1/* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4/*
5 * certt.h - public data structures for the certificate library
6 */
7#ifndef _CERTT_H_
8#define _CERTT_H_
9
10#include "prclist.h"
11#include "pkcs11t.h"
12#include "seccomon.h"
13#include "secmodt.h"
14#include "secoidt.h"
15#include "plarena.h"
16#include "prcvar.h"
17#include "nssilock.h"
18#include "prio.h"
19#include "prmon.h"
20
21/* Stan data types */
22struct NSSCertificateStr;
23struct NSSTrustDomainStr;
24
25/* Non-opaque objects */
26typedef struct CERTAVAStr CERTAVA;
27typedef struct CERTAttributeStr CERTAttribute;
28typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
29typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
30typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
31typedef struct NSSTrustDomainStr CERTCertDBHandle;
32typedef struct CERTCertExtensionStr CERTCertExtension;
33typedef struct CERTCertKeyStr CERTCertKey;
34typedef struct CERTCertListStr CERTCertList;
35typedef struct CERTCertListNodeStr CERTCertListNode;
36typedef struct CERTCertNicknamesStr CERTCertNicknames;
37typedef struct CERTCertTrustStr CERTCertTrust;
38typedef struct CERTCertificateStr CERTCertificate;
39typedef struct CERTCertificateListStr CERTCertificateList;
40typedef struct CERTCertificateRequestStr CERTCertificateRequest;
41typedef struct CERTCrlStr CERTCrl;
42typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
43typedef struct CERTCrlEntryStr CERTCrlEntry;
44typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
45typedef struct CERTCrlKeyStr CERTCrlKey;
46typedef struct CERTCrlNodeStr CERTCrlNode;
47typedef struct CERTDERCertsStr CERTDERCerts;
48typedef struct CERTDistNamesStr CERTDistNames;
49typedef struct CERTGeneralNameStr CERTGeneralName;
50typedef struct CERTGeneralNameListStr CERTGeneralNameList;
51typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
52typedef struct CERTNameStr CERTName;
53typedef struct CERTNameConstraintStr CERTNameConstraint;
54typedef struct CERTNameConstraintsStr CERTNameConstraints;
55typedef struct CERTOKDomainNameStr CERTOKDomainName;
56typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
57typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
58typedef struct CERTRDNStr CERTRDN;
59typedef struct CERTSignedCrlStr CERTSignedCrl;
60typedef struct CERTSignedDataStr CERTSignedData;
61typedef struct CERTStatusConfigStr CERTStatusConfig;
62typedef struct CERTSubjectListStr CERTSubjectList;
63typedef struct CERTSubjectNodeStr CERTSubjectNode;
64typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
65typedef struct CERTValidityStr CERTValidity;
66typedef struct CERTVerifyLogStr CERTVerifyLog;
67typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
68typedef struct CRLDistributionPointStr CRLDistributionPoint;
69
70/* CRL extensions type */
71typedef unsigned long CERTCrlNumber;
72
73/*
74** An X.500 AVA object
75*/
76struct CERTAVAStr {
77 SECItem type;
78 SECItem value;
79};
80
81/*
82** An X.500 RDN object
83*/
84struct CERTRDNStr {
85 CERTAVA **avas;
86};
87
88/*
89** An X.500 name object
90*/
91struct CERTNameStr {
92 PLArenaPool *arena;
93 CERTRDN **rdns;
94};
95
96/*
97** An X.509 validity object
98*/
99struct CERTValidityStr {
100 PLArenaPool *arena;
101 SECItem notBefore;
102 SECItem notAfter;
103};
104
105/*
106 * A serial number and issuer name, which is used as a database key
107 */
108struct CERTCertKeyStr {
109 SECItem serialNumber;
110 SECItem derIssuer;
111};
112
113/*
114** A signed data object. Used to implement the "signed" macro used
115** in the X.500 specs.
116*/
117struct CERTSignedDataStr {
118 SECItem data;
119 SECAlgorithmID signatureAlgorithm;
120 SECItem signature;
121};
122
123/*
124** An X.509 subject-public-key-info object
125*/
126struct CERTSubjectPublicKeyInfoStr {
127 PLArenaPool *arena;
128 SECAlgorithmID algorithm;
129 SECItem subjectPublicKey;
130};
131
132struct CERTPublicKeyAndChallengeStr {
133 SECItem spki;
134 SECItem challenge;
135};
136
137struct CERTCertTrustStr {
138 unsigned int sslFlags;
139 unsigned int emailFlags;
140 unsigned int objectSigningFlags;
141};
142
143/*
144 * defined the types of trust that exist
145 */
146typedef enum SECTrustTypeEnum {
147 trustSSL = 0,
148 trustEmail = 1,
149 trustObjectSigning = 2,
150 trustTypeNone = 3
151} SECTrustType;
152
153#define SEC_GET_TRUST_FLAGS(trust, type) \
154 (((type) == trustSSL) \
155 ? ((trust)->sslFlags) \
156 : (((type) == trustEmail) ? ((trust)->emailFlags) \
157 : (((type) == trustObjectSigning) \
158 ? ((trust)->objectSigningFlags) \
159 : 0)))
160
161/*
162** An X.509.3 certificate extension
163*/
164struct CERTCertExtensionStr {
165 SECItem id;
166 SECItem critical;
167 SECItem value;
168};
169
170struct CERTSubjectNodeStr {
171 struct CERTSubjectNodeStr *next;
172 struct CERTSubjectNodeStr *prev;
173 SECItem certKey;
174 SECItem keyID;
175};
176
177struct CERTSubjectListStr {
178 PLArenaPool *arena;
179 int ncerts;
180 char *emailAddr;
181 CERTSubjectNode *head;
182 CERTSubjectNode *tail; /* do we need tail? */
183 void *entry;
184};
185
186/*
187** An X.509 certificate object (the unsigned form)
188*/
189struct CERTCertificateStr {
190 /* the arena is used to allocate any data structures that have the same
191 * lifetime as the cert. This is all stuff that hangs off of the cert
192 * structure, and is all freed at the same time. It is used when the
193 * cert is decoded, destroyed, and at some times when it changes
194 * state
195 */
196 PLArenaPool *arena;
197
198 /* The following fields are static after the cert has been decoded */
199 char *subjectName;
200 char *issuerName;
201 CERTSignedData signatureWrap; /* XXX */
202 SECItem derCert; /* original DER for the cert */
203 SECItem derIssuer; /* DER for issuer name */
204 SECItem derSubject; /* DER for subject name */
205 SECItem derPublicKey; /* DER for the public key */
206 SECItem certKey; /* database key for this cert */
207 SECItem version;
208 SECItem serialNumber;
209 SECAlgorithmID signature;
210 CERTName issuer;
211 CERTValidity validity;
212 CERTName subject;
213 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
214 SECItem issuerID;
215 SECItem subjectID;
216 CERTCertExtension **extensions;
217 char *emailAddr;
218 CERTCertDBHandle *dbhandle;
219 SECItem subjectKeyID; /* x509v3 subject key identifier */
220 PRBool keyIDGenerated; /* was the keyid generated? */
221 unsigned int keyUsage; /* what uses are allowed for this cert */
222 unsigned int rawKeyUsage; /* value of the key usage extension */
223 PRBool keyUsagePresent; /* was the key usage extension present */
224 PRUint32 nsCertType; /* value of the ns cert type extension */
225 /* must be 32-bit for PR_ATOMIC_SET */
226
227 /* these values can be set by the application to bypass certain checks
228 * or to keep the cert in memory for an entire session.
229 * XXX - need an api to set these
230 */
231 PRBool keepSession; /* keep this cert for entire session*/
232 PRBool timeOK; /* is the bad validity time ok? */
233 CERTOKDomainName *domainOK; /* these domain names are ok */
234
235 /*
236 * these values can change when the cert changes state. These state
237 * changes include transitions from temp to perm or vice-versa, and
238 * changes of trust flags
239 */
240 PRBool isperm;
241 PRBool istemp;
242 char *nickname;
243 char *dbnickname;
244 struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
245 CERTCertTrust *trust;
246
247 /* the reference count is modified whenever someone looks up, dups
248 * or destroys a certificate
249 */
250 int referenceCount;
251
252 /* The subject list is a list of all certs with the same subject name.
253 * It can be modified any time a cert is added or deleted from either
254 * the in-memory(temporary) or on-disk(permanent) database.
255 */
256 CERTSubjectList *subjectList;
257
258 /* these belong in the static section, but are here to maintain
259 * the structure's integrity
260 */
261 CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */
262 PRBool isRoot; /* cert is the end of a chain */
263
264 /* these fields are used by client GUI code to keep track of ssl sockets
265 * that are blocked waiting on GUI feedback related to this cert.
266 * XXX - these should be moved into some sort of application specific
267 * data structure. They are only used by the browser right now.
268 */
269 union {
270 void *apointer; /* was struct SECSocketNode* authsocketlist */
271 struct {
272 unsigned int hasUnsupportedCriticalExt : 1;
273 /* add any new option bits needed here */
274 } bits;
275 } options;
276 int series; /* was int authsocketcount; record the series of the pkcs11ID */
277
278 /* This is PKCS #11 stuff. */
279 PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
280 CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
281 PRBool ownSlot; /*true if the cert owns the slot reference */
282};
283#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
284#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
285#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
286
287#define SEC_CRL_VERSION_1 0 /* default */
288#define SEC_CRL_VERSION_2 1 /* v2 extensions */
289
290/*
291 * used to identify class of cert in mime stream code
292 */
293#define SEC_CERT_CLASS_CA 1
294#define SEC_CERT_CLASS_SERVER 2
295#define SEC_CERT_CLASS_USER 3
296#define SEC_CERT_CLASS_EMAIL 4
297
298struct CERTDERCertsStr {
299 PLArenaPool *arena;
300 int numcerts;
301 SECItem *rawCerts;
302};
303
304/*
305** A PKCS ? Attribute
306** XXX this is duplicated through out the code, it *should* be moved
307** to a central location. Where would be appropriate?
308*/
309struct CERTAttributeStr {
310 SECItem attrType;
311 SECItem **attrValue;
312};
313
314/*
315** A PKCS#10 certificate-request object (the unsigned form)
316*/
317struct CERTCertificateRequestStr {
318 PLArenaPool *arena;
319 SECItem version;
320 CERTName subject;
321 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
322 CERTAttribute **attributes;
323};
324#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
325
326/*
327** A certificate list object.
328*/
329struct CERTCertificateListStr {
330 SECItem *certs;
331 int len; /* number of certs */
332 PLArenaPool *arena;
333};
334
335struct CERTCertListNodeStr {
336 PRCList links;
337 CERTCertificate *cert;
338 void *appData;
339};
340
341struct CERTCertListStr {
342 PRCList list;
343 PLArenaPool *arena;
344};
345
346#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
347#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
348#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
349#define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
350#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
351
352struct CERTCrlEntryStr {
353 SECItem serialNumber;
354 SECItem revocationDate;
355 CERTCertExtension **extensions;
356};
357
358struct CERTCrlStr {
359 PLArenaPool *arena;
360 SECItem version;
361 SECAlgorithmID signatureAlg;
362 SECItem derName;
363 CERTName name;
364 SECItem lastUpdate;
365 SECItem nextUpdate; /* optional for x.509 CRL */
366 CERTCrlEntry **entries;
367 CERTCertExtension **extensions;
368 /* can't add anything there for binary backwards compatibility reasons */
369};
370
371struct CERTCrlKeyStr {
372 SECItem derName;
373 SECItem dummy; /* The decoder can not skip a primitive,
374 this serves as a place holder for the
375 decoder to finish its task only
376 */
377};
378
379struct CERTSignedCrlStr {
380 PLArenaPool *arena;
381 CERTCrl crl;
382 void *reserved1;
383 PRBool reserved2;
384 PRBool isperm;
385 PRBool istemp;
386 int referenceCount;
387 CERTCertDBHandle *dbhandle;
388 CERTSignedData signatureWrap; /* XXX */
389 char *url;
390 SECItem *derCrl;
391 PK11SlotInfo *slot;
392 CK_OBJECT_HANDLE pkcs11ID;
393 void *opaque; /* do not touch */
394};
395
396struct CERTCrlHeadNodeStr {
397 PLArenaPool *arena;
398 CERTCertDBHandle *dbhandle;
399 CERTCrlNode *first;
400 CERTCrlNode *last;
401};
402
403struct CERTCrlNodeStr {
404 CERTCrlNode *next;
405 int type;
406 CERTSignedCrl *crl;
407};
408
409/*
410 * Array of X.500 Distinguished Names
411 */
412struct CERTDistNamesStr {
413 PLArenaPool *arena;
414 int nnames;
415 SECItem *names;
416 void *head; /* private */
417};
418
419#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
420#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
421#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
422#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
423#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
424#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
425#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
426#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
427
428#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
429#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
430
431#define NS_CERT_TYPE_APP \
432 (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
433 NS_CERT_TYPE_OBJECT_SIGNING)
434
435#define NS_CERT_TYPE_CA \
436 (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
437 NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
438typedef enum SECCertUsageEnum {
439 certUsageSSLClient = 0,
440 certUsageSSLServer = 1,
441 certUsageSSLServerWithStepUp = 2,
442 certUsageSSLCA = 3,
443 certUsageEmailSigner = 4,
444 certUsageEmailRecipient = 5,
445 certUsageObjectSigner = 6,
446 certUsageUserCertImport = 7,
447 certUsageVerifyCA = 8,
448 certUsageProtectedObjectSigner = 9,
449 certUsageStatusResponder = 10,
450 certUsageAnyCA = 11,
451 certUsageIPsec = 12
452} SECCertUsage;
453
454typedef PRInt64 SECCertificateUsage;
455
456#define certificateUsageCheckAllUsages (0x0000)
457#define certificateUsageSSLClient (0x0001)
458#define certificateUsageSSLServer (0x0002)
459#define certificateUsageSSLServerWithStepUp (0x0004)
460#define certificateUsageSSLCA (0x0008)
461#define certificateUsageEmailSigner (0x0010)
462#define certificateUsageEmailRecipient (0x0020)
463#define certificateUsageObjectSigner (0x0040)
464#define certificateUsageUserCertImport (0x0080)
465#define certificateUsageVerifyCA (0x0100)
466#define certificateUsageProtectedObjectSigner (0x0200)
467#define certificateUsageStatusResponder (0x0400)
468#define certificateUsageAnyCA (0x0800)
469#define certificateUsageIPsec (0x1000)
470
471#define certificateUsageHighest certificateUsageIPsec
472
473/*
474 * Does the cert belong to the user, a peer, or a CA.
475 */
476typedef enum CERTCertOwnerEnum {
477 certOwnerUser = 0,
478 certOwnerPeer = 1,
479 certOwnerCA = 2
480} CERTCertOwner;
481
482/*
483 * This enum represents the state of validity times of a certificate
484 */
485typedef enum SECCertTimeValidityEnum {
486 secCertTimeValid = 0,
487 secCertTimeExpired = 1,
488 secCertTimeNotValidYet = 2,
489 secCertTimeUndetermined = 3 /* validity could not be decoded from the
490 cert, most likely because it was NULL */
491} SECCertTimeValidity;
492
493/*
494 * This is used as return status in functions that compare the validity
495 * periods of two certificates A and B, currently only
496 * CERT_CompareValidityTimes.
497 */
498
499typedef enum CERTCompareValidityStatusEnum {
500 certValidityUndetermined = 0, /* the function is unable to select one cert
501 over another */
502 certValidityChooseB = 1, /* cert B should be preferred */
503 certValidityEqual = 2, /* both certs have the same validity period */
504 certValidityChooseA = 3 /* cert A should be preferred */
505} CERTCompareValidityStatus;
506
507/*
508 * Interface for getting certificate nickname strings out of the database
509 */
510
511/* these are values for the what argument below */
512#define SEC_CERT_NICKNAMES_ALL 1
513#define SEC_CERT_NICKNAMES_USER 2
514#define SEC_CERT_NICKNAMES_SERVER 3
515#define SEC_CERT_NICKNAMES_CA 4
516
517struct CERTCertNicknamesStr {
518 PLArenaPool *arena;
519 void *head;
520 int numnicknames;
521 char **nicknames;
522 int what;
523 int totallen;
524};
525
526struct CERTIssuerAndSNStr {
527 SECItem derIssuer;
528 CERTName issuer;
529 SECItem serialNumber;
530};
531
532/* X.509 v3 Key Usage Extension flags */
533#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
534#define KU_NON_REPUDIATION (0x40) /* bit 1 */
535#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
536#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
537#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
538#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
539#define KU_CRL_SIGN (0x02) /* bit 6 */
540#define KU_ENCIPHER_ONLY (0x01) /* bit 7 */
541#define KU_ALL \
542 (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \
543 KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \
544 KU_CRL_SIGN | KU_ENCIPHER_ONLY)
545
546/* This value will not occur in certs. It is used internally for the case
547 * when either digital signature or non-repudiation is the correct value.
548 */
549#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
550
551/* This value will not occur in certs. It is used internally for the case
552 * when the key type is not know ahead of time and either key agreement or
553 * key encipherment are the correct value based on key type
554 */
555#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
556
557/* internal bits that do not match bits in the x509v3 spec, but are used
558 * for similar purposes
559 */
560#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
561/*
562* x.509 v3 Basic Constraints Extension
563* If isCA is false, the pathLenConstraint is ignored.
564* Otherwise, the following pathLenConstraint values will apply:
565* < 0 - there is no limit to the certificate path
566* 0 - CA can issues end-entity certificates only
567* > 0 - the number of certificates in the certificate path is
568* limited to this number
569*/
570#define CERT_UNLIMITED_PATH_CONSTRAINT -2
571
572struct CERTBasicConstraintsStr {
573 PRBool isCA; /* on if is CA */
574 int pathLenConstraint; /* maximum number of certificates that can be
575 in the cert path. Only applies to a CA
576 certificate; otherwise, it's ignored.
577 */
578};
579
580/* Maximum length of a certificate chain */
581#define CERT_MAX_CERT_CHAIN 20
582
583#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
584#define CERT_MAX_DN_BYTES 4096 /* arbitrary */
585
586/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
587#define RF_UNUSED (0x80) /* bit 0 */
588#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
589#define RF_CA_COMPROMISE (0x20) /* bit 2 */
590#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
591#define RF_SUPERSEDED (0x08) /* bit 4 */
592#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
593#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
594
595/* enum for CRL Entry Reason Code */
596typedef enum CERTCRLEntryReasonCodeEnum {
597 crlEntryReasonUnspecified = 0,
598 crlEntryReasonKeyCompromise = 1,
599 crlEntryReasonCaCompromise = 2,
600 crlEntryReasonAffiliationChanged = 3,
601 crlEntryReasonSuperseded = 4,
602 crlEntryReasonCessationOfOperation = 5,
603 crlEntryReasoncertificatedHold = 6,
604 crlEntryReasonRemoveFromCRL = 8,
605 crlEntryReasonPrivilegeWithdrawn = 9,
606 crlEntryReasonAaCompromise = 10
607} CERTCRLEntryReasonCode;
608
609/* If we needed to extract the general name field, use this */
610/* General Name types */
611typedef enum CERTGeneralNameTypeEnum {
612 certOtherName = 1,
613 certRFC822Name = 2,
614 certDNSName = 3,
615 certX400Address = 4,
616 certDirectoryName = 5,
617 certEDIPartyName = 6,
618 certURI = 7,
619 certIPAddress = 8,
620 certRegisterID = 9
621} CERTGeneralNameType;
622
623typedef struct OtherNameStr {
624 SECItem name;
625 SECItem oid;
626} OtherName;
627
628struct CERTGeneralNameStr {
629 CERTGeneralNameType type; /* name type */
630 union {
631 CERTName directoryName; /* distinguish name */
632 OtherName OthName; /* Other Name */
633 SECItem other; /* the rest of the name forms */
634 } name;
635 SECItem derDirectoryName; /* this is saved to simplify directory name
636 comparison */
637 PRCList l;
638};
639
640struct CERTGeneralNameListStr {
641 PLArenaPool *arena;
642 CERTGeneralName *name;
643 int refCount;
644 int len;
645 PZLock *lock;
646};
647
648struct CERTNameConstraintStr {
649 CERTGeneralName name;
650 SECItem DERName;
651 SECItem min;
652 SECItem max;
653 PRCList l;
654};
655
656struct CERTNameConstraintsStr {
657 CERTNameConstraint *permited;
658 CERTNameConstraint *excluded;
659 SECItem **DERPermited;
660 SECItem **DERExcluded;
661};
662
663/* Private Key Usage Period extension struct. */
664struct CERTPrivKeyUsagePeriodStr {
665 SECItem notBefore;
666 SECItem notAfter;
667 PLArenaPool *arena;
668};
669
670/* X.509 v3 Authority Key Identifier extension. For the authority certificate
671 issuer field, we only support URI now.
672 */
673struct CERTAuthKeyIDStr {
674 SECItem keyID; /* unique key identifier */
675 CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
676 SECItem authCertSerialNumber; /* CA's certificate serial number */
677 SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
678 the authCertIssuer field. It is used
679 by the encoding engine. It should be
680 used as a read only field by the caller.
681 */
682};
683
684/* x.509 v3 CRL Distributeion Point */
685
686/*
687 * defined the types of CRL Distribution points
688 */
689typedef enum DistributionPointTypesEnum {
690 generalName = 1, /* only support this for now */
691 relativeDistinguishedName = 2
692} DistributionPointTypes;
693
694struct CRLDistributionPointStr {
695 DistributionPointTypes distPointType;
696 union {
697 CERTGeneralName *fullName;
698 CERTRDN relativeName;
699 } distPoint;
700 SECItem reasons;
701 CERTGeneralName *crlIssuer;
702
703 /* Reserved for internal use only*/
704 SECItem derDistPoint;
705 SECItem derRelativeName;
706 SECItem **derCrlIssuer;
707 SECItem **derFullName;
708 SECItem bitsmap;
709};
710
711struct CERTCrlDistributionPointsStr {
712 CRLDistributionPoint **distPoints;
713};
714
715/*
716 * This structure is used to keep a log of errors when verifying
717 * a cert chain. This allows multiple errors to be reported all at
718 * once.
719 */
720struct CERTVerifyLogNodeStr {
721 CERTCertificate *cert; /* what cert had the error */
722 long error; /* what error was it? */
723 unsigned int depth; /* how far up the chain are we */
724 void *arg; /* error specific argument */
725 struct CERTVerifyLogNodeStr *next; /* next in the list */
726 struct CERTVerifyLogNodeStr *prev; /* next in the list */
727};
728
729struct CERTVerifyLogStr {
730 PLArenaPool *arena;
731 unsigned int count;
732 struct CERTVerifyLogNodeStr *head;
733 struct CERTVerifyLogNodeStr *tail;
734};
735
736struct CERTOKDomainNameStr {
737 CERTOKDomainName *next;
738 char *name;
739};
740
741typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle,
742 CERTCertificate *cert,
743 PRTime time, void *pwArg);
744
745typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle);
746
747struct CERTStatusConfigStr {
748 CERTStatusChecker statusChecker; /* NULL means no checking enabled */
749 CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
750 void *statusContext; /* cx specific to checking protocol */
751};
752
753struct CERTAuthInfoAccessStr {
754 SECItem method;
755 SECItem derLocation;
756 CERTGeneralName *location; /* decoded location */
757};
758
759/* This is the typedef for the callback passed to CERT_OpenCertDB() */
760/* callback to return database name based on version number */
761typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion);
762
763/*
764 * types of cert packages that we can decode
765 */
766typedef enum CERTPackageTypeEnum {
767 certPackageNone = 0,
768 certPackageCert = 1,
769 certPackagePKCS7 = 2,
770 certPackageNSCertSeq = 3,
771 certPackageNSCertWrap = 4
772} CERTPackageType;
773
774/*
775 * these types are for the PKIX Certificate Policies extension
776 */
777typedef struct {
778 SECOidTag oid;
779 SECItem qualifierID;
780 SECItem qualifierValue;
781} CERTPolicyQualifier;
782
783typedef struct {
784 SECOidTag oid;
785 SECItem policyID;
786 CERTPolicyQualifier **policyQualifiers;
787} CERTPolicyInfo;
788
789typedef struct {
790 PLArenaPool *arena;
791 CERTPolicyInfo **policyInfos;
792} CERTCertificatePolicies;
793
794typedef struct {
795 SECItem organization;
796 SECItem **noticeNumbers;
797} CERTNoticeReference;
798
799typedef struct {
800 PLArenaPool *arena;
801 CERTNoticeReference noticeReference;
802 SECItem derNoticeReference;
803 SECItem displayText;
804} CERTUserNotice;
805
806typedef struct {
807 PLArenaPool *arena;
808 SECItem **oids;
809} CERTOidSequence;
810
811/*
812 * these types are for the PKIX Policy Mappings extension
813 */
814typedef struct {
815 SECItem issuerDomainPolicy;
816 SECItem subjectDomainPolicy;
817} CERTPolicyMap;
818
819typedef struct {
820 PLArenaPool *arena;
821 CERTPolicyMap **policyMaps;
822} CERTCertificatePolicyMappings;
823
824/*
825 * these types are for the PKIX inhibitAnyPolicy extension
826 */
827typedef struct {
828 SECItem inhibitAnySkipCerts;
829} CERTCertificateInhibitAny;
830
831/*
832 * these types are for the PKIX Policy Constraints extension
833 */
834typedef struct {
835 SECItem explicitPolicySkipCerts;
836 SECItem inhibitMappingSkipCerts;
837} CERTCertificatePolicyConstraints;
838
839/*
840 * These types are for the validate chain callback param.
841 *
842 * CERTChainVerifyCallback is an application-supplied callback that can be used
843 * to augment libpkix's certificate chain validation with additional
844 * application-specific checks. It may be called multiple times if there are
845 * multiple potentially-valid paths for the certificate being validated. This
846 * callback is called before revocation checking is done on the certificates in
847 * the given chain.
848 *
849 * - isValidChainArg contains the application-provided opaque argument
850 * - currentChain is the currently validated chain. It is ordered with the leaf
851 * certificate at the head and the trust anchor at the tail.
852 *
853 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
854 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
855 * return SECSuccess if the chain is unacceptable, to indicate that the given
856 * chain is bad and path building should continue. It should return SECFailure
857 * to indicate an fatal error that will cause path validation to fail
858 * immediately.
859 */
860typedef SECStatus (*CERTChainVerifyCallbackFunc)(
861 void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK);
862
863/*
864 * Note: If extending this structure, it will be necessary to change the
865 * associated CERTValParamInType
866 */
867typedef struct {
868 CERTChainVerifyCallbackFunc isChainValid;
869 void *isChainValidArg;
870} CERTChainVerifyCallback;
871
872/*
873 * these types are for the CERT_PKIX* Verification functions
874 * These are all optional parameters.
875 */
876
877typedef enum {
878 cert_pi_end = 0, /* SPECIAL: signifies end of array of
879 * CERTValParam* */
880 cert_pi_nbioContext = 1, /* specify a non-blocking IO context used to
881 * resume a session. If this argument is
882 * specified, no other arguments should be.
883 * Specified in value.pointer.p. If the
884 * operation completes the context will be
885 * freed. */
886 cert_pi_nbioAbort = 2, /* specify a non-blocking IO context for an
887 * existing operation which the caller wants
888 * to abort. If this argument is
889 * specified, no other arguments should be.
890 * Specified in value.pointer.p. If the
891 * operation succeeds the context will be
892 * freed. */
893 cert_pi_certList = 3, /* specify the chain to validate against. If
894 * this value is given, then the path
895 * construction step in the validation is
896 * skipped. Specified in value.pointer.chain */
897 cert_pi_policyOID = 4, /* validate certificate for policy OID.
898 * Specified in value.array.oids. Cert must
899 * be good for at least one OID in order
900 * to validate. Default is that the user is not
901 * concerned about certificate policy. */
902 cert_pi_policyFlags = 5, /* flags for each policy specified in policyOID.
903 * Specified in value.scalar.ul. Policy flags
904 * apply to all specified oids.
905 * Use CERT_POLICY_FLAG_* macros below. If not
906 * specified policy flags default to 0 */
907 cert_pi_keyusage = 6, /* specify what the keyusages the certificate
908 * will be evaluated against, specified in
909 * value.scalar.ui. The cert must validate for
910 * at least one of the specified key usages.
911 * Values match the KU_ bit flags defined
912 * in this file. Default is derived from
913 * the 'usages' function argument */
914 cert_pi_extendedKeyusage = 7, /* specify what the required extended key
915 * usage of the certificate. Specified as
916 * an array of oidTags in value.array.oids.
917 * The cert must validate for at least one
918 * of the specified extended key usages.
919 * If not specified, no extended key usages
920 * will be checked. */
921 cert_pi_date = 8, /* validate certificate is valid as of date
922 * specified in value.scalar.time. A special
923 * value '0' indicates 'now'. default is '0' */
924 cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
925 * See CERT_REV_FLAG_* macros below
926 * Set in value.pointer.revocation */
927 cert_pi_certStores = 10, /* Bitmask of Cert Store flags (see below)
928 * Set in value.scalar.ui */
929 cert_pi_trustAnchors =
930 11, /* Specify the list of trusted roots to
931 * validate against.
932 * The default set of trusted roots, these are
933 * root CA certs from libnssckbi.so or CA
934 * certs trusted by user, are used in any of
935 * the following cases:
936 * * when the parameter is not set.
937 * * when the list of trust anchors is
938 * empty.
939 * Note that this handling can be further
940 * altered by altering the
941 * cert_pi_useOnlyTrustAnchors flag
942 * Specified in value.pointer.chain */
943 cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
944 * In NSS 3.12.1 or later. Default is off.
945 * Value is in value.scalar.b */
946 cert_pi_chainVerifyCallback = 13,
947 /* The callback container for doing extra
948 * validation on the currently calculated chain.
949 * Value is in value.pointer.chainVerifyCallback */
950 cert_pi_useOnlyTrustAnchors = 14,
951 /* If true, disables trusting any
952 * certificates other than the ones passed in via cert_pi_trustAnchors.
953 * If false, then the certificates specified via cert_pi_trustAnchors
954 * will be combined with the pre-existing trusted roots, but only
955 * for the certificate validation being performed.
956 * If no value has been supplied via cert_pi_trustAnchors, this has
957 * no effect.
958 * The default value is true, meaning if this is not supplied, only
959 * trust anchors supplied via cert_pi_trustAnchors are trusted.
960 * Specified in value.scalar.b */
961 cert_pi_max /* SPECIAL: signifies maximum allowed value,
962 * can increase in future releases */
963} CERTValParamInType;
964
965/*
966 * for all out parameters:
967 * out parameters are only returned if the caller asks for them in
968 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
969 * array itself. The pkix verify function will allocate and other arrays
970 * pointers, or objects. The Caller is responsible for freeing those results.
971 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
972 */
973typedef enum {
974 cert_po_end = 0, /* SPECIAL: signifies end of array of
975 * CERTValParam* */
976 cert_po_nbioContext = 1, /* Return a nonblocking context. If no
977 * non-blocking context is specified, then
978 * blocking IO will be used.
979 * Returned in value.pointer.p. The context is
980 * freed after an abort or a complete operation.
981 * This value is only returned on SECWouldBlock.
982 */
983 cert_po_trustAnchor = 2, /* Return the trust anchor for the chain that
984 * was validated. Returned in
985 * value.pointer.cert, this value is only
986 * returned on SECSuccess. */
987 cert_po_certList = 3, /* Return the entire chain that was validated.
988 * Returned in value.pointer.certList. If no
989 * chain could be constructed, this value
990 * would be NULL. */
991 cert_po_policyOID = 4, /* Return the policies that were found to be
992 * valid. Returned in value.array.oids as an
993 * array. This is only returned on
994 * SECSuccess. */
995 cert_po_errorLog = 5, /* Return a log of problems with the chain.
996 * Returned in value.pointer.log */
997 cert_po_usages = 6, /* Return what usages the certificate is valid
998 for. Returned in value.scalar.usages */
999 cert_po_keyUsage = 7, /* Return what key usages the certificate
1000 * is valid for.
1001 * Returned in value.scalar.usage */
1002 cert_po_extendedKeyusage = 8, /* Return what extended key usages the
1003 * certificate is valid for.
1004 * Returned in value.array.oids */
1005 cert_po_max /* SPECIAL: signifies maximum allowed value,
1006 * can increase in future releases */
1007
1008} CERTValParamOutType;
1009
1010typedef enum {
1011 cert_revocation_method_crl = 0,
1012 cert_revocation_method_ocsp,
1013 cert_revocation_method_count
1014} CERTRevocationMethodIndex;
1015
1016/*
1017 * The following flags are supposed to be used to control bits in
1018 * each integer contained in the array pointed to be:
1019 * CERTRevocationTests.cert_rev_flags_per_method
1020 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1021 * this is a method dependent flag.
1022 */
1023
1024/*
1025 * Whether or not to use a method for revocation testing.
1026 * If set to "do not test", then all other flags are ignored.
1027 */
1028#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1029#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1030
1031/*
1032 * Whether or not NSS is allowed to attempt to fetch fresh information
1033 * from the network.
1034 * (Although fetching will never happen if fresh information for the
1035 * method is already locally available.)
1036 */
1037#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1038#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1039
1040/*
1041 * Example for an implicit default source:
1042 * The globally configured default OCSP responder.
1043 * IGNORE means:
1044 * ignore the implicit default source, whether it's configured or not.
1045 * ALLOW means:
1046 * if an implicit default source is configured,
1047 * then it overrides any available or missing source in the cert.
1048 * if no implicit default source is configured,
1049 * then we continue to use what's available (or not available)
1050 * in the certs.
1051 */
1052#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1053#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1054
1055/*
1056 * Defines the behavior if no fresh information is available,
1057 * fetching from the network is allowed, but the source of revocation
1058 * information is unknown (even after considering implicit sources,
1059 * if allowed by other flags).
1060 * SKIPT_TEST means:
1061 * We ignore that no fresh information is available and
1062 * skip this test.
1063 * REQUIRE_INFO means:
1064 * We still require that fresh information is available.
1065 * Other flags define what happens on missing fresh info.
1066 */
1067#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1068#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1069
1070/*
1071 * Defines the behavior if we are unable to obtain fresh information.
1072 * INGORE means:
1073 * Return "cert status unknown"
1074 * FAIL means:
1075 * Return "cert revoked".
1076 */
1077#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1078#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1079
1080/*
1081 * What should happen if we were able to find fresh information using
1082 * this method, and the data indicated the cert is good?
1083 * STOP_TESTING means:
1084 * Our success is sufficient, do not continue testing
1085 * other methods.
1086 * CONTINUE_TESTING means:
1087 * We will continue and test the next allowed
1088 * specified method.
1089 */
1090#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1091#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1092
1093/* When this flag is used, libpkix will never attempt to use the GET HTTP
1094 * method for OCSP requests; it will always use POST.
1095 */
1096#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1097
1098/*
1099 * The following flags are supposed to be used to control bits in
1100 * CERTRevocationTests.cert_rev_method_independent_flags
1101 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1102 * this is a method independent flag.
1103 */
1104
1105/*
1106 * This defines the order to checking.
1107 * EACH_METHOD_SEPARATELY means:
1108 * Do all tests related to a particular allowed method
1109 * (both local information and network fetching) in a single step.
1110 * Only after testing for a particular method is done,
1111 * then switching to the next method will happen.
1112 * ALL_LOCAL_INFORMATION_FIRST means:
1113 * Start by testing the information for all allowed methods
1114 * which are already locally available. Only after that is done
1115 * consider to fetch from the network (as allowed by other flags).
1116 */
1117#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1118#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1119
1120/*
1121 * Use this flag to specify that it's necessary that fresh information
1122 * is available for at least one of the allowed methods, but it's
1123 * irrelevant which of the mechanisms succeeded.
1124 * NO_OVERALL_INFO_REQUIREMENT means:
1125 * We strictly follow the requirements for each individual method.
1126 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1127 * After the individual tests have been executed, we must have
1128 * been able to find fresh information using at least one method.
1129 * If we were unable to find fresh info, it's a failure.
1130 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1131 * flag on all methods.
1132 */
1133#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1134#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1135
1136typedef struct {
1137 /*
1138 * The size of the array that cert_rev_flags_per_method points to,
1139 * meaning, the number of methods that are known and defined
1140 * by the caller.
1141 */
1142 PRUint32 number_of_defined_methods;
1143
1144 /*
1145 * A pointer to an array of integers.
1146 * Each integer defines revocation checking for a single method,
1147 * by having individual CERT_REV_M_* bits set or not set.
1148 * The meaning of index numbers into this array are defined by
1149 * enum CERTRevocationMethodIndex
1150 * The size of the array must be specified by the caller in the separate
1151 * variable number_of_defined_methods.
1152 * The size of the array may be smaller than
1153 * cert_revocation_method_count, it can happen if a caller
1154 * is not yet aware of the latest revocation methods
1155 * (or does not want to use them).
1156 */
1157 PRUint64 *cert_rev_flags_per_method;
1158
1159 /*
1160 * How many preferred methods are specified?
1161 * This is equivalent to the size of the array that
1162 * preferred_methods points to.
1163 * It's allowed to set this value to zero,
1164 * then NSS will decide which methods to prefer.
1165 */
1166 PRUint32 number_of_preferred_methods;
1167
1168 /* Array that may specify an optional order of preferred methods.
1169 * Each array entry shall contain a method identifier as defined
1170 * by CERTRevocationMethodIndex.
1171 * The entry at index [0] specifies the method with highest preference.
1172 * These methods will be tested first for locally available information.
1173 * Methods allowed for downloading will be attempted in the same order.
1174 */
1175 CERTRevocationMethodIndex *preferred_methods;
1176
1177 /*
1178 * An integer which defines certain aspects of revocation checking
1179 * (independent of individual methods) by having individual
1180 * CERT_REV_MI_* bits set or not set.
1181 */
1182 PRUint64 cert_rev_method_independent_flags;
1183} CERTRevocationTests;
1184
1185typedef struct {
1186 CERTRevocationTests leafTests;
1187 CERTRevocationTests chainTests;
1188} CERTRevocationFlags;
1189
1190typedef struct CERTValParamInValueStr {
1191 union {
1192 PRBool b;
1193 PRInt32 i;
1194 PRUint32 ui;
1195 PRInt64 l;
1196 PRUint64 ul;
1197 PRTime time;
1198 } scalar;
1199 union {
1200 const void *p;
1201 const char *s;
1202 const CERTCertificate *cert;
1203 const CERTCertList *chain;
1204 const CERTRevocationFlags *revocation;
1205 const CERTChainVerifyCallback *chainVerifyCallback;
1206 } pointer;
1207 union {
1208 const PRInt32 *pi;
1209 const PRUint32 *pui;
1210 const PRInt64 *pl;
1211 const PRUint64 *pul;
1212 const SECOidTag *oids;
1213 } array;
1214 int arraySize;
1215} CERTValParamInValue;
1216
1217typedef struct CERTValParamOutValueStr {
1218 union {
1219 PRBool b;
1220 PRInt32 i;
1221 PRUint32 ui;
1222 PRInt64 l;
1223 PRUint64 ul;
1224 SECCertificateUsage usages;
1225 } scalar;
1226 union {
1227 void *p;
1228 char *s;
1229 CERTVerifyLog *log;
1230 CERTCertificate *cert;
1231 CERTCertList *chain;
1232 } pointer;
1233 union {
1234 void *p;
1235 SECOidTag *oids;
1236 } array;
1237 int arraySize;
1238} CERTValParamOutValue;
1239
1240typedef struct {
1241 CERTValParamInType type;
1242 CERTValParamInValue value;
1243} CERTValInParam;
1244
1245typedef struct {
1246 CERTValParamOutType type;
1247 CERTValParamOutValue value;
1248} CERTValOutParam;
1249
1250/*
1251 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1252 */
1253typedef enum CertStrictnessLevels {
1254 CERT_N2A_READABLE = 0, /* maximum human readability */
1255 CERT_N2A_STRICT = 10, /* strict RFC compliance */
1256 CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
1257 all DirectoryStrings encoded in hex */
1258} CertStrictnessLevel;
1259
1260/*
1261 * policy flag defines
1262 */
1263#define CERT_POLICY_FLAG_NO_MAPPING 1
1264#define CERT_POLICY_FLAG_EXPLICIT 2
1265#define CERT_POLICY_FLAG_NO_ANY 4
1266
1267/*
1268 * CertStore flags
1269 */
1270#define CERT_ENABLE_LDAP_FETCH 1
1271#define CERT_ENABLE_HTTP_FETCH 2
1272
1273/* This functin pointer type may be used for any function that takes
1274 * a CERTCertificate * and returns an allocated string, which must be
1275 * freed by a call to PORT_Free.
1276 */
1277typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert);
1278
1279/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1280
1281#include "secasn1t.h" /* way down here because I expect template stuff to
1282 * move out of here anyway */
1283
1284SEC_BEGIN_PROTOS
1285
1286extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
1287extern const SEC_ASN1Template CERT_CertificateTemplate[];
1288extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
1289extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
1290extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
1291extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
1292extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
1293extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
1294extern const SEC_ASN1Template CERT_ValidityTemplate[];
1295extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
1296extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
1297
1298extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
1299extern const SEC_ASN1Template CERT_NameTemplate[];
1300extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
1301extern const SEC_ASN1Template CERT_RDNTemplate[];
1302extern const SEC_ASN1Template CERT_SignedDataTemplate[];
1303extern const SEC_ASN1Template CERT_CrlTemplate[];
1304extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
1305
1306/*
1307** XXX should the attribute stuff be centralized for all of ns/security?
1308*/
1309extern const SEC_ASN1Template CERT_AttributeTemplate[];
1310extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
1311
1312/* These functions simply return the address of the above-declared templates.
1313** This is necessary for Windows DLLs. Sigh.
1314*/
1315SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
1316SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
1317SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
1318SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
1319SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
1320SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
1321SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
1322SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
1323SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
1324SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
1325SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
1326SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
1327
1328SEC_END_PROTOS
1329
1330#endif /* _CERTT_H_ */
1331