/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef PKIM_H
#define PKIM_H

#ifndef BASE_H
#include "base.h"
#endif /* BASE_H */

#ifndef PKI_H
#include "pki.h"
#endif /* PKI_H */

#ifndef PKITM_H
#include "pkitm.h"
#endif /* PKITM_H */

PR_BEGIN_EXTERN_C

/* nssPKIObject
 *
 * This is the base object class, common to all PKI objects defined in
 * this module.  Each object can be safely 'casted' to an nssPKIObject,
 * then passed to these methods.
 *
 * NOTE(review): the cast is only meaningful for the module's own PKI
 * object types; presumably each of them embeds an nssPKIObject as its
 * first member (the layouts are not visible in this header) -- confirm
 * before casting any other pointer type.
 *
 * nssPKIObject_Create
 * nssPKIObject_Destroy
 * nssPKIObject_AddRef
 * nssPKIObject_AddInstance
 * nssPKIObject_HasInstance
 * nssPKIObject_GetTokens
 * nssPKIObject_GetNicknameForToken
 * nssPKIObject_RemoveInstanceForToken
 * nssPKIObject_DeleteStoredObject
 */

/* Lock management for the base object.
 *
 * NOTE(review): this header does not state which fields the lock protects,
 * whether it is re-entrant, or which of the methods below take it
 * internally -- check the implementation before nesting these calls.
 */
NSS_EXTERN void
nssPKIObject_Lock(nssPKIObject *object);

NSS_EXTERN void
nssPKIObject_Unlock(nssPKIObject *object);

NSS_EXTERN PRStatus
nssPKIObject_NewLock(
    nssPKIObject *object,
    nssPKILockType lockType);

NSS_EXTERN void
nssPKIObject_DestroyLock(nssPKIObject *object);

/* nssPKIObject_Create
 *
 * A generic PKI object.  It must live in a trust domain.  It may be
 * initialized with a token instance, or alternatively in a crypto context.
 *
 * NOTE(review): by the naming used in this file, the *Opt parameters
 * (arenaOpt, instanceOpt, ccOpt) are presumably allowed to be NULL while
 * td is required -- confirm against the implementation.
 */
NSS_EXTERN nssPKIObject *
nssPKIObject_Create(
    NSSArena *arenaOpt,
    nssCryptokiObject *instanceOpt,
    NSSTrustDomain *td,
    NSSCryptoContext *ccOpt,
    nssPKILockType lockType);

/* nssPKIObject_AddRef
 */
NSS_EXTERN nssPKIObject *
nssPKIObject_AddRef(nssPKIObject *object);

/* nssPKIObject_Destroy
 *
 * Returns true if object was destroyed.  This notifies the subclass that
 * all references are gone and it should delete any members it owns.
 *
 * A false return means the object was not destroyed; presumably other
 * references remain and this call only dropped the caller's -- confirm.
 * Either way the caller should treat its own pointer as no longer usable.
 */
NSS_EXTERN PRBool
nssPKIObject_Destroy(nssPKIObject *object);

/* nssPKIObject_AddInstance
 *
 * Add a token instance to the object, if it does not have it already.
 *
 * NOTE(review): ownership of 'instance' after the call (in particular when
 * the object already has it) is not stated here -- confirm who frees it.
 */
NSS_EXTERN PRStatus
nssPKIObject_AddInstance(
    nssPKIObject *object,
    nssCryptokiObject *instance);

/* nssPKIObject_HasInstance
 *
 * Query the object for a token instance.
 */
NSS_EXTERN PRBool
nssPKIObject_HasInstance(
    nssPKIObject *object,
    nssCryptokiObject *instance);

/* nssPKIObject_GetTokens
 *
 * Get all tokens which have an instance of the object.
 *
 * NOTE(review): how the returned array is terminated and released, and
 * what is written through statusOpt, is not documented here -- confirm.
 */
NSS_EXTERN NSSToken **
nssPKIObject_GetTokens(
    nssPKIObject *object,
    PRStatus *statusOpt);

/* nssPKIObject_GetNicknameForToken
 *
 * tokenOpt == NULL means take the first available, otherwise return the
 * nickname for the specified token.
 */
NSS_EXTERN NSSUTF8 *
nssPKIObject_GetNicknameForToken(
    nssPKIObject *object,
    NSSToken *tokenOpt);

/* nssPKIObject_RemoveInstanceForToken
 *
 * Remove the instance of the object on the specified token.
 */
NSS_EXTERN PRStatus
nssPKIObject_RemoveInstanceForToken(
    nssPKIObject *object,
    NSSToken *token);

/* nssPKIObject_DeleteStoredObject
 *
 * Delete all token instances of the object, as well as any crypto context
 * instances (TODO).  If any of the instances are read-only, or if the
 * removal fails, the object will keep those instances.  'isFriendly' refers
 * to the object -- can this object be removed from a friendly token without
 * login?  For example, certificates are friendly, private keys are not.
 * Note that if the token is not friendly, authentication will be required
 * regardless of the value of 'isFriendly'.
 *
 * Because surviving instances stay attached to the object, a caller that
 * needs the object gone from every token must not assume that from the
 * call alone.
 * NOTE(review): the text does not say which PRStatus is returned when only
 * some instances were removed -- confirm before treating success as
 * "no stored copy remains".
 */
NSS_EXTERN PRStatus
nssPKIObject_DeleteStoredObject(
    nssPKIObject *object,
    NSSCallback *uhh,
    PRBool isFriendly);

/* Returns the object's token instances.
 *
 * NOTE(review): termination and ownership of the returned array are not
 * documented in this header -- confirm.
 */
NSS_EXTERN nssCryptokiObject **
nssPKIObject_GetInstances(
    nssPKIObject *object);

/* Look up certificates in the trust domain by 'id'.
 *
 * NOTE(review): rvOpt / maximumOpt / arenaOpt follow the same optional
 * output-array pattern as the nssPKIObjectCollection_Get* functions below;
 * the exact contract (e.g. whether maximumOpt bounds writes into rvOpt) is
 * not stated here -- confirm before passing a caller-sized buffer.
 */
NSS_EXTERN NSSCertificate **
nssTrustDomain_FindCertificatesByID(
    NSSTrustDomain *td,
    NSSItem *id,
    NSSCertificate **rvOpt,
    PRUint32 maximumOpt,
    NSSArena *arenaOpt);

/* Look up CRLs in the trust domain by DER-typed 'subject'. */
NSS_EXTERN NSSCRL **
nssTrustDomain_FindCRLsBySubject(
    NSSTrustDomain *td,
    NSSDER *subject);

/* module-private nsspki methods */

NSS_EXTERN NSSCryptoContext *
nssCryptoContext_Create(
    NSSTrustDomain *td,
    NSSCallback *uhhOpt);

/* XXX for the collection */
NSS_EXTERN NSSCertificate *
nssCertificate_Create(nssPKIObject *object);

NSS_EXTERN PRStatus
nssCertificate_SetCertTrust(
    NSSCertificate *c,
    NSSTrust *trust);

NSS_EXTERN nssDecodedCert *
nssCertificate_GetDecoding(NSSCertificate *c);

/* NOTE(review): declared with plain 'extern' rather than NSS_EXTERN like
 * its neighbours; the untyped void pointers mean the compiler cannot check
 * what is passed in -- presumably both are NSSCertificate pointers; verify
 * against the callers.
 */
extern PRIntn
nssCertificate_SubjectListSort(
    void *v1,
    void *v2);

NSS_EXTERN nssDecodedCert *
nssDecodedCert_Create(
    NSSArena *arenaOpt,
    NSSDER *encoding,
    NSSCertificateType type);

NSS_EXTERN PRStatus
nssDecodedCert_Destroy(nssDecodedCert *dc);

NSS_EXTERN NSSTrust *
nssTrust_Create(
    nssPKIObject *object,
    NSSItem *certData);

NSS_EXTERN NSSCRL *
nssCRL_Create(nssPKIObject *object);

NSS_EXTERN NSSCRL *
nssCRL_AddRef(NSSCRL *crl);

NSS_EXTERN PRStatus
nssCRL_Destroy(NSSCRL *crl);

NSS_EXTERN PRStatus
nssCRL_DeleteStoredObject(
    NSSCRL *crl,
    NSSCallback *uhh);

NSS_EXTERN NSSPrivateKey *
nssPrivateKey_Create(nssPKIObject *o);

NSS_EXTERN NSSDER *
nssCRL_GetEncoding(NSSCRL *crl);

NSS_EXTERN NSSPublicKey *
nssPublicKey_Create(nssPKIObject *object);

/* nssCertificateArray
 *
 * These are being thrown around a lot, might as well group together some
 * functionality.
 *
 * nssCertificateArray_Destroy
 * nssCertificateArray_Join
 * nssCertificateArray_FindBestCertificate
 * nssCertificateArray_Traverse
 */

/* nssCertificateArray_Destroy
 *
 * Will destroy the array and the certs within it.  If the array was created
 * in an arena, will *not* (of course) destroy the arena.  However, is safe
 * to call this method on an arena-allocated array.
 */
NSS_EXTERN void
nssCertificateArray_Destroy(NSSCertificate **certs);

/* nssCertificateArray_Join
 *
 * Join two arrays into one.  The two arrays, certs1 and certs2, should
 * be considered invalid after a call to this function (they may be destroyed
 * as part of the join).  certs1 and/or certs2 may be NULL.  Safe to
 * call with arrays allocated in an arena, the result will also be in the
 * arena.
 *
 * Use only the returned pointer afterwards; keeping certs1 or certs2
 * around risks touching an array that has already been destroyed.
 */
NSS_EXTERN NSSCertificate **
nssCertificateArray_Join(
    NSSCertificate **certs1,
    NSSCertificate **certs2);

/* nssCertificateArray_FindBestCertificate
 *
 * Use the usual { time, usage, policies } to find the best cert in the
 * array.
 */
NSS_EXTERN NSSCertificate *
nssCertificateArray_FindBestCertificate(
    NSSCertificate **certs,
    NSSTime *timeOpt,
    const NSSUsage *usage,
    NSSPolicies *policiesOpt);

/* nssCertificateArray_Traverse
 *
 * Do the callback for each cert, terminate the traversal if the callback
 * fails.  'arg' is the opaque pointer handed to the callback as its second
 * parameter.
 */
NSS_EXTERN PRStatus
nssCertificateArray_Traverse(
    NSSCertificate **certs,
    PRStatus (*callback)(NSSCertificate *c, void *arg),
    void *arg);

NSS_EXTERN void
nssCRLArray_Destroy(NSSCRL **crls);

/* nssPKIObjectCollection
 *
 * This is a handy way to group objects together and perform operations
 * on them.  It can also handle "proto-objects"-- references to
 * object instances on tokens, where the actual object hasn't
 * been formed yet.
 *
 * nssCertificateCollection_Create
 * nssCRLCollection_Create
 * nssPrivateKeyCollection_Create
 * nssPublicKeyCollection_Create
 *
 * If this was a language that provided for inheritance, each type would
 * inherit all of the following methods.  Instead, there is only one
 * type (nssPKIObjectCollection), shared among all.  This may cause
 * confusion; an alternative would be to define all of the methods
 * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't
 * seem worth the code bloat.  It is left up to the caller to remember
 * what type of collection he/she is dealing with.
 *
 * Nothing in this header lets a caller query the collection's type, so
 * pairing a collection with the wrong type-specific getter is a caller
 * error the compiler cannot catch.
 * NOTE(review): whether the implementation detects such a mismatch is not
 * visible here -- confirm.
 *
 * nssPKIObjectCollection_Destroy
 * nssPKIObjectCollection_Count
 * nssPKIObjectCollection_AddObject
 * nssPKIObjectCollection_AddInstances
 * nssPKIObjectCollection_Traverse
 *
 * Back to type-specific methods.
 *
 * nssPKIObjectCollection_GetCertificates
 * nssPKIObjectCollection_GetCRLs
 * nssPKIObjectCollection_GetPrivateKeys
 * nssPKIObjectCollection_GetPublicKeys
 */

/* nssCertificateCollection_Create
 *
 * Create a collection of certificates in the specified trust domain.
 * Optionally provide a starting set of certs.
 */
NSS_EXTERN nssPKIObjectCollection *
nssCertificateCollection_Create(
    NSSTrustDomain *td,
    NSSCertificate **certsOpt);

/* nssCRLCollection_Create
 *
 * Create a collection of CRLs/KRLs in the specified trust domain.
 * Optionally provide a starting set of CRLs.
 */
NSS_EXTERN nssPKIObjectCollection *
nssCRLCollection_Create(
    NSSTrustDomain *td,
    NSSCRL **crlsOpt);

/* nssPrivateKeyCollection_Create
 *
 * Create a collection of private keys in the specified trust domain.
 * Optionally provide a starting set of keys.
 */
NSS_EXTERN nssPKIObjectCollection *
nssPrivateKeyCollection_Create(
    NSSTrustDomain *td,
    NSSPrivateKey **pvkOpt);

/* nssPublicKeyCollection_Create
 *
 * Create a collection of public keys in the specified trust domain.
 * Optionally provide a starting set of keys.
 *
 * Despite its name, the 'pvkOpt' parameter here is an array of public
 * keys (NSSPublicKey **), not private keys.
 */
NSS_EXTERN nssPKIObjectCollection *
nssPublicKeyCollection_Create(
    NSSTrustDomain *td,
    NSSPublicKey **pvkOpt);

/* nssPKIObjectCollection_Destroy
 */
NSS_EXTERN void
nssPKIObjectCollection_Destroy(nssPKIObjectCollection *collection);

/* nssPKIObjectCollection_Count
 */
NSS_EXTERN PRUint32
nssPKIObjectCollection_Count(nssPKIObjectCollection *collection);

NSS_EXTERN PRStatus
nssPKIObjectCollection_AddObject(
    nssPKIObjectCollection *collection,
    nssPKIObject *object);

/* nssPKIObjectCollection_AddInstances
 *
 * Add a set of object instances to the collection.  The instances
 * will be sorted into any existing certs/proto-certs that may be in
 * the collection.  The instances will be absorbed by the collection,
 * the array should not be used after this call (except to free it).
 *
 * Failure means the collection is in an invalid state.
 *
 * numInstances = 0 means the array is NULL-terminated
 *
 * Two consequences of the rules above for callers:
 *  - a computed count that happens to be 0 is read as "NULL-terminated",
 *    so an empty array must still end in NULL (or the call be skipped),
 *    otherwise the array is walked past its end;
 *  - after a failure the collection should not be used further.
 *    NOTE(review): presumably it may still be passed to
 *    nssPKIObjectCollection_Destroy -- confirm.
 */
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstances(
    nssPKIObjectCollection *collection,
    nssCryptokiObject **instances,
    PRUint32 numInstances);

/* nssPKIObjectCollection_Traverse
 */
NSS_EXTERN PRStatus
nssPKIObjectCollection_Traverse(
    nssPKIObjectCollection *collection,
    nssPKIObjectCallback *callback);

/* This function is being added for NSS 3.5.  It corresponds to the function
 * nssToken_TraverseCertificates.  The idea is to use the collection during
 * a traversal, creating certs each time a new instance is added for which
 * a cert does not already exist.
 */
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstanceAsObject(
    nssPKIObjectCollection *collection,
    nssCryptokiObject *instance);

/* nssPKIObjectCollection_GetCertificates
 *
 * Get all of the certificates in the collection.
 *
 * NOTE(review): applies to all four Get* functions below -- the roles of
 * rvOpt, maximumOpt and arenaOpt are not documented here.  Presumably
 * rvOpt is an optional caller-supplied output array, maximumOpt its
 * capacity and arenaOpt the arena used when the result is allocated;
 * confirm how maximumOpt == 0 is treated before relying on it as a bound.
 */
NSS_EXTERN NSSCertificate **
nssPKIObjectCollection_GetCertificates(
    nssPKIObjectCollection *collection,
    NSSCertificate **rvOpt,
    PRUint32 maximumOpt,
    NSSArena *arenaOpt);

NSS_EXTERN NSSCRL **
nssPKIObjectCollection_GetCRLs(
    nssPKIObjectCollection *collection,
    NSSCRL **rvOpt,
    PRUint32 maximumOpt,
    NSSArena *arenaOpt);

NSS_EXTERN NSSPrivateKey **
nssPKIObjectCollection_GetPrivateKeys(
    nssPKIObjectCollection *collection,
    NSSPrivateKey **rvOpt,
    PRUint32 maximumOpt,
    NSSArena *arenaOpt);

NSS_EXTERN NSSPublicKey **
nssPKIObjectCollection_GetPublicKeys(
    nssPKIObjectCollection *collection,
    NSSPublicKey **rvOpt,
    PRUint32 maximumOpt,
    NSSArena *arenaOpt);

/* NSSTime helpers: conversion between NSSTime and NSPR's PRTime. */
NSS_EXTERN NSSTime *
NSSTime_Now(NSSTime *timeOpt);

NSS_EXTERN NSSTime *
NSSTime_SetPRTime(
    NSSTime *timeOpt,
    PRTime prTime);

NSS_EXTERN PRTime
NSSTime_GetPRTime(
    NSSTime *time);

NSS_EXTERN nssHash *
nssHash_CreateCertificate(
    NSSArena *arenaOpt,
    PRUint32 numBuckets);

/* 3.4 Certificate cache routines */

NSS_EXTERN PRStatus
nssTrustDomain_InitializeCache(
    NSSTrustDomain *td,
    PRUint32 cacheSize);

/* NOTE(review): unlike nssPKIObjectCollection_AddInstances, nothing here
 * says whether numCerts == 0 has a special meaning -- confirm.
 */
NSS_EXTERN PRStatus
nssTrustDomain_AddCertsToCache(
    NSSTrustDomain *td,
    NSSCertificate **certs,
    PRUint32 numCerts);

/* NOTE(review): the LOCKED suffix suggests the caller must already hold
 * the cert cache lock (see nssTrustDomain_LockCertCache below); the
 * requirement is not written down in this header -- confirm.
 */
NSS_EXTERN void
nssTrustDomain_RemoveCertFromCacheLOCKED(
    NSSTrustDomain *td,
    NSSCertificate *cert);

NSS_EXTERN void
nssTrustDomain_LockCertCache(NSSTrustDomain *td);

NSS_EXTERN void
nssTrustDomain_UnlockCertCache(NSSTrustDomain *td);

/* NOTE(review): this prototype uses NSS_IMPLEMENT where every other one in
 * the header uses NSS_EXTERN (or plain extern) -- confirm it is intended.
 */
NSS_IMPLEMENT PRStatus
nssTrustDomain_DestroyCache(NSSTrustDomain *td);

/*
 * Remove all certs for the given token from the cache.  This is
 * needed if the token is removed.
 */
NSS_EXTERN PRStatus
nssTrustDomain_RemoveTokenCertsFromCache(
    NSSTrustDomain *td,
    NSSToken *token);

NSS_EXTERN PRStatus
nssTrustDomain_UpdateCachedTokenCerts(
    NSSTrustDomain *td,
    NSSToken *token);

/*
 * Find all cached certs with this nickname (label).
 *
 * NOTE(review): for this and the other *FromCache lookups taking
 * certListOpt, the header does not say whether results go into the list,
 * the returned array, or both, nor whether the returned certs carry their
 * own references -- confirm before releasing or caching the result.
 */
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForNicknameFromCache(
    NSSTrustDomain *td,
    const NSSUTF8 *nickname,
    nssList *certListOpt);

/*
 * Find all cached certs with this email address.
 */
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForEmailAddressFromCache(
    NSSTrustDomain *td,
    NSSASCII7 *email,
    nssList *certListOpt);

/*
 * Find all cached certs with this subject.
 */
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForSubjectFromCache(
    NSSTrustDomain *td,
    NSSDER *subject,
    nssList *certListOpt);

/*
 * Look for a specific cert in the cache, identified by issuer and
 * serial number.
 */
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertForIssuerAndSNFromCache(
    NSSTrustDomain *td,
    NSSDER *issuer,
    NSSDER *serialNum);

/*
 * Look for a specific cert in the cache, identified by its DER encoding.
 */
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertByDERFromCache(
    NSSTrustDomain *td,
    NSSDER *der);

/* Get all certs from the cache */
/* XXX this is being included to make some old-style calls work, not to
 *     say we should keep it
 */
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsFromCache(
    NSSTrustDomain *td,
    nssList *certListOpt);

/* Invokes cert_dump_iter over the cache contents, passing 'arg' through.
 *
 * NOTE(review): the meaning of the iterator's three untyped parameters is
 * not documented here -- check the implementation before writing one.
 */
NSS_EXTERN void
nssTrustDomain_DumpCacheInfo(
    NSSTrustDomain *td,
    void (*cert_dump_iter)(const void *, void *, void *),
    void *arg);

NSS_EXTERN void
nssCertificateList_AddReferences(
    nssList *certList);

PR_END_EXTERN_C

#endif /* PKIM_H */