/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * certt.h - public data structures for the certificate library */ #ifndef _PCERTT_H_ #define _PCERTT_H_ #include "prclist.h" #include "pkcs11t.h" #include "seccomon.h" #include "secoidt.h" #include "plarena.h" #include "prcvar.h" #include "nssilock.h" #include "prio.h" #include "prmon.h" /* Non-opaque objects */ typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle; typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey; typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust; typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust; typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate; typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList; typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN; typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData; typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo; typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity; /* ** An X.509 validity object */ struct NSSLOWCERTValidityStr { PLArenaPool *arena; SECItem notBefore; SECItem notAfter; }; /* * A serial number and issuer name, which is used as a database key */ struct NSSLOWCERTCertKeyStr { SECItem serialNumber; SECItem derIssuer; }; /* ** A signed data object. Used to implement the "signed" macro used ** in the X.500 specs. */ struct NSSLOWCERTSignedDataStr { SECItem data; SECAlgorithmID signatureAlgorithm; SECItem signature; }; /* ** An X.509 subject-public-key-info object */ struct NSSLOWCERTSubjectPublicKeyInfoStr { PLArenaPool *arena; SECAlgorithmID algorithm; SECItem subjectPublicKey; }; typedef struct _certDBEntryCert certDBEntryCert; typedef struct _certDBEntryRevocation certDBEntryRevocation; struct NSSLOWCERTCertTrustStr { unsigned int sslFlags; unsigned int emailFlags; unsigned int objectSigningFlags; }; /* ** PKCS11 Trust representation */ struct NSSLOWCERTTrustStr { NSSLOWCERTTrust *next; NSSLOWCERTCertDBHandle *dbhandle; SECItem dbKey; /* database key for this cert */ certDBEntryCert *dbEntry; /* database entry struct */ NSSLOWCERTCertTrust *trust; SECItem *derCert; /* original DER for the cert */ unsigned char dbKeySpace[512]; }; /* ** An X.509 certificate object (the unsigned form) */ struct NSSLOWCERTCertificateStr { /* the arena is used to allocate any data structures that have the same * lifetime as the cert. This is all stuff that hangs off of the cert * structure, and is all freed at the same time. I is used when the * cert is decoded, destroyed, and at some times when it changes * state */ NSSLOWCERTCertificate *next; NSSLOWCERTCertDBHandle *dbhandle; SECItem derCert; /* original DER for the cert */ SECItem derIssuer; /* DER for issuer name */ SECItem derSN; SECItem serialNumber; SECItem derSubject; /* DER for subject name */ SECItem derSubjKeyInfo; NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo; SECItem certKey; /* database key for this cert */ SECItem validity; certDBEntryCert *dbEntry; /* database entry struct */ SECItem subjectKeyID; /* x509v3 subject key identifier */ SECItem extensions; char *nickname; char *emailAddr; NSSLOWCERTCertTrust *trust; /* the reference count is modified whenever someone looks up, dups * or destroys a certificate */ int referenceCount; char nicknameSpace[200]; char emailAddrSpace[200]; unsigned char certKeySpace[512]; }; #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ #define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */ #define SEC_CRL_VERSION_1 0 /* default */ #define SEC_CRL_VERSION_2 1 /* v2 extensions */ #define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024) struct NSSLOWCERTIssuerAndSNStr { SECItem derIssuer; SECItem serialNumber; }; typedef SECStatus (*NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg); /* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */ /* callback to return database name based on version number */ typedef char *(*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion); /* XXX Lisa thinks the template declarations belong in cert.h, not here? */ #include "secasn1t.h" /* way down here because I expect template stuff to * move out of here anyway */ /* * Certificate Database related definitions and data structures */ /* version number of certificate database */ #define CERT_DB_FILE_VERSION 8 #define CERT_DB_V7_FILE_VERSION 7 #define CERT_DB_CONTENT_VERSION 2 #define SEC_DB_ENTRY_HEADER_LEN 3 #define SEC_DB_KEY_HEADER_LEN 1 /* All database entries have this form: * * byte offset field * ----------- ----- * 0 version * 1 type * 2 flags */ /* database entry types */ typedef enum { certDBEntryTypeVersion = 0, certDBEntryTypeCert = 1, certDBEntryTypeNickname = 2, certDBEntryTypeSubject = 3, certDBEntryTypeRevocation = 4, certDBEntryTypeKeyRevocation = 5, certDBEntryTypeSMimeProfile = 6, certDBEntryTypeContentVersion = 7, certDBEntryTypeBlob = 8 } certDBEntryType; typedef struct { certDBEntryType type; unsigned int version; unsigned int flags; PLArenaPool *arena; } certDBEntryCommon; /* * Certificate entry: * * byte offset field * ----------- ----- * 0 sslFlags-msb * 1 sslFlags-lsb * 2 emailFlags-msb * 3 emailFlags-lsb * 4 objectSigningFlags-msb * 5 objectSigningFlags-lsb * 6 derCert-len-msb * 7 derCert-len-lsb * 8 nickname-len-msb * 9 nickname-len-lsb * ... derCert * ... nickname * * NOTE: the nickname string as stored in the database is null terminated, * in other words, the last byte of the db entry is always 0 * if a nickname is present. * NOTE: if nickname is not present, then nickname-len-msb and * nickname-len-lsb will both be zero. */ struct _certDBEntryCert { certDBEntryCommon common; certDBEntryCert *next; NSSLOWCERTCertTrust trust; SECItem derCert; char *nickname; char nicknameSpace[200]; unsigned char derCertSpace[2048]; }; /* * Certificate Nickname entry: * * byte offset field * ----------- ----- * 0 subjectname-len-msb * 1 subjectname-len-lsb * 2... subjectname * * The database key for this type of entry is a nickname string * The "subjectname" value is the DER encoded DN of the identity * that matches this nickname. */ typedef struct { certDBEntryCommon common; char *nickname; SECItem subjectName; } certDBEntryNickname; #define DB_NICKNAME_ENTRY_HEADER_LEN 2 /* * Certificate Subject entry: * * byte offset field * ----------- ----- * 0 ncerts-msb * 1 ncerts-lsb * 2 nickname-msb * 3 nickname-lsb * 4 emailAddr-msb * 5 emailAddr-lsb * ... nickname * ... emailAddr * ...+2*i certkey-len-msb * ...+1+2*i certkey-len-lsb * ...+2*ncerts+2*i keyid-len-msb * ...+1+2*ncerts+2*i keyid-len-lsb * ... certkeys * ... keyids * * The database key for this type of entry is the DER encoded subject name * The "certkey" value is an array of certificate database lookup keys that * points to the database entries for the certificates that matche * this subject. * */ typedef struct _certDBEntrySubject { certDBEntryCommon common; SECItem derSubject; unsigned int ncerts; char *nickname; SECItem *certKeys; SECItem *keyIDs; char **emailAddrs; unsigned int nemailAddrs; } certDBEntrySubject; #define DB_SUBJECT_ENTRY_HEADER_LEN 6 /* * Certificate SMIME profile entry: * * byte offset field * ----------- ----- * 0 subjectname-len-msb * 1 subjectname-len-lsb * 2 smimeoptions-len-msb * 3 smimeoptions-len-lsb * 4 options-date-len-msb * 5 options-date-len-lsb * 6... subjectname * ... smimeoptions * ... options-date * * The database key for this type of entry is the email address string * The "subjectname" value is the DER encoded DN of the identity * that matches this nickname. * The "smimeoptions" value is a string that represents the algorithm * capabilities on the remote user. * The "options-date" is the date that the smime options value was created. * This is generally the signing time of the signed message that contained * the options. It is a UTCTime value. */ typedef struct { certDBEntryCommon common; char *emailAddr; SECItem subjectName; SECItem smimeOptions; SECItem optionsDate; } certDBEntrySMime; #define DB_SMIME_ENTRY_HEADER_LEN 6 /* * Crl/krl entry: * * byte offset field * ----------- ----- * 0 derCert-len-msb * 1 derCert-len-lsb * 2 url-len-msb * 3 url-len-lsb * ... derCert * ... url * * NOTE: the url string as stored in the database is null terminated, * in other words, the last byte of the db entry is always 0 * if a nickname is present. * NOTE: if url is not present, then url-len-msb and * url-len-lsb will both be zero. */ #define DB_CRL_ENTRY_HEADER_LEN 4 struct _certDBEntryRevocation { certDBEntryCommon common; SECItem derCrl; char *url; /* where to load the crl from */ }; /* * Database Version Entry: * * byte offset field * ----------- ----- * only the low level header... * * The database key for this type of entry is the string "Version" */ typedef struct { certDBEntryCommon common; } certDBEntryVersion; #define SEC_DB_VERSION_KEY "Version" #define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY) /* * Database Content Version Entry: * * byte offset field * ----------- ----- * 0 contentVersion * * The database key for this type of entry is the string "ContentVersion" */ typedef struct { certDBEntryCommon common; char contentVersion; } certDBEntryContentVersion; #define SEC_DB_CONTENT_VERSION_KEY "ContentVersion" #define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY) typedef union { certDBEntryCommon common; certDBEntryCert cert; certDBEntryContentVersion content; certDBEntryNickname nickname; certDBEntryRevocation revocation; certDBEntrySMime smime; certDBEntrySubject subject; certDBEntryVersion version; } certDBEntry; /* length of the fixed part of a database entry */ #define DBCERT_V4_HEADER_LEN 7 #define DB_CERT_V5_ENTRY_HEADER_LEN 7 #define DB_CERT_V6_ENTRY_HEADER_LEN 7 #define DB_CERT_ENTRY_HEADER_LEN 10 /* common flags for all types of certificates */ #define CERTDB_TERMINAL_RECORD (1u << 0) #define CERTDB_TRUSTED (1u << 1) #define CERTDB_SEND_WARN (1u << 2) #define CERTDB_VALID_CA (1u << 3) #define CERTDB_TRUSTED_CA (1u << 4) /* trusted for issuing server certs */ #define CERTDB_NS_TRUSTED_CA (1u << 5) #define CERTDB_USER (1u << 6) #define CERTDB_TRUSTED_CLIENT_CA (1u << 7) /* trusted for issuing client certs */ #define CERTDB_INVISIBLE_CA (1u << 8) /* don't show in UI */ #define CERTDB_GOVT_APPROVED_CA (1u << 9) /* can do strong crypto in export ver */ #define CERTDB_MUST_VERIFY (1u << 10) /* explicitly don't trust this cert */ #define CERTDB_TRUSTED_UNKNOWN (1u << 11) /* accept trust from another source */ /* bits not affected by the CKO_NETSCAPE_TRUST object */ #define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \ CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \ CERTDB_GOVT_APPROVED_CA) #endif /* _PCERTT_H_ */