/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * This file defines functions associated with the PKIX_CertStore type. * */ #ifndef _PKIX_CERTSTORE_H #define _PKIX_CERTSTORE_H #include "pkixt.h" #include "certt.h" #ifdef __cplusplus extern "C" { #endif /* General * * Please refer to the libpkix Programmer's Guide for detailed information * about how to use the libpkix library. Certain key warnings and notices from * that document are repeated here for emphasis. * * All identifiers in this file (and all public identifiers defined in * libpkix) begin with "PKIX_". Private identifiers only intended for use * within the library begin with "pkix_". * * A function returns NULL upon success, and a PKIX_Error pointer upon failure. * * Unless otherwise noted, for all accessor (gettor) functions that return a * PKIX_PL_Object pointer, callers should assume that this pointer refers to a * shared object. Therefore, the caller should treat this shared object as * read-only and should not modify this shared object. When done using the * shared object, the caller should release the reference to the object by * using the PKIX_PL_Object_DecRef function. * * While a function is executing, if its arguments (or anything referred to by * its arguments) are modified, free'd, or destroyed, the function's behavior * is undefined. * */ /* PKIX_CertStore * * A PKIX_CertStore provides a standard way for the caller to retrieve * certificates and CRLs from a particular repository (or "store") of * certificates and CRLs, including LDAP directories, flat files, local * databases, etc. The CertCallback allows custom certificate retrieval logic * to be used while the CRLCallback allows custom CRL retrieval logic to be * used. Additionally, a CertStore can be initialized with a certStoreContext, * which is where the caller can specify configuration data such as the host * name of an LDAP server. Note that this certStoreContext must be an * Object (although any object type), allowing it to be reference-counted and * allowing it to provide the standard Object functions (Equals, Hashcode, * ToString, Compare, Duplicate). Please note that each certStoreContext must * provide Equals and Hashcode functions in order for the caching (on Cert and * CertChain) to work correctly. When providing those two functions, it is not * required that all the components of the object be hashed or checked for * equality, but merely that the functions distinguish between unique * instances of the certStoreContext. * * Once the caller has created the CertStore object, the caller then specifies * these CertStore objects in a ProcessingParams object and passes that object * to PKIX_ValidateChain or PKIX_BuildChain, which uses the objects to call the * user's callback functions as needed during the validation or building * process. * * The order of CertStores stored (as a list) at ProcessingParams determines * the order in which certificates are retrieved. Trusted CertStores should * precede non-trusted ones on the list of CertStores so their certificates * are evaluated ahead of other certificates selected on the basis of the same * selector criteria. * * The CheckTrustCallback function is used when the CertStore object * supports trust status, which means a Cert's trust status can be altered * dynamically. When a CertStore object is created, if the * CheckTrustCallback is initialized to be non-NULL, this CertStore is * defaulted as supporting trust. Then whenever a Cert needs to (re)check its * trust status, this callback can be invoked. When a Cert is retrieved by * a CertStore supports trust, at its GetCertCallback, the CertStore * information should be updated in Cert's data structure so the link between * the Cert and CertStore exists. * */ /* * FUNCTION: PKIX_CertStore_CertCallback * DESCRIPTION: * * This callback function retrieves from the CertStore pointed to by "store" * all the certificates that match the CertSelector pointed to by "selector". * It places these certificates in a List and stores a pointer to the List at * "pCerts". If no certificates are found which match the CertSelector's * criteria, this function stores an empty List at "pCerts". In either case, if * the operation is completed, NULL is stored at "pNBIOContext". * * A CertStore which uses non-blocking I/O may store platform-dependent * information at "pNBIOContext" and NULL at "pCerts" to indicate that I/O is * pending. A subsequent call to PKIX_CertStore_CertContinue is required to * finish the operation and to obtain the List of Certs. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "store" * Address of CertStore from which Certs are to be retrieved. * Must be non-NULL. * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. * "verifyNode" * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. * "pCerts" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertStore_CertCallback)( PKIX_CertStore *store, PKIX_CertSelector *selector, PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); /* * FUNCTION: PKIX_CertStore_CertContinue * DESCRIPTION: * * This function continues the non-blocking operation initiated by an earlier * call to the CertCallback function, for the CertStore pointed to by "store". * If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL * value returned in "pNBIOContext") calling this function will return a fatal * error. If the operation is completed the certificates found are placed in a * List, a pointer to which is stored at "pCerts". If no certificates are found * which match the CertSelector's criteria, this function stores an empty List * at "pCerts". In either case, if the operation is completed, NULL is stored * at "pNBIOContext". * * If non-blocking I/O is still pending this function stores platform-dependent * information at "pNBIOContext" and NULL at "pCerts". A subsequent call to * PKIX_CertStore_CertContinue is required to finish the operation and to * obtain the List of Certs. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "store" * Address of CertStore from which Certs are to be retrieved. * Must be non-NULL. * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. * "verifyNode" * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. * "pCerts" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_CertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); typedef PKIX_Error * (*PKIX_CertStore_CertContinueFunction)( PKIX_CertStore *store, PKIX_CertSelector *selector, PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); /* * FUNCTION: PKIX_CertStore_CRLCallback * DESCRIPTION: * * This callback function retrieves from the CertStore pointed to by "store" * all the CRLs that match the CRLSelector pointed to by "selector". It * places these CRLs in a List and stores a pointer to the List at "pCRLs". * If no CRLs are found which match the CRLSelector's criteria, this function * stores an empty List at "pCRLs". In either case, if the operation is * completed, NULL is stored at "pNBIOContext". * * A CertStore which uses non-blocking I/O may store platform-dependent * information at "pNBIOContext" and NULL at "pCrls" to indicate that I/O is * pending. A subsequent call to PKIX_CertStore_CRLContinue is required to * finish the operation and to obtain the List of Crls. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "store" * Address of CertStore from which CRLs are to be retrieved. * Must be non-NULL. * "selector" * Address of CRLSelector whose criteria must be satisfied. * Must be non-NULL. * "pCrls" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertStore_CRLCallback)( PKIX_CertStore *store, PKIX_CRLSelector *selector, void **pNBIOContext, PKIX_List **pCrls, /* list of PKIX_PL_CRL */ void *plContext); /* * FUNCTION: PKIX_CertStore_ImportCrlCallback * DESCRIPTION: * * The function imports crl list into a cert store. Stores that * have local cache may only have that function defined. * * PARAMETERS: * "store" * Address of CertStore from which CRLs are to be retrieved. * Must be non-NULL. * "issuerName" * Name of the issuer that will be used to track bad der crls. * "crlList" * Address on the importing crl list. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertStore_ImportCrlCallback)( PKIX_CertStore *store, PKIX_PL_X500Name *issuerName, PKIX_List *crlList, void *plContext); /* * FUNCTION: PKIX_CertStore_CheckRevokationByCrlCallback * DESCRIPTION: * * The function checks revocation status of a cert with specified * issuer, date. It returns revocation status of a cert and * a reason code(if any) if a cert was revoked. * * PARAMETERS: * "store" * Address of CertStore from which CRLs are to be retrieved. * Must be non-NULL. * "cert" * Certificate which revocation status will be checked. * "issuer" * Issuer certificate of the "crl". * "date" * Date of the revocation check. * "crlDownloadDone" * Indicates, that all needed crl downloads are done by the time of * the revocation check. * "reasonCode" * If cert is revoked, returned reason code for which a cert was revoked. * "revStatus" * Returned revocation status of the cert. See PKIX_RevocationStatus * for more details * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertStore_CheckRevokationByCrlCallback)( PKIX_CertStore *store, PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer, PKIX_PL_Date *date, PKIX_Boolean crlDownloadDone, CERTCRLEntryReasonCode *reasonCode, PKIX_RevocationStatus *revStatus, void *plContext); /* * FUNCTION: PKIX_CertStore_CrlContinue * DESCRIPTION: * * This function continues the non-blocking operation initiated by an earlier * call to the CRLCallback function, for the CertStore pointed to by "store". * If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL * value returned in "pNBIOContext") calling this function will return a fatal * error. If the operation is completed the crls found are placed in a List, a * pointer to which is stored at "pCrls". If no crls are found which match the * CRLSelector's criteria, this function stores an empty List at "pCrls". In * either case, if the operation is completed, NULL is stored at "pNBIOContext". * * If non-blocking I/O is still pending this function stores platform-dependent * information at "pNBIOContext" and NULL at "pCrls". A subsequent call to * PKIX_CertStore_CrlContinue is required to finish the operation and to * obtain the List of Crls. * * Note that the List returned by this function is immutable. * * PARAMETERS: * "store" * Address of CertStore from which Crls are to be retrieved. * Must be non-NULL. * "selector" * Address of CRLSelector whose criteria must be satisfied. * Must be non-NULL. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. * "pCrls" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_CrlContinue( PKIX_CertStore *store, PKIX_CRLSelector *selector, void **pNBIOContext, PKIX_List **pCrls, /* list of PKIX_PL_CRL */ void *plContext); typedef PKIX_Error * (*PKIX_CertStore_CrlContinueFunction)( PKIX_CertStore *store, PKIX_CRLSelector *selector, void **pNBIOContext, PKIX_List **pCrls, /* list of PKIX_PL_CRL */ void *plContext); /* * FUNCTION: PKIX_CertStore_CheckTrustCallback * DESCRIPTION: * * This callback function rechecks "cert's" trust status from the CertStore * pointed to by "store". * * PARAMETERS: * "store" * Address of CertStore from which Certs are to be checked. * Must be non-NULL. * "cert" * Address of Cert whose trust status needs to be rechecked. * Must be non-NULL. * "pTrusted" * Address of PKIX_Boolean where the trust status is returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe * * Multiple threads must be able to safely call this function without * worrying about conflicts, even if they're operating on the same object. * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ typedef PKIX_Error * (*PKIX_CertStore_CheckTrustCallback)( PKIX_CertStore *store, PKIX_PL_Cert *cert, PKIX_Boolean *pTrusted, void *plContext); /* * FUNCTION: PKIX_CertStore_Create * DESCRIPTION: * * Creates a new CertStore and stores it at "pStore". The new CertStore uses * the CertCallback pointed to by "certCallback" and the CRLCallback pointed * to by "crlCallback" as its callback functions and uses the Object pointed * to by "certStoreContext" as its context . Note that this certStoreContext * must be an Object (although any object type), allowing it to be * reference-counted and allowing it to provide the standard Object functions * (Equals, Hashcode, ToString, Compare, Duplicate). Once created, a * CertStore object is immutable, although the underlying repository can * change. For example, a CertStore will often be a front-end for a database * or directory. The contents of that directory can change after the * CertStore object is created, but the CertStore object remains immutable. * * PARAMETERS: * "certCallback" * The CertCallback function to be used. Must be non-NULL. * "crlCallback" * The CRLCallback function to be used. Must be non-NULL. * "certContinue" * The function to be used to resume a certCallback that returned with a * WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking * I/O. * "crlContinue" * The function to be used to resume a crlCallback that returned with a * WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking * I/O. * "trustCallback" * Address of PKIX_CertStore_CheckTrustCallback which is called to * verify the trust status of Certs in this CertStore. * "certStoreContext" * Address of Object representing the CertStore's context (if any). * "cachedFlag" * If TRUE indicates data retrieved from CertStore should be cached. * "localFlag" * Boolean value indicating whether this CertStore is local. * "pStore" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_Create( PKIX_CertStore_CertCallback certCallback, PKIX_CertStore_CRLCallback crlCallback, PKIX_CertStore_CertContinueFunction certContinue, PKIX_CertStore_CrlContinueFunction crlContinue, PKIX_CertStore_CheckTrustCallback trustCallback, PKIX_CertStore_ImportCrlCallback importCrlCallback, PKIX_CertStore_CheckRevokationByCrlCallback checkRevByCrlCallback, PKIX_PL_Object *certStoreContext, PKIX_Boolean cachedFlag, PKIX_Boolean localFlag, PKIX_CertStore **pStore, void *plContext); /* * FUNCTION: PKIX_CertStore_GetCertCallback * DESCRIPTION: * * Retrieves a pointer to "store's" Cert callback function and put it in * "pCallback". * * PARAMETERS: * "store" * The CertStore whose Cert callback is desired. Must be non-NULL. * "pCallback" * Address where Cert callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetCertCallback( PKIX_CertStore *store, PKIX_CertStore_CertCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertStore_GetCRLCallback * DESCRIPTION: * * Retrieves a pointer to "store's" CRL callback function and put it in * "pCallback". * * PARAMETERS: * "store" * The CertStore whose CRL callback is desired. Must be non-NULL. * "pCallback" * Address where CRL callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetCRLCallback( PKIX_CertStore *store, PKIX_CertStore_CRLCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertStore_GetImportCrlCallback * DESCRIPTION: * * Retrieves a pointer to "store's" Import CRL callback function and put it in * "pCallback". * * PARAMETERS: * "store" * The CertStore whose CRL callback is desired. Must be non-NULL. * "pCallback" * Address where CRL callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetImportCrlCallback( PKIX_CertStore *store, PKIX_CertStore_ImportCrlCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertStore_GetCheckRevByCrl * DESCRIPTION: * * Retrieves a pointer to "store's" CRL revocation checker callback function * and put it in "pCallback". * * PARAMETERS: * "store" * The CertStore whose CRL callback is desired. Must be non-NULL. * "pCallback" * Address where CRL callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetCrlCheckerFn( PKIX_CertStore *store, PKIX_CertStore_CheckRevokationByCrlCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertStore_GetTrustCallback * DESCRIPTION: * * Retrieves the function pointer to the CheckTrust callback function of the * CertStore pointed to by "store" and stores it at "pCallback". * * PARAMETERS: * "store" * The CertStore whose CheckTrust callback is desired. Must be non-NULL. * "pCallback" * Address where CheckTrust callback function pointer will be stored. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetTrustCallback( PKIX_CertStore *store, PKIX_CertStore_CheckTrustCallback *pCallback, void *plContext); /* * FUNCTION: PKIX_CertStore_GetCertStoreContext * DESCRIPTION: * * Retrieves a pointer to the Object representing the context (if any) * of the CertStore pointed to by "store" and stores it at * "pCertStoreContext". * * PARAMETERS: * "store" * Address of CertStore whose context is to be stored. Must be non-NULL. * "pCertStoreContext" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetCertStoreContext( PKIX_CertStore *store, PKIX_PL_Object **pCertStoreContext, void *plContext); /* * FUNCTION: PKIX_CertStore_GetCertStoreCacheFlag * DESCRIPTION: * * Retrieves the Boolean cache flag of the CertStore pointed to by "store" and * stores it at "pCachedFlag". * * PARAMETERS: * "store" * Address of CertStore whose cache flag is to be stored. Must be non-NULL. * "pCacheFlag" * Address where the result will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetCertStoreCacheFlag( PKIX_CertStore *store, PKIX_Boolean *pCacheFlag, void *plContext); /* * FUNCTION: PKIX_CertStore_GetLocalFlag * DESCRIPTION: * * Retrieves the Boolean localFlag for the CertStore pointed to by "store" and * stores it at "pLocalFlag". The localFlag is TRUE if the CertStore can * fulfill a request without performing network I/O. * * PARAMETERS: * "store" * The CertStore whose Local flag is desired. Must be non-NULL. * "pCallback" * Address where the Boolean LocalFlag will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_CertStore_GetLocalFlag( PKIX_CertStore *store, PKIX_Boolean *pLocalFlag, void *plContext); #ifdef __cplusplus } #endif #endif /* _PKIX_CERTSTORE_H */