipient = 5,
 482    certUsageObjectSigner = 6,
 483    certUsageUserCertImport = 7,
 484    certUsageVerifyCA = 8,
 485    certUsageProtectedObjectSigner = 9,
 486    certUsageStatusResponder = 10,
 487    certUsageAnyCA = 11
 488} SECCertUsage;
 489
 490typedef PRInt64 SECCertificateUsage;
 491
 492#define certificateUsageCheckAllUsages         (0x0000)
 493#define certificateUsageSSLClient              (0x0001)
 494#define certificateUsageSSLServer              (0x0002)
 495#define certificateUsageSSLServerWithStepUp    (0x0004)
 496#define certificateUsageSSLCA                  (0x0008)
 497#define certificateUsageEmailSigner            (0x0010)
 498#define certificateUsageEmailRecipient         (0x0020)
 499#define certificateUsageObjectSigner           (0x0040)
 500#define certificateUsageUserCertImport         (0x0080)
 501#define certificateUsageVerifyCA               (0x0100)
 502#define certificateUsageProtectedObjectSigner  (0x0200)
 503#define certificateUsageStatusResponder        (0x0400)
 504#define certificateUsageAnyCA                  (0x0800)
 505
 506#define certificateUsageHighest certificateUsageAnyCA
 507
 508/*
 509 * Does the cert belong to the user, a peer, or a CA.
 510 */
 511typedef enum CERTCertOwnerEnum {
 512    certOwnerUser = 0,
 513    certOwnerPeer = 1,
 514    certOwnerCA = 2
 515} CERTCertOwner;
 516
 517/*
 518 * This enum represents the state of validity times of a certificate
 519 */
 520typedef enum SECCertTimeValidityEnum {
 521    secCertTimeValid = 0,
 522    secCertTimeExpired = 1,
 523    secCertTimeNotValidYet = 2,
 524    secCertTimeUndetermined = 3 /* validity could not be decoded from the
 525                                   cert, most likely because it was NULL */
 526} SECCertTimeValidity;
 527
 528/*
 529 * This is used as return status in functions that compare the validity
 530 * periods of two certificates A and B, currently only
 531 * CERT_CompareValidityTimes.
 532 */
 533
 534typedef enum CERTCompareValidityStatusEnum
 535{
 536    certValidityUndetermined = 0, /* the function is unable to select one cert 
 537                                     over another */
 538    certValidityChooseB = 1,      /* cert B should be preferred */
 539    certValidityEqual = 2,        /* both certs have the same validity period */
 540    certValidityChooseA = 3       /* cert A should be preferred */
 541} CERTCompareValidityStatus;
 542
 543/*
 544 * Interface for getting certificate nickname strings out of the database
 545 */
 546
 547/* these are values for the what argument below */
 548#define SEC_CERT_NICKNAMES_ALL		1
 549#define SEC_CERT_NICKNAMES_USER		2
 550#define SEC_CERT_NICKNAMES_SERVER	3
 551#define SEC_CERT_NICKNAMES_CA		4
 552
 553struct CERTCertNicknamesStr {
 554    PRArenaPool *arena;
 555    void *head;
 556    int numnicknames;
 557    char **nicknames;
 558    int what;
 559    int totallen;
 560};
 561
 562struct CERTIssuerAndSNStr {
 563    SECItem derIssuer;
 564    CERTName issuer;
 565    SECItem serialNumber;
 566};
 567
 568
 569/* X.509 v3 Key Usage Extension flags */
 570#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
 571#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
 572#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
 573#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
 574#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
 575#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
 576#define KU_CRL_SIGN			(0x02)  /* bit 6 */
 577#define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
 578#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
 579					 KU_NON_REPUDIATION | \
 580					 KU_KEY_ENCIPHERMENT | \
 581					 KU_DATA_ENCIPHERMENT | \
 582					 KU_KEY_AGREEMENT | \
 583					 KU_KEY_CERT_SIGN | \
 584					 KU_CRL_SIGN | \
 585					 KU_ENCIPHER_ONLY)
 586
 587/* This value will not occur in certs.  It is used internally for the case
 588 * when the key type is not know ahead of time and either key agreement or
 589 * key encipherment are the correct value based on key type
 590 */
 591#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
 592
 593/* internal bits that do not match bits in the x509v3 spec, but are used
 594 * for similar purposes
 595 */
 596#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
 597/*
 598 * x.509 v3 Basic Constraints Extension
 599 * If isCA is false, the pathLenConstraint is ignored.
 600 * Otherwise, the following pathLenConstraint values will apply:
 601 *	< 0 - there is no limit to the certificate path
 602 *	0   - CA can issues end-entity certificates only
 603 *	> 0 - the number of certificates in the certificate path is
 604 *	      limited to this number
 605 */
 606#define CERT_UNLIMITED_PATH_CONSTRAINT -2
 607
 608struct CERTBasicConstraintsStr {
 609    PRBool isCA;			/* on if is CA */
 610    int pathLenConstraint;		/* maximum number of certificates that can be
 611					   in the cert path.  Only applies to a CA
 612					   certificate; otherwise, it's ignored.
 613					 */
 614};
 615
 616/* Maximum length of a certificate chain */
 617#define CERT_MAX_CERT_CHAIN 20
 618
 619#define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
 620#define CERT_MAX_DN_BYTES             4096  /* arbitrary */
 621
 622/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
 623#define RF_UNUSED			(0x80)	/* bit 0 */
 624#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
 625#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
 626#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
 627#define RF_SUPERSEDED			(0x08)  /* bit 4 */
 628#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
 629#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
 630
 631/* enum for CRL Entry Reason Code */
 632typedef enum CERTCRLEntryReasonCodeEnum {
 633    crlEntryReasonUnspecified = 0,
 634    crlEntryReasonKeyCompromise = 1,
 635    crlEntryReasonCaCompromise = 2,
 636    crlEntryReasonAffiliationChanged = 3,
 637    crlEntryReasonSuperseded = 4,
 638    crlEntryReasonCessationOfOperation = 5,
 639    crlEntryReasoncertificatedHold = 6,
 640    crlEntryReasonRemoveFromCRL = 8,
 641    crlEntryReasonPrivilegeWithdrawn = 9,
 642    crlEntryReasonAaCompromise = 10
 643} CERTCRLEntryReasonCode;
 644
 645/* If we needed to extract the general name field, use this */
 646/* General Name types */
 647typedef enum CERTGeneralNameTypeEnum {
 648    certOtherName = 1,
 649    certRFC822Name = 2,
 650    certDNSName = 3,
 651    certX400Address = 4,
 652    certDirectoryName = 5,
 653    certEDIPartyName = 6,
 654    certURI = 7,
 655    certIPAddress = 8,
 656    certRegisterID = 9
 657} CERTGeneralNameType;
 658
 659
 660typedef struct OtherNameStr {
 661    SECItem          name;
 662    SECItem          oid;
 663}OtherName;
 664
 665
 666
 667struct CERTGeneralNameStr {
 668    CERTGeneralNameType type;		/* name type */
 669    union {
 670	CERTName directoryName;         /* distinguish name */
 671	OtherName  OthName;		/* Other Name */
 672	SECItem other;                  /* the rest of the name forms */
 673    }name;
 674    SECItem derDirectoryName;		/* this is saved to simplify directory name
 675					   comparison */
 676    PRCList l;
 677};
 678
 679struct CERTGeneralNameListStr {
 680    PRArenaPool *arena;
 681    CERTGeneralName *name;
 682    int refCount;
 683    int len;
 684    PZLock *lock;
 685};
 686
 687struct CERTNameConstraintStr {
 688    CERTGeneralName  name;
 689    SECItem          DERName;
 690    SECItem          min;
 691    SECItem          max;
 692    PRCList          l;
 693};
 694
 695
 696struct CERTNameConstraintsStr {
 697    CERTNameConstraint  *permited;
 698    CERTNameConstraint  *excluded;
 699    SECItem             **DERPermited;
 700    SECItem             **DERExcluded;
 701};
 702
 703
 704/* Private Key Usage Period extension struct. */
 705struct CERTPrivKeyUsagePeriodStr {
 706    SECItem notBefore;
 707    SECItem notAfter;
 708    PRArenaPool *arena;
 709};
 710
 711/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
 712   issuer field, we only support URI now.
 713 */
 714struct CERTAuthKeyIDStr {
 715    SECItem keyID;			/* unique key identifier */
 716    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
 717    SECItem authCertSerialNumber;	/* CA's certificate serial number */
 718    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
 719					   the authCertIssuer field. It is used
 720					   by the encoding engine. It should be
 721					   used as a read only field by the caller.
 722					*/
 723};
 724
 725/* x.509 v3 CRL Distributeion Point */
 726
 727/*
 728 * defined the types of CRL Distribution points
 729 */
 730typedef enum DistributionPointTypesEnum {
 731    generalName = 1,			/* only support this for now */
 732    relativeDistinguishedName = 2
 733} DistributionPointTypes;
 734
 735struct CRLDistributionPointStr {
 736    DistributionPointTypes distPointType;
 737    union {
 738	CERTGeneralName *fullName;
 739	CERTRDN relativeName;
 740    } distPoint;
 741    SECItem reasons;
 742    CERTGeneralName *crlIssuer;
 743    
 744    /* Reserved for internal use only*/
 745    SECItem derDistPoint;
 746    SECItem derRelativeName;
 747    SECItem **derCrlIssuer;
 748    SECItem **derFullName;
 749    SECItem bitsmap;
 750};
 751
 752struct CERTCrlDistributionPointsStr {
 753    CRLDistributionPoint **distPoints;
 754};
 755
 756/*
 757 * This structure is used to keep a log of errors when verifying
 758 * a cert chain.  This allows multiple errors to be reported all at
 759 * once.
 760 */
 761struct CERTVerifyLogNodeStr {
 762    CERTCertificate *cert;	/* what cert had the error */
 763    long error;			/* what error was it? */
 764    unsigned int depth;		/* how far up the chain are we */
 765    void *arg;			/* error specific argument */
 766    struct CERTVerifyLogNodeStr *next; /* next in the list */
 767    struct CERTVerifyLogNodeStr *prev; /* next in the list */
 768};
 769
 770
 771struct CERTVerifyLogStr {
 772    PRArenaPool *arena;
 773    unsigned int count;
 774    struct CERTVerifyLogNodeStr *head;
 775    struct CERTVerifyLogNodeStr *tail;
 776};
 777
 778
 779struct CERTOKDomainNameStr {
 780    CERTOKDomainName *next;
 781    char              name[1]; /* actual length may be longer. */
 782};
 783
 784
 785typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
 786						    CERTCertificate *cert,
 787						    int64 time,
 788						    void *pwArg);
 789
 790typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
 791
 792struct CERTStatusConfigStr {
 793    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
 794    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
 795    void *statusContext;		/* cx specific to checking protocol */
 796};
 797
 798struct CERTAuthInfoAccessStr {
 799    SECItem method;
 800    SECItem derLocation;
 801    CERTGeneralName *location;		/* decoded location */
 802};
 803
 804
 805/* This is the typedef for the callback passed to CERT_OpenCertDB() */
 806/* callback to return database name based on version number */
 807typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
 808
 809/*
 810 * types of cert packages that we can decode
 811 */
 812typedef enum CERTPackageTypeEnum {
 813    certPackageNone = 0,
 814    certPackageCert = 1,
 815    certPackagePKCS7 = 2,
 816    certPackageNSCertSeq = 3,
 817    certPackageNSCertWrap = 4
 818} CERTPackageType;
 819
 820/*
 821 * these types are for the PKIX Certificate Policies extension
 822 */
 823typedef struct {
 824    SECOidTag oid;
 825    SECItem qualifierID;
 826    SECItem qualifierValue;
 827} CERTPolicyQualifier;
 828
 829typedef struct {
 830    SECOidTag oid;
 831    SECItem policyID;
 832    CERTPolicyQualifier **policyQualifiers;
 833} CERTPolicyInfo;
 834
 835typedef struct {
 836    PRArenaPool *arena;
 837    CERTPolicyInfo **policyInfos;
 838} CERTCertificatePolicies;
 839
 840typedef struct {
 841    SECItem organization;
 842    SECItem **noticeNumbers;
 843} CERTNoticeReference;
 844
 845typedef struct {
 846    PRArenaPool *arena;
 847    CERTNoticeReference noticeReference;
 848    SECItem derNoticeReference;
 849    SECItem displayText;
 850} CERTUserNotice;
 851
 852typedef struct {
 853    PRArenaPool *arena;
 854    SECItem **oids;
 855} CERTOidSequence;
 856
 857/*
 858 * these types are for the PKIX Policy Mappings extension
 859 */
 860typedef struct {
 861    SECItem issuerDomainPolicy;
 862    SECItem subjectDomainPolicy;
 863} CERTPolicyMap;
 864
 865typedef struct {
 866    PRArenaPool *arena;
 867    CERTPolicyMap **policyMaps;
 868} CERTCertificatePolicyMappings;
 869
 870/*
 871 * these types are for the PKIX inhibitAnyPolicy extension
 872 */
 873typedef struct {
 874    SECItem inhibitAnySkipCerts;
 875} CERTCertificateInhibitAny;
 876
 877/*
 878 * these types are for the PKIX Policy Constraints extension
 879 */
 880typedef struct {
 881    SECItem explicitPolicySkipCerts;
 882    SECItem inhibitMappingSkipCerts;
 883} CERTCertificatePolicyConstraints;
 884
 885
 886/*
 887 * these types are for the CERT_PKIX* Verification functions
 888 * These are all optional parameters.
 889 */
 890
 891typedef enum {
 892   cert_pi_end             = 0, /* SPECIAL: signifies end of array of  
 893				 * CERTValParam* */
 894   cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
 895			         * resume a session. If this argument is 
 896				 * specified, no other arguments should be.
 897				 * Specified in value.pointer.p. If the 
 898				 * operation completes the context will be 
 899				 * freed. */
 900   cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an 
 901				 * existing operation which the caller wants
 902			         * to abort. If this argument is 
 903				 * specified, no other arguments should be.
 904				 * Specified in value.pointer.p. If the 
 905			         * operation succeeds the context will be 
 906				 * freed. */
 907   cert_pi_certList        = 3, /* specify the chain to validate against. If
 908				 * this value is given, then the path 
 909				 * construction step in the validation is 
 910				 * skipped. Specified in value.pointer.chain */
 911   cert_pi_policyOID       = 4, /* validate certificate for policy OID.
 912				 * Specified in value.array.oids. Cert must
 913				 * be good for at least one OID in order
 914				 * to validate. Default is no policyOID */
 915   cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
 916				 * Specified in value.scalar.ul. Policy flags
 917				 * apply to all specified oids. 
 918				 * Use CERT_POLICY_FLAG_* macros below. If not
 919				 * specified policy flags default to 0 */
 920   cert_pi_keyusage        = 6, /* specify what the keyusages the certificate 
 921				 * will be evaluated against, specified in
 922				 * value.scalar.ui. The cert must validate for
 923				 * at least one of the specified key usages.
 924				 * Values match the KU_  bit flags defined
 925				 * in this file. Default is derived from
 926				 * the 'usages' function argument */
 927   cert_pi_extendedKeyusage= 7, /* specify what the required extended key 
 928				 * usage of the certificate. Specified as
 929				 * an array of oidTags in value.array.oids.
 930				 * The cert must validate for at least one
 931				 * of the specified extended key usages.
 932				 * If not specified, no extended key usages
 933				 * will be checked. */
 934   cert_pi_date            = 8, /* validate certificate is valid as of date 
 935				 * specified in value.scalar.time. A special 
 936				 * value '0' indicates 'now'. default is '0' */
 937   cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
 938				 * See CERT_REV_FLAG_* macros below
 939				 * Set in value.pointer.revocation */
 940   cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
 941				 * Set in value.scalar.ui */
 942   cert_pi_trustAnchors    = 11,/* specify the list of trusted roots to 
 943				 * validate against. If the list in NULL all
 944				 * default trusted roots are used.
 945				 * Specified in value.pointer.chain */
 946   cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
 947				 *  can increase in future releases */
 948} CERTValParamInType;
 949
 950/*
 951 * for all out parameters:
 952 *  out parameters are only returned if the caller asks for them in
 953 *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
 954 *  array itself. The pkix verify function will allocate and other arrays
 955 *  pointers, or objects. The Caller is responsible for freeing those results.
 956 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
 957 */
 958typedef enum {
 959   cert_po_end             = 0, /* SPECIAL: signifies end of array of  
 960				 * CERTValParam* */
 961   cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
 962				 * non-blocking context is specified, then
 963				 * blocking IO will be used. 
 964				 * Returned in value.pointer.p. The context is 
 965				 * freed after an abort or a complete operation.
 966				 * This value is only returned on SECWouldBlock.
 967				 */
 968   cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
 969				 * was validated. Returned in 
 970				 * value.pointer.cert, this value is only 
 971				 * returned on SECSuccess. */
 972   cert_po_certList        = 3, /* Return the entire chain that was validated.
 973				 * Returned in value.pointer.certList. If no 
 974				 * chain could be constructed, this value 
 975				 * would be NULL. */
 976   cert_po_policyOID       = 4, /* Return the policies that were found to be
 977				 * valid. Returned in value.array.oids as an 
 978				 * array. This is only returned on 
 979				 * SECSuccess. */
 980   cert_po_errorLog        = 5, /* Return a log of problems with the chain.
 981				 * Returned in value.pointer.log  */
 982   cert_po_usages          = 6, /* Return what usages the certificate is valid
 983				   for. Returned in value.scalar.usages */
 984   cert_po_keyUsage        = 7, /* Return what key usages the certificate
 985				 * is valid for.
 986				 * Returned in value.scalar.usage */
 987   cert_po_extendedKeyusage= 8, /* Return what extended key usages the
 988				 * certificate is valid for.
 989				 * Returned in value.array.oids */
 990   cert_po_max                  /* SPECIAL: signifies maximum allowed value,
 991				 *  can increase in future releases */
 992
 993} CERTValParamOutType;
 994
 995typedef enum {
 996    cert_revocation_method_crl = 0,
 997    cert_revocation_method_ocsp,
 998    cert_revocation_method_count
 999} CERTRevocationMethodIndex;
1000
1001
1002/*
1003 * The following flags are supposed to be used to control bits in
1004 * each integer contained in the array pointed to be:
1005 *     CERTRevocationTests.cert_rev_flags_per_method
1006 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1007 * this is a method dependent flag.
1008 */
1009
1010/*
1011 * Whether or not to use a method for revocation testing.
1012 * If set to "do not test", then all other flags are ignored.
1013 */
1014#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0L
1015#define CERT_REV_M_TEST_USING_THIS_METHOD            1L
1016
1017/*
1018 * Whether or not NSS is allowed to attempt to fetch fresh information
1019 *         from the network.
1020 * (Although fetching will never happen if fresh information for the
1021 *           method is already locally available.)
1022 */
1023#define CERT_REV_M_ALLOW_NETWORK_FETCHING            0L
1024#define CERT_REV_M_FORBID_NETWORK_FETCHING           2L
1025
1026/*
1027 * Example for an implicit default source:
1028 *         The globally configured default OCSP responder.
1029 * IGNORE means:
1030 *        ignore the implicit default source, whether it's configured or not.
1031 * ALLOW means:
1032 *       if an implicit default source is configured, 
1033 *          then it overrides any available or missing source in the cert.
1034 *       if no implicit default source is configured,
1035 *          then we continue to use what's available (or not available) 
1036 *          in the certs.
1037 */ 
1038#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0L
1039#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4L
1040
1041/*
1042 * Defines the behavior if no fresh information is available,
1043 *   fetching from the network is allowed, but the source of revocation
1044 *   information is unknown (even after considering implicit sources,
1045 *   if allowed by other flags).
1046 * SKIPT_TEST means:
1047 *          We ignore that no fresh information is available and 
1048 *          skip this test.
1049 * REQUIRE_INFO means:
1050 *          We still require that fresh information is available.
1051 *          Other flags define what happens on missing fresh info.
1052 */
1053#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0L
1054#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8L
1055
1056/*
1057 * Defines the behavior if we are unable to obtain fresh information.
1058 * INGORE means:
1059 *        Return "test succeded, not revoked"
1060 * FAIL means:
1061 *      Return "cert revoked".
1062 */
1063#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0L
1064#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16L
1065
1066/*
1067 * What should happen if we were able to find fresh information using
1068 * this method, and the data indicated the cert is good?
1069 * STOP_TESTING means:
1070 *              Our success is sufficient, do not continue testing
1071 *              other methods.
1072 * CONTINUE_TESTING means:
1073 *                  We will continue and test the next allowed
1074 *                  specified method.
1075 */
1076#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0L
1077#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32L
1078
1079/*
1080 * The following flags are supposed to be used to control bits in
1081 *     CERTRevocationTests.cert_rev_method_independent_flags
1082 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1083 * this is a method independent flag.
1084 */
1085
1086/*
1087 * This defines the order to checking.
1088 * EACH_METHOD_SEPARATELY means:
1089 *      Do all tests related to a particular allowed method
1090 *      (both local information and network fetching) in a single step.
1091 *      Only after testing for a particular method is done,
1092 *      then switching to the next method will happen.
1093 * ALL_LOCAL_INFORMATION_FIRST means:
1094 *      Start by testing the information for all allowed methods
1095 *      which are already locally available. Only after that is done
1096 *      consider to fetch from the network (as allowed by other flags).
1097 */
1098#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0L
1099#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1L
1100
1101/*
1102 * Use this flag to specify that it's necessary that fresh information
1103 * is available for at least one of the allowed methods, but it's
1104 * irrelevant which of the mechanisms succeeded.
1105 * NO_OVERALL_INFO_REQUIREMENT means:
1106 *     We strictly follow the requirements for each individual method.
1107 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1108 *     After the individual tests have been executed, we must have
1109 *     been able to find fresh information using at least one method.
1110 *     If we were unable to find fresh info, it's a failure.
1111 */
1112#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0L
1113#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2L
1114
1115
1116typedef struct {
1117    /*
1118     * The size of the array that cert_rev_flags_per_method points to,
1119     * meaning, the number of methods that are known and defined
1120     * by the caller.
1121     */
1122    PRUint32 number_of_defined_methods;
1123
1124    /*
1125     * A pointer to an array of integers.
1126     * Each integer defines revocation checking for a single method,
1127     *      by having individual CERT_REV_M_* bits set or not set.
1128     * The meaning of index numbers into this array are defined by 
1129     *     enum CERTRevocationMethodIndex
1130     * The size of the array must be specified by the caller in the separate
1131     *     variable number_of_defined_methods.
1132     * The size of the array may be smaller than 
1133     *     cert_revocation_method_count, it can happen if a caller
1134     *     is not yet aware of the latest revocation methods
1135     *     (or does not want to use them).
1136     */ 
1137    PRUint64 *cert_rev_flags_per_method;
1138
1139    /*
1140     * How many preferred methods are specified?
1141     * This is equivalent to the size of the array that 
1142     *      preferred_revocation_methods points to.
1143     * It's allowed to set this value to zero,
1144     *      then NSS will decide which methods to prefer.
1145     */
1146    PRUint32 number_of_preferred_methods;
1147
1148    /* Array that may specify an optional order of preferred methods.
1149     * Each array entry shall contain a method identifier as defined
1150     *   by CERTRevocationMethodIndex.
1151     * The entry at index [0] specifies the method with highest preferrence.
1152     * These methods will be tested first for locally available information.
1153     * Methods allowed for downloading will be attempted in the same order.
1154     */
1155    CERTRevocationMethodIndex *preferred_methods;
1156
1157    /*
1158     * An integer which defines certain aspects of revocation checking
1159     * (independent of individual methods) by having individual
1160     * CERT_REV_MI_* bits set or not set.
1161     */
1162    PRUint64 cert_rev_method_independent_flags;
1163} CERTRevocationTests;
1164
1165typedef struct {
1166    CERTRevocationTests leafTests;
1167    CERTRevocationTests chainTests;
1168} CERTRevocationFlags;
1169
1170typedef struct CERTValParamInValueStr {
1171    union {
1172        PRBool   b;
1173        PRInt32  i;
1174        PRUint32 ui;
1175        PRInt64  l;
1176        PRUint64 ul;
1177        PRTime time;
1178    } scalar;
1179    union {
1180        const void*    p;
1181        const char*    s;
1182        const CERTCertificate* cert;
1183        const CERTCertList *chain;
1184        const CERTRevocationFlags *revocation;
1185    } pointer;
1186    union {
1187        const PRInt32  *pi;
1188        const PRUint32 *pui;
1189        const PRInt64  *pl;
1190        const PRUint64 *pul;
1191        const SECOidTag *oids;
1192    } array;
1193    int arraySize;
1194} CERTValParamInValue;
1195
1196
1197typedef struct CERTValParamOutValueStr {
1198    union {
1199        PRBool   b;
1200        PRInt32  i;
1201        PRUint32 ui;
1202        PRInt64  l;
1203        PRUint64 ul;
1204        SECCertificateUsage usages;
1205    } scalar;
1206    union {
1207        void*    p;
1208        char*    s;
1209        CERTVerifyLog *log;
1210        CERTCertificate* cert;
1211        CERTCertList *chain;
1212    } pointer;
1213    union {
1214        void 	  *p;
1215        SECOidTag *oids;
1216    } array;
1217    int arraySize;
1218} CERTValParamOutValue;
1219
1220typedef struct {
1221    CERTValParamInType type;
1222    CERTValParamInValue value;
1223} CERTValInParam;
1224
1225typedef struct {
1226    CERTValParamOutType type;
1227    CERTValParamOutValue value;
1228} CERTValOutParam;
1229
1230/*
1231 * policy flag defines
1232 */
1233#define CERT_POLICY_FLAG_NO_MAPPING    1
1234#define CERT_POLICY_FLAG_EXPLICIT      2
1235#define CERT_POLICY_FLAG_NO_ANY        4
1236
1237/*
1238 * CertStore flags
1239 */
1240#define CERT_ENABLE_LDAP_FETCH          1
1241#define CERT_ENABLE_HTTP_FETCH          2
1242
1243/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1244
1245#include "secasn1t.h"	/* way down here because I expect template stuff to
1246			 * move out of here anyway */
1247
1248SEC_BEGIN_PROTOS
1249
1250extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1251extern const SEC_ASN1Template CERT_CertificateTemplate[];
1252extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1253extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1254extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1255extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1256extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1257extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1258extern const SEC_ASN1Template CERT_ValidityTemplate[];
1259extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1260extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1261
1262extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1263extern const SEC_ASN1Template CERT_NameTemplate[];
1264extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1265extern const SEC_ASN1Template CERT_RDNTemplate[];
1266extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1267extern const SEC_ASN1Template CERT_CrlTemplate[];
1268extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1269
1270/*
1271** XXX should the attribute stuff be centralized for all of ns/security?
1272*/
1273extern const SEC_ASN1Template CERT_AttributeTemplate[];
1274extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1275
1276/* These functions simply return the address of the above-declared templates.
1277** This is necessary for Windows DLLs.  Sigh.
1278*/
1279SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1280SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1281SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1282SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1283SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1284SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1285SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1286SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1287SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1288SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1289SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1290SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1291
1292SEC_END_PROTOS
1293
1294#endif /* _CERTT_H_ */