1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 * certt.h - public data structures for the certificate library
22 struct NSSCertificateStr;
23 struct NSSTrustDomainStr;
25 /* Non-opaque objects */
26 typedef struct CERTAVAStr CERTAVA;
27 typedef struct CERTAttributeStr CERTAttribute;
28 typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
29 typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
30 typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
31 typedef struct NSSTrustDomainStr CERTCertDBHandle;
32 typedef struct CERTCertExtensionStr CERTCertExtension;
33 typedef struct CERTCertKeyStr CERTCertKey;
34 typedef struct CERTCertListStr CERTCertList;
35 typedef struct CERTCertListNodeStr CERTCertListNode;
36 typedef struct CERTCertNicknamesStr CERTCertNicknames;
37 typedef struct CERTCertTrustStr CERTCertTrust;
38 typedef struct CERTCertificateStr CERTCertificate;
39 typedef struct CERTCertificateListStr CERTCertificateList;
40 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
41 typedef struct CERTCrlStr CERTCrl;
42 typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
43 typedef struct CERTCrlEntryStr CERTCrlEntry;
44 typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
45 typedef struct CERTCrlKeyStr CERTCrlKey;
46 typedef struct CERTCrlNodeStr CERTCrlNode;
47 typedef struct CERTDERCertsStr CERTDERCerts;
48 typedef struct CERTDistNamesStr CERTDistNames;
49 typedef struct CERTGeneralNameStr CERTGeneralName;
50 typedef struct CERTGeneralNameListStr CERTGeneralNameList;
51 typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
52 typedef struct CERTNameStr CERTName;
53 typedef struct CERTNameConstraintStr CERTNameConstraint;
54 typedef struct CERTNameConstraintsStr CERTNameConstraints;
55 typedef struct CERTOKDomainNameStr CERTOKDomainName;
56 typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
57 typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
58 typedef struct CERTRDNStr CERTRDN;
59 typedef struct CERTSignedCrlStr CERTSignedCrl;
60 typedef struct CERTSignedDataStr CERTSignedData;
61 typedef struct CERTStatusConfigStr CERTStatusConfig;
62 typedef struct CERTSubjectListStr CERTSubjectList;
63 typedef struct CERTSubjectNodeStr CERTSubjectNode;
64 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
65 typedef struct CERTValidityStr CERTValidity;
66 typedef struct CERTVerifyLogStr CERTVerifyLog;
67 typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
68 typedef struct CRLDistributionPointStr CRLDistributionPoint;
70 /* CRL extensions type */
71 typedef unsigned long CERTCrlNumber;
74 ** An X.500 AVA object
82 ** An X.500 RDN object
89 ** An X.500 name object
97 ** An X.509 validity object
99 struct CERTValidityStr {
106 * A serial number and issuer name, which is used as a database key
108 struct CERTCertKeyStr {
109 SECItem serialNumber;
114 ** A signed data object. Used to implement the "signed" macro used
115 ** in the X.500 specs.
117 struct CERTSignedDataStr {
119 SECAlgorithmID signatureAlgorithm;
124 ** An X.509 subject-public-key-info object
126 struct CERTSubjectPublicKeyInfoStr {
128 SECAlgorithmID algorithm;
129 SECItem subjectPublicKey;
132 struct CERTPublicKeyAndChallengeStr {
137 struct CERTCertTrustStr {
138 unsigned int sslFlags;
139 unsigned int emailFlags;
140 unsigned int objectSigningFlags;
144 * defined the types of trust that exist
146 typedef enum SECTrustTypeEnum {
149 trustObjectSigning = 2,
153 #define SEC_GET_TRUST_FLAGS(trust,type) \
154 (((type)==trustSSL)?((trust)->sslFlags): \
155 (((type)==trustEmail)?((trust)->emailFlags): \
156 (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
159 ** An X.509.3 certificate extension
161 struct CERTCertExtensionStr {
167 struct CERTSubjectNodeStr {
168 struct CERTSubjectNodeStr *next;
169 struct CERTSubjectNodeStr *prev;
174 struct CERTSubjectListStr {
178 CERTSubjectNode *head;
179 CERTSubjectNode *tail; /* do we need tail? */
184 ** An X.509 certificate object (the unsigned form)
186 struct CERTCertificateStr {
187 /* the arena is used to allocate any data structures that have the same
188 * lifetime as the cert. This is all stuff that hangs off of the cert
189 * structure, and is all freed at the same time. I is used when the
190 * cert is decoded, destroyed, and at some times when it changes
195 /* The following fields are static after the cert has been decoded */
198 CERTSignedData signatureWrap; /* XXX */
199 SECItem derCert; /* original DER for the cert */
200 SECItem derIssuer; /* DER for issuer name */
201 SECItem derSubject; /* DER for subject name */
202 SECItem derPublicKey; /* DER for the public key */
203 SECItem certKey; /* database key for this cert */
205 SECItem serialNumber;
206 SECAlgorithmID signature;
208 CERTValidity validity;
210 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
213 CERTCertExtension **extensions;
215 CERTCertDBHandle *dbhandle;
216 SECItem subjectKeyID; /* x509v3 subject key identifier */
217 PRBool keyIDGenerated; /* was the keyid generated? */
218 unsigned int keyUsage; /* what uses are allowed for this cert */
219 unsigned int rawKeyUsage; /* value of the key usage extension */
220 PRBool keyUsagePresent; /* was the key usage extension present */
221 PRUint32 nsCertType; /* value of the ns cert type extension */
222 /* must be 32-bit for PR_ATOMIC_SET */
224 /* these values can be set by the application to bypass certain checks
225 * or to keep the cert in memory for an entire session.
226 * XXX - need an api to set these
228 PRBool keepSession; /* keep this cert for entire session*/
229 PRBool timeOK; /* is the bad validity time ok? */
230 CERTOKDomainName *domainOK; /* these domain names are ok */
233 * these values can change when the cert changes state. These state
234 * changes include transitions from temp to perm or vice-versa, and
235 * changes of trust flags
241 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
242 CERTCertTrust *trust;
244 /* the reference count is modified whenever someone looks up, dups
245 * or destroys a certificate
249 /* The subject list is a list of all certs with the same subject name.
250 * It can be modified any time a cert is added or deleted from either
251 * the in-memory(temporary) or on-disk(permanent) database.
253 CERTSubjectList *subjectList;
255 /* these belong in the static section, but are here to maintain
256 * the structure's integrity
258 CERTAuthKeyID * authKeyID; /* x509v3 authority key identifier */
259 PRBool isRoot; /* cert is the end of a chain */
261 /* these fields are used by client GUI code to keep track of ssl sockets
262 * that are blocked waiting on GUI feedback related to this cert.
263 * XXX - these should be moved into some sort of application specific
264 * data structure. They are only used by the browser right now.
267 void* apointer; /* was struct SECSocketNode* authsocketlist */
269 unsigned int hasUnsupportedCriticalExt :1;
270 /* add any new option bits needed here */
273 int series; /* was int authsocketcount; record the series of the pkcs11ID */
275 /* This is PKCS #11 stuff. */
276 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
277 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
278 PRBool ownSlot; /*true if the cert owns the slot reference */
280 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
281 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
282 #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
284 #define SEC_CRL_VERSION_1 0 /* default */
285 #define SEC_CRL_VERSION_2 1 /* v2 extensions */
288 * used to identify class of cert in mime stream code
290 #define SEC_CERT_CLASS_CA 1
291 #define SEC_CERT_CLASS_SERVER 2
292 #define SEC_CERT_CLASS_USER 3
293 #define SEC_CERT_CLASS_EMAIL 4
295 struct CERTDERCertsStr {
302 ** A PKCS ? Attribute
303 ** XXX this is duplicated through out the code, it *should* be moved
304 ** to a central location. Where would be appropriate?
306 struct CERTAttributeStr {
312 ** A PKCS#10 certificate-request object (the unsigned form)
314 struct CERTCertificateRequestStr {
318 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
319 CERTAttribute **attributes;
321 #define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
325 ** A certificate list object.
327 struct CERTCertificateListStr {
329 int len; /* number of certs */
333 struct CERTCertListNodeStr {
335 CERTCertificate *cert;
339 struct CERTCertListStr {
344 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
345 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
346 #define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
347 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
349 struct CERTCrlEntryStr {
350 SECItem serialNumber;
351 SECItem revocationDate;
352 CERTCertExtension **extensions;
358 SECAlgorithmID signatureAlg;
362 SECItem nextUpdate; /* optional for x.509 CRL */
363 CERTCrlEntry **entries;
364 CERTCertExtension **extensions;
365 /* can't add anything there for binary backwards compatibility reasons */
368 struct CERTCrlKeyStr {
370 SECItem dummy; /* The decoder can not skip a primitive,
371 this serves as a place holder for the
372 decoder to finish its task only
376 struct CERTSignedCrlStr {
384 CERTCertDBHandle *dbhandle;
385 CERTSignedData signatureWrap; /* XXX */
389 CK_OBJECT_HANDLE pkcs11ID;
390 void* opaque; /* do not touch */
394 struct CERTCrlHeadNodeStr {
396 CERTCertDBHandle *dbhandle;
402 struct CERTCrlNodeStr {
410 * Array of X.500 Distinguished Names
412 struct CERTDistNamesStr {
416 void *head; /* private */
420 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
421 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
422 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
423 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
424 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
425 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
426 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
427 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
429 #define EXT_KEY_USAGE_TIME_STAMP (0x8000)
430 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
432 #define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
433 NS_CERT_TYPE_SSL_SERVER | \
434 NS_CERT_TYPE_EMAIL | \
435 NS_CERT_TYPE_OBJECT_SIGNING )
437 #define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
438 NS_CERT_TYPE_EMAIL_CA | \
439 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
440 EXT_KEY_USAGE_STATUS_RESPONDER )
441 typedef enum SECCertUsageEnum {
442 certUsageSSLClient = 0,
443 certUsageSSLServer = 1,
444 certUsageSSLServerWithStepUp = 2,
446 certUsageEmailSigner = 4,
447 certUsageEmailRecipient = 5,
448 certUsageObjectSigner = 6,
449 certUsageUserCertImport = 7,
450 certUsageVerifyCA = 8,
451 certUsageProtectedObjectSigner = 9,
452 certUsageStatusResponder = 10,
456 typedef PRInt64 SECCertificateUsage;
458 #define certificateUsageCheckAllUsages (0x0000)
459 #define certificateUsageSSLClient (0x0001)
460 #define certificateUsageSSLServer (0x0002)
461 #define certificateUsageSSLServerWithStepUp (0x0004)
462 #define certificateUsageSSLCA (0x0008)
463 #define certificateUsageEmailSigner (0x0010)
464 #define certificateUsageEmailRecipient (0x0020)
465 #define certificateUsageObjectSigner (0x0040)
466 #define certificateUsageUserCertImport (0x0080)
467 #define certificateUsageVerifyCA (0x0100)
468 #define certificateUsageProtectedObjectSigner (0x0200)
469 #define certificateUsageStatusResponder (0x0400)
470 #define certificateUsageAnyCA (0x0800)
472 #define certificateUsageHighest certificateUsageAnyCA
475 * Does the cert belong to the user, a peer, or a CA.
477 typedef enum CERTCertOwnerEnum {
484 * This enum represents the state of validity times of a certificate
486 typedef enum SECCertTimeValidityEnum {
487 secCertTimeValid = 0,
488 secCertTimeExpired = 1,
489 secCertTimeNotValidYet = 2,
490 secCertTimeUndetermined = 3 /* validity could not be decoded from the
491 cert, most likely because it was NULL */
492 } SECCertTimeValidity;
495 * This is used as return status in functions that compare the validity
496 * periods of two certificates A and B, currently only
497 * CERT_CompareValidityTimes.
500 typedef enum CERTCompareValidityStatusEnum
502 certValidityUndetermined = 0, /* the function is unable to select one cert
504 certValidityChooseB = 1, /* cert B should be preferred */
505 certValidityEqual = 2, /* both certs have the same validity period */
506 certValidityChooseA = 3 /* cert A should be preferred */
507 } CERTCompareValidityStatus;
510 * Interface for getting certificate nickname strings out of the database
513 /* these are values for the what argument below */
514 #define SEC_CERT_NICKNAMES_ALL 1
515 #define SEC_CERT_NICKNAMES_USER 2
516 #define SEC_CERT_NICKNAMES_SERVER 3
517 #define SEC_CERT_NICKNAMES_CA 4
519 struct CERTCertNicknamesStr {
528 struct CERTIssuerAndSNStr {
531 SECItem serialNumber;
535 /* X.509 v3 Key Usage Extension flags */
536 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
537 #define KU_NON_REPUDIATION (0x40) /* bit 1 */
538 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
539 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
540 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */
541 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
542 #define KU_CRL_SIGN (0x02) /* bit 6 */
543 #define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
544 #define KU_ALL (KU_DIGITAL_SIGNATURE | \
545 KU_NON_REPUDIATION | \
546 KU_KEY_ENCIPHERMENT | \
547 KU_DATA_ENCIPHERMENT | \
553 /* This value will not occur in certs. It is used internally for the case
554 * when either digital signature or non-repudiation is the correct value.
556 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
558 /* This value will not occur in certs. It is used internally for the case
559 * when the key type is not know ahead of time and either key agreement or
560 * key encipherment are the correct value based on key type
562 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
564 /* internal bits that do not match bits in the x509v3 spec, but are used
565 * for similar purposes
567 #define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
569 * x.509 v3 Basic Constraints Extension
570 * If isCA is false, the pathLenConstraint is ignored.
571 * Otherwise, the following pathLenConstraint values will apply:
572 * < 0 - there is no limit to the certificate path
573 * 0 - CA can issues end-entity certificates only
574 * > 0 - the number of certificates in the certificate path is
575 * limited to this number
577 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
579 struct CERTBasicConstraintsStr {
580 PRBool isCA; /* on if is CA */
581 int pathLenConstraint; /* maximum number of certificates that can be
582 in the cert path. Only applies to a CA
583 certificate; otherwise, it's ignored.
587 /* Maximum length of a certificate chain */
588 #define CERT_MAX_CERT_CHAIN 20
590 #define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
591 #define CERT_MAX_DN_BYTES 4096 /* arbitrary */
593 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
594 #define RF_UNUSED (0x80) /* bit 0 */
595 #define RF_KEY_COMPROMISE (0x40) /* bit 1 */
596 #define RF_CA_COMPROMISE (0x20) /* bit 2 */
597 #define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
598 #define RF_SUPERSEDED (0x08) /* bit 4 */
599 #define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
600 #define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
602 /* enum for CRL Entry Reason Code */
603 typedef enum CERTCRLEntryReasonCodeEnum {
604 crlEntryReasonUnspecified = 0,
605 crlEntryReasonKeyCompromise = 1,
606 crlEntryReasonCaCompromise = 2,
607 crlEntryReasonAffiliationChanged = 3,
608 crlEntryReasonSuperseded = 4,
609 crlEntryReasonCessationOfOperation = 5,
610 crlEntryReasoncertificatedHold = 6,
611 crlEntryReasonRemoveFromCRL = 8,
612 crlEntryReasonPrivilegeWithdrawn = 9,
613 crlEntryReasonAaCompromise = 10
614 } CERTCRLEntryReasonCode;
616 /* If we needed to extract the general name field, use this */
617 /* General Name types */
618 typedef enum CERTGeneralNameTypeEnum {
623 certDirectoryName = 5,
624 certEDIPartyName = 6,
628 } CERTGeneralNameType;
631 typedef struct OtherNameStr {
638 struct CERTGeneralNameStr {
639 CERTGeneralNameType type; /* name type */
641 CERTName directoryName; /* distinguish name */
642 OtherName OthName; /* Other Name */
643 SECItem other; /* the rest of the name forms */
645 SECItem derDirectoryName; /* this is saved to simplify directory name
650 struct CERTGeneralNameListStr {
652 CERTGeneralName *name;
658 struct CERTNameConstraintStr {
659 CERTGeneralName name;
667 struct CERTNameConstraintsStr {
668 CERTNameConstraint *permited;
669 CERTNameConstraint *excluded;
670 SECItem **DERPermited;
671 SECItem **DERExcluded;
675 /* Private Key Usage Period extension struct. */
676 struct CERTPrivKeyUsagePeriodStr {
682 /* X.509 v3 Authority Key Identifier extension. For the authority certificate
683 issuer field, we only support URI now.
685 struct CERTAuthKeyIDStr {
686 SECItem keyID; /* unique key identifier */
687 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
688 SECItem authCertSerialNumber; /* CA's certificate serial number */
689 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
690 the authCertIssuer field. It is used
691 by the encoding engine. It should be
692 used as a read only field by the caller.
696 /* x.509 v3 CRL Distributeion Point */
699 * defined the types of CRL Distribution points
701 typedef enum DistributionPointTypesEnum {
702 generalName = 1, /* only support this for now */
703 relativeDistinguishedName = 2
704 } DistributionPointTypes;
706 struct CRLDistributionPointStr {
707 DistributionPointTypes distPointType;
709 CERTGeneralName *fullName;
710 CERTRDN relativeName;
713 CERTGeneralName *crlIssuer;
715 /* Reserved for internal use only*/
716 SECItem derDistPoint;
717 SECItem derRelativeName;
718 SECItem **derCrlIssuer;
719 SECItem **derFullName;
723 struct CERTCrlDistributionPointsStr {
724 CRLDistributionPoint **distPoints;
728 * This structure is used to keep a log of errors when verifying
729 * a cert chain. This allows multiple errors to be reported all at
732 struct CERTVerifyLogNodeStr {
733 CERTCertificate *cert; /* what cert had the error */
734 long error; /* what error was it? */
735 unsigned int depth; /* how far up the chain are we */
736 void *arg; /* error specific argument */
737 struct CERTVerifyLogNodeStr *next; /* next in the list */
738 struct CERTVerifyLogNodeStr *prev; /* next in the list */
742 struct CERTVerifyLogStr {
745 struct CERTVerifyLogNodeStr *head;
746 struct CERTVerifyLogNodeStr *tail;
750 struct CERTOKDomainNameStr {
751 CERTOKDomainName *next;
752 char name[1]; /* actual length may be longer. */
756 typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
757 CERTCertificate *cert,
761 typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
763 struct CERTStatusConfigStr {
764 CERTStatusChecker statusChecker; /* NULL means no checking enabled */
765 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
766 void *statusContext; /* cx specific to checking protocol */
769 struct CERTAuthInfoAccessStr {
772 CERTGeneralName *location; /* decoded location */
776 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
777 /* callback to return database name based on version number */
778 typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
781 * types of cert packages that we can decode
783 typedef enum CERTPackageTypeEnum {
786 certPackagePKCS7 = 2,
787 certPackageNSCertSeq = 3,
788 certPackageNSCertWrap = 4
792 * these types are for the PKIX Certificate Policies extension
797 SECItem qualifierValue;
798 } CERTPolicyQualifier;
803 CERTPolicyQualifier **policyQualifiers;
808 CERTPolicyInfo **policyInfos;
809 } CERTCertificatePolicies;
812 SECItem organization;
813 SECItem **noticeNumbers;
814 } CERTNoticeReference;
818 CERTNoticeReference noticeReference;
819 SECItem derNoticeReference;
829 * these types are for the PKIX Policy Mappings extension
832 SECItem issuerDomainPolicy;
833 SECItem subjectDomainPolicy;
838 CERTPolicyMap **policyMaps;
839 } CERTCertificatePolicyMappings;
842 * these types are for the PKIX inhibitAnyPolicy extension
845 SECItem inhibitAnySkipCerts;
846 } CERTCertificateInhibitAny;
849 * these types are for the PKIX Policy Constraints extension
852 SECItem explicitPolicySkipCerts;
853 SECItem inhibitMappingSkipCerts;
854 } CERTCertificatePolicyConstraints;
857 * These types are for the validate chain callback param.
859 * CERTChainVerifyCallback is an application-supplied callback that can be used
860 * to augment libpkix's certificate chain validation with additional
861 * application-specific checks. It may be called multiple times if there are
862 * multiple potentially-valid paths for the certificate being validated. This
863 * callback is called before revocation checking is done on the certificates in
866 * - isValidChainArg contains the application-provided opaque argument
867 * - currentChain is the currently validated chain. It is ordered with the leaf
868 * certificate at the head and the trust anchor at the tail.
870 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
871 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
872 * return SECSuccess if the chain is unacceptable, to indicate that the given
873 * chain is bad and path building should continue. It should return SECFailure
874 * to indicate an fatal error that will cause path validation to fail
877 typedef SECStatus (*CERTChainVerifyCallbackFunc)
878 (void *isChainValidArg,
879 const CERTCertList *currentChain,
883 * Note: If extending this structure, it will be necessary to change the
884 * associated CERTValParamInType
887 CERTChainVerifyCallbackFunc isChainValid;
888 void *isChainValidArg;
889 } CERTChainVerifyCallback;
892 * these types are for the CERT_PKIX* Verification functions
893 * These are all optional parameters.
897 cert_pi_end = 0, /* SPECIAL: signifies end of array of
899 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
900 * resume a session. If this argument is
901 * specified, no other arguments should be.
902 * Specified in value.pointer.p. If the
903 * operation completes the context will be
905 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
906 * existing operation which the caller wants
907 * to abort. If this argument is
908 * specified, no other arguments should be.
909 * Specified in value.pointer.p. If the
910 * operation succeeds the context will be
912 cert_pi_certList = 3, /* specify the chain to validate against. If
913 * this value is given, then the path
914 * construction step in the validation is
915 * skipped. Specified in value.pointer.chain */
916 cert_pi_policyOID = 4, /* validate certificate for policy OID.
917 * Specified in value.array.oids. Cert must
918 * be good for at least one OID in order
919 * to validate. Default is that the user is not
920 * concerned about certificate policy. */
921 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
922 * Specified in value.scalar.ul. Policy flags
923 * apply to all specified oids.
924 * Use CERT_POLICY_FLAG_* macros below. If not
925 * specified policy flags default to 0 */
926 cert_pi_keyusage = 6, /* specify what the keyusages the certificate
927 * will be evaluated against, specified in
928 * value.scalar.ui. The cert must validate for
929 * at least one of the specified key usages.
930 * Values match the KU_ bit flags defined
931 * in this file. Default is derived from
932 * the 'usages' function argument */
933 cert_pi_extendedKeyusage= 7, /* specify what the required extended key
934 * usage of the certificate. Specified as
935 * an array of oidTags in value.array.oids.
936 * The cert must validate for at least one
937 * of the specified extended key usages.
938 * If not specified, no extended key usages
939 * will be checked. */
940 cert_pi_date = 8, /* validate certificate is valid as of date
941 * specified in value.scalar.time. A special
942 * value '0' indicates 'now'. default is '0' */
943 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
944 * See CERT_REV_FLAG_* macros below
945 * Set in value.pointer.revocation */
946 cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below)
947 * Set in value.scalar.ui */
948 cert_pi_trustAnchors = 11,/* Specify the list of trusted roots to
950 * The default set of trusted roots, these are
951 * root CA certs from libnssckbi.so or CA
952 * certs trusted by user, are used in any of
953 * the following cases:
954 * * when the parameter is not set.
955 * * when the list of trust anchors is empty.
956 * Note that this handling can be further altered by altering the
957 * cert_pi_useOnlyTrustAnchors flag
958 * Specified in value.pointer.chain */
959 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
960 * In NSS 3.12.1 or later. Default is off.
961 * Value is in value.scalar.b */
962 cert_pi_chainVerifyCallback = 13,
963 /* The callback container for doing extra
964 * validation on the currently calculated chain.
965 * Value is in value.pointer.chainVerifyCallback */
966 cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
967 * certificates other than the ones passed in via cert_pi_trustAnchors.
968 * If false, then the certificates specified via cert_pi_trustAnchors
969 * will be combined with the pre-existing trusted roots, but only for
970 * the certificate validation being performed.
971 * If no value has been supplied via cert_pi_trustAnchors, this has no
973 * The default value is true, meaning if this is not supplied, only
974 * trust anchors supplied via cert_pi_trustAnchors are trusted.
975 * Specified in value.scalar.b */
976 cert_pi_max /* SPECIAL: signifies maximum allowed value,
977 * can increase in future releases */
978 } CERTValParamInType;
981 * for all out parameters:
982 * out parameters are only returned if the caller asks for them in
983 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
984 * array itself. The pkix verify function will allocate and other arrays
985 * pointers, or objects. The Caller is responsible for freeing those results.
986 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
989 cert_po_end = 0, /* SPECIAL: signifies end of array of
991 cert_po_nbioContext = 1, /* Return a nonblocking context. If no
992 * non-blocking context is specified, then
993 * blocking IO will be used.
994 * Returned in value.pointer.p. The context is
995 * freed after an abort or a complete operation.
996 * This value is only returned on SECWouldBlock.
998 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that
999 * was validated. Returned in
1000 * value.pointer.cert, this value is only
1001 * returned on SECSuccess. */
1002 cert_po_certList = 3, /* Return the entire chain that was validated.
1003 * Returned in value.pointer.certList. If no
1004 * chain could be constructed, this value
1006 cert_po_policyOID = 4, /* Return the policies that were found to be
1007 * valid. Returned in value.array.oids as an
1008 * array. This is only returned on
1010 cert_po_errorLog = 5, /* Return a log of problems with the chain.
1011 * Returned in value.pointer.log */
1012 cert_po_usages = 6, /* Return what usages the certificate is valid
1013 for. Returned in value.scalar.usages */
1014 cert_po_keyUsage = 7, /* Return what key usages the certificate
1016 * Returned in value.scalar.usage */
1017 cert_po_extendedKeyusage= 8, /* Return what extended key usages the
1018 * certificate is valid for.
1019 * Returned in value.array.oids */
1020 cert_po_max /* SPECIAL: signifies maximum allowed value,
1021 * can increase in future releases */
1023 } CERTValParamOutType;
1026 cert_revocation_method_crl = 0,
1027 cert_revocation_method_ocsp,
1028 cert_revocation_method_count
1029 } CERTRevocationMethodIndex;
1033 * The following flags are supposed to be used to control bits in
1034 * each integer contained in the array pointed to be:
1035 * CERTRevocationTests.cert_rev_flags_per_method
1036 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1037 * this is a method dependent flag.
1041 * Whether or not to use a method for revocation testing.
1042 * If set to "do not test", then all other flags are ignored.
1044 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1045 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1048 * Whether or not NSS is allowed to attempt to fetch fresh information
1050 * (Although fetching will never happen if fresh information for the
1051 * method is already locally available.)
1053 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1054 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1057 * Example for an implicit default source:
1058 * The globally configured default OCSP responder.
1060 * ignore the implicit default source, whether it's configured or not.
1062 * if an implicit default source is configured,
1063 * then it overrides any available or missing source in the cert.
1064 * if no implicit default source is configured,
1065 * then we continue to use what's available (or not available)
1068 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1069 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1072 * Defines the behavior if no fresh information is available,
1073 * fetching from the network is allowed, but the source of revocation
1074 * information is unknown (even after considering implicit sources,
1075 * if allowed by other flags).
1077 * We ignore that no fresh information is available and
1079 * REQUIRE_INFO means:
1080 * We still require that fresh information is available.
1081 * Other flags define what happens on missing fresh info.
1083 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1084 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1087 * Defines the behavior if we are unable to obtain fresh information.
1089 * Return "cert status unknown"
1091 * Return "cert revoked".
1093 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1094 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1097 * What should happen if we were able to find fresh information using
1098 * this method, and the data indicated the cert is good?
1099 * STOP_TESTING means:
1100 * Our success is sufficient, do not continue testing
1102 * CONTINUE_TESTING means:
1103 * We will continue and test the next allowed
1106 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1107 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1109 /* When this flag is used, libpkix will never attempt to use the GET HTTP
1110 * method for OCSP requests; it will always use POST.
1112 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1115 * The following flags are supposed to be used to control bits in
1116 * CERTRevocationTests.cert_rev_method_independent_flags
1117 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1118 * this is a method independent flag.
1122 * This defines the order to checking.
1123 * EACH_METHOD_SEPARATELY means:
1124 * Do all tests related to a particular allowed method
1125 * (both local information and network fetching) in a single step.
1126 * Only after testing for a particular method is done,
1127 * then switching to the next method will happen.
1128 * ALL_LOCAL_INFORMATION_FIRST means:
1129 * Start by testing the information for all allowed methods
1130 * which are already locally available. Only after that is done
1131 * consider to fetch from the network (as allowed by other flags).
1133 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1134 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1137 * Use this flag to specify that it's necessary that fresh information
1138 * is available for at least one of the allowed methods, but it's
1139 * irrelevant which of the mechanisms succeeded.
1140 * NO_OVERALL_INFO_REQUIREMENT means:
1141 * We strictly follow the requirements for each individual method.
1142 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1143 * After the individual tests have been executed, we must have
1144 * been able to find fresh information using at least one method.
1145 * If we were unable to find fresh info, it's a failure.
1146 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1147 * flag on all methods.
1149 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1150 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1155 * The size of the array that cert_rev_flags_per_method points to,
1156 * meaning, the number of methods that are known and defined
1159 PRUint32 number_of_defined_methods;
1162 * A pointer to an array of integers.
1163 * Each integer defines revocation checking for a single method,
1164 * by having individual CERT_REV_M_* bits set or not set.
1165 * The meaning of index numbers into this array are defined by
1166 * enum CERTRevocationMethodIndex
1167 * The size of the array must be specified by the caller in the separate
1168 * variable number_of_defined_methods.
1169 * The size of the array may be smaller than
1170 * cert_revocation_method_count, it can happen if a caller
1171 * is not yet aware of the latest revocation methods
1172 * (or does not want to use them).
1174 PRUint64 *cert_rev_flags_per_method;
1177 * How many preferred methods are specified?
1178 * This is equivalent to the size of the array that
1179 * preferred_revocation_methods points to.
1180 * It's allowed to set this value to zero,
1181 * then NSS will decide which methods to prefer.
1183 PRUint32 number_of_preferred_methods;
1185 /* Array that may specify an optional order of preferred methods.
1186 * Each array entry shall contain a method identifier as defined
1187 * by CERTRevocationMethodIndex.
1188 * The entry at index [0] specifies the method with highest preferrence.
1189 * These methods will be tested first for locally available information.
1190 * Methods allowed for downloading will be attempted in the same order.
1192 CERTRevocationMethodIndex *preferred_methods;
1195 * An integer which defines certain aspects of revocation checking
1196 * (independent of individual methods) by having individual
1197 * CERT_REV_MI_* bits set or not set.
1199 PRUint64 cert_rev_method_independent_flags;
1200 } CERTRevocationTests;
1203 CERTRevocationTests leafTests;
1204 CERTRevocationTests chainTests;
1205 } CERTRevocationFlags;
1207 typedef struct CERTValParamInValueStr {
1219 const CERTCertificate* cert;
1220 const CERTCertList *chain;
1221 const CERTRevocationFlags *revocation;
1222 const CERTChainVerifyCallback *chainVerifyCallback;
1226 const PRUint32 *pui;
1228 const PRUint64 *pul;
1229 const SECOidTag *oids;
1232 } CERTValParamInValue;
1235 typedef struct CERTValParamOutValueStr {
1242 SECCertificateUsage usages;
1248 CERTCertificate* cert;
1249 CERTCertList *chain;
1256 } CERTValParamOutValue;
1259 CERTValParamInType type;
1260 CERTValParamInValue value;
1264 CERTValParamOutType type;
1265 CERTValParamOutValue value;
1269 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1271 typedef enum CertStrictnessLevels {
1272 CERT_N2A_READABLE = 0, /* maximum human readability */
1273 CERT_N2A_STRICT = 10, /* strict RFC compliance */
1274 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
1275 all DirectoryStrings encoded in hex */
1276 } CertStrictnessLevel;
1279 * policy flag defines
1281 #define CERT_POLICY_FLAG_NO_MAPPING 1
1282 #define CERT_POLICY_FLAG_EXPLICIT 2
1283 #define CERT_POLICY_FLAG_NO_ANY 4
1288 #define CERT_ENABLE_LDAP_FETCH 1
1289 #define CERT_ENABLE_HTTP_FETCH 2
1291 /* This functin pointer type may be used for any function that takes
1292 * a CERTCertificate * and returns an allocated string, which must be
1293 * freed by a call to PORT_Free.
1295 typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
1297 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1299 #include "secasn1t.h" /* way down here because I expect template stuff to
1300 * move out of here anyway */
1304 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1305 extern const SEC_ASN1Template CERT_CertificateTemplate[];
1306 extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1307 extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1308 extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1309 extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1310 extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1311 extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1312 extern const SEC_ASN1Template CERT_ValidityTemplate[];
1313 extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1314 extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1316 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1317 extern const SEC_ASN1Template CERT_NameTemplate[];
1318 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1319 extern const SEC_ASN1Template CERT_RDNTemplate[];
1320 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1321 extern const SEC_ASN1Template CERT_CrlTemplate[];
1322 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1325 ** XXX should the attribute stuff be centralized for all of ns/security?
1327 extern const SEC_ASN1Template CERT_AttributeTemplate[];
1328 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1330 /* These functions simply return the address of the above-declared templates.
1331 ** This is necessary for Windows DLLs. Sigh.
1333 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1334 SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1335 SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1336 SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1337 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1338 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1339 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1340 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1341 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1342 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1343 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1344 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1348 #endif /* _CERTT_H_ */