/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * This file defines functions associated with the PKIX_CertSelector and the * PKIX_ComCertSelParams types. * */ #ifndef _PKIX_CERTSEL_H #define _PKIX_CERTSEL_H #include "pkixt.h" #ifdef __cplusplus extern "C" { #endif /* General * * Please refer to the libpkix Programmer's Guide for detailed information * about how to use the libpkix library. Certain key warnings and notices from * that document are repeated here for emphasis. * * All identifiers in this file (and all public identifiers defined in * libpkix) begin with "PKIX_". Private identifiers only intended for use * within the library begin with "pkix_". * * A function returns NULL upon success, and a PKIX_Error pointer upon failure. * * Unless otherwise noted, for all accessor (gettor) functions that return a * PKIX_PL_Object pointer, callers should assume that this pointer refers to a * shared object. Therefore, the caller should treat this shared object as * read-only and should not modify this shared object. When done using the * shared object, the caller should release the reference to the object by * using the PKIX_PL_Object_DecRef function. * * While a function is executing, if its arguments (or anything referred to by * its arguments) are modified, free'd, or destroyed, the function's behavior * is undefined. * */ /* PKIX_CertSelector * * PKIX_CertSelectors provide a standard way for the caller to select * certificates based on particular criteria. A CertSelector is typically used * by the caller to specify the constraints they wish to impose on the target * certificate in a chain. (see pkix_params.h) A CertSelector is also often * used to retrieve certificates from a CertStore that match the selector's * criteria. (See pkix_certstore.h) For example, the caller may wish to only * select those certificates that have a particular Subject Distinguished Name * and a particular value for a private certificate extension. The * MatchCallback allows the caller to specify the custom matching logic to be * used by a CertSelector. * * By default, the MatchCallback is set to point to the default implementation * provided by libpkix, which understands how to process the most common * parameters. If the default implementation is used, the caller should set * these common parameters using PKIX_CertSelector_SetCommonCertSelectorParams. * Any common parameter that is not set is assumed to be disabled, which means * the default MatchCallback implementation will select all certificates * without regard to that particular disabled parameter. For example, if the * SerialNumber parameter is not set, MatchCallback will not filter out any * certificate based on its serial number. As such, if no parameters are set, * all are disabled and any certificate will match. If a parameter is * disabled, its associated PKIX_ComCertSelParams_Get* function returns a * default value of NULL, or -1 for PKIX_ComCertSelParams_GetBasicConstraints * and PKIX_ComCertSelParams_GetVersion, or 0 for * PKIX_ComCertSelParams_GetKeyUsage. * * If a custom implementation is desired, the default implementation can be * overridden by calling PKIX_CertSelector_SetMatchCallback. In this case, the * CertSelector can be initialized with a certSelectorContext, which is where * the caller can specify the desired parameters the caller wishes to match * against. Note that this certSelectorContext must be an Object (although any * object type), allowing it to be reference-counted and allowing it to * provide the standard Object functions (Equals, Hashcode, ToString, Compare, * Duplicate). * */ /* * FUNCTION: PKIX_CertSelector_MatchCallback * DESCRIPTION: * * This callback function determines whether the specified Cert pointed to by * "cert" matches the criteria of the CertSelector pointed to by "selector". * If the Cert does not matches the CertSelector's criteria, an exception will * be thrown. * * PARAMETERS: * "selector" * Address of CertSelector whose MatchCallback logic and parameters are * to be used. Must be non-NULL. * "cert" * Address of Cert that is to be matched using "selector". * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertSelector_MatchCallback)( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, void *plContext); /* * FUNCTION: PKIX_CertSelector_Create * DESCRIPTION: * * Creates a new CertSelector using the Object pointed to by * "certSelectorContext" (if any) and stores it at "pSelector". As noted * above, by default, the MatchCallback is set to point to the default * implementation provided by libpkix, which understands how to process * ComCertSelParams objects. This is overridden if the MatchCallback pointed * to by "callback" is not NULL, in which case the parameters are specified * using the certSelectorContext. * * PARAMETERS: * "callback" * The MatchCallback function to be used. * "certSelectorContext" * Address of Object representing the CertSelector's context (if any). * "pSelector" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertSelector_Create( PKIX_CertSelector_MatchCallback callback, PKIX_PL_Object *certSelectorContext, PKIX_CertSelector **pSelector, void *plContext); /* * FUNCTION: PKIX_CertSelector_GetMatchCallback * DESCRIPTION: * * Retrieves a pointer to "selector's" Match callback function and puts it in * "pCallback". * * PARAMETERS: * "selector" * The CertSelector whose Match callback is desired. Must be non-NULL. * "pCallback" * Address where Match callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertSelector_GetMatchCallback( PKIX_CertSelector *selector, PKIX_CertSelector_MatchCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertSelector_GetCertSelectorContext * DESCRIPTION: * * Retrieves a pointer to a PKIX_PL_Object representing the context (if any) * of the CertSelector pointed to by "selector" and stores it at * "pCertSelectorContext". * * PARAMETERS: * "selector" * Address of CertSelector whose context is to be stored. * Must be non-NULL. * "pCertSelectorContext" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertSelector_GetCertSelectorContext( PKIX_CertSelector *selector, PKIX_PL_Object **pCertSelectorContext, void *plContext); /* * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams * DESCRIPTION: * * Retrieves a pointer to the ComCertSelParams object that represent the * common parameters of the CertSelector pointed to by "selector" and stores * it at "pCommonCertSelectorParams". If there are no common parameters * stored with the CertSelector, this function stores NULL at * "pCommonCertSelectorParams". * * PARAMETERS: * "selector" * Address of CertSelector whose ComCertSelParams object is to be stored. * Must be non-NULL. * "pCommonCertSelectorParams" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertSelector_GetCommonCertSelectorParams( PKIX_CertSelector *selector, PKIX_ComCertSelParams **pCommonCertSelectorParams, void *plContext); /* * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams * DESCRIPTION: * * Sets the common parameters for the CertSelector pointed to by "selector" * using the ComCertSelParams object pointed to by "commonCertSelectorParams". * * PARAMETERS: * "selector" * Address of CertSelector whose common parameters are to be set. * Must be non-NULL. * "commonCertSelectorParams" * Address of ComCertSelParams object representing the common parameters. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "selector" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertSelector_SetCommonCertSelectorParams( PKIX_CertSelector *selector, PKIX_ComCertSelParams *commonCertSelectorParams, void *plContext); /* PKIX_ComCertSelParams * * PKIX_ComCertSelParams objects are X.509 parameters commonly used with * CertSelectors, especially when enforcing constraints on a target * certificate or determining which certificates to retrieve from a CertStore. * ComCertSelParams objects are typically used with those CertSelectors that * use the default implementation of MatchCallback, which understands how to * process ComCertSelParams objects. */ /* * FUNCTION: PKIX_ComCertSelParams_Create * DESCRIPTION: * * Creates a new ComCertSelParams object and stores it at "pParams". * * PARAMETERS: * "pParams" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_Create( PKIX_ComCertSelParams **pParams, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames * DESCRIPTION: * * Retrieves a pointer to the List of GeneralNames (if any) representing the * subject alternative names criterion that is set in the ComCertSelParams * object pointed to by "params" and stores it at "pNames". In order to match * against this criterion, a certificate must contain all or at least one of * the criterion's subject alternative names (depending on the result of * PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default behavior * requires a certificate to contain all of the criterion's subject * alternative names in order to match. * * If "params" does not have this criterion set, this function stores NULL at * "pNames", in which case all certificates are considered to match this * criterion. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject alternative names * criterion (if any) is to be stored. Must be non-NULL. * "pNames" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubjAltNames( PKIX_ComCertSelParams *params, PKIX_List **pNames, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames * DESCRIPTION: * * Sets the subject alternative names criterion of the ComCertSelParams object * pointed to by "params" using a List of GeneralNames pointed to by "names". * In order to match against this criterion, a certificate must contain all or * at least one of the criterion's subject alternative names (depending on the * result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default * behavior requires a certificate to contain all of the criterion's subject * alternative names in order to match. * * If "names" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject alternative * names criterion is to be set. Must be non-NULL. * "names" * Address of List of GeneralNames used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubjAltNames( PKIX_ComCertSelParams *params, PKIX_List *names, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_AddSubjAltName * DESCRIPTION: * * Adds to the subject alternative names criterion of the ComCertSelParams * object pointed to by "params" using the GeneralName pointed to by "name". * In order to match against this criterion, a certificate must contain all * or at least one of the criterion's subject alternative names (depending on * the result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default * behavior requires a certificate to contain all of the criterion's subject * alternative names in order to match. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject alternative names * criterion is to be added to. Must be non-NULL. * "name" * Address of GeneralName to be added. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_AddSubjAltName( PKIX_ComCertSelParams *params, PKIX_PL_GeneralName *name, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetPathToNames * DESCRIPTION: * * Retrieves a pointer to the List of GeneralNames (if any) representing the * path to names criterion that is set in the ComCertSelParams object pointed * to by "params" and stores it at "pNames". In order to match against this * criterion, a certificate must not include name constraints that would * prohibit building a path to the criterion's specified names. * * If "params" does not have this criterion set, this function stores NULL at * "pNames", in which case all certificates are considered to match this * criterion. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose path to names criterion * (if any) is to be stored. Must be non-NULL. * "pNames" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetPathToNames( PKIX_ComCertSelParams *params, PKIX_List **pNames, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetPathToNames * DESCRIPTION: * * Sets the path to names criterion of the ComCertSelParams object pointed to * by "params" using a List of GeneralNames pointed to by "names". In order to * match against this criterion, a certificate must not include name * constraints that would prohibit building a path to the criterion's * specified names. * * If "names" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose path to names criterion * is to be set. Must be non-NULL. * "names" * Address of List of GeneralNames used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetPathToNames( PKIX_ComCertSelParams *params, PKIX_List *names, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_AddPathToName * DESCRIPTION: * * Adds to the path to names criterion of the ComCertSelParams object pointed * to by "params" using the GeneralName pointed to by "pathToName". In order * to match against this criterion, a certificate must not include name * constraints that would prohibit building a path to the criterion's * specified names. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose path to names criterion is to * be added to. Must be non-NULL. * "pathToName" * Address of GeneralName to be added. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_AddPathToName( PKIX_ComCertSelParams *params, PKIX_PL_GeneralName *pathToName, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier * DESCRIPTION: * * Retrieves a pointer to the ByteArray (if any) representing the authority * key identifier criterion that is set in the ComCertSelParams object * pointed to by "params" and stores it at "pAuthKeyId". In order to match * against this criterion, a certificate must contain an * AuthorityKeyIdentifier extension whose value matches the criterion's * authority key identifier value. * * If "params" does not have this criterion set, this function stores NULL at * "pAuthKeyId", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose authority key identifier * criterion (if any) is to be stored. Must be non-NULL. * "pAuthKeyId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetAuthorityKeyIdentifier( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray **pAuthKeyId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier * DESCRIPTION: * * Sets the authority key identifier criterion of the ComCertSelParams object * pointed to by "params" to the ByteArray pointed to by "authKeyId". In * order to match against this criterion, a certificate must contain an * AuthorityKeyIdentifier extension whose value matches the criterion's * authority key identifier value. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose authority key identifier * criterion is to be set. Must be non-NULL. * "authKeyId" * Address of ByteArray used to set the criterion * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetAuthorityKeyIdentifier( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray *authKeyId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier * DESCRIPTION: * * Retrieves a pointer to the ByteArray (if any) representing the subject key * identifier criterion that is set in the ComCertSelParams object pointed to * by "params" and stores it at "pSubjKeyId". In order to match against this * criterion, a certificate must contain a SubjectKeyIdentifier extension * whose value matches the criterion's subject key identifier value. * * If "params" does not have this criterion set, this function stores NULL at * "pSubjKeyId", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject key identifier * criterion (if any) is to be stored. Must be non-NULL. * "pSubjKeyId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubjKeyIdentifier( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray **pSubjKeyId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier * DESCRIPTION: * * Sets the subject key identifier criterion of the ComCertSelParams object * pointed to by "params" using a ByteArray pointed to by "subjKeyId". In * order to match against this criterion, a certificate must contain an * SubjectKeyIdentifier extension whose value matches the criterion's subject * key identifier value. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject key identifier * criterion is to be set. Must be non-NULL. * "subjKeyId" * Address of ByteArray used to set the criterion * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubjKeyIdentifier( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray *subKeyId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey * DESCRIPTION: * * Retrieves a pointer to the PublicKey (if any) representing the subject * public key criterion that is set in the ComCertSelParams object pointed to * by "params" and stores it at "pPubKey". In order to match against this * criterion, a certificate must contain a SubjectPublicKey that matches the * criterion's public key. * * If "params" does not have this criterion set, this function stores NULL at * "pPubKey", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject public key criterion * (if any) is to be stored. Must be non-NULL. * "pPubKey" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubjPubKey( PKIX_ComCertSelParams *params, PKIX_PL_PublicKey **pPubKey, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey * DESCRIPTION: * * Sets the subject public key criterion of the ComCertSelParams object * pointed to by "params" using a PublicKey pointed to by "pubKey". In order * to match against this criterion, a certificate must contain a * SubjectPublicKey that matches the criterion's public key. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject public key * criterion is to be set. Must be non-NULL. * "pubKey" * Address of PublicKey used to set the criterion * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubjPubKey( PKIX_ComCertSelParams *params, PKIX_PL_PublicKey *pubKey, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId * DESCRIPTION: * * Retrieves a pointer to the OID (if any) representing the subject public key * algorithm identifier criterion that is set in the ComCertSelParams object * pointed to by "params" and stores it at "pPubKey". In order to match * against this criterion, a certificate must contain a SubjectPublicKey with * an algorithm that matches the criterion's algorithm. * * If "params" does not have this criterion set, this function stores NULL at * "pAlgId", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject public key algorithm * identifier (if any) is to be stored. Must be non-NULL. * "pAlgId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubjPKAlgId( PKIX_ComCertSelParams *params, PKIX_PL_OID **pAlgId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId * DESCRIPTION: * * Sets the subject public key algorithm identifier criterion of the * ComCertSelParams object pointed to by "params" using an OID pointed to by * "algId". In order to match against this criterion, a certificate must * contain a SubjectPublicKey with an algorithm that matches the criterion's * algorithm. * * If "algId" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject public key * algorithm identifier criterion is to be set. Must be non-NULL. * "algId" * Address of OID used to set criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubjPKAlgId( PKIX_ComCertSelParams *params, PKIX_PL_OID *algId, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints * DESCRIPTION: * * Retrieves a pointer to the minimum path length (if any) representing the * basic constraints criterion that is set in the ComCertSelParams object * pointed to by "params" and stores it at "pMinPathLength". In order to * match against this criterion, there are several possibilities. * * 1) If the criterion's minimum path length is greater than or equal to zero, * a certificate must include a BasicConstraints extension with a pathLen of * at least this value. * * 2) If the criterion's minimum path length is -2, a certificate must be an * end-entity certificate. * * 3) If the criterion's minimum path length is -1, no basic constraints check * is done and all certificates are considered to match this criterion. * * The semantics of other values of the criterion's minimum path length are * undefined but may be defined in future versions of the API. * * If "params" does not have this criterion set, this function stores -1 at * "pMinPathLength", in which case all certificates are considered to match * this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose basic constraints criterion * (if any) is to be stored. Must be non-NULL. * "pMinPathLength" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetBasicConstraints( PKIX_ComCertSelParams *params, PKIX_Int32 *pMinPathLength, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints * DESCRIPTION: * * Sets the basic constraints criterion of the ComCertSelParams object * pointed to by "params" using the integer value of "minPathLength". In * order to match against this criterion, there are several possibilities. * * 1) If the criterion's minimum path length is greater than or equal to zero, * a certificate must include a BasicConstraints extension with a pathLen of * at least this value. * * 2) If the criterion's minimum path length is -2, a certificate must be an * end-entity certificate. * * 3) If the criterion's minimum path length is -1, no basic constraints check * is done and all certificates are considered to match this criterion. * * The semantics of other values of the criterion's minimum path length are * undefined but may be defined in future versions of the API. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose basic constraints * criterion is to be set. Must be non-NULL. * "minPathLength" * Value of PKIX_Int32 used to set the criterion * (or -1 to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetBasicConstraints( PKIX_ComCertSelParams *params, PKIX_Int32 minPathLength, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetCertificate * DESCRIPTION: * * Retrieves a pointer to the Cert (if any) representing the certificate * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pCert". In order to match against this * criterion, a certificate must be equal to the criterion's certificate. If * this criterion is specified, it is usually not necessary to specify any * other criteria, since this criterion requires an exact certificate match. * * If "params" does not have this criterion set, this function stores NULL at * "pCert", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose certificate criterion * (if any) is to be stored. Must be non-NULL. * "pCert" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetCertificate( PKIX_ComCertSelParams *params, PKIX_PL_Cert **pCert, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetCertificate * DESCRIPTION: * * Sets the certificate criterion of the ComCertSelParams object pointed to by * "params" using a Cert pointed to by "cert". In order to match against this * criterion, a certificate must be equal to the criterion's certificate. * If this criterion is specified, it is usually not necessary to specify * any other criteria, since this criterion requires an exact certificate * match. * * If "cert" is NULL, all certificates are considered to match this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose certificate criterion is to be * set. Must be non-NULL. * "cert" * Address of Cert used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetCertificate( PKIX_ComCertSelParams *params, PKIX_PL_Cert *cert, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetCertificateValid * DESCRIPTION: * * Retrieves a pointer to the Date (if any) representing the certificate * validity criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pDate". In order to match against this * criterion, a certificate's validity period must include the criterion's * Date. * * If "params" does not have this criterion set, this function stores NULL at * "pDate", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose certificate validity criterion * (if any) is to be stored. Must be non-NULL. * "pDate" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetCertificateValid( PKIX_ComCertSelParams *params, PKIX_PL_Date **pDate, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetCertificateValid * DESCRIPTION: * * Sets the certificate validity criterion of the ComCertSelParams object * pointed to by "params" using a Date pointed to by "date". In order to * match against this criterion, a certificate's validity period must include * the criterion's Date. * * If "date" is NULL, all certificates are considered to match this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose certificate validity criterion * is to be set. Must be non-NULL. * "date" * Address of Date used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetCertificateValid( PKIX_ComCertSelParams *params, PKIX_PL_Date *date, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSerialNumber * DESCRIPTION: * * Retrieves a pointer to the BigInt (if any) representing the serial number * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pSerialNumber". In order to match against this * criterion, a certificate must have a serial number equal to the * criterion's serial number. * * If "params" does not have this criterion set, this function stores NULL at * "pSerialNumber", in which case all certificates are considered to match * this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose serial number criterion * (if any) is to be stored. Must be non-NULL. * "pSerialNumber" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSerialNumber( PKIX_ComCertSelParams *params, PKIX_PL_BigInt **pSerialNumber, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSerialNumber * DESCRIPTION: * * Sets the serial number criterion of the ComCertSelParams object pointed to * by "params" using a BigInt pointed to by "serialNumber". In order to match * against this criterion, a certificate must have a serial number equal to * the criterion's serial number. * * If "serialNumber" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose serial number criterion is to * be set. Must be non-NULL. * "serialNumber" * Address of BigInt used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSerialNumber( PKIX_ComCertSelParams *params, PKIX_PL_BigInt *serialNumber, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetVersion * DESCRIPTION: * * Retrieves a PKIX_UInt32 (if any) representing the version criterion that is * set in the ComCertSelParams object pointed to by "params" and stores it at * "pVersion". In order to match against this criterion, a certificate's * version must be equal to the criterion's version. * * The version number will either be 0, 1, or 2 (corresponding to * v1, v2, or v3, respectively). * * If "params" does not have this criterion set, this function stores * 0xFFFFFFFF at "pVersion", in which case all certificates are considered * to match this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose version criterion (if any) is * to be stored. Must be non-NULL. * "pVersion" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetVersion( PKIX_ComCertSelParams *params, PKIX_UInt32 *pVersion, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetVersion * DESCRIPTION: * * Sets the version criterion of the ComCertSelParams object pointed to by * "params" using the integer value of "version". In order to match against * this criterion, a certificate's version must be equal to the criterion's * version. If the criterion's version is -1, no version check is done and * all certificates are considered to match this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose version criterion is to be * set. Must be non-NULL. * "version" * Value of PKIX_Int32 used to set the criterion * (or -1 to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetVersion( PKIX_ComCertSelParams *params, PKIX_Int32 version, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetKeyUsage * DESCRIPTION: * * Retrieves a PKIX_UInt32 (if any) representing the key usage criterion that * is set in the ComCertSelParams object pointed to by "params" and stores it * at "pKeyUsage". In order to match against this criterion, a certificate * must allow the criterion's key usage values. Note that a certificate that * has no KeyUsage extension implicity allows all key usages. Note also that * this functions supports a maximum of 32 key usage bits. * * If "params" does not have this criterion set, this function stores zero at * "pKeyUsage", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose key usage criterion (if any) * is to be stored. Must be non-NULL. * "pKeyUsage" * Address where PKIX_UInt32 will be stored. Must not be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetKeyUsage( PKIX_ComCertSelParams *params, PKIX_UInt32 *pKeyUsage, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetKeyUsage * DESCRIPTION: * * Sets the key usage criterion of the ComCertSelParams object pointed to by * "params" using the integer value of "keyUsage". In order to match against * this criterion, a certificate must allow the criterion's key usage values. * Note that a certificate that has no KeyUsage extension implicity allows * all key usages. Note also that this functions supports a maximum of 32 key * usage bits. * * If the criterion's key usage value is zero, no key usage check is done and * all certificates are considered to match this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose key usage criterion is to be * set. Must be non-NULL. * "keyUsage" * Value of PKIX_Int32 used to set the criterion * (or zero to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetKeyUsage( PKIX_ComCertSelParams *params, PKIX_UInt32 keyUsage, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage * DESCRIPTION: * * Retrieves a pointer to the List of OIDs (if any) representing the extended * key usage criterion that is set in the ComCertSelParams object pointed to * by "params" and stores it at "pExtKeyUsage". In order to match against this * criterion, a certificate's ExtendedKeyUsage extension must allow the * criterion's extended key usages. Note that a certificate that has no * ExtendedKeyUsage extension implicity allows all key purposes. * * If "params" does not have this criterion set, this function stores NULL at * "pExtKeyUsage", in which case all certificates are considered to match * this criterion. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose extended key usage criterion * (if any) is to be stored. Must be non-NULL. * "pExtKeyUsage" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetExtendedKeyUsage( PKIX_ComCertSelParams *params, PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage * DESCRIPTION: * * Sets the extended key usage criterion of the ComCertSelParams object * pointed to by "params" using a List of OIDs pointed to by "extKeyUsage". * In order to match against this criterion, a certificate's ExtendedKeyUsage * extension must allow the criterion's extended key usages. Note that a * certificate that has no ExtendedKeyUsage extension implicitly allows all * key purposes. * * If "extKeyUsage" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose extended key usage criterion * is to be set. Must be non-NULL. * "extKeyUsage" * Address of List of OIDs used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetExtendedKeyUsage( PKIX_ComCertSelParams *params, PKIX_List *extKeyUsage, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetPolicy * DESCRIPTION: * * Retrieves a pointer to the List of OIDs (if any) representing the policy * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pPolicy". In order to match against this * criterion, a certificate's CertificatePolicies extension must include at * least one of the criterion's policies. If "params" has this criterion set, * but the List of OIDs is empty, then a certificate's CertificatePolicies * extension must include at least some policy. * * If "params" does not have this criterion set, this function stores NULL at * "pPolicy", in which case all certificates are considered to match this * criterion. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose policy criterion (if any) is * to be stored. Must be non-NULL. * "pPolicy" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetPolicy( PKIX_ComCertSelParams *params, PKIX_List **pPolicy, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetPolicy * DESCRIPTION: * * Sets the policy criterion of the ComCertSelParams object pointed to by * "params" using a List of OIDs pointed to by "policy". In order to match * against this criterion, a certificate's CertificatePolicies extension must * include at least one of the criterion's policies. If "params" has this * criterion set, but the List of OIDs is empty, then a certificate's * CertificatePolicies extension must include at least some policy. * * If "policy" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose policy criterion is to be set. * Must be non-NULL. * "policy" * Address of List of OIDs used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetPolicy( PKIX_ComCertSelParams *params, PKIX_List *policy, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetIssuer * DESCRIPTION: * * Retrieves a pointer to the X500Name (if any) representing the issuer * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pIssuer". In order to match against this * criterion, a certificate's IssuerName must match the criterion's issuer * name. * * If "params" does not have this criterion set, this function stores NULL at * "pIssuer", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose issuer criterion (if any) is * to be stored. Must be non-NULL. * "pIssuer" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetIssuer( PKIX_ComCertSelParams *params, PKIX_PL_X500Name **pIssuer, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetIssuer * DESCRIPTION: * * Sets the issuer criterion of the ComCertSelParams object pointed to by * "params" using an X500Name pointed to by "issuer". In order to match * against this criterion, a certificate's IssuerName must match the * criterion's issuer name. * * If "issuer" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose issuer criterion is to be set. * Must be non-NULL. * "issuer" * Address of X500Name used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetIssuer( PKIX_ComCertSelParams *params, PKIX_PL_X500Name *issuer, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubject * DESCRIPTION: * * Retrieves a pointer to the X500Name (if any) representing the subject * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pSubject". In order to match against this * criterion, a certificate's SubjectName must match the criterion's subject * name. * * If "params" does not have this criterion set, this function stores NULL at * "pSubject", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject criterion (if any) is * to be stored. Must be non-NULL. * "pSubject" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubject( PKIX_ComCertSelParams *params, PKIX_PL_X500Name **pSubject, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubject * DESCRIPTION: * * Sets the subject criterion of the ComCertSelParams object pointed to by * "params" using an X500Name pointed to by "subject". In order to match * against this criterion, a certificate's SubjectName must match the * criterion's subject name. * * If "subject" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject criterion is to be * set. Must be non-NULL. * "subject" * Address of X500Name used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubject( PKIX_ComCertSelParams *params, PKIX_PL_X500Name *subject, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetSubjectAsByteArray * DESCRIPTION: * * Retrieves a pointer to the ByteArray (if any) representing the subject * criterion that is set in the ComCertSelParams object pointed to by * "params" and stores it at "pSubject". In order to match against this * criterion, a certificate's SubjectName must match the criterion's subject * name. * * If "params" does not have this criterion set, this function stores NULL at * "pSubject", in which case all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject criterion (if any) is * to be stored. Must be non-NULL. * "pSubject" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetSubjectAsByteArray( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray **pSubject, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetSubjectAsByteArray * DESCRIPTION: * * Sets the subject criterion of the ComCertSelParams object pointed to by * "params" using a ByteArray pointed to by "subject". In order to match * against this criterion, a certificate's SubjectName must match the * criterion's subject name. * * If "subject" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose subject criterion is to be * set. Must be non-NULL. * "subject" * Address of ByteArray used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetSubjectAsByteArray( PKIX_ComCertSelParams *params, PKIX_PL_ByteArray *subject, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetNameConstraints * DESCRIPTION: * * Retrieves a pointer to the X500Name (if any) representing the name * constraints criterion that is set in the ComCertSelParams object pointed * to by "params" and stores it at "pConstraints". In order to match against * this criterion, a certificate's subject and subject alternative names must * be allowed by the criterion's name constraints. * * If "params" does not have this criterion set, this function stores NULL at * "pConstraints", in which case all certificates are considered to match * this criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose name constraints criterion * (if any) is to be stored. Must be non-NULL. * "pConstraints" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetNameConstraints( PKIX_ComCertSelParams *params, PKIX_PL_CertNameConstraints **pConstraints, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetNameConstraints * DESCRIPTION: * * Sets the name constraints criterion of the ComCertSelParams object pointed * to by "params" using the CertNameConstraints pointed to by "constraints". * In order to match against this criterion, a certificate's subject and * subject alternative names must be allowed by the criterion's name * constraints. * * If "constraints" is NULL, all certificates are considered to match this * criterion. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose name constraints criterion is * to be set. Must be non-NULL. * "constraints" * Address of CertNameConstraints used to set the criterion * (or NULL to disable the criterion). * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetNameConstraints( PKIX_ComCertSelParams *params, PKIX_PL_CertNameConstraints *constraints, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames * DESCRIPTION: * * Checks whether the ComCertSelParams object pointed to by "params" indicate * that all subject alternative names are to be matched and stores the Boolean * result at "pMatch". This Boolean value determines the behavior of the * subject alternative names criterion. * * In order to match against the subject alternative names criterion, if the * Boolean value at "pMatch" is PKIX_TRUE, a certificate must contain all of * the criterion's subject alternative names. If the Boolean value at * "pMatch" is PKIX_FALSE, a certificate must contain at least one of the * criterion's subject alternative names. The default behavior is as if the * Boolean value at "pMatch" is PKIX_TRUE. * * PARAMETERS: * "params" * Address of ComCertSelParams object used to determine whether all * subject alternative names must be matched. Must be non-NULL. * "pMatch" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_GetMatchAllSubjAltNames( PKIX_ComCertSelParams *params, PKIX_Boolean *pMatch, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames * DESCRIPTION: * * Sets the match flag of the ComCertSelParams object pointed to by "params" * using the Boolean value of "match". This Boolean value determines the * behavior of the subject alternative names criterion. * * In order to match against the subject alternative names criterion, if the * "match" is PKIX_TRUE, a certificate must contain all of the criterion's * subject alternative names. If the "match" is PKIX_FALSE, a certificate * must contain at least one of the criterion's subject alternative names. * The default behavior is as if "match" is PKIX_TRUE. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose match flag is to be set. * Must be non-NULL. * "match" * Boolean value used to set the match flag. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetMatchAllSubjAltNames( PKIX_ComCertSelParams *params, PKIX_Boolean match, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag * DESCRIPTION: * * Return "leafCert" flag of the ComCertSelParams structure. If set to true, * the flag indicates that a selector should filter out all cert that are not * qualified to be a leaf cert according to the specified key/ekey usages. * * PARAMETERS: * "params" * Address of ComCertSelParams object used to determine whether all * subject alternative names must be matched. Must be non-NULL. * "pLeafFlag" * Address of returned value. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error* PKIX_ComCertSelParams_GetLeafCertFlag( PKIX_ComCertSelParams *params, PKIX_Boolean *pLeafFlag, void *plContext); /* * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag * DESCRIPTION: * * Sets a flag that if its value is true, indicates that the selector * should only pick certs that qualifies to be leaf for this cert path * validation. * * PARAMETERS: * "params" * Address of ComCertSelParams object whose match flag is to be set. * Must be non-NULL. * "leafFlag" * Boolean value used to set the leaf flag. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "params" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertSelector Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_ComCertSelParams_SetLeafCertFlag( PKIX_ComCertSelParams *params, PKIX_Boolean leafFlag, void *plContext); #ifdef __cplusplus } #endif #endif /* _PKIX_CERTSEL_H */