tor-browser

certt.h (48572B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* certt.h - public data structures for the certificate library
*/
#ifndef _CERTT_H_
#define _CERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secmodt.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "nssilock.h"
#include "prio.h"
#include "prmon.h"

/* Stan data types */
struct NSSCertificateStr;
struct NSSTrustDomainStr;

/* Non-opaque objects */
typedef struct CERTAVAStr CERTAVA;
typedef struct CERTAttributeStr CERTAttribute;
typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
typedef struct NSSTrustDomainStr CERTCertDBHandle;
typedef struct CERTCertExtensionStr CERTCertExtension;
typedef struct CERTCertKeyStr CERTCertKey;
typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertListNodeStr CERTCertListNode;
typedef struct CERTCertNicknamesStr CERTCertNicknames;
typedef struct CERTCertTrustStr CERTCertTrust;
typedef struct CERTCertDistrustStr CERTCertDistrust;
typedef struct CERTCertificateStr CERTCertificate;
typedef struct CERTCertificateListStr CERTCertificateList;
typedef struct CERTCertificateRequestStr CERTCertificateRequest;
typedef struct CERTCrlStr CERTCrl;
typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
typedef struct CERTCrlEntryStr CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
typedef struct CERTCrlKeyStr CERTCrlKey;
typedef struct CERTCrlNodeStr CERTCrlNode;
typedef struct CERTDERCertsStr CERTDERCerts;
typedef struct CERTDistNamesStr CERTDistNames;
typedef struct CERTGeneralNameStr CERTGeneralName;
typedef struct CERTGeneralNameListStr CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
typedef struct CERTNameStr CERTName;
typedef struct CERTNameConstraintStr CERTNameConstraint;
typedef struct CERTNameConstraintsStr CERTNameConstraints;
typedef struct CERTOKDomainNameStr CERTOKDomainName;
typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod;
typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr CERTRDN;
typedef struct CERTSignedCrlStr CERTSignedCrl;
typedef struct CERTSignedDataStr CERTSignedData;
typedef struct CERTStatusConfigStr CERTStatusConfig;
typedef struct CERTSubjectListStr CERTSubjectList;
typedef struct CERTSubjectNodeStr CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr CERTValidity;
typedef struct CERTVerifyLogStr CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
typedef struct CRLDistributionPointStr CRLDistributionPoint;

/* CRL extensions type */
typedef unsigned long CERTCrlNumber;

/*
** An X.500 AVA object
*/
struct CERTAVAStr {
   SECItem type;
   SECItem value;
};

/*
** An X.500 RDN object
*/
struct CERTRDNStr {
   CERTAVA **avas;
};

/*
** An X.500 name object
*/
struct CERTNameStr {
   PLArenaPool *arena;
   CERTRDN **rdns;
};

/*
** An X.509 validity object
*/
struct CERTValidityStr {
   PLArenaPool *arena;
   SECItem notBefore;
   SECItem notAfter;
};

/*
* A serial number and issuer name, which is used as a database key
*/
struct CERTCertKeyStr {
   SECItem serialNumber;
   SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs.
*/
struct CERTSignedDataStr {
   SECItem data;
   SECAlgorithmID signatureAlgorithm;
   SECItem signature;
};

/*
** An X.509 subject-public-key-info object
*/
struct CERTSubjectPublicKeyInfoStr {
   PLArenaPool *arena;
   SECAlgorithmID algorithm;
   SECItem subjectPublicKey;
};

struct CERTPublicKeyAndChallengeStr {
   SECItem spki;
   SECItem challenge;
};

struct CERTCertTrustStr {
   unsigned int sslFlags;
   unsigned int emailFlags;
   unsigned int objectSigningFlags;
};

/*
* Distrust dates for specific certificate usages.
* These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
* compatible with the format of certdata.txt, other date fields in certs and
* existing functions to read these dates. Clients should check the distrust
* date in certificates to avoid trusting a CA for service they have ceased to
* support */
struct CERTCertDistrustStr {
   SECItem serverDistrustAfter;
   SECItem emailDistrustAfter;
};

/*
* defined the types of trust that exist
*/
typedef enum SECTrustTypeEnum {
   trustSSL = 0,
   trustEmail = 1,
   trustObjectSigning = 2,
   trustTypeNone = 3
} SECTrustType;

#define SEC_GET_TRUST_FLAGS(trust, type)                                  \
   (((type) == trustSSL)                                                 \
        ? ((trust)->sslFlags)                                            \
        : (((type) == trustEmail) ? ((trust)->emailFlags)                \
                                  : (((type) == trustObjectSigning)      \
                                         ? ((trust)->objectSigningFlags) \
                                         : 0)))

/*
** An X.509.3 certificate extension
*/
struct CERTCertExtensionStr {
   SECItem id;
   SECItem critical;
   SECItem value;
};

struct CERTSubjectNodeStr {
   struct CERTSubjectNodeStr *next;
   struct CERTSubjectNodeStr *prev;
   SECItem certKey;
   SECItem keyID;
};

struct CERTSubjectListStr {
   PLArenaPool *arena;
   int ncerts;
   char *emailAddr;
   CERTSubjectNode *head;
   CERTSubjectNode *tail; /* do we need tail? */
   void *entry;
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct CERTCertificateStr {
   /* the arena is used to allocate any data structures that have the same
    * lifetime as the cert.  This is all stuff that hangs off of the cert
    * structure, and is all freed at the same time.  It is used when the
    * cert is decoded, destroyed, and at some times when it changes
    * state
    */
   PLArenaPool *arena;

   /* The following fields are static after the cert has been decoded */
   char *subjectName;
   char *issuerName;
   CERTSignedData signatureWrap; /* XXX */
   SECItem derCert;              /* original DER for the cert */
   SECItem derIssuer;            /* DER for issuer name */
   SECItem derSubject;           /* DER for subject name */
   SECItem derPublicKey;         /* DER for the public key */
   SECItem certKey;              /* database key for this cert */
   SECItem version;
   SECItem serialNumber;
   SECAlgorithmID signature;
   CERTName issuer;
   CERTValidity validity;
   CERTName subject;
   CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
   SECItem issuerID;
   SECItem subjectID;
   CERTCertExtension **extensions;
   char *emailAddr;
   CERTCertDBHandle *dbhandle;
   SECItem subjectKeyID;     /* x509v3 subject key identifier */
   PRBool keyIDGenerated;    /* was the keyid generated? */
   unsigned int keyUsage;    /* what uses are allowed for this cert */
   unsigned int rawKeyUsage; /* value of the key usage extension */
   PRBool keyUsagePresent;   /* was the key usage extension present */
   PRUint32 nsCertType;      /* value of the ns cert type extension */
                             /* must be 32-bit for PR_ATOMIC_SET */

   /* these values can be set by the application to bypass certain checks
    * or to keep the cert in memory for an entire session.
    * XXX - need an api to set these
    */
   PRBool keepSession;         /* keep this cert for entire session*/
   PRBool timeOK;              /* is the bad validity time ok? */
   CERTOKDomainName *domainOK; /* these domain names are ok */

   /*
    * these values can change when the cert changes state.  These state
    * changes include transitions from temp to perm or vice-versa, and
    * changes of trust flags
    */
   PRBool isperm;
   PRBool istemp;
   char *nickname;
   char *dbnickname;
   struct NSSCertificateStr *nssCertificate; /* This is Stan stuff. */
   CERTCertTrust *trust;

   /* the reference count is modified whenever someone looks up, dups
    * or destroys a certificate
    */
   int referenceCount;

   /* The subject list is a list of all certs with the same subject name.
    * It can be modified any time a cert is added or deleted from either
    * the in-memory(temporary) or on-disk(permanent) database.
    */
   CERTSubjectList *subjectList;

   /* these belong in the static section, but are here to maintain
    * the structure's integrity
    */
   CERTAuthKeyID *authKeyID; /* x509v3 authority key identifier */
   PRBool isRoot;            /* cert is the end of a chain */

   /* these fields are used by client GUI code to keep track of ssl sockets
    * that are blocked waiting on GUI feedback related to this cert.
    * XXX - these should be moved into some sort of application specific
    *       data structure.  They are only used by the browser right now.
    */
   union {
       void *apointer; /* was struct SECSocketNode* authsocketlist */
       struct {
           unsigned int hasUnsupportedCriticalExt : 1;
           /* add any new option bits needed here */
       } bits;
   } options;
   int series; /* was int authsocketcount; record the series of the pkcs11ID */

   /* This is PKCS #11 stuff. */
   PK11SlotInfo *slot;        /*if this cert came of a token, which is it*/
   CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
   PRBool ownSlot;            /*true if the cert owns the slot reference */
   /* These fields are used in nssckbi/builtins CAs. */
   CERTCertDistrust *distrust;
};
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */

#define SEC_CRL_VERSION_1 0 /* default */
#define SEC_CRL_VERSION_2 1 /* v2 extensions */

/*
* used to identify class of cert in mime stream code
*/
#define SEC_CERT_CLASS_CA 1
#define SEC_CERT_CLASS_SERVER 2
#define SEC_CERT_CLASS_USER 3
#define SEC_CERT_CLASS_EMAIL 4

struct CERTDERCertsStr {
   PLArenaPool *arena;
   int numcerts;
   SECItem *rawCerts;
};

/*
** A PKCS ? Attribute
** XXX this is duplicated through out the code, it *should* be moved
** to a central location.  Where would be appropriate?
*/
struct CERTAttributeStr {
   SECItem attrType;
   SECItem **attrValue;
};

/*
** A PKCS#10 certificate-request object (the unsigned form)
*/
struct CERTCertificateRequestStr {
   PLArenaPool *arena;
   SECItem version;
   CERTName subject;
   CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
   CERTAttribute **attributes;
};
#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */

/*
** A certificate list object.
*/
struct CERTCertificateListStr {
   SECItem *certs;
   int len; /* number of certs */
   PLArenaPool *arena;
};

struct CERTCertListNodeStr {
   PRCList links;
   CERTCertificate *cert;
   void *appData;
};

struct CERTCertListStr {
   PRCList list;
   PLArenaPool *arena;
};

#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
#define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)

struct CERTCrlEntryStr {
   SECItem serialNumber;
   SECItem revocationDate;
   CERTCertExtension **extensions;
};

struct CERTCrlStr {
   PLArenaPool *arena;
   SECItem version;
   SECAlgorithmID signatureAlg;
   SECItem derName;
   CERTName name;
   SECItem lastUpdate;
   SECItem nextUpdate; /* optional for x.509 CRL  */
   CERTCrlEntry **entries;
   CERTCertExtension **extensions;
   /* can't add anything there for binary backwards compatibility reasons */
};

struct CERTCrlKeyStr {
   SECItem derName;
   SECItem dummy; /* The decoder can not skip a primitive,
                     this serves as a place holder for the
                     decoder to finish its task only
                  */
};

struct CERTSignedCrlStr {
   PLArenaPool *arena;
   CERTCrl crl;
   void *reserved1;
   PRBool reserved2;
   PRBool isperm;
   PRBool istemp;
   int referenceCount;
   CERTCertDBHandle *dbhandle;
   CERTSignedData signatureWrap; /* XXX */
   char *url;
   SECItem *derCrl;
   PK11SlotInfo *slot;
   CK_OBJECT_HANDLE pkcs11ID;
   void *opaque; /* do not touch */
};

struct CERTCrlHeadNodeStr {
   PLArenaPool *arena;
   CERTCertDBHandle *dbhandle;
   CERTCrlNode *first;
   CERTCrlNode *last;
};

struct CERTCrlNodeStr {
   CERTCrlNode *next;
   int type;
   CERTSignedCrl *crl;
};

/*
* Array of X.500 Distinguished Names
*/
struct CERTDistNamesStr {
   PLArenaPool *arena;
   int nnames;
   SECItem *names;
   void *head; /* private */
};

/*
* NS_CERT_TYPE defines are used in two areas:
* 1) The old NSS Cert Type Extension, which is a certificate extension in the
* actual cert. It was created before the x509 Extended Key Usage Extension,
* which has now taken over it's function. This field is only 8 bits wide
* 2) The nsCertType entry in the CERTCertificate structure. This field is
* 32 bits wide.
* Any entries in this table greater than 0x80 will not be able to be encoded
* in an NSS Cert Type Extension, but can still be represented internally in
* the nsCertType field.
*/
#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extenstion */
#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extenstion */
#define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
#define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
#define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 */
#define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)

#define NS_CERT_TYPE_APP                                                      \
   (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
    NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)

#define NS_CERT_TYPE_CA                                                \
   (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                     \
    NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
    NS_CERT_TYPE_IPSEC_CA)
typedef enum SECCertUsageEnum {
   certUsageSSLClient = 0,
   certUsageSSLServer = 1,
   certUsageSSLServerWithStepUp = 2,
   certUsageSSLCA = 3,
   certUsageEmailSigner = 4,
   certUsageEmailRecipient = 5,
   certUsageObjectSigner = 6,
   certUsageUserCertImport = 7,
   certUsageVerifyCA = 8,
   certUsageProtectedObjectSigner = 9,
   certUsageStatusResponder = 10,
   certUsageAnyCA = 11,
   certUsageIPsec = 12
} SECCertUsage;

typedef PRInt64 SECCertificateUsage;

#define certificateUsageCheckAllUsages (0x0000)
#define certificateUsageSSLClient (0x0001)
#define certificateUsageSSLServer (0x0002)
#define certificateUsageSSLServerWithStepUp (0x0004)
#define certificateUsageSSLCA (0x0008)
#define certificateUsageEmailSigner (0x0010)
#define certificateUsageEmailRecipient (0x0020)
#define certificateUsageObjectSigner (0x0040)
#define certificateUsageUserCertImport (0x0080)
#define certificateUsageVerifyCA (0x0100)
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
#define certificateUsageIPsec (0x1000)

#define certificateUsageHighest certificateUsageIPsec

/*
* Does the cert belong to the user, a peer, or a CA.
*/
typedef enum CERTCertOwnerEnum {
   certOwnerUser = 0,
   certOwnerPeer = 1,
   certOwnerCA = 2
} CERTCertOwner;

/*
* This enum represents the state of validity times of a certificate
*/
typedef enum SECCertTimeValidityEnum {
   secCertTimeValid = 0,
   secCertTimeExpired = 1,
   secCertTimeNotValidYet = 2,
   secCertTimeUndetermined = 3 /* validity could not be decoded from the
                                  cert, most likely because it was NULL */
} SECCertTimeValidity;

/*
* This is used as return status in functions that compare the validity
* periods of two certificates A and B, currently only
* CERT_CompareValidityTimes.
*/

typedef enum CERTCompareValidityStatusEnum {
   certValidityUndetermined = 0, /* the function is unable to select one cert
                                    over another */
   certValidityChooseB = 1,      /* cert B should be preferred */
   certValidityEqual = 2,        /* both certs have the same validity period */
   certValidityChooseA = 3       /* cert A should be preferred */
} CERTCompareValidityStatus;

/*
* Interface for getting certificate nickname strings out of the database
*/

/* these are values for the what argument below */
#define SEC_CERT_NICKNAMES_ALL 1
#define SEC_CERT_NICKNAMES_USER 2
#define SEC_CERT_NICKNAMES_SERVER 3
#define SEC_CERT_NICKNAMES_CA 4

struct CERTCertNicknamesStr {
   PLArenaPool *arena;
   void *head;
   int numnicknames;
   char **nicknames;
   int what;
   int totallen;
};

struct CERTIssuerAndSNStr {
   SECItem derIssuer;
   CERTName issuer;
   SECItem serialNumber;
};

/* X.509 v3 Key Usage Extension flags */
#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
#define KU_NON_REPUDIATION (0x40)   /* bit 1 */
#define KU_KEY_ENCIPHERMENT (0x20)  /* bit 2 */
#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
#define KU_KEY_AGREEMENT (0x08)     /* bit 4 */
#define KU_KEY_CERT_SIGN (0x04)     /* bit 5 */
#define KU_CRL_SIGN (0x02)          /* bit 6 */
#define KU_ENCIPHER_ONLY (0x01)     /* bit 7 */
#define KU_ALL                                                         \
   (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \
    KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN |      \
    KU_CRL_SIGN | KU_ENCIPHER_ONLY)

/* This value will not occur in certs.  It is used internally for the case
* when either digital signature or non-repudiation is the correct value.
*/
#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)

/* This value will not occur in certs.  It is used internally for the case
* when the key type is not know ahead of time and either key agreement or
* key encipherment are the correct value based on key type
*/
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)

/* internal bits that do not match bits in the x509v3 spec, but are used
* for similar purposes
*/
#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
/*
* x.509 v3 Basic Constraints Extension
* If isCA is false, the pathLenConstraint is ignored.
* Otherwise, the following pathLenConstraint values will apply:
*	< 0 - there is no limit to the certificate path
*	0   - CA can issues end-entity certificates only
*	> 0 - the number of certificates in the certificate path is
*	      limited to this number
*/
#define CERT_UNLIMITED_PATH_CONSTRAINT -2

struct CERTBasicConstraintsStr {
   PRBool isCA;           /* on if is CA */
   int pathLenConstraint; /* maximum number of certificates that can be
                             in the cert path.  Only applies to a CA
                             certificate; otherwise, it's ignored.
                           */
};

/* Maximum length of a certificate chain */
#define CERT_MAX_CERT_CHAIN 20

#define CERT_MAX_SERIAL_NUMBER_BYTES 20 /* from RFC 3280 */
#define CERT_MAX_DN_BYTES 4096          /* arbitrary */

/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
#define RF_UNUSED (0x80)                 /* bit 0 */
#define RF_KEY_COMPROMISE (0x40)         /* bit 1 */
#define RF_CA_COMPROMISE (0x20)          /* bit 2 */
#define RF_AFFILIATION_CHANGED (0x10)    /* bit 3 */
#define RF_SUPERSEDED (0x08)             /* bit 4 */
#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
#define RF_CERTIFICATE_HOLD (0x02)       /* bit 6 */

/* enum for CRL Entry Reason Code */
typedef enum CERTCRLEntryReasonCodeEnum {
   crlEntryReasonUnspecified = 0,
   crlEntryReasonKeyCompromise = 1,
   crlEntryReasonCaCompromise = 2,
   crlEntryReasonAffiliationChanged = 3,
   crlEntryReasonSuperseded = 4,
   crlEntryReasonCessationOfOperation = 5,
   crlEntryReasoncertificatedHold = 6,
   crlEntryReasonRemoveFromCRL = 8,
   crlEntryReasonPrivilegeWithdrawn = 9,
   crlEntryReasonAaCompromise = 10
} CERTCRLEntryReasonCode;

/* If we needed to extract the general name field, use this */
/* General Name types */
typedef enum CERTGeneralNameTypeEnum {
   certOtherName = 1,
   certRFC822Name = 2,
   certDNSName = 3,
   certX400Address = 4,
   certDirectoryName = 5,
   certEDIPartyName = 6,
   certURI = 7,
   certIPAddress = 8,
   certRegisterID = 9
} CERTGeneralNameType;

typedef struct OtherNameStr {
   SECItem name;
   SECItem oid;
} OtherName;

struct CERTGeneralNameStr {
   CERTGeneralNameType type; /* name type */
   union {
       CERTName directoryName; /* distinguish name */
       OtherName OthName;      /* Other Name */
       SECItem other;          /* the rest of the name forms */
   } name;
   SECItem derDirectoryName; /* this is saved to simplify directory name
                                comparison */
   PRCList l;
};

struct CERTGeneralNameListStr {
   PLArenaPool *arena;
   CERTGeneralName *name;
   int refCount;
   int len;
   PZLock *lock;
};

struct CERTNameConstraintStr {
   CERTGeneralName name;
   SECItem DERName;
   SECItem min;
   SECItem max;
   PRCList l;
};

struct CERTNameConstraintsStr {
   CERTNameConstraint *permited;
   CERTNameConstraint *excluded;
   SECItem **DERPermited;
   SECItem **DERExcluded;
};

/* Private Key Usage Period extension struct. */
struct CERTPrivKeyUsagePeriodStr {
   SECItem notBefore;
   SECItem notAfter;
   PLArenaPool *arena;
};

/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
  issuer field, we only support URI now.
*/
struct CERTAuthKeyIDStr {
   SECItem keyID;                   /* unique key identifier */
   CERTGeneralName *authCertIssuer; /* CA's issuer name.  End with a NULL */
   SECItem authCertSerialNumber;    /* CA's certificate serial number */
   SECItem **DERAuthCertIssuer;     /* This holds the DER encoded format of
                                       the authCertIssuer field. It is used
                                       by the encoding engine. It should be
                                       used as a read only field by the caller.
                                    */
};

/* x.509 v3 CRL Distributeion Point */

/*
* defined the types of CRL Distribution points
*/
typedef enum DistributionPointTypesEnum {
   generalName = 1, /* only support this for now */
   relativeDistinguishedName = 2
} DistributionPointTypes;

struct CRLDistributionPointStr {
   DistributionPointTypes distPointType;
   union {
       CERTGeneralName *fullName;
       CERTRDN relativeName;
   } distPoint;
   SECItem reasons;
   CERTGeneralName *crlIssuer;

   /* Reserved for internal use only*/
   SECItem derDistPoint;
   SECItem derRelativeName;
   SECItem **derCrlIssuer;
   SECItem **derFullName;
   SECItem bitsmap;
};

struct CERTCrlDistributionPointsStr {
   CRLDistributionPoint **distPoints;
};

/*
* This structure is used to keep a log of errors when verifying
* a cert chain.  This allows multiple errors to be reported all at
* once.
*/
struct CERTVerifyLogNodeStr {
   CERTCertificate *cert;             /* what cert had the error */
   long error;                        /* what error was it? */
   unsigned int depth;                /* how far up the chain are we */
   void *arg;                         /* error specific argument */
   struct CERTVerifyLogNodeStr *next; /* next in the list */
   struct CERTVerifyLogNodeStr *prev; /* next in the list */
};

struct CERTVerifyLogStr {
   PLArenaPool *arena;
   unsigned int count;
   struct CERTVerifyLogNodeStr *head;
   struct CERTVerifyLogNodeStr *tail;
};

struct CERTOKDomainNameStr {
   CERTOKDomainName *next;
   char *name;
};

typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle,
                                                 CERTCertificate *cert,
                                                 PRTime time, void *pwArg);

typedef SECStatus(PR_CALLBACK *CERTStatusDestroy)(CERTStatusConfig *handle);

struct CERTStatusConfigStr {
   CERTStatusChecker statusChecker; /* NULL means no checking enabled */
   CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
   void *statusContext;             /* cx specific to checking protocol */
};

struct CERTAuthInfoAccessStr {
   SECItem method;
   SECItem derLocation;
   CERTGeneralName *location; /* decoded location */
};

/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number */
typedef char *(*CERTDBNameFunc)(void *arg, int dbVersion);

/*
* types of cert packages that we can decode
*/
typedef enum CERTPackageTypeEnum {
   certPackageNone = 0,
   certPackageCert = 1,
   certPackagePKCS7 = 2,
   certPackageNSCertSeq = 3,
   certPackageNSCertWrap = 4
} CERTPackageType;

/*
* these types are for the PKIX Certificate Policies extension
*/
typedef struct {
   SECOidTag oid;
   SECItem qualifierID;
   SECItem qualifierValue;
} CERTPolicyQualifier;

typedef struct {
   SECOidTag oid;
   SECItem policyID;
   CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;

typedef struct {
   PLArenaPool *arena;
   CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;

typedef struct {
   SECItem organization;
   SECItem **noticeNumbers;
} CERTNoticeReference;

typedef struct {
   PLArenaPool *arena;
   CERTNoticeReference noticeReference;
   SECItem derNoticeReference;
   SECItem displayText;
} CERTUserNotice;

typedef struct {
   PLArenaPool *arena;
   SECItem **oids;
} CERTOidSequence;

/*
* these types are for the PKIX Policy Mappings extension
*/
typedef struct {
   SECItem issuerDomainPolicy;
   SECItem subjectDomainPolicy;
} CERTPolicyMap;

typedef struct {
   PLArenaPool *arena;
   CERTPolicyMap **policyMaps;
} CERTCertificatePolicyMappings;

/*
* these types are for the PKIX inhibitAnyPolicy extension
*/
typedef struct {
   SECItem inhibitAnySkipCerts;
} CERTCertificateInhibitAny;

/*
* these types are for the PKIX Policy Constraints extension
*/
typedef struct {
   SECItem explicitPolicySkipCerts;
   SECItem inhibitMappingSkipCerts;
} CERTCertificatePolicyConstraints;

/*
* These types are for the validate chain callback param.
*
* CERTChainVerifyCallback is an application-supplied callback that can be used
* to augment libpkix's certificate chain validation with additional
* application-specific checks. It may be called multiple times if there are
* multiple potentially-valid paths for the certificate being validated. This
* callback is called before revocation checking is done on the certificates in
* the given chain.
*
* - isValidChainArg contains the application-provided opaque argument
* - currentChain is the currently validated chain. It is ordered with the leaf
*   certificate at the head and the trust anchor at the tail.
*
* The callback should set *chainOK = PR_TRUE and return SECSuccess if the
* certificate chain is acceptable. It should set *chainOK = PR_FALSE and
* return SECSuccess if the chain is unacceptable, to indicate that the given
* chain is bad and path building should continue. It should return SECFailure
* to indicate an fatal error that will cause path validation to fail
* immediately.
*/
typedef SECStatus (*CERTChainVerifyCallbackFunc)(
   void *isChainValidArg, const CERTCertList *currentChain, PRBool *chainOK);

/*
* Note: If extending this structure, it will be necessary to change the
* associated CERTValParamInType
*/
typedef struct {
   CERTChainVerifyCallbackFunc isChainValid;
   void *isChainValidArg;
} CERTChainVerifyCallback;

/*
* these types are for the CERT_PKIX* Verification functions
* These are all optional parameters.
*/

typedef enum {
   cert_pi_end = 0,              /* SPECIAL: signifies end of array of
                                  * CERTValParam* */
   cert_pi_nbioContext = 1,      /* specify a non-blocking IO context used to
                                  * resume a session. If this argument is
                                  * specified, no other arguments should be.
                                  * Specified in value.pointer.p. If the
                                  * operation completes the context will be
                                  * freed. */
   cert_pi_nbioAbort = 2,        /* specify a non-blocking IO context for an
                                  * existing operation which the caller wants
                                  * to abort. If this argument is
                                  * specified, no other arguments should be.
                                  * Specified in value.pointer.p. If the
                                  * operation succeeds the context will be
                                  * freed. */
   cert_pi_certList = 3,         /* specify the chain to validate against. If
                                  * this value is given, then the path
                                  * construction step in the validation is
                                  * skipped. Specified in value.pointer.chain */
   cert_pi_policyOID = 4,        /* validate certificate for policy OID.
                                  * Specified in value.array.oids. Cert must
                                  * be good for at least one OID in order
                                  * to validate. Default is that the user is not
                                  * concerned about certificate policy. */
   cert_pi_policyFlags = 5,      /* flags for each policy specified in policyOID.
                                  * Specified in value.scalar.ul. Policy flags
                                  * apply to all specified oids.
                                  * Use CERT_POLICY_FLAG_* macros below. If not
                                  * specified policy flags default to 0 */
   cert_pi_keyusage = 6,         /* specify what the keyusages the certificate
                                  * will be evaluated against, specified in
                                  * value.scalar.ui. The cert must validate for
                                  * at least one of the specified key usages.
                                  * Values match the KU_  bit flags defined
                                  * in this file. Default is derived from
                                  * the 'usages' function argument */
   cert_pi_extendedKeyusage = 7, /* specify what the required extended key
                                  * usage of the certificate. Specified as
                                  * an array of oidTags in value.array.oids.
                                  * The cert must validate for at least one
                                  * of the specified extended key usages.
                                  * If not specified, no extended key usages
                                  * will be checked. */
   cert_pi_date = 8,             /* validate certificate is valid as of date
                                  * specified in value.scalar.time. A special
                                  * value '0' indicates 'now'. default is '0' */
   cert_pi_revocationFlags = 9,  /* Specify what revocation checking to do.
                                  * See CERT_REV_FLAG_* macros below
                                  * Set in value.pointer.revocation */
   cert_pi_certStores = 10,      /* Bitmask of Cert Store flags (see below)
                                  * Set in value.scalar.ui */
   cert_pi_trustAnchors =
       11,                       /* Specify the list of trusted roots to
                                  * validate against.
                                  * The default set of trusted roots, these are
                                  * root CA certs from libnssckbi.so or CA
                                  * certs trusted by user, are used in any of
                                  * the following cases:
                                  *      * when the parameter is not set.
                                  *      * when the list of trust anchors is
                                  *        empty.
                                  * Note that this handling can be further
                                  * altered by altering the
                                  * cert_pi_useOnlyTrustAnchors flag
                                  * Specified in value.pointer.chain */
   cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
                                  * In NSS 3.12.1 or later. Default is off.
                                  * Value is in value.scalar.b */
   cert_pi_chainVerifyCallback = 13,
   /* The callback container for doing extra
    * validation on the currently calculated chain.
    * Value is in value.pointer.chainVerifyCallback */
   cert_pi_useOnlyTrustAnchors = 14,
   /* If true, disables trusting any
    * certificates other than the ones passed in via cert_pi_trustAnchors.
    * If false, then the certificates specified via cert_pi_trustAnchors
    * will be combined with the pre-existing trusted roots, but only
    * for the certificate validation being performed.
    * If no value has been supplied via cert_pi_trustAnchors, this has
    * no effect.
    * The default value is true, meaning if this is not supplied, only
    * trust anchors supplied via cert_pi_trustAnchors are trusted.
    * Specified in value.scalar.b */
   cert_pi_max /* SPECIAL: signifies maximum allowed value,
                *  can increase in future releases */
} CERTValParamInType;

/*
* for all out parameters:
*  out parameters are only returned if the caller asks for them in
*  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
*  array itself. The pkix verify function will allocate and other arrays
*  pointers, or objects. The Caller is responsible for freeing those results.
* If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
*/
typedef enum {
   cert_po_end = 0,              /* SPECIAL: signifies end of array of
                                  * CERTValParam* */
   cert_po_nbioContext = 1,      /* Return a nonblocking context. If no
                                  * non-blocking context is specified, then
                                  * blocking IO will be used.
                                  * Returned in value.pointer.p. The context is
                                  * freed after an abort or a complete operation.
                                  * This value is only returned on SECWouldBlock.
                                  */
   cert_po_trustAnchor = 2,      /* Return the trust anchor for the chain that
                                  * was validated. Returned in
                                  * value.pointer.cert, this value is only
                                  * returned on SECSuccess. */
   cert_po_certList = 3,         /* Return the entire chain that was validated.
                                  * Returned in value.pointer.certList. If no
                                  * chain could be constructed, this value
                                  * would be NULL. */
   cert_po_policyOID = 4,        /* Return the policies that were found to be
                                  * valid. Returned in value.array.oids as an
                                  * array. This is only returned on
                                  * SECSuccess. */
   cert_po_errorLog = 5,         /* Return a log of problems with the chain.
                                  * Returned in value.pointer.log  */
   cert_po_usages = 6,           /* Return what usages the certificate is valid
                                    for. Returned in value.scalar.usages */
   cert_po_keyUsage = 7,         /* Return what key usages the certificate
                                  * is valid for.
                                  * Returned in value.scalar.usage */
   cert_po_extendedKeyusage = 8, /* Return what extended key usages the
                                  * certificate is valid for.
                                  * Returned in value.array.oids */
   cert_po_max                   /* SPECIAL: signifies maximum allowed value,
                                  *  can increase in future releases */

} CERTValParamOutType;

typedef enum {
   cert_revocation_method_crl = 0,
   cert_revocation_method_ocsp,
   cert_revocation_method_count
} CERTRevocationMethodIndex;

/*
* The following flags are supposed to be used to control bits in
* each integer contained in the array pointed to be:
*     CERTRevocationTests.cert_rev_flags_per_method
* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
* this is a method dependent flag.
*/

/*
* Whether or not to use a method for revocation testing.
* If set to "do not test", then all other flags are ignored.
*/
#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
#define CERT_REV_M_TEST_USING_THIS_METHOD 1UL

/*
* Whether or not NSS is allowed to attempt to fetch fresh information
*         from the network.
* (Although fetching will never happen if fresh information for the
*           method is already locally available.)
*/
#define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
#define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL

/*
* Example for an implicit default source:
*         The globally configured default OCSP responder.
* IGNORE means:
*        ignore the implicit default source, whether it's configured or not.
* ALLOW means:
*       if an implicit default source is configured,
*          then it overrides any available or missing source in the cert.
*       if no implicit default source is configured,
*          then we continue to use what's available (or not available)
*          in the certs.
*/
#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL

/*
* Defines the behavior if no fresh information is available,
*   fetching from the network is allowed, but the source of revocation
*   information is unknown (even after considering implicit sources,
*   if allowed by other flags).
* SKIPT_TEST means:
*          We ignore that no fresh information is available and
*          skip this test.
* REQUIRE_INFO means:
*          We still require that fresh information is available.
*          Other flags define what happens on missing fresh info.
*/
#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL

/*
* Defines the behavior if we are unable to obtain fresh information.
* INGORE means:
*      Return "cert status unknown"
* FAIL means:
*      Return "cert revoked".
*/
#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL

/*
* What should happen if we were able to find fresh information using
* this method, and the data indicated the cert is good?
* STOP_TESTING means:
*              Our success is sufficient, do not continue testing
*              other methods.
* CONTINUE_TESTING means:
*                  We will continue and test the next allowed
*                  specified method.
*/
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL

/* When this flag is used, libpkix will never attempt to use the GET HTTP
* method for OCSP requests; it will always use POST.
*/
#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL

/*
* The following flags are supposed to be used to control bits in
*     CERTRevocationTests.cert_rev_method_independent_flags
* All Flags are prefixed by CERT_REV_M_, where _M_ indicates
* this is a method independent flag.
*/

/*
* This defines the order to checking.
* EACH_METHOD_SEPARATELY means:
*      Do all tests related to a particular allowed method
*      (both local information and network fetching) in a single step.
*      Only after testing for a particular method is done,
*      then switching to the next method will happen.
* ALL_LOCAL_INFORMATION_FIRST means:
*      Start by testing the information for all allowed methods
*      which are already locally available. Only after that is done
*      consider to fetch from the network (as allowed by other flags).
*/
#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL

/*
* Use this flag to specify that it's necessary that fresh information
* is available for at least one of the allowed methods, but it's
* irrelevant which of the mechanisms succeeded.
* NO_OVERALL_INFO_REQUIREMENT means:
*     We strictly follow the requirements for each individual method.
* REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
*     After the individual tests have been executed, we must have
*     been able to find fresh information using at least one method.
*     If we were unable to find fresh info, it's a failure.
*     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
*     flag on all methods.
*/
#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL

typedef struct {
   /*
    * The size of the array that cert_rev_flags_per_method points to,
    * meaning, the number of methods that are known and defined
    * by the caller.
    */
   PRUint32 number_of_defined_methods;

   /*
    * A pointer to an array of integers.
    * Each integer defines revocation checking for a single method,
    *      by having individual CERT_REV_M_* bits set or not set.
    * The meaning of index numbers into this array are defined by
    *     enum CERTRevocationMethodIndex
    * The size of the array must be specified by the caller in the separate
    *     variable number_of_defined_methods.
    * The size of the array may be smaller than
    *     cert_revocation_method_count, it can happen if a caller
    *     is not yet aware of the latest revocation methods
    *     (or does not want to use them).
    */
   PRUint64 *cert_rev_flags_per_method;

   /*
    * How many preferred methods are specified?
    * This is equivalent to the size of the array that
    *      preferred_methods points to.
    * It's allowed to set this value to zero,
    *      then NSS will decide which methods to prefer.
    */
   PRUint32 number_of_preferred_methods;

   /* Array that may specify an optional order of preferred methods.
    * Each array entry shall contain a method identifier as defined
    *   by CERTRevocationMethodIndex.
    * The entry at index [0] specifies the method with highest preference.
    * These methods will be tested first for locally available information.
    * Methods allowed for downloading will be attempted in the same order.
    */
   CERTRevocationMethodIndex *preferred_methods;

   /*
    * An integer which defines certain aspects of revocation checking
    * (independent of individual methods) by having individual
    * CERT_REV_MI_* bits set or not set.
    */
   PRUint64 cert_rev_method_independent_flags;
} CERTRevocationTests;

typedef struct {
   CERTRevocationTests leafTests;
   CERTRevocationTests chainTests;
} CERTRevocationFlags;

typedef struct CERTValParamInValueStr {
   union {
       PRBool b;
       PRInt32 i;
       PRUint32 ui;
       PRInt64 l;
       PRUint64 ul;
       PRTime time;
   } scalar;
   union {
       const void *p;
       const char *s;
       const CERTCertificate *cert;
       const CERTCertList *chain;
       const CERTRevocationFlags *revocation;
       const CERTChainVerifyCallback *chainVerifyCallback;
   } pointer;
   union {
       const PRInt32 *pi;
       const PRUint32 *pui;
       const PRInt64 *pl;
       const PRUint64 *pul;
       const SECOidTag *oids;
   } array;
   int arraySize;
} CERTValParamInValue;

typedef struct CERTValParamOutValueStr {
   union {
       PRBool b;
       PRInt32 i;
       PRUint32 ui;
       PRInt64 l;
       PRUint64 ul;
       SECCertificateUsage usages;
   } scalar;
   union {
       void *p;
       char *s;
       CERTVerifyLog *log;
       CERTCertificate *cert;
       CERTCertList *chain;
   } pointer;
   union {
       void *p;
       SECOidTag *oids;
   } array;
   int arraySize;
} CERTValParamOutValue;

typedef struct {
   CERTValParamInType type;
   CERTValParamInValue value;
} CERTValInParam;

typedef struct {
   CERTValParamOutType type;
   CERTValParamOutValue value;
} CERTValOutParam;

/*
* Levels of standards conformance strictness for CERT_NameToAsciiInvertible
*/
typedef enum CertStrictnessLevels {
   CERT_N2A_READABLE = 0,   /* maximum human readability */
   CERT_N2A_STRICT = 10,    /* strict RFC compliance    */
   CERT_N2A_INVERTIBLE = 20 /* maximum invertibility,
                               all DirectoryStrings encoded in hex */
} CertStrictnessLevel;

/*
* policy flag defines
*/
#define CERT_POLICY_FLAG_NO_MAPPING 1
#define CERT_POLICY_FLAG_EXPLICIT 2
#define CERT_POLICY_FLAG_NO_ANY 4

/*
* CertStore flags
*/
#define CERT_ENABLE_LDAP_FETCH 1
#define CERT_ENABLE_HTTP_FETCH 2

/* This functin pointer type may be used for any function that takes
* a CERTCertificate * and returns an allocated string, which must be
* freed by a call to PORT_Free.
*/
typedef char *(*CERT_StringFromCertFcn)(CERTCertificate *cert);

/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h" /* way down here because I expect template stuff to
                      * move out of here anyway */

SEC_BEGIN_PROTOS

extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];

extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];

/*
** XXX should the attribute stuff be centralized for all of ns/security?
*/
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];

/* These functions simply return the address of the above-declared templates.
** This is necessary for Windows DLLs.  Sigh.
*/
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)

SEC_END_PROTOS

#endif /* _CERTT_H_ */