/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * This file defines several platform independent functions to * manipulate certificates and CRLs in a portable manner. * */ #ifndef _PKIX_PL_PKI_H #define _PKIX_PL_PKI_H #include "pkixt.h" #include "seccomon.h" #include "certt.h" #ifdef __cplusplus extern "C" { #endif /* General * * Please refer to the libpkix Programmer's Guide for detailed information * about how to use the libpkix library. Certain key warnings and notices from * that document are repeated here for emphasis. * * All identifiers in this file (and all public identifiers defined in * libpkix) begin with "PKIX_". Private identifiers only intended for use * within the library begin with "pkix_". * * A function returns NULL upon success, and a PKIX_Error pointer upon failure. * * Unless otherwise noted, for all accessor (gettor) functions that return a * PKIX_PL_Object pointer, callers should assume that this pointer refers to a * shared object. Therefore, the caller should treat this shared object as * read-only and should not modify this shared object. When done using the * shared object, the caller should release the reference to the object by * using the PKIX_PL_Object_DecRef function. * * While a function is executing, if its arguments (or anything referred to by * its arguments) are modified, free'd, or destroyed, the function's behavior * is undefined. * */ /* * Cert * * A Cert represents an X.509 certificate. It can be created using the bytes * of a valid ASN.1 DER encoding. Once created, a Cert is immutable. The * following functions include accessors (gettors) for the various components * of an X.509 certificate. Also included are functions to perform various * checks on a certificate, including name constraints, key usage, validity * (expiration), and signature verification. */ /* * FUNCTION: PKIX_PL_Cert_Create * DESCRIPTION: * * Creates a new certificate using the bytes in the ByteArray pointed to by * "byteArray" and stores it at "pCert". If the bytes are not a valid ASN.1 * DER encoding of a certificate, a PKIX_Error pointer is returned. Once * created, a Cert is immutable. * * Certificate ::= SEQUENCE { * tbsCertificate TBSCertificate, * signatureAlgorithm AlgorithmIdentifier, * signatureValue BIT STRING } * * AlgorithmIdentifier ::= SEQUENCE { * algorithm OBJECT IDENTIFIER, * parameters ANY DEFINED BY algorithm OPTIONAL } * * TBSCertificate ::= SEQUENCE { * version [0] EXPLICIT Version DEFAULT v1, * serialNumber CertificateSerialNumber, * signature AlgorithmIdentifier, * issuer Name, * validity Validity, * subject Name, * subjectPublicKeyInfo SubjectPublicKeyInfo, * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, * -- If present, version MUST be v2 or v3 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, * -- If present, version MUST be v2 or v3 * extensions [3] EXPLICIT Extensions OPTIONAL * -- If present, version MUST be v3 * } * * Version ::= INTEGER { v1(0), v2(1), v3(2) } * * CertificateSerialNumber ::= INTEGER * * Validity ::= SEQUENCE { * notBefore Time, * notAfter Time } * * Time ::= CHOICE { * utcTime UTCTime, * generalTime GeneralizedTime } * * UniqueIdentifier ::= BIT STRING * * SubjectPublicKeyInfo ::= SEQUENCE { * algorithm AlgorithmIdentifier, * subjectPublicKey BIT STRING } * * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension * * Extension ::= SEQUENCE { * extnID OBJECT IDENTIFIER, * critical BOOLEAN DEFAULT FALSE, * extnValue OCTET STRING } * * PARAMETERS: * "byteArray" * Address of ByteArray representing the CERT's DER encoding. * Must be non-NULL. * "pCert" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_Create( PKIX_PL_ByteArray *byteArray, PKIX_PL_Cert **pCert, void *plContext); /* * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate * DESCRIPTION: * * Creates a new certificate using passed in CERTCertificate object. * * PARAMETERS: * "nssCert" * The object that will be used to create new PKIX_PL_Cert. * "pCert" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_CreateFromCERTCertificate( const CERTCertificate *nssCert, PKIX_PL_Cert **pCert, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetCERTCertificate * DESCRIPTION: * * Returns underlying CERTCertificate structure. Return CERTCertificate * object is duplicated and should be destroyed by caller. * * PARAMETERS: * "cert" * Address of PKIX_PL_Cert. Must be non-NULL. * "pCert" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetCERTCertificate( PKIX_PL_Cert *cert, CERTCertificate **pnssCert, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetVersion * DESCRIPTION: * * Retrieves the version of the Cert pointed to by "cert" and stores it at * "pVersion". The version number will either be 0, 1, or 2 (corresponding to * v1, v2, or v3, respectively). * * Version ::= INTEGER { v1(0), v2(1), v3(2) } * * PARAMETERS: * "cert" * Address of Cert whose version is to be stored. Must be non-NULL. * "pVersion" * Address where PKIX_UInt32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetVersion( PKIX_PL_Cert *cert, PKIX_UInt32 *pVersion, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSerialNumber * DESCRIPTION: * * Retrieves a pointer to the BigInt that represents the serial number of the * Cert pointed to by "cert" and stores it at "pSerialNumber". * * CertificateSerialNumber ::= INTEGER * * PARAMETERS: * "cert" * Address of Cert whose serial number is to be stored. Must be non-NULL. * "pSerial" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSerialNumber( PKIX_PL_Cert *cert, PKIX_PL_BigInt **pSerial, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetIssuer * DESCRIPTION: * * Retrieves a pointer to the X500Name that represents the issuer DN of the * Cert pointed to by "cert" and stores it at "pIssuer". * * PARAMETERS: * "cert" * Address of Cert whose issuer is to be stored. Must be non-NULL. * "pIssuer" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetIssuer( PKIX_PL_Cert *cert, PKIX_PL_X500Name **pIssuer, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubject * DESCRIPTION: * * Retrieves a pointer to the X500Name that represents the subject DN of the * Cert pointed to by "cert" and stores it at "pSubject". If the Cert does not * have a subject DN, this function stores NULL at "pSubject". * * PARAMETERS: * "cert" * Address of Cert whose subject is to be stored. Must be non-NULL. * "pSubject" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubject( PKIX_PL_Cert *cert, PKIX_PL_X500Name **pSubject, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId * DESCRIPTION: * * Retrieves a pointer to the OID that represents the subject public key * algorithm of the Cert pointed to by "cert" and stores it at * "pSubjKeyAlgId". * * SubjectPublicKeyInfo ::= SEQUENCE { * algorithm AlgorithmIdentifier, * subjectPublicKey BIT STRING } * * AlgorithmIdentifier ::= SEQUENCE { * algorithm OBJECT IDENTIFIER, * parameters ANY DEFINED BY algorithm OPTIONAL } * * PARAMETERS: * "cert" * Address of Cert whose subject public key algorithm OID is to be stored. * Must be non-NULL. * "pSubjKeyAlgId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubjectPublicKeyAlgId( PKIX_PL_Cert *cert, PKIX_PL_OID **pSubjKeyAlgId, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey * DESCRIPTION: * * Retrieves a pointer to the PublicKey that represents the subject public key * of the Cert pointed to by "cert" and stores it at "pPublicKey". * * SubjectPublicKeyInfo ::= SEQUENCE { * algorithm AlgorithmIdentifier, * subjectPublicKey BIT STRING } * * PARAMETERS: * "cert" * Address of Cert whose subject public key is to be stored. * Must be non-NULL. * "pPublicKey" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubjectPublicKey( PKIX_PL_Cert *cert, PKIX_PL_PublicKey **pPublicKey, void *plContext); /* * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters * DESCRIPTION: * * Determines if the PublicKey pointed to by "pubKey" is a DSA Key with null * parameters and stores the result at "pNeedsParams". * * PARAMETERS: * "pubKey" * Address of the Public Key of interest. Must be non-NULL. * "pNeedsParams" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a PublicKey Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_PublicKey_NeedsDSAParameters( PKIX_PL_PublicKey *pubKey, PKIX_Boolean *pNeedsParams, void *plContext); /* * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey * DESCRIPTION: * * This function is used for DSA key parameter inheritance, which allows a * first DSA key with omitted parameters (pointed to by "firstKey") to inherit * the PQG parameters of a second DSA key that does have parameters. (pointed * to by "secondKey"). Once created, a PublicKey is immutable. * * Specifically, the algorithm used by the function is: * * If the first PublicKey is not a DSA public key with omitted parameters, * the function stores NULL at "pResultKey". (No Error is returned) * Else if the second PublicKey is not a DSA public key with non-NULL, * parameters, the function returns an Error. * Else * the function creates a third PublicKey with a "Y" value from the * first PublicKey and the DSA parameters from the second PublicKey, * and stores it at "pResultKey". * * PARAMETERS: * "firstKey" * Address of a Public Key that needs to inherit DSA parameters. * Must be non-NULL. * "secondKey" * Address of a Public Key that has DSA parameters that will be inherited * by "firstKey". Must be non-NULL. * "pResultKey" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a PublicKey Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_PublicKey_MakeInheritedDSAPublicKey( PKIX_PL_PublicKey *firstKey, PKIX_PL_PublicKey *secondKey, PKIX_PL_PublicKey **pResultKey, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs * DESCRIPTION: * * Retrieves a pointer to the List of OIDs (each OID corresponding to a * critical extension of the Cert pointed to by "cert") and stores it at * "pExtensions". If "cert" does not have any critical extensions, this * function stores an empty List at "pExtensions". * * Note that the List returned by this function is immutable. * * PARAMETERS: * "cert" * Address of Cert whose critical extension OIDs are to be stored. * Must be non-NULL. * "pExtensions" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetCriticalExtensionOIDs( PKIX_PL_Cert *cert, PKIX_List **pExtensions, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier * DESCRIPTION: * * Retrieves a pointer to a ByteArray representing the authority key * identifier extension of the Cert pointed to by "cert" and stores it at * "pAuthKeyId". * * Note that this function only retrieves the keyIdentifier component * (OCTET STRING) of the AuthorityKeyIdentifier extension, when present. * * If "cert" does not have an AuthorityKeyIdentifier extension or if the * keyIdentifier component of the AuthorityKeyIdentifier extension is not * present, this function stores NULL at "pAuthKeyId". * * AuthorityKeyIdentifier ::= SEQUENCE { * keyIdentifier [0] KeyIdentifier OPTIONAL, * authorityCertIssuer [1] GeneralNames OPTIONAL, * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } * * PARAMETERS: * "cert" * Address of Cert whose authority key identifier is to be stored. * Must be non-NULL. * "pAuthKeyId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetAuthorityKeyIdentifier( PKIX_PL_Cert *cert, PKIX_PL_ByteArray **pAuthKeyId, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier * DESCRIPTION: * * Retrieves a pointer to a ByteArray representing the subject key identifier * extension of the Cert pointed to by "cert" and stores it at "pSubjKeyId". * If "cert" does not have a SubjectKeyIdentifier extension, this function * stores NULL at "pSubjKeyId". * * SubjectKeyIdentifier ::= KeyIdentifier * * PARAMETERS: * "cert" * Address of Cert whose subject key identifier is to be stored. * Must be non-NULL. * "pSubjKeyId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubjectKeyIdentifier( PKIX_PL_Cert *cert, PKIX_PL_ByteArray **pSubjKeyId, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames * DESCRIPTION: * * Retrieves a pointer to the List of GeneralNames (each GeneralName * representing a subject alternative name found in the subject alternative * names extension of the Cert pointed to by "cert") and stores it at * "pSubjectAltNames". If "cert" does not have a SubjectAlternativeNames * extension, this function stores NULL at "pSubjectAltNames". * * Note that the List returned by this function is immutable. * * SubjectAltName ::= GeneralNames * * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName * * GeneralName ::= CHOICE { * otherName [0] OtherName, * rfc822Name [1] IA5String, * dNSName [2] IA5String, * x400Address [3] ORAddress, * directoryName [4] Name, * ediPartyName [5] EDIPartyName, * uniformResourceIdentifier [6] IA5String, * iPAddress [7] OCTET STRING, * registeredID [8] OBJECT IDENTIFIER } * * OtherName ::= SEQUENCE { * type-id OBJECT IDENTIFIER, * value [0] EXPLICIT ANY DEFINED BY type-id } * * EDIPartyName ::= SEQUENCE { * nameAssigner [0] DirectoryString OPTIONAL, * partyName [1] DirectoryString } * * PARAMETERS: * "cert" * Address of Cert whose subjectAltNames are to be stored. * Must be non-NULL. * "pSubjectAltNames" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubjectAltNames( PKIX_PL_Cert *cert, PKIX_List **pSubjectAltNames, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames * DESCRIPTION: * * Retrieves a pointer to the List of GeneralNames (each GeneralName * representing a subject DN or a subject alternative name found in the * subject alternative names extension of the Cert pointed to by "cert") and * stores it at "pAllSubjectNames".If the Subject DN of "cert" is empty and * it does not have a SubjectAlternativeNames extension, this function stores * NULL at "pAllSubjectNames". * * Note that the List returned by this function is immutable. * * PARAMETERS: * "cert" * Address of Cert whose subject DN and subjectAltNames are to be stored. * Must be non-NULL. * "pAllSubjectNames" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetAllSubjectNames( PKIX_PL_Cert *cert, PKIX_List **pAllSubjectNames, /* list of PKIX_PL_GeneralName */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage * DESCRIPTION: * * Retrieves a pointer to a List of OIDs (each OID corresponding to an * extended key usage of the Cert pointed to by "cert") and stores it at * "pKeyUsage". If "cert" does not have an extended key usage extension, this * function stores a NULL at "pKeyUsage". * * Note that the List returned by this function is immutable. * * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId * * KeyPurposeId ::= OBJECT IDENTIFIER * * PARAMETERS: * "cert" * Address of Cert whose extended key usage OIDs are to be stored. * Must be non-NULL. * "pKeyUsage" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetExtendedKeyUsage( PKIX_PL_Cert *cert, PKIX_List **pKeyUsage, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetNameConstraints * DESCRIPTION: * * Retrieves a pointer to a CertNameConstraints object representing the name * constraints extension of the Cert pointed to by "cert" and stores it at * "pNameConstraints". * * If "cert" does not have a name constraints extension, this function stores * NULL at "pNameConstraints". * * NameConstraints ::= SEQUENCE { * permittedSubtrees [0] GeneralSubtrees OPTIONAL, * excludedSubtrees [1] GeneralSubtrees OPTIONAL } * * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree * * GeneralSubtree ::= SEQUENCE { * base GeneralName, * minimum [0] BaseDistance DEFAULT 0, * maximum [1] BaseDistance OPTIONAL } * * BaseDistance ::= INTEGER (0..MAX) * * PARAMETERS: * "cert" * Address of Cert whose name constraints extension is to be stored. * Must be non-NULL. * "pNameConstraints" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetNameConstraints( PKIX_PL_Cert *cert, PKIX_PL_CertNameConstraints **pNameConstraints, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetBasicConstraints * DESCRIPTION: * * Retrieves a pointer to a CertBasicConstraints object representing the basic * constraints extension of the Cert pointed to by "cert" and stores it at * "pBasicConstraints". * * If "cert" does not have a basic constraints extension, this function stores * NULL at "pBasicConstraints". Once created, a CertBasicConstraints object * is immutable. * * BasicConstraints ::= SEQUENCE { * cA BOOLEAN DEFAULT FALSE, * pathLenConstraint INTEGER (0..MAX) OPTIONAL } * * PARAMETERS: * "cert" * Address of Cert whose basic constraints extension is to be stored. * Must be non-NULL. * "pBasicConstraints" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetBasicConstraints( PKIX_PL_Cert *cert, PKIX_PL_CertBasicConstraints **pBasicConstraints, void *plContext); /* * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag * DESCRIPTION: * * Retrieves a pointer to a Boolean value representing the cA Flag component * of the CertBasicConstraints object pointed to by "basicConstraints" and * stores it at "pResult". * * BasicConstraints ::= SEQUENCE { * cA BOOLEAN DEFAULT FALSE, * pathLenConstraint INTEGER (0..MAX) OPTIONAL } * * PARAMETERS: * "basicConstraints" * Address of CertBasicConstraints whose cA Flag is to be stored. * Must be non-NULL. * "pResult" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_BasicConstraints_GetCAFlag( PKIX_PL_CertBasicConstraints *basicConstraints, PKIX_Boolean *pResult, void *plContext); /* * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint * DESCRIPTION: * * Retrieves a pointer to an integer value representing the pathLenConstraint * component of the CertBasicConstraints object pointed to by * "basicConstraints" and stores it at "pPathLenConstraint". If the * pathLenConstraint component is not present, this function stores -1 at * "pPathLenConstraint". * * PARAMETERS: * "basicConstraints" * Address of CertBasicConstraints whose pathLen is to be stored. * Must be non-NULL. * "pPathLenConstraint" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_BasicConstraints_GetPathLenConstraint( PKIX_PL_CertBasicConstraints *basicConstraints, PKIX_Int32 *pPathLenConstraint, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetPolicyInformation * DESCRIPTION: * * Retrieves a pointer to a List of CertPolicyInfos found in the certificate * policies extension of the Cert pointed to by "cert" and stores it at * "pPolicyInfo". If "cert" does not have a certificate policies extension, * this function stores NULL at "pPolicyInfo". Once created, a CertPolicyInfo * object is immutable. * * Note that the List returned by this function is immutable. * * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation * * PolicyInformation ::= SEQUENCE { * policyIdentifier CertPolicyId, * policyQualifiers SEQUENCE SIZE (1..MAX) OF * PolicyQualifierInfo OPTIONAL } * * PARAMETERS: * "cert" * Address of Cert whose CertPolicyInfos are to be stored. * Must be non-NULL. * "pPolicyInfo" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetPolicyInformation( PKIX_PL_Cert *cert, PKIX_List **pPolicyInfo, /* list of PKIX_PL_CertPolicyInfo */ void *plContext); /* * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId * DESCRIPTION: * * Retrieves a pointer to an OID representing the policyIdentifier of the * CertPolicyInfo pointed to by "policyInfo" and stores it at "pCertPolicyId". * * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation * * PolicyInformation ::= SEQUENCE { * policyIdentifier CertPolicyId, * policyQualifiers SEQUENCE SIZE (1..MAX) OF * PolicyQualifierInfo OPTIONAL } * * CertPolicyId ::= OBJECT IDENTIFIER * * PARAMETERS: * "policyInfo" * Address of CertPolicyInfo whose policy identifier is to be stored. * Must be non-NULL. * "pCertPolicyId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CertPolicyInfo_GetPolicyId( PKIX_PL_CertPolicyInfo *policyInfo, PKIX_PL_OID **pCertPolicyId, void *plContext); /* * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers * DESCRIPTION: * * Retrieves a pointer to a List of the CertPolicyQualifiers representing * the policyQualifiers of the CertPolicyInfo pointed to by "policyInfo" and * stores it at "pPolicyQualifiers". If "policyInfo" does not have any * policyQualifiers, this function stores NULL at "pPolicyQualifiers". Once * created, a CertPolicyQualifier is immutable. * * Note that the List returned by this function is immutable. * * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation * * PolicyInformation ::= SEQUENCE { * policyIdentifier CertPolicyId, * policyQualifiers SEQUENCE SIZE (1..MAX) OF * PolicyQualifierInfo OPTIONAL } * * PolicyQualifierInfo ::= SEQUENCE { * policyQualifierId PolicyQualifierId, * qualifier ANY DEFINED BY policyQualifierId } * * PARAMETERS: * "policyInfo" * Address of CertPolicyInfo whose policy qualifiers List is to be stored. * Must be non-NULL. * "pPolicyQualifiers" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CertPolicyInfo_GetPolQualifiers( PKIX_PL_CertPolicyInfo *policyInfo, PKIX_List **pPolicyQualifiers, /* list of PKIX_PL_CertPolicyQualifier */ void *plContext); /* * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId * DESCRIPTION: * * Retrieves a pointer to an OID representing the policyQualifierId of the * CertPolicyQualifier pointed to by "policyQualifier" and stores it at * "pPolicyQualifierId". * * PolicyQualifierInfo ::= SEQUENCE { * policyQualifierId PolicyQualifierId, * qualifier ANY DEFINED BY policyQualifierId } * * PolicyQualifierId ::= * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) * * PARAMETERS: * "policyQualifier" * Address of CertPolQualifier whose policyQualifierId is to be stored. * Must be non-NULL. * "pPolicyQualifierId" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_PolicyQualifier_GetPolicyQualifierId( PKIX_PL_CertPolicyQualifier *policyQualifier, PKIX_PL_OID **pPolicyQualifierId, void *plContext); /* * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier * DESCRIPTION: * * Retrieves a pointer to a ByteArray representing the qualifier of the * CertPolicyQualifier pointed to by "policyQualifier" and stores it at * "pQualifier". * * PolicyQualifierInfo ::= SEQUENCE { * policyQualifierId PolicyQualifierId, * qualifier ANY DEFINED BY policyQualifierId } * * PARAMETERS: * "policyQualifier" * Address of CertPolicyQualifier whose qualifier is to be stored. * Must be non-NULL. * "pQualifier" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_PolicyQualifier_GetQualifier( PKIX_PL_CertPolicyQualifier *policyQualifier, PKIX_PL_ByteArray **pQualifier, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetPolicyMappings * DESCRIPTION: * * Retrieves a pointer to a List of CertPolicyMaps found in the policy * mappings extension of the Cert pointed to by "cert" and stores it at * "pPolicyMappings". If "cert" does not have a policy mappings extension, * this function stores NULL at "pPolicyMappings". Once created, a * CertPolicyMap is immutable. * * Note that the List returned by this function is immutable. * * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { * issuerDomainPolicy CertPolicyId, * subjectDomainPolicy CertPolicyId } * * PARAMETERS: * "cert" * Address of Cert whose CertPolicyMaps are to be stored. * Must be non-NULL. * "pPolicyMappings" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetPolicyMappings( PKIX_PL_Cert *cert, PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */ void *plContext); /* * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy * DESCRIPTION: * * Retrieves a pointer to an OID representing the issuerDomainPolicy of the * CertPolicyMap pointed to by "policyMapping" and stores it at * "pIssuerDomainPolicy". * * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { * issuerDomainPolicy CertPolicyId, * subjectDomainPolicy CertPolicyId } * * PARAMETERS: * "policyMapping" * Address of CertPolicyMap whose issuerDomainPolicy is to be stored. * Must be non-NULL. * "pIssuerDomainPolicy" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy( PKIX_PL_CertPolicyMap *policyMapping, PKIX_PL_OID **pIssuerDomainPolicy, void *plContext); /* * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy * DESCRIPTION: * * Retrieves a pointer to an OID representing the subjectDomainPolicy of the * CertPolicyMap pointed to by "policyMapping" and stores it at * "pSubjectDomainPolicy". * * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { * issuerDomainPolicy CertPolicyId, * subjectDomainPolicy CertPolicyId } * * PARAMETERS: * "policyMapping" * Address of CertPolicyMap whose subjectDomainPolicy is to be stored. * Must be non-NULL. * "pSubjectDomainPolicy" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy( PKIX_PL_CertPolicyMap *policyMapping, PKIX_PL_OID **pSubjectDomainPolicy, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy * DESCRIPTION: * * Retrieves the requireExplicitPolicy value of the policy constraints * extension of the Cert pointed to by "cert" and stores it at "pSkipCerts". * If "cert" does not have a policy constraints extension or the * requireExplicitPolicy component is not populated, this function stores -1 * at "pSkipCerts". * * PolicyConstraints ::= SEQUENCE { * requireExplicitPolicy [0] SkipCerts OPTIONAL, * inhibitPolicyMapping [1] SkipCerts OPTIONAL } * * SkipCerts ::= INTEGER (0..MAX) * * PARAMETERS: * "cert" * Address of Cert whose requireExplicitPolicy value is to be stored. * Must be non-NULL. * "pSkipCerts" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetRequireExplicitPolicy( PKIX_PL_Cert *cert, PKIX_Int32 *pSkipCerts, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited * DESCRIPTION: * * Retrieves the inhibitPolicyMapping value of the policy constraints * extension of the Cert pointed to by "cert" and stores it at "pSkipCerts". * If "cert" does not have a policy constraints extension or the * inhibitPolicyMapping component is not populated, this function stores -1 * at "pSkipCerts". * * PolicyConstraints ::= SEQUENCE { * requireExplicitPolicy [0] SkipCerts OPTIONAL, * inhibitPolicyMapping [1] SkipCerts OPTIONAL } * * SkipCerts ::= INTEGER (0..MAX) * * PARAMETERS: * "cert" * Address of Cert whose requireExplicitPolicy value is to be stored. * Must be non-NULL. * "pSkipCerts" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetPolicyMappingInhibited( PKIX_PL_Cert *cert, PKIX_Int32 *pSkipCerts, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy * DESCRIPTION: * * Retrieves the value of the inhibit any-policy extension of the Cert * pointed to by "cert" and stores it at "pSkipCerts". If "cert" does not have * an inhibit any-policy extension, this function stores -1 at "pSkipCerts". * * InhibitAnyPolicy ::= SkipCerts * * SkipCerts ::= INTEGER (0..MAX) * * PARAMETERS: * "cert" * Address of Cert whose inhibit any-policy extensions value is to be * stored. Must be non-NULL. * "pSkipCerts" * Address where PKIX_Int32 will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetInhibitAnyPolicy( PKIX_PL_Cert *cert, PKIX_Int32 *pSkipCerts, void *plContext); /* policy processing functions */ /* * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical * DESCRIPTION: * * Checks whether the certificate policies extension of the Cert pointed to * by "cert" is critical and stores the Boolean result at "pCritical". If * "cert" does not have a certificate policies extension, this function * stores NULL at "pCritical". * * XXX what distinguishes NULL from PKIX_FALSE? * * PARAMETERS: * "cert" * Address of Cert whose certificate policies extension's criticality is * to be determined. Must be non-NULL. * "pCritical" * Address where PKIX_Boolean will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_AreCertPoliciesCritical( PKIX_PL_Cert *cert, PKIX_Boolean *pCritical, void *plContext); /* * FUNCTION: PKIX_PL_Cert_CheckNameConstraints * DESCRIPTION: * * Checks whether the subject distinguished name and subject alternative names * of the Cert pointed to by "cert" satisfy the CertNameConstraints pointed * to by "nameConstraints". If the CertNameConstraints are not satisfied, a * PKIX_Error pointer is returned. If "nameConstraints" is NULL, the function * does nothing. * * PARAMETERS: * "cert" * Address of Cert whose subject names are to be checked. * Must be non-NULL. * "nameConstraints" * Address of CertNameConstraints that need to be satisfied. * "treatCommonNameAsDNSName" * PKIX_TRUE if the subject common name should be considered a dNSName * when evaluating name constraints. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_CheckNameConstraints( PKIX_PL_Cert *cert, PKIX_PL_CertNameConstraints *nameConstraints, PKIX_Boolean treatCommonNameAsDNSName, void *plContext); /* * FUNCTION: PKIX_PL_Cert_MergeNameConstraints * DESCRIPTION: * * Merges the CertNameConstraints pointed to by "firstNC" and the * CertNameConstraints pointed to by "secondNC" and stores the merged * CertNameConstraints at "pResultNC". If "secondNC" is NULL, the * CertNameConstraints pointed to by "firstNC" is stored at "pResultNC". * * Once created, a CertNameConstraints object is immutable. * * PARAMETERS: * "firstNC" * Address of first CertNameConstraints to be merged. Must be non-NULL. * "secondNC" * Address of second CertNameConstraints to be merged * "pResultNC" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_MergeNameConstraints( PKIX_PL_CertNameConstraints *firstNC, PKIX_PL_CertNameConstraints *secondNC, PKIX_PL_CertNameConstraints **pResultNC, void *plContext); /* * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage * DESCRIPTION: * * Verifies that the keyUsage bit(s) specified by "keyUsage" appear in the * keyUsage extension of the Cert pointed to by "cert". The keyUsage bit * values specified in pkixt.h are supported, and can be bitwise or'ed if * multiple bit values are to be verified. If the keyUsages do not all appear * in the keyUsage extension of "cert", a PKIX_Error pointer is returned. * * KeyUsage ::= BIT STRING { * digitalSignature (0), * nonRepudiation (1), * keyEncipherment (2), * dataEncipherment (3), * keyAgreement (4), * keyCertSign (5), * cRLSign (6), * encipherOnly (7), * decipherOnly (8) } * * PARAMETERS: * "cert" * Address of Cert whose keyUsage bits are to be verified. * Must be non-NULL. * "keyUsage" * Constant representing keyUsage bit(s) that all must appear in keyUsage * extension of "cert". * "plContext" - Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_VerifyKeyUsage( PKIX_PL_Cert *cert, PKIX_UInt32 keyUsage, void *plContext); /* * FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType * DESCRIPTION: * * Verifies cert and key types against certificate usage that is * a part of plContext(pkix_pl_nsscontext) structure. Throws an error * if cert or key types does not match. * * PARAMETERS: * "cert" * Address of Cert whose keyUsage bits are to be verified. * Must be non-NULL. * "isLeafCert" * What type of a cert has been verified. * "plContext" - Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_VerifyCertAndKeyType( PKIX_PL_Cert *cert, PKIX_Boolean isChainCert, void *plContext); /* * FUNCTION: PKIX_PL_Cert_CheckValidity * DESCRIPTION: * * Checks whether the Cert pointed to by "cert" would be valid at the time * represented by the Date pointed to by "date". If "date" is NULL, then this * function checks whether the Cert would be valid at the current time. If the * Cert would not be valid at the specified Date, a PKIX_Error pointer is * returned. * * Validity ::= SEQUENCE { * notBefore Time, * notAfter Time } * * Time ::= CHOICE { * utcTime UTCTime, * generalTime GeneralizedTime } * * PARAMETERS: * "cert" * Address of Cert whose validity is to be checked. Must be non-NULL. * "date" * Address of Date at which the Cert is being checked for validity. * If NULL, the current time is used for the Date. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_CheckValidity( PKIX_PL_Cert *cert, PKIX_PL_Date *date, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter * DESCRIPTION: * * Retrieves a pointer to the Date that represents the notAfter time of the * Certificate pointed to by "cert" and stores it at "pDate". * * Validity ::= SEQUENCE { * notBefore Time, * notAfter Time } * * PARAMETERS: * "cert" * Address of Cert whose validity time is to be retrieved. Must be * non-NULL. * "date" * Address of Date at which the Cert's notAfter time is being retrieved. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetValidityNotAfter( PKIX_PL_Cert *cert, PKIX_PL_Date **pDate, void *plContext); /* * FUNCTION: PKIX_PL_Cert_VerifySignature * DESCRIPTION: * * Verifies the signature on the Cert pointed to by "cert" using the * PublicKey pointed to by "pubKey". If the signature doesn't verify, an * Error pointer is returned. * * PARAMETERS: * "cert" * Address of Cert whose signature is to be verified. Must be non-NULL. * "pubKey" * Address of a Public Key used to verify the signature. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_VerifySignature( PKIX_PL_Cert *cert, PKIX_PL_PublicKey *pubKey, void *plContext); /* A set of flags to indicate how explicitly configured trust anchors should be * handled by PKIX_PL_Cert_IsCertTrusted */ typedef enum PKIX_PL_TrustAnchorModeEnum { /* Indicates trust anchors should be ignored; only the underlying * platform's trust settings should be used. */ PKIX_PL_TrustAnchorMode_Ignore, /* Indicates that explicitly configured trust anchors may be considered * trustworthy, if present. * Note: If the underlying platform supports marking a certificate as * explicitly untrustworthy, explicitly configured trust anchors * MAY be ignored/rejected. */ PKIX_PL_TrustAnchorMode_Additive, /* Indicates that ONLY trust anchors should be considered as * trustworthy. * Note: If the underlying platform supports marking a certificate as * explicitly untrustworthy, explicitly configured trust anchors * MAY be ignored/rejected. */ PKIX_PL_TrustAnchorMode_Exclusive } PKIX_PL_TrustAnchorMode; /* * FUNCTION: PKIX_PL_Cert_IsCertTrusted * DESCRIPTION: * * Checks the Cert specified by "cert" to determine, in a manner that depends * on the underlying platform, whether it is trusted, and stores the result in * "pTrusted". If a certificate is trusted it means that a chain built to that * certificate, and satisfying all the usage, policy, validity, and other * tests, is a valid chain and the End Entity certificate from which it was * built can be trusted. * * If the Certificate is not intrinsically trustworthy, it still might end up a * component in a successful chain. * * If the Certificate is intrinsically untrustworthy, this function will return * an error. * * PARAMETERS * "cert" * Address of Cert whose trustworthiness is to be determined. Must be * non-NULL. * "trustAnchorMode" * A PKIX_PL_TrustAnchorMode that indicates how explicitly defined user * trust anchors should be handled. * "pTrusted" * Address where the Boolean value will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CERT Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_IsCertTrusted( PKIX_PL_Cert *cert, PKIX_PL_TrustAnchorMode trustAnchorMode, PKIX_Boolean *pTrusted, void *plContext); /* * FUNCTION: PKIX_PL_Cert_IsLeafCertTrusted * DESCRIPTION: * * Checks the Leaf Cert specified by "cert" to determine, in a manner that * depends on the underlying platform, whether it is trusted, and stores the * result in "pTrusted". If a certificate is trusted it means that this * End Entify certificate has been marked as trusted for the requested usage, * policy, validity, and other tests. * * If the Certificate is not intrinsically trustworthy, we can still try to * build a successful chain. * * If the Certificate is intrinsically untrustworthy, this function will return * an error. * * PARAMETERS * "cert" * Address of Cert whose trustworthiness is to be determined. Must be * non-NULL. * "pTrusted" * Address where the Boolean value will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CERT Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_IsLeafCertTrusted( PKIX_PL_Cert *cert, PKIX_Boolean *pTrusted, void *plContext); /* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */ PKIX_Error* PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetCacheFlag * DESCRIPTION: * * Retrieves the value of the cache flag in "cert" and return it at address * pointed by "pCacheFlag". The initila cache flag is determined by the * CertStore this "cert" is fetched from. When CertStore is created, user * need to specify if the data should be cached. * * PARAMETERS: * "cert" * Address of Cert whose cache flag is fetched. Must be non-NULL. * "pCacheFlag" * Address where PKIX_Boolean will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetCacheFlag( PKIX_PL_Cert *cert, PKIX_Boolean *pCacheFlag, void *plContext); /* * FUNCTION: PKIX_PL_Cert_SetCacheFlag * DESCRIPTION: * * Set the value of the cache flag in "cert" base on the boolean value stored * at "cacheFlag". This function is meant to be used by CertStore after a * Cert is created. * * PARAMETERS: * "cert" * Address of Cert where "cacheFlag" is stored. Must be non-NULL. * "cacheFlag" * PKIX_Boolean flag for cache flag. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_SetCacheFlag( PKIX_PL_Cert *cert, PKIX_Boolean cacheFlag, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetTrustCertStore * DESCRIPTION: * * Retrieves the value of the CertStore in "cert" and return it at address * pointed by "pCertStore". * * PARAMETERS: * "cert" * Address of Cert whose CertStore is fetched. Must be non-NULL. * "pTrustCertStore" * Address where CertStore will be stored and returned. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetTrustCertStore( PKIX_PL_Cert *cert, PKIX_CertStore **pTrustCertStore, void *plContext); /* * FUNCTION: PKIX_PL_Cert_SetTrustCertStore * DESCRIPTION: * * Set the value of the CertStore "certStore" in "cert". * * PARAMETERS: * "cert" * Address of Cert where "certStore" will be stored. Must be non-NULL. * "trustCertStore" * Address where the CertStore is. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_SetTrustCertStore( PKIX_PL_Cert *cert, PKIX_CertStore *trustCertStore, void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess * DESCRIPTION: * * Retrieves the value(s) of the Authority Information Access in "cert" and * returns it in a list at address pointed by "pAuthorityInfoAccess". * * SubjectInfoAccess ::= * SEQUENCE SIZE (1..MAX) of AccessDescription * AccessDescription ::= SEQUENCE { * accessMethod OBJECT IDENTIFIER, * accessLocation GeneralName * } * * PARAMETERS: * "cert" * Address of Cert whose Authority Information Access is fetched. * Must be non-NULL. * "pAuthorityInfoAccess" * Address where Authority InfoAccess will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetAuthorityInfoAccess( PKIX_PL_Cert *cert, PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess * DESCRIPTION: * * Retrieves the value(s) of the Subject Information Access in "cert" and * returns it in a list at address pointed by "pSubjectInfoAccess". * * SubjectInfoAccess ::= * SEQUENCE SIZE (1..MAX) of AccessDescription * AccessDescription ::= SEQUENCE { * accessMethod OBJECT IDENTIFIER, * accessLocation GeneralName * } * * PARAMETERS: * "cert" * Address of Cert whose Subject Information Access is fetched. * Must be non-NULL. * "pSubjectInfoAccess" * Address where Subject InfoAccess will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetSubjectInfoAccess( PKIX_PL_Cert *cert, PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */ void *plContext); /* * FUNCTION: PKIX_PL_Cert_GetCrlDp * DESCRIPTION: * * Retrieves the value(s) of the CRL Distribution Point Extension and * returns it in a list at address pointed by "pDpList". * * PARAMETERS: * "cert" * Address of Cert whose Subject Information Access is fetched. * Must be non-NULL. * "pDpList" * Address where CRL DP will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert, PKIX_List **pDpList, void *plContext); /* * InfoAccess * * To hold Authority Information Access or Subject Information Access * retrieved from a Certificate. */ #define PKIX_INFOACCESS_OCSP 1 #define PKIX_INFOACCESS_CA_ISSUERS 2 #define PKIX_INFOACCESS_TIMESTAMPING 3 #define PKIX_INFOACCESS_CA_REPOSITORY 5 #define PKIX_INFOACCESS_LOCATION_UNKNOWN 0 #define PKIX_INFOACCESS_LOCATION_HTTP 1 #ifndef NSS_PKIX_NO_LDAP #define PKIX_INFOACCESS_LOCATION_LDAP 2 #endif /* * FUNCTION: PKIX_PL_InfoAccess_GetMethod * DESCRIPTION: * * Stores the method of the Information Access from "infoAccess" and * returns in "pMethod". * * SubjectInfoAccess ::= * AccessDescription ::= SEQUENCE { * accessMethod OBJECT IDENTIFIER, * accessLocation GeneralName * } * * PARAMETERS: * "infoAccess" * Address of PKIX_PL_InfoAccess that has the access data. * Must be non-NULL. * "pMethod" * Address where access method will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_InfoAccess_GetMethod( PKIX_PL_InfoAccess *infoAccess, PKIX_UInt32 *pMethod, void *plContext); /* * FUNCTION: PKIX_PL_InfoAccess_GetLocation * DESCRIPTION: * * Stores the location of the Information Access from "infoAccess" and * returns in "pLocation". * * SubjectInfoAccess ::= * AccessDescription ::= SEQUENCE { * accessMethod OBJECT IDENTIFIER, * accessLocation GeneralName * } * * PARAMETERS: * "infoAccess" * Address of PKIX_PL_InfoAccess that has the access data. * Must be non-NULL. * "pLocation" * Address where access location will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_InfoAccess_GetLocation( PKIX_PL_InfoAccess *infoAccess, PKIX_PL_GeneralName **pLocation, void *plContext); /* * FUNCTION: PKIX_PL_InfoAccess_GetLocationType * DESCRIPTION: * * Stores the type of location of the Information Access from "infoAccess" and * returns in "pType". * * SubjectInfoAccess ::= * AccessDescription ::= SEQUENCE { * accessMethod OBJECT IDENTIFIER, * accessLocation GeneralName * } * * PARAMETERS: * "infoAccess" * Address of PKIX_PL_InfoAccess that has the access data. * Must be non-NULL. * "pType" * Address where access location type will be stored and returned. * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Cert Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_InfoAccess_GetLocationType( PKIX_PL_InfoAccess *infoAccess, PKIX_UInt32 *pType, void *plContext); PKIX_Error * pkix_pl_InfoAccess_GetAIACerts( PKIX_PL_InfoAccess *ia, void **pNBIOContext, void **pHandle, PKIX_List **pCerts, void *plContext); /* * CRL * * A CRL represents an X.509 certificate revocation list. It can be created * using the bytes of a valid ASN.1 DER encoding. Once created, a CRL is * immutable. The following functions include accessors (gettors) for the * various components of an X.509 CRL, as well as a function for signature * verification. */ /* * FUNCTION: PKIX_PL_CRL_Create * DESCRIPTION: * * Creates a new CRL using the bytes in the ByteArray pointed to by * "byteArray" and stores it at "pCRL". If the bytes are not a valid ASN.1 * DER encoding of a CRL, a PKIX_Error pointer is returned. Once created, a * CRL is immutable. * * CertificateList ::= SEQUENCE { * tbsCertList TBSCertList, * signatureAlgorithm AlgorithmIdentifier, * signatureValue BIT STRING } * * TBSCertList ::= SEQUENCE { * version Version OPTIONAL, * -- if present, MUST be v2 * signature AlgorithmIdentifier, * issuer Name, * thisUpdate Time, * nextUpdate Time OPTIONAL, * revokedCertificates SEQUENCE OF SEQUENCE { * userCertificate CertificateSerialNumber, * revocationDate Time, * crlEntryExtensions Extensions OPTIONAL * -- if present, MUST be v2 * } OPTIONAL, * crlExtensions [0] EXPLICIT Extensions OPTIONAL * -- if present, MUST be v2 * } * * PARAMETERS: * "byteArray" * Address of ByteArray representing the CRL's DER encoding. * Must be non-NULL. * "pCRL" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_Create( PKIX_PL_ByteArray *byteArray, PKIX_PL_CRL **pCRL, void *plContext); /* * FUNCTION: PKIX_PL_CRL_GetIssuer * DESCRIPTION: * * Retrieves a pointer to the X500Name that represents the issuer of the CRL * pointed to by "crl" and stores it at "pCRLIssuer". * * PARAMETERS: * "crl" * Address of CRL whose issuer is to be stored. Must be non-NULL. * "pCRLIssuer" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_GetIssuer( PKIX_PL_CRL *crl, PKIX_PL_X500Name **pCRLIssuer, void *plContext); /* * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs * DESCRIPTION: * * Retrieves a pointer to the List of OIDs (each OID corresponding to a * critical extension of the CRL pointed to by "crl") and stores it at * "pExtensions". If "crl" does not have any critical extensions, this * function stores an empty List at "pExtensions". * * Note that the List returned by this function is immutable. * * PARAMETERS: * "crl" * Address of CRL whose critical extension OIDs are to be stored. * Must be non-NULL. * "pExtensions" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_GetCriticalExtensionOIDs( PKIX_PL_CRL *crl, PKIX_List **pExtensions, /* list of PKIX_PL_OID */ void *plContext); /* * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber * DESCRIPTION: * * Retrieves a pointer to the CRLEntry (found in the CRL pointed to by "crl") * corresponding to the BigInt pointed to by "serialNumber" and stores it at * "pCRLEntry". If there is no such CRLEntry, this functions stores NULL at * "pCRLEntry". Once created, a CRLEntry is immutable. * * PARAMETERS: * "crl" * Address of CRL whose CRL Entries are to be searched. Must be non-NULL. * "serialNumber" * Address of BigInt representing serial number of certificate whose * CRLEntry is to be found. Must be non-NULL. * "pCRLEntry" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_GetCRLEntryForSerialNumber( PKIX_PL_CRL *crl, PKIX_PL_BigInt *serialNumber, PKIX_PL_CRLEntry **pCRLEntry, void *plContext); /* * FUNCTION: PKIX_PL_CRL_GetCRLNumber * DESCRIPTION: * Retrieves the CRL Number from extension. This is non-critical extension. * * PARAMETERS: * "crl" * Address of CRL whose version is to be stored. Must be non-NULL. * "pCrlNumber" * Address where a CRL Number will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_GetCRLNumber( PKIX_PL_CRL *crl, PKIX_PL_BigInt **pCrlNumber, void *plContext); /* * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime * DESCRIPTION: * * Checks whether the CRL pointed to by "crl" would be valid at the time * represented by the Date pointed to by "date" and stores the Boolean result * at "pResult". This check is done only when NIST policy is enforced. * * Time ::= CHOICE { * utcTime UTCTime, * generalTime GeneralizedTime } * * PARAMETERS: * "crl" * Address of CRL whose validity is to be checked. Must be non-NULL. * "date" * Address of Date at which the CRL is being checked for validity. * Must be non-NULL. * "pResult" * Address of Boolean result. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_VerifyUpdateTime( PKIX_PL_CRL *crl, PKIX_PL_Date *date, PKIX_Boolean *pResult, void *plContext); /* * FUNCTION: PKIX_PL_CRL_VerifySignature * DESCRIPTION: * * Verifies the signature on the CRL pointed to by "crl" using the PublicKey * pointed to by "pubKey". If the signature doesn't verify, a PKIX_Error * pointer is returned. * * PARAMETERS: * "crl" * Address of CRL whose signature is to be verified. Must be non-NULL. * "pubKey" * Address of a Public Key used to verify the signature. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_VerifySignature( PKIX_PL_CRL *crl, PKIX_PL_PublicKey *pubKey, void *plContext); /* * FUNCTION: PKIX_PL_CRL_ReleaseDerCrl * DESCRIPTION: * * Relinguish the ownership for the crl der. The operation will succeed if * a crl owns the der. If the crl was created from existing crl and does not * own the der, then the function will return null. * * PARAMETERS: * "crl" * Address of CRL whose signature is to be verified. Must be non-NULL. * "derCrl" * Pointer to a SECItem that has der crl. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_ReleaseDerCrl(PKIX_PL_CRL *crl, SECItem **derCrl, void *plContext); /* * FUNCTION: PKIX_PL_CRL_AdoptDerCrl * DESCRIPTION: * * Adopt memory of the der. The secItem that contains der will be * freed with destruction of parent pkix crl structure. * * * PARAMETERS: * "crl" * Address of CRL whose signature is to be verified. Must be non-NULL. * "derCrl" * Pointer to a SECItem that has der crl. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRL_AdoptDerCrl(PKIX_PL_CRL *crl, SECItem *derCrl, void *plContext); /* * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode * DESCRIPTION: * * Retrieves the value of the reason code extension of the CRLEntry pointed * to by "crlEntry" and stores it at "pReason". If the "crlEntry" has no * reason code extension, this function stores -1 at "pReason". * * CRLReason ::= ENUMERATED { * unspecified (0), * keyCompromise (1), * cACompromise (2), * affiliationChanged (3), * superseded (4), * cessationOfOperation (5), * certificateHold (6), * removeFromCRL (8), * privilegeWithdrawn (9), * aACompromise (10) } * * PARAMETERS: * "crlEntry" * Address of CRLEntry whose reason code bit values are to be returned * at "pReason". Must be non-NULL. * "pReason" * Address of PKIX_Int32 where reason code is stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRLEntry_GetCRLEntryReasonCode( PKIX_PL_CRLEntry *crlEntry, PKIX_Int32 *pReason, void *plContext); /* * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs * DESCRIPTION: * * Retrieves a pointer to the List of OIDs (each OID corresponding to a * critical extension of the CRLEntry pointed to by "crlEntry") and stores it * at "pExtensions". If "crlEntry" does not have any critical extensions, this * function stores an empty List at "pExtensions". * * Note that the List returned by this function is immutable. * * PARAMETERS: * "crlEntry" * Address of CRLEntry whose critical extension OIDs are to be stored. * Must be non-NULL. * "pExtensions" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CRL Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CRLEntry_GetCriticalExtensionOIDs( PKIX_PL_CRLEntry *crlEntry, PKIX_List **pExtensions, /* list of PKIX_PL_OID */ void *plContext); #ifdef BUILD_LIBPKIX_TESTS /* * FUNCTION: PKIX_PL_X500Name_Create * DESCRIPTION: * * Creates a new X500Name using the UTF8 string representation pointed to by * "stringRep" and stores it at "pName". Once created, an X500Name is * immutable. * * Name ::= CHOICE { * RDNSequence } * * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName * * RelativeDistinguishedName ::= * SET OF AttributeTypeAndValue * * AttributeTypeAndValue ::= SEQUENCE { * type AttributeType, * value AttributeValue } * * AttributeType ::= OBJECT IDENTIFIER * * AttributeValue ::= ANY DEFINED BY AttributeType * * DirectoryString ::= CHOICE { * teletexString TeletexString (SIZE (1..MAX)), * printableString PrintableString (SIZE (1..MAX)), * universalString UniversalString (SIZE (1..MAX)), * utf8String UTF8String (SIZE (1..MAX)), * bmpString BMPString (SIZE (1..MAX)) } * * PARAMETERS: * "stringRep" * Address of UTF8 String representation of X500Name. Must be non-NULL. * "pName" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an X500Name Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_X500Name_Create ( PKIX_PL_String *stringRep, PKIX_PL_X500Name **pName, void *plContext); #endif /* BUILD_LIBPKIX_TESTS */ /* * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName * DESCRIPTION: * * The function creates x500Name using der encoded DN and/or pointer to * CERTName. If arument "name" is NULL, but derName is supplied when * the function generates nssDN(CERTName type) from der data. If derName * is not supplied, CERTName *name will not be used to generate DN DER * encoding. * * PARAMETERS: * "derName" * Address of DER representation of X500Name. Can be NULL * "name" * Address of CERTName representation of X500Name. Can be NULL * "pName" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an X500Name Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_X500Name_CreateFromCERTName( SECItem *derName, CERTName *name, PKIX_PL_X500Name **pName, void *plContext); /* * TYPE: PKIX_PL_X500Name_Match * DESCRIPTION: * Checks whether the X500Name pointed to by "firstX500Name" MATCHES the * X500Name pointed to by "secondX500Name" and stores the boolean result at * "pResult". Two X500Names MATCH if they meet the conditions specified by * RFC 3280 (section 4.1.2.4). Namely: * * "This specification requires only a subset of the name comparison * functionality specified in the X.500 series of specifications. * Conforming implementations are REQUIRED to implement the following * name comparison rules: * * (a) attribute values encoded in different types (e.g., PrintableString * and BMPString) MAY be assumed to represent different strings; * * (b) attribute values in types other than PrintableString are case * sensitive (this permits matching of attribute values as binary objects) * * (c) attribute values in PrintableString are not case sensitive * (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and * * (d) attribute values in PrintableString are compared after removing * leading and trailing white space and converting internal substrings of * one or more consecutive white space characters to a single space." * * PARAMETERS: * "firstX500Name" * Address of first X500Name to compare. Must be non-NULL. * "secondX500Name" * Address of second X500Name to compare. Must be non-NULL. * "pResult" * Address of Boolean result. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an X500Name Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_X500Name_Match( PKIX_PL_X500Name *firstX500Name, PKIX_PL_X500Name *secondX500Name, PKIX_Boolean *pResult, void *plContext); /* * FUNCTION: PKIX_PL_Date_Create_UTCTime * DESCRIPTION: * Creates a new Date of type UTCTime using the string representation pointed * to by "stringRep" and stores it at "pDate". The UTCTime restriction means * that the year can only be specified by the least significant two digits * (YY). As such, Only the years 1950-2049 can be represented. If "stringRep" * is NULL, this function creates a new Date representing the current time * and stores it at "pDate". Once created, a Date is immutable. * * If YY is greater than or equal to 50, the year is interpreted as 19YY. * If YY is less than 50, the year is interpreted as 20YY. * * The string representation of the date must be in the following form: * "YYMMDDhhmmssZ" where: * * YY is the least significant two digits of the year * MM is the month (01 to 12) * DD is the day (01 to 31) * hh is the hour (00 to 23) * mm are the minutes (00 to 59) * ss are the seconds (00 to 59) * Z indicates that local time is GMT * * PARAMETERS: * "stringRep" * Address of String representation of Date. * If NULL, current time is used. * "pDate" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Date Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Date_Create_UTCTime ( PKIX_PL_String *stringRep, PKIX_PL_Date **pDate, void *plContext); /* * FUNCTION: PKIX_PL_Date_Create_UTCTime * DESCRIPTION: * Creates a new Date from PRTime data. * * PARAMETERS: * "time" * Represented time in PRTime type. * "pDate" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Date Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Date_CreateFromPRTime( PRTime time, PKIX_PL_Date **pDate, void *plContext); /* * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds * DESCRIPTION: * Creates a new Date of type UTCTime for current time with seconds off by * "secondsOffset" and returns it at "pDate". * * PARAMETERS: * "secondsOffset" * A PKIX_Int32 indicates the time offset from current. If "secondsOffset" * is negative, the time is in past. * "pDate" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a Date Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_Date_Create_CurrentOffBySeconds( PKIX_Int32 secondsOffset, PKIX_PL_Date **pDate, void *plContext); #ifdef BUILD_LIBPKIX_TESTS /* * FUNCTION: PKIX_PL_GeneralName_Create * DESCRIPTION: * * Creates a new GeneralName of type "nameType" using the string * representation pointed to by "stringRep" and stores it at "pGName". * All of the GeneralName type format values specified in pkixt.h are * supported, with the exception of PKIX_OTHER_NAME, PKIX_EDIPARTY_NAME, * PKIX_IP_NAME, and PKIX_X400_ADDRESS. A PKIX_ESCASCII string representation * should be used for all supported nameTypes, with the exception of * registeredID and directoryName. For registeredID, the string representation * should be the same as that used by PKIX_PL_OID_Create. For directoryName, * the string representation should be the same as that used by * PKIX_PL_X500Name_Create. If an unsupported name type is used, an Error is * returned. Once created, a GeneralName is immutable. * * GeneralName ::= CHOICE { * otherName [0] OtherName, * rfc822Name [1] IA5String, * dNSName [2] IA5String, * x400Address [3] ORAddress, * directoryName [4] Name, * ediPartyName [5] EDIPartyName, * uniformResourceIdentifier [6] IA5String, * iPAddress [7] OCTET STRING, * registeredID [8] OBJECT IDENTIFIER } * * * NOTE: This function is allowed to be called only by pkix tests programs. * * PARAMETERS: * "nameType" * Type of GeneralName to be created. This must be one of the GeneralName * type format values specified in pkixt.h * "stringRep" * Address of String representation of GeneralName. Must be non-NULL. * "pGName" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a GeneralName Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_GeneralName_Create ( PKIX_UInt32 nameType, PKIX_PL_String *stringRep, PKIX_PL_GeneralName **pGName, void *plContext); #endif /* BUILD_LIBPKIX_TESTS */ /* * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace * DESCRIPTION: * * This function checks whether names in "nameList" comply with * "nameConstraints". It stores PKIX_TRUE at "pCheckPass" if the names meet the * requirement of the NameConstraints, PKIX_FALSE otherwise. * * PARAMETERS * "nameList" * List of GeneralNames that are checked for compliance. May be empty * or NULL. * "nameConstraints" * Address of CertNameConstraints that provides lists of permitted * and excluded names. Must be non-NULL. * "pCheckPass" * Address where PKIX_TRUE is returned if the all names in "nameList" are * valid. Must be non-NULL. * "plContext" - Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a NameConstraints Error if the function fails in a * non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_CertNameConstraints_CheckNamesInNameSpace( PKIX_List *nameList, /* List of PKIX_PL_GeneralName */ PKIX_PL_CertNameConstraints *nameConstraints, PKIX_Boolean *pCheckPass, void *plContext); /* * FUNCTION: PKIX_PL_AIAMgr_Create * DESCRIPTION: * * This function creates an AIAMgr to handle retrieval of Certs and CRLs * from servers given by AIA Certificate extensions. It manages connections * and caches. The manager created is stored at "pAIAMgr". * * PARAMETERS: * "pAIAMgr" * The address at which the result is stored. Must be non-NULL. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an AIAMgr Error if the function fails in a non-fatal way * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_AIAMgr_Create( PKIX_PL_AIAMgr **pAIAMgr, void *plContext); /* * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts * DESCRIPTION: * * This function uses the AIAMgr pointed to by "aiaMgr" to retrieve the Certs * specified by an AIA certificate extension, if any, in the Cert pointed to by * "prevCert", storing the results at "pCerts". If the certificate has no such * extension, this function stores NULL at "pCerts". * * If the request is suspended for non-blocking I/O, a platform-dependent * context is stored at "pNBIOContext" and NULL is stored at "pCerts". This * return is referred to as the WOULDBLOCK state. Note that the caller must * check for a non-NULL value at "pNBIOContext", to distinguish this state from * the "no such extension" return described in the first paragraph. (The * alternative would be to return an empty List, but it seemed wrong to incur * the overhead of creating and destroying an empty List for the most common * situation.) * * After a WOULDBLOCK return, the user may continue the operation by calling * pkix_AIAMgr_GetAIACerts (possibly more than once, if the function again * returns in the WOULDBLOCK state) with the previously-returned non-NULL * value of "pNBIOContext". When results are complete, NULL is stored at * "pNBIOContext", and the results (which may be NULL) are stored at "pCerts". * * PARAMETERS: * "aiaMgr" * The AIAMgr which controls the retrieval of certificates. Must be * non-NULL. * "prevCert" * Address of PKIX_PL_Cert which may provide an AIA or SIA extension. Must * be non-NULL. * "pNBIOContext" * Address at which platform-dependent information is returned if request * is suspended for non-blocking I/O. Must be non-NULL. * "pCerts" * Address at which the returned List is stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an AIAMgr Error if the function fails in a non-fatal way * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * PKIX_PL_AIAMgr_GetAIACerts( PKIX_PL_AIAMgr *aiaMgr, PKIX_PL_Cert *prevCert, void **pNBIOContext, PKIX_List **pCerts, void *plContext); typedef PKIX_Error * (*PKIX_PL_VerifyCallback)( PKIX_PL_Object *signedObject, PKIX_PL_Cert *signerCert, /* can be unknown */ PKIX_PL_Date *producedAt, PKIX_ProcessingParams *procParams, void **pNBIOContext, void **pState, PKIX_BuildResult **pBuildResult, PKIX_VerifyNode **pVerifyTree, void *plContext); #ifdef __cplusplus } #endif #endif /* _PKIX_PL_PKI_H */