/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef NSSPKI_H #define NSSPKI_H /* * nsspki.h * * This file prototypes the methods of the top-level PKI objects. */ #ifndef NSSDEVT_H #include "nssdevt.h" #endif /* NSSDEVT_H */ #ifndef NSSPKIT_H #include "nsspkit.h" #endif /* NSSPKIT_H */ #ifndef BASE_H #include "base.h" #endif /* BASE_H */ #include "pkcs11uri.h" PR_BEGIN_EXTERN_C /* * A note about interfaces * * Although these APIs are specified in C, a language which does * not have fancy support for abstract interfaces, this library * was designed from an object-oriented perspective. It may be * useful to consider the standard interfaces which went into * the writing of these APIs. * * Basic operations on all objects: * Destroy -- free a pointer to an object * DeleteStoredObject -- delete an object permanently * * Public Key cryptographic operations: * Encrypt * Verify * VerifyRecover * Wrap * Derive * * Private Key cryptographic operations: * IsStillPresent * Decrypt * Sign * SignRecover * Unwrap * Derive * * Symmetric Key cryptographic operations: * IsStillPresent * Encrypt * Decrypt * Sign * SignRecover * Verify * VerifyRecover * Wrap * Unwrap * Derive * */ /* * NSSCertificate * * These things can do crypto ops like public keys, except that the trust, * usage, and other constraints are checked. These objects are "high-level," * so trust, usages, etc. are in the form we throw around (client auth, * email signing, etc.). Remember that theoretically another implementation * (think PGP) could be beneath this object. */ /* * NSSCertificate_Destroy * * Free a pointer to a certificate object. */ NSS_EXTERN PRStatus NSSCertificate_Destroy(NSSCertificate *c); /* * NSSCertificate_DeleteStoredObject * * Permanently remove this certificate from storage. If this is the * only (remaining) certificate corresponding to a private key, * public key, and/or other object; then that object (those objects) * are deleted too. */ NSS_EXTERN PRStatus NSSCertificate_DeleteStoredObject( NSSCertificate *c, NSSCallback *uhh); /* * NSSCertificate_Validate * * Verify that this certificate is trusted, for the specified usage(s), * at the specified time, {word word} the specified policies. */ NSS_EXTERN PRStatus NSSCertificate_Validate( NSSCertificate *c, NSSTime *timeOpt, /* NULL for "now" */ NSSUsage *usage, NSSPolicies *policiesOpt /* NULL for none */ ); /* * NSSCertificate_ValidateCompletely * * Verify that this certificate is trusted. The difference between * this and the previous call is that NSSCertificate_Validate merely * returns success or failure with an appropriate error stack. * However, there may be (and often are) multiple problems with a * certificate. This routine returns an array of errors, specifying * every problem. */ /* * Return value must be an array of objects, each of which has * an NSSError, and any corresponding certificate (in the chain) * and/or policy. */ NSS_EXTERN void ** /* void *[] */ NSSCertificate_ValidateCompletely( NSSCertificate *c, NSSTime *timeOpt, /* NULL for "now" */ NSSUsage *usage, NSSPolicies *policiesOpt, /* NULL for none */ void **rvOpt, /* NULL for allocate */ PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt /* NULL for heap */ ); /* * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies * * Returns PR_SUCCESS if the certificate is valid for at least something. */ NSS_EXTERN PRStatus NSSCertificate_ValidateAndDiscoverUsagesAndPolicies( NSSCertificate *c, NSSTime **notBeforeOutOpt, NSSTime **notAfterOutOpt, void *allowedUsages, void *disallowedUsages, void *allowedPolicies, void *disallowedPolicies, /* more args.. work on this fgmr */ NSSArena *arenaOpt); /* * NSSCertificate_Encode * */ NSS_EXTERN NSSDER * NSSCertificate_Encode( NSSCertificate *c, NSSDER *rvOpt, NSSArena *arenaOpt); /* * NSSCertificate_BuildChain * * This routine returns NSSCertificate *'s for each certificate * in the "chain" starting from the specified one up to and * including the root. The zeroth element in the array is the * specified ("leaf") certificate. * * If statusOpt is supplied, and is returned as PR_FAILURE, possible * error values are: * * NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND - the chain is incomplete * */ extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND; NSS_EXTERN NSSCertificate ** NSSCertificate_BuildChain( NSSCertificate *c, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt, PRStatus *statusOpt, NSSTrustDomain *td, NSSCryptoContext *cc); /* * NSSCertificate_GetTrustDomain * */ NSS_EXTERN NSSTrustDomain * NSSCertificate_GetTrustDomain(NSSCertificate *c); /* * NSSCertificate_GetToken * * There doesn't have to be one. */ NSS_EXTERN NSSToken * NSSCertificate_GetToken( NSSCertificate *c, PRStatus *statusOpt); /* * NSSCertificate_GetSlot * * There doesn't have to be one. */ NSS_EXTERN NSSSlot * NSSCertificate_GetSlot( NSSCertificate *c, PRStatus *statusOpt); /* * NSSCertificate_GetModule * * There doesn't have to be one. */ NSS_EXTERN NSSModule * NSSCertificate_GetModule( NSSCertificate *c, PRStatus *statusOpt); /* * NSSCertificate_Encrypt * * Encrypt a single chunk of data with the public key corresponding to * this certificate. */ NSS_EXTERN NSSItem * NSSCertificate_Encrypt( NSSCertificate *c, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCertificate_Verify * */ NSS_EXTERN PRStatus NSSCertificate_Verify( NSSCertificate *c, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSItem *signature, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh); /* * NSSCertificate_VerifyRecover * */ NSS_EXTERN NSSItem * NSSCertificate_VerifyRecover( NSSCertificate *c, NSSAlgorithmAndParameters *apOpt, NSSItem *signature, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCertificate_WrapSymmetricKey * * This method tries very hard to to succeed, even in situations * involving sensitive keys and multiple modules. * { relyea: want to add verbiage? } */ NSS_EXTERN NSSItem * NSSCertificate_WrapSymmetricKey( NSSCertificate *c, NSSAlgorithmAndParameters *apOpt, NSSSymmetricKey *keyToWrap, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCertificate_CreateCryptoContext * * Create a crypto context, in this certificate's trust domain, with this * as the distinguished certificate. */ NSS_EXTERN NSSCryptoContext * NSSCertificate_CreateCryptoContext( NSSCertificate *c, NSSAlgorithmAndParameters *apOpt, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh); /* * NSSCertificate_GetPublicKey * * Returns the public key corresponding to this certificate. */ NSS_EXTERN NSSPublicKey * NSSCertificate_GetPublicKey(NSSCertificate *c); /* * NSSCertificate_FindPrivateKey * * Finds and returns the private key corresponding to this certificate, * if it is available. * * { Should this hang off of NSSUserCertificate? } */ NSS_EXTERN NSSPrivateKey * NSSCertificate_FindPrivateKey( NSSCertificate *c, NSSCallback *uhh); /* * NSSCertificate_IsPrivateKeyAvailable * * Returns success if the private key corresponding to this certificate * is available to be used. * * { Should *this* hang off of NSSUserCertificate?? } */ NSS_EXTERN PRBool NSSCertificate_IsPrivateKeyAvailable( NSSCertificate *c, NSSCallback *uhh, PRStatus *statusOpt); /* * If we make NSSUserCertificate not a typedef of NSSCertificate, * then we'll need implementations of the following: * * NSSUserCertificate_Destroy * NSSUserCertificate_DeleteStoredObject * NSSUserCertificate_Validate * NSSUserCertificate_ValidateCompletely * NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies * NSSUserCertificate_Encode * NSSUserCertificate_BuildChain * NSSUserCertificate_GetTrustDomain * NSSUserCertificate_GetToken * NSSUserCertificate_GetSlot * NSSUserCertificate_GetModule * NSSUserCertificate_GetCryptoContext * NSSUserCertificate_GetPublicKey */ /* * NSSUserCertificate_IsStillPresent * * Verify that if this certificate lives on a token, that the token * is still present and the certificate still exists. This is a * lightweight call which should be used whenever it should be * verified that the user hasn't perhaps popped out his or her * token and strolled away. */ NSS_EXTERN PRBool NSSUserCertificate_IsStillPresent( NSSUserCertificate *uc, PRStatus *statusOpt); /* * NSSUserCertificate_Decrypt * * Decrypt a single chunk of data with the private key corresponding * to this certificate. */ NSS_EXTERN NSSItem * NSSUserCertificate_Decrypt( NSSUserCertificate *uc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSUserCertificate_Sign * */ NSS_EXTERN NSSItem * NSSUserCertificate_Sign( NSSUserCertificate *uc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSUserCertificate_SignRecover * */ NSS_EXTERN NSSItem * NSSUserCertificate_SignRecover( NSSUserCertificate *uc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSUserCertificate_UnwrapSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSUserCertificate_UnwrapSymmetricKey( NSSUserCertificate *uc, NSSAlgorithmAndParameters *apOpt, NSSItem *wrappedKey, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSUserCertificate_DeriveSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSUserCertificate_DeriveSymmetricKey( NSSUserCertificate *uc, /* provides private key */ NSSCertificate *c, /* provides public key */ NSSAlgorithmAndParameters *apOpt, NSSOID *target, PRUint32 keySizeOpt, /* zero for best allowed */ NSSOperations operations, NSSCallback *uhh); /* filter-certs function(s) */ /** ** fgmr -- trust objects **/ /* * NSSPrivateKey * */ /* * NSSPrivateKey_Destroy * * Free a pointer to a private key object. */ NSS_EXTERN PRStatus NSSPrivateKey_Destroy(NSSPrivateKey *vk); /* * NSSPrivateKey_DeleteStoredObject * * Permanently remove this object, and any related objects (such as the * certificates corresponding to this key). */ NSS_EXTERN PRStatus NSSPrivateKey_DeleteStoredObject( NSSPrivateKey *vk, NSSCallback *uhh); /* * NSSPrivateKey_GetSignatureLength * */ NSS_EXTERN PRUint32 NSSPrivateKey_GetSignatureLength(NSSPrivateKey *vk); /* * NSSPrivateKey_GetPrivateModulusLength * */ NSS_EXTERN PRUint32 NSSPrivateKey_GetPrivateModulusLength(NSSPrivateKey *vk); /* * NSSPrivateKey_IsStillPresent * */ NSS_EXTERN PRBool NSSPrivateKey_IsStillPresent( NSSPrivateKey *vk, PRStatus *statusOpt); /* * NSSPrivateKey_Encode * */ NSS_EXTERN NSSItem * NSSPrivateKey_Encode( NSSPrivateKey *vk, NSSAlgorithmAndParameters *ap, NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */ NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPrivateKey_GetTrustDomain * * There doesn't have to be one. */ NSS_EXTERN NSSTrustDomain * NSSPrivateKey_GetTrustDomain( NSSPrivateKey *vk, PRStatus *statusOpt); /* * NSSPrivateKey_GetToken * */ NSS_EXTERN NSSToken * NSSPrivateKey_GetToken(NSSPrivateKey *vk); /* * NSSPrivateKey_GetSlot * */ NSS_EXTERN NSSSlot * NSSPrivateKey_GetSlot(NSSPrivateKey *vk); /* * NSSPrivateKey_GetModule * */ NSS_EXTERN NSSModule * NSSPrivateKey_GetModule(NSSPrivateKey *vk); /* * NSSPrivateKey_Decrypt * */ NSS_EXTERN NSSItem * NSSPrivateKey_Decrypt( NSSPrivateKey *vk, NSSAlgorithmAndParameters *apOpt, NSSItem *encryptedData, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPrivateKey_Sign * */ NSS_EXTERN NSSItem * NSSPrivateKey_Sign( NSSPrivateKey *vk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPrivateKey_SignRecover * */ NSS_EXTERN NSSItem * NSSPrivateKey_SignRecover( NSSPrivateKey *vk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPrivateKey_UnwrapSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSPrivateKey_UnwrapSymmetricKey( NSSPrivateKey *vk, NSSAlgorithmAndParameters *apOpt, NSSItem *wrappedKey, NSSCallback *uhh); /* * NSSPrivateKey_DeriveSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSPrivateKey_DeriveSymmetricKey( NSSPrivateKey *vk, NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSOID *target, PRUint32 keySizeOpt, /* zero for best allowed */ NSSOperations operations, NSSCallback *uhh); /* * NSSPrivateKey_FindPublicKey * */ NSS_EXTERN NSSPublicKey * NSSPrivateKey_FindPublicKey( NSSPrivateKey *vk /* { don't need the callback here, right? } */ ); /* * NSSPrivateKey_CreateCryptoContext * * Create a crypto context, in this key's trust domain, * with this as the distinguished private key. */ NSS_EXTERN NSSCryptoContext * NSSPrivateKey_CreateCryptoContext( NSSPrivateKey *vk, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhh); /* * NSSPrivateKey_FindCertificates * * Note that there may be more than one certificate for this * private key. { FilterCertificates function to further * reduce the list. } */ NSS_EXTERN NSSCertificate ** NSSPrivateKey_FindCertificates( NSSPrivateKey *vk, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSPrivateKey_FindBestCertificate * * The parameters for this function will depend on what the users * need. This is just a starting point. */ NSS_EXTERN NSSCertificate * NSSPrivateKey_FindBestCertificate( NSSPrivateKey *vk, NSSTime *timeOpt, NSSUsage *usageOpt, NSSPolicies *policiesOpt); /* * NSSPublicKey * * Once you generate, find, or derive one of these, you can use it * to perform (simple) cryptographic operations. Though there may * be certificates associated with these public keys, they are not * verified. */ /* * NSSPublicKey_Destroy * * Free a pointer to a public key object. */ NSS_EXTERN PRStatus NSSPublicKey_Destroy(NSSPublicKey *bk); /* * NSSPublicKey_DeleteStoredObject * * Permanently remove this object, and any related objects (such as the * corresponding private keys and certificates). */ NSS_EXTERN PRStatus NSSPublicKey_DeleteStoredObject( NSSPublicKey *bk, NSSCallback *uhh); /* * NSSPublicKey_Encode * */ NSS_EXTERN NSSItem * NSSPublicKey_Encode( NSSPublicKey *bk, NSSAlgorithmAndParameters *ap, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPublicKey_GetTrustDomain * * There doesn't have to be one. */ NSS_EXTERN NSSTrustDomain * NSSPublicKey_GetTrustDomain( NSSPublicKey *bk, PRStatus *statusOpt); /* * NSSPublicKey_GetToken * * There doesn't have to be one. */ NSS_EXTERN NSSToken * NSSPublicKey_GetToken( NSSPublicKey *bk, PRStatus *statusOpt); /* * NSSPublicKey_GetSlot * * There doesn't have to be one. */ NSS_EXTERN NSSSlot * NSSPublicKey_GetSlot( NSSPublicKey *bk, PRStatus *statusOpt); /* * NSSPublicKey_GetModule * * There doesn't have to be one. */ NSS_EXTERN NSSModule * NSSPublicKey_GetModule( NSSPublicKey *bk, PRStatus *statusOpt); /* * NSSPublicKey_Encrypt * * Encrypt a single chunk of data with the public key corresponding to * this certificate. */ NSS_EXTERN NSSItem * NSSPublicKey_Encrypt( NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPublicKey_Verify * */ NSS_EXTERN PRStatus NSSPublicKey_Verify( NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSItem *signature, NSSCallback *uhh); /* * NSSPublicKey_VerifyRecover * */ NSS_EXTERN NSSItem * NSSPublicKey_VerifyRecover( NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSItem *signature, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPublicKey_WrapSymmetricKey * */ NSS_EXTERN NSSItem * NSSPublicKey_WrapSymmetricKey( NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSSymmetricKey *keyToWrap, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSPublicKey_CreateCryptoContext * * Create a crypto context, in this key's trust domain, with this * as the distinguished public key. */ NSS_EXTERN NSSCryptoContext * NSSPublicKey_CreateCryptoContext( NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhh); /* * NSSPublicKey_FindCertificates * * Note that there may be more than one certificate for this * public key. The current implementation may not find every * last certificate available for this public key: that would * involve trolling e.g. huge ldap databases, which will be * grossly inefficient and not generally useful. * { FilterCertificates function to further reduce the list } */ NSS_EXTERN NSSCertificate ** NSSPublicKey_FindCertificates( NSSPublicKey *bk, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSPrivateKey_FindBestCertificate * * The parameters for this function will depend on what the users * need. This is just a starting point. */ NSS_EXTERN NSSCertificate * NSSPublicKey_FindBestCertificate( NSSPublicKey *bk, NSSTime *timeOpt, NSSUsage *usageOpt, NSSPolicies *policiesOpt); /* * NSSPublicKey_FindPrivateKey * */ NSS_EXTERN NSSPrivateKey * NSSPublicKey_FindPrivateKey( NSSPublicKey *bk, NSSCallback *uhh); /* * NSSSymmetricKey * */ /* * NSSSymmetricKey_Destroy * * Free a pointer to a symmetric key object. */ NSS_EXTERN PRStatus NSSSymmetricKey_Destroy(NSSSymmetricKey *mk); /* * NSSSymmetricKey_DeleteStoredObject * * Permanently remove this object. */ NSS_EXTERN PRStatus NSSSymmetricKey_DeleteStoredObject( NSSSymmetricKey *mk, NSSCallback *uhh); /* * NSSSymmetricKey_GetKeyLength * */ NSS_EXTERN PRUint32 NSSSymmetricKey_GetKeyLength(NSSSymmetricKey *mk); /* * NSSSymmetricKey_GetKeyStrength * */ NSS_EXTERN PRUint32 NSSSymmetricKey_GetKeyStrength(NSSSymmetricKey *mk); /* * NSSSymmetricKey_IsStillPresent * */ NSS_EXTERN PRStatus NSSSymmetricKey_IsStillPresent(NSSSymmetricKey *mk); /* * NSSSymmetricKey_GetTrustDomain * * There doesn't have to be one. */ NSS_EXTERN NSSTrustDomain * NSSSymmetricKey_GetTrustDomain( NSSSymmetricKey *mk, PRStatus *statusOpt); /* * NSSSymmetricKey_GetToken * * There doesn't have to be one. */ NSS_EXTERN NSSToken * NSSSymmetricKey_GetToken( NSSSymmetricKey *mk, PRStatus *statusOpt); /* * NSSSymmetricKey_GetSlot * * There doesn't have to be one. */ NSS_EXTERN NSSSlot * NSSSymmetricKey_GetSlot( NSSSymmetricKey *mk, PRStatus *statusOpt); /* * NSSSymmetricKey_GetModule * * There doesn't have to be one. */ NSS_EXTERN NSSModule * NSSSymmetricKey_GetModule( NSSSymmetricKey *mk, PRStatus *statusOpt); /* * NSSSymmetricKey_Encrypt * */ NSS_EXTERN NSSItem * NSSSymmetricKey_Encrypt( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_Decrypt * */ NSS_EXTERN NSSItem * NSSSymmetricKey_Decrypt( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *encryptedData, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_Sign * */ NSS_EXTERN NSSItem * NSSSymmetricKey_Sign( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_SignRecover * */ NSS_EXTERN NSSItem * NSSSymmetricKey_SignRecover( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_Verify * */ NSS_EXTERN PRStatus NSSSymmetricKey_Verify( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSItem *signature, NSSCallback *uhh); /* * NSSSymmetricKey_VerifyRecover * */ NSS_EXTERN NSSItem * NSSSymmetricKey_VerifyRecover( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSItem *signature, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_WrapSymmetricKey * */ NSS_EXTERN NSSItem * NSSSymmetricKey_WrapSymmetricKey( NSSSymmetricKey *wrappingKey, NSSAlgorithmAndParameters *apOpt, NSSSymmetricKey *keyToWrap, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_WrapPrivateKey * */ NSS_EXTERN NSSItem * NSSSymmetricKey_WrapPrivateKey( NSSSymmetricKey *wrappingKey, NSSAlgorithmAndParameters *apOpt, NSSPrivateKey *keyToWrap, NSSCallback *uhh, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSSymmetricKey_UnwrapSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSSymmetricKey_UnwrapSymmetricKey( NSSSymmetricKey *wrappingKey, NSSAlgorithmAndParameters *apOpt, NSSItem *wrappedKey, NSSOID *target, PRUint32 keySizeOpt, NSSOperations operations, NSSCallback *uhh); /* * NSSSymmetricKey_UnwrapPrivateKey * */ NSS_EXTERN NSSPrivateKey * NSSSymmetricKey_UnwrapPrivateKey( NSSSymmetricKey *wrappingKey, NSSAlgorithmAndParameters *apOpt, NSSItem *wrappedKey, NSSUTF8 *labelOpt, NSSItem *keyIDOpt, PRBool persistant, PRBool sensitive, NSSToken *destinationOpt, NSSCallback *uhh); /* * NSSSymmetricKey_DeriveSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSSymmetricKey_DeriveSymmetricKey( NSSSymmetricKey *originalKey, NSSAlgorithmAndParameters *apOpt, NSSOID *target, PRUint32 keySizeOpt, NSSOperations operations, NSSCallback *uhh); /* * NSSSymmetricKey_CreateCryptoContext * * Create a crypto context, in this key's trust domain, * with this as the distinguished symmetric key. */ NSS_EXTERN NSSCryptoContext * NSSSymmetricKey_CreateCryptoContext( NSSSymmetricKey *mk, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhh); /* * NSSTrustDomain * */ /* * NSSTrustDomain_Create * * This creates a trust domain, optionally with an initial cryptoki * module. If the module name is not null, the module is loaded if * needed (using the uriOpt argument), and initialized with the * opaqueOpt argument. If mumble mumble priority settings, then * module-specification objects in the module can cause the loading * and initialization of further modules. * * The uriOpt is defined to take a URI. At present, we only * support file: URLs pointing to platform-native shared libraries. * However, by specifying this as a URI, this keeps open the * possibility of supporting other, possibly remote, resources. * * The "reserved" arguments is held for when we figure out the * module priority stuff. */ NSS_EXTERN NSSTrustDomain * NSSTrustDomain_Create( NSSUTF8 *moduleOpt, NSSUTF8 *uriOpt, NSSUTF8 *opaqueOpt, void *reserved); /* * NSSTrustDomain_Destroy * */ NSS_EXTERN PRStatus NSSTrustDomain_Destroy(NSSTrustDomain *td); /* * NSSTrustDomain_SetDefaultCallback * */ NSS_EXTERN PRStatus NSSTrustDomain_SetDefaultCallback( NSSTrustDomain *td, NSSCallback *newCallback, NSSCallback **oldCallbackOpt); /* * NSSTrustDomain_GetDefaultCallback * */ NSS_EXTERN NSSCallback * NSSTrustDomain_GetDefaultCallback( NSSTrustDomain *td, PRStatus *statusOpt); /* * Default policies? * Default usage? * Default time, for completeness? */ /* * NSSTrustDomain_LoadModule * */ NSS_EXTERN PRStatus NSSTrustDomain_LoadModule( NSSTrustDomain *td, NSSUTF8 *moduleOpt, NSSUTF8 *uriOpt, NSSUTF8 *opaqueOpt, void *reserved); /* * NSSTrustDomain_AddModule * NSSTrustDomain_AddSlot * NSSTrustDomain_UnloadModule * Managing modules, slots, tokens; priorities; * Traversing all of the above * this needs more work */ /* * NSSTrustDomain_DisableToken * */ NSS_EXTERN PRStatus NSSTrustDomain_DisableToken( NSSTrustDomain *td, NSSToken *token, NSSError why); /* * NSSTrustDomain_EnableToken * */ NSS_EXTERN PRStatus NSSTrustDomain_EnableToken( NSSTrustDomain *td, NSSToken *token); /* * NSSTrustDomain_IsTokenEnabled * * If disabled, "why" is always on the error stack. * The optional argument is just for convenience. */ NSS_EXTERN PRStatus NSSTrustDomain_IsTokenEnabled( NSSTrustDomain *td, NSSToken *token, NSSError *whyOpt); /* * NSSTrustDomain_FindTokensByURI * */ NSS_EXTERN NSSToken ** NSSTrustDomain_FindTokensByURI( NSSTrustDomain *td, PK11URI *uri); /* * NSSTrustDomain_FindSlotByName * */ NSS_EXTERN NSSSlot * NSSTrustDomain_FindSlotByName( NSSTrustDomain *td, NSSUTF8 *slotName); /* * NSSTrustDomain_FindTokenByName * */ NSS_EXTERN NSSToken * NSSTrustDomain_FindTokenByName( NSSTrustDomain *td, NSSUTF8 *tokenName); /* * NSSTrustDomain_FindTokenBySlotName * */ NSS_EXTERN NSSToken * NSSTrustDomain_FindTokenBySlotName( NSSTrustDomain *td, NSSUTF8 *slotName); /* * NSSTrustDomain_FindBestTokenForAlgorithm * */ NSS_EXTERN NSSToken * NSSTrustDomain_FindTokenForAlgorithm( NSSTrustDomain *td, NSSOID *algorithm); /* * NSSTrustDomain_FindBestTokenForAlgorithms * */ NSS_EXTERN NSSToken * NSSTrustDomain_FindBestTokenForAlgorithms( NSSTrustDomain *td, NSSOID *algorithms[], /* may be null-terminated */ PRUint32 nAlgorithmsOpt /* limits the array if nonzero */ ); /* * NSSTrustDomain_Login * */ NSS_EXTERN PRStatus NSSTrustDomain_Login( NSSTrustDomain *td, NSSCallback *uhhOpt); /* * NSSTrustDomain_Logout * */ NSS_EXTERN PRStatus NSSTrustDomain_Logout(NSSTrustDomain *td); /* Importing things */ /* * NSSTrustDomain_ImportCertificate * * The implementation will pull some data out of the certificate * (e.g. e-mail address) for use in pkcs#11 object attributes. */ NSS_EXTERN NSSCertificate * NSSTrustDomain_ImportCertificate( NSSTrustDomain *td, NSSCertificate *c); /* * NSSTrustDomain_ImportPKIXCertificate * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_ImportPKIXCertificate( NSSTrustDomain *td, /* declared as a struct until these "data types" are defined */ struct NSSPKIXCertificateStr *pc); /* * NSSTrustDomain_ImportEncodedCertificate * * Imports any type of certificate we support. */ NSS_EXTERN NSSCertificate * NSSTrustDomain_ImportEncodedCertificate( NSSTrustDomain *td, NSSBER *ber); /* * NSSTrustDomain_ImportEncodedCertificateChain * * If you just want the leaf, pass in a maximum of one. */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_ImportEncodedCertificateChain( NSSTrustDomain *td, NSSBER *ber, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSTrustDomain_ImportEncodedPrivateKey * */ NSS_EXTERN NSSPrivateKey * NSSTrustDomain_ImportEncodedPrivateKey( NSSTrustDomain *td, NSSBER *ber, NSSItem *passwordOpt, /* NULL will cause a callback */ NSSCallback *uhhOpt, NSSToken *destination); /* * NSSTrustDomain_ImportEncodedPublicKey * */ NSS_EXTERN NSSPublicKey * NSSTrustDomain_ImportEncodedPublicKey( NSSTrustDomain *td, NSSBER *ber); /* Other importations: S/MIME capabilities */ /* * NSSTrustDomain_FindBestCertificateByNickname * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestCertificateByNickname( NSSTrustDomain *td, const NSSUTF8 *name, NSSTime *timeOpt, /* NULL for "now" */ NSSUsage *usage, NSSPolicies *policiesOpt /* NULL for none */ ); /* * NSSTrustDomain_FindCertificatesByNickname * */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindCertificatesByNickname( NSSTrustDomain *td, NSSUTF8 *name, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber( NSSTrustDomain *td, NSSDER *issuer, NSSDER *serialNumber); /* * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber * * Theoretically, this should never happen. However, some companies * we know have issued duplicate certificates with the same issuer * and serial number. Do we just ignore them? I'm thinking yes. */ /* * NSSTrustDomain_FindBestCertificateBySubject * * This does not search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestCertificateBySubject( NSSTrustDomain *td, NSSDER /*NSSUTF8*/ *subject, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindCertificatesBySubject * * This does not search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindCertificatesBySubject( NSSTrustDomain *td, NSSDER /*NSSUTF8*/ *subject, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindBestCertificateByNameComponents * * This call does try several tricks, including a pseudo pkcs#11 * attribute for the ldap module to try as a query. Eventually * this call falls back to a traversal if that's what's required. * It will search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestCertificateByNameComponents( NSSTrustDomain *td, NSSUTF8 *nameComponents, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindCertificatesByNameComponents * * This call, too, tries several tricks. It will stop on the first * attempt that generates results, so it won't e.g. traverse the * entire ldap database. */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindCertificatesByNameComponents( NSSTrustDomain *td, NSSUTF8 *nameComponents, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindCertificateByEncodedCertificate * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindCertificateByEncodedCertificate( NSSTrustDomain *td, NSSBER *encodedCertificate); /* * NSSTrustDomain_FindBestCertificateByEmail * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindCertificateByEmail( NSSTrustDomain *td, NSSASCII7 *email, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindCertificatesByEmail * */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindCertificatesByEmail( NSSTrustDomain *td, NSSASCII7 *email, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindCertificateByOCSPHash * * There can be only one. */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindCertificateByOCSPHash( NSSTrustDomain *td, NSSItem *hash); /* * NSSTrustDomain_TraverseCertificates * * This function descends from one in older versions of NSS which * traverses the certs in the permanent database. That function * was used to implement selection routines, but was directly * available too. Trust domains are going to contain a lot more * certs now (e.g., an ldap server), so we'd really like to * discourage traversal. Thus for now, this is commented out. * If it's needed, let's look at the situation more closely to * find out what the actual requirements are. */ /* For now, adding this function. This may only be for debugging * purposes. * Perhaps some equivalent function, on a specified token, will be * needed in a "friend" header file? */ NSS_EXTERN PRStatus * NSSTrustDomain_TraverseCertificates( NSSTrustDomain *td, PRStatus (*callback)(NSSCertificate *c, void *arg), void *arg); /* * NSSTrustDomain_FindBestUserCertificate * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestUserCertificate( NSSTrustDomain *td, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindUserCertificates * */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindUserCertificates( NSSTrustDomain *td, NSSTime *timeOpt, NSSUsage *usageOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth( NSSTrustDomain *td, NSSUTF8 *sslHostOpt, NSSDER *rootCAsOpt[], /* null pointer for none */ PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindUserCertificatesForSSLClientAuth * */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindUserCertificatesForSSLClientAuth( NSSTrustDomain *td, NSSUTF8 *sslHostOpt, NSSDER *rootCAsOpt[], /* null pointer for none */ PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* * NSSTrustDomain_FindBestUserCertificateForEmailSigning * */ NSS_EXTERN NSSCertificate * NSSTrustDomain_FindBestUserCertificateForEmailSigning( NSSTrustDomain *td, NSSASCII7 *signerOpt, NSSASCII7 *recipientOpt, /* anything more here? */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt); /* * NSSTrustDomain_FindUserCertificatesForEmailSigning * */ NSS_EXTERN NSSCertificate ** NSSTrustDomain_FindUserCertificatesForEmailSigning( NSSTrustDomain *td, NSSASCII7 *signerOpt, NSSASCII7 *recipientOpt, /* anything more here? */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* * Here is where we'd add more Find[Best]UserCertificate[s]For * routines. */ /* Private Keys */ /* * NSSTrustDomain_GenerateKeyPair * * Creates persistant objects. If you want session objects, use * NSSCryptoContext_GenerateKeyPair. The destination token is where * the keys are stored. If that token can do the required math, then * that's where the keys are generated too. Otherwise, the keys are * generated elsewhere and moved to that token. */ NSS_EXTERN PRStatus NSSTrustDomain_GenerateKeyPair( NSSTrustDomain *td, NSSAlgorithmAndParameters *ap, NSSPrivateKey **pvkOpt, NSSPublicKey **pbkOpt, PRBool privateKeyIsSensitive, NSSToken *destination, NSSCallback *uhhOpt); /* * NSSTrustDomain_TraversePrivateKeys * * * NSS_EXTERN PRStatus * * NSSTrustDomain_TraversePrivateKeys * ( * NSSTrustDomain *td, * PRStatus (*callback)(NSSPrivateKey *vk, void *arg), * void *arg * ); */ /* Symmetric Keys */ /* * NSSTrustDomain_GenerateSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSTrustDomain_GenerateSymmetricKey( NSSTrustDomain *td, NSSAlgorithmAndParameters *ap, PRUint32 keysize, NSSToken *destination, NSSCallback *uhhOpt); /* * NSSTrustDomain_GenerateSymmetricKeyFromPassword * */ NSS_EXTERN NSSSymmetricKey * NSSTrustDomain_GenerateSymmetricKeyFromPassword( NSSTrustDomain *td, NSSAlgorithmAndParameters *ap, NSSUTF8 *passwordOpt, /* if null, prompt */ NSSToken *destinationOpt, NSSCallback *uhhOpt); /* * NSSTrustDomain_FindSymmetricKeyByAlgorithm * * Is this still needed? * * NSS_EXTERN NSSSymmetricKey * * NSSTrustDomain_FindSymmetricKeyByAlgorithm * ( * NSSTrustDomain *td, * NSSOID *algorithm, * NSSCallback *uhhOpt * ); */ /* * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID * */ NSS_EXTERN NSSSymmetricKey * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID( NSSTrustDomain *td, NSSOID *algorithm, NSSItem *keyID, NSSCallback *uhhOpt); /* * NSSTrustDomain_TraverseSymmetricKeys * * * NSS_EXTERN PRStatus * * NSSTrustDomain_TraverseSymmetricKeys * ( * NSSTrustDomain *td, * PRStatus (*callback)(NSSSymmetricKey *mk, void *arg), * void *arg * ); */ /* * NSSTrustDomain_CreateCryptoContext * * If a callback object is specified, it becomes the for the crypto * context; otherwise, this trust domain's default (if any) is * inherited. */ NSS_EXTERN NSSCryptoContext * NSSTrustDomain_CreateCryptoContext( NSSTrustDomain *td, NSSCallback *uhhOpt); /* * NSSTrustDomain_CreateCryptoContextForAlgorithm * */ NSS_EXTERN NSSCryptoContext * NSSTrustDomain_CreateCryptoContextForAlgorithm( NSSTrustDomain *td, NSSOID *algorithm); /* * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters * */ NSS_EXTERN NSSCryptoContext * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters( NSSTrustDomain *td, NSSAlgorithmAndParameters *ap); /* find/traverse other objects, e.g. s/mime profiles */ /* * NSSCryptoContext * * A crypto context is sort of a short-term snapshot of a trust domain, * used for the life of "one crypto operation." You can also think of * it as a "temporary database." * * Just about all of the things you can do with a trust domain -- importing * or creating certs, keys, etc. -- can be done with a crypto context. * The difference is that the objects will be temporary ("session") objects. * * Also, if the context was created for a key, cert, and/or algorithm; or * if such objects have been "associated" with the context, then the context * can do everything the keys can, like crypto operations. * * And finally, because it keeps the state of the crypto operations, it * can do streaming crypto ops. */ /* * NSSTrustDomain_Destroy * */ NSS_EXTERN PRStatus NSSCryptoContext_Destroy(NSSCryptoContext *cc); /* establishing a default callback */ /* * NSSCryptoContext_SetDefaultCallback * */ NSS_EXTERN PRStatus NSSCryptoContext_SetDefaultCallback( NSSCryptoContext *cc, NSSCallback *newCallback, NSSCallback **oldCallbackOpt); /* * NSSCryptoContext_GetDefaultCallback * */ NSS_EXTERN NSSCallback * NSSCryptoContext_GetDefaultCallback( NSSCryptoContext *cc, PRStatus *statusOpt); /* * NSSCryptoContext_GetTrustDomain * */ NSS_EXTERN NSSTrustDomain * NSSCryptoContext_GetTrustDomain( NSSCryptoContext *cc); /* AddModule, etc: should we allow "temporary" changes here? */ /* DisableToken, etc: ditto */ /* Ordering of tokens? */ /* Finding slots+token etc. */ /* login+logout */ /* Importing things */ /* * NSSCryptoContext_FindOrImportCertificate * * If the certificate store already contains this DER cert, return the * address of the matching NSSCertificate that is already in the store, * and bump its reference count. * * If this DER cert is NOT already in the store, then add the new * NSSCertificate to the store and bump its reference count, * then return its address. * * if this DER cert is not in the store and cannot be added to it, * return NULL; * * Record the associated crypto context in the certificate. */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindOrImportCertificate( NSSCryptoContext *cc, NSSCertificate *c); /* * NSSCryptoContext_ImportPKIXCertificate * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_ImportPKIXCertificate( NSSCryptoContext *cc, struct NSSPKIXCertificateStr *pc); /* * NSSCryptoContext_ImportEncodedCertificate * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_ImportEncodedCertificate( NSSCryptoContext *cc, NSSBER *ber); /* * NSSCryptoContext_ImportEncodedPKIXCertificateChain * */ NSS_EXTERN PRStatus NSSCryptoContext_ImportEncodedPKIXCertificateChain( NSSCryptoContext *cc, NSSBER *ber); /* Other importations: S/MIME capabilities */ /* * NSSCryptoContext_FindBestCertificateByNickname * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestCertificateByNickname( NSSCryptoContext *cc, const NSSUTF8 *name, NSSTime *timeOpt, /* NULL for "now" */ NSSUsage *usage, NSSPolicies *policiesOpt /* NULL for none */ ); /* * NSSCryptoContext_FindCertificatesByNickname * */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindCertificatesByNickname( NSSCryptoContext *cc, NSSUTF8 *name, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber( NSSCryptoContext *cc, NSSDER *issuer, NSSDER *serialNumber); /* * NSSCryptoContext_FindBestCertificateBySubject * * This does not search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestCertificateBySubject( NSSCryptoContext *cc, NSSDER /*NSSUTF8*/ *subject, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindCertificatesBySubject * * This does not search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindCertificatesBySubject( NSSCryptoContext *cc, NSSDER /*NSSUTF8*/ *subject, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindBestCertificateByNameComponents * * This call does try several tricks, including a pseudo pkcs#11 * attribute for the ldap module to try as a query. Eventually * this call falls back to a traversal if that's what's required. * It will search through alternate names hidden in extensions. */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestCertificateByNameComponents( NSSCryptoContext *cc, NSSUTF8 *nameComponents, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindCertificatesByNameComponents * * This call, too, tries several tricks. It will stop on the first * attempt that generates results, so it won't e.g. traverse the * entire ldap database. */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindCertificatesByNameComponents( NSSCryptoContext *cc, NSSUTF8 *nameComponents, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindCertificateByEncodedCertificate * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindCertificateByEncodedCertificate( NSSCryptoContext *cc, NSSBER *encodedCertificate); /* * NSSCryptoContext_FindBestCertificateByEmail * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestCertificateByEmail( NSSCryptoContext *cc, NSSASCII7 *email, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindCertificatesByEmail * */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindCertificatesByEmail( NSSCryptoContext *cc, NSSASCII7 *email, NSSCertificate *rvOpt[], PRUint32 maximumOpt, /* 0 for no max */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindCertificateByOCSPHash * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindCertificateByOCSPHash( NSSCryptoContext *cc, NSSItem *hash); /* * NSSCryptoContext_TraverseCertificates * * * NSS_EXTERN PRStatus * * NSSCryptoContext_TraverseCertificates * ( * NSSCryptoContext *cc, * PRStatus (*callback)(NSSCertificate *c, void *arg), * void *arg * ); */ /* * NSSCryptoContext_FindBestUserCertificate * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestUserCertificate( NSSCryptoContext *cc, NSSTime *timeOpt, NSSUsage *usage, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindUserCertificates * */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindUserCertificates( NSSCryptoContext *cc, NSSTime *timeOpt, NSSUsage *usageOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth( NSSCryptoContext *cc, NSSUTF8 *sslHostOpt, NSSDER *rootCAsOpt[], /* null pointer for none */ PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindUserCertificatesForSSLClientAuth * */ NSS_EXTERN NSSCertificate ** NSSCryptoContext_FindUserCertificatesForSSLClientAuth( NSSCryptoContext *cc, NSSUTF8 *sslHostOpt, NSSDER *rootCAsOpt[], /* null pointer for none */ PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* * NSSCryptoContext_FindBestUserCertificateForEmailSigning * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindBestUserCertificateForEmailSigning( NSSCryptoContext *cc, NSSASCII7 *signerOpt, NSSASCII7 *recipientOpt, /* anything more here? */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt); /* * NSSCryptoContext_FindUserCertificatesForEmailSigning * */ NSS_EXTERN NSSCertificate * NSSCryptoContext_FindUserCertificatesForEmailSigning( NSSCryptoContext *cc, NSSASCII7 *signerOpt, /* fgmr or a more general name? */ NSSASCII7 *recipientOpt, /* anything more here? */ NSSAlgorithmAndParameters *apOpt, NSSPolicies *policiesOpt, NSSCertificate **rvOpt, PRUint32 rvLimit, /* zero for no limit */ NSSArena *arenaOpt); /* Private Keys */ /* * NSSCryptoContext_GenerateKeyPair * * Creates session objects. If you want persistant objects, use * NSSTrustDomain_GenerateKeyPair. The destination token is where * the keys are stored. If that token can do the required math, then * that's where the keys are generated too. Otherwise, the keys are * generated elsewhere and moved to that token. */ NSS_EXTERN PRStatus NSSCryptoContext_GenerateKeyPair( NSSCryptoContext *cc, NSSAlgorithmAndParameters *ap, NSSPrivateKey **pvkOpt, NSSPublicKey **pbkOpt, PRBool privateKeyIsSensitive, NSSToken *destination, NSSCallback *uhhOpt); /* * NSSCryptoContext_TraversePrivateKeys * * * NSS_EXTERN PRStatus * * NSSCryptoContext_TraversePrivateKeys * ( * NSSCryptoContext *cc, * PRStatus (*callback)(NSSPrivateKey *vk, void *arg), * void *arg * ); */ /* Symmetric Keys */ /* * NSSCryptoContext_GenerateSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSCryptoContext_GenerateSymmetricKey( NSSCryptoContext *cc, NSSAlgorithmAndParameters *ap, PRUint32 keysize, NSSToken *destination, NSSCallback *uhhOpt); /* * NSSCryptoContext_GenerateSymmetricKeyFromPassword * */ NSS_EXTERN NSSSymmetricKey * NSSCryptoContext_GenerateSymmetricKeyFromPassword( NSSCryptoContext *cc, NSSAlgorithmAndParameters *ap, NSSUTF8 *passwordOpt, /* if null, prompt */ NSSToken *destinationOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_FindSymmetricKeyByAlgorithm * * * NSS_EXTERN NSSSymmetricKey * * NSSCryptoContext_FindSymmetricKeyByType * ( * NSSCryptoContext *cc, * NSSOID *type, * NSSCallback *uhhOpt * ); */ /* * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID * */ NSS_EXTERN NSSSymmetricKey * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID( NSSCryptoContext *cc, NSSOID *algorithm, NSSItem *keyID, NSSCallback *uhhOpt); /* * NSSCryptoContext_TraverseSymmetricKeys * * * NSS_EXTERN PRStatus * * NSSCryptoContext_TraverseSymmetricKeys * ( * NSSCryptoContext *cc, * PRStatus (*callback)(NSSSymmetricKey *mk, void *arg), * void *arg * ); */ /* Crypto ops on distinguished keys */ /* * NSSCryptoContext_Decrypt * */ NSS_EXTERN NSSItem * NSSCryptoContext_Decrypt( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *encryptedData, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginDecrypt * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginDecrypt( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueDecrypt * */ /* * NSSItem semantics: * * If rvOpt is NULL, a new NSSItem and buffer are allocated. * If rvOpt is not null, but the buffer pointer is null, * then rvOpt is returned but a new buffer is allocated. * In this case, if the length value is not zero, then * no more than that much space will be allocated. * If rvOpt is not null and the buffer pointer is not null, * then that buffer is re-used. No more than the buffer * length value will be used; if it's not enough, an * error is returned. If less is used, the number is * adjusted downwards. * * Note that although this is short of some ideal "Item" * definition, we can usually tell how big these buffers * have to be. * * Feedback is requested; and earlier is better than later. */ NSS_EXTERN NSSItem * NSSCryptoContext_ContinueDecrypt( NSSCryptoContext *cc, NSSItem *data, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_FinishDecrypt * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishDecrypt( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_Sign * */ NSS_EXTERN NSSItem * NSSCryptoContext_Sign( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginSign * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginSign( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueSign * */ NSS_EXTERN PRStatus NSSCryptoContext_ContinueSign( NSSCryptoContext *cc, NSSItem *data); /* * NSSCryptoContext_FinishSign * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishSign( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_SignRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_SignRecover( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginSignRecover * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginSignRecover( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueSignRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_ContinueSignRecover( NSSCryptoContext *cc, NSSItem *data, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_FinishSignRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishSignRecover( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_UnwrapSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSCryptoContext_UnwrapSymmetricKey( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *wrappedKey, NSSCallback *uhhOpt); /* * NSSCryptoContext_DeriveSymmetricKey * */ NSS_EXTERN NSSSymmetricKey * NSSCryptoContext_DeriveSymmetricKey( NSSCryptoContext *cc, NSSPublicKey *bk, NSSAlgorithmAndParameters *apOpt, NSSOID *target, PRUint32 keySizeOpt, /* zero for best allowed */ NSSOperations operations, NSSCallback *uhhOpt); /* * NSSCryptoContext_Encrypt * * Encrypt a single chunk of data with the distinguished public key * of this crypto context. */ NSS_EXTERN NSSItem * NSSCryptoContext_Encrypt( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginEncrypt * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginEncrypt( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueEncrypt * */ NSS_EXTERN NSSItem * NSSCryptoContext_ContinueEncrypt( NSSCryptoContext *cc, NSSItem *data, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_FinishEncrypt * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishEncrypt( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_Verify * */ NSS_EXTERN PRStatus NSSCryptoContext_Verify( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSItem *signature, NSSCallback *uhhOpt); /* * NSSCryptoContext_BeginVerify * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginVerify( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *signature, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueVerify * */ NSS_EXTERN PRStatus NSSCryptoContext_ContinueVerify( NSSCryptoContext *cc, NSSItem *data); /* * NSSCryptoContext_FinishVerify * */ NSS_EXTERN PRStatus NSSCryptoContext_FinishVerify( NSSCryptoContext *cc); /* * NSSCryptoContext_VerifyRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_VerifyRecover( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *signature, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginVerifyRecover * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginVerifyRecover( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueVerifyRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_ContinueVerifyRecover( NSSCryptoContext *cc, NSSItem *data, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_FinishVerifyRecover * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishVerifyRecover( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_WrapSymmetricKey * */ NSS_EXTERN NSSItem * NSSCryptoContext_WrapSymmetricKey( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSSymmetricKey *keyToWrap, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_Digest * * Digest a single chunk of data with the distinguished digest key * of this crypto context. */ NSS_EXTERN NSSItem * NSSCryptoContext_Digest( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *data, NSSCallback *uhhOpt, NSSItem *rvOpt, NSSArena *arenaOpt); /* * NSSCryptoContext_BeginDigest * */ NSS_EXTERN PRStatus NSSCryptoContext_BeginDigest( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSCallback *uhhOpt); /* * NSSCryptoContext_ContinueDigest * */ NSS_EXTERN PRStatus NSSCryptoContext_ContinueDigest( NSSCryptoContext *cc, NSSAlgorithmAndParameters *apOpt, NSSItem *item); /* * NSSCryptoContext_FinishDigest * */ NSS_EXTERN NSSItem * NSSCryptoContext_FinishDigest( NSSCryptoContext *cc, NSSItem *rvOpt, NSSArena *arenaOpt); /* * tbd: Combination ops */ /* * NSSCryptoContext_Clone * */ NSS_EXTERN NSSCryptoContext * NSSCryptoContext_Clone(NSSCryptoContext *cc); /* * NSSCryptoContext_Save * NSSCryptoContext_Restore * * We need to be able to save and restore the state of contexts. * Perhaps a mark-and-release mechanism would be better? */ /* * ..._SignTBSCertificate * * This requires feedback from the cert server team. */ /* * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c); * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted); * * These will be helper functions which get the trust object for a cert, * and then call the corresponding function(s) on it. * * PKIX trust objects will have methods to manipulate the low-level trust * bits (which are based on key usage and extended key usage), and also the * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.) * * Other types of trust objects (if any) might have different low-level * representations, but hopefully high-level concepts would map. * * Only these high-level general routines would be promoted to the * general certificate level here. Hence the {xxx} above would be things * like "EmailSigning." * * * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c); * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t); * * I want to hold off on any general trust object until we've investigated * other models more thoroughly. */ PR_END_EXTERN_C #endif /* NSSPKI_H */