38
38
* cert.h - public data structures and prototypes for the certificate library
40
* $Id: cert.h,v 1.68 2008/03/15 02:15:34 alexei.volkov.bugs%sun.com Exp $
40
* $Id: cert.h,v 1.74 2008/08/04 22:31:54 nelson%bolyard.com Exp $
72
72
** Convert an CERTName into its RFC1485 encoded equivalent.
73
73
** Returns a string that must be freed with PORT_Free().
74
** This version produces a string for maximum human readability,
75
** not for strict RFC compliance.
75
77
extern char *CERT_NameToAscii(CERTName *name);
77
extern CERTAVA *CERT_CopyAVA(PRArenaPool *arena, CERTAVA *src);
80
** Convert an CERTName into its RFC1485 encoded equivalent.
81
** Returns a string that must be freed with PORT_Free().
82
** Caller chooses encoding rules.
84
extern char *CERT_NameToAsciiInvertible(CERTName *name,
85
CertStrictnessLevel strict);
87
extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
79
89
/* convert an OID to dotted-decimal representation */
80
90
/* Returns a string that must be freed with PR_smprintf_free(). */
95
105
** Create an RDN (relative-distinguished-name). The argument list is a
96
106
** NULL terminated list of AVA's.
98
extern CERTRDN *CERT_CreateRDN(PRArenaPool *arena, CERTAVA *avas, ...);
108
extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
101
111
** Make a copy of "src" storing it in "dest".
103
extern SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *dest, CERTRDN *src);
113
extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
106
116
** Destory an RDN object.
114
124
** "rdn" the RDN to add to
115
125
** "ava" the AVA to add
117
extern SECStatus CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
127
extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
120
130
** Compare two RDN's, returning the difference between them.
132
142
** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
135
extern SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *dest, CERTName *src);
145
extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, CERTName *src);
138
148
** Destroy a Name object.
175
185
** "notBefore" the time before which the validity is not valid
176
186
** "notAfter" the time after which the validity is not valid
178
extern CERTValidity *CERT_CreateValidity(int64 notBefore, int64 notAfter);
188
extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
181
191
** Destroy a validity object.
193
203
extern SECStatus CERT_CopyValidity
194
(PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
204
(PLArenaPool *arena, CERTValidity *dest, CERTValidity *src);
197
207
** The cert lib considers a cert or CRL valid if the "notBefore" time is
305
315
extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
307
317
extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
309
319
SECCertUsage usage);
310
320
extern CERTCertificate *
311
321
CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
327
337
** "value" is the null terminated string containing the value
329
339
extern CERTAVA *CERT_CreateAVA
330
(PRArenaPool *arena, SECOidTag kind, int valueType, char *value);
340
(PLArenaPool *arena, SECOidTag kind, int valueType, char *value);
333
343
** Extract the Distinguished Name from a DER encoded certificate
348
358
CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
351
361
extern CERTGeneralName *
352
CERT_DecodeGeneralName(PRArenaPool *reqArena, SECItem *encodedName,
362
CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
353
363
CERTGeneralName *genName);
361
371
** "derCert" the DER encoded certificate
362
372
** "key" the returned key
364
extern SECStatus CERT_KeyFromDERCert(PRArenaPool *reqArena, SECItem *derCert,
374
extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
367
extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
377
extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
368
378
SECItem *sn, SECItem *key);
370
380
extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
378
388
** "derCrl" the DER encoded crl
379
389
** "key" the returned key
381
extern SECStatus CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key);
391
extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);
384
394
** Open the certificate database. Use callback to get name of database.
437
447
#define SEC_KRL_TYPE 0
439
449
extern CERTSignedCrl *
440
CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
450
CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
443
453
* same as CERT_DecodeDERCrl, plus allow options to be passed in
446
456
extern CERTSignedCrl *
447
CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
457
CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
448
458
int type, PRInt32 options);
450
460
/* CRL options to pass */
550
560
CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
563
** Encode Certificate SKID (Subject Key ID) extension.
567
CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
568
SECItem *encodedValue);
553
571
** Find a certificate in the database by a nickname
554
572
** "nickname" is the ascii string nickname to look for
588
606
* Find the issuer of a cert
590
608
CERTCertificate *
591
CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage);
609
CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);
594
612
** Check the validity times of a certificate vs. time 't', allowing
603
621
PRBool allowOverride);
606
** WARNING - this function is depricated, and will either go away or have
624
** WARNING - this function is deprecated, and will either go away or have
607
625
** a new API in the near future.
609
627
** Check the validity times of a certificate vs. the current time, allowing
663
681
CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
664
682
PRBool checkSig, SECCertificateUsage requiredUsages,
665
int64 t, void *wincx, CERTVerifyLog *log,
683
PRTime t, void *wincx, CERTVerifyLog *log,
666
684
SECCertificateUsage* returnedUsages);
668
686
/* same as above, but uses current time */
680
698
CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
681
PRBool checkSig, SECCertUsage certUsage, int64 t,
699
PRBool checkSig, SECCertUsage certUsage, PRTime t,
682
700
void *wincx, CERTVerifyLog *log);
693
711
CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
694
PRBool checkSig, SECCertUsage certUsage, int64 t,
712
PRBool checkSig, SECCertUsage certUsage, PRTime t,
695
713
void *wincx, CERTVerifyLog *log);
697
715
/* same as above, but uses current time */
703
721
CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
704
PRBool checkSig, SECCertUsage certUsage, int64 t,
722
PRBool checkSig, SECCertUsage certUsage, PRTime t,
705
723
void *wincx, CERTVerifyLog *log);
874
892
** encodedValue - output encoded value
876
894
extern SECStatus CERT_EncodeBasicConstraintValue
877
(PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
895
(PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
880
898
** Encode the value of the authorityKeyIdentifier extension.
882
900
extern SECStatus CERT_EncodeAuthKeyID
883
(PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
901
(PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
886
904
** Encode the value of the crlDistributionPoints extension.
888
906
extern SECStatus CERT_EncodeCRLDistributionPoints
889
(PRArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
907
(PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
892
910
** Decodes a DER encoded basicConstaint extension value into a readable format
903
921
** Returns a CERTAuthKeyID structure which contains the decoded value
905
923
extern CERTAuthKeyID *CERT_DecodeAuthKeyID
906
(PRArenaPool *arena, SECItem *encodedValue);
924
(PLArenaPool *arena, SECItem *encodedValue);
909
927
/* Decodes a DER encoded crlDistributionPoints extension value into a
916
934
extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
917
(PRArenaPool *arena, SECItem *der);
935
(PLArenaPool *arena, SECItem *der);
919
937
/* Extract certain name type from a generalName */
920
938
extern void *CERT_GetGeneralNameByType
953
971
/* Returns the decoded value of the authKeyID extension.
954
972
** Note that this uses passed in the arena to allocate storage for the result
956
extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena,CERTCertificate *cert);
974
extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
958
976
/* Returns the decoded value of the basicConstraint extension.
1004
1022
(CERTCrl *crl, int tag, SECItem *value);
1006
1024
extern SECStatus
1007
CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value);
1025
CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value);
1010
1028
** Set up a crl for adding X509v3 extensions. Returns an opaque handle
1028
1046
** Finds the crlNumber extension and decodes its value into 'value'
1030
extern SECStatus CERT_FindCRLNumberExten (PRArenaPool *arena, CERTCrl *crl,
1048
extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
1031
1049
SECItem *value);
1033
1051
extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
1138
1156
CERT_AddNewCerts(CERTCertDBHandle *handle);
1141
CERT_CertPackageType(SECItem *package, SECItem *certitem);
1143
1158
CERTCertificatePolicies *
1144
1159
CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
1163
1178
CERT_DecodeUserNotice(SECItem *noticeItem);
1165
1180
extern CERTGeneralName *
1166
CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName);
1181
CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
1168
1183
extern CERTNameConstraints *
1169
CERT_DecodeNameConstraintsExtension(PRArenaPool *arena,
1184
CERT_DecodeNameConstraintsExtension(PLArenaPool *arena,
1170
1185
SECItem *encodedConstraints);
1172
1187
/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
1173
1188
extern CERTAuthInfoAccess **
1174
CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
1189
CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
1175
1190
SECItem *encodedExtension);
1177
1192
extern CERTPrivKeyUsagePeriod *
1256
1271
CERT_CheckForEvilCert(CERTCertificate *cert);
1258
1273
CERTGeneralName *
1259
CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
1274
CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
1262
CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
1277
CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
1265
1280
* Creates or adds to a list of all certs with a give subject name, sorted by
1270
1285
CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1271
SECItem *name, int64 sorttime, PRBool validOnly);
1274
* Creates or adds to a list of all certs with a give nickname, sorted by
1275
* validity time, newest first. Invalid certs are considered older than valid
1276
* certs. If validOnly is set, do not include invalid certs on list.
1279
CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1280
char *nickname, int64 sorttime, PRBool validOnly);
1283
* Creates or adds to a list of all certs with a give email addr, sorted by
1284
* validity time, newest first. Invalid certs are considered older than valid
1285
* certs. If validOnly is set, do not include invalid certs on list.
1288
CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1289
char *emailAddr, int64 sorttime, PRBool validOnly);
1286
SECItem *name, PRTime sorttime, PRBool validOnly);
1292
1289
* remove certs from a list that don't have keyUsage and certType
1414
1411
* not yet good.
1417
CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
1414
CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
1418
1415
char *expiredString, char *notYetGoodString);
1437
1434
CERTCertificate *
1438
1435
CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
1439
1436
CERTCertOwner owner, SECCertUsage usage,
1440
PRBool preferTrusted, int64 validTime, PRBool validOnly);
1437
PRBool preferTrusted, PRTime validTime, PRBool validOnly);
1443
1440
* Acquire the global lock on the cert database.
1512
1509
* results in a NULL being returned (and an appropriate error set).
1514
1511
extern SECItem *
1515
CERT_GetSPKIDigest(PRArenaPool *arena, const CERTCertificate *cert,
1512
CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
1516
1513
SECOidTag digestAlg, SECItem *fill);
1519
1516
SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
1520
SECItem* dp, int64 t, void* wincx);
1517
SECItem* dp, PRTime t, void* wincx);
1533
1530
* SECItem data.
1535
1532
extern CERTNameConstraint *
1536
CERT_CopyNameConstraint(PRArenaPool *arena,
1533
CERT_CopyNameConstraint(PLArenaPool *arena,
1537
1534
CERTNameConstraint *dest,
1538
1535
CERTNameConstraint *src);
1544
1541
extern SECStatus
1545
CERT_CheckNameSpace(PRArenaPool *arena,
1542
CERT_CheckNameSpace(PLArenaPool *arena,
1546
1543
CERTNameConstraints *constraints,
1547
1544
CERTGeneralName *currentName);
1550
1547
* Extract and allocate the name constraints extension from the CA cert.
1552
1549
extern SECStatus
1553
CERT_FindNameConstraintsExten(PRArenaPool *arena,
1550
CERT_FindNameConstraintsExten(PLArenaPool *arena,
1554
1551
CERTCertificate *cert,
1555
1552
CERTNameConstraints **constraints);
1564
1561
* PKIX extension encoding routines
1566
1563
extern SECStatus
1567
CERT_EncodePolicyConstraintsExtension(PRArenaPool *arena,
1564
CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
1568
1565
CERTCertificatePolicyConstraints *constr,
1569
1566
SECItem *dest);
1570
1567
extern SECStatus
1571
CERT_EncodeInhibitAnyExtension(PRArenaPool *arena,
1568
CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
1572
1569
CERTCertificateInhibitAny *inhibitAny,
1573
1570
SECItem *dest);
1574
1571
extern SECStatus
1575
CERT_EncodePolicyMappingExtension(PRArenaPool *arena,
1572
CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
1576
1573
CERTCertificatePolicyMappings *maps,
1577
1574
SECItem *dest);
1579
extern SECStatus CERT_EncodeInfoAccessExtension(PRArenaPool *arena,
1576
extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
1580
1577
CERTAuthInfoAccess **info,
1581
1578
SECItem *dest);
1582
1579
extern SECStatus
1583
CERT_EncodeUserNotice(PRArenaPool *arena,
1580
CERT_EncodeUserNotice(PLArenaPool *arena,
1584
1581
CERTUserNotice *notice,
1585
1582
SECItem *dest);
1587
1584
extern SECStatus
1588
CERT_EncodeDisplayText(PRArenaPool *arena,
1585
CERT_EncodeDisplayText(PLArenaPool *arena,
1590
1587
SECItem *dest);
1592
1589
extern SECStatus
1593
CERT_EncodeCertPoliciesExtension(PRArenaPool *arena,
1590
CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
1594
1591
CERTPolicyInfo **info,
1595
1592
SECItem *dest);
1596
1593
extern SECStatus
1597
CERT_EncodeNoticeReference(PRArenaPool *arena,
1594
CERT_EncodeNoticeReference(PLArenaPool *arena,
1598
1595
CERTNoticeReference *reference,
1599
1596
SECItem *dest);
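Review bot: The new comments on `CERT_NameToAscii` and `CERT_NameToAsciiInvertible` (new lines 72-85) do not tell a caller which of the two to use when the returned string feeds a decision rather than a display. Both comments open with the same "RFC1485 encoded equivalent" sentence, although the first is now described as not strictly RFC compliant. "Caller chooses encoding rules" leaves the meaning of `strict` to the `CertStrictnessLevel` declaration, which is not visible on this page. I would add `** The result is intended for display; do not parse it or compare it to match names.` to the first comment, and to the second a line stating which strictness level yields a string that converts back to the same name. That reading of "Invertible" is inferred from the function name and should be confirmed against the implementation.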