From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- security/nss/lib/pki/pkim.h | 547 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 547 insertions(+) create mode 100644 security/nss/lib/pki/pkim.h (limited to 'security/nss/lib/pki/pkim.h') diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h new file mode 100644 index 0000000000..3be3337ccf --- /dev/null +++ b/security/nss/lib/pki/pkim.h @@ -0,0 +1,547 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PKIM_H +#define PKIM_H + +#ifndef BASE_H +#include "base.h" +#endif /* BASE_H */ + +#ifndef PKI_H +#include "pki.h" +#endif /* PKI_H */ + +#ifndef PKITM_H +#include "pkitm.h" +#endif /* PKITM_H */ + +PR_BEGIN_EXTERN_C + +/* nssPKIObject + * + * This is the base object class, common to all PKI objects defined in + * in this module. Each object can be safely 'casted' to an nssPKIObject, + * then passed to these methods. + * + * nssPKIObject_Create + * nssPKIObject_Destroy + * nssPKIObject_AddRef + * nssPKIObject_AddInstance + * nssPKIObject_HasInstance + * nssPKIObject_GetTokens + * nssPKIObject_GetNicknameForToken + * nssPKIObject_RemoveInstanceForToken + * nssPKIObject_DeleteStoredObject + */ + +NSS_EXTERN void nssPKIObject_Lock(nssPKIObject *object); +NSS_EXTERN void nssPKIObject_Unlock(nssPKIObject *object); +NSS_EXTERN PRStatus nssPKIObject_NewLock(nssPKIObject *object, + nssPKILockType lockType); +NSS_EXTERN void nssPKIObject_DestroyLock(nssPKIObject *object); + +/* nssPKIObject_Create + * + * A generic PKI object. It must live in a trust domain. It may be + * initialized with a token instance, or alternatively in a crypto context. + */ +NSS_EXTERN nssPKIObject * +nssPKIObject_Create( + NSSArena *arenaOpt, + nssCryptokiObject *instanceOpt, + NSSTrustDomain *td, + NSSCryptoContext *ccOpt, + nssPKILockType lockType); + +/* nssPKIObject_AddRef + */ +NSS_EXTERN nssPKIObject * +nssPKIObject_AddRef(nssPKIObject *object); + +/* nssPKIObject_Destroy + * + * Returns true if object was destroyed. This notifies the subclass that + * all references are gone and it should delete any members it owns. + */ +NSS_EXTERN PRBool +nssPKIObject_Destroy(nssPKIObject *object); + +/* nssPKIObject_AddInstance + * + * Add a token instance to the object, if it does not have it already. + */ +NSS_EXTERN PRStatus +nssPKIObject_AddInstance( + nssPKIObject *object, + nssCryptokiObject *instance); + +/* nssPKIObject_HasInstance + * + * Query the object for a token instance. + */ +NSS_EXTERN PRBool +nssPKIObject_HasInstance( + nssPKIObject *object, + nssCryptokiObject *instance); + +/* nssPKIObject_GetTokens + * + * Get all tokens which have an instance of the object. + */ +NSS_EXTERN NSSToken ** +nssPKIObject_GetTokens( + nssPKIObject *object, + PRStatus *statusOpt); + +/* nssPKIObject_GetNicknameForToken + * + * tokenOpt == NULL means take the first available, otherwise return the + * nickname for the specified token. + */ +NSS_EXTERN NSSUTF8 * +nssPKIObject_GetNicknameForToken( + nssPKIObject *object, + NSSToken *tokenOpt); + +/* nssPKIObject_RemoveInstanceForToken + * + * Remove the instance of the object on the specified token. + */ +NSS_EXTERN PRStatus +nssPKIObject_RemoveInstanceForToken( + nssPKIObject *object, + NSSToken *token); + +/* nssPKIObject_DeleteStoredObject + * + * Delete all token instances of the object, as well as any crypto context + * instances (TODO). If any of the instances are read-only, or if the + * removal fails, the object will keep those instances. 'isFriendly' refers + * to the object -- can this object be removed from a friendly token without + * login? For example, certificates are friendly, private keys are not. + * Note that if the token is not friendly, authentication will be required + * regardless of the value of 'isFriendly'. + */ +NSS_EXTERN PRStatus +nssPKIObject_DeleteStoredObject( + nssPKIObject *object, + NSSCallback *uhh, + PRBool isFriendly); + +NSS_EXTERN nssCryptokiObject ** +nssPKIObject_GetInstances( + nssPKIObject *object); + +NSS_EXTERN NSSCertificate ** +nssTrustDomain_FindCertificatesByID( + NSSTrustDomain *td, + NSSItem *id, + NSSCertificate **rvOpt, + PRUint32 maximumOpt, + NSSArena *arenaOpt); + +NSS_EXTERN NSSCRL ** +nssTrustDomain_FindCRLsBySubject( + NSSTrustDomain *td, + NSSDER *subject); + +/* module-private nsspki methods */ + +NSS_EXTERN NSSCryptoContext * +nssCryptoContext_Create( + NSSTrustDomain *td, + NSSCallback *uhhOpt); + +/* XXX for the collection */ +NSS_EXTERN NSSCertificate * +nssCertificate_Create(nssPKIObject *object); + +NSS_EXTERN PRStatus +nssCertificate_SetCertTrust( + NSSCertificate *c, + NSSTrust *trust); + +NSS_EXTERN nssDecodedCert * +nssCertificate_GetDecoding(NSSCertificate *c); + +extern PRIntn +nssCertificate_SubjectListSort( + void *v1, + void *v2); + +NSS_EXTERN nssDecodedCert * +nssDecodedCert_Create( + NSSArena *arenaOpt, + NSSDER *encoding, + NSSCertificateType type); + +NSS_EXTERN PRStatus +nssDecodedCert_Destroy(nssDecodedCert *dc); + +NSS_EXTERN NSSTrust * +nssTrust_Create( + nssPKIObject *object, + NSSItem *certData); + +NSS_EXTERN NSSCRL * +nssCRL_Create(nssPKIObject *object); + +NSS_EXTERN NSSCRL * +nssCRL_AddRef(NSSCRL *crl); + +NSS_EXTERN PRStatus +nssCRL_Destroy(NSSCRL *crl); + +NSS_EXTERN PRStatus +nssCRL_DeleteStoredObject( + NSSCRL *crl, + NSSCallback *uhh); + +NSS_EXTERN NSSPrivateKey * +nssPrivateKey_Create(nssPKIObject *o); + +NSS_EXTERN NSSDER * +nssCRL_GetEncoding(NSSCRL *crl); + +NSS_EXTERN NSSPublicKey * +nssPublicKey_Create(nssPKIObject *object); + +/* nssCertificateArray + * + * These are being thrown around a lot, might as well group together some + * functionality. + * + * nssCertificateArray_Destroy + * nssCertificateArray_Join + * nssCertificateArray_FindBestCertificate + * nssCertificateArray_Traverse + */ + +/* nssCertificateArray_Destroy + * + * Will destroy the array and the certs within it. If the array was created + * in an arena, will *not* (of course) destroy the arena. However, is safe + * to call this method on an arena-allocated array. + */ +NSS_EXTERN void +nssCertificateArray_Destroy(NSSCertificate **certs); + +/* nssCertificateArray_Join + * + * Join two arrays into one. The two arrays, certs1 and certs2, should + * be considered invalid after a call to this function (they may be destroyed + * as part of the join). certs1 and/or certs2 may be NULL. Safe to + * call with arrays allocated in an arena, the result will also be in the + * arena. + */ +NSS_EXTERN NSSCertificate ** +nssCertificateArray_Join( + NSSCertificate **certs1, + NSSCertificate **certs2); + +/* nssCertificateArray_FindBestCertificate + * + * Use the usual { time, usage, policies } to find the best cert in the + * array. + */ +NSS_EXTERN NSSCertificate * +nssCertificateArray_FindBestCertificate( + NSSCertificate **certs, + NSSTime *timeOpt, + const NSSUsage *usage, + NSSPolicies *policiesOpt); + +/* nssCertificateArray_Traverse + * + * Do the callback for each cert, terminate the traversal if the callback + * fails. + */ +NSS_EXTERN PRStatus +nssCertificateArray_Traverse( + NSSCertificate **certs, + PRStatus (*callback)(NSSCertificate *c, void *arg), + void *arg); + +NSS_EXTERN void +nssCRLArray_Destroy(NSSCRL **crls); + +/* nssPKIObjectCollection + * + * This is a handy way to group objects together and perform operations + * on them. It can also handle "proto-objects"-- references to + * objects instances on tokens, where the actual object hasn't + * been formed yet. + * + * nssCertificateCollection_Create + * nssPrivateKeyCollection_Create + * nssPublicKeyCollection_Create + * + * If this was a language that provided for inheritance, each type would + * inherit all of the following methods. Instead, there is only one + * type (nssPKIObjectCollection), shared among all. This may cause + * confusion; an alternative would be to define all of the methods + * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't + * seem worth the code bloat.. It is left up to the caller to remember + * what type of collection he/she is dealing with. + * + * nssPKIObjectCollection_Destroy + * nssPKIObjectCollection_Count + * nssPKIObjectCollection_AddObject + * nssPKIObjectCollection_AddInstances + * nssPKIObjectCollection_Traverse + * + * Back to type-specific methods. + * + * nssPKIObjectCollection_GetCertificates + * nssPKIObjectCollection_GetCRLs + * nssPKIObjectCollection_GetPrivateKeys + * nssPKIObjectCollection_GetPublicKeys + */ + +/* nssCertificateCollection_Create + * + * Create a collection of certificates in the specified trust domain. + * Optionally provide a starting set of certs. + */ +NSS_EXTERN nssPKIObjectCollection * +nssCertificateCollection_Create( + NSSTrustDomain *td, + NSSCertificate **certsOpt); + +/* nssCRLCollection_Create + * + * Create a collection of CRLs/KRLs in the specified trust domain. + * Optionally provide a starting set of CRLs. + */ +NSS_EXTERN nssPKIObjectCollection * +nssCRLCollection_Create( + NSSTrustDomain *td, + NSSCRL **crlsOpt); + +/* nssPrivateKeyCollection_Create + * + * Create a collection of private keys in the specified trust domain. + * Optionally provide a starting set of keys. + */ +NSS_EXTERN nssPKIObjectCollection * +nssPrivateKeyCollection_Create( + NSSTrustDomain *td, + NSSPrivateKey **pvkOpt); + +/* nssPublicKeyCollection_Create + * + * Create a collection of public keys in the specified trust domain. + * Optionally provide a starting set of keys. + */ +NSS_EXTERN nssPKIObjectCollection * +nssPublicKeyCollection_Create( + NSSTrustDomain *td, + NSSPublicKey **pvkOpt); + +/* nssPKIObjectCollection_Destroy + */ +NSS_EXTERN void +nssPKIObjectCollection_Destroy(nssPKIObjectCollection *collection); + +/* nssPKIObjectCollection_Count + */ +NSS_EXTERN PRUint32 +nssPKIObjectCollection_Count(nssPKIObjectCollection *collection); + +NSS_EXTERN PRStatus +nssPKIObjectCollection_AddObject( + nssPKIObjectCollection *collection, + nssPKIObject *object); + +/* nssPKIObjectCollection_AddInstances + * + * Add a set of object instances to the collection. The instances + * will be sorted into any existing certs/proto-certs that may be in + * the collection. The instances will be absorbed by the collection, + * the array should not be used after this call (except to free it). + * + * Failure means the collection is in an invalid state. + * + * numInstances = 0 means the array is NULL-terminated + */ +NSS_EXTERN PRStatus +nssPKIObjectCollection_AddInstances( + nssPKIObjectCollection *collection, + nssCryptokiObject **instances, + PRUint32 numInstances); + +/* nssPKIObjectCollection_Traverse + */ +NSS_EXTERN PRStatus +nssPKIObjectCollection_Traverse( + nssPKIObjectCollection *collection, + nssPKIObjectCallback *callback); + +/* This function is being added for NSS 3.5. It corresponds to the function + * nssToken_TraverseCertificates. The idea is to use the collection during + * a traversal, creating certs each time a new instance is added for which + * a cert does not already exist. + */ +NSS_EXTERN PRStatus +nssPKIObjectCollection_AddInstanceAsObject( + nssPKIObjectCollection *collection, + nssCryptokiObject *instance); + +/* nssPKIObjectCollection_GetCertificates + * + * Get all of the certificates in the collection. + */ +NSS_EXTERN NSSCertificate ** +nssPKIObjectCollection_GetCertificates( + nssPKIObjectCollection *collection, + NSSCertificate **rvOpt, + PRUint32 maximumOpt, + NSSArena *arenaOpt); + +NSS_EXTERN NSSCRL ** +nssPKIObjectCollection_GetCRLs( + nssPKIObjectCollection *collection, + NSSCRL **rvOpt, + PRUint32 maximumOpt, + NSSArena *arenaOpt); + +NSS_EXTERN NSSPrivateKey ** +nssPKIObjectCollection_GetPrivateKeys( + nssPKIObjectCollection *collection, + NSSPrivateKey **rvOpt, + PRUint32 maximumOpt, + NSSArena *arenaOpt); + +NSS_EXTERN NSSPublicKey ** +nssPKIObjectCollection_GetPublicKeys( + nssPKIObjectCollection *collection, + NSSPublicKey **rvOpt, + PRUint32 maximumOpt, + NSSArena *arenaOpt); + +NSS_EXTERN NSSTime * +NSSTime_Now(NSSTime *timeOpt); + +NSS_EXTERN NSSTime * +NSSTime_SetPRTime( + NSSTime *timeOpt, + PRTime prTime); + +NSS_EXTERN PRTime +NSSTime_GetPRTime( + NSSTime *time); + +NSS_EXTERN nssHash * +nssHash_CreateCertificate( + NSSArena *arenaOpt, + PRUint32 numBuckets); + +/* 3.4 Certificate cache routines */ + +NSS_EXTERN PRStatus +nssTrustDomain_InitializeCache( + NSSTrustDomain *td, + PRUint32 cacheSize); + +NSS_EXTERN PRStatus +nssTrustDomain_AddCertsToCache( + NSSTrustDomain *td, + NSSCertificate **certs, + PRUint32 numCerts); + +NSS_EXTERN void +nssTrustDomain_RemoveCertFromCacheLOCKED( + NSSTrustDomain *td, + NSSCertificate *cert); + +NSS_EXTERN void +nssTrustDomain_LockCertCache(NSSTrustDomain *td); + +NSS_EXTERN void +nssTrustDomain_UnlockCertCache(NSSTrustDomain *td); + +NSS_IMPLEMENT PRStatus +nssTrustDomain_DestroyCache(NSSTrustDomain *td); + +/* + * Remove all certs for the given token from the cache. This is + * needed if the token is removed. + */ +NSS_EXTERN PRStatus +nssTrustDomain_RemoveTokenCertsFromCache( + NSSTrustDomain *td, + NSSToken *token); + +NSS_EXTERN PRStatus +nssTrustDomain_UpdateCachedTokenCerts( + NSSTrustDomain *td, + NSSToken *token); + +/* + * Find all cached certs with this nickname (label). + */ +NSS_EXTERN NSSCertificate ** +nssTrustDomain_GetCertsForNicknameFromCache( + NSSTrustDomain *td, + const NSSUTF8 *nickname, + nssList *certListOpt); + +/* + * Find all cached certs with this email address. + */ +NSS_EXTERN NSSCertificate ** +nssTrustDomain_GetCertsForEmailAddressFromCache( + NSSTrustDomain *td, + NSSASCII7 *email, + nssList *certListOpt); + +/* + * Find all cached certs with this subject. + */ +NSS_EXTERN NSSCertificate ** +nssTrustDomain_GetCertsForSubjectFromCache( + NSSTrustDomain *td, + NSSDER *subject, + nssList *certListOpt); + +/* + * Look for a specific cert in the cache. + */ +NSS_EXTERN NSSCertificate * +nssTrustDomain_GetCertForIssuerAndSNFromCache( + NSSTrustDomain *td, + NSSDER *issuer, + NSSDER *serialNum); + +/* + * Look for a specific cert in the cache. + */ +NSS_EXTERN NSSCertificate * +nssTrustDomain_GetCertByDERFromCache( + NSSTrustDomain *td, + NSSDER *der); + +/* Get all certs from the cache */ +/* XXX this is being included to make some old-style calls word, not to + * say we should keep it + */ +NSS_EXTERN NSSCertificate ** +nssTrustDomain_GetCertsFromCache( + NSSTrustDomain *td, + nssList *certListOpt); + +NSS_EXTERN void +nssTrustDomain_DumpCacheInfo( + NSSTrustDomain *td, + void (*cert_dump_iter)(const void *, void *, void *), + void *arg); + +NSS_EXTERN void +nssCertificateList_AddReferences( + nssList *certList); + +PR_END_EXTERN_C + +#endif /* PKIM_H */ -- cgit v1.2.3