security/nss/lib/certdb/certt.h
author Kai Engert <kaie@kuix.de>
Thu, 22 Jan 2015 12:26:00 -0500
changeset 251103 6b4103d8c3f769d4d97937a9d5a3a9cba8884247
parent 184903 fa127f705db1f99ca2f5899f02fa80ea49afc292
child 267143 cdebefc5da888b7d9802bf5f44dd773e99e07377
permissions -rw-r--r--
Bug 1107731 - Upgrade Mozilla 37 to use NSS 3.17.4. a=sledru

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * certt.h - public data structures for the certificate library
 */
#ifndef _CERTT_H_
#define _CERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secmodt.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "nssilock.h"
#include "prio.h"
#include "prmon.h"

/* Stan data types */
struct NSSCertificateStr;
struct NSSTrustDomainStr;

/* Non-opaque objects */
typedef struct CERTAVAStr                        CERTAVA;
typedef struct CERTAttributeStr                  CERTAttribute;
typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
typedef struct CERTCertExtensionStr              CERTCertExtension;
typedef struct CERTCertKeyStr                    CERTCertKey;
typedef struct CERTCertListStr                   CERTCertList;
typedef struct CERTCertListNodeStr               CERTCertListNode;
typedef struct CERTCertNicknamesStr              CERTCertNicknames;
typedef struct CERTCertTrustStr                  CERTCertTrust;
typedef struct CERTCertificateStr                CERTCertificate;
typedef struct CERTCertificateListStr            CERTCertificateList;
typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
typedef struct CERTCrlStr                        CERTCrl;
typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
typedef struct CERTCrlEntryStr                   CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
typedef struct CERTCrlKeyStr                     CERTCrlKey;
typedef struct CERTCrlNodeStr                    CERTCrlNode;
typedef struct CERTDERCertsStr                   CERTDERCerts;
typedef struct CERTDistNamesStr                  CERTDistNames;
typedef struct CERTGeneralNameStr                CERTGeneralName;
typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
typedef struct CERTNameStr                       CERTName;
typedef struct CERTNameConstraintStr             CERTNameConstraint;
typedef struct CERTNameConstraintsStr            CERTNameConstraints;
typedef struct CERTOKDomainNameStr               CERTOKDomainName;
typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr                        CERTRDN;
typedef struct CERTSignedCrlStr                  CERTSignedCrl;
typedef struct CERTSignedDataStr                 CERTSignedData;
typedef struct CERTStatusConfigStr               CERTStatusConfig;
typedef struct CERTSubjectListStr                CERTSubjectList;
typedef struct CERTSubjectNodeStr                CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr                   CERTValidity;
typedef struct CERTVerifyLogStr                  CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
typedef struct CRLDistributionPointStr           CRLDistributionPoint;

/* CRL extensions type */
typedef unsigned long CERTCrlNumber;

/*
** An X.500 AVA object
*/
struct CERTAVAStr {
    SECItem type;
    SECItem value;
};

/*
** An X.500 RDN object
*/
struct CERTRDNStr {
    CERTAVA **avas;
};

/*
** An X.500 name object
*/
struct CERTNameStr {
    PLArenaPool *arena;
    CERTRDN **rdns;
};

/*
** An X.509 validity object
*/
struct CERTValidityStr {
    PLArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};

/*
 * A serial number and issuer name, which is used as a database key
 */
struct CERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs.
*/
struct CERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};

/*
** An X.509 subject-public-key-info object
*/
struct CERTSubjectPublicKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};

struct CERTPublicKeyAndChallengeStr {
    SECItem spki;
    SECItem challenge;
};

struct CERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};

/*
 * defined the types of trust that exist
 */
typedef enum SECTrustTypeEnum {
    trustSSL = 0,
    trustEmail = 1,
    trustObjectSigning = 2,
    trustTypeNone = 3
} SECTrustType;

#define SEC_GET_TRUST_FLAGS(trust,type) \
        (((type)==trustSSL)?((trust)->sslFlags): \
	 (((type)==trustEmail)?((trust)->emailFlags): \
	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))

/*
** An X.509.3 certificate extension
*/
struct CERTCertExtensionStr {
    SECItem id;
    SECItem critical;
    SECItem value;
};

struct CERTSubjectNodeStr {
    struct CERTSubjectNodeStr *next;
    struct CERTSubjectNodeStr *prev;
    SECItem certKey;
    SECItem keyID;
};

struct CERTSubjectListStr {
    PLArenaPool *arena;
    int ncerts;
    char *emailAddr;
    CERTSubjectNode *head;
    CERTSubjectNode *tail; /* do we need tail? */
    void *entry;
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct CERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert.  This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time.  I is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    PLArenaPool *arena;

    /* The following fields are static after the cert has been decoded */
    char *subjectName;
    char *issuerName;
    CERTSignedData signatureWrap;	/* XXX */
    SECItem derCert;			/* original DER for the cert */
    SECItem derIssuer;			/* DER for issuer name */
    SECItem derSubject;			/* DER for subject name */
    SECItem derPublicKey;		/* DER for the public key */
    SECItem certKey;			/* database key for this cert */
    SECItem version;
    SECItem serialNumber;
    SECAlgorithmID signature;
    CERTName issuer;
    CERTValidity validity;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem issuerID;
    SECItem subjectID;
    CERTCertExtension **extensions;
    char *emailAddr;
    CERTCertDBHandle *dbhandle;
    SECItem subjectKeyID;	/* x509v3 subject key identifier */
    PRBool keyIDGenerated;	/* was the keyid generated? */
    unsigned int keyUsage;	/* what uses are allowed for this cert */
    unsigned int rawKeyUsage;	/* value of the key usage extension */
    PRBool keyUsagePresent;	/* was the key usage extension present */
    PRUint32 nsCertType;	/* value of the ns cert type extension */
				/* must be 32-bit for PR_ATOMIC_SET */

    /* these values can be set by the application to bypass certain checks
     * or to keep the cert in memory for an entire session.
     * XXX - need an api to set these
     */
    PRBool keepSession;			/* keep this cert for entire session*/
    PRBool timeOK;			/* is the bad validity time ok? */
    CERTOKDomainName *domainOK;		/* these domain names are ok */

    /*
     * these values can change when the cert changes state.  These state
     * changes include transitions from temp to perm or vice-versa, and
     * changes of trust flags
     */
    PRBool isperm;
    PRBool istemp;
    char *nickname;
    char *dbnickname;
    struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
    CERTCertTrust *trust;

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate
     */
    int referenceCount;

    /* The subject list is a list of all certs with the same subject name.
     * It can be modified any time a cert is added or deleted from either
     * the in-memory(temporary) or on-disk(permanent) database.
     */
    CERTSubjectList *subjectList;

    /* these belong in the static section, but are here to maintain
     * the structure's integrity
     */
    CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
    PRBool isRoot;              /* cert is the end of a chain */

    /* these fields are used by client GUI code to keep track of ssl sockets
     * that are blocked waiting on GUI feedback related to this cert.
     * XXX - these should be moved into some sort of application specific
     *       data structure.  They are only used by the browser right now.
     */
    union {
        void* apointer; /* was struct SECSocketNode* authsocketlist */
        struct {
            unsigned int hasUnsupportedCriticalExt :1;
            /* add any new option bits needed here */
        } bits;
    } options;
    int series; /* was int authsocketcount; record the series of the pkcs11ID */

    /* This is PKCS #11 stuff. */
    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
    PRBool ownSlot;		/*true if the cert owns the slot reference */
};
#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */

#define SEC_CRL_VERSION_1		0	/* default */
#define SEC_CRL_VERSION_2		1	/* v2 extensions */

/*
 * used to identify class of cert in mime stream code
 */
#define SEC_CERT_CLASS_CA	1
#define SEC_CERT_CLASS_SERVER	2
#define SEC_CERT_CLASS_USER	3
#define SEC_CERT_CLASS_EMAIL	4

struct CERTDERCertsStr {
    PLArenaPool *arena;
    int numcerts;
    SECItem *rawCerts;
};

/*
** A PKCS ? Attribute
** XXX this is duplicated through out the code, it *should* be moved
** to a central location.  Where would be appropriate?
*/
struct CERTAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};

/*
** A PKCS#10 certificate-request object (the unsigned form)
*/
struct CERTCertificateRequestStr {
    PLArenaPool *arena;
    SECItem version;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    CERTAttribute **attributes;
};
#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */


/*
** A certificate list object.
*/
struct CERTCertificateListStr {
    SECItem *certs;
    int len;					/* number of certs */
    PLArenaPool *arena;
};

struct CERTCertListNodeStr {
    PRCList links;
    CERTCertificate *cert;
    void *appData;
};

struct CERTCertListStr {
    PRCList list;
    PLArenaPool *arena;
};

#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)

struct CERTCrlEntryStr {
    SECItem serialNumber;
    SECItem revocationDate;
    CERTCertExtension **extensions;    
};

struct CERTCrlStr {
    PLArenaPool *arena;
    SECItem version;
    SECAlgorithmID signatureAlg;
    SECItem derName;
    CERTName name;
    SECItem lastUpdate;
    SECItem nextUpdate;				/* optional for x.509 CRL  */
    CERTCrlEntry **entries;
    CERTCertExtension **extensions;    
    /* can't add anything there for binary backwards compatibility reasons */
};

struct CERTCrlKeyStr {
    SECItem derName;
    SECItem dummy;			/* The decoder can not skip a primitive,
					   this serves as a place holder for the
					   decoder to finish its task only
					*/
};

struct CERTSignedCrlStr {
    PLArenaPool *arena;
    CERTCrl crl;
    void *reserved1;
    PRBool reserved2;
    PRBool isperm;
    PRBool istemp;
    int referenceCount;
    CERTCertDBHandle *dbhandle;
    CERTSignedData signatureWrap;	/* XXX */
    char *url;
    SECItem *derCrl;
    PK11SlotInfo *slot;
    CK_OBJECT_HANDLE pkcs11ID;
    void* opaque; /* do not touch */
};


struct CERTCrlHeadNodeStr {
    PLArenaPool *arena;
    CERTCertDBHandle *dbhandle;
    CERTCrlNode *first;
    CERTCrlNode *last;
};


struct CERTCrlNodeStr {
    CERTCrlNode *next;
    int 	type;
    CERTSignedCrl *crl;
};


/*
 * Array of X.500 Distinguished Names
 */
struct CERTDistNamesStr {
    PLArenaPool *arena;
    int nnames;
    SECItem  *names;
    void *head; /* private */
};


#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */

#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)

#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
			  NS_CERT_TYPE_SSL_SERVER | \
			  NS_CERT_TYPE_EMAIL | \
			  NS_CERT_TYPE_OBJECT_SIGNING )

#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
			 NS_CERT_TYPE_EMAIL_CA | \
			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
			 EXT_KEY_USAGE_STATUS_RESPONDER )
typedef enum SECCertUsageEnum {
    certUsageSSLClient = 0,
    certUsageSSLServer = 1,
    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageEmailSigner = 4,
    certUsageEmailRecipient = 5,
    certUsageObjectSigner = 6,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageStatusResponder = 10,
    certUsageAnyCA = 11
} SECCertUsage;

typedef PRInt64 SECCertificateUsage;

#define certificateUsageCheckAllUsages         (0x0000)
#define certificateUsageSSLClient              (0x0001)
#define certificateUsageSSLServer              (0x0002)
#define certificateUsageSSLServerWithStepUp    (0x0004)
#define certificateUsageSSLCA                  (0x0008)
#define certificateUsageEmailSigner            (0x0010)
#define certificateUsageEmailRecipient         (0x0020)
#define certificateUsageObjectSigner           (0x0040)
#define certificateUsageUserCertImport         (0x0080)
#define certificateUsageVerifyCA               (0x0100)
#define certificateUsageProtectedObjectSigner  (0x0200)
#define certificateUsageStatusResponder        (0x0400)
#define certificateUsageAnyCA                  (0x0800)

#define certificateUsageHighest certificateUsageAnyCA

/*
 * Does the cert belong to the user, a peer, or a CA.
 */
typedef enum CERTCertOwnerEnum {
    certOwnerUser = 0,
    certOwnerPeer = 1,
    certOwnerCA = 2
} CERTCertOwner;

/*
 * This enum represents the state of validity times of a certificate
 */
typedef enum SECCertTimeValidityEnum {
    secCertTimeValid = 0,
    secCertTimeExpired = 1,
    secCertTimeNotValidYet = 2,
    secCertTimeUndetermined = 3 /* validity could not be decoded from the
                                   cert, most likely because it was NULL */
} SECCertTimeValidity;

/*
 * This is used as return status in functions that compare the validity
 * periods of two certificates A and B, currently only
 * CERT_CompareValidityTimes.
 */

typedef enum CERTCompareValidityStatusEnum
{
    certValidityUndetermined = 0, /* the function is unable to select one cert 
                                     over another */
    certValidityChooseB = 1,      /* cert B should be preferred */
    certValidityEqual = 2,        /* both certs have the same validity period */
    certValidityChooseA = 3       /* cert A should be preferred */
} CERTCompareValidityStatus;

/*
 * Interface for getting certificate nickname strings out of the database
 */

/* these are values for the what argument below */
#define SEC_CERT_NICKNAMES_ALL		1
#define SEC_CERT_NICKNAMES_USER		2
#define SEC_CERT_NICKNAMES_SERVER	3
#define SEC_CERT_NICKNAMES_CA		4

struct CERTCertNicknamesStr {
    PLArenaPool *arena;
    void *head;
    int numnicknames;
    char **nicknames;
    int what;
    int totallen;
};

struct CERTIssuerAndSNStr {
    SECItem derIssuer;
    CERTName issuer;
    SECItem serialNumber;
};


/* X.509 v3 Key Usage Extension flags */
#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
#define KU_CRL_SIGN			(0x02)  /* bit 6 */
#define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
					 KU_NON_REPUDIATION | \
					 KU_KEY_ENCIPHERMENT | \
					 KU_DATA_ENCIPHERMENT | \
					 KU_KEY_AGREEMENT | \
					 KU_KEY_CERT_SIGN | \
					 KU_CRL_SIGN | \
					 KU_ENCIPHER_ONLY)

/* This value will not occur in certs.  It is used internally for the case
 * when either digital signature or non-repudiation is the correct value.
 */
#define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)

/* This value will not occur in certs.  It is used internally for the case
 * when the key type is not know ahead of time and either key agreement or
 * key encipherment are the correct value based on key type
 */
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)

/* internal bits that do not match bits in the x509v3 spec, but are used
 * for similar purposes
 */
#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
/*
 * x.509 v3 Basic Constraints Extension
 * If isCA is false, the pathLenConstraint is ignored.
 * Otherwise, the following pathLenConstraint values will apply:
 *	< 0 - there is no limit to the certificate path
 *	0   - CA can issues end-entity certificates only
 *	> 0 - the number of certificates in the certificate path is
 *	      limited to this number
 */
#define CERT_UNLIMITED_PATH_CONSTRAINT -2

struct CERTBasicConstraintsStr {
    PRBool isCA;			/* on if is CA */
    int pathLenConstraint;		/* maximum number of certificates that can be
					   in the cert path.  Only applies to a CA
					   certificate; otherwise, it's ignored.
					 */
};

/* Maximum length of a certificate chain */
#define CERT_MAX_CERT_CHAIN 20

#define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
#define CERT_MAX_DN_BYTES             4096  /* arbitrary */

/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
#define RF_UNUSED			(0x80)	/* bit 0 */
#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
#define RF_SUPERSEDED			(0x08)  /* bit 4 */
#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */

/* enum for CRL Entry Reason Code */
typedef enum CERTCRLEntryReasonCodeEnum {
    crlEntryReasonUnspecified = 0,
    crlEntryReasonKeyCompromise = 1,
    crlEntryReasonCaCompromise = 2,
    crlEntryReasonAffiliationChanged = 3,
    crlEntryReasonSuperseded = 4,
    crlEntryReasonCessationOfOperation = 5,
    crlEntryReasoncertificatedHold = 6,
    crlEntryReasonRemoveFromCRL = 8,
    crlEntryReasonPrivilegeWithdrawn = 9,
    crlEntryReasonAaCompromise = 10
} CERTCRLEntryReasonCode;

/* If we needed to extract the general name field, use this */
/* General Name types */
typedef enum CERTGeneralNameTypeEnum {
    certOtherName = 1,
    certRFC822Name = 2,
    certDNSName = 3,
    certX400Address = 4,
    certDirectoryName = 5,
    certEDIPartyName = 6,
    certURI = 7,
    certIPAddress = 8,
    certRegisterID = 9
} CERTGeneralNameType;


typedef struct OtherNameStr {
    SECItem          name;
    SECItem          oid;
}OtherName;



struct CERTGeneralNameStr {
    CERTGeneralNameType type;		/* name type */
    union {
	CERTName directoryName;         /* distinguish name */
	OtherName  OthName;		/* Other Name */
	SECItem other;                  /* the rest of the name forms */
    }name;
    SECItem derDirectoryName;		/* this is saved to simplify directory name
					   comparison */
    PRCList l;
};

struct CERTGeneralNameListStr {
    PLArenaPool *arena;
    CERTGeneralName *name;
    int refCount;
    int len;
    PZLock *lock;
};

struct CERTNameConstraintStr {
    CERTGeneralName  name;
    SECItem          DERName;
    SECItem          min;
    SECItem          max;
    PRCList          l;
};


struct CERTNameConstraintsStr {
    CERTNameConstraint  *permited;
    CERTNameConstraint  *excluded;
    SECItem             **DERPermited;
    SECItem             **DERExcluded;
};


/* Private Key Usage Period extension struct. */
struct CERTPrivKeyUsagePeriodStr {
    SECItem notBefore;
    SECItem notAfter;
    PLArenaPool *arena;
};

/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
   issuer field, we only support URI now.
 */
struct CERTAuthKeyIDStr {
    SECItem keyID;			/* unique key identifier */
    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
    SECItem authCertSerialNumber;	/* CA's certificate serial number */
    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
					   the authCertIssuer field. It is used
					   by the encoding engine. It should be
					   used as a read only field by the caller.
					*/
};

/* x.509 v3 CRL Distributeion Point */

/*
 * defined the types of CRL Distribution points
 */
typedef enum DistributionPointTypesEnum {
    generalName = 1,			/* only support this for now */
    relativeDistinguishedName = 2
} DistributionPointTypes;

struct CRLDistributionPointStr {
    DistributionPointTypes distPointType;
    union {
	CERTGeneralName *fullName;
	CERTRDN relativeName;
    } distPoint;
    SECItem reasons;
    CERTGeneralName *crlIssuer;
    
    /* Reserved for internal use only*/
    SECItem derDistPoint;
    SECItem derRelativeName;
    SECItem **derCrlIssuer;
    SECItem **derFullName;
    SECItem bitsmap;
};

struct CERTCrlDistributionPointsStr {
    CRLDistributionPoint **distPoints;
};

/*
 * This structure is used to keep a log of errors when verifying
 * a cert chain.  This allows multiple errors to be reported all at
 * once.
 */
struct CERTVerifyLogNodeStr {
    CERTCertificate *cert;	/* what cert had the error */
    long error;			/* what error was it? */
    unsigned int depth;		/* how far up the chain are we */
    void *arg;			/* error specific argument */
    struct CERTVerifyLogNodeStr *next; /* next in the list */
    struct CERTVerifyLogNodeStr *prev; /* next in the list */
};


struct CERTVerifyLogStr {
    PLArenaPool *arena;
    unsigned int count;
    struct CERTVerifyLogNodeStr *head;
    struct CERTVerifyLogNodeStr *tail;
};


struct CERTOKDomainNameStr {
    CERTOKDomainName *next;
    char              name[1]; /* actual length may be longer. */
};


typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
						    CERTCertificate *cert,
						    PRTime time,
						    void *pwArg);

typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);

struct CERTStatusConfigStr {
    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
    void *statusContext;		/* cx specific to checking protocol */
};

struct CERTAuthInfoAccessStr {
    SECItem method;
    SECItem derLocation;
    CERTGeneralName *location;		/* decoded location */
};


/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number */
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);

/*
 * types of cert packages that we can decode
 */
typedef enum CERTPackageTypeEnum {
    certPackageNone = 0,
    certPackageCert = 1,
    certPackagePKCS7 = 2,
    certPackageNSCertSeq = 3,
    certPackageNSCertWrap = 4
} CERTPackageType;

/*
 * these types are for the PKIX Certificate Policies extension
 */
typedef struct {
    SECOidTag oid;
    SECItem qualifierID;
    SECItem qualifierValue;
} CERTPolicyQualifier;

typedef struct {
    SECOidTag oid;
    SECItem policyID;
    CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;

typedef struct {
    PLArenaPool *arena;
    CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;

typedef struct {
    SECItem organization;
    SECItem **noticeNumbers;
} CERTNoticeReference;

typedef struct {
    PLArenaPool *arena;
    CERTNoticeReference noticeReference;
    SECItem derNoticeReference;
    SECItem displayText;
} CERTUserNotice;

typedef struct {
    PLArenaPool *arena;
    SECItem **oids;
} CERTOidSequence;

/*
 * these types are for the PKIX Policy Mappings extension
 */
typedef struct {
    SECItem issuerDomainPolicy;
    SECItem subjectDomainPolicy;
} CERTPolicyMap;

typedef struct {
    PLArenaPool *arena;
    CERTPolicyMap **policyMaps;
} CERTCertificatePolicyMappings;

/*
 * these types are for the PKIX inhibitAnyPolicy extension
 */
typedef struct {
    SECItem inhibitAnySkipCerts;
} CERTCertificateInhibitAny;

/*
 * these types are for the PKIX Policy Constraints extension
 */
typedef struct {
    SECItem explicitPolicySkipCerts;
    SECItem inhibitMappingSkipCerts;
} CERTCertificatePolicyConstraints;

/*
 * These types are for the validate chain callback param.
 *
 * CERTChainVerifyCallback is an application-supplied callback that can be used
 * to augment libpkix's certificate chain validation with additional
 * application-specific checks. It may be called multiple times if there are
 * multiple potentially-valid paths for the certificate being validated. This
 * callback is called before revocation checking is done on the certificates in
 * the given chain.
 *
 * - isValidChainArg contains the application-provided opaque argument
 * - currentChain is the currently validated chain. It is ordered with the leaf
 *   certificate at the head and the trust anchor at the tail.
 *
 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
 * return SECSuccess if the chain is unacceptable, to indicate that the given
 * chain is bad and path building should continue. It should return SECFailure
 * to indicate an fatal error that will cause path validation to fail
 * immediately.
 */
typedef SECStatus (*CERTChainVerifyCallbackFunc)
                                             (void *isChainValidArg,
                                              const CERTCertList *currentChain,
                                              PRBool *chainOK);

/*
 * Note: If extending this structure, it will be necessary to change the
 * associated CERTValParamInType
 */
typedef struct {
    CERTChainVerifyCallbackFunc isChainValid;
    void *isChainValidArg;
} CERTChainVerifyCallback;

/*
 * these types are for the CERT_PKIX* Verification functions
 * These are all optional parameters.
 */

typedef enum {
   cert_pi_end             = 0, /* SPECIAL: signifies end of array of  
				 * CERTValParam* */
   cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
			         * resume a session. If this argument is 
				 * specified, no other arguments should be.
				 * Specified in value.pointer.p. If the 
				 * operation completes the context will be 
				 * freed. */
   cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an 
				 * existing operation which the caller wants
			         * to abort. If this argument is 
				 * specified, no other arguments should be.
				 * Specified in value.pointer.p. If the 
			         * operation succeeds the context will be 
				 * freed. */
   cert_pi_certList        = 3, /* specify the chain to validate against. If
				 * this value is given, then the path 
				 * construction step in the validation is 
				 * skipped. Specified in value.pointer.chain */
   cert_pi_policyOID       = 4, /* validate certificate for policy OID.
				 * Specified in value.array.oids. Cert must
				 * be good for at least one OID in order
				 * to validate. Default is that the user is not
				 * concerned about certificate policy. */
   cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
				 * Specified in value.scalar.ul. Policy flags
				 * apply to all specified oids. 
				 * Use CERT_POLICY_FLAG_* macros below. If not
				 * specified policy flags default to 0 */
   cert_pi_keyusage        = 6, /* specify what the keyusages the certificate 
				 * will be evaluated against, specified in
				 * value.scalar.ui. The cert must validate for
				 * at least one of the specified key usages.
				 * Values match the KU_  bit flags defined
				 * in this file. Default is derived from
				 * the 'usages' function argument */
   cert_pi_extendedKeyusage= 7, /* specify what the required extended key 
				 * usage of the certificate. Specified as
				 * an array of oidTags in value.array.oids.
				 * The cert must validate for at least one
				 * of the specified extended key usages.
				 * If not specified, no extended key usages
				 * will be checked. */
   cert_pi_date            = 8, /* validate certificate is valid as of date 
				 * specified in value.scalar.time. A special 
				 * value '0' indicates 'now'. default is '0' */
   cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
				 * See CERT_REV_FLAG_* macros below
				 * Set in value.pointer.revocation */
   cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
				 * Set in value.scalar.ui */
   cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
				 * validate against. 
				 * The default set of trusted roots, these are
				 * root CA certs from libnssckbi.so or CA
				 * certs trusted by user, are used in any of
				 * the following cases:
				 *      * when the parameter is not set.
				 *      * when the list of trust anchors is empty.
				 * Note that this handling can be further altered by altering the
				 * cert_pi_useOnlyTrustAnchors flag
				 * Specified in value.pointer.chain */
   cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
				 * In NSS 3.12.1 or later. Default is off.
				 * Value is in value.scalar.b */
   cert_pi_chainVerifyCallback = 13,
                                /* The callback container for doing extra
                                 * validation on the currently calculated chain.
                                 * Value is in value.pointer.chainVerifyCallback */
   cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
				 * certificates other than the ones passed in via cert_pi_trustAnchors.
				 * If false, then the certificates specified via cert_pi_trustAnchors
				 * will be combined with the pre-existing trusted roots, but only for
				 * the certificate validation being performed.
				 * If no value has been supplied via cert_pi_trustAnchors, this has no
				 * effect.
				 * The default value is true, meaning if this is not supplied, only
				 * trust anchors supplied via cert_pi_trustAnchors are trusted.
				 * Specified in value.scalar.b */
   cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
				 *  can increase in future releases */
} CERTValParamInType;

/*
 * for all out parameters:
 *  out parameters are only returned if the caller asks for them in
 *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
 *  array itself. The pkix verify function will allocate and other arrays
 *  pointers, or objects. The Caller is responsible for freeing those results.
 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
 */
typedef enum {
   cert_po_end             = 0, /* SPECIAL: signifies end of array of  
				 * CERTValParam* */
   cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
				 * non-blocking context is specified, then
				 * blocking IO will be used. 
				 * Returned in value.pointer.p. The context is 
				 * freed after an abort or a complete operation.
				 * This value is only returned on SECWouldBlock.
				 */
   cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
				 * was validated. Returned in 
				 * value.pointer.cert, this value is only 
				 * returned on SECSuccess. */
   cert_po_certList        = 3, /* Return the entire chain that was validated.
				 * Returned in value.pointer.certList. If no 
				 * chain could be constructed, this value 
				 * would be NULL. */
   cert_po_policyOID       = 4, /* Return the policies that were found to be
				 * valid. Returned in value.array.oids as an 
				 * array. This is only returned on 
				 * SECSuccess. */
   cert_po_errorLog        = 5, /* Return a log of problems with the chain.
				 * Returned in value.pointer.log  */
   cert_po_usages          = 6, /* Return what usages the certificate is valid
				   for. Returned in value.scalar.usages */
   cert_po_keyUsage        = 7, /* Return what key usages the certificate
				 * is valid for.
				 * Returned in value.scalar.usage */
   cert_po_extendedKeyusage= 8, /* Return what extended key usages the
				 * certificate is valid for.
				 * Returned in value.array.oids */
   cert_po_max                  /* SPECIAL: signifies maximum allowed value,
				 *  can increase in future releases */

} CERTValParamOutType;

typedef enum {
    cert_revocation_method_crl = 0,
    cert_revocation_method_ocsp,
    cert_revocation_method_count
} CERTRevocationMethodIndex;


/*
 * The following flags are supposed to be used to control bits in
 * each integer contained in the array pointed to be:
 *     CERTRevocationTests.cert_rev_flags_per_method
 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
 * this is a method dependent flag.
 */

/*
 * Whether or not to use a method for revocation testing.
 * If set to "do not test", then all other flags are ignored.
 */
#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0UL
#define CERT_REV_M_TEST_USING_THIS_METHOD            1UL

/*
 * Whether or not NSS is allowed to attempt to fetch fresh information
 *         from the network.
 * (Although fetching will never happen if fresh information for the
 *           method is already locally available.)
 */
#define CERT_REV_M_ALLOW_NETWORK_FETCHING            0UL
#define CERT_REV_M_FORBID_NETWORK_FETCHING           2UL

/*
 * Example for an implicit default source:
 *         The globally configured default OCSP responder.
 * IGNORE means:
 *        ignore the implicit default source, whether it's configured or not.
 * ALLOW means:
 *       if an implicit default source is configured, 
 *          then it overrides any available or missing source in the cert.
 *       if no implicit default source is configured,
 *          then we continue to use what's available (or not available) 
 *          in the certs.
 */ 
#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0UL
#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4UL

/*
 * Defines the behavior if no fresh information is available,
 *   fetching from the network is allowed, but the source of revocation
 *   information is unknown (even after considering implicit sources,
 *   if allowed by other flags).
 * SKIPT_TEST means:
 *          We ignore that no fresh information is available and 
 *          skip this test.
 * REQUIRE_INFO means:
 *          We still require that fresh information is available.
 *          Other flags define what happens on missing fresh info.
 */
#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0UL
#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8UL

/*
 * Defines the behavior if we are unable to obtain fresh information.
 * INGORE means:
 *      Return "cert status unknown"
 * FAIL means:
 *      Return "cert revoked".
 */
#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0UL
#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16UL

/*
 * What should happen if we were able to find fresh information using
 * this method, and the data indicated the cert is good?
 * STOP_TESTING means:
 *              Our success is sufficient, do not continue testing
 *              other methods.
 * CONTINUE_TESTING means:
 *                  We will continue and test the next allowed
 *                  specified method.
 */
#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0UL
#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32UL

/* When this flag is used, libpkix will never attempt to use the GET HTTP
 * method for OCSP requests; it will always use POST.
 */
#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL

/*
 * The following flags are supposed to be used to control bits in
 *     CERTRevocationTests.cert_rev_method_independent_flags
 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
 * this is a method independent flag.
 */

/*
 * This defines the order to checking.
 * EACH_METHOD_SEPARATELY means:
 *      Do all tests related to a particular allowed method
 *      (both local information and network fetching) in a single step.
 *      Only after testing for a particular method is done,
 *      then switching to the next method will happen.
 * ALL_LOCAL_INFORMATION_FIRST means:
 *      Start by testing the information for all allowed methods
 *      which are already locally available. Only after that is done
 *      consider to fetch from the network (as allowed by other flags).
 */
#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0UL
#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1UL

/*
 * Use this flag to specify that it's necessary that fresh information
 * is available for at least one of the allowed methods, but it's
 * irrelevant which of the mechanisms succeeded.
 * NO_OVERALL_INFO_REQUIREMENT means:
 *     We strictly follow the requirements for each individual method.
 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
 *     After the individual tests have been executed, we must have
 *     been able to find fresh information using at least one method.
 *     If we were unable to find fresh info, it's a failure.
 *     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
 *     flag on all methods.
 */
#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0UL
#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL


typedef struct {
    /*
     * The size of the array that cert_rev_flags_per_method points to,
     * meaning, the number of methods that are known and defined
     * by the caller.
     */
    PRUint32 number_of_defined_methods;

    /*
     * A pointer to an array of integers.
     * Each integer defines revocation checking for a single method,
     *      by having individual CERT_REV_M_* bits set or not set.
     * The meaning of index numbers into this array are defined by 
     *     enum CERTRevocationMethodIndex
     * The size of the array must be specified by the caller in the separate
     *     variable number_of_defined_methods.
     * The size of the array may be smaller than 
     *     cert_revocation_method_count, it can happen if a caller
     *     is not yet aware of the latest revocation methods
     *     (or does not want to use them).
     */ 
    PRUint64 *cert_rev_flags_per_method;

    /*
     * How many preferred methods are specified?
     * This is equivalent to the size of the array that 
     *      preferred_methods points to.
     * It's allowed to set this value to zero,
     *      then NSS will decide which methods to prefer.
     */
    PRUint32 number_of_preferred_methods;

    /* Array that may specify an optional order of preferred methods.
     * Each array entry shall contain a method identifier as defined
     *   by CERTRevocationMethodIndex.
     * The entry at index [0] specifies the method with highest preference.
     * These methods will be tested first for locally available information.
     * Methods allowed for downloading will be attempted in the same order.
     */
    CERTRevocationMethodIndex *preferred_methods;

    /*
     * An integer which defines certain aspects of revocation checking
     * (independent of individual methods) by having individual
     * CERT_REV_MI_* bits set or not set.
     */
    PRUint64 cert_rev_method_independent_flags;
} CERTRevocationTests;

typedef struct {
    CERTRevocationTests leafTests;
    CERTRevocationTests chainTests;
} CERTRevocationFlags;

typedef struct CERTValParamInValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        PRTime time;
    } scalar;
    union {
        const void*    p;
        const char*    s;
        const CERTCertificate* cert;
        const CERTCertList *chain;
        const CERTRevocationFlags *revocation;
        const CERTChainVerifyCallback *chainVerifyCallback;
    } pointer;
    union {
        const PRInt32  *pi;
        const PRUint32 *pui;
        const PRInt64  *pl;
        const PRUint64 *pul;
        const SECOidTag *oids;
    } array;
    int arraySize;
} CERTValParamInValue;


typedef struct CERTValParamOutValueStr {
    union {
        PRBool   b;
        PRInt32  i;
        PRUint32 ui;
        PRInt64  l;
        PRUint64 ul;
        SECCertificateUsage usages;
    } scalar;
    union {
        void*    p;
        char*    s;
        CERTVerifyLog *log;
        CERTCertificate* cert;
        CERTCertList *chain;
    } pointer;
    union {
        void 	  *p;
        SECOidTag *oids;
    } array;
    int arraySize;
} CERTValParamOutValue;

typedef struct {
    CERTValParamInType type;
    CERTValParamInValue value;
} CERTValInParam;

typedef struct {
    CERTValParamOutType type;
    CERTValParamOutValue value;
} CERTValOutParam;

/*
 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
 */
typedef enum CertStrictnessLevels {
    CERT_N2A_READABLE   =  0, /* maximum human readability */
    CERT_N2A_STRICT     = 10, /* strict RFC compliance    */
    CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
                                 all DirectoryStrings encoded in hex */
} CertStrictnessLevel;

/*
 * policy flag defines
 */
#define CERT_POLICY_FLAG_NO_MAPPING    1
#define CERT_POLICY_FLAG_EXPLICIT      2
#define CERT_POLICY_FLAG_NO_ANY        4

/*
 * CertStore flags
 */
#define CERT_ENABLE_LDAP_FETCH          1
#define CERT_ENABLE_HTTP_FETCH          2

/* This functin pointer type may be used for any function that takes
 * a CERTCertificate * and returns an allocated string, which must be
 * freed by a call to PORT_Free.
 */
typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);

/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h"	/* way down here because I expect template stuff to
			 * move out of here anyway */

SEC_BEGIN_PROTOS

extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];

extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];
extern const SEC_ASN1Template CERT_SignedCrlTemplate[];

/*
** XXX should the attribute stuff be centralized for all of ns/security?
*/
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];

/* These functions simply return the address of the above-declared templates.
** This is necessary for Windows DLLs.  Sigh.
*/
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)

SEC_END_PROTOS

#endif /* _CERTT_H_ */