/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* The Original Code is the Netscape security libraries.
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
* ***** END LICENSE BLOCK ***** */
* certt.h - public data structures for the certificate library
* $Id: pcertt.h,v 1.13.30.1 2006/04/25 02:22:27 nelson%bolyard.com Exp $
/* Non-opaque objects */
/*
 * Type names for the library's non-opaque objects.  Each tag is declared
 * first so the forward reference is explicit; the struct bodies this header
 * defines appear further down, and any tag whose body is not here is
 * completed elsewhere in the library.
 */
struct NSSLOWCERTCertDBHandleStr;
struct NSSLOWCERTCertKeyStr;
struct NSSLOWCERTTrustStr;
struct NSSLOWCERTCertTrustStr;
struct NSSLOWCERTCertificateStr;
struct NSSLOWCERTCertificateListStr;
struct NSSLOWCERTIssuerAndSNStr;
struct NSSLOWCERTSignedDataStr;
struct NSSLOWCERTSubjectPublicKeyInfoStr;
struct NSSLOWCERTValidityStr;

typedef struct NSSLOWCERTCertDBHandleStr            NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr                 NSSLOWCERTCertKey;
typedef struct NSSLOWCERTTrustStr                   NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr               NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr             NSSLOWCERTCertificate;
typedef struct NSSLOWCERTCertificateListStr         NSSLOWCERTCertificateList;
typedef struct NSSLOWCERTIssuerAndSNStr             NSSLOWCERTIssuerAndSN;
typedef struct NSSLOWCERTSignedDataStr              NSSLOWCERTSignedData;
typedef struct NSSLOWCERTSubjectPublicKeyInfoStr    NSSLOWCERTSubjectPublicKeyInfo;
typedef struct NSSLOWCERTValidityStr                NSSLOWCERTValidity;
** An X.509 validity object
struct NSSLOWCERTValidityStr {
* A serial number and issuer name, which is used as a database key
struct NSSLOWCERTCertKeyStr {
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs.
struct NSSLOWCERTSignedDataStr {
SECAlgorithmID signatureAlgorithm;
** An X.509 subject-public-key-info object
struct NSSLOWCERTSubjectPublicKeyInfoStr {
SECAlgorithmID algorithm;
SECItem subjectPublicKey;
/*
 * Database-entry record types; their bodies are defined further down.
 * NOTE(review): the tags _certDBEntryCert and _certDBEntryRevocation begin
 * with an underscore, a spelling C reserves for the implementation at file
 * scope.  They are kept because other code refers to the tags by name.
 */
struct _certDBEntryCert;
typedef struct _certDBEntryCert certDBEntryCert;

struct _certDBEntryRevocation;
typedef struct _certDBEntryRevocation certDBEntryRevocation;
struct NSSLOWCERTCertTrustStr {
unsigned int sslFlags;
unsigned int emailFlags;
unsigned int objectSigningFlags;
** PKCS11 Trust representation
struct NSSLOWCERTTrustStr {
NSSLOWCERTTrust *next;
NSSLOWCERTCertDBHandle *dbhandle;
SECItem dbKey; /* database key for this cert */
certDBEntryCert *dbEntry; /* database entry struct */
NSSLOWCERTCertTrust *trust;
SECItem *derCert; /* original DER for the cert */
unsigned char dbKeySpace[512];
** An X.509 certificate object (the unsigned form)
struct NSSLOWCERTCertificateStr {
/* the arena is used to allocate any data structures that have the same
* lifetime as the cert. This is all stuff that hangs off of the cert
* structure, and is all freed at the same time. It is used when the
* cert is decoded, destroyed, and at some times when it changes
NSSLOWCERTCertificate *next;
NSSLOWCERTCertDBHandle *dbhandle;
SECItem derCert; /* original DER for the cert */
SECItem derIssuer; /* DER for issuer name */
SECItem serialNumber;
SECItem derSubject; /* DER for subject name */
SECItem derSubjKeyInfo;
NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
SECItem certKey; /* database key for this cert */
certDBEntryCert *dbEntry; /* database entry struct */
SECItem subjectKeyID; /* x509v3 subject key identifier */
NSSLOWCERTCertTrust *trust;
/* the reference count is modified whenever someone looks up, dups
* or destroys a certificate
char nicknameSpace[200];
unsigned char certKeySpace[512];
/*
 * Values of the X.509 certificate "version" field as encoded: the integer
 * is one less than the human-readable version number, so v1 is 0.
 */
#define SEC_CERTIFICATE_VERSION_1   0   /* default when the field is absent */
#define SEC_CERTIFICATE_VERSION_2   1   /* v2 */
#define SEC_CERTIFICATE_VERSION_3   2   /* v3; the version that carries extensions */

/* Values of the X.509 CRL "version" field, encoded the same way. */
#define SEC_CRL_VERSION_1           0   /* default */
#define SEC_CRL_VERSION_2           1   /* v2; the version that carries CRL extensions */
struct NSSLOWCERTIssuerAndSNStr {
SECItem serialNumber;
/* Per-certificate callback: receives one certificate plus the caller's
 * opaque arg.  NOTE(review): presumably a non-success SECStatus stops the
 * traversal that invokes it — confirm against the callers before relying
 * on it. */
typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
/*
 * Callback handed to nsslowcert_OpenCertDB(): given the caller's opaque
 * arg and a database file-format version, it returns the name of the
 * database file to use for that version.  Ownership of the returned string
 * is not documented here — check nsslowcert_OpenCertDB() before freeing it.
 */
typedef char *(*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
#include "secasn1t.h" /* way down here because I expect template stuff to
* move out of here anyway */
* Certificate Database related definitions and data structures
/* version number of certificate database */
/* Certificate database format versions. */
#define CERT_DB_FILE_VERSION        8   /* current file format */
#define CERT_DB_V7_FILE_VERSION     7   /* the previous file format */
#define CERT_DB_CONTENT_VERSION     2   /* version of the database content */

/*
 * Byte counts of the fixed headers that precede every entry and every key
 * in the database; entry-type-specific header lengths are defined with
 * each entry type below.
 */
#define SEC_DB_ENTRY_HEADER_LEN     3
#define SEC_DB_KEY_HEADER_LEN       1
/* All database entries have this form:
/* database entry types */
certDBEntryTypeVersion = 0,
certDBEntryTypeCert = 1,
certDBEntryTypeNickname = 2,
certDBEntryTypeSubject = 3,
certDBEntryTypeRevocation = 4,
certDBEntryTypeKeyRevocation = 5,
certDBEntryTypeSMimeProfile = 6,
certDBEntryTypeContentVersion = 7,
certDBEntryTypeBlob = 8
certDBEntryType type;
unsigned int version;
* 4 objectSigningFlags-msb
* 5 objectSigningFlags-lsb
* NOTE: the nickname string as stored in the database is null terminated,
* in other words, the last byte of the db entry is always 0
* if a nickname is present.
* NOTE: if nickname is not present, then nickname-len-msb and
* nickname-len-lsb will both be zero.
struct _certDBEntryCert {
certDBEntryCommon common;
certDBEntryCert *next;
NSSLOWCERTCertTrust trust;
char nicknameSpace[200];
unsigned char derCertSpace[2048];
* Certificate Nickname entry:
* 0 subjectname-len-msb
* 1 subjectname-len-lsb
* The database key for this type of entry is a nickname string
* The "subjectname" value is the DER encoded DN of the identity
* that matches this nickname.
certDBEntryCommon common;
} certDBEntryNickname;
/* Fixed part of a nickname entry: the two subjectname length bytes
 * (msb, lsb) shown in the layout above. */
#define DB_NICKNAME_ENTRY_HEADER_LEN 2
* Certificate Subject entry:
* ...+2*i certkey-len-msb
* ...+1+2*i certkey-len-lsb
* ...+2*ncerts+2*i keyid-len-msb
* ...+1+2*ncerts+2*i keyid-len-lsb
* The database key for this type of entry is the DER encoded subject name
* The "certkey" value is an array of certificate database lookup keys that
* points to the database entries for the certificates that match
typedef struct _certDBEntrySubject {
certDBEntryCommon common;
unsigned int nemailAddrs;
} certDBEntrySubject;
/* Fixed part of a subject entry (see the layout above); the per-certificate
 * certkey and keyid length pairs follow this header. */
#define DB_SUBJECT_ENTRY_HEADER_LEN 6
* Certificate SMIME profile entry:
* 0 subjectname-len-msb
* 1 subjectname-len-lsb
* 2 smimeoptions-len-msb
* 3 smimeoptions-len-lsb
* 4 options-date-len-msb
* 5 options-date-len-lsb
* The database key for this type of entry is the email address string
* The "subjectname" value is the DER encoded DN of the identity
* that matches this nickname.
* The "smimeoptions" value is a string that represents the algorithm
* capabilities on the remote user.
* The "options-date" is the date that the smime options value was created.
* This is generally the signing time of the signed message that contained
* the options. It is a UTCTime value.
certDBEntryCommon common;
SECItem smimeOptions;
/* Fixed part of an S/MIME profile entry: the three 2-byte lengths
 * (subjectname, smimeoptions, options-date) listed in the layout above. */
#define DB_SMIME_ENTRY_HEADER_LEN 6
* NOTE: the url string as stored in the database is null terminated,
* in other words, the last byte of the db entry is always 0
* if a nickname is present.
* NOTE: if url is not present, then url-len-msb and
* url-len-lsb will both be zero.
/* Fixed part of a CRL (revocation) entry; the url length bytes described
 * in the NOTEs above are part of it. */
#define DB_CRL_ENTRY_HEADER_LEN 4
struct _certDBEntryRevocation {
certDBEntryCommon common;
char *url; /* where to load the crl from */
* Database Version Entry:
* only the low level header...
* The database key for this type of entry is the string "Version"
certDBEntryCommon common;
} certDBEntryVersion;
/*
 * Database key of the version entry.  SEC_DB_VERSION_KEY_LEN is sizeof the
 * string literal, so it counts the terminating NUL (8 bytes for "Version")
 * and is one more than strlen() of the key.
 */
#define SEC_DB_VERSION_KEY          "Version"
#define SEC_DB_VERSION_KEY_LEN      sizeof(SEC_DB_VERSION_KEY)
* Database Content Version Entry:
* The database key for this type of entry is the string "ContentVersion"
certDBEntryCommon common;
} certDBEntryContentVersion;
/*
 * Database key of the content-version entry.  As with the version key, the
 * _LEN macro is sizeof the literal and therefore includes the terminating
 * NUL (15 bytes for "ContentVersion").
 */
#define SEC_DB_CONTENT_VERSION_KEY      "ContentVersion"
#define SEC_DB_CONTENT_VERSION_KEY_LEN  sizeof(SEC_DB_CONTENT_VERSION_KEY)
certDBEntryCommon common;
certDBEntryCert cert;
certDBEntryContentVersion content;
certDBEntryNickname nickname;
certDBEntryRevocation revocation;
certDBEntrySMime smime;
certDBEntrySubject subject;
certDBEntryVersion version;
/* length of the fixed part of a database entry */
/*
 * Length of the fixed part of a certificate database entry, by file format
 * version.  The v4, v5 and v6 formats all used 7 bytes; the current format
 * (DB_CERT_ENTRY_HEADER_LEN) uses 10.  The v4 macro keeps its historical
 * spelling, which differs from the later DB_CERT_V*_ENTRY_HEADER_LEN names.
 */
#define DBCERT_V4_HEADER_LEN            7
#define DB_CERT_V5_ENTRY_HEADER_LEN     7
#define DB_CERT_V6_ENTRY_HEADER_LEN     7
#define DB_CERT_ENTRY_HEADER_LEN        10
/* common flags for all types of certificates */
/*
 * Trust flags stored in the database for every certificate.  They are bit
 * positions within each of the three per-usage flag words (ssl, email,
 * object signing), so a flag is checked with a mask test rather than an
 * equality compare.  Note that both a positive (CERTDB_TRUSTED*) and an
 * explicit negative (CERTDB_NOT_TRUSTED) flag exist; code that reads the
 * flags needs to consider both.
 */
#define CERTDB_VALID_PEER           (1 << 0)
#define CERTDB_TRUSTED              (1 << 1)
#define CERTDB_SEND_WARN            (1 << 2)
#define CERTDB_VALID_CA             (1 << 3)
#define CERTDB_TRUSTED_CA           (1 << 4)    /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA        (1 << 5)
#define CERTDB_USER                 (1 << 6)
#define CERTDB_TRUSTED_CLIENT_CA    (1 << 7)    /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA         (1 << 8)    /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA     (1 << 9)    /* historical: could do strong crypto in the export version */
#define CERTDB_NOT_TRUSTED          (1 << 10)   /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN      (1 << 11)   /* accept trust from another source */

/*
 * Bits that are not affected by the CKO_NETSCAPE_TRUST object: when trust
 * is written through PKCS#11 these are kept from the existing flags.  None
 * of the CERTDB_TRUSTED* or CERTDB_NOT_TRUSTED bits are in this mask, so
 * those always come from the new trust object.
 */
#define CERTDB_PRESERVE_TRUST_BITS  (CERTDB_USER | CERTDB_VALID_PEER | \
                                     CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | \
                                     CERTDB_INVISIBLE_CA | CERTDB_GOVT_APPROVED_CA)
#endif /* _PCERTT_H_ */