tor-browser

pkix_certsel.h (69090B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* This file defines functions associated with the PKIX_CertSelector and the
* PKIX_ComCertSelParams types.
*
*/

#ifndef _PKIX_CERTSEL_H
#define _PKIX_CERTSEL_H

#include "pkixt.h"

#ifdef __cplusplus
extern "C" {
#endif

/* General
*
* Please refer to the libpkix Programmer's Guide for detailed information
* about how to use the libpkix library. Certain key warnings and notices from
* that document are repeated here for emphasis.
*
* All identifiers in this file (and all public identifiers defined in
* libpkix) begin with "PKIX_". Private identifiers only intended for use
* within the library begin with "pkix_".
*
* A function returns NULL upon success, and a PKIX_Error pointer upon failure.
*
* Unless otherwise noted, for all accessor (gettor) functions that return a
* PKIX_PL_Object pointer, callers should assume that this pointer refers to a
* shared object. Therefore, the caller should treat this shared object as
* read-only and should not modify this shared object. When done using the
* shared object, the caller should release the reference to the object by
* using the PKIX_PL_Object_DecRef function.
*
* While a function is executing, if its arguments (or anything referred to by
* its arguments) are modified, free'd, or destroyed, the function's behavior
* is undefined.
*
*/

/* PKIX_CertSelector
*
* PKIX_CertSelectors provide a standard way for the caller to select
* certificates based on particular criteria. A CertSelector is typically used
* by the caller to specify the constraints they wish to impose on the target
* certificate in a chain. (see pkix_params.h) A CertSelector is also often
* used to retrieve certificates from a CertStore that match the selector's
* criteria. (See pkix_certstore.h) For example, the caller may wish to only
* select those certificates that have a particular Subject Distinguished Name
* and a particular value for a private certificate extension. The
* MatchCallback allows the caller to specify the custom matching logic to be
* used by a CertSelector.
*
* By default, the MatchCallback is set to point to the default implementation
* provided by libpkix, which understands how to process the most common
* parameters. If the default implementation is used, the caller should set
* these common parameters using PKIX_CertSelector_SetCommonCertSelectorParams.
* Any common parameter that is not set is assumed to be disabled, which means
* the default MatchCallback implementation will select all certificates
* without regard to that particular disabled parameter. For example, if the
* SerialNumber parameter is not set, MatchCallback will not filter out any
* certificate based on its serial number. As such, if no parameters are set,
* all are disabled and any certificate will match. If a parameter is
* disabled, its associated PKIX_ComCertSelParams_Get* function returns a
* default value of NULL, or -1 for PKIX_ComCertSelParams_GetBasicConstraints
* and PKIX_ComCertSelParams_GetVersion, or 0 for
* PKIX_ComCertSelParams_GetKeyUsage.
*
* If a custom implementation is desired, the default implementation can be
* overridden by calling PKIX_CertSelector_SetMatchCallback. In this case, the
* CertSelector can be initialized with a certSelectorContext, which is where
* the caller can specify the desired parameters the caller wishes to match
* against. Note that this certSelectorContext must be an Object (although any
* object type), allowing it to be reference-counted and allowing it to
* provide the standard Object functions (Equals, Hashcode, ToString, Compare,
* Duplicate).
*
*/

/*
* FUNCTION: PKIX_CertSelector_MatchCallback
* DESCRIPTION:
*
*  This callback function determines whether the specified Cert pointed to by
*  "cert" matches the criteria of the CertSelector pointed to by "selector".
*  If the Cert does not matches the CertSelector's criteria, an exception will
*  be thrown.
*
* PARAMETERS:
*  "selector"
*      Address of CertSelector whose MatchCallback logic and parameters are
*      to be used. Must be non-NULL.
*  "cert"
*      Address of Cert that is to be matched using "selector".
*      Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe
*
*  Multiple threads must be able to safely call this function without
*  worrying about conflicts, even if they're operating on the same object.
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
typedef PKIX_Error *
(*PKIX_CertSelector_MatchCallback)(
       PKIX_CertSelector *selector,
       PKIX_PL_Cert *cert,
       void *plContext);

/*
* FUNCTION: PKIX_CertSelector_Create
* DESCRIPTION:
*
*  Creates a new CertSelector using the Object pointed to by
*  "certSelectorContext" (if any) and stores it at "pSelector". As noted
*  above, by default, the MatchCallback is set to point to the default
*  implementation provided by libpkix, which understands how to process
*  ComCertSelParams objects. This is overridden if the MatchCallback pointed
*  to by "callback" is not NULL, in which case the parameters are specified
*  using the certSelectorContext.
*
* PARAMETERS:
*  "callback"
*      The MatchCallback function to be used.
*  "certSelectorContext"
*      Address of Object representing the CertSelector's context (if any).
*  "pSelector"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_CertSelector_Create(
       PKIX_CertSelector_MatchCallback callback,
       PKIX_PL_Object *certSelectorContext,
       PKIX_CertSelector **pSelector,
       void *plContext);

/*
* FUNCTION: PKIX_CertSelector_GetMatchCallback
* DESCRIPTION:
*
*  Retrieves a pointer to "selector's" Match callback function and puts it in
*  "pCallback".
*
* PARAMETERS:
*  "selector"
*      The CertSelector whose Match callback is desired. Must be non-NULL.
*  "pCallback"
*      Address where Match callback function pointer will be stored.
*      Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_CertSelector_GetMatchCallback(
       PKIX_CertSelector *selector,
       PKIX_CertSelector_MatchCallback *pCallback,
       void *plContext);

/*
* FUNCTION: PKIX_CertSelector_GetCertSelectorContext
* DESCRIPTION:
*
*  Retrieves a pointer to a PKIX_PL_Object representing the context (if any)
*  of the CertSelector pointed to by "selector" and stores it at
*  "pCertSelectorContext".
*
* PARAMETERS:
*  "selector"
*      Address of CertSelector whose context is to be stored.
*      Must be non-NULL.
*  "pCertSelectorContext"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_CertSelector_GetCertSelectorContext(
       PKIX_CertSelector *selector,
       PKIX_PL_Object **pCertSelectorContext,
       void *plContext);

/*
* FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
* DESCRIPTION:
*
*  Retrieves a pointer to the ComCertSelParams object that represent the
*  common parameters of the CertSelector pointed to by "selector" and stores
*  it at "pCommonCertSelectorParams". If there are no common parameters
*  stored with the CertSelector, this function stores NULL at
*  "pCommonCertSelectorParams".
*
* PARAMETERS:
*  "selector"
*      Address of CertSelector whose ComCertSelParams object is to be stored.
*      Must be non-NULL.
*  "pCommonCertSelectorParams"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_CertSelector_GetCommonCertSelectorParams(
       PKIX_CertSelector *selector,
       PKIX_ComCertSelParams **pCommonCertSelectorParams,
       void *plContext);

/*
* FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
* DESCRIPTION:
*
*  Sets the common parameters for the CertSelector pointed to by "selector"
*  using the ComCertSelParams object pointed to by "commonCertSelectorParams".
*
* PARAMETERS:
*  "selector"
*      Address of CertSelector whose common parameters are to be set.
*      Must be non-NULL.
*  "commonCertSelectorParams"
*      Address of ComCertSelParams object representing the common parameters.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "selector"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_CertSelector_SetCommonCertSelectorParams(
       PKIX_CertSelector *selector,
       PKIX_ComCertSelParams *commonCertSelectorParams,
       void *plContext);

/* PKIX_ComCertSelParams
*
* PKIX_ComCertSelParams objects are X.509 parameters commonly used with
* CertSelectors, especially when enforcing constraints on a target
* certificate or determining which certificates to retrieve from a CertStore.
* ComCertSelParams objects are typically used with those CertSelectors that
* use the default implementation of MatchCallback, which understands how to
* process ComCertSelParams objects.
*/

/*
* FUNCTION: PKIX_ComCertSelParams_Create
* DESCRIPTION:
*
*  Creates a new ComCertSelParams object and stores it at "pParams".
*
* PARAMETERS:
*  "pParams"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_Create(
       PKIX_ComCertSelParams **pParams,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames
* DESCRIPTION:
*
*  Retrieves a pointer to the List of GeneralNames (if any) representing the
*  subject alternative names criterion that is set in the ComCertSelParams
*  object pointed to by "params" and stores it at "pNames". In order to match
*  against this criterion, a certificate must contain all or at least one of
*  the criterion's subject alternative names (depending on the result of
*  PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default behavior
*  requires a certificate to contain all of the criterion's subject
*  alternative names in order to match.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pNames", in which case all certificates are considered to match this
*  criterion.
*
*  Note that the List returned by this function is immutable.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject alternative names
*      criterion (if any) is to be stored. Must be non-NULL.
*  "pNames"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubjAltNames(
       PKIX_ComCertSelParams *params,
       PKIX_List **pNames, /* list of PKIX_PL_GeneralName */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames
* DESCRIPTION:
*
*  Sets the subject alternative names criterion of the ComCertSelParams object
*  pointed to by "params" using a List of GeneralNames pointed to by "names".
*  In order to match against this criterion, a certificate must contain all or
*  at least one of the criterion's subject alternative names (depending on the
*  result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default
*  behavior requires a certificate to contain all of the criterion's subject
*  alternative names in order to match.
*
*  If "names" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject alternative
*      names criterion is to be set. Must be non-NULL.
*  "names"
*      Address of List of GeneralNames used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjAltNames(
       PKIX_ComCertSelParams *params,
       PKIX_List *names,  /* list of PKIX_PL_GeneralName */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_AddSubjAltName
* DESCRIPTION:
*
*  Adds to the subject alternative names criterion of the ComCertSelParams
*  object pointed to by "params" using the GeneralName pointed to by "name".
*  In order to match against this criterion, a certificate must contain all
*  or at least one of the criterion's subject alternative names (depending on
*  the result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default
*  behavior requires a certificate to contain all of the criterion's subject
*  alternative names in order to match.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject alternative names
*      criterion is to be added to. Must be non-NULL.
*  "name"
*      Address of GeneralName to be added.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_AddSubjAltName(
       PKIX_ComCertSelParams *params,
       PKIX_PL_GeneralName *name,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetPathToNames
* DESCRIPTION:
*
*  Retrieves a pointer to the List of GeneralNames (if any) representing the
*  path to names criterion that is set in the ComCertSelParams object pointed
*  to by "params" and stores it at "pNames". In order to match against this
*  criterion, a certificate must not include name constraints that would
*  prohibit building a path to the criterion's specified names.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pNames", in which case all certificates are considered to match this
*  criterion.
*
*  Note that the List returned by this function is immutable.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose path to names criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pNames"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetPathToNames(
       PKIX_ComCertSelParams *params,
       PKIX_List **pNames,  /* list of PKIX_PL_GeneralName */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetPathToNames
* DESCRIPTION:
*
*  Sets the path to names criterion of the ComCertSelParams object pointed to
*  by "params" using a List of GeneralNames pointed to by "names". In order to
*  match against this criterion, a certificate must not include name
*  constraints that would prohibit building a path to the criterion's
*  specified names.
*
*  If "names" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose path to names criterion
*      is to be set. Must be non-NULL.
*  "names"
*      Address of List of GeneralNames used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetPathToNames(
       PKIX_ComCertSelParams *params,
       PKIX_List *names,    /* list of PKIX_PL_GeneralName */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_AddPathToName
* DESCRIPTION:
*
*  Adds to the path to names criterion of the ComCertSelParams object pointed
*  to by "params" using the GeneralName pointed to by "pathToName". In order
*  to match against this criterion, a certificate must not include name
*  constraints that would prohibit building a path to the criterion's
*  specified names.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose path to names criterion is to
*      be added to. Must be non-NULL.
*  "pathToName"
*      Address of GeneralName to be added.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_AddPathToName(
       PKIX_ComCertSelParams *params,
       PKIX_PL_GeneralName *pathToName,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
* DESCRIPTION:
*
*  Retrieves a pointer to the ByteArray (if any) representing the authority
*  key identifier criterion that is set in the ComCertSelParams object
*  pointed to by "params" and stores it at "pAuthKeyId". In order to match
*  against this criterion, a certificate must contain an
*  AuthorityKeyIdentifier extension whose value matches the criterion's
*  authority key identifier value.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pAuthKeyId", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose authority key identifier
*      criterion (if any) is to be stored. Must be non-NULL.
*  "pAuthKeyId"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetAuthorityKeyIdentifier(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray **pAuthKeyId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
* DESCRIPTION:
*
*  Sets the authority key identifier criterion of the ComCertSelParams object
*  pointed to by "params" to the ByteArray pointed to by "authKeyId". In
*  order to match against this criterion, a certificate must contain an
*  AuthorityKeyIdentifier extension whose value matches the criterion's
*  authority key identifier value.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose authority key identifier
*      criterion is to be set. Must be non-NULL.
*  "authKeyId"
*      Address of ByteArray used to set the criterion
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray *authKeyId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier
* DESCRIPTION:
*
*  Retrieves a pointer to the ByteArray (if any) representing the subject key
*  identifier criterion that is set in the ComCertSelParams object pointed to
*  by "params" and stores it at "pSubjKeyId". In order to match against this
*  criterion, a certificate must contain a SubjectKeyIdentifier extension
*  whose value matches the criterion's subject key identifier value.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pSubjKeyId", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject key identifier
*      criterion (if any) is to be stored. Must be non-NULL.
*  "pSubjKeyId"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubjKeyIdentifier(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray **pSubjKeyId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier
* DESCRIPTION:
*
*  Sets the subject key identifier criterion of the ComCertSelParams object
*  pointed to by "params" using a ByteArray pointed to by "subjKeyId". In
*  order to match against this criterion, a certificate must contain an
*  SubjectKeyIdentifier extension whose value matches the criterion's subject
*  key identifier value.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject key identifier
*      criterion is to be set. Must be non-NULL.
*  "subjKeyId"
*      Address of ByteArray used to set the criterion
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjKeyIdentifier(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray *subKeyId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey
* DESCRIPTION:
*
*  Retrieves a pointer to the PublicKey (if any) representing the subject
*  public key criterion that is set in the ComCertSelParams object pointed to
*  by "params" and stores it at "pPubKey". In order to match against this
*  criterion, a certificate must contain a SubjectPublicKey that matches the
*  criterion's public key.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pPubKey", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject public key criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pPubKey"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubjPubKey(
       PKIX_ComCertSelParams *params,
       PKIX_PL_PublicKey **pPubKey,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey
* DESCRIPTION:
*
*  Sets the subject public key criterion of the ComCertSelParams object
*  pointed to by "params" using a PublicKey pointed to by "pubKey". In order
*  to match against this criterion, a certificate must contain a
*  SubjectPublicKey that matches the criterion's public key.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject public key
*      criterion is to be set. Must be non-NULL.
*  "pubKey"
*      Address of PublicKey used to set the criterion
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjPubKey(
       PKIX_ComCertSelParams *params,
       PKIX_PL_PublicKey *pubKey,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId
* DESCRIPTION:
*
*  Retrieves a pointer to the OID (if any) representing the subject public key
*  algorithm identifier criterion that is set in the ComCertSelParams object
*  pointed to by "params" and stores it at "pPubKey". In order to match
*  against this criterion, a certificate must contain a SubjectPublicKey with
*  an algorithm that matches the criterion's algorithm.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pAlgId", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject public key algorithm
*      identifier (if any) is to be stored. Must be non-NULL.
*  "pAlgId"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubjPKAlgId(
       PKIX_ComCertSelParams *params,
       PKIX_PL_OID **pAlgId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId
* DESCRIPTION:
*
*  Sets the subject public key algorithm identifier criterion of the
*  ComCertSelParams object pointed to by "params" using an OID pointed to by
*  "algId". In order to match against this criterion, a certificate must
*  contain a SubjectPublicKey with an algorithm that matches the criterion's
*  algorithm.
*
*  If "algId" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject public key
*      algorithm identifier criterion is to be set. Must be non-NULL.
*  "algId"
*      Address of OID used to set criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjPKAlgId(
       PKIX_ComCertSelParams *params,
       PKIX_PL_OID *algId,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints
* DESCRIPTION:
*
*  Retrieves a pointer to the minimum path length (if any) representing the
*  basic constraints criterion that is set in the ComCertSelParams object
*  pointed to by "params" and stores it at "pMinPathLength". In order to
*  match against this criterion, there are several possibilities.
*
*  1) If the criterion's minimum path length is greater than or equal to zero,
*  a certificate must include a BasicConstraints extension with a pathLen of
*  at least this value.
*
*  2) If the criterion's minimum path length is -2, a certificate must be an
*  end-entity certificate.
*
*  3) If the criterion's minimum path length is -1, no basic constraints check
*  is done and all certificates are considered to match this criterion.
*
*  The semantics of other values of the criterion's minimum path length are
*  undefined but may be defined in future versions of the API.
*
*  If "params" does not have this criterion set, this function stores -1 at
*  "pMinPathLength", in which case all certificates are considered to match
*  this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose basic constraints criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pMinPathLength"
*      Address where PKIX_Int32 will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetBasicConstraints(
       PKIX_ComCertSelParams *params,
       PKIX_Int32 *pMinPathLength,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints
* DESCRIPTION:
*
*  Sets the basic constraints criterion of the ComCertSelParams object
*  pointed to by "params" using the integer value of "minPathLength". In
*  order to match against this criterion, there are several possibilities.
*
*  1) If the criterion's minimum path length is greater than or equal to zero,
*  a certificate must include a BasicConstraints extension with a pathLen of
*  at least this value.
*
*  2) If the criterion's minimum path length is -2, a certificate must be an
*  end-entity certificate.
*
*  3) If the criterion's minimum path length is -1, no basic constraints check
*  is done and all certificates are considered to match this criterion.
*
*  The semantics of other values of the criterion's minimum path length are
*  undefined but may be defined in future versions of the API.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose basic constraints
*      criterion is to be set. Must be non-NULL.
*  "minPathLength"
*      Value of PKIX_Int32 used to set the criterion
*      (or -1 to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetBasicConstraints(
       PKIX_ComCertSelParams *params,
       PKIX_Int32 minPathLength,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetCertificate
* DESCRIPTION:
*
*  Retrieves a pointer to the Cert (if any) representing the certificate
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pCert". In order to match against this
*  criterion, a certificate must be equal to the criterion's certificate. If
*  this criterion is specified, it is usually not necessary to specify any
*  other criteria, since this criterion requires an exact certificate match.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pCert", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose certificate criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pCert"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetCertificate(
       PKIX_ComCertSelParams *params,
       PKIX_PL_Cert **pCert,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetCertificate
* DESCRIPTION:
*
*  Sets the certificate criterion of the ComCertSelParams object pointed to by
* "params" using a Cert pointed to by "cert". In order to match against this
*  criterion, a certificate must be equal to the criterion's certificate.
*  If this criterion is specified, it is usually not necessary to specify
*  any other criteria, since this criterion requires an exact certificate
*  match.
*
*  If "cert" is NULL, all certificates are considered to match this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose certificate criterion is to be
*      set. Must be non-NULL.
*  "cert"
*      Address of Cert used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetCertificate(
       PKIX_ComCertSelParams *params,
       PKIX_PL_Cert *cert,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetCertificateValid
* DESCRIPTION:
*
*  Retrieves a pointer to the Date (if any) representing the certificate
*  validity criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pDate". In order to match against this
*  criterion, a certificate's validity period must include the criterion's
*  Date.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pDate", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose certificate validity criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pDate"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetCertificateValid(
       PKIX_ComCertSelParams *params,
       PKIX_PL_Date **pDate,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetCertificateValid
* DESCRIPTION:
*
*  Sets the certificate validity criterion of the ComCertSelParams object
*  pointed to by "params" using a Date pointed to by "date". In order to
*  match against this criterion, a certificate's validity period must include
*  the criterion's Date.
*
*  If "date" is NULL, all certificates are considered to match this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose certificate validity criterion
*      is to be set. Must be non-NULL.
*  "date"
*      Address of Date used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetCertificateValid(
       PKIX_ComCertSelParams *params,
       PKIX_PL_Date *date,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSerialNumber
* DESCRIPTION:
*
*  Retrieves a pointer to the BigInt (if any) representing the serial number
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pSerialNumber". In order to match against this
*  criterion, a certificate must have a serial number equal to the
*  criterion's serial number.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pSerialNumber", in which case all certificates are considered to match
*  this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose serial number criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pSerialNumber"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSerialNumber(
       PKIX_ComCertSelParams *params,
       PKIX_PL_BigInt **pSerialNumber,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSerialNumber
* DESCRIPTION:
*
*  Sets the serial number criterion of the ComCertSelParams object pointed to
*  by "params" using a BigInt pointed to by "serialNumber". In order to match
*  against this criterion, a certificate must have a serial number equal to
*  the criterion's serial number.
*
*  If "serialNumber" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose serial number criterion is to
*      be set. Must be non-NULL.
*  "serialNumber"
*      Address of BigInt used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSerialNumber(
       PKIX_ComCertSelParams *params,
       PKIX_PL_BigInt *serialNumber,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetVersion
* DESCRIPTION:
*
*  Retrieves a PKIX_UInt32 (if any) representing the version criterion that is
*  set in the ComCertSelParams object pointed to by "params" and stores it at
*  "pVersion". In order to match against this criterion, a certificate's
*  version must be equal to the criterion's version.
*
*  The version number will either be 0, 1, or 2 (corresponding to
*  v1, v2, or v3, respectively).
*
*  If "params" does not have this criterion set, this function stores
*  0xFFFFFFFF at "pVersion", in which case all certificates are considered
*  to match this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose version criterion (if any) is
*      to be stored. Must be non-NULL.
*  "pVersion"
*      Address where PKIX_Int32 will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetVersion(
       PKIX_ComCertSelParams *params,
       PKIX_UInt32 *pVersion,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetVersion
* DESCRIPTION:
*
*  Sets the version criterion of the ComCertSelParams object pointed to by
*  "params" using the integer value of "version". In order to match against
*  this criterion, a certificate's version must be equal to the criterion's
*  version. If the criterion's version is -1, no version check is done and
*  all certificates are considered to match this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose version criterion is to be
*      set. Must be non-NULL.
*  "version"
*      Value of PKIX_Int32 used to set the criterion
*      (or -1 to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetVersion(
       PKIX_ComCertSelParams *params,
       PKIX_Int32 version,
       void *plContext);


/*
* FUNCTION: PKIX_ComCertSelParams_GetKeyUsage
* DESCRIPTION:
*
*  Retrieves a PKIX_UInt32 (if any) representing the key usage criterion that
*  is set in the ComCertSelParams object pointed to by "params" and stores it
*  at "pKeyUsage". In order to match against this criterion, a certificate
*  must allow the criterion's key usage values. Note that a certificate that
*  has no KeyUsage extension implicity allows all key usages. Note also that
*  this functions supports a maximum of 32 key usage bits.
*
*  If "params" does not have this criterion set, this function stores zero at
*  "pKeyUsage", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose key usage criterion (if any)
*      is to be stored. Must be non-NULL.
*  "pKeyUsage"
*      Address where PKIX_UInt32 will be stored. Must not be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetKeyUsage(
       PKIX_ComCertSelParams *params,
       PKIX_UInt32 *pKeyUsage,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetKeyUsage
* DESCRIPTION:
*
*  Sets the key usage criterion of the ComCertSelParams object pointed to by
*  "params" using the integer value of "keyUsage". In order to match against
*  this criterion, a certificate must allow the criterion's key usage values.
*  Note that a certificate that has no KeyUsage extension implicity allows
*  all key usages. Note also that this functions supports a maximum of 32 key
*  usage bits.
*
*  If the criterion's key usage value is zero, no key usage check is done and
*  all certificates are considered to match this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose key usage criterion is to be
*      set. Must be non-NULL.
*  "keyUsage"
*      Value of PKIX_Int32 used to set the criterion
*      (or zero to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetKeyUsage(
       PKIX_ComCertSelParams *params,
       PKIX_UInt32 keyUsage,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage
* DESCRIPTION:
*
*  Retrieves a pointer to the List of OIDs (if any) representing the extended
*  key usage criterion that is set in the ComCertSelParams object pointed to
*  by "params" and stores it at "pExtKeyUsage". In order to match against this
*  criterion, a certificate's ExtendedKeyUsage extension must allow the
*  criterion's extended key usages. Note that a certificate that has no
*  ExtendedKeyUsage extension implicity allows all key purposes.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pExtKeyUsage", in which case all certificates are considered to match
*  this criterion.
*
*  Note that the List returned by this function is immutable.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose extended key usage criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pExtKeyUsage"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetExtendedKeyUsage(
       PKIX_ComCertSelParams *params,
       PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage
* DESCRIPTION:
*
*  Sets the extended key usage criterion of the ComCertSelParams object
*  pointed to by "params" using a List of OIDs pointed to by "extKeyUsage".
*  In order to match against this criterion, a certificate's ExtendedKeyUsage
*  extension must allow the criterion's extended key usages. Note that a
*  certificate that has no ExtendedKeyUsage extension implicitly allows all
*  key purposes.
*
*  If "extKeyUsage" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose extended key usage criterion
*      is to be set. Must be non-NULL.
*  "extKeyUsage"
*      Address of List of OIDs used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetExtendedKeyUsage(
       PKIX_ComCertSelParams *params,
       PKIX_List *extKeyUsage,  /* list of PKIX_PL_OID */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetPolicy
* DESCRIPTION:
*
*  Retrieves a pointer to the List of OIDs (if any) representing the policy
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pPolicy". In order to match against this
*  criterion, a certificate's CertificatePolicies extension must include at
*  least one of the criterion's policies. If "params" has this criterion set,
*  but the List of OIDs is empty, then a certificate's CertificatePolicies
*  extension must include at least some policy.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pPolicy", in which case all certificates are considered to match this
*  criterion.
*
*  Note that the List returned by this function is immutable.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose policy criterion (if any) is
*      to be stored. Must be non-NULL.
*  "pPolicy"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetPolicy(
       PKIX_ComCertSelParams *params,
       PKIX_List **pPolicy,  /* list of PKIX_PL_OID */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetPolicy
* DESCRIPTION:
*
*  Sets the policy criterion of the ComCertSelParams object pointed to by
*  "params" using a List of OIDs pointed to by "policy". In order to match
*  against this criterion, a certificate's CertificatePolicies extension must
*  include at least one of the criterion's policies. If "params" has this
*  criterion set, but the List of OIDs is empty, then a certificate's
*  CertificatePolicies extension must include at least some policy.
*
*  If "policy" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose policy criterion is to be set.
*      Must be non-NULL.
*  "policy"
*      Address of List of OIDs used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetPolicy(
       PKIX_ComCertSelParams *params,
       PKIX_List *policy,    /* list of PKIX_PL_OID */
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetIssuer
* DESCRIPTION:
*
*  Retrieves a pointer to the X500Name (if any) representing the issuer
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pIssuer". In order to match against this
*  criterion, a certificate's IssuerName must match the criterion's issuer
*  name.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pIssuer", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose issuer criterion (if any) is
*      to be stored. Must be non-NULL.
*  "pIssuer"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetIssuer(
       PKIX_ComCertSelParams *params,
       PKIX_PL_X500Name **pIssuer,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetIssuer
* DESCRIPTION:
*
*  Sets the issuer criterion of the ComCertSelParams object pointed to by
*  "params" using an X500Name pointed to by "issuer". In order to match
*  against this criterion, a certificate's IssuerName must match the
*  criterion's issuer name.
*
*  If "issuer" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose issuer criterion is to be set.
*      Must be non-NULL.
*  "issuer"
*      Address of X500Name used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetIssuer(
       PKIX_ComCertSelParams *params,
       PKIX_PL_X500Name *issuer,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubject
* DESCRIPTION:
*
*  Retrieves a pointer to the X500Name (if any) representing the subject
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pSubject". In order to match against this
*  criterion, a certificate's SubjectName must match the criterion's subject
*  name.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pSubject", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject criterion (if any) is
*      to be stored. Must be non-NULL.
*  "pSubject"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubject(
       PKIX_ComCertSelParams *params,
       PKIX_PL_X500Name **pSubject,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubject
* DESCRIPTION:
*
*  Sets the subject criterion of the ComCertSelParams object pointed to by
*  "params" using an X500Name pointed to by "subject". In order to match
*  against this criterion, a certificate's SubjectName must match the
*  criterion's subject name.
*
*  If "subject" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject criterion is to be
*      set. Must be non-NULL.
*  "subject"
*      Address of X500Name used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubject(
       PKIX_ComCertSelParams *params,
       PKIX_PL_X500Name *subject,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetSubjectAsByteArray
* DESCRIPTION:
*
*  Retrieves a pointer to the ByteArray (if any) representing the subject
*  criterion that is set in the ComCertSelParams object pointed to by
*  "params" and stores it at "pSubject". In order to match against this
*  criterion, a certificate's SubjectName must match the criterion's subject
*  name.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pSubject", in which case all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject criterion (if any) is
*      to be stored. Must be non-NULL.
*  "pSubject"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetSubjectAsByteArray(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray **pSubject,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjectAsByteArray
* DESCRIPTION:
*
*  Sets the subject criterion of the ComCertSelParams object pointed to by
*  "params" using a ByteArray pointed to by "subject". In order to match
*  against this criterion, a certificate's SubjectName must match the
*  criterion's subject name.
*
*  If "subject" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose subject criterion is to be
*      set. Must be non-NULL.
*  "subject"
*      Address of ByteArray used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjectAsByteArray(
       PKIX_ComCertSelParams *params,
       PKIX_PL_ByteArray *subject,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetNameConstraints
* DESCRIPTION:
*
*  Retrieves a pointer to the X500Name (if any) representing the name
*  constraints criterion that is set in the ComCertSelParams object pointed
*  to by "params" and stores it at "pConstraints". In order to match against
*  this criterion, a certificate's subject and subject alternative names must
*  be allowed by the criterion's name constraints.
*
*  If "params" does not have this criterion set, this function stores NULL at
*  "pConstraints", in which case all certificates are considered to match
*  this criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose name constraints criterion
*      (if any) is to be stored. Must be non-NULL.
*  "pConstraints"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetNameConstraints(
       PKIX_ComCertSelParams *params,
       PKIX_PL_CertNameConstraints **pConstraints,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetNameConstraints
* DESCRIPTION:
*
*  Sets the name constraints criterion of the ComCertSelParams object pointed
*  to by "params" using the CertNameConstraints pointed to by "constraints".
*  In order to match against this criterion, a certificate's subject and
*  subject alternative names must be allowed by the criterion's name
*  constraints.
*
*  If "constraints" is NULL, all certificates are considered to match this
*  criterion.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose name constraints criterion is
*      to be set. Must be non-NULL.
*  "constraints"
*      Address of CertNameConstraints used to set the criterion
*      (or NULL to disable the criterion).
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetNameConstraints(
       PKIX_ComCertSelParams *params,
       PKIX_PL_CertNameConstraints *constraints,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames
* DESCRIPTION:
*
*  Checks whether the ComCertSelParams object pointed to by "params" indicate
*  that all subject alternative names are to be matched and stores the Boolean
*  result at "pMatch". This Boolean value determines the behavior of the
*  subject alternative names criterion.
*
*  In order to match against the subject alternative names criterion, if the
*  Boolean value at "pMatch" is PKIX_TRUE, a certificate must contain all of
*  the criterion's subject alternative names. If the Boolean value at
*  "pMatch" is PKIX_FALSE, a certificate must contain at least one of the
*  criterion's subject alternative names. The default behavior is as if the
*  Boolean value at "pMatch" is PKIX_TRUE.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object used to determine whether all
*      subject alternative names must be matched. Must be non-NULL.
*  "pMatch"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_GetMatchAllSubjAltNames(
       PKIX_ComCertSelParams *params,
       PKIX_Boolean *pMatch,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames
* DESCRIPTION:
*
*  Sets the match flag of the ComCertSelParams object pointed to by "params"
*  using the Boolean value of "match". This Boolean value determines the
*  behavior of the subject alternative names criterion.
*
*  In order to match against the subject alternative names criterion, if the
*  "match" is PKIX_TRUE, a certificate must contain all of the criterion's
*  subject alternative names. If the "match" is PKIX_FALSE, a certificate
*  must contain at least one of the criterion's subject alternative names.
*  The default behavior is as if "match" is PKIX_TRUE.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose match flag is to be set.
*      Must be non-NULL.
*  "match"
*      Boolean value used to set the match flag.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
       PKIX_ComCertSelParams *params,
       PKIX_Boolean match,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
* DESCRIPTION:
*
* Return "leafCert" flag of the ComCertSelParams structure. If set to true,
* the flag indicates that a selector should filter out all cert that are not
* qualified to be a leaf cert according to the specified key/ekey usages.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object used to determine whether all
*      subject alternative names must be matched. Must be non-NULL.
*  "pLeafFlag"
*      Address of returned value.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*      (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error*
PKIX_ComCertSelParams_GetLeafCertFlag(
       PKIX_ComCertSelParams *params,
       PKIX_Boolean *pLeafFlag,
       void *plContext);

/*
* FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
* DESCRIPTION:
*
* Sets a flag that if its value is true, indicates that the selector
* should only pick certs that qualifies to be leaf for this cert path
* validation.
*
* PARAMETERS:
*  "params"
*      Address of ComCertSelParams object whose match flag is to be set.
*      Must be non-NULL.
*  "leafFlag"
*      Boolean value used to set the leaf flag.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe - assumes exclusive access to "params"
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a CertSelector Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetLeafCertFlag(
       PKIX_ComCertSelParams *params,
       PKIX_Boolean leafFlag,
       void *plContext);

#ifdef __cplusplus
}
#endif

#endif /* _PKIX_CERTSEL_H */