#define VALIDATE_H
-enum {
- /* Simple certificate validation mode. */
- VALIDATE_MODE_CERT = 0,
- /* Standard CRL issuer certificate validation; i.e. CRLs are not
- considered for CRL issuer certificates. */
- VALIDATE_MODE_CRL = 1,
- /* Full CRL validation. */
- VALIDATE_MODE_CRL_RECURSIVE = 2,
- /* Validation as used for OCSP. */
- VALIDATE_MODE_OCSP = 3
-};
+/* Flag values matching the CERTTRUST_CLASS values and a MASK for
+ * them. check_header_constants() checks their consistency. */
+#define VALIDATE_FLAG_TRUST_SYSTEM 1
+#define VALIDATE_FLAG_TRUST_CONFIG 2
+#define VALIDATE_FLAG_TRUST_HKP 4
+#define VALIDATE_FLAG_TRUST_HKPSPOOL 8
+#define VALIDATE_FLAG_MASK_TRUST 0x0f
+
+/* Standard CRL issuer certificate validation; i.e. CRLs are not
+ * considered for CRL issuer certificates. */
+#define VALIDATE_FLAG_CRL 64
+
+/* If this flag is set along with VALIDATE_FLAG_CRL a full CRL
+ * verification is done. */
+#define VALIDATE_FLAG_RECURSIVE 128
+
+/* Validation mode as used for OCSP. */
+#define VALIDATE_FLAG_OCSP 256
+
+/* Validation mode as used with TLS. */
+#define VALIDATE_FLAG_TLS 512
+
+/* Don't do CRL checks. */
+#define VALIDATE_FLAG_NOCRLCHECK 1024
/* Validate the certificate CHAIN up to the trust anchor. Optionally
return the closest expiration time in R_EXPTIME. */
gpg_error_t validate_cert_chain (ctrl_t ctrl,
ksba_cert_t cert, ksba_isotime_t r_exptime,
- int mode, char **r_trust_anchor);
+ unsigned int flags, char **r_trust_anchor);
/* Return 0 if the certificate CERT is usable for certification. */
-gpg_error_t cert_use_cert_p (ksba_cert_t cert);
+gpg_error_t check_cert_use_cert (ksba_cert_t cert);
/* Return 0 if the certificate CERT is usable for signing OCSP
responses. */
-gpg_error_t cert_use_ocsp_p (ksba_cert_t cert);
+gpg_error_t check_cert_use_ocsp (ksba_cert_t cert);
/* Return 0 if the certificate CERT is usable for signing CRLs. */
-gpg_error_t cert_use_crl_p (ksba_cert_t cert);
+gpg_error_t check_cert_use_crl (ksba_cert_t cert);
#endif /*VALIDATE_H*/
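Review bot: The comment above `validate_cert_chain` still documents only CHAIN and R_EXPTIME, so the header never says what FLAGS means when no `VALIDATE_FLAG_TRUST_*` bit is set, or when `VALIDATE_FLAG_RECURSIVE` is passed without `VALIDATE_FLAG_CRL`. The removed `VALIDATE_MODE_*` values were mutually exclusive, whereas the new bits can be combined freely, so the accepted combinations and the trust-class default are worth stating here, e.g. `/* FLAGS is a bit-or of VALIDATE_FLAG_*; the bits in VALIDATE_FLAG_MASK_TRUST select the accepted trust classes (document what 0 means). */`. Callers are outside this hunk, but any that passed a literal instead of a `VALIDATE_MODE_*` name would still compile and silently change meaning (1 was CRL mode and is now `VALIDATE_FLAG_TRUST_SYSTEM`), so the call sites deserve a check.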