PageRenderTime 236ms CodeModel.GetById 60ms app.highlight 127ms RepoModel.GetById 34ms app.codeStats 1ms

/gecko_api/include/cert.h

http://firefox-mac-pdf.googlecode.com/
C++ Header | 1661 lines | 565 code | 291 blank | 805 comment | 0 complexity | cec6c62e3f2324f6966abbd9b7a225e7 MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1/* ***** BEGIN LICENSE BLOCK *****
   2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   3 *
   4 * The contents of this file are subject to the Mozilla Public License Version
   5 * 1.1 (the "License"); you may not use this file except in compliance with
   6 * the License. You may obtain a copy of the License at
   7 * http://www.mozilla.org/MPL/
   8 *
   9 * Software distributed under the License is distributed on an "AS IS" basis,
  10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11 * for the specific language governing rights and limitations under the
  12 * License.
  13 *
  14 * The Original Code is the Netscape security libraries.
  15 *
  16 * The Initial Developer of the Original Code is
  17 * Netscape Communications Corporation.
  18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19 * the Initial Developer. All Rights Reserved.
  20 *
  21 * Contributor(s):
  22 *
  23 * Alternatively, the contents of this file may be used under the terms of
  24 * either the GNU General Public License Version 2 or later (the "GPL"), or
  25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26 * in which case the provisions of the GPL or the LGPL are applicable instead
  27 * of those above. If you wish to allow use of your version of this file only
  28 * under the terms of either the GPL or the LGPL, and not to allow others to
  29 * use your version of this file under the terms of the MPL, indicate your
  30 * decision by deleting the provisions above and replace them with the notice
  31 * and other provisions required by the GPL or the LGPL. If you do not delete
  32 * the provisions above, a recipient may use your version of this file under
  33 * the terms of any one of the MPL, the GPL or the LGPL.
  34 *
  35 * ***** END LICENSE BLOCK ***** */
  36
  37/*
  38 * cert.h - public data structures and prototypes for the certificate library
  39 *
  40 * $Id: cert.h,v 1.68 2008/03/15 02:15:34 alexei.volkov.bugs%sun.com Exp $
  41 */
  42
  43#ifndef _CERT_H_
  44#define _CERT_H_
  45
  46#include "utilrename.h"
  47#include "plarena.h"
  48#include "plhash.h"
  49#include "prlong.h"
  50#include "prlog.h"
  51
  52#include "seccomon.h"
  53#include "secdert.h"
  54#include "secoidt.h"
  55#include "keyt.h"
  56#include "certt.h"
  57
  58SEC_BEGIN_PROTOS
  59   
  60/****************************************************************************
  61 *
  62 * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
  63 *
  64 ****************************************************************************/
  65
  66/*
  67** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
  68*/
  69extern CERTName *CERT_AsciiToName(char *string);
  70
  71/*
  72** Convert an CERTName into its RFC1485 encoded equivalent.
  73** Returns a string that must be freed with PORT_Free().
  74*/
  75extern char *CERT_NameToAscii(CERTName *name);
  76
  77extern CERTAVA *CERT_CopyAVA(PRArenaPool *arena, CERTAVA *src);
  78
  79/* convert an OID to dotted-decimal representation */
  80/* Returns a string that must be freed with PR_smprintf_free(). */
  81extern char * CERT_GetOidString(const SECItem *oid);
  82
  83/*
  84** Examine an AVA and return the tag that refers to it. The AVA tags are
  85** defined as SEC_OID_AVA*.
  86*/
  87extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
  88
  89/*
  90** Compare two AVA's, returning the difference between them.
  91*/
  92extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
  93
  94/*
  95** Create an RDN (relative-distinguished-name). The argument list is a
  96** NULL terminated list of AVA's.
  97*/
  98extern CERTRDN *CERT_CreateRDN(PRArenaPool *arena, CERTAVA *avas, ...);
  99
 100/*
 101** Make a copy of "src" storing it in "dest".
 102*/
 103extern SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *dest, CERTRDN *src);
 104
 105/*
 106** Destory an RDN object.
 107**	"rdn" the RDN to destroy
 108**	"freeit" if PR_TRUE then free the object as well as its sub-objects
 109*/
 110extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
 111
 112/*
 113** Add an AVA to an RDN.
 114**	"rdn" the RDN to add to
 115**	"ava" the AVA to add
 116*/
 117extern SECStatus CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
 118
 119/*
 120** Compare two RDN's, returning the difference between them.
 121*/
 122extern SECComparison CERT_CompareRDN(CERTRDN *a, CERTRDN *b);
 123
 124/*
 125** Create an X.500 style name using a NULL terminated list of RDN's.
 126*/
 127extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
 128
 129/*
 130** Make a copy of "src" storing it in "dest". Memory is allocated in
 131** "dest" for each of the appropriate sub objects. Memory is not freed in
 132** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
 133** do that).
 134*/
 135extern SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *dest, CERTName *src);
 136
 137/*
 138** Destroy a Name object.
 139**	"name" the CERTName to destroy
 140**	"freeit" if PR_TRUE then free the object as well as its sub-objects
 141*/
 142extern void CERT_DestroyName(CERTName *name);
 143
 144/*
 145** Add an RDN to a name.
 146**	"name" the name to add the RDN to
 147**	"rdn" the RDN to add to name
 148*/
 149extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
 150
 151/*
 152** Compare two names, returning the difference between them.
 153*/
 154extern SECComparison CERT_CompareName(CERTName *a, CERTName *b);
 155
 156/*
 157** Convert a CERTName into something readable
 158*/
 159extern char *CERT_FormatName (CERTName *name);
 160
 161/*
 162** Convert a der-encoded integer to a hex printable string form.
 163** Perhaps this should be a SEC function but it's only used for certs.
 164*/
 165extern char *CERT_Hexify (SECItem *i, int do_colon);
 166
 167/******************************************************************************
 168 *
 169 * Certificate handling operations
 170 *
 171 *****************************************************************************/
 172
 173/*
 174** Create a new validity object given two unix time values.
 175**	"notBefore" the time before which the validity is not valid
 176**	"notAfter" the time after which the validity is not valid
 177*/
 178extern CERTValidity *CERT_CreateValidity(int64 notBefore, int64 notAfter);
 179
 180/*
 181** Destroy a validity object.
 182**	"v" the validity to destroy
 183**	"freeit" if PR_TRUE then free the object as well as its sub-objects
 184*/
 185extern void CERT_DestroyValidity(CERTValidity *v);
 186
 187/*
 188** Copy the "src" object to "dest". Memory is allocated in "dest" for
 189** each of the appropriate sub-objects. Memory in "dest" is not freed
 190** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
 191** that).
 192*/
 193extern SECStatus CERT_CopyValidity
 194   (PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
 195
 196/*
 197** The cert lib considers a cert or CRL valid if the "notBefore" time is
 198** in the not-too-distant future, e.g. within the next 24 hours. This 
 199** prevents freshly issued certificates from being considered invalid
 200** because the local system's time zone is incorrectly set.  
 201** The amount of "pending slop time" is adjustable by the application.
 202** Units of SlopTime are seconds.  Default is 86400  (24 hours).
 203** Negative SlopTime values are not allowed.
 204*/
 205PRInt32 CERT_GetSlopTime(void);
 206
 207SECStatus CERT_SetSlopTime(PRInt32 slop);
 208
 209/*
 210** Create a new certificate object. The result must be wrapped with an
 211** CERTSignedData to create a signed certificate.
 212**	"serialNumber" the serial number
 213**	"issuer" the name of the certificate issuer
 214**	"validity" the validity period of the certificate
 215**	"req" the certificate request that prompted the certificate issuance
 216*/
 217extern CERTCertificate *
 218CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
 219			CERTValidity *validity, CERTCertificateRequest *req);
 220
 221/*
 222** Destroy a certificate object
 223**	"cert" the certificate to destroy
 224** NOTE: certificate's are reference counted. This call decrements the
 225** reference count, and if the result is zero, then the object is destroyed
 226** and optionally freed.
 227*/
 228extern void CERT_DestroyCertificate(CERTCertificate *cert);
 229
 230/*
 231** Make a shallow copy of a certificate "c". Just increments the
 232** reference count on "c".
 233*/
 234extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
 235
 236/*
 237** Create a new certificate request. This result must be wrapped with an
 238** CERTSignedData to create a signed certificate request.
 239**	"name" the subject name (who the certificate request is from)
 240**	"spki" describes/defines the public key the certificate is for
 241**	"attributes" if non-zero, some optional attribute data
 242*/
 243extern CERTCertificateRequest *
 244CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
 245			       SECItem **attributes);
 246
 247/*
 248** Destroy a certificate-request object
 249**	"r" the certificate-request to destroy
 250**	"freeit" if PR_TRUE then free the object as well as its sub-objects
 251*/
 252extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
 253
 254/*
 255** Start adding extensions to a certificate request.
 256*/
 257void *
 258CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
 259
 260/*
 261** Reformat the certificate extension list into a CertificateRequest
 262** attribute list.
 263*/
 264SECStatus
 265CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
 266
 267/*
 268** Extract the Extension Requests from a DER CertRequest attribute list.
 269*/
 270SECStatus
 271CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
 272                                     CERTCertExtension ***exts);
 273
 274/*
 275** Extract a public key object from a certificate
 276*/
 277extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
 278
 279/*
 280 * used to get a public key with Key Material ID. Only used for fortezza V1
 281 * certificates.
 282 */
 283extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
 284
 285
 286/*
 287** Retrieve the Key Type associated with the cert we're dealing with
 288*/
 289
 290extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
 291
 292/*
 293** Initialize the certificate database.  This is called to create
 294**  the initial list of certificates in the database.
 295*/
 296extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
 297
 298extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
 299
 300/*
 301** Default certificate database routines
 302*/
 303extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
 304
 305extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
 306
 307extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, 
 308					       int64 time, 
 309					       SECCertUsage usage);
 310extern CERTCertificate *
 311CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
 312                         char *nickname, PRBool isperm, PRBool copyDER);
 313
 314
 315/******************************************************************************
 316 *
 317 * X.500 Name handling operations
 318 *
 319 *****************************************************************************/
 320
 321/*
 322** Create an AVA (attribute-value-assertion)
 323**	"arena" the memory arena to alloc from
 324**	"kind" is one of SEC_OID_AVA_*
 325**	"valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
 326**	   DER_T61_STRING
 327**	"value" is the null terminated string containing the value
 328*/
 329extern CERTAVA *CERT_CreateAVA
 330   (PRArenaPool *arena, SECOidTag kind, int valueType, char *value);
 331
 332/*
 333** Extract the Distinguished Name from a DER encoded certificate
 334**	"derCert" is the DER encoded certificate
 335**	"derName" is the SECItem that the name is returned in
 336*/
 337extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
 338
 339/*
 340** Extract the Issuers Distinguished Name from a DER encoded certificate
 341**	"derCert" is the DER encoded certificate
 342**	"derName" is the SECItem that the name is returned in
 343*/
 344extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, 
 345					    SECItem *derName);
 346
 347extern SECItem *
 348CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
 349		       PRArenaPool *arena);
 350
 351extern CERTGeneralName *
 352CERT_DecodeGeneralName(PRArenaPool *reqArena, SECItem *encodedName,
 353		       CERTGeneralName  *genName);
 354
 355
 356
 357/*
 358** Generate a database search key for a certificate, based on the
 359** issuer and serial number.
 360**	"arena" the memory arena to alloc from
 361**	"derCert" the DER encoded certificate
 362**	"key" the returned key
 363*/
 364extern SECStatus CERT_KeyFromDERCert(PRArenaPool *reqArena, SECItem *derCert,
 365                                     SECItem *key);
 366
 367extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
 368					 SECItem *sn, SECItem *key);
 369
 370extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, 
 371						SECItem *derName);
 372
 373
 374/*
 375** Generate a database search key for a crl, based on the
 376** issuer.
 377**	"arena" the memory arena to alloc from
 378**	"derCrl" the DER encoded crl
 379**	"key" the returned key
 380*/
 381extern SECStatus CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key);
 382
 383/*
 384** Open the certificate database.  Use callback to get name of database.
 385*/
 386extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
 387				 CERTDBNameFunc namecb, void *cbarg);
 388
 389/* Open the certificate database.  Use given filename for database. */
 390extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
 391					 char *certdbname, PRBool readOnly);
 392
 393/*
 394** Open and initialize a cert database that is entirely in memory.  This
 395** can be used when the permanent database can not be opened or created.
 396*/
 397extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
 398
 399/*
 400** Extract the list of host names, host name patters, IP address strings
 401** this cert is valid for.
 402** This function does NOT return nicknames.
 403** Type CERTCertNicknames is being used because it's a convenient 
 404** data structure to carry a list of strings and its count.
 405*/
 406extern CERTCertNicknames *
 407  CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
 408
 409/*
 410** Check the hostname to make sure that it matches the shexp that
 411** is given in the common name of the certificate.
 412*/
 413extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
 414
 415/*
 416** Add a domain name to the list of names that the user has explicitly
 417** allowed (despite cert name mismatches) for use with a server cert.
 418*/
 419extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
 420
 421/*
 422** Decode a DER encoded certificate into an CERTCertificate structure
 423**	"derSignedCert" is the DER encoded signed certificate
 424**	"copyDER" is true if the DER should be copied, false if the
 425**		existing copy should be referenced
 426**	"nickname" is the nickname to use in the database.  If it is NULL
 427**		then a temporary nickname is generated.
 428*/
 429extern CERTCertificate *
 430CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
 431/*
 432** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
 433**	"derSignedCrl" is the DER encoded signed crl/krl.
 434**	"type" is this a CRL or KRL.
 435*/
 436#define SEC_CRL_TYPE	1
 437#define SEC_KRL_TYPE	0
 438
 439extern CERTSignedCrl *
 440CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
 441
 442/*
 443 * same as CERT_DecodeDERCrl, plus allow options to be passed in
 444 */
 445
 446extern CERTSignedCrl *
 447CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
 448                          int type, PRInt32 options);
 449
 450/* CRL options to pass */
 451
 452#define CRL_DECODE_DEFAULT_OPTIONS          0x00000000
 453
 454/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
 455   application must then keep derSignedCrl until it destroys the
 456   CRL . Ideally, it should allocate derSignedCrl in an arena
 457   and pass that arena in as the first argument to
 458   CERT_DecodeDERCrlWithFlags */
 459
 460#define CRL_DECODE_DONT_COPY_DER            0x00000001
 461#define CRL_DECODE_SKIP_ENTRIES             0x00000002
 462#define CRL_DECODE_KEEP_BAD_CRL             0x00000004
 463#define CRL_DECODE_ADOPT_HEAP_DER           0x00000008
 464
 465/* complete the decoding of a partially decoded CRL, ie. decode the
 466   entries. Note that entries is an optional field in a CRL, so the
 467   "entries" pointer in CERTCrlStr may still be NULL even after
 468   function returns SECSuccess */
 469
 470extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
 471
 472/* Validate CRL then import it to the dbase.  If there is already a CRL with the
 473 * same CA in the dbase, it will be replaced if derCRL is more up to date.  
 474 * If the process successes, a CRL will be returned.  Otherwise, a NULL will 
 475 * be returned. The caller should call PORT_GetError() for the exactly error 
 476 * code.
 477 */
 478extern CERTSignedCrl *
 479CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, 
 480						int type, void * wincx);
 481
 482extern void CERT_DestroyCrl (CERTSignedCrl *crl);
 483
 484/* this is a hint to flush the CRL cache. crlKey is the DER subject of
 485   the issuer (CA). */
 486void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
 487
 488/* add the specified DER CRL object to the CRL cache. Doing so will allow
 489   certificate verification functions (such as CERT_VerifyCertificate)
 490   to automatically find and make use of this CRL object.
 491   Once a CRL is added to the CRL cache, the application must hold on to
 492   the object's memory, because the cache will reference it directly. The
 493   application can only free the object after it calls CERT_UncacheCRL to
 494   remove it from the CRL cache.
 495*/
 496SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
 497
 498/* remove a previously added CRL object from the CRL cache. It is OK
 499   for the application to free the memory after a successful removal
 500*/
 501SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
 502
 503/*
 504** Decode a certificate and put it into the temporary certificate database
 505*/
 506extern CERTCertificate *
 507CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
 508
 509/*
 510** Find a certificate in the database
 511**	"key" is the database key to look for
 512*/
 513extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
 514
 515/*
 516** Find a certificate in the database by name
 517**	"name" is the distinguished name to look up
 518*/
 519extern CERTCertificate *
 520CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
 521
 522/*
 523** Find a certificate in the database by name
 524**	"name" is the distinguished name to look up (in ascii)
 525*/
 526extern CERTCertificate *
 527CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
 528
 529/*
 530** Find a certificate in the database by name and keyid
 531**	"name" is the distinguished name to look up
 532**	"keyID" is the value of the subjectKeyID to match
 533*/
 534extern CERTCertificate *
 535CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
 536
 537/*
 538** Generate a certificate key from the issuer and serialnumber, then look it
 539** up in the database.  Return the cert if found.
 540**	"issuerAndSN" is the issuer and serial number to look for
 541*/
 542extern CERTCertificate *
 543CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
 544
 545/*
 546** Find a certificate in the database by a subject key ID
 547**	"subjKeyID" is the subject Key ID to look for
 548*/
 549extern CERTCertificate *
 550CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
 551
 552/*
 553** Find a certificate in the database by a nickname
 554**	"nickname" is the ascii string nickname to look for
 555*/
 556extern CERTCertificate *
 557CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);
 558
 559/*
 560** Find a certificate in the database by a DER encoded certificate
 561**	"derCert" is the DER encoded certificate
 562*/
 563extern CERTCertificate *
 564CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
 565
 566/*
 567** Find a certificate in the database by a email address
 568**	"emailAddr" is the email address to look up
 569*/
 570CERTCertificate *
 571CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
 572
 573/*
 574** Find a certificate in the database by a email address or nickname
 575**	"name" is the email address or nickname to look up
 576*/
 577CERTCertificate *
 578CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);
 579
 580/*
 581** Find a certificate in the database by a digest of a subject public key
 582**	"spkDigest" is the digest to look up
 583*/
 584extern CERTCertificate *
 585CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
 586
 587/*
 588 * Find the issuer of a cert
 589 */
 590CERTCertificate *
 591CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage);
 592
 593/*
 594** Check the validity times of a certificate vs. time 't', allowing
 595** some slop for broken clocks and stuff.
 596**	"cert" is the certificate to be checked
 597**	"t" is the time to check against
 598**	"allowOverride" if true then check to see if the invalidity has
 599**		been overridden by the user.
 600*/
 601extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
 602						    PRTime t,
 603						    PRBool allowOverride);
 604
 605/*
 606** WARNING - this function is depricated, and will either go away or have
 607**		a new API in the near future.
 608**
 609** Check the validity times of a certificate vs. the current time, allowing
 610** some slop for broken clocks and stuff.
 611**	"cert" is the certificate to be checked
 612*/
 613extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
 614
 615/*
 616** Extract the validity times from a certificate
 617**	"c" is the certificate
 618**	"notBefore" is the start of the validity period
 619**	"notAfter" is the end of the validity period
 620*/
 621extern SECStatus
 622CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
 623
 624/*
 625** Extract the issuer and serial number from a certificate
 626*/
 627extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PRArenaPool *, 
 628							CERTCertificate *);
 629
 630/*
 631** verify the signature of a signed data object with a given certificate
 632**	"sd" the signed data object to be verified
 633**	"cert" the certificate to use to check the signature
 634*/
 635extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
 636				       CERTCertificate *cert,
 637				       int64 t,
 638				       void *wincx);
 639/*
 640** verify the signature of a signed data object with the given DER publickey
 641*/
 642extern SECStatus
 643CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
 644                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
 645                                       void *wincx);
 646
 647/*
 648** verify the signature of a signed data object with a SECKEYPublicKey.
 649*/
 650extern SECStatus
 651CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
 652                                   SECKEYPublicKey *pubKey, void *wincx);
 653
 654/*
 655** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
 656** verify a certificate by checking validity times against a certain time,
 657** that we trust the issuer, and that the signature on the certificate is
 658** valid.
 659**	"cert" the certificate to verify
 660**	"checkSig" only check signatures if true
 661*/
 662extern SECStatus
 663CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 664		PRBool checkSig, SECCertificateUsage requiredUsages,
 665                int64 t, void *wincx, CERTVerifyLog *log,
 666                SECCertificateUsage* returnedUsages);
 667
 668/* same as above, but uses current time */
 669extern SECStatus
 670CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
 671		   PRBool checkSig, SECCertificateUsage requiredUsages,
 672                   void *wincx, SECCertificateUsage* returnedUsages);
 673
 674/*
 675** Verify that a CA cert can certify some (unspecified) leaf cert for a given
 676** purpose. This is used by UI code to help identify where a chain may be
 677** broken and why. This takes identical parameters to CERT_VerifyCert
 678*/
 679extern SECStatus
 680CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
 681		PRBool checkSig, SECCertUsage certUsage, int64 t,
 682		void *wincx, CERTVerifyLog *log);
 683
 684/*
 685** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
 686** verify a certificate by checking validity times against a certain time,
 687** that we trust the issuer, and that the signature on the certificate is
 688** valid.
 689**	"cert" the certificate to verify
 690**	"checkSig" only check signatures if true
 691*/
 692extern SECStatus
 693CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
 694		PRBool checkSig, SECCertUsage certUsage, int64 t,
 695		void *wincx, CERTVerifyLog *log);
 696
 697/* same as above, but uses current time */
 698extern SECStatus
 699CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
 700		   PRBool checkSig, SECCertUsage certUsage, void *wincx);
 701
 702SECStatus
 703CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
 704		     PRBool checkSig, SECCertUsage certUsage, int64 t,
 705		     void *wincx, CERTVerifyLog *log);
 706
 707/*
 708** Read a base64 ascii encoded DER certificate and convert it to our
 709** internal format.
 710**	"certstr" is a null-terminated string containing the certificate
 711*/
 712extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
 713
 714/*
 715** Read a certificate in some foreign format, and convert it to our
 716** internal format.
 717**	"certbuf" is the buffer containing the certificate
 718**	"certlen" is the length of the buffer
 719** NOTE - currently supports netscape base64 ascii encoded raw certs
 720**  and netscape binary DER typed files.
 721*/
 722extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
 723
 724extern SECStatus
 725CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
 726
 727extern SECStatus
 728CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
 729
 730/*
 731** Read a certificate chain in some foreign format, and pass it to a 
 732** callback function.
 733**	"certbuf" is the buffer containing the certificate
 734**	"certlen" is the length of the buffer
 735**	"f" is the callback function
 736**	"arg" is the callback argument
 737*/
 738typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
 739   (void *arg, SECItem **certs, int numcerts);
 740
 741extern SECStatus
 742CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
 743		       void *arg);
 744
 745/* 
 746** Returns the value of an AVA.  This was a formerly static 
 747** function that has been exposed due to the need to decode
 748** and convert unicode strings to UTF8.  
 749**
 750** XXX This function resides in certhtml.c, should it be
 751** moved elsewhere?
 752*/
 753extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
 754
 755
 756
 757/*
 758** extract various element strings from a distinguished name.
 759**	"name" the distinguished name
 760*/
 761
 762extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
 763
 764extern char *CERT_GetCertEmailAddress(CERTName *name);
 765
 766extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
 767
 768extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, 
 769                                             const char * prev);
 770
 771/* The return value must be freed with PORT_Free. */
 772extern char *CERT_GetCommonName(CERTName *name);
 773
 774extern char *CERT_GetCountryName(CERTName *name);
 775
 776extern char *CERT_GetLocalityName(CERTName *name);
 777
 778extern char *CERT_GetStateName(CERTName *name);
 779
 780extern char *CERT_GetOrgName(CERTName *name);
 781
 782extern char *CERT_GetOrgUnitName(CERTName *name);
 783
 784extern char *CERT_GetDomainComponentName(CERTName *name);
 785
 786extern char *CERT_GetCertUid(CERTName *name);
 787
 788/* manipulate the trust parameters of a certificate */
 789
 790extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
 791
 792extern SECStatus
 793CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
 794		      CERTCertTrust *trust);
 795
 796extern SECStatus
 797CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
 798			    SECCertUsage usage);
 799
 800/*************************************************************************
 801 *
 802 * manipulate the extensions of a certificate
 803 *
 804 ************************************************************************/
 805
 806/*
 807** Set up a cert for adding X509v3 extensions.  Returns an opaque handle
 808** used by the next two routines.
 809**	"cert" is the certificate we are adding extensions to
 810*/
 811extern void *CERT_StartCertExtensions(CERTCertificate *cert);
 812
 813/*
 814** Add an extension to a certificate.
 815**	"exthandle" is the handle returned by the previous function
 816**	"idtag" is the integer tag for the OID that should ID this extension
 817**	"value" is the value of the extension
 818**	"critical" is the critical extension flag
 819**	"copyData" is a flag indicating whether the value data should be
 820**		copied.
 821*/
 822extern SECStatus CERT_AddExtension (void *exthandle, int idtag, 
 823			SECItem *value, PRBool critical, PRBool copyData);
 824
 825extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
 826			 SECItem *value, PRBool critical, PRBool copyData);
 827
 828extern SECStatus CERT_EncodeAndAddExtension
 829   (void *exthandle, int idtag, void *value, PRBool critical,
 830    const SEC_ASN1Template *atemplate);
 831
 832extern SECStatus CERT_EncodeAndAddBitStrExtension
 833   (void *exthandle, int idtag, SECItem *value, PRBool critical);
 834
 835
 836extern SECStatus
 837CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
 838
 839
 840/*
 841** Finish adding cert extensions.  Does final processing on extension
 842** data, putting it in the right format, and freeing any temporary
 843** storage.
 844**	"exthandle" is the handle used to add extensions to a certificate
 845*/
 846extern SECStatus CERT_FinishExtensions(void *exthandle);
 847
 848/*
 849** Merge an external list of extensions into a cert's extension list, adding one
 850** only when its OID matches none of the cert's existing extensions. Call this
 851** immediately before calling CERT_FinishExtensions().
 852*/
 853SECStatus
 854CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
 855
 856/* If the extension is found, return its criticality and value.
 857** This allocate storage for the returning extension value.
 858*/
 859extern SECStatus CERT_GetExtenCriticality
 860   (CERTCertExtension **extensions, int tag, PRBool *isCritical);
 861
 862extern void
 863CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
 864
 865/****************************************************************************
 866 *
 867 * DER encode and decode extension values
 868 *
 869 ****************************************************************************/
 870
 871/* Encode the value of the basicConstraint extension.
 872**	arena - where to allocate memory for the encoded value.
 873**	value - extension value to encode
 874**	encodedValue - output encoded value
 875*/
 876extern SECStatus CERT_EncodeBasicConstraintValue
 877   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
 878
 879/*
 880** Encode the value of the authorityKeyIdentifier extension.
 881*/
 882extern SECStatus CERT_EncodeAuthKeyID
 883   (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
 884
 885/*
 886** Encode the value of the crlDistributionPoints extension.
 887*/
 888extern SECStatus CERT_EncodeCRLDistributionPoints
 889   (PRArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
 890
 891/*
 892** Decodes a DER encoded basicConstaint extension value into a readable format
 893**	value - decoded value
 894**	encodedValue - value to decoded
 895*/
 896extern SECStatus CERT_DecodeBasicConstraintValue
 897   (CERTBasicConstraints *value, SECItem *encodedValue);
 898
 899/* Decodes a DER encoded authorityKeyIdentifier extension value into a
 900** readable format.
 901**	arena - where to allocate memory for the decoded value
 902**	encodedValue - value to be decoded
 903**	Returns a CERTAuthKeyID structure which contains the decoded value
 904*/
 905extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
 906			(PRArenaPool *arena, SECItem *encodedValue);
 907
 908
 909/* Decodes a DER encoded crlDistributionPoints extension value into a 
 910** readable format.
 911**	arena - where to allocate memory for the decoded value
 912**	der - value to be decoded
 913**	Returns a CERTCrlDistributionPoints structure which contains the 
 914**          decoded value
 915*/
 916extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
 917   (PRArenaPool *arena, SECItem *der);
 918
 919/* Extract certain name type from a generalName */
 920extern void *CERT_GetGeneralNameByType
 921   (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
 922
 923
 924extern CERTOidSequence *
 925CERT_DecodeOidSequence(SECItem *seqItem);
 926
 927
 928
 929
 930/****************************************************************************
 931 *
 932 * Find extension values of a certificate 
 933 *
 934 ***************************************************************************/
 935
 936extern SECStatus CERT_FindCertExtension
 937   (CERTCertificate *cert, int tag, SECItem *value);
 938
 939extern SECStatus CERT_FindNSCertTypeExtension
 940   (CERTCertificate *cert, SECItem *value);
 941
 942extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
 943
 944extern SECStatus CERT_FindIssuerCertExtension
 945   (CERTCertificate *cert, int tag, SECItem *value);
 946
 947extern SECStatus CERT_FindCertExtensionByOID
 948   (CERTCertificate *cert, SECItem *oid, SECItem *value);
 949
 950extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
 951								int catag);
 952
 953/* Returns the decoded value of the authKeyID extension.
 954**   Note that this uses passed in the arena to allocate storage for the result
 955*/
 956extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena,CERTCertificate *cert);
 957
 958/* Returns the decoded value of the basicConstraint extension.
 959 */
 960extern SECStatus CERT_FindBasicConstraintExten
 961   (CERTCertificate *cert, CERTBasicConstraints *value);
 962
 963/* Returns the decoded value of the crlDistributionPoints extension.
 964**  Note that the arena in cert is used to allocate storage for the result
 965*/
 966extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
 967   (CERTCertificate *cert);
 968
 969/* Returns value of the keyUsage extension.  This uses PR_Alloc to allocate 
 970** buffer for the decoded value. The caller should free up the storage 
 971** allocated in value->data.
 972*/
 973extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, 
 974							SECItem *value);
 975
 976/* Return the decoded value of the subjectKeyID extension. The caller should 
 977** free up the storage allocated in retItem->data.
 978*/
 979extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, 
 980							   SECItem *retItem);
 981
 982/*
 983** If cert is a v3 certificate, and a critical keyUsage extension is included,
 984** then check the usage against the extension value.  If a non-critical 
 985** keyUsage extension is included, this will return SECSuccess without 
 986** checking, since the extension is an advisory field, not a restriction.  
 987** If cert is not a v3 certificate, this will return SECSuccess.
 988**	cert - certificate
 989**	usage - one of the x.509 v3 the Key Usage Extension flags
 990*/
 991extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, 
 992							unsigned char usage);
 993
 994/****************************************************************************
 995 *
 996 *  CRL v2 Extensions supported routines
 997 *
 998 ****************************************************************************/
 999
1000extern SECStatus CERT_FindCRLExtensionByOID
1001   (CERTCrl *crl, SECItem *oid, SECItem *value);
1002
1003extern SECStatus CERT_FindCRLExtension
1004   (CERTCrl *crl, int tag, SECItem *value);
1005
1006extern SECStatus
1007   CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value);
1008
1009/*
1010** Set up a crl for adding X509v3 extensions.  Returns an opaque handle
1011** used by routines that take an exthandle (void*) argument .
1012**	"crl" is the CRL we are adding extensions to
1013*/
1014extern void *CERT_StartCRLExtensions(CERTCrl *crl);
1015
1016/*
1017** Set up a crl entry for adding X509v3 extensions.  Returns an opaque handle
1018** used by routines that take an exthandle (void*) argument .
1019**	"crl" is the crl we are adding certs entries to
1020**      "entry" is the crl entry we are adding extensions to
1021*/
1022extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
1023
1024extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
1025						 int what, void *wincx);
1026
1027/*
1028** Finds the crlNumber extension and decodes its value into 'value'
1029*/
1030extern SECStatus CERT_FindCRLNumberExten (PRArenaPool *arena, CERTCrl *crl,
1031                                          SECItem *value);
1032
1033extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
1034					       CERTCRLEntryReasonCode *value);
1035
1036extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
1037
1038extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
1039
1040extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
1041							 CERTCertificate *c2);
1042
1043/*
1044** Generate an array of the Distinguished Names that the given cert database
1045** "trusts"
1046*/
1047extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
1048
1049extern void CERT_FreeDistNames(CERTDistNames *names);
1050
1051/*
1052** Generate an array of Distinguished names from an array of nicknames
1053*/
1054extern CERTDistNames *CERT_DistNamesFromNicknames
1055   (CERTCertDBHandle *handle, char **nicknames, int nnames);
1056
1057/*
1058** Generate a certificate chain from a certificate.
1059*/
1060extern CERTCertificateList *
1061CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
1062		       PRBool includeRoot);
1063
1064extern CERTCertificateList *
1065CERT_CertListFromCert(CERTCertificate *cert);
1066
1067extern CERTCertificateList *
1068CERT_DupCertList(CERTCertificateList * oldList);
1069
1070extern void CERT_DestroyCertificateList(CERTCertificateList *list);
1071
1072/*
1073** is cert a user cert? i.e. does it have CERTDB_USER trust,
1074** i.e. a private key?
1075*/
1076PRBool CERT_IsUserCert(CERTCertificate* cert);
1077
1078/* is cert a newer than cert b? */
1079PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
1080
1081/* currently a stub for address book */
1082PRBool
1083CERT_IsCertRevoked(CERTCertificate *cert);
1084
1085void
1086CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
1087
1088/* convert an email address to lower case */
1089char *CERT_FixupEmailAddr(const char *emailAddr);
1090
1091/* decode string representation of trust flags into trust struct */
1092SECStatus
1093CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts);
1094
1095/* encode trust struct into string representation of trust flags */
1096char *
1097CERT_EncodeTrustString(CERTCertTrust *trust);
1098
1099/* find the next or prev cert in a subject list */
1100CERTCertificate *
1101CERT_PrevSubjectCert(CERTCertificate *cert);
1102CERTCertificate *
1103CERT_NextSubjectCert(CERTCertificate *cert);
1104
1105/*
1106 * import a collection of certs into the temporary or permanent cert
1107 * database
1108 */
1109SECStatus
1110CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
1111		 unsigned int ncerts, SECItem **derCerts,
1112		 CERTCertificate ***retCerts, PRBool keepCerts,
1113		 PRBool caOnly, char *nickname);
1114
1115char *
1116CERT_MakeCANickname(CERTCertificate *cert);
1117
1118PRBool
1119CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
1120
1121PRBool
1122CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
1123
1124PRBool
1125CERT_IsRootDERCert(SECItem *derCert);
1126
1127SECStatus
1128CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
1129		      SECItem *profileTime);
1130
1131/*
1132 * find the smime symmetric capabilities profile for a given cert
1133 */
1134SECItem *
1135CERT_FindSMimeProfile(CERTCertificate *cert);
1136
1137SECStatus
1138CERT_AddNewCerts(CERTCertDBHandle *handle);
1139
1140CERTPackageType
1141CERT_CertPackageType(SECItem *package, SECItem *certitem);
1142
1143CERTCertificatePolicies *
1144CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
1145
1146void
1147CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
1148
1149CERTCertificatePolicyMappings *
1150CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
1151
1152SECStatus
1153CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
1154
1155SECStatus
1156CERT_DecodePolicyConstraintsExtension(
1157    CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue);
1158
1159SECStatus CERT_DecodeInhibitAnyExtension
1160    (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
1161
1162CERTUserNotice *
1163CERT_DecodeUserNotice(SECItem *noticeItem);
1164
1165extern CERTGeneralName *
1166CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName);
1167
1168extern CERTNameConstraints *
1169CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, 
1170                                    SECItem *encodedConstraints);
1171
1172/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
1173extern CERTAuthInfoAccess **
1174CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
1175				   SECItem     *encodedExtension);
1176
1177extern CERTPrivKeyUsagePeriod *
1178CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
1179
1180extern CERTGeneralName *
1181CERT_GetNextGeneralName(CERTGeneralName *current);
1182
1183extern CERTGeneralName *
1184CERT_GetPrevGeneralName(CERTGeneralName *current);
1185
1186CERTNameConstraint *
1187CERT_GetNextNameConstraint(CERTNameConstraint *current);
1188
1189CERTNameConstraint *
1190CERT_GetPrevNameConstraint(CERTNameConstraint *current);
1191
1192void
1193CERT_DestroyUserNotice(CERTUserNotice *userNotice);
1194
1195typedef char * (* CERTPolicyStringCallback)(char *org,
1196					       unsigned long noticeNumber,
1197					       void *arg);
1198void
1199CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
1200
1201char *
1202CERT_GetCertCommentString(CERTCertificate *cert);
1203
1204PRBool
1205CERT_GovtApprovedBitSet(CERTCertificate *cert);
1206
1207SECStatus
1208CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
1209
1210CERTCertList *
1211CERT_MatchUserCert(CERTCertDBHandle *handle,
1212		   SECCertUsage usage,
1213		   int nCANames, char **caNames,
1214		   void *proto_win);
1215
1216CERTCertList *
1217CERT_NewCertList(void);
1218
1219void
1220CERT_DestroyCertList(CERTCertList *certs);
1221
1222/* remove the node and free the cert */
1223void
1224CERT_RemoveCertListNode(CERTCertListNode *node);
1225
1226SECStatus
1227CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
1228
1229SECStatus
1230CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
1231
1232SECStatus
1233CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
1234							 void *appData);
1235
1236SECStatus
1237CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
1238							 void *appData);
1239
1240typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
1241				    CERTCertificate *certb,
1242				    void *arg);
1243SECStatus
1244CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
1245			 CERTSortCallback f, void *arg);
1246
1247/* callback for CERT_AddCertToListSorted that sorts based on validity
1248 * period and a given time.
1249 */
1250PRBool
1251CERT_SortCBValidity(CERTCertificate *certa,
1252		    CERTCertificate *certb,
1253		    void *arg);
1254
1255SECStatus
1256CERT_CheckForEvilCert(CERTCertificate *cert);
1257
1258CERTGeneralName *
1259CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
1260
1261char *
1262CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
1263
1264/*
1265 * Creates or adds to a list of all certs with a give subject name, sorted by
1266 * validity time, newest first.  Invalid certs are considered older than
1267 * valid certs. If validOnly is set, do not include invalid certs on list.
1268 */
1269CERTCertList *
1270CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1271			   SECItem *name, int64 sorttime, PRBool validOnly);
1272
1273/*
1274 * Creates or adds to a list of all certs with a give nickname, sorted by
1275 * validity time, newest first.  Invalid certs are considered older than valid
1276 * certs. If validOnly is set, do not include invalid certs on list.
1277 */
1278CERTCertList *
1279CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1280			    char *nickname, int64 sorttime, PRBool validOnly);
1281
1282/*
1283 * Creates or adds to a list of all certs with a give email addr, sorted by
1284 * validity time, newest first.  Invalid certs are considered older than valid
1285 * certs. If validOnly is set, do not include invalid certs on list.
1286 */
1287CERTCertList *
1288CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1289			     char *emailAddr, int64 sorttime, PRBool validOnly);
1290
1291/*
1292 * remove certs from a list that don't have keyUsage and certType
1293 * that match the given usage.
1294 */
1295SECStatus
1296CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
1297			   PRBool ca);
1298
1299/*
1300 * check the key usage of a cert against a set of required values
1301 */
1302SECStatus
1303CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
1304
1305/*
1306 * return required key usage and cert type based on cert usage
1307 */
1308SECStatus
1309CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
1310				 PRBool ca,
1311				 unsigned int *retKeyUsage,
1312				 unsigned int *retCertType);
1313/*
1314 * return required trust flags for various cert usages for CAs
1315 */
1316SECStatus
1317CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
1318			      unsigned int *retFlags,
1319			      SECTrustType *retTrustType);
1320
1321/*
1322 * Find all user certificates that match the given criteria.
1323 * 
1324 *	"handle" - database to search
1325 *	"usage" - certificate usage to match
1326 *	"oneCertPerName" - if set then only return the "best" cert per
1327 *			name
1328 *	"validOnly" - only return certs that are curently valid
1329 *	"proto_win" - window handle passed to pkcs11
1330 */
1331CERTCertList *
1332CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
1333			  SECCertUsage usage,
1334			  PRBool oneCertPerName,
1335			  PRBool validOnly,
1336			  void *proto_win);
1337
1338/*
1339 * Find a user certificate that matchs the given criteria.
1340 * 
1341 *	"handle" - database to search
1342 *	"nickname" - nickname to match
1343 *	"usage" - certificate usage to match
1344 *	"validOnly" - only return certs that are curently valid
1345 *	"proto_win" - window handle passed to pkcs11
1346 */
1347CERTCertificate *
1348CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
1349			 const char *nickname,
1350			 SECCertUsage usage,
1351			 PRBool validOnly,
1352			 void *proto_win);
1353
1354/*
1355 * Filter a list of certificates, removing those certs that do not have
1356 * one of the named CA certs somewhere in their cert chain.
1357 *
1358 *	"certList" - the list of certificates to filter
1359 *	"nCANames" - number of CA names
1360 *	"caNames" - array of CA names in string(rfc 1485) form
1361 *	"usage" - what use the certs are for, this is used when
1362 *		selecting CA certs
1363 */
1364SECStatus
1365CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
1366			     char **caNames, SECCertUsage usage);
1367
1368/*
1369 * Filter a list of certificates, removing those certs that aren't user certs
1370 */
1371SECStatus
1372CERT_FilterCertListForUserCerts(CERTCertList *certList);
1373
1374/*
1375 * Collect the nicknames from all certs in a CertList.  If the cert is not
1376 * valid, append a string to that nickname.
1377 *
1378 * "certList" - the list of certificates
1379 * "expiredString" - the string to append to the nickname of any expired cert
1380 * "notYetGoodString" - the string to append to the nickname of any cert
1381 *		that is not yet valid
1382 */
1383CERTCertNicknames *
1384CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
1385				 char *notYetGoodString);
1386
1387/*
1388 * Extract the nickname from a nickmake string that may have either
1389 * expiredString or notYetGoodString appended.
1390 *
1391 * Args:
1392 *	"namestring" - the string containing the nickname, and possibly
1393 *		one of the validity label strings
1394 *	"expiredString" - the expired validity label string
1395 *	"notYetGoodString" - the not yet good validity label string
1396 *
1397 * Returns the raw nickname
1398 */
1399char *
1400CERT_ExtractNicknameString(char *namestring, char *expiredString,
1401			   char *notYetGoodString);
1402
1403/*
1404 * Given a certificate, return a string containing the nickname, and possibly
1405 * one of the validity strings, based on the current validity state of the
1406 * certificate.
1407 *
1408 * "arena" - arena to allocate returned string from.  If NULL, then heap
1409 *	is used.
1410 * "cert" - the cert to get nickname from
1411 * "expiredString" - the string to append to the nickname if the cert is
1412 *		expired.
1413 * "notYetGoodString" - the string to append to the nickname if the cert is
1414 *		not yet good.
1415 */
1416char *
1417CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
1418				 char *expiredString, char *notYetGoodString);
1419
1420/*
1421 * Return the string representation of a DER encoded distinguished name
1422 * "dername" - The DER encoded name to convert
1423 */
1424char *
1425CERT_DerNameToAscii(SECItem *dername);
1426
1427/*
1428 * Supported usage values and types:
1429 *	certUsageSSLClient
1430 *	certUsageSSLServer
1431 *	certUsageSSLServerWithStepUp
1432 *	certUsageEmailSigner
1433 *	certUsageEmailRecipient
1434 *	certUsageObjectSigner
1435 */
1436
1437CERTCertificate *
1438CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
1439		      CERTCertOwner owner, SECCertUsage usage,
1440		      PRBool preferTrusted, int64 validTime, PRBool validOnly);
1441
1442/*
1443 * Acquire the global lock on the cert database.
1444 * This lock is currently used for the following operations:
1445 *	adding or deleting a cert to either the temp or perm databases
1446 *	converting a temp to perm or perm to temp
1447 *	changing(maybe just adding?) the trust of a cert
1448 *	adjusting the reference count of a cert
1449 */
1450void
1451CERT_LockDB(CERTCertDBHandle *handle);
1452
1453/*
1454 * Free the global cert database lock.
1455 */
1456void
1457CERT_UnlockDB(CERTCertDBHandle *handle);
1458
1459/*
1460 * Get the certificate status checking configuratino data for
1461 * the certificate database
1462 */
1463CERTStatusConfig *
1464CERT_GetStatusConfig(CERTCertDBHandle *handle);
1465
1466/*
1467 * Set the certificate status checking information for the
1468 * database.  The input structure becomes part of the certificate
1469 * database and will be freed by calling the 'Destroy' function in
1470 * the configuration object.
1471 */
1472void
1473CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
1474
1475
1476
1477/*
1478 * Acquire the cert reference count lock
1479 * There is currently one global lock for all certs, but I'm putting a cert
1480 * arg here so that it will be easy to make it per-cert in the future if
1481 * that turns out to be necessary.
1482 */
1483void
1484CERT_LockCertRefCount(CERTCertificate *cert);
1485
1486/*
1487 * Free the cert reference count lock
1488 */
1489void
1490CERT_UnlockCertRefCount(CERTCertificate *cert);
1491
1492/*
1493 * Acquire the cert trust lock
1494 * There is currently one global lock for all certs, but I'm putting a cert
1495 * arg here so that it will be easy to make it per-cert in the future if
1496 * that turns out to be necessary.
1497 */
1498void
1499CERT_LockCertTrust(CERTCertificate *cert);
1500
1501/*
1502 * Free the cert trust lock
1503 */
1504void
1505CERT_UnlockCertTrust(CERTCertificate *cert);
1506
1507/*
1508 * Digest the cert's subject public key using the specified algorithm.
1509 * The necessary storage for the digest data is allocated.  If "fill" is
1510 * non-null, the data is put there, otherwise a SECItem is allocated.
1511 * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
1512 * results in a NULL being returned (and an appropriate error set).
1513 */ 
1514extern SECItem *
1515CERT_GetSPKIDigest(PRArenaPool *arena, const CERTCertificate *cert,
1516                   SECOidTag digestAlg, SECItem *fill);
1517
1518
1519SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
1520                        SECItem* dp, int64 t, void* wincx);
1521
1522
1523/*
1524 * Add a CERTNameConstraint to the CERTNameConstraint list
1525 */
1526extern CERTNameConstraint *
1527CERT_AddNameConstraint(CERTNameConstraint *list, 
1528		       CERTNameConstraint *constraint);
1529
1530/*
1531 * Allocate space and copy CERTNameConstraint from src to dest.
1532 * Arena is used to allocate result(if dest eq NULL) and its members
1533 * SECItem data.
1534 */
1535extern CERTNameConstraint *
1536CERT_CopyNameConstraint(PRArenaPool         *arena, 
1537			CERTNameConstraint  *dest, 
1538			CERTNameConstraint  *src);
1539
1540/*
1541 * Verify name against all the constraints relevant to that type of
1542 * the name.
1543 */
1544extern SECStatus
1545CERT_CheckNameSpace(PRArenaPool          *arena,
1546		    CERTNameConstraints 

Large files files are truncated, but you can click here to view the full file