diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/libpkix/include | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/lib/libpkix/include')
18 files changed, 13777 insertions, 0 deletions
diff --git a/security/nss/lib/libpkix/include/Makefile b/security/nss/lib/libpkix/include/Makefile new file mode 100644 index 0000000000..d714361be7 --- /dev/null +++ b/security/nss/lib/libpkix/include/Makefile @@ -0,0 +1,46 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + diff --git a/security/nss/lib/libpkix/include/exports.gyp b/security/nss/lib/libpkix/include/exports.gyp new file mode 100644 index 0000000000..92baaaa9d2 --- /dev/null +++ b/security/nss/lib/libpkix/include/exports.gyp @@ -0,0 +1,38 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'lib_libpkix_include_exports', + 'type': 'none', + 'copies': [ + { + 'files': [ + 'pkix.h', + 'pkix_certsel.h', + 'pkix_certstore.h', + 'pkix_checker.h', + 'pkix_crlsel.h', + 'pkix_errorstrings.h', + 'pkix_params.h', + 'pkix_pl_pki.h', + 'pkix_pl_system.h', + 'pkix_results.h', + 'pkix_revchecker.h', + 'pkix_sample_modules.h', + 'pkix_util.h', + 'pkixt.h' + ], + 'destination': '<(nss_private_dist_dir)/<(module)' + } + ] + } + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/security/nss/lib/libpkix/include/include.gyp b/security/nss/lib/libpkix/include/include.gyp new file mode 100644 index 0000000000..c435015910 --- /dev/null +++ b/security/nss/lib/libpkix/include/include.gyp @@ -0,0 +1,12 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../coreconf/config.gypi' + ], + 'targets': [], + 'variables': { + 'module': 'nss' + } +}
\ No newline at end of file diff --git a/security/nss/lib/libpkix/include/manifest.mn b/security/nss/lib/libpkix/include/manifest.mn new file mode 100644 index 0000000000..3792dbb869 --- /dev/null +++ b/security/nss/lib/libpkix/include/manifest.mn @@ -0,0 +1,29 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../../.. + +PRIVATE_EXPORTS = \ + pkix.h \ + pkix_crlsel.h \ + pkix_errorstrings.h \ + pkix_results.h \ + pkixt.h \ + pkix_certsel.h \ + pkix_params.h \ + pkix_revchecker.h \ + pkix_certstore.h \ + pkix_pl_pki.h \ + pkix_sample_modules.h \ + pkix_checker.h \ + pkix_pl_system.h \ + pkix_util.h \ + $(NULL) + +MODULE = nss + +CSRCS = \ + $(NULL) + +REQUIRES = dbm diff --git a/security/nss/lib/libpkix/include/pkix.h b/security/nss/lib/libpkix/include/pkix.h new file mode 100644 index 0000000000..4ef3cf1fbd --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix.h @@ -0,0 +1,301 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines the public API for libpkix. These are the top-level + * functions in the library. They perform the primary operations of this + * library: building and validating chains of X.509 certificates. + * + */ + +#ifndef _PKIX_H +#define _PKIX_H + +#include "pkixt.h" +#include "pkix_util.h" +#include "pkix_results.h" +#include "pkix_certstore.h" +#include "pkix_certsel.h" +#include "pkix_crlsel.h" +#include "pkix_checker.h" +#include "pkix_revchecker.h" +#include "pkix_pl_system.h" +#include "pkix_pl_pki.h" +#include "pkix_params.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* + * FUNCTION: PKIX_Initialize + * DESCRIPTION: + * + * No PKIX_* types and functions should be used before this function is called + * and returns successfully. This function should only be called once. If it + * is called more than once, the behavior is undefined. + * + * NSS applications are expected to call NSS_Init, and need not know that + * NSS will call this function (with "platformInitNeeded" set to PKIX_FALSE). + * PKIX applications are expected instead to call this function with + * "platformInitNeeded" set to PKIX_TRUE. + * + * This function initializes data structures critical to the operation of + * libpkix. It also ensures that the API version (major.minor) desired by the + * caller (the "desiredMajorVersion", "minDesiredMinorVersion", and + * "maxDesiredMinorVersion") is compatible with the API version supported by + * the library. As such, the library must support the "desiredMajorVersion" + * of the API and must support a minor version that falls between + * "minDesiredMinorVersion" and "maxDesiredMinorVersion", inclusive. If + * compatibility exists, the function returns NULL and stores the library's + * actual minor version at "pActualMinorVersion" (which may be greater than + * "desiredMinorVersion"). If no compatibility exists, the function returns a + * PKIX_Error pointer. If the caller wishes to specify that the largest + * minor version available should be used, then maxDesiredMinorVersion should + * be set to the macro PKIX_MAX_MINOR_VERSION (defined in pkixt.h). + * + * PARAMETERS: + * "platformInitNeeded" + * Boolean indicating whether the platform layer initialization code + * has previously been run, or should be called from this function. + * "desiredMajorVersion" + * The major version of the libpkix API the application wishes to use. + * "minDesiredMinorVersion" + * The minimum minor version of the libpkix API the application wishes + * to use. + * "maxDesiredMinorVersion" + * The maximum minor version of the libpkix API the application wishes + * to use. + * "pActualMinorVersion" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "pPlContext" + * Address at which platform-specific context pointer is stored. Must + * be non-NULL. + * THREAD SAFETY: + * Not Thread Safe + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Initialize Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Initialize( + PKIX_Boolean platformInitNeeded, + PKIX_UInt32 desiredMajorVersion, + PKIX_UInt32 minDesiredMinorVersion, + PKIX_UInt32 maxDesiredMinorVersion, + PKIX_UInt32 *pActualMinorVersion, + void **pPlContext); + +/* + * FUNCTION: PKIX_Shutdown + * DESCRIPTION: + * + * This function deallocates any memory used by libpkix and shuts down any + * ongoing operations. This function should only be called once. If it is + * called more than once, the behavior is undefined. + * + * No PKIX_* types and functions should be used after this function is called + * and returns successfully. + * PARAMETERS: + * "plContext" - Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Shutdown(void *plContext); + +/* + * FUNCTION: PKIX_ValidateChain + * DESCRIPTION: + * + * This function attempts to validate the CertChain that has been set in the + * ValidateParams pointed to by "params" using an RFC 3280-compliant + * algorithm. If successful, this function returns NULL and stores the + * ValidateResult at "pResult", which holds additional information, such as + * the policy tree and the target's public key. If unsuccessful, an Error is + * returned. Note: This function does not currently support non-blocking I/O. + * + * If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which + * tracks the results of the validation. That is, either each node in the + * chain has a NULL Error component, or the last node contains an Error + * which indicates why the validation failed. + * + * PARAMETERS: + * "params" + * Address of ValidateParams used to validate CertChain. Must be non-NULL. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "pVerifyTree" + * Address where a VerifyTree is stored, if non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (See Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Validate Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateChain( + PKIX_ValidateParams *params, + PKIX_ValidateResult **pResult, + PKIX_VerifyNode **pVerifyTree, + void *plContext); + +/* + * FUNCTION: PKIX_ValidateChain_NB + * DESCRIPTION: + * + * This function is the equivalent of PKIX_ValidateChain, except that it + * supports non-blocking I/O. When called with "pNBIOContext" pointing to NULL + * it initiates a new chain validation as in PKIX_ValidateChain, ignoring the + * value in all input variables except "params". If forced to suspend + * processing by a WOULDBLOCK return from some operation, such as a CertStore + * request, it stores the platform-dependent I/O context at "pNBIOContext" and + * stores other intermediate variables at "pCertIndex", "pAnchorIndex", + * "pCheckerIndex", "pRevChecking", and "pCheckers". + * + * When called subsequently with that non-NULL value at "pNBIOContext", it + * relies on those intermediate values to be untouched, and it resumes chain + * validation where it left off. Its behavior is undefined if any of the + * intermediate values was not preserved. + * + * PARAMETERS: + * "params" + * Address of ValidateParams used to validate CertChain. Must be non-NULL. + * "pCertIndex" + * The UInt32 value of the index to the Cert chain, indicating which Cert + * is currently being processed. + * "pAnchorIndex" + * The UInt32 value of the index to the Anchor chain, indicating which + * Trust Anchor is currently being processed. + * "pCheckerIndex" + * The UInt32 value of the index to the List of CertChainCheckers, + * indicating which Checker is currently processing. + * "pRevChecking" + * The Boolean flag indicating whether normal checking or revocation + * checking is occurring for the Cert indicated by "pCertIndex". + * "pCheckers" + * The address of the List of CertChainCheckers. Must be non-NULL. + * "pNBIOContext" + * The address of the platform-dependend I/O context. Must be a non-NULL + * pointer to a NULL value for the call to initiate chain validation. + * "pResult" + * Address where ValidateResult object pointer will be stored. Must be + * non-NULL. + * "pVerifyTree" + * Address where a VerifyTree is stored, if non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a VALIDATE Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */PKIX_Error * +PKIX_ValidateChain_NB( + PKIX_ValidateParams *params, + PKIX_UInt32 *pCertIndex, + PKIX_UInt32 *pAnchorIndex, + PKIX_UInt32 *pCheckerIndex, + PKIX_Boolean *pRevChecking, + PKIX_List **pCheckers, + void **pNBIOContext, + PKIX_ValidateResult **pResult, + PKIX_VerifyNode **pVerifyTree, + void *plContext); + +/* + * FUNCTION: PKIX_BuildChain + * DESCRIPTION: + * + * If called with a NULL "state", this function attempts to build and validate + * a CertChain according to the ProcessingParams pointed to by "params", using + * an RFC 3280-compliant validation algorithm. If successful, this function + * returns NULL and stores the BuildResult at "pResult", which holds the built + * CertChain, as well as additional information, such as the policy tree and + * the target's public key. If unsuccessful, an Error is returned. + * + * If the chain building is blocked by a CertStore using non-blocking I/O, this + * function stores platform-dependent non-blocking I/O context at + * "pNBIOContext", its state at "pState", and NULL at "pResult". The caller + * may be able to determine, in a platform-dependent way, when the I/O has + * completed. In any case, calling the function again with "pState" containing + * the returned value will allow the chain building to resume. + * + * If chain building is completed, either successfully or unsuccessfully, NULL + * is stored at "pNBIOContext". + * + * If "pVerifyTree" is non-NULL, a tree of VerifyNodes is created which + * tracks the results of the building. That is, each node of the tree either + * has a NULL Error component, or it is a leaf node and it contains an Error + * which indicates why the chain building could not proceed on this branch. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams used to build and validate CertChain. + * Must be non-NULL. + * "pNBIOContext" + * Address where platform-dependent information is store if the build + * is suspended waiting for non-blocking I/O. Must be non-NULL. + * "pState" + * Address of BuildChain state. Must be NULL on initial call, and the + * value previously returned on subsequent calls. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "pVerifyTree" + * Address where a VerifyTree is stored, if non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (See Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Build Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_BuildChain( + PKIX_ProcessingParams *params, + void **pNBIOContext, + void **pState, + PKIX_BuildResult **pResult, + PKIX_VerifyNode **pVerifyNode, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_H */ diff --git a/security/nss/lib/libpkix/include/pkix_certsel.h b/security/nss/lib/libpkix/include/pkix_certsel.h new file mode 100644 index 0000000000..e6b20c8c50 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_certsel.h @@ -0,0 +1,1826 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the PKIX_CertSelector and the + * PKIX_ComCertSelParams types. + * + */ + +#ifndef _PKIX_CERTSEL_H +#define _PKIX_CERTSEL_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_CertSelector + * + * PKIX_CertSelectors provide a standard way for the caller to select + * certificates based on particular criteria. A CertSelector is typically used + * by the caller to specify the constraints they wish to impose on the target + * certificate in a chain. (see pkix_params.h) A CertSelector is also often + * used to retrieve certificates from a CertStore that match the selector's + * criteria. (See pkix_certstore.h) For example, the caller may wish to only + * select those certificates that have a particular Subject Distinguished Name + * and a particular value for a private certificate extension. The + * MatchCallback allows the caller to specify the custom matching logic to be + * used by a CertSelector. + * + * By default, the MatchCallback is set to point to the default implementation + * provided by libpkix, which understands how to process the most common + * parameters. If the default implementation is used, the caller should set + * these common parameters using PKIX_CertSelector_SetCommonCertSelectorParams. + * Any common parameter that is not set is assumed to be disabled, which means + * the default MatchCallback implementation will select all certificates + * without regard to that particular disabled parameter. For example, if the + * SerialNumber parameter is not set, MatchCallback will not filter out any + * certificate based on its serial number. As such, if no parameters are set, + * all are disabled and any certificate will match. If a parameter is + * disabled, its associated PKIX_ComCertSelParams_Get* function returns a + * default value of NULL, or -1 for PKIX_ComCertSelParams_GetBasicConstraints + * and PKIX_ComCertSelParams_GetVersion, or 0 for + * PKIX_ComCertSelParams_GetKeyUsage. + * + * If a custom implementation is desired, the default implementation can be + * overridden by calling PKIX_CertSelector_SetMatchCallback. In this case, the + * CertSelector can be initialized with a certSelectorContext, which is where + * the caller can specify the desired parameters the caller wishes to match + * against. Note that this certSelectorContext must be an Object (although any + * object type), allowing it to be reference-counted and allowing it to + * provide the standard Object functions (Equals, Hashcode, ToString, Compare, + * Duplicate). + * + */ + +/* + * FUNCTION: PKIX_CertSelector_MatchCallback + * DESCRIPTION: + * + * This callback function determines whether the specified Cert pointed to by + * "cert" matches the criteria of the CertSelector pointed to by "selector". + * If the Cert does not matches the CertSelector's criteria, an exception will + * be thrown. + * + * PARAMETERS: + * "selector" + * Address of CertSelector whose MatchCallback logic and parameters are + * to be used. Must be non-NULL. + * "cert" + * Address of Cert that is to be matched using "selector". + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertSelector_MatchCallback)( + PKIX_CertSelector *selector, + PKIX_PL_Cert *cert, + void *plContext); + +/* + * FUNCTION: PKIX_CertSelector_Create + * DESCRIPTION: + * + * Creates a new CertSelector using the Object pointed to by + * "certSelectorContext" (if any) and stores it at "pSelector". As noted + * above, by default, the MatchCallback is set to point to the default + * implementation provided by libpkix, which understands how to process + * ComCertSelParams objects. This is overridden if the MatchCallback pointed + * to by "callback" is not NULL, in which case the parameters are specified + * using the certSelectorContext. + * + * PARAMETERS: + * "callback" + * The MatchCallback function to be used. + * "certSelectorContext" + * Address of Object representing the CertSelector's context (if any). + * "pSelector" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertSelector_Create( + PKIX_CertSelector_MatchCallback callback, + PKIX_PL_Object *certSelectorContext, + PKIX_CertSelector **pSelector, + void *plContext); + +/* + * FUNCTION: PKIX_CertSelector_GetMatchCallback + * DESCRIPTION: + * + * Retrieves a pointer to "selector's" Match callback function and puts it in + * "pCallback". + * + * PARAMETERS: + * "selector" + * The CertSelector whose Match callback is desired. Must be non-NULL. + * "pCallback" + * Address where Match callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertSelector_GetMatchCallback( + PKIX_CertSelector *selector, + PKIX_CertSelector_MatchCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertSelector_GetCertSelectorContext + * DESCRIPTION: + * + * Retrieves a pointer to a PKIX_PL_Object representing the context (if any) + * of the CertSelector pointed to by "selector" and stores it at + * "pCertSelectorContext". + * + * PARAMETERS: + * "selector" + * Address of CertSelector whose context is to be stored. + * Must be non-NULL. + * "pCertSelectorContext" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertSelector_GetCertSelectorContext( + PKIX_CertSelector *selector, + PKIX_PL_Object **pCertSelectorContext, + void *plContext); + +/* + * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams + * DESCRIPTION: + * + * Retrieves a pointer to the ComCertSelParams object that represent the + * common parameters of the CertSelector pointed to by "selector" and stores + * it at "pCommonCertSelectorParams". If there are no common parameters + * stored with the CertSelector, this function stores NULL at + * "pCommonCertSelectorParams". + * + * PARAMETERS: + * "selector" + * Address of CertSelector whose ComCertSelParams object is to be stored. + * Must be non-NULL. + * "pCommonCertSelectorParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertSelector_GetCommonCertSelectorParams( + PKIX_CertSelector *selector, + PKIX_ComCertSelParams **pCommonCertSelectorParams, + void *plContext); + +/* + * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams + * DESCRIPTION: + * + * Sets the common parameters for the CertSelector pointed to by "selector" + * using the ComCertSelParams object pointed to by "commonCertSelectorParams". + * + * PARAMETERS: + * "selector" + * Address of CertSelector whose common parameters are to be set. + * Must be non-NULL. + * "commonCertSelectorParams" + * Address of ComCertSelParams object representing the common parameters. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "selector" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertSelector_SetCommonCertSelectorParams( + PKIX_CertSelector *selector, + PKIX_ComCertSelParams *commonCertSelectorParams, + void *plContext); + +/* PKIX_ComCertSelParams + * + * PKIX_ComCertSelParams objects are X.509 parameters commonly used with + * CertSelectors, especially when enforcing constraints on a target + * certificate or determining which certificates to retrieve from a CertStore. + * ComCertSelParams objects are typically used with those CertSelectors that + * use the default implementation of MatchCallback, which understands how to + * process ComCertSelParams objects. + */ + +/* + * FUNCTION: PKIX_ComCertSelParams_Create + * DESCRIPTION: + * + * Creates a new ComCertSelParams object and stores it at "pParams". + * + * PARAMETERS: + * "pParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_Create( + PKIX_ComCertSelParams **pParams, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames + * DESCRIPTION: + * + * Retrieves a pointer to the List of GeneralNames (if any) representing the + * subject alternative names criterion that is set in the ComCertSelParams + * object pointed to by "params" and stores it at "pNames". In order to match + * against this criterion, a certificate must contain all or at least one of + * the criterion's subject alternative names (depending on the result of + * PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default behavior + * requires a certificate to contain all of the criterion's subject + * alternative names in order to match. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pNames", in which case all certificates are considered to match this + * criterion. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject alternative names + * criterion (if any) is to be stored. Must be non-NULL. + * "pNames" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubjAltNames( + PKIX_ComCertSelParams *params, + PKIX_List **pNames, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames + * DESCRIPTION: + * + * Sets the subject alternative names criterion of the ComCertSelParams object + * pointed to by "params" using a List of GeneralNames pointed to by "names". + * In order to match against this criterion, a certificate must contain all or + * at least one of the criterion's subject alternative names (depending on the + * result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default + * behavior requires a certificate to contain all of the criterion's subject + * alternative names in order to match. + * + * If "names" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject alternative + * names criterion is to be set. Must be non-NULL. + * "names" + * Address of List of GeneralNames used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubjAltNames( + PKIX_ComCertSelParams *params, + PKIX_List *names, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_AddSubjAltName + * DESCRIPTION: + * + * Adds to the subject alternative names criterion of the ComCertSelParams + * object pointed to by "params" using the GeneralName pointed to by "name". + * In order to match against this criterion, a certificate must contain all + * or at least one of the criterion's subject alternative names (depending on + * the result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default + * behavior requires a certificate to contain all of the criterion's subject + * alternative names in order to match. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject alternative names + * criterion is to be added to. Must be non-NULL. + * "name" + * Address of GeneralName to be added. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_AddSubjAltName( + PKIX_ComCertSelParams *params, + PKIX_PL_GeneralName *name, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetPathToNames + * DESCRIPTION: + * + * Retrieves a pointer to the List of GeneralNames (if any) representing the + * path to names criterion that is set in the ComCertSelParams object pointed + * to by "params" and stores it at "pNames". In order to match against this + * criterion, a certificate must not include name constraints that would + * prohibit building a path to the criterion's specified names. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pNames", in which case all certificates are considered to match this + * criterion. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose path to names criterion + * (if any) is to be stored. Must be non-NULL. + * "pNames" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetPathToNames( + PKIX_ComCertSelParams *params, + PKIX_List **pNames, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetPathToNames + * DESCRIPTION: + * + * Sets the path to names criterion of the ComCertSelParams object pointed to + * by "params" using a List of GeneralNames pointed to by "names". In order to + * match against this criterion, a certificate must not include name + * constraints that would prohibit building a path to the criterion's + * specified names. + * + * If "names" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose path to names criterion + * is to be set. Must be non-NULL. + * "names" + * Address of List of GeneralNames used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetPathToNames( + PKIX_ComCertSelParams *params, + PKIX_List *names, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_AddPathToName + * DESCRIPTION: + * + * Adds to the path to names criterion of the ComCertSelParams object pointed + * to by "params" using the GeneralName pointed to by "pathToName". In order + * to match against this criterion, a certificate must not include name + * constraints that would prohibit building a path to the criterion's + * specified names. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose path to names criterion is to + * be added to. Must be non-NULL. + * "pathToName" + * Address of GeneralName to be added. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_AddPathToName( + PKIX_ComCertSelParams *params, + PKIX_PL_GeneralName *pathToName, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier + * DESCRIPTION: + * + * Retrieves a pointer to the ByteArray (if any) representing the authority + * key identifier criterion that is set in the ComCertSelParams object + * pointed to by "params" and stores it at "pAuthKeyId". In order to match + * against this criterion, a certificate must contain an + * AuthorityKeyIdentifier extension whose value matches the criterion's + * authority key identifier value. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pAuthKeyId", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose authority key identifier + * criterion (if any) is to be stored. Must be non-NULL. + * "pAuthKeyId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetAuthorityKeyIdentifier( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray **pAuthKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier + * DESCRIPTION: + * + * Sets the authority key identifier criterion of the ComCertSelParams object + * pointed to by "params" to the ByteArray pointed to by "authKeyId". In + * order to match against this criterion, a certificate must contain an + * AuthorityKeyIdentifier extension whose value matches the criterion's + * authority key identifier value. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose authority key identifier + * criterion is to be set. Must be non-NULL. + * "authKeyId" + * Address of ByteArray used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetAuthorityKeyIdentifier( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray *authKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier + * DESCRIPTION: + * + * Retrieves a pointer to the ByteArray (if any) representing the subject key + * identifier criterion that is set in the ComCertSelParams object pointed to + * by "params" and stores it at "pSubjKeyId". In order to match against this + * criterion, a certificate must contain a SubjectKeyIdentifier extension + * whose value matches the criterion's subject key identifier value. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pSubjKeyId", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject key identifier + * criterion (if any) is to be stored. Must be non-NULL. + * "pSubjKeyId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubjKeyIdentifier( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray **pSubjKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier + * DESCRIPTION: + * + * Sets the subject key identifier criterion of the ComCertSelParams object + * pointed to by "params" using a ByteArray pointed to by "subjKeyId". In + * order to match against this criterion, a certificate must contain an + * SubjectKeyIdentifier extension whose value matches the criterion's subject + * key identifier value. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject key identifier + * criterion is to be set. Must be non-NULL. + * "subjKeyId" + * Address of ByteArray used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubjKeyIdentifier( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray *subKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey + * DESCRIPTION: + * + * Retrieves a pointer to the PublicKey (if any) representing the subject + * public key criterion that is set in the ComCertSelParams object pointed to + * by "params" and stores it at "pPubKey". In order to match against this + * criterion, a certificate must contain a SubjectPublicKey that matches the + * criterion's public key. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pPubKey", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject public key criterion + * (if any) is to be stored. Must be non-NULL. + * "pPubKey" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubjPubKey( + PKIX_ComCertSelParams *params, + PKIX_PL_PublicKey **pPubKey, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey + * DESCRIPTION: + * + * Sets the subject public key criterion of the ComCertSelParams object + * pointed to by "params" using a PublicKey pointed to by "pubKey". In order + * to match against this criterion, a certificate must contain a + * SubjectPublicKey that matches the criterion's public key. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject public key + * criterion is to be set. Must be non-NULL. + * "pubKey" + * Address of PublicKey used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubjPubKey( + PKIX_ComCertSelParams *params, + PKIX_PL_PublicKey *pubKey, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId + * DESCRIPTION: + * + * Retrieves a pointer to the OID (if any) representing the subject public key + * algorithm identifier criterion that is set in the ComCertSelParams object + * pointed to by "params" and stores it at "pPubKey". In order to match + * against this criterion, a certificate must contain a SubjectPublicKey with + * an algorithm that matches the criterion's algorithm. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pAlgId", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject public key algorithm + * identifier (if any) is to be stored. Must be non-NULL. + * "pAlgId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubjPKAlgId( + PKIX_ComCertSelParams *params, + PKIX_PL_OID **pAlgId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId + * DESCRIPTION: + * + * Sets the subject public key algorithm identifier criterion of the + * ComCertSelParams object pointed to by "params" using an OID pointed to by + * "algId". In order to match against this criterion, a certificate must + * contain a SubjectPublicKey with an algorithm that matches the criterion's + * algorithm. + * + * If "algId" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject public key + * algorithm identifier criterion is to be set. Must be non-NULL. + * "algId" + * Address of OID used to set criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubjPKAlgId( + PKIX_ComCertSelParams *params, + PKIX_PL_OID *algId, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints + * DESCRIPTION: + * + * Retrieves a pointer to the minimum path length (if any) representing the + * basic constraints criterion that is set in the ComCertSelParams object + * pointed to by "params" and stores it at "pMinPathLength". In order to + * match against this criterion, there are several possibilities. + * + * 1) If the criterion's minimum path length is greater than or equal to zero, + * a certificate must include a BasicConstraints extension with a pathLen of + * at least this value. + * + * 2) If the criterion's minimum path length is -2, a certificate must be an + * end-entity certificate. + * + * 3) If the criterion's minimum path length is -1, no basic constraints check + * is done and all certificates are considered to match this criterion. + * + * The semantics of other values of the criterion's minimum path length are + * undefined but may be defined in future versions of the API. + * + * If "params" does not have this criterion set, this function stores -1 at + * "pMinPathLength", in which case all certificates are considered to match + * this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose basic constraints criterion + * (if any) is to be stored. Must be non-NULL. + * "pMinPathLength" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetBasicConstraints( + PKIX_ComCertSelParams *params, + PKIX_Int32 *pMinPathLength, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints + * DESCRIPTION: + * + * Sets the basic constraints criterion of the ComCertSelParams object + * pointed to by "params" using the integer value of "minPathLength". In + * order to match against this criterion, there are several possibilities. + * + * 1) If the criterion's minimum path length is greater than or equal to zero, + * a certificate must include a BasicConstraints extension with a pathLen of + * at least this value. + * + * 2) If the criterion's minimum path length is -2, a certificate must be an + * end-entity certificate. + * + * 3) If the criterion's minimum path length is -1, no basic constraints check + * is done and all certificates are considered to match this criterion. + * + * The semantics of other values of the criterion's minimum path length are + * undefined but may be defined in future versions of the API. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose basic constraints + * criterion is to be set. Must be non-NULL. + * "minPathLength" + * Value of PKIX_Int32 used to set the criterion + * (or -1 to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetBasicConstraints( + PKIX_ComCertSelParams *params, + PKIX_Int32 minPathLength, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetCertificate + * DESCRIPTION: + * + * Retrieves a pointer to the Cert (if any) representing the certificate + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pCert". In order to match against this + * criterion, a certificate must be equal to the criterion's certificate. If + * this criterion is specified, it is usually not necessary to specify any + * other criteria, since this criterion requires an exact certificate match. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pCert", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose certificate criterion + * (if any) is to be stored. Must be non-NULL. + * "pCert" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetCertificate( + PKIX_ComCertSelParams *params, + PKIX_PL_Cert **pCert, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetCertificate + * DESCRIPTION: + * + * Sets the certificate criterion of the ComCertSelParams object pointed to by + * "params" using a Cert pointed to by "cert". In order to match against this + * criterion, a certificate must be equal to the criterion's certificate. + * If this criterion is specified, it is usually not necessary to specify + * any other criteria, since this criterion requires an exact certificate + * match. + * + * If "cert" is NULL, all certificates are considered to match this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose certificate criterion is to be + * set. Must be non-NULL. + * "cert" + * Address of Cert used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetCertificate( + PKIX_ComCertSelParams *params, + PKIX_PL_Cert *cert, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetCertificateValid + * DESCRIPTION: + * + * Retrieves a pointer to the Date (if any) representing the certificate + * validity criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pDate". In order to match against this + * criterion, a certificate's validity period must include the criterion's + * Date. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pDate", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose certificate validity criterion + * (if any) is to be stored. Must be non-NULL. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetCertificateValid( + PKIX_ComCertSelParams *params, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetCertificateValid + * DESCRIPTION: + * + * Sets the certificate validity criterion of the ComCertSelParams object + * pointed to by "params" using a Date pointed to by "date". In order to + * match against this criterion, a certificate's validity period must include + * the criterion's Date. + * + * If "date" is NULL, all certificates are considered to match this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose certificate validity criterion + * is to be set. Must be non-NULL. + * "date" + * Address of Date used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetCertificateValid( + PKIX_ComCertSelParams *params, + PKIX_PL_Date *date, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSerialNumber + * DESCRIPTION: + * + * Retrieves a pointer to the BigInt (if any) representing the serial number + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pSerialNumber". In order to match against this + * criterion, a certificate must have a serial number equal to the + * criterion's serial number. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pSerialNumber", in which case all certificates are considered to match + * this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose serial number criterion + * (if any) is to be stored. Must be non-NULL. + * "pSerialNumber" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSerialNumber( + PKIX_ComCertSelParams *params, + PKIX_PL_BigInt **pSerialNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSerialNumber + * DESCRIPTION: + * + * Sets the serial number criterion of the ComCertSelParams object pointed to + * by "params" using a BigInt pointed to by "serialNumber". In order to match + * against this criterion, a certificate must have a serial number equal to + * the criterion's serial number. + * + * If "serialNumber" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose serial number criterion is to + * be set. Must be non-NULL. + * "serialNumber" + * Address of BigInt used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSerialNumber( + PKIX_ComCertSelParams *params, + PKIX_PL_BigInt *serialNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetVersion + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the version criterion that is + * set in the ComCertSelParams object pointed to by "params" and stores it at + * "pVersion". In order to match against this criterion, a certificate's + * version must be equal to the criterion's version. + * + * The version number will either be 0, 1, or 2 (corresponding to + * v1, v2, or v3, respectively). + * + * If "params" does not have this criterion set, this function stores + * 0xFFFFFFFF at "pVersion", in which case all certificates are considered + * to match this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose version criterion (if any) is + * to be stored. Must be non-NULL. + * "pVersion" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetVersion( + PKIX_ComCertSelParams *params, + PKIX_UInt32 *pVersion, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetVersion + * DESCRIPTION: + * + * Sets the version criterion of the ComCertSelParams object pointed to by + * "params" using the integer value of "version". In order to match against + * this criterion, a certificate's version must be equal to the criterion's + * version. If the criterion's version is -1, no version check is done and + * all certificates are considered to match this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose version criterion is to be + * set. Must be non-NULL. + * "version" + * Value of PKIX_Int32 used to set the criterion + * (or -1 to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetVersion( + PKIX_ComCertSelParams *params, + PKIX_Int32 version, + void *plContext); + + +/* + * FUNCTION: PKIX_ComCertSelParams_GetKeyUsage + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the key usage criterion that + * is set in the ComCertSelParams object pointed to by "params" and stores it + * at "pKeyUsage". In order to match against this criterion, a certificate + * must allow the criterion's key usage values. Note that a certificate that + * has no KeyUsage extension implicity allows all key usages. Note also that + * this functions supports a maximum of 32 key usage bits. + * + * If "params" does not have this criterion set, this function stores zero at + * "pKeyUsage", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose key usage criterion (if any) + * is to be stored. Must be non-NULL. + * "pKeyUsage" + * Address where PKIX_UInt32 will be stored. Must not be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetKeyUsage( + PKIX_ComCertSelParams *params, + PKIX_UInt32 *pKeyUsage, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetKeyUsage + * DESCRIPTION: + * + * Sets the key usage criterion of the ComCertSelParams object pointed to by + * "params" using the integer value of "keyUsage". In order to match against + * this criterion, a certificate must allow the criterion's key usage values. + * Note that a certificate that has no KeyUsage extension implicity allows + * all key usages. Note also that this functions supports a maximum of 32 key + * usage bits. + * + * If the criterion's key usage value is zero, no key usage check is done and + * all certificates are considered to match this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose key usage criterion is to be + * set. Must be non-NULL. + * "keyUsage" + * Value of PKIX_Int32 used to set the criterion + * (or zero to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetKeyUsage( + PKIX_ComCertSelParams *params, + PKIX_UInt32 keyUsage, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (if any) representing the extended + * key usage criterion that is set in the ComCertSelParams object pointed to + * by "params" and stores it at "pExtKeyUsage". In order to match against this + * criterion, a certificate's ExtendedKeyUsage extension must allow the + * criterion's extended key usages. Note that a certificate that has no + * ExtendedKeyUsage extension implicity allows all key purposes. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pExtKeyUsage", in which case all certificates are considered to match + * this criterion. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose extended key usage criterion + * (if any) is to be stored. Must be non-NULL. + * "pExtKeyUsage" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetExtendedKeyUsage( + PKIX_ComCertSelParams *params, + PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage + * DESCRIPTION: + * + * Sets the extended key usage criterion of the ComCertSelParams object + * pointed to by "params" using a List of OIDs pointed to by "extKeyUsage". + * In order to match against this criterion, a certificate's ExtendedKeyUsage + * extension must allow the criterion's extended key usages. Note that a + * certificate that has no ExtendedKeyUsage extension implicitly allows all + * key purposes. + * + * If "extKeyUsage" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose extended key usage criterion + * is to be set. Must be non-NULL. + * "extKeyUsage" + * Address of List of OIDs used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetExtendedKeyUsage( + PKIX_ComCertSelParams *params, + PKIX_List *extKeyUsage, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetPolicy + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (if any) representing the policy + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pPolicy". In order to match against this + * criterion, a certificate's CertificatePolicies extension must include at + * least one of the criterion's policies. If "params" has this criterion set, + * but the List of OIDs is empty, then a certificate's CertificatePolicies + * extension must include at least some policy. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pPolicy", in which case all certificates are considered to match this + * criterion. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose policy criterion (if any) is + * to be stored. Must be non-NULL. + * "pPolicy" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetPolicy( + PKIX_ComCertSelParams *params, + PKIX_List **pPolicy, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetPolicy + * DESCRIPTION: + * + * Sets the policy criterion of the ComCertSelParams object pointed to by + * "params" using a List of OIDs pointed to by "policy". In order to match + * against this criterion, a certificate's CertificatePolicies extension must + * include at least one of the criterion's policies. If "params" has this + * criterion set, but the List of OIDs is empty, then a certificate's + * CertificatePolicies extension must include at least some policy. + * + * If "policy" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose policy criterion is to be set. + * Must be non-NULL. + * "policy" + * Address of List of OIDs used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetPolicy( + PKIX_ComCertSelParams *params, + PKIX_List *policy, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetIssuer + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name (if any) representing the issuer + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pIssuer". In order to match against this + * criterion, a certificate's IssuerName must match the criterion's issuer + * name. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pIssuer", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose issuer criterion (if any) is + * to be stored. Must be non-NULL. + * "pIssuer" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetIssuer( + PKIX_ComCertSelParams *params, + PKIX_PL_X500Name **pIssuer, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetIssuer + * DESCRIPTION: + * + * Sets the issuer criterion of the ComCertSelParams object pointed to by + * "params" using an X500Name pointed to by "issuer". In order to match + * against this criterion, a certificate's IssuerName must match the + * criterion's issuer name. + * + * If "issuer" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose issuer criterion is to be set. + * Must be non-NULL. + * "issuer" + * Address of X500Name used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetIssuer( + PKIX_ComCertSelParams *params, + PKIX_PL_X500Name *issuer, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubject + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name (if any) representing the subject + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pSubject". In order to match against this + * criterion, a certificate's SubjectName must match the criterion's subject + * name. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pSubject", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject criterion (if any) is + * to be stored. Must be non-NULL. + * "pSubject" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubject( + PKIX_ComCertSelParams *params, + PKIX_PL_X500Name **pSubject, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubject + * DESCRIPTION: + * + * Sets the subject criterion of the ComCertSelParams object pointed to by + * "params" using an X500Name pointed to by "subject". In order to match + * against this criterion, a certificate's SubjectName must match the + * criterion's subject name. + * + * If "subject" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject criterion is to be + * set. Must be non-NULL. + * "subject" + * Address of X500Name used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubject( + PKIX_ComCertSelParams *params, + PKIX_PL_X500Name *subject, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetSubjectAsByteArray + * DESCRIPTION: + * + * Retrieves a pointer to the ByteArray (if any) representing the subject + * criterion that is set in the ComCertSelParams object pointed to by + * "params" and stores it at "pSubject". In order to match against this + * criterion, a certificate's SubjectName must match the criterion's subject + * name. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pSubject", in which case all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject criterion (if any) is + * to be stored. Must be non-NULL. + * "pSubject" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetSubjectAsByteArray( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray **pSubject, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetSubjectAsByteArray + * DESCRIPTION: + * + * Sets the subject criterion of the ComCertSelParams object pointed to by + * "params" using a ByteArray pointed to by "subject". In order to match + * against this criterion, a certificate's SubjectName must match the + * criterion's subject name. + * + * If "subject" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose subject criterion is to be + * set. Must be non-NULL. + * "subject" + * Address of ByteArray used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetSubjectAsByteArray( + PKIX_ComCertSelParams *params, + PKIX_PL_ByteArray *subject, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetNameConstraints + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name (if any) representing the name + * constraints criterion that is set in the ComCertSelParams object pointed + * to by "params" and stores it at "pConstraints". In order to match against + * this criterion, a certificate's subject and subject alternative names must + * be allowed by the criterion's name constraints. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pConstraints", in which case all certificates are considered to match + * this criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose name constraints criterion + * (if any) is to be stored. Must be non-NULL. + * "pConstraints" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetNameConstraints( + PKIX_ComCertSelParams *params, + PKIX_PL_CertNameConstraints **pConstraints, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetNameConstraints + * DESCRIPTION: + * + * Sets the name constraints criterion of the ComCertSelParams object pointed + * to by "params" using the CertNameConstraints pointed to by "constraints". + * In order to match against this criterion, a certificate's subject and + * subject alternative names must be allowed by the criterion's name + * constraints. + * + * If "constraints" is NULL, all certificates are considered to match this + * criterion. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose name constraints criterion is + * to be set. Must be non-NULL. + * "constraints" + * Address of CertNameConstraints used to set the criterion + * (or NULL to disable the criterion). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetNameConstraints( + PKIX_ComCertSelParams *params, + PKIX_PL_CertNameConstraints *constraints, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames + * DESCRIPTION: + * + * Checks whether the ComCertSelParams object pointed to by "params" indicate + * that all subject alternative names are to be matched and stores the Boolean + * result at "pMatch". This Boolean value determines the behavior of the + * subject alternative names criterion. + * + * In order to match against the subject alternative names criterion, if the + * Boolean value at "pMatch" is PKIX_TRUE, a certificate must contain all of + * the criterion's subject alternative names. If the Boolean value at + * "pMatch" is PKIX_FALSE, a certificate must contain at least one of the + * criterion's subject alternative names. The default behavior is as if the + * Boolean value at "pMatch" is PKIX_TRUE. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object used to determine whether all + * subject alternative names must be matched. Must be non-NULL. + * "pMatch" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_GetMatchAllSubjAltNames( + PKIX_ComCertSelParams *params, + PKIX_Boolean *pMatch, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames + * DESCRIPTION: + * + * Sets the match flag of the ComCertSelParams object pointed to by "params" + * using the Boolean value of "match". This Boolean value determines the + * behavior of the subject alternative names criterion. + * + * In order to match against the subject alternative names criterion, if the + * "match" is PKIX_TRUE, a certificate must contain all of the criterion's + * subject alternative names. If the "match" is PKIX_FALSE, a certificate + * must contain at least one of the criterion's subject alternative names. + * The default behavior is as if "match" is PKIX_TRUE. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose match flag is to be set. + * Must be non-NULL. + * "match" + * Boolean value used to set the match flag. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetMatchAllSubjAltNames( + PKIX_ComCertSelParams *params, + PKIX_Boolean match, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag + * DESCRIPTION: + * + * Return "leafCert" flag of the ComCertSelParams structure. If set to true, + * the flag indicates that a selector should filter out all cert that are not + * qualified to be a leaf cert according to the specified key/ekey usages. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object used to determine whether all + * subject alternative names must be matched. Must be non-NULL. + * "pLeafFlag" + * Address of returned value. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error* +PKIX_ComCertSelParams_GetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean *pLeafFlag, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag + * DESCRIPTION: + * + * Sets a flag that if its value is true, indicates that the selector + * should only pick certs that qualifies to be leaf for this cert path + * validation. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose match flag is to be set. + * Must be non-NULL. + * "leafFlag" + * Boolean value used to set the leaf flag. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean leafFlag, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_CERTSEL_H */ diff --git a/security/nss/lib/libpkix/include/pkix_certstore.h b/security/nss/lib/libpkix/include/pkix_certstore.h new file mode 100644 index 0000000000..fb705644eb --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_certstore.h @@ -0,0 +1,714 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the PKIX_CertStore type. + * + */ + +#ifndef _PKIX_CERTSTORE_H +#define _PKIX_CERTSTORE_H + +#include "pkixt.h" +#include "certt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_CertStore + * + * A PKIX_CertStore provides a standard way for the caller to retrieve + * certificates and CRLs from a particular repository (or "store") of + * certificates and CRLs, including LDAP directories, flat files, local + * databases, etc. The CertCallback allows custom certificate retrieval logic + * to be used while the CRLCallback allows custom CRL retrieval logic to be + * used. Additionally, a CertStore can be initialized with a certStoreContext, + * which is where the caller can specify configuration data such as the host + * name of an LDAP server. Note that this certStoreContext must be an + * Object (although any object type), allowing it to be reference-counted and + * allowing it to provide the standard Object functions (Equals, Hashcode, + * ToString, Compare, Duplicate). Please note that each certStoreContext must + * provide Equals and Hashcode functions in order for the caching (on Cert and + * CertChain) to work correctly. When providing those two functions, it is not + * required that all the components of the object be hashed or checked for + * equality, but merely that the functions distinguish between unique + * instances of the certStoreContext. + * + * Once the caller has created the CertStore object, the caller then specifies + * these CertStore objects in a ProcessingParams object and passes that object + * to PKIX_ValidateChain or PKIX_BuildChain, which uses the objects to call the + * user's callback functions as needed during the validation or building + * process. + * + * The order of CertStores stored (as a list) at ProcessingParams determines + * the order in which certificates are retrieved. Trusted CertStores should + * precede non-trusted ones on the list of CertStores so their certificates + * are evaluated ahead of other certificates selected on the basis of the same + * selector criteria. + * + * The CheckTrustCallback function is used when the CertStore object + * supports trust status, which means a Cert's trust status can be altered + * dynamically. When a CertStore object is created, if the + * CheckTrustCallback is initialized to be non-NULL, this CertStore is + * defaulted as supporting trust. Then whenever a Cert needs to (re)check its + * trust status, this callback can be invoked. When a Cert is retrieved by + * a CertStore supports trust, at its GetCertCallback, the CertStore + * information should be updated in Cert's data structure so the link between + * the Cert and CertStore exists. + * + */ + +/* + * FUNCTION: PKIX_CertStore_CertCallback + * DESCRIPTION: + * + * This callback function retrieves from the CertStore pointed to by "store" + * all the certificates that match the CertSelector pointed to by "selector". + * It places these certificates in a List and stores a pointer to the List at + * "pCerts". If no certificates are found which match the CertSelector's + * criteria, this function stores an empty List at "pCerts". In either case, if + * the operation is completed, NULL is stored at "pNBIOContext". + * + * A CertStore which uses non-blocking I/O may store platform-dependent + * information at "pNBIOContext" and NULL at "pCerts" to indicate that I/O is + * pending. A subsequent call to PKIX_CertStore_CertContinue is required to + * finish the operation and to obtain the List of Certs. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "store" + * Address of CertStore from which Certs are to be retrieved. + * Must be non-NULL. + * "selector" + * Address of CertSelector whose criteria must be satisfied. + * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. + * "pNBIOContext" + * Address at which platform-dependent information is stored if the + * operation is suspended for non-blocking I/O. Must be non-NULL. + * "pCerts" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertStore_CertCallback)( + PKIX_CertStore *store, + PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, + void **pNBIOContext, + PKIX_List **pCerts, /* list of PKIX_PL_Cert */ + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_CertContinue + * DESCRIPTION: + * + * This function continues the non-blocking operation initiated by an earlier + * call to the CertCallback function, for the CertStore pointed to by "store". + * If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL + * value returned in "pNBIOContext") calling this function will return a fatal + * error. If the operation is completed the certificates found are placed in a + * List, a pointer to which is stored at "pCerts". If no certificates are found + * which match the CertSelector's criteria, this function stores an empty List + * at "pCerts". In either case, if the operation is completed, NULL is stored + * at "pNBIOContext". + * + * If non-blocking I/O is still pending this function stores platform-dependent + * information at "pNBIOContext" and NULL at "pCerts". A subsequent call to + * PKIX_CertStore_CertContinue is required to finish the operation and to + * obtain the List of Certs. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "store" + * Address of CertStore from which Certs are to be retrieved. + * Must be non-NULL. + * "selector" + * Address of CertSelector whose criteria must be satisfied. + * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. + * "pNBIOContext" + * Address at which platform-dependent information is stored if the + * operation is suspended for non-blocking I/O. Must be non-NULL. + * "pCerts" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_CertContinue( + PKIX_CertStore *store, + PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, + void **pNBIOContext, + PKIX_List **pCerts, /* list of PKIX_PL_Cert */ + void *plContext); + +typedef PKIX_Error * +(*PKIX_CertStore_CertContinueFunction)( + PKIX_CertStore *store, + PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, + void **pNBIOContext, + PKIX_List **pCerts, /* list of PKIX_PL_Cert */ + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_CRLCallback + * DESCRIPTION: + * + * This callback function retrieves from the CertStore pointed to by "store" + * all the CRLs that match the CRLSelector pointed to by "selector". It + * places these CRLs in a List and stores a pointer to the List at "pCRLs". + * If no CRLs are found which match the CRLSelector's criteria, this function + * stores an empty List at "pCRLs". In either case, if the operation is + * completed, NULL is stored at "pNBIOContext". + * + * A CertStore which uses non-blocking I/O may store platform-dependent + * information at "pNBIOContext" and NULL at "pCrls" to indicate that I/O is + * pending. A subsequent call to PKIX_CertStore_CRLContinue is required to + * finish the operation and to obtain the List of Crls. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "store" + * Address of CertStore from which CRLs are to be retrieved. + * Must be non-NULL. + * "selector" + * Address of CRLSelector whose criteria must be satisfied. + * Must be non-NULL. + * "pCrls" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertStore_CRLCallback)( + PKIX_CertStore *store, + PKIX_CRLSelector *selector, + void **pNBIOContext, + PKIX_List **pCrls, /* list of PKIX_PL_CRL */ + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_ImportCrlCallback + * DESCRIPTION: + * + * The function imports crl list into a cert store. Stores that + * have local cache may only have that function defined. + * + * PARAMETERS: + * "store" + * Address of CertStore from which CRLs are to be retrieved. + * Must be non-NULL. + * "issuerName" + * Name of the issuer that will be used to track bad der crls. + * "crlList" + * Address on the importing crl list. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertStore_ImportCrlCallback)( + PKIX_CertStore *store, + PKIX_PL_X500Name *issuerName, + PKIX_List *crlList, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_CheckRevokationByCrlCallback + * DESCRIPTION: + * + * The function checks revocation status of a cert with specified + * issuer, date. It returns revocation status of a cert and + * a reason code(if any) if a cert was revoked. + * + * PARAMETERS: + * "store" + * Address of CertStore from which CRLs are to be retrieved. + * Must be non-NULL. + * "cert" + * Certificate which revocation status will be checked. + * "issuer" + * Issuer certificate of the "crl". + * "date" + * Date of the revocation check. + * "crlDownloadDone" + * Indicates, that all needed crl downloads are done by the time of + * the revocation check. + * "reasonCode" + * If cert is revoked, returned reason code for which a cert was revoked. + * "revStatus" + * Returned revocation status of the cert. See PKIX_RevocationStatus + * for more details + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertStore_CheckRevokationByCrlCallback)( + PKIX_CertStore *store, + PKIX_PL_Cert *cert, + PKIX_PL_Cert *issuer, + PKIX_PL_Date *date, + PKIX_Boolean crlDownloadDone, + CERTCRLEntryReasonCode *reasonCode, + PKIX_RevocationStatus *revStatus, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_CrlContinue + * DESCRIPTION: + * + * This function continues the non-blocking operation initiated by an earlier + * call to the CRLCallback function, for the CertStore pointed to by "store". + * If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL + * value returned in "pNBIOContext") calling this function will return a fatal + * error. If the operation is completed the crls found are placed in a List, a + * pointer to which is stored at "pCrls". If no crls are found which match the + * CRLSelector's criteria, this function stores an empty List at "pCrls". In + * either case, if the operation is completed, NULL is stored at "pNBIOContext". + * + * If non-blocking I/O is still pending this function stores platform-dependent + * information at "pNBIOContext" and NULL at "pCrls". A subsequent call to + * PKIX_CertStore_CrlContinue is required to finish the operation and to + * obtain the List of Crls. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "store" + * Address of CertStore from which Crls are to be retrieved. + * Must be non-NULL. + * "selector" + * Address of CRLSelector whose criteria must be satisfied. + * Must be non-NULL. + * "pNBIOContext" + * Address at which platform-dependent information is stored if the + * operation is suspended for non-blocking I/O. Must be non-NULL. + * "pCrls" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_CrlContinue( + PKIX_CertStore *store, + PKIX_CRLSelector *selector, + void **pNBIOContext, + PKIX_List **pCrls, /* list of PKIX_PL_CRL */ + void *plContext); + +typedef PKIX_Error * +(*PKIX_CertStore_CrlContinueFunction)( + PKIX_CertStore *store, + PKIX_CRLSelector *selector, + void **pNBIOContext, + PKIX_List **pCrls, /* list of PKIX_PL_CRL */ + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_CheckTrustCallback + * DESCRIPTION: + * + * This callback function rechecks "cert's" trust status from the CertStore + * pointed to by "store". + * + * PARAMETERS: + * "store" + * Address of CertStore from which Certs are to be checked. + * Must be non-NULL. + * "cert" + * Address of Cert whose trust status needs to be rechecked. + * Must be non-NULL. + * "pTrusted" + * Address of PKIX_Boolean where the trust status is returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertStore_CheckTrustCallback)( + PKIX_CertStore *store, + PKIX_PL_Cert *cert, + PKIX_Boolean *pTrusted, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_Create + * DESCRIPTION: + * + * Creates a new CertStore and stores it at "pStore". The new CertStore uses + * the CertCallback pointed to by "certCallback" and the CRLCallback pointed + * to by "crlCallback" as its callback functions and uses the Object pointed + * to by "certStoreContext" as its context . Note that this certStoreContext + * must be an Object (although any object type), allowing it to be + * reference-counted and allowing it to provide the standard Object functions + * (Equals, Hashcode, ToString, Compare, Duplicate). Once created, a + * CertStore object is immutable, although the underlying repository can + * change. For example, a CertStore will often be a front-end for a database + * or directory. The contents of that directory can change after the + * CertStore object is created, but the CertStore object remains immutable. + * + * PARAMETERS: + * "certCallback" + * The CertCallback function to be used. Must be non-NULL. + * "crlCallback" + * The CRLCallback function to be used. Must be non-NULL. + * "certContinue" + * The function to be used to resume a certCallback that returned with a + * WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking + * I/O. + * "crlContinue" + * The function to be used to resume a crlCallback that returned with a + * WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking + * I/O. + * "trustCallback" + * Address of PKIX_CertStore_CheckTrustCallback which is called to + * verify the trust status of Certs in this CertStore. + * "certStoreContext" + * Address of Object representing the CertStore's context (if any). + * "cachedFlag" + * If TRUE indicates data retrieved from CertStore should be cached. + * "localFlag" + * Boolean value indicating whether this CertStore is local. + * "pStore" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_Create( + PKIX_CertStore_CertCallback certCallback, + PKIX_CertStore_CRLCallback crlCallback, + PKIX_CertStore_CertContinueFunction certContinue, + PKIX_CertStore_CrlContinueFunction crlContinue, + PKIX_CertStore_CheckTrustCallback trustCallback, + PKIX_CertStore_ImportCrlCallback importCrlCallback, + PKIX_CertStore_CheckRevokationByCrlCallback checkRevByCrlCallback, + PKIX_PL_Object *certStoreContext, + PKIX_Boolean cachedFlag, + PKIX_Boolean localFlag, + PKIX_CertStore **pStore, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetCertCallback + * DESCRIPTION: + * + * Retrieves a pointer to "store's" Cert callback function and put it in + * "pCallback". + * + * PARAMETERS: + * "store" + * The CertStore whose Cert callback is desired. Must be non-NULL. + * "pCallback" + * Address where Cert callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetCertCallback( + PKIX_CertStore *store, + PKIX_CertStore_CertCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetCRLCallback + * DESCRIPTION: + * + * Retrieves a pointer to "store's" CRL callback function and put it in + * "pCallback". + * + * PARAMETERS: + * "store" + * The CertStore whose CRL callback is desired. Must be non-NULL. + * "pCallback" + * Address where CRL callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetCRLCallback( + PKIX_CertStore *store, + PKIX_CertStore_CRLCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetImportCrlCallback + * DESCRIPTION: + * + * Retrieves a pointer to "store's" Import CRL callback function and put it in + * "pCallback". + * + * PARAMETERS: + * "store" + * The CertStore whose CRL callback is desired. Must be non-NULL. + * "pCallback" + * Address where CRL callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetImportCrlCallback( + PKIX_CertStore *store, + PKIX_CertStore_ImportCrlCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetCheckRevByCrl + * DESCRIPTION: + * + * Retrieves a pointer to "store's" CRL revocation checker callback function + * and put it in "pCallback". + * + * PARAMETERS: + * "store" + * The CertStore whose CRL callback is desired. Must be non-NULL. + * "pCallback" + * Address where CRL callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetCrlCheckerFn( + PKIX_CertStore *store, + PKIX_CertStore_CheckRevokationByCrlCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetTrustCallback + * DESCRIPTION: + * + * Retrieves the function pointer to the CheckTrust callback function of the + * CertStore pointed to by "store" and stores it at "pCallback". + * + * PARAMETERS: + * "store" + * The CertStore whose CheckTrust callback is desired. Must be non-NULL. + * "pCallback" + * Address where CheckTrust callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetTrustCallback( + PKIX_CertStore *store, + PKIX_CertStore_CheckTrustCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetCertStoreContext + * DESCRIPTION: + * + * Retrieves a pointer to the Object representing the context (if any) + * of the CertStore pointed to by "store" and stores it at + * "pCertStoreContext". + * + * PARAMETERS: + * "store" + * Address of CertStore whose context is to be stored. Must be non-NULL. + * "pCertStoreContext" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetCertStoreContext( + PKIX_CertStore *store, + PKIX_PL_Object **pCertStoreContext, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetCertStoreCacheFlag + * DESCRIPTION: + * + * Retrieves the Boolean cache flag of the CertStore pointed to by "store" and + * stores it at "pCachedFlag". + * + * PARAMETERS: + * "store" + * Address of CertStore whose cache flag is to be stored. Must be non-NULL. + * "pCacheFlag" + * Address where the result will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetCertStoreCacheFlag( + PKIX_CertStore *store, + PKIX_Boolean *pCacheFlag, + void *plContext); + +/* + * FUNCTION: PKIX_CertStore_GetLocalFlag + * DESCRIPTION: + * + * Retrieves the Boolean localFlag for the CertStore pointed to by "store" and + * stores it at "pLocalFlag". The localFlag is TRUE if the CertStore can + * fulfill a request without performing network I/O. + * + * PARAMETERS: + * "store" + * The CertStore whose Local flag is desired. Must be non-NULL. + * "pCallback" + * Address where the Boolean LocalFlag will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertStore_GetLocalFlag( + PKIX_CertStore *store, + PKIX_Boolean *pLocalFlag, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_CERTSTORE_H */ diff --git a/security/nss/lib/libpkix/include/pkix_checker.h b/security/nss/lib/libpkix/include/pkix_checker.h new file mode 100644 index 0000000000..97e29a8403 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_checker.h @@ -0,0 +1,394 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the PKIX_CertChainChecker type. + * + */ + +#ifndef _PKIX_CHECKER_H +#define _PKIX_CHECKER_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_CertChainChecker + * + * PKIX_CertChainCheckers provide a standard way for the caller to insert their + * own custom checks to validate certificates. This may be useful in many + * scenarios, including when the caller wishes to validate private certificate + * extensions. The CheckCallback allows custom certificate processing to take + * place. Additionally, a CertChainChecker can optionally maintain state + * between successive calls to the CheckCallback. This certChainCheckerState + * must be an Object (although any object type), allowing it to be + * reference-counted and allowing it to provide the standard Object functions + * (Equals, Hashcode, ToString, Compare, Duplicate). If the caller wishes + * their CertChainChecker to be used during chain building, their + * certChainCheckerState object must implement an appropriate Duplicate + * function. The builder uses this Duplicate function when backtracking. + * + * Once the caller has created a CertChainChecker object, the caller then + * specifies a CertChainChecker object in a ProcessingParams object + * and passes the ProcessingParams object to PKIX_ValidateChain or + * PKIX_BuildChain, which uses the objects to call the user's callback + * functions as needed during the validation or building process. + * + * A CertChainChecker may be presented certificates in the "reverse" direction + * (from trust anchor to target) or in the "forward" direction (from target to + * trust anchor). All CertChainCheckers must support "reverse checking", while + * support for "forward checking" is optional, but recommended. If "forward + * checking" is not supported, building chains may be much less efficient. The + * PKIX_CertChainChecker_IsForwardCheckingSupported function is used to + * determine whether forward checking is supported, and the + * PKIX_CertChainChecker_IsForwardDirectionExpected function is used to + * determine whether the CertChainChecker has been initialized to expect the + * certificates to be presented in the "forward" direction. + */ + +/* + * FUNCTION: PKIX_CertChainChecker_CheckCallback + * DESCRIPTION: + * + * This callback function checks whether the specified Cert pointed to by + * "cert" is valid using "checker's" internal certChainCheckerState (if any) + * and removes the critical extensions that it processes (if any) from the + * List of OIDs (possibly empty) pointed to by "unresolvedCriticalExtensions". + * If the checker finds that the certificate is not valid, an Error pointer is + * returned. + * + * If the checker uses non-blocking I/O, the address of a platform-dependent + * non-blocking I/O context ("nbioContext") will be stored at "pNBIOContext", + * which the caller may use, in a platform-dependent way, to wait, poll, or + * otherwise determine when to try again. If the checker does not use + * non-blocking I/O, NULL will always be stored at "pNBIOContext". If a non-NULL + * value was stored, on a subsequent call the checker will attempt to complete + * the pending I/O and, if successful, NULL will be stored at "pNBIOContext". + * + * PARAMETERS: + * "checker" + * Address of CertChainChecker whose certChainCheckerState and + * CheckCallback logic is to be used. Must be non-NULL. + * "cert" + * Address of Cert that is to be validated using "checker". + * Must be non-NULL. + * "unresolvedCriticalExtensions" + * Address of List of OIDs that represents the critical certificate + * extensions that have yet to be resolved. This parameter may be + * modified during the function call. Must be non-NULL. + * "pNBIOContext" + * Address at which is stored a platform-dependent structure indicating + * whether checking was suspended for non-blocking I/O. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CertChainChecker_CheckCallback)( + PKIX_CertChainChecker *checker, + PKIX_PL_Cert *cert, + PKIX_List *unresolvedCriticalExtensions, /* list of PKIX_PL_OID */ + void **pNBIOContext, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_Create + * DESCRIPTION: + * + * Creates a new CertChainChecker and stores it at "pChecker". The new + * CertChainChecker uses the CheckCallback pointed to by "callback" as its + * callback function. It uses the Object pointed to by "initialState" (if + * any) as its initial state. As noted above, the initial state Object must + * provide a custom implementation of PKIX_PL_Object_Duplicate if the + * CertChainChecker is to be used during certificate chain building. + * + * A CertChainChecker may be presented certificates in the "reverse" + * direction (from trust anchor to target) or in the "forward" direction + * (from target to trust anchor). All CertChainCheckers must support + * "reverse checking", while support for "forward checking" is optional. The + * CertChainChecker is initialized with two Boolean flags that deal with this + * distinction: "forwardCheckingSupported" and "forwardDirectionExpected". + * If the "forwardCheckingSupported" Boolean flag is TRUE, it indicates that + * this CertChainChecker is capable of checking certificates in the "forward" + * direction (as well as the "reverse" direction, which all CertChainCheckers + * MUST support). The "forwardDirectionExpected" Boolean flag indicates in + * which direction the CertChainChecker should expect the certificates to be + * presented. This is particularly useful for CertChainCheckers that are + * capable of checking in either the "forward" direction or the "reverse" + * direction, but have different processing steps depending on the direction. + * + * The CertChainChecker also uses the List of OIDs pointed to by "extensions" + * as the supported certificate extensions. All certificate extensions that + * the CertChainChecker might possibly recognize and be able to process + * should be included in the List of supported extensions. If "checker" does + * not recognize or process any certificate extensions, "extensions" should + * be set to NULL. + * + * PARAMETERS: + * "callback" + * The CheckCallback function to be used. Must be non-NULL. + * "forwardCheckingSupported" + * A Boolean value indicating whether or not this CertChainChecker is + * capable of checking certificates in the "forward" direction. + * "forwardDirectionExpected" + * A Boolean value indicating whether or not this CertChainChecker should + * be used to check in the "forward" direction. + * "extensions" + * Address of List of OIDs representing the supported extensions. + * "initialState" + * Address of Object representing the CertChainChecker's initial state + * (if any). + * "pChecker" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_Create( + PKIX_CertChainChecker_CheckCallback callback, + PKIX_Boolean forwardCheckingSupported, + PKIX_Boolean forwardDirectionExpected, + PKIX_List *extensions, /* list of PKIX_PL_OID */ + PKIX_PL_Object *initialState, + PKIX_CertChainChecker **pChecker, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_GetCheckCallback + * DESCRIPTION: + * + * Retrieves a pointer to "checker's" Check callback function and puts it in + * "pCallback". + * + * PARAMETERS: + * "checker" + * The CertChainChecker whose Check callback is desired. Must be non-NULL. + * "pCallback" + * Address where Check callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_GetCheckCallback( + PKIX_CertChainChecker *checker, + PKIX_CertChainChecker_CheckCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_IsForwardCheckingSupported + * DESCRIPTION: + * + * Checks whether forward checking is supported by the CertChainChecker + * pointed to by "checker" and stores the Boolean result at + * "pForwardCheckingSupported". + * + * A CertChainChecker may be presented certificates in the "reverse" + * direction (from trust anchor to target) or in the "forward" direction + * (from target to trust anchor). All CertChainCheckers must support + * "reverse checking", while support for "forward checking" is optional. This + * function is used to determine whether forward checking is supported. + * + * PARAMETERS: + * "checker" + * The CertChainChecker whose ability to validate certificates in the + * "forward" direction is to be checked. Must be non-NULL. + * "pForwardCheckingSupported" + * Destination of the Boolean result. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_IsForwardCheckingSupported( + PKIX_CertChainChecker *checker, + PKIX_Boolean *pForwardCheckingSupported, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_IsForwardDirectionExpected + * DESCRIPTION: + * + * Checks whether the CertChainChecker pointed to by "checker" has been + * initialized to expect the certificates to be presented in the "forward" + * direction and stores the Boolean result at "pForwardDirectionExpected". + * + * A CertChainChecker may be presented certificates in the "reverse" + * direction (from trust anchor to target) or in the "forward" direction + * (from target to trust anchor). All CertChainCheckers must support + * "reverse checking", while support for "forward checking" is optional. This + * function is used to determine in which direction the CertChainChecker + * expects the certificates to be presented. + * + * PARAMETERS: + * "checker" + * The CertChainChecker that has been initialized to expect certificates + * in either the "forward" or "reverse" directions. Must be non-NULL. + * "pForwardDirectionExpected" + * Destination of the Boolean result. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_IsForwardDirectionExpected( + PKIX_CertChainChecker *checker, + PKIX_Boolean *pForwardDirectionExpected, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_GetSupportedExtensions + * DESCRIPTION: + * + * Retrieves a pointer to a List of OIDs (each OID corresponding to a + * certificate extension supported by the CertChainChecker pointed to by + * "checker") and stores it at "pExtensions". All certificate extensions that + * the CertChainChecker might possibly recognize and be able to process + * should be included in the List of supported extensions. If "checker" does + * not recognize or process any certificate extensions, this function stores + * NULL at "pExtensions". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "checker" + * Address of CertChainChecker whose supported extension OIDs are to be + * stored. Must be non-NULL. + * "pExtensions" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_GetSupportedExtensions( + PKIX_CertChainChecker *checker, + PKIX_List **pExtensions, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_GetCertChainCheckerState + * DESCRIPTION: + * + * Retrieves a pointer to a PKIX_PL_Object representing the internal state + * (if any) of the CertChainChecker pointed to by "checker" and stores it at + * "pCertChainCheckerState". + * + * PARAMETERS: + * "checker" + * Address of CertChainChecker whose state is to be stored. + * Must be non-NULL. + * "pCertChainCheckerState" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_GetCertChainCheckerState( + PKIX_CertChainChecker *checker, + PKIX_PL_Object **pCertChainCheckerState, + void *plContext); + +/* + * FUNCTION: PKIX_CertChainChecker_SetCertChainCheckerState + * DESCRIPTION: + * + * Sets the internal state of the CertChainChecker pointed to by "checker" + * using the Object pointed to by "certChainCheckerState". If "checker" needs + * a NULL internal state, "certChainCheckerState" should be set to NULL. + * + * PARAMETERS: + * "checker" + * Address of CertChainChecker whose state is to be set. Must be non-NULL. + * "certChainCheckerState" + * Address of Object representing internal state. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "checker" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertChainChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CertChainChecker_SetCertChainCheckerState( + PKIX_CertChainChecker *checker, + PKIX_PL_Object *certChainCheckerState, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_CHECKER_H */ diff --git a/security/nss/lib/libpkix/include/pkix_crlsel.h b/security/nss/lib/libpkix/include/pkix_crlsel.h new file mode 100644 index 0000000000..491e72f43b --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_crlsel.h @@ -0,0 +1,759 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the PKIX_CRLSelector and the + * PKIX_ComCRLSelParams types. + * + */ + + +#ifndef _PKIX_CRLSEL_H +#define _PKIX_CRLSEL_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_CRLSelector + * + * PKIX_CRLSelectors provide a standard way for the caller to select CRLs + * based on particular criteria. A CRLSelector is typically used by libpkix + * to retrieve CRLs from a CertStore during certificate chain validation or + * building. (see pkix_certstore.h) For example, the caller may wish to only + * select those CRLs that have a particular issuer or a particular value for a + * private CRL extension. The MatchCallback allows the caller to specify the + * custom matching logic to be used by a CRLSelector. + + * By default, the MatchCallback is set to point to the default implementation + * provided by libpkix, which understands how to process the most common + * parameters. If the default implementation is used, the caller should set + * these common parameters using PKIX_CRLSelector_SetCommonCRLSelectorParams. + * Any common parameter that is not set is assumed to be disabled, which means + * the default MatchCallback implementation will select all CRLs without + * regard to that particular disabled parameter. For example, if the + * MaxCRLNumber parameter is not set, MatchCallback will not filter out any + * CRL based on its CRL number. As such, if no parameters are set, all are + * disabled and any CRL will match. If a parameter is disabled, its associated + * PKIX_ComCRLSelParams_Get* function returns a default value of NULL. + * + * If a custom implementation is desired, the default implementation can be + * overridden by calling PKIX_CRLSelector_SetMatchCallback. In this case, the + * CRLSelector can be initialized with a crlSelectorContext, which is where + * the caller can specify the desired parameters the caller wishes to match + * against. Note that this crlSelectorContext must be a PKIX_PL_Object, + * allowing it to be reference-counted and allowing it to provide the standard + * PKIX_PL_Object functions (Equals, Hashcode, ToString, Compare, Duplicate). + * + */ + +/* + * FUNCTION: PKIX_CRLSelector_MatchCallback + * DESCRIPTION: + * + * This callback function determines whether the specified CRL pointed to by + * "crl" matches the criteria of the CRLSelector pointed to by "selector". + * If the CRL matches the CRLSelector's criteria, PKIX_TRUE is stored at + * "pMatch". Otherwise PKIX_FALSE is stored at "pMatch". + * + * PARAMETERS: + * "selector" + * Address of CRLSelector whose MatchCallback logic and parameters are + * to be used. Must be non-NULL. + * "crl" + * Address of CRL that is to be matched using "selector". Must be non-NULL. + * "pMatch" + * Address at which Boolean result is stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_CRLSelector_MatchCallback)( + PKIX_CRLSelector *selector, + PKIX_PL_CRL *crl, + PKIX_Boolean *pMatch, + void *plContext); + +/* + * FUNCTION: PKIX_CRLSelector_Create + * DESCRIPTION: + * + * Creates a new CRLSelector using the Object pointed to by + * "crlSelectorContext" (if any) and stores it at "pSelector". As noted + * above, by default, the MatchCallback is set to point to the default + * implementation provided by libpkix, which understands how to process + * ComCRLSelParams. This is overridden if the MatchCallback pointed to by + * "callback" is not NULL, in which case the parameters are specified using + * the Object pointed to by "crlSelectorContext". + * + * PARAMETERS: + * "issue" + * crl issuer. + * "crlDpList" + * distribution points list + * "callback" + * The MatchCallback function to be used. + * "pSelector" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CRLSelector_Create( + PKIX_PL_Cert *issuer, + PKIX_List *crlDpList, + PKIX_PL_Date *date, + PKIX_CRLSelector **pSelector, + void *plContext); + +/* + * FUNCTION: PKIX_CRLSelector_GetMatchCallback + * DESCRIPTION: + * + * Retrieves a pointer to "selector's" Match callback function and puts it in + * "pCallback". + * + * PARAMETERS: + * "selector" + * The CRLSelector whose Match callback is desired. Must be non-NULL. + * "pCallback" + * Address where Match callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CRLSelector_GetMatchCallback( + PKIX_CRLSelector *selector, + PKIX_CRLSelector_MatchCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext + * DESCRIPTION: + * + * Retrieves a pointer to a PKIX_PL_Object representing the context (if any) + * of the CRLSelector pointed to by "selector" and stores it at + * "pCRLSelectorContext". + * + * PARAMETERS: + * "selector" + * Address of CRLSelector whose context is to be stored. Must be non-NULL. + * "pCRLSelectorContext" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CRLSelector_GetCRLSelectorContext( + PKIX_CRLSelector *selector, + void **pCRLSelectorContext, + void *plContext); + +/* + * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams + * DESCRIPTION: + * + * Retrieves a pointer to the ComCRLSelParams object that represent the common + * parameters of the CRLSelector pointed to by "selector" and stores it at + * "pCommonCRLSelectorParams". If there are no common parameters stored with + * the CRLSelector, this function stores NULL at "pCommonCRLSelectorParams". + * + * PARAMETERS: + * "selector" + * Address of CRLSelector whose ComCRLSelParams are to be stored. + * Must be non-NULL. + * "pCommonCRLSelectorParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CRLSelector_GetCommonCRLSelectorParams( + PKIX_CRLSelector *selector, + PKIX_ComCRLSelParams **pCommonCRLSelectorParams, + void *plContext); + +/* + * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams + * DESCRIPTION: + * + * Sets the common parameters for the CRLSelector pointed to by "selector" + * using the ComCRLSelParams pointed to by "commonCRLSelectorParams". + * + * PARAMETERS: + * "selector" + * Address of CRLSelector whose common parameters are to be set. + * Must be non-NULL. + * "commonCRLSelectorParams" + * Address of ComCRLSelParams representing the common parameters. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "selector" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_CRLSelector_SetCommonCRLSelectorParams( + PKIX_CRLSelector *selector, + PKIX_ComCRLSelParams *commonCRLSelectorParams, + void *plContext); + +/* PKIX_ComCRLSelParams + * + * PKIX_ComCRLSelParams are X.509 parameters commonly used with CRLSelectors, + * especially determining which CRLs to retrieve from a CertStore. + * PKIX_ComCRLSelParams are typically used with those CRLSelectors that use + * the default implementation of MatchCallback, which understands how to + * process ComCRLSelParams. + */ + +/* + * FUNCTION: PKIX_ComCRLSelParams_Create + * DESCRIPTION: + * + * Creates a new ComCRLSelParams object and stores it at "pParams". + * + * PARAMETERS: + * "pParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_Create( + PKIX_ComCRLSelParams **pParams, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetIssuerNames + * DESCRIPTION: + * + * Retrieves a pointer to the List of X500Names (if any) representing the + * issuer names criterion that is set in the ComCRLSelParams pointed to by + * "params" and stores it at "pNames". In order to match against this + * criterion, a CRL's IssuerName must match at least one of the criterion's + * issuer names. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pNames", in which case all CRLs are considered to match. + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose issuer names criterion (if any) is to + * be stored. Must be non-NULL. + * "pNames" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetIssuerNames( + PKIX_ComCRLSelParams *params, + PKIX_List **pNames, /* list of PKIX_PL_X500Name */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetIssuerNames + * DESCRIPTION: + * + * Sets the issuer names criterion of the ComCRLSelParams pointed to by + * "params" using a List of X500Names pointed to by "names". In order to match + * against this criterion, a CRL's IssuerName must match at least one of the + * criterion's issuer names. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose issuer names criterion is to be + * set. Must be non-NULL. + * "names" + * Address of List of X500Names used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetIssuerNames( + PKIX_ComCRLSelParams *params, + PKIX_List *names, /* list of PKIX_PL_X500Name */ + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_AddIssuerName + * DESCRIPTION: + * + * Adds to the issuer names criterion of the ComCRLSelParams pointed to by + * "params" using the X500Name pointed to by "name". In order to match + * against this criterion, a CRL's IssuerName must match at least one of the + * criterion's issuer names. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose issuer names criterion is to be added + * to. Must be non-NULL. + * "name" + * Address of X500Name to be added. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_AddIssuerName( + PKIX_ComCRLSelParams *params, + PKIX_PL_X500Name *name, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetCertificateChecking + * DESCRIPTION: + * + * Retrieves a pointer to the Cert (if any) representing the certificate whose + * revocation status is being checked. This is not a criterion. It is simply + * optional information that may help a CertStore find relevant CRLs. + * + * If "params" does not have a certificate set, this function stores NULL at + * "pCert", in which case there is no optional information to provide. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose certificate being checked (if any) is + * to be stored. Must be non-NULL. + * "pCert" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetCertificateChecking( + PKIX_ComCRLSelParams *params, + PKIX_PL_Cert **pCert, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetCertificateChecking + * DESCRIPTION: + * + * Sets the ComCRLSelParams pointed to by "params" with the certificate + * (pointed to by "cert") whose revocation status is being checked. This is + * not a criterion. It is simply optional information that may help a + * CertStore find relevant CRLs. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose certificate being checked is to be + * set. Must be non-NULL. + * "cert" + * Address of Cert whose revocation status is being checked + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetCertificateChecking( + PKIX_ComCRLSelParams *params, + PKIX_PL_Cert *cert, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime + * DESCRIPTION: + * + * Retrieves a pointer to the Date (if any) representing the dateAndTime + * criterion that is set in the ComCRLSelParams pointed to by "params" and + * stores it at "pDate". In order to match against this criterion, a CRL's + * thisUpdate component must be less than or equal to the criterion's + * dateAndTime and the CRL's nextUpdate component must be later than the + * criterion's dateAndTime. There is no match if the CRL does not contain a + * nextUpdate component. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pDate", in which case all CRLs are considered to match. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose dateAndTime criterion (if any) is to + * be stored. Must be non-NULL. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetDateAndTime( + PKIX_ComCRLSelParams *params, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime + * DESCRIPTION: + * + * Sets the dateAndTime criterion of the ComCRLSelParams pointed to by + * "params" using a Date pointed to by "date". In order to match against this + * criterion, a CRL's thisUpdate component must be less than or equal to the + * criterion's dateAndTime and the CRL's nextUpdate component must be later + * than the criterion's dateAndTime. There is no match if the CRL does not + * contain a nextUpdate component. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose dateAndTime criterion is to be + * set. Must be non-NULL. + * "date" + * Address of Date used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetDateAndTime( + PKIX_ComCRLSelParams *params, + PKIX_PL_Date *date, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetNISTPolicyEnabled + * DESCRIPTION: + * + * Retrieves a pointer to the Boolean representing the NIST CRL policy + * activation flag that is set in the ComCRLSelParams pointed to by "params" + * and stores it at "enabled". If enabled, a CRL must have nextUpdate field. + * + * Default value for this flag is TRUE. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose NIST CRL policy criterion is to + * be stored. Must be non-NULL. + * "pEnabled" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetNISTPolicyEnabled( + PKIX_ComCRLSelParams *params, + PKIX_Boolean *pEnabled, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetNISTPolicyEnabled + * DESCRIPTION: + * + * Sets the NIST crl policy criterion of the ComCRLSelParams pointed to by + * "params" using a "enabled" flag. In order to match against this + * criterion, a CRL's nextUpdate must be available and criterion's + * dataAndTime must be within thisUpdate and nextUpdate time period. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose NIST CRL policy criterion + * is to be set. Must be non-NULL. + * "enabled" + * Address of Bollean used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetNISTPolicyEnabled( + PKIX_ComCRLSelParams *params, + PKIX_Boolean enabled, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber + * DESCRIPTION: + * + * Retrieves a pointer to the BigInt (if any) representing the maxCRLNumber + * criterion that is set in the ComCRLSelParams pointed to by "params" and + * stores it at "pNumber". In order to match against this criterion, a CRL + * must have a CRL number extension whose value is less than or equal to the + * criterion's value. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pNumber", in which case all CRLs are considered to match. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose maxCRLNumber criterion (if any) is to + * be stored. Must be non-NULL. + * "pNumber" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetMaxCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt **pNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetMaxCRLNumber + * DESCRIPTION: + * + * Sets the maxCRLNumber criterion of the ComCRLSelParams pointed to by + * "params" using a BigInt pointed to by "number". In order to match against + * this criterion, a CRL must have a CRL number extension whose value is less + * than or equal to the criterion's value. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose maxCRLNumber criterion is to be + * set. Must be non-NULL. + * "number" + * Address of BigInt used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetMaxCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt *number, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetMinCRLNumber + * DESCRIPTION: + * + * Retrieves a pointer to the BigInt (if any) representing the minCRLNumber + * criterion that is set in the ComCRLSelParams pointed to by "params" and + * stores it at "pNumber". In order to match against this criterion, a CRL + * must have a CRL number extension whose value is greater than or equal to + * the criterion's value. + * + * If "params" does not have this criterion set, this function stores NULL at + * "pNumber", in which case all CRLs are considered to match. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParams whose minCRLNumber criterion (if any) is to + * be stored. Must be non-NULL. + * "pNumber" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetMinCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt **pNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetMinCRLNumber + * DESCRIPTION: + * + * Sets the minCRLNumber criterion of the ComCRLSelParams pointed to by + * "params" using a BigInt pointed to by "number". In order to match against + * this criterion, a CRL must have a CRL number extension whose value is + * greater than or equal to the criterion's value. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose minCRLNumber criterion is to be + * set. Must be non-NULL. + * "number" + * Address of BigInt used to set the criterion + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetMinCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt *number, + void *plContext); + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetCrlDp + * DESCRIPTION: + * + * Sets crldp list that can be used to download a crls. + * + * PARAMETERS: + * "params" + * Address of ComCRLSelParamsParams whose minCRLNumber criterion is to be + * set. Must be non-NULL. + * "crldpList" + * A list of CRLDPs. Can be an emptry list. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error* +PKIX_ComCRLSelParams_SetCrlDp( + PKIX_ComCRLSelParams *params, + PKIX_List *crldpList, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_CRLSEL_H */ diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h new file mode 100644 index 0000000000..0519bff0e6 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h @@ -0,0 +1,1099 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * This file is intended to be included after different definitions of + * PKIX_ERRORENTRY. It is included in pkixt.h to define a number for each error + * by defining PKIX_ERRORENTRY(x,y) as PKIX_ ## x and then listing thim within + * an enum. It is included in pkix_error.c to define an array of error strings + * by defining PKIX_ERRORENTRY(x,y) #y and then listing thim within an array + * const char * const PKIX_ErrorText[] + */ +/* ALLOCERROR should always be the first */ +PKIX_ERRORENTRY(ALLOCERROR,Allocation Error,SEC_ERROR_NO_MEMORY), +PKIX_ERRORENTRY(ADDHEADERFUNCTIONNOTSUPPORTED,AddHeader function not supported,0), +PKIX_ERRORENTRY(ADDTOVERIFYLOGFAILED,pkix_AddToVerifyLog failed,0), +PKIX_ERRORENTRY(AIAMGRCREATEFAILED,PKIX_PL_AIAMgr_Create failed,0), +PKIX_ERRORENTRY(AIAMGRFINDLDAPCLIENTFAILED,pkix_pl_AiaMgr_FindLDAPClient failed,0), +PKIX_ERRORENTRY(AIAMGRGETAIACERTSFAILED,PKIX_PL_AIAMgr_GetAIACerts failed,SEC_ERROR_UNKNOWN_ISSUER), +PKIX_ERRORENTRY(AIAMGRGETHTTPCERTSFAILED,pkix_pl_AIAMgr_GetHTTPCerts failed,0), +PKIX_ERRORENTRY(AIAMGRGETLDAPCERTSFAILED,pkix_pl_AIAMgr_GetLDAPCerts failed,0), +PKIX_ERRORENTRY(ALGORITHMBYTESLENGTH0,Algorithm bytes length is 0,0), +PKIX_ERRORENTRY(ALLOCATENEWCERTGENERALNAMEFAILED,Allocate new CERTGeneralName failed,0), +PKIX_ERRORENTRY(AMBIGUOUSPARENTAGEOFVERIFYNODE,Ambiguous parentage of VerifyNode,0), +PKIX_ERRORENTRY(ANCHORDIDNOTCHAINTOCERT,Anchor did not chain to Cert,SEC_ERROR_UNKNOWN_ISSUER), +PKIX_ERRORENTRY(ANCHORDIDNOTPASSCERTSELECTORCRITERIA,Anchor did not pass CertSelector criteria,0), +PKIX_ERRORENTRY(APPENDLISTFAILED,pkix_pl_AppendList failed,0), +PKIX_ERRORENTRY(ARGUMENTNOTSTRING,Argument is not a String,0), +PKIX_ERRORENTRY(ARGUMENTSNOTBIGINTS,Arguments are not BigInts,0), +PKIX_ERRORENTRY(ARGUMENTSNOTBYTEARRAYS,Arguments are not Byte Arrays,0), +PKIX_ERRORENTRY(ARGUMENTSNOTDATES,Arguments are not Dates,0), +PKIX_ERRORENTRY(ARGUMENTSNOTOIDS,Arguments are not OIDs,0), +PKIX_ERRORENTRY(ATTEMPTTOADDDUPLICATEKEY,Attempt to add duplicate key,0), +PKIX_ERRORENTRY(ATTEMPTTODECODEANINCOMPLETERESPONSE,Attempt to decode an incomplete response,SEC_ERROR_BAD_DER), +PKIX_ERRORENTRY(ATTEMPTTODECREFALLOCERROR,Attempt to DecRef Alloc Error,0), +PKIX_ERRORENTRY(ATTEMPTTOINCREFALLOCERROR,Attempt to IncRef Alloc Error,0), +PKIX_ERRORENTRY(BADHTTPRESPONSE,Bad Http Response,SEC_ERROR_BAD_HTTP_RESPONSE), +PKIX_ERRORENTRY(BASICCONSTRAINTSCHECKERINITIALIZEFAILED,pkix_BasicConstraintsChecker_Initialize failed,0), +PKIX_ERRORENTRY(BASICCONSTRAINTSCHECKERSTATECREATEFAILED,PKIX_BasicConstraintsCheckerState_Create failed,0), +PKIX_ERRORENTRY(BASICCONSTRAINTSGETCAFLAGFAILED,PKIX_PL_BasicConstraints_GetCAFlag failed,0), +PKIX_ERRORENTRY(BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED,PKIX_PL_BasicConstraints_GetPathLenConstraint failed,0), +PKIX_ERRORENTRY(BASICCONSTRAINTSVALIDATIONFAILEDCA,PKIX_BasicConstraints validation failed: CA Flag not set,SEC_ERROR_CA_CERT_INVALID), +PKIX_ERRORENTRY(BASICCONSTRAINTSVALIDATIONFAILEDLN,PKIX_BasicConstraints validation failed: maximum length mismatch,SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID), +PKIX_ERRORENTRY(BIGINTCOMPARATORFAILED,pkix_pl_BigInt_Comparator failed,0), +PKIX_ERRORENTRY(BIGINTCREATEWITHBYTESFAILED,pkix_pl_BigInt_CreateWithBytes failed,0), +PKIX_ERRORENTRY(BIGINTEQUALSFAILED,PKIX_PL_BigInt_Equals failed,0), +PKIX_ERRORENTRY(BIGINTLENGTH0INVALID,BigInt length 0 is invalid,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(BIGINTTOSTRINGFAILED,pkix_pl_BigInt_ToString failed,0), +PKIX_ERRORENTRY(BIGINTTOSTRINGHELPERFAILED,PKIX_PL_BigInt_ToString_Helper failed,0), +PKIX_ERRORENTRY(BINDREJECTEDBYSERVER,BIND rejected by server,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(BUILDANDVALIDATECHAINFAILED,Failed to build and validate a chain,0), +PKIX_ERRORENTRY(BUILDBUILDSELECTORANDPARAMSFAILED,pkix_Build_BuildSelectorAndParams failed,0), +PKIX_ERRORENTRY(BUILDCOMBINEWITHTRUSTFAILED,pkix_Build_CombineWithTrust failed,0), +PKIX_ERRORENTRY(BUILDFORWARDDEPTHFIRSTSEARCHFAILED,pkix_BuildForwardDepthFirstSearch failed,0), +PKIX_ERRORENTRY(BUILDGATHERCERTSFAILED,pkix_Build_GatherCerts failed,0), +PKIX_ERRORENTRY(BUILDGETRESOURCELIMITSFAILED,pkix_Build_GetResourceLimits failed,0), +PKIX_ERRORENTRY(BUILDINITIATEBUILDCHAINFAILED,pkix_Build_InitiateBuildChain failed,0), +PKIX_ERRORENTRY(BUILDRESULTCREATEFAILED,pkix_BuildResult_Create failed,0), +PKIX_ERRORENTRY(BUILDRESULTGETCERTCHAINFAILED,PKIX_BuildResult_GetCertChain failed,0), +PKIX_ERRORENTRY(BUILDRESULTGETVALIDATERESULTFAILED,PKIX_BuildResult_GetValidateResult failed,0), +PKIX_ERRORENTRY(BUILDREVCHECKPREPFAILED,pkix_Build_RevCheckPrep failed,0), +PKIX_ERRORENTRY(BUILDSORTCANDIDATECERTSFAILED,pkix_Build_SortCandidateCerts failed,0), +PKIX_ERRORENTRY(BUILDSTATECREATEFAILED,pkix_BuildState_Create failed,0), +PKIX_ERRORENTRY(BUILDTRYSHORTCUTFAILED,pkix_Build_TryShortcut failed,0), +PKIX_ERRORENTRY(BUILDUPDATEDATEFAILED,pkix_Build_UpdateDate failed,0), +PKIX_ERRORENTRY(BUILDVALIDATEENTIRECHAINFAILED,pkix_Build_ValidateEntireChain failed,0), +PKIX_ERRORENTRY(BUILDVALIDATIONCHECKERSFAILED,pkix_Build_ValidationCheckers failed,0), +PKIX_ERRORENTRY(BUILDVERIFYCERTIFICATEFAILED,pkix_Build_VerifyCertificate failed,0), +PKIX_ERRORENTRY(BYTEARRAYCOMPARATORFAILED,pkix_pl_ByteArray_Comparator failed,0), +PKIX_ERRORENTRY(BYTEARRAYCREATEFAILED,PKIX_PL_ByteArray_Create failed,0), +PKIX_ERRORENTRY(BYTEARRAYEQUALSFAILED,PKIX_PL_ByteArray_Equals failed,0), +PKIX_ERRORENTRY(BYTEARRAYGETLENGTHFAILED,PKIX_PL_ByteArray_GetLength failed,0), +PKIX_ERRORENTRY(BYTEARRAYGETPOINTERFAILED,PKIX_PL_ByteArray_GetPointer failed,0), +PKIX_ERRORENTRY(BYTEARRAYTOHEXSTRINGFAILED,pkix_pl_ByteArray_ToHexString failed,0), +PKIX_ERRORENTRY(BYTEARRAYTOSTRINGFAILED,PKIX_PL_ByteArray_ToString failed,0), +PKIX_ERRORENTRY(CACHECERTADDFAILED,pkix_CacheCert_Add failed,0), +PKIX_ERRORENTRY(CACHECERTCHAINADDFAILED,pkix_CacheCertChain_Add failed,0), +PKIX_ERRORENTRY(CACHECERTCHAINLOOKUPFAILED,pkix_CacheCertChain_Lookup failed,0), +PKIX_ERRORENTRY(CACHECERTCHAINREMOVEFAILED,pkix_CacheCertChain_Remove failed,0), +PKIX_ERRORENTRY(CACHECRLENTRYADDFAILED,pkix_CacheCrlEntry_Add failed,0), +PKIX_ERRORENTRY(CACHECRLENTRYLOOKUPFAILED,pkix_CacheCrlEntry_Lookup failed,0), +PKIX_ERRORENTRY(CALLOCFAILED,PKIX_PL_Calloc failed,0), +PKIX_ERRORENTRY(CANNOTAQUIRECRLDER,Failed to get DER CRL,0), +PKIX_ERRORENTRY(CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES, Fail to convert certificate usage to pkix KU and EKU,0), +PKIX_ERRORENTRY(CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY,Cannot open CollectionCertStoreContext directory,0), +PKIX_ERRORENTRY(CANTCREATESTRING,Cannot create PKIX_PL_String,0), +PKIX_ERRORENTRY(CANTDECODEBINDRESPONSEFROMSERVER,Cannot decode BIND response from server,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(CANTDECODESEARCHRESPONSEFROMSERVER,Cannot decode SEARCH response from server,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(CANTENABLEREVOCATIONWITHOUTCERTSTORE,Cannot enable Revocation without CertStore,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(CANTLOADLIBSMIME,Cannot load smime3 library,0), +PKIX_ERRORENTRY(CANTREREGISTERSYSTEMTYPE,Cannot reregister system type,0), +PKIX_ERRORENTRY(CERTARECERTPOLICIESCRITICALFAILED,PKIX_PL_Cert_AreCertPoliciesCritical failed,0), +PKIX_ERRORENTRY(CERTBASICCONSTRAINTSCREATEFAILED,pkix_pl_CertBasicConstraints_Create failed,0), +PKIX_ERRORENTRY(CERTBASICCONSTRAINTSTOSTRINGFAILED,PKIX_PL_CertBasicConstraints_ToString failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERCHECKCALLBACKFAILED,PKIX_CertChainChecker_CheckCallback failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERCHECKFAILED,PKIX_CertChainChecker_Check failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERCREATEFAILED,PKIX_CertChainChecker_Create failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_GetCertChainCheckerState failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERGETCHECKCALLBACKFAILED,PKIX_CertChainChecker_GetCheckCallback failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED,PKIX_CertChainChecker_GetSupportedExtensions failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED,PKIX_CertChainChecker_IsForwardCheckingSupported failed,0), +PKIX_ERRORENTRY(CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_SetCertChainCheckerState failed,0), +PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION,CertChain fails Certificate Policy validation,SEC_ERROR_POLICY_VALIDATION_FAILED), +PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain,0), +PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain,0), +PKIX_ERRORENTRY(CERTCHECKCERTTYPEFAILED,Check cert type failed,SEC_ERROR_INADEQUATE_CERT_TYPE), +PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed,SEC_ERROR_EXPIRED_CERTIFICATE), +PKIX_ERRORENTRY(CERTCHECKCRLFAILED,Fail to get crl cache issued by cert,0), +PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE), +PKIX_ERRORENTRY(CERTCHECKNAMECONSTRAINTSFAILED,PKIX_PL_Cert_CheckNameConstraints failed,0), +PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,0), +PKIX_ERRORENTRY(CERTCOMPLETECRLDECODEDENTRIESFAILED,CERT_CompleteCRLDecodedEntries failed,0), +PKIX_ERRORENTRY(CERTCOPYNAMECONSTRAINTFAILED,CERT_CopyNameConstraint failed,0), +PKIX_ERRORENTRY(CERTCOPYNAMEFAILED,CERT_CopyName failed,0), +PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed,0), +PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed,0), +PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed,0), +PKIX_ERRORENTRY(CERTCREATEWITHNSSCERTFAILED,pkix_pl_Cert_CreateWithNSSCert failed,0), +PKIX_ERRORENTRY(CERTDECODEALTNAMEEXTENSIONFAILED,CERT_DecodeAltNameExtension failed,0), +PKIX_ERRORENTRY(CERTDECODECERTIFICATEPOLICIESEXTENSIONFAILED,CERT_DecodeCertificatePoliciesExtension failed,0), +PKIX_ERRORENTRY(CERTDECODEDERCERTIFICATEFAILED,CERT_DecodeDERCertificate failed,0), +PKIX_ERRORENTRY(CERTDECODEDERCRLFAILED,CERT_DecodeDERCrl failed,0), +PKIX_ERRORENTRY(CERTDECODEINHIBITANYEXTENSIONFAILED,CERT_DecodeInhibitAnyExtension failed,0), +PKIX_ERRORENTRY(CERTDECODEINHIBITANYPOLICYFAILED,pkix_pl_Cert_DecodeInhibitAnyPolicy failed,0), +PKIX_ERRORENTRY(CERTDECODEOIDSEQUENCEFAILED,CERT_DecodeOidSequence failed,0), +PKIX_ERRORENTRY(CERTDECODEPOLICYCONSTRAINTSEXTENSIONFAILED,CERT_DecodePolicyConstraintsExtension failed,0), +PKIX_ERRORENTRY(CERTDECODEPOLICYCONSTRAINTSFAILED,pkix_pl_Cert_DecodePolicyConstraints failed,0), +PKIX_ERRORENTRY(CERTDECODEPOLICYINFOFAILED,pkix_pl_Cert_DecodePolicyInfo failed,0), +PKIX_ERRORENTRY(CERTDECODEPOLICYMAPPINGFAILED,pkix_pl_Cert_DecodePolicyMapping failed,0), +PKIX_ERRORENTRY(CERTDECODEPOLICYMAPPINGSEXTENSIONFAILED,CERT_DecodePolicyMappingsExtension failed,0), +PKIX_ERRORENTRY(CERTEQUALSFAILED,pkix_pl_Cert_Equals failed,0), +PKIX_ERRORENTRY(CERTFAILEDNAMECONSTRAINTSCHECKING,Cert failed NameConstraints checking,SEC_ERROR_CERT_NOT_IN_NAME_SPACE), +PKIX_ERRORENTRY(CERTGETALLSUBJECTNAMESFAILED,PKIX_PL_Cert_GetAllSubjectNames failed,0), +PKIX_ERRORENTRY(CERTGETAUTHORITYINFOACCESSFAILED,PKIX_PL_Cert_GetAuthorityInfoAccess failed,0), +PKIX_ERRORENTRY(CERTGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetAuthorityKeyIdentifier failed,0), +PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTFAILED,PKIX_PL_Cert_GetBasicConstraint failed,0), +PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTSFAILED,PKIX_PL_Cert_GetBasicConstraints failed,0), +PKIX_ERRORENTRY(CERTGETCACHEFLAGFAILED,PKIX_Cert_GetCacheFlag failed,0), +PKIX_ERRORENTRY(CERTGETCERTCERTIFICATEFAILED,PKIX_PL_Cert_GetCERTCertificate failed,0), +PKIX_ERRORENTRY(CERTGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_Cert_GetCriticalExtensionOIDs failed,0), +PKIX_ERRORENTRY(CERTGETCRLDPFAILED,Failed to get cert crldp extension, 0), +PKIX_ERRORENTRY(CERTGETEXTENDEDKEYUSAGEFAILED,PKIX_PL_Cert_GetExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(CERTGETINHIBITANYPOLICYFAILED,PKIX_PL_Cert_GetInhibitAnyPolicy failed,0), +PKIX_ERRORENTRY(CERTGETISSUERFAILED,PKIX_PL_Cert_GetIssuer failed,0), +PKIX_ERRORENTRY(CERTGETNAMECONSTRAINTSFAILED,PKIX_PL_CertGetNameConstraints failed,0), +PKIX_ERRORENTRY(CERTGETNSSSUBJECTALTNAMESFAILED,pkix_pl_Cert_GetNssSubjectAltNames failed,0), +PKIX_ERRORENTRY(CERTGETPOLICYINFORMATIONFAILED,PKIX_PL_Cert_GetPolicyInformation failed,0), +PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGINHIBITEDFAILED,PKIX_PL_Cert_GetPolicyMappingInhibited failed,0), +PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGSFAILED,PKIX_PL_Cert_GetPolicyMappings failed,0), +PKIX_ERRORENTRY(CERTGETREQUIREEXPLICITPOLICYFAILED,PKIX_PL_Cert_GetRequireExplicitPolicy failed,0), +PKIX_ERRORENTRY(CERTGETSERIALNUMBERFAILED,PKIX_PL_Cert_GetSerialNumber failed,0), +PKIX_ERRORENTRY(CERTGETSUBJALTNAMESFAILED,PKIX_PL_Cert_GetSubjAltNames failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTALTNAMESFAILED,PKIX_PL_Cert_GetSubjectAltNames failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTFAILED,PKIX_PL_Cert_GetSubject failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTINFOACCESSFAILED,PKIX_PL_Cert_GetSubjectInfoAccess failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetSubjectKeyIdentifier failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTPUBLICKEYALGIDFAILED,PKIX_PL_Cert_GetSubjectPublicKeyAlgId failed,0), +PKIX_ERRORENTRY(CERTGETSUBJECTPUBLICKEYFAILED,PKIX_PL_Cert_GetSubjectPublicKey failed,0), +PKIX_ERRORENTRY(CERTGETVALIDITYNOTAFTERFAILED,PKIX_PL_Cert_GetValidityNotAfter failed,0), +PKIX_ERRORENTRY(CERTGETVERSIONFAILED,PKIX_PL_Cert_GetVersion failed,0), +PKIX_ERRORENTRY(CERTHASHCODEFAILED,PKIX_PL_Cert_Hashcode failed,0), +PKIX_ERRORENTRY(CERTIFICATEDOESNTHAVEVALIDCRL,Certificate does not have a valid CRL,SEC_ERROR_CRL_NOT_FOUND), +PKIX_ERRORENTRY(CERTIFICATEREVOKED,Certificate is revoked,SEC_ERROR_REVOKED_CERTIFICATE), +PKIX_ERRORENTRY(CERTIMPORTCERTIFICATEFUNCTIONFAILED,CERTImportCertificate function failed,0), +PKIX_ERRORENTRY(CERTISCERTTRUSTEDFAILED,PKIX_PL_Cert_IsCertTrusted failed,SEC_ERROR_UNTRUSTED_CERT), +PKIX_ERRORENTRY(CERTISEXTENSIONCRITICALFAILED,pkix_pl_Cert_IsExtensionCritical failed,0), +PKIX_ERRORENTRY(CERTMERGENAMECONSTRAINTSFAILED,PKIX_PL_Cert_MergeNameConstraints failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED,PKIX_PL_CertNameConstraints_CheckNameInNameSpace failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED,PKIX_PL_CertNameConstraints_CheckNamesInNameSpace failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMESPACENSSNAMESFAILED,pkix_pl_CertNameConstraints_CheckNameSpaceNssNames failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED,pkix_pl_CertNameConstraints_CopyNssNameConstraints failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEBYMERGEFAILED,pkix_pl_CertNameConstraints_CreateByMerge failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEFAILED,pkix_pl_CertNameConstraints_Create failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEHELPERFAILED,pkix_pl_CertNameConstraints_Create_Helper failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSGETEXCLUDEDFAILED,pkix_pl_CertNameConstraints_GetExcluded failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSGETPERMITTEDFAILED,pkix_pl_CertNameConstraints_GetPermitted failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSMERGEFAILED,pkix_pl_CertNameConstraints_Merge failed,0), +PKIX_ERRORENTRY(CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED,pkix_pl_CertNameConstraints_ToString_Helper failed,0), +PKIX_ERRORENTRY(CERTNAMETOASCIIFAILED,CERT_NameToAscii failed,0), +PKIX_ERRORENTRY(CERTNOTALLOWEDTOSIGNCERTIFICATES,Cert not allowed to sign certificates,SEC_ERROR_CA_CERT_INVALID), +PKIX_ERRORENTRY(CERTPOLICYINFOCREATEFAILED,pkix_pl_CertPolicyInfo_Create failed,0), +PKIX_ERRORENTRY(CERTPOLICYINFOGETPOLICYIDFAILED,PKIX_PL_CertPolicyInfo_GetPolicyId failed,0), +PKIX_ERRORENTRY(CERTPOLICYINFOGETPOLQUALIFIERSFAILED,PKIX_PL_CertPolicyInfo_GetPolQualifiers failed,0), +PKIX_ERRORENTRY(CERTPOLICYMAPCREATEFAILED,pkix_pl_CertPolicyMap_Create failed,0), +PKIX_ERRORENTRY(CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED,PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy failed,0), +PKIX_ERRORENTRY(CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED,PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy failed,0), +PKIX_ERRORENTRY(CERTPOLICYQUALIFIERCREATEFAILED,pkix_pl_CertPolicyQualifier_Create failed,0), +PKIX_ERRORENTRY(CERTREJECTEDBYREVOCATIONCHECKER,Cert rejected by revocation checker,0), +PKIX_ERRORENTRY(CERTSELECTORCHECKFAILED,Validation failed: CertSelector check failed,0), +PKIX_ERRORENTRY(CERTSELECTORCREATEFAILED,PKIX_CertSelector_Create failed,0), +PKIX_ERRORENTRY(CERTSELECTORFAILED,certSelector failed,0), +PKIX_ERRORENTRY(CERTSELECTORGETCOMCERTSELPARAMSFAILED,PKIX_CertSelector_GetComCertSelParams failed,0), +PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED,PKIX_CertSelector_GetCommonCertSelectorParam failed,0), +PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_GetCommonCertSelectorParams failed,0), +PKIX_ERRORENTRY(CERTSELECTORGETMATCHCALLBACKFAILED,PKIX_CertSelector_GetMatchCallback failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKeyId failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTISSUERFAILED,cert does not match issuer name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTOBJECTFAILED,cert does not match cert object,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSERIALNUMFAILED,cert does not match serial number,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSUBJECTFAILED,cert does not match subject name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTVERSIONFAILED,cert does not match cert version,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,SEC_ERROR_INADEQUATE_CERT_TYPE), +PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE), +PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJALTNAMESFAILED,pkix_CertSelector_Match_SubjAltNames failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJKEYIDFAILED,pkix_CertSelector_Match_SubjKeyId failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPKALGIDFAILED,pkix_CertSelector_Match_SubjPKAlgId failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPUBKEYFAILED,pkix_CertSelector_Match_SubjPubKey failed,0), +PKIX_ERRORENTRY(CERTSELECTORSELECTFAILED,pkix_CertSelector_Select failed,0), +PKIX_ERRORENTRY(CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_SetCommonCertSelectorParams failed,0), +PKIX_ERRORENTRY(CERTSETASTRUSTANCHORFAILED, PKIX_PL_Cert_SetAsTrustAnchor failed, 0), +PKIX_ERRORENTRY(CERTSETCACHEFLAGFAILED,PKIX_PL_Cert_SetCacheFlag failed,0), +PKIX_ERRORENTRY(CERTSETTRUSTCERTSTOREFAILED,PKIX_PL_Cert_SetTrustCertStore failed,0), +PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFAILED,PKIX_CertStore_CertContinue failed,0), +PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFUNCTIONFAILED,PKIX_CertStore_CertContinueFunction failed,0), +PKIX_ERRORENTRY(CERTSTORECREATEFAILED,PKIX_CertStore_Create failed,0), +PKIX_ERRORENTRY(CERTSTORECRLCONTINUEFAILED,PKIX_CertStore_CrlContinue failed,0), +PKIX_ERRORENTRY(CERTSTOREEQUALSFAILED,pkix_CertStore_Equals failed,0), +PKIX_ERRORENTRY(CERTSTORECRLCHECKFAILED,Fail to check cert crl revocation,0), +PKIX_ERRORENTRY(CERTSTOREGETCHECKREVBYCRLFAILED,Can not get revocation check function,0), +PKIX_ERRORENTRY(CERTSTOREFAILTOIMPORTCRLLIST,Fail to import crls,0), +PKIX_ERRORENTRY(CERTSTOREGETCERTCALLBACKFAILED,PKIX_CertStore_GetCertCallback failed,0), +PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECACHEFLAGFAILED,PKIX_CertStore_GetCertStoreCacheFlag failed,0), +PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECONTEXTFAILED,PKIX_CertStore_GetCertStoreContext failed,0), +PKIX_ERRORENTRY(CERTSTOREGETCRLCALLBACKFAILED,PKIX_CertStore_GetCRLCallback failed,0), +PKIX_ERRORENTRY(CERTSTOREGETLOCALFLAGFAILED,PKIX_CertStore_GetLocalFlag failed,0), +PKIX_ERRORENTRY(CERTSTOREGETTRUSTCALLBACKFAILED,PKIX_CertStore_GetTrustCallback failed,0), +PKIX_ERRORENTRY(CERTSTOREHASHCODEFAILED,pkix_CertStore_Hashcode failed,0), +PKIX_ERRORENTRY(CERTTOSTRINGFAILED,PKIX_PL_Cert_ToString failed,0), +PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0), +PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0), +PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0), +PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0), +PKIX_ERRORENTRY(CHAINVERIFYCALLBACKFAILED,Chain rejected by Application Callback,SEC_ERROR_APPLICATION_CALLBACK_ERROR), +PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0), +PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0), +PKIX_ERRORENTRY(CHECKCHAINFAILED,pkix_CheckChain failed,0), +PKIX_ERRORENTRY(CHECKTRUSTCALLBACKFAILED,CheckTrustCallback failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECRLFAILED,pkix_pl_CollectionCertStoreContext_PopulateCrl failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECERTFAILED,pkix_pl_CollectionCertStoreContext_CreateCert failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECRLFAILED,pkix_pl_CollectionCertStoreContext_CreateCRL failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTGETSELECTCERTFAILED,pkix_pl_CollectionCertStoreContext_GetSelectCert failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTGETSELECTCRLFAILED,pkix_pl_CollectionCertStoreContext_GetSelectCRL failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0), +PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTPOPULATECRLFAILED,pkix_pl_CollectionCertStoreContext_PopulateCRL failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSCREATEFAILED,PKIX_ComCertSelParams_Create failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetAuthorityKeyIdentifier failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_GetBasicConstraints failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEFAILED,PKIX_ComCertSelParams_GetCertificate failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_GetCertificateValid failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED,PKIX_ComCertSelParams_GetExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETISSUERFAILED,PKIX_ComCertSelParams_GetIssuer failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETKEYUSAGEFAILED,PKIX_ComCertSelParams_GetKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_GetLeafCertFlag failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetMatchAllSubjAltNames failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED,PKIX_ComCertSelParams_GetNameConstraints failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETPATHTONAMESFAILED,PKIX_ComCertSelParams_GetPathToNames failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETPOLICYFAILED,PKIX_ComCertSelParams_GetPolicy failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSERIALNUMBERFAILED,PKIX_ComCertSelParams_GetSerialNumber failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetSubjAltNames failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJECTFAILED,PKIX_ComCertSelParams_GetSubject failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetSubjKeyIdentifier failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPKALGIDFAILED,PKIX_ComCertSelParams_GetSubjPKAlgId failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPUBKEYFAILED,PKIX_ComCertSelParams_GetSubjPubKey failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETVERSIONFAILED,PKIX_ComCertSelParams_GetVersion failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_SetBasicConstraints failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCertificate failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_SetLeafCertFlag failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_SetSubjKeyIdentifier failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSADDISSUERNAMEFAILED,PKIX_ComCRLSelParams_AddIssuerName failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSCREATEFAILED,PKIX_ComCRLSelParams_Create failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSEQUALSFAILED,pkix_ComCRLSelParams_Equals failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSGETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_GetDateAndTime failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSGETISSUERNAMESFAILED,PKIX_ComCRLSelParams_GetIssuerNames failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSGETMAXCRLNUMBERFAILED,PKIX_ComCRLSelParams_GetMaxCRLNumber failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSGETMINCRLNUMBERFAILED,PKIX_ComCRLSelParams_GetMinCRLNumber failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED,PKIX_ComCRLSelParams_GetNISTPolicyEnabled failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSSETCERTFAILED,PKIX_ComCRLSelParams_SetCertificateChecking failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSSETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_SetDateAndTime failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSTOSTRINGFAILED,pkix_ComCRLSelParams_ToString failed,0), +PKIX_ERRORENTRY(COMCRLSELPARAMSTOSTRINGHELPERFAILED,pkix_ComCRLSelParams_ToString_Helper failed,0), +PKIX_ERRORENTRY(COMPARATORCALLBACKFAILED,comparator callback failed,0), +PKIX_ERRORENTRY(CONTENTTYPENOTPKCS7MIME,Content type is not application/pkcs7-mime,0), +PKIX_ERRORENTRY(CONTENTTYPENOTPKIXCRL,Content type is not application/pkix-crl,SEC_ERROR_BAD_HTTP_RESPONSE), +PKIX_ERRORENTRY(COULDNOTALLOCATEMEMORY,Could not allocate memory,0), +PKIX_ERRORENTRY(COULDNOTALLOCATENEWSTRINGOBJECT,Could not allocate new string object,0), +PKIX_ERRORENTRY(COULDNOTAPPENDCHILDTOPARENTSPOLICYNODELIST,Could not append child to parent PolicyNode list,0), +PKIX_ERRORENTRY(COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST,Could not append child to parent VerifyNode list,0), +PKIX_ERRORENTRY(COULDNOTCREATEAIAMGROBJECT,Could not create AiaMgr object,0), +PKIX_ERRORENTRY(COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT,Could not create basic constraints state object,0), +PKIX_ERRORENTRY(COULDNOTCREATEBUILDPARAMSOBJECT,Could not create build params object,0), +PKIX_ERRORENTRY(COULDNOTCREATEBUILDRESULTOBJECT,Could not create build result object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTBASICCONSTRAINTSOBJECT,Could not create a CertBasicConstraints object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTCHAINCHECKEROBJECT,Could not create cert chain checker object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTNAMECONSTRAINTSOBJECT,Could not create CertNameConstraints object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYINFOOBJECT,Could not create a CertPolicyInfo object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYMAPOBJECT,Could not create a CertPolicyMap object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYQUALIFIEROBJECT,Could not create a CertPolicyQualifier object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTSELECTOROBJECT,Could not create cert selector object,0), +PKIX_ERRORENTRY(COULDNOTCREATECERTSTOREOBJECT,Could not create CertStore object,0), +PKIX_ERRORENTRY(COULDNOTCREATECOLLECTIONCERTSTORECONTEXTOBJECT,Could not create CollectionCertStoreContext object,0), +PKIX_ERRORENTRY(COULDNOTCREATECOMMONCERTSELPARAMSOBJECT,Could not create common certsel params object,0), +PKIX_ERRORENTRY(COULDNOTCREATECOMMONCRLSELECTORPARAMSOBJECT,Could not create common crl selector params object,0), +PKIX_ERRORENTRY(COULDNOTCREATECRLENTRYOBJECT,Could not create CRLENTRY object,0), +PKIX_ERRORENTRY(COULDNOTCREATECRLOBJECT,Could not create CRL object,0), +PKIX_ERRORENTRY(COULDNOTCREATECRLSELECTOROBJECT,Could not create CRLSelector object,0), +PKIX_ERRORENTRY(COULDNOTCREATECRLCHECKEROBJECT,Could not create CRLChecker object,0), +PKIX_ERRORENTRY(COULDNOTCREATEOCSPCHECKEROBJECT,Could not create OcspChecker object,0), +PKIX_ERRORENTRY(COULDNOTCREATEREVOCATIONMETHODOBJECT,Could not create RevocationMethod object,0), +PKIX_ERRORENTRY(COULDNOTCREATEDEFAULTREVOCATIONCHECKEROBJECT,Could not create DefaultRevocationChecker object,0), +PKIX_ERRORENTRY(COULDNOTCREATEEKUCHECKERSTATEOBJECT,Could not create EkuCheckerState object,0), +PKIX_ERRORENTRY(COULDNOTCREATEFORWARDBUILDERSTATEOBJECT,Could not create forwardBuilder state object,0), +PKIX_ERRORENTRY(COULDNOTCREATEHASHTABLEOBJECT,Could not create HashTable object,0), +PKIX_ERRORENTRY(COULDNOTCREATEHTTPDEFAULTCLIENTOBJECT,Could not create HttpDefaultClient object,0), +PKIX_ERRORENTRY(COULDNOTCREATEINFOACCESSOBJECT,Could not create InfoAccess object,0), +PKIX_ERRORENTRY(COULDNOTCREATELDAPDEFAULTCLIENTOBJECT,Could not create LdapDefaultClient object,0), +PKIX_ERRORENTRY(COULDNOTCREATELOCKOBJECT,Could not create lock object,0), +PKIX_ERRORENTRY(COULDNOTCREATELOGGEROBJECT,Could not create Logger object,0), +PKIX_ERRORENTRY(COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT,Could not create NameConstraintsCheckerState object,0), +PKIX_ERRORENTRY(COULDNOTCREATENSSDN,Could not create NSS DN,0), +PKIX_ERRORENTRY(COULDNOTCREATEOBJECT,Could not create object,0), +PKIX_ERRORENTRY(COULDNOTCREATEOBJECTSTORAGE,Could not create object storage,0), +PKIX_ERRORENTRY(COULDNOTCREATEPOLICYCHECKERSTATEOBJECT,Could not create policyChecker state object,0), +PKIX_ERRORENTRY(COULDNOTCREATEPOLICYNODEOBJECT,Could not create a PolicyNode object,0), +PKIX_ERRORENTRY(COULDNOTCREATEPROCESSINGPARAMSOBJECT,Could not create processing params object,0), +PKIX_ERRORENTRY(COULDNOTCREATERESOURCELIMITOBJECT,Could not create ResourceLimit object,0), +PKIX_ERRORENTRY(COULDNOTCREATESIGNATURECHECKERSTATEOBJECT,Could not create SignatureCheckerState object,0), +PKIX_ERRORENTRY(COULDNOTCREATESOCKETOBJECT,Could not create Socket object,0), +PKIX_ERRORENTRY(COULDNOTCREATESTRING,Could not create string,0), +PKIX_ERRORENTRY(COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT,Could not create target cert checker state object,0), +PKIX_ERRORENTRY(COULDNOTCREATETRUSTANCHOROBJECT,Could not create trust anchor object,0), +PKIX_ERRORENTRY(COULDNOTCREATEVALIDATEPARAMSOBJECT,Could not create validate params object,0), +PKIX_ERRORENTRY(COULDNOTCREATEVALIDATERESULTOBJECT,Could not create validate result object,0), +PKIX_ERRORENTRY(COULDNOTCREATEVERIFYNODEOBJECT,Could not create a VerifyNode object,0), +PKIX_ERRORENTRY(COULDNOTCREATEX500NAMEOBJECT,Could not create X500Name object,0), +PKIX_ERRORENTRY(COULDNOTGETFIRSTOBJECTTYPE,Could not get first object type,0), +PKIX_ERRORENTRY(COULDNOTGETSECONDOBJECTTYPE,Could not get second object type,0), +PKIX_ERRORENTRY(COULDNOTGETTYPEOFSECONDARGUMENT,Could not get type of second argument,0), +PKIX_ERRORENTRY(COULDNOTLOOKUPINHASHTABLE,Could not lookup in hashtable,0), +PKIX_ERRORENTRY(COULDNOTMALLOCNEWKEY,Could not malloc new key,0), +PKIX_ERRORENTRY(COULDNOTTESTWHETHERKEYSEQUAL,Could not test whether keys are equal,0), +PKIX_ERRORENTRY(CREATECERTFAILED,CreateCert failed,0), +PKIX_ERRORENTRY(CREATECRLSELECTORDUPLICATEOBJECTFAILED,Create CRLSelector Duplicate Object failed,0), +PKIX_ERRORENTRY(CREATEPROCESSINGPARAMSFAILED,Failed to create processing parameters,0), +PKIX_ERRORENTRY(CRLCHECKERCREATEFAILED,pkix_CRLChecker_Create failed,0), +PKIX_ERRORENTRY(CRLCHECKERINITIALIZEFAILED,pkix_CRLChecker_Initialize failed,0), +PKIX_ERRORENTRY(CRLCHECKERNOLOCALCERTSTOREFOUND,No local cert store found, 0), +PKIX_ERRORENTRY(CRLCHECKERSETSELECTORFAILED,pkix_CRLChecker_SetSelector failed,0), +PKIX_ERRORENTRY(CRLCREATEFAILED,PKIX_PL_CRL_Create failed,0), +PKIX_ERRORENTRY(CRLCREATETOLISTFAILED,pkix_pl_CRL_CreateToList failed,0), +PKIX_ERRORENTRY(CRLCREATEWITHSIGNEDCRLFAILED,pkix_pl_CRL_CreateWithSignedCRL failed,0), +PKIX_ERRORENTRY(CRLCRITICALEXTENSIONOIDSNOTPROCESSED,CRL Critical Extension OIDs not processed,0), +PKIX_ERRORENTRY(CRLDPCREATEFAILED, Failed to create CRL DP,0), +PKIX_ERRORENTRY(CRLENTRYCREATEFAILED,pkix_pl_CRLEntry_Create failed,0), +PKIX_ERRORENTRY(CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED,CRLEntry Critical Extension was not processed,0), +PKIX_ERRORENTRY(CRLENTRYEXTENSIONSEQUALSFAILED,PKIX_PL_CRLEntry_Extensions_Equals failed,0), +PKIX_ERRORENTRY(CRLENTRYEXTENSIONSHASHCODEFAILED,pkix_pl_CRLEntry_Extensions_Hashcode failed,0), +PKIX_ERRORENTRY(CRLENTRYGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_CRLEntry_GetCriticalExtensionOIDs failed,0), +PKIX_ERRORENTRY(CRLENTRYGETCRLENTRYREASONCODEFAILED,PKIX_PL_CRLEntry_GetCRLEntryReasonCode failed,0), +PKIX_ERRORENTRY(CRLENTRYTOSTRINGHELPERFAILED,pkix_pl_CRLEntry_ToString_Helper failed,0), +PKIX_ERRORENTRY(CRLGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_CRL_GetCriticalExtensionOIDs failed,0), +PKIX_ERRORENTRY(CRLGETCRLENTRIESFAILED,pkix_pl_CRL_GetCRLEntries failed,0), +PKIX_ERRORENTRY(CRLGETCRLENTRYFORSERIALNUMBERFAILED,PKIX_PL_CRL_GetCRLEntryForSerialNumber failed,0), +PKIX_ERRORENTRY(CRLGETCRLNUMBERFAILED,PKIX_PL_CRL_GetCRLNumber failed,0), +PKIX_ERRORENTRY(CRLGETISSUERFAILED,PKIX_PL_CRL_GetIssuer failed,0), +PKIX_ERRORENTRY(CRLGETPARTITIONEDFLAGFAILED,PKIX_PL_CRL_IsPartitioned failed,0), +PKIX_ERRORENTRY(CRLGETSIGNATUREALGIDFAILED,pkix_pl_CRL_GetSignatureAlgId failed,0), +PKIX_ERRORENTRY(CRLGETVERSIONFAILED,pkix_pl_CRL_GetVersion failed,0), +PKIX_ERRORENTRY(CRLISSUECERTEXPIRED,CRL issue cert has expired,0), +PKIX_ERRORENTRY(CRLMAXNUMBERRANGEMATCHFAILED,CRL MaxNumber Range Match Failed,0), +PKIX_ERRORENTRY(CRLSELECTORCREATEFAILED,PKIX_CRLSelector_Create failed,0), +PKIX_ERRORENTRY(CRLSELECTORFAILED,crlSelector failed,0), +PKIX_ERRORENTRY(CRLSELECTORGETCOMCERTSELPARAMSFAILED,PKIX_CRLSelector_GetComCertSelParams failed,0), +PKIX_ERRORENTRY(CRLSELECTORGETMATCHCALLBACKFAILED,PKIX_CRLSelector_GetMatchCallback failed,0), +PKIX_ERRORENTRY(CRLSELECTORMATCHCALLBACKFAILED,PKIX_CRLSelector_MatchCallback failed,0), +PKIX_ERRORENTRY(CRLSELECTORMATCHFAILED,crlSelectorMatch failed,0), +PKIX_ERRORENTRY(CRLSELECTORSELECTFAILED,pkix_CRLSelector_Select failed,0), +PKIX_ERRORENTRY(CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED,PKIX_CRLSelector_SetCommonCRLSelectorParams failed,0), +PKIX_ERRORENTRY(CRLSELECTORTOSTRINGHELPERFAILED,pkix_CRLSelector_ToString_Helper failed,0), +PKIX_ERRORENTRY(CRLTOSTRINGHELPERFAILED,pkix_pl_CRL_ToString_Helper failed,0), +PKIX_ERRORENTRY(CRLVERIFYUPDATETIMEFAILED,pkix_pl_CRL_VerifyUpdateTime failed,0), +PKIX_ERRORENTRY(DATECREATECURRENTOFFBYSECONDSFAILED,PKIX_PL_Date_Create_CurrentOffBySeconds failed,0), +PKIX_ERRORENTRY(DATECREATEFROMPRTIMEFAILED,pkix_pl_Date_CreateFromPRTime failed,0), +PKIX_ERRORENTRY(DATECREATEUTCTIMEFAILED,PKIX_PL_Date_Create_UTCTime failed,0), +PKIX_ERRORENTRY(DATEDERTIMETOPRTIMEFAILED,Fail to convert encoded time to PRTime,0), +PKIX_ERRORENTRY(DATEEQUALSFAILED,PKIX_PL_Date_Equals failed,0), +PKIX_ERRORENTRY(DATEGETPRTIMEFAILED,pkix_pl_Date_GetPRTime failed,0), +PKIX_ERRORENTRY(DATEHASHCODEFAILED,PKIX_PL_Date_Hashcode failed,0), +PKIX_ERRORENTRY(DATETOSTRINGFAILED,PKIX_Date_ToString failed,0), +PKIX_ERRORENTRY(DATETOSTRINGHELPERFAILED,pkix_pl_Date_ToString_Helper failed,0), +PKIX_ERRORENTRY(DECIPHERONLYKEYUSAGENOTSUPPORTED,decipherOnly key usage not supported,0), +PKIX_ERRORENTRY(DECODINGCERTNAMECONSTRAINTSFAILED,Decoding Cert NameConstraints failed,0), +PKIX_ERRORENTRY(DEFAULTREVCHECKERCREATEFAILED,pkix_DefaultRevChecker_Create failed,0), +PKIX_ERRORENTRY(DEFAULTREVCHECKERINITIALIZEFAILED,pkix_DefaultRevChecker_Initialize failed,0), +PKIX_ERRORENTRY(DEPTHWOULDEXCEEDRESOURCELIMITS,Depth would exceed Resource Limits,SEC_ERROR_OUT_OF_SEARCH_LIMITS), +PKIX_ERRORENTRY(DERASCIITOTIMEFAILED,DER_AsciiToTime failed,0), +PKIX_ERRORENTRY(DERDECODETIMECHOICEFAILED,DER_DecodeTimeChoice failed,0), +PKIX_ERRORENTRY(DERDECODETIMECHOICEFORLASTUPDATEFAILED,DER_DecodeTimeChoice for lastUpdate failed,0), +PKIX_ERRORENTRY(DERDECODETIMECHOICEFORNEXTUPDATEFAILED,DER_DecodeTimeChoice for nextUpdate failed,0), +PKIX_ERRORENTRY(DERENCODETIMECHOICEFAILED,DER_EncodeTimeChoice failed,0), +PKIX_ERRORENTRY(DERGENERALIZEDDAYTOASCIIFAILED,DER_GeneralizedDayToAscii failed,0), +PKIX_ERRORENTRY(DERTIMETOUTCTIMEFAILED,DER_TimeToUTCTime failed,0), +PKIX_ERRORENTRY(DERUTCTIMETOASCIIFAILED,DER_UTCTimeToAscii failed,0), +PKIX_ERRORENTRY(DESTROYSPKIFAILED,pkix_pl_DestroySPKI failed,0), +PKIX_ERRORENTRY(DIRECTORYNAMECREATEFAILED,pkix_pl_DirectoryName_Create failed,0), +PKIX_ERRORENTRY(DUPLICATEIMMUTABLEFAILED,pkix_duplicateImmutable failed,0), +PKIX_ERRORENTRY(CANNOTSORTIMMUTABLELIST,pkix_List_BubbleSort can not sort immutable list,0), +PKIX_ERRORENTRY(EKUCHECKERGETREQUIREDEKUFAILED,pkix_pl_EkuChecker_GetRequiredEku failed,0), +PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed,0), +PKIX_ERRORENTRY(EKUCHECKERSTATECREATEFAILED,pkix_pl_EkuCheckerState_Create failed,0), +PKIX_ERRORENTRY(ENABLEREVOCATIONWITHOUTCERTSTORE,Enable Revocation without CertStore,0), +PKIX_ERRORENTRY(ERRORALLOCATINGMONITORLOCK,Error Allocating MonitorLock,0), +PKIX_ERRORENTRY(ERRORALLOCATINGRWLOCK,Error Allocating RWLock,0), +PKIX_ERRORENTRY(ERRORCREATINGCHILDSTRING,Error creating child string,0), +PKIX_ERRORENTRY(ERRORCREATINGFORMATSTRING,Error creating format string,0), +PKIX_ERRORENTRY(ERRORCREATINGINDENTSTRING,Error creating indent string,0), +PKIX_ERRORENTRY(ERRORCREATINGITEMSTRING,Error creating item string,0), +PKIX_ERRORENTRY(ERRORCREATINGLISTITEM,Error Creating List Item,0), +PKIX_ERRORENTRY(ERRORCREATINGSUBTREESTRING,Error creating subtree string,0), +PKIX_ERRORENTRY(ERRORCREATINGTABLELOCK,Error creating table lock,0), +PKIX_ERRORENTRY(ERRORFINDINGORPROCESSINGURI,Error finding or processing URI,0), +PKIX_ERRORENTRY(ERRORGETTINGCAUSESTRING,Error getting cause string,0), +PKIX_ERRORENTRY(ERRORGETTINGCLASSTABLEENTRY,Error getting class table entry,0), +PKIX_ERRORENTRY(ERRORGETTINGHASHCODE,Error getting hashcode,0), +PKIX_ERRORENTRY(ERRORGETTINGSECONDOBJECTTYPE,Error getting second object type,0), +PKIX_ERRORENTRY(ERRORINBYTEARRAYHASHCODE,Error in PKIX_PL_ByteArray_Hashcode,0), +PKIX_ERRORENTRY(ERRORINGETTINGDESTRUCTOR,Error in getting destructor,0), +PKIX_ERRORENTRY(ERRORINHASH,Error in pkix_hash,0), +PKIX_ERRORENTRY(ERRORINLISTHASHCODE,Error in PKIX_List_Hashcode,0), +PKIX_ERRORENTRY(ERRORINOBJECTDEFINEDESTROY,Error in object-defined destroy callback,0), +PKIX_ERRORENTRY(ERRORINOIDHASHCODE,Error in PKIX_PL_OID_Hashcode,0), +PKIX_ERRORENTRY(ERRORINRECURSIVEEQUALSCALL,Error in recursive equals call,0), +PKIX_ERRORENTRY(ERRORINSINGLEPOLICYNODETOSTRING,Error in pkix_SinglePolicyNode_ToString,0), +PKIX_ERRORENTRY(ERRORINSINGLEVERIFYNODETOSTRING,Error in pkix_SingleVerifyNode_ToString,0), +PKIX_ERRORENTRY(ERRORINSPRINTF,Error in PKIX_PL_Sprintf,0), +PKIX_ERRORENTRY(ERRORINSTRINGCREATE,Error in PKIX_PL_String_Create,0), +PKIX_ERRORENTRY(ERRORLOCKINGOBJECT,Error locking object,0), +PKIX_ERRORENTRY(ERRORTOSTRINGFAILED,PKIX_Error_ToString failed,0), +PKIX_ERRORENTRY(ERRORTRAVERSINGBUCKET,Error traversing bucket,0), +PKIX_ERRORENTRY(ERRORUNLOCKINGMUTEX,Error unlocking mutex,0), +PKIX_ERRORENTRY(ERRORUNLOCKINGOBJECT,Error unlocking object,0), +PKIX_ERRORENTRY(ESCASCIITOUTF16FAILED,pkix_EscASCII_to_UTF16 failed,0), +PKIX_ERRORENTRY(EXPIRATIONCHECKERINITIALIZEFAILED,pkix_ExpirationChecker_Initialize failed,0), +PKIX_ERRORENTRY(EXTENDEDKEYUSAGECHECKINGFAILED,Extended Key Usage Checking failed,SEC_ERROR_INADEQUATE_CERT_TYPE), +PKIX_ERRORENTRY(EXTENDEDKEYUSAGEUSEROBJECT,Extended Key Usage User Object,0), +PKIX_ERRORENTRY(EXTRACTPARAMETERSFAILED,pkix_ExtractParameters failed,0), +PKIX_ERRORENTRY(FAILEDINENCODINGSEARCHREQUEST,failed in encoding searchRequest,SEC_ERROR_FAILED_TO_ENCODE_DATA), +PKIX_ERRORENTRY(FAILEDTODECODECRL, failed to decode CRL,SEC_ERROR_BAD_DER), +PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots,0), +PKIX_ERRORENTRY(FAILEDTOGETTRUST, failed to get trust from the cert,0), +PKIX_ERRORENTRY(FAILTOREMOVEDPFROMLIST, failed to remove dp from the list,0), +PKIX_ERRORENTRY(FAILTOSELECTCERTSFROMANCHORS,failed to select certs from anchors,0), +PKIX_ERRORENTRY(FAILUREHASHINGCERT,Failure hashing Cert,0), +PKIX_ERRORENTRY(FAILUREHASHINGERROR,Failure hashing Error,0), +PKIX_ERRORENTRY(FAILUREHASHINGLISTEXPECTEDPOLICYSET,Failure hashing PKIX_List expectedPolicySet,0), +PKIX_ERRORENTRY(FAILUREHASHINGLISTQUALIFIERSET,Failure hashing PKIX_List qualifierSet,0), +PKIX_ERRORENTRY(FAILUREHASHINGOIDVALIDPOLICY,Failure hashing PKIX_PL_OID validPolicy,0), +PKIX_ERRORENTRY(FANOUTEXCEEDSRESOURCELIMITS,Fanout exceeds Resource Limits,0), +PKIX_ERRORENTRY(FETCHINGCACHEDCRLFAILED,Fetching Cached CRLfailed,0), +PKIX_ERRORENTRY(FILLINPROCESSINGPARAMSFAILED,Fail to fill in parameters,0), +PKIX_ERRORENTRY(FILLINRETURNRESULTSFAILED,Fail to fill in return results,0), +PKIX_ERRORENTRY(FIRSTARGUMENTNOTBYTEARRAY,FirstObject is not a ByteArray,0), +PKIX_ERRORENTRY(FIRSTARGUMENTNOTCERTBASICCONSTRAINTSOBJECT,First argument is not a CertBasicConstraints Object,0), +PKIX_ERRORENTRY(FIRSTDOUBLEHEXMUSTNOTBE00,First DoubleHex MUST NOT be 00,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(FIRSTFIELDMUSTBEBETWEEN02,First field must be between 0-2,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTANOCSPRESPONSE,FirstObject is not an OcspResponse,0), +PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTLDAPREQUEST,FirstObject is not a LdapRequest,0), +PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTLDAPRESPONSE,FirstObject is not a LdapResponse,0), +PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTOCSPREQUEST,FirstObject is not a OcspRequest,0), +PKIX_ERRORENTRY(FIRSTOBJECTARGUMENTNOTANX500NAME,FirstObject is not an X500Name,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTANERROROBJECT,FirstObject is not an Error object,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTBIGINT,FirstObject not a BigInt,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTBUILDPARAMS,FirstObject is not a BuildParams,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTBUILDRESULT,FirstObject is not a BuildResult,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERT,FirstObject is not a Cert,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTBASICCONSTRAINTS,FirstObject is not a CertBasicConstraints,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTNAMECONSTRAINTS,FirstObject is not a CertNameConstraints,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYINFO,FirstObject is not a CertPolicyInfo,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYMAP,FirstObject is not a CertPolicyMap,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYQUALIFIER,FirstObject is not a CertPolicyQualifier,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCOMCRLSELPARAMS,FirstObject is not a ComCRLSelParams,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCRL,FirstObject is not a CRL,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCRLENTRY,FirstObject is not a CRLEntry,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTCRLSELECTOR,FirstObject is not a CRLSelector,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTDATE,FirstObject is not a Date,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTERROR,FirstObject is not an Error,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTGENERALNAME,FirstObject is not a GeneralName,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTINFOACCESS,FirstObject is not a InfoAccess,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTLIST,FirstObject is not a List,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTLOGGER,FirstObject is not a Logger,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTPOLICYNODE,FirstObject is not a PolicyNode,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTPROCESSINGPARAMS,FirstObject is not a ProcessingParams,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTPUBLICKEY,FirstObject is not a PublicKey,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTRESOURCELIMITS,FirstObject is not a ResourceLimits,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTSTRING,FirstObject is not a String,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTTRUSTANCHOR,FirstObject is not a TrustAnchor,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTVALIDATEPARAMS,FirstObject is not a ValidateParams,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTVALIDATERESULT,FirstObject is not a ValidateResult,0), +PKIX_ERRORENTRY(FIRSTOBJECTNOTVERIFYNODE,FirstObject is not a VerifyNode,0), +PKIX_ERRORENTRY(FIRSTPUBKEYTYPENULLKEY,firstPubKeyType is nullKey,0), +PKIX_ERRORENTRY(FUNCTIONMUSTNOTBEUSED,Function MUST not be used,SEC_ERROR_LIBPKIX_INTERNAL), +PKIX_ERRORENTRY(FORWARDBUILDERSTATEDUMPSTATEFAILED,pkix_ForwardBuilderState_DumpState failed,0), +PKIX_ERRORENTRY(FORWARDBUILDERSTATEISIOPENDINGFAILED,pkix_ForwardBuilderState_IsIOPending failed,0), +PKIX_ERRORENTRY(FORWARDBUILDSTATECREATEFAILED,pkix_ForwardBuildState_Create failed,0), +PKIX_ERRORENTRY(FREEFAILED,PKIX_PL_Free failed,0), +PKIX_ERRORENTRY(GENERALNAMECREATEFAILED,pkix_pl_GeneralName_Create failed,0), +PKIX_ERRORENTRY(GENERALNAMEGETNSSGENERALNAMEFAILED,pkix_pl_GeneralName_GetNssGeneralName failed,0), +PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGDOUBLESLASH,GeneralName string missing double slash,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGLOCATIONTYPE,GeneralName string missing location type,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGSERVERSITE,GeneralName string missing server-site,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(GENERALNAMETOSTRINGFAILED,pkix_pl_GeneralName_ToString failed,0), +PKIX_ERRORENTRY(GENERALNAMETOSTRINGHELPERFAILED,pkix_pl_GeneralName_ToString_Helper failed,0), +PKIX_ERRORENTRY(GENERICCLIENTNOTANLDAPDEFAULTCLIENT,genericClient is not an LdapDefaultClient,0), +PKIX_ERRORENTRY(GETATTRIBUTESCALLEDFORNONENTRYMESSAGE,GetAttributes called for non-Entry message,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(GETCERTSFAILED,getCerts failed,0), +PKIX_ERRORENTRY(GETCRITICALEXTENSIONOIDSFAILED,pkix_GetCriticalExtensionOIDs failed,0), +PKIX_ERRORENTRY(GETCRLSFAILED,getCrls failed,0), +PKIX_ERRORENTRY(GETOIDTOKENFAILED,pkix_pl_getOIDToken failed,0), +PKIX_ERRORENTRY(GETPKIXERRORCODEFAILED,Get PKIX error code failed,0), +PKIX_ERRORENTRY(GETREQCERTIFICATEUSAGESFAILED,Fail to get required certificate usages,0), +PKIX_ERRORENTRY(GETRESULTCODECALLEDFORNONRESULTMESSAGE,GetResultCode called for non-Result message,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(GETRETCERTIFICATEUSAGESFAILED,Fail to get returned certificate usages,0), +PKIX_ERRORENTRY(GETTRUSTEDCERTLISTFAILED,Fail to get trusted cert list,0), +PKIX_ERRORENTRY(HASHFAILED,pkix_hash failed,0), +PKIX_ERRORENTRY(HASHTABLEADDFAILED,PKIX_PL_HashTable_Add failed,0), +PKIX_ERRORENTRY(HASHTABLECREATEFAILED,PKIX_PL_HashTable_Create failed,0), +PKIX_ERRORENTRY(HASHTABLELOOKUPFAILED,PKIX_PL_HashTable_Lookup failed,0), +PKIX_ERRORENTRY(HASHTABLEREMOVEFAILED,PKIX_PL_HashTable_Remove failed,0), +PKIX_ERRORENTRY(HELPERBYTES2ASCIIFAILED,pkix_pl_helperBytes2Ascii failed,0), +PKIX_ERRORENTRY(HELPERBYTES2ASCIINUMTOKENSZERO,pkix_pl_helperBytes2Ascii: numTokens is zero,0), +PKIX_ERRORENTRY(HTTPCERTSTORECREATEREQUESTSESSIONFAILED,pkix_pl_HttpCertStore_CreateRequestSession failed,0), +PKIX_ERRORENTRY(HTTPCERTSTORECREATEWITHASCIINAMEFAILED,PKIX_PL_HttpCertStore_CreateWithAsciiName failed,0), +PKIX_ERRORENTRY(HTTPCERTSTOREDECODECERTPACKAGEFAILED,pkix_pl_HttpCertStore_DecodeCertPackage failed,0), +PKIX_ERRORENTRY(HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED,pkix_HttpCertStore_FindSocketConnection failed,0), +PKIX_ERRORENTRY(HTTPCERTSTOREPROCESSCERTRESPONSEFAILED,pkix_pl_HttpCertStore_ProcessCertResponse failed,0), +PKIX_ERRORENTRY(HTTPCERTSTOREPROCESSCRLRESPONSEFAILED,pkix_pl_HttpCertStore_ProcessCrlResponse failed,0), +PKIX_ERRORENTRY(HTTPCLIENTCREATESESSIONFAILED,HttpClient->CreateSession failed,0), +PKIX_ERRORENTRY(HTTPCLIENTININVALIDSTATE,HttpClient in invalid state,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTCONNECTCONTINUEFAILED,pkix_pl_HttpDefaultClient_ConnectContinue failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTCREATEFAILED,pkix_pl_HttpDefaultClient_Create failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTDISPATCHFAILED,pkix_pl_HttpDefaultClient_Dispatch failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED,pkix_pl_HttpDefaultClient_HdrCheckComplete failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTINILLEGALSTATE,HttpDefaultClient in illegal state,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVBODYCONTINUEFAILED,pkix_pl_HttpDefaultClient_RecvBodyContinue failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVBODYFAILED,pkix_pl_HttpDefaultClient_RecvBody failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVHDRCONTINUEFAILED,pkix_pl_HttpDefaultClient_RecvHdrContinue failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVHDRFAILED,pkix_pl_HttpDefaultClient_RecvHdr failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTSENDCONTINUEFAILED,pkix_pl_HttpDefaultClient_SendContinue failed,0), +PKIX_ERRORENTRY(HTTPDEFAULTCLIENTSENDFAILED,pkix_pl_HttpDefaultClient_Send failed,0), +PKIX_ERRORENTRY(HTTPSERVERERROR,HTTP Server Error,0), +PKIX_ERRORENTRY(ILLEGALCHARACTERINESCAPEDASCII,Illegal character in Escaped ASCII String,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(ILLEGALCHARACTERINOID,Illegal character in OID,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(ILLEGALDOTINOID,Illegal period in OID,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(ILLEGALSURROGATEPAIR,Illegal surrogate pair in EscapedASCII,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(ILLEGALUNICODECHARACTER,Illegal Unicode character in EscapedASCII,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(ILLEGALUSEOFAMP,Illegal use of ampersand character,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(IMPOSSIBLECRITERIONFORCRLQUERY,Impossible criterion for Crl Query,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,SEC_ERROR_LIBPKIX_INTERNAL), +PKIX_ERRORENTRY(INESCAPEDASCII,in EscapedASCII,0), +PKIX_ERRORENTRY(INFOACCESSCREATEFAILED,pkix_pl_InfoAccess_Create failed,0), +PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,0), +PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0), +PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0), +PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0), +#ifndef NSS_PKIX_NO_LDAP +PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +#endif +PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(INITIALIZECHECKERSFAILED,pkix_InitializeCheckers failed,0), +PKIX_ERRORENTRY(INITIALIZEFAILED,PKIX_PL_Initialize failed,0), +PKIX_ERRORENTRY(INPUTLISTMUSTBEHEADER,Input List must be header,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(INPUTLISTSMUSTBELISTHEADERS,Input Lists must be list headers,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCERTQUERY,Insufficient criteria for Cert query,0), +PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCRLQUERY,Insufficient criteria for Crl Query,0), +PKIX_ERRORENTRY(INTRUSTEDCERT,in Trusted Cert,0), +PKIX_ERRORENTRY(INVALIDCHARACTERINBIGINT,Invalid character in BigInt,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(INVALIDDERENCODINGFOROID,Invalid DER-encoding for OID,0), +PKIX_ERRORENTRY(INVALIDENCODINGOIDTOKENVALUETOOBIG,Invalid encoding: OID token value too big,0), +PKIX_ERRORENTRY(INVALIDPOLICYMAPPINGINCLUDESANYPOLICY,Invalid policyMapping includes anyPolicy,SEC_ERROR_INVALID_POLICY_MAPPING), +PKIX_ERRORENTRY(INVALIDREVOCATIONMETHOD,Invalid revocation method,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(INVALIDSIGNINGCERTINOCSPRESPONSE,Invalid signing Cert in OCSP response,SEC_ERROR_OCSP_INVALID_SIGNING_CERT), +PKIX_ERRORENTRY(INVALIDSTATUS,INVALID STATUS,0), +PKIX_ERRORENTRY(INVALIDSTORETYPEFORSETTINGCONFIGDIR,Invalid Store type for Setting ConfigDir,0), +PKIX_ERRORENTRY(IPADDRBYTES2ASCIIDATALENGTHZERO,pkix_pl_ipAddrBytes2Ascii: data length is zero,0), +PKIX_ERRORENTRY(IPADDRBYTES2ASCIIFAILED,pkix_pl_ipAddrBytes2Ascii failed,0), +PKIX_ERRORENTRY(ISCERTSELFISSUEDFAILED,pkix_IsCertSelfIssued failed,0), +PKIX_ERRORENTRY(ISCERTSELFISSUEFAILED,pkix_IsCertSelfIssue failed,0), +PKIX_ERRORENTRY(KEYUSAGEKEYCERTSIGNBITNOTON,Validation failed: KeyUsage KeyCertSign bit is not on,SEC_ERROR_CA_CERT_INVALID), +PKIX_ERRORENTRY(KEYUSAGEKEYCRLSIGNBITNOTON,Validation failed: KeyUsage CRLSign bit is not on,0), +PKIX_ERRORENTRY(LDAPCERTSTOREBUILDCERTLISTFAILED,pkix_pl_LdapCertStore_BuildCertList failed,0), +PKIX_ERRORENTRY(LDAPCERTSTOREBUILDCRLLISTFAILED,pkix_pl_LdapCertStore_BuildCrlList failed,0), +PKIX_ERRORENTRY(LDAPCERTSTOREDECODECROSSCERTPAIRFAILED,pkix_pl_LdapCertStore_DecodeCrossCertPair failed,0), +PKIX_ERRORENTRY(LDAPCERTSTOREDESTROYAVALISTFAILED,pkix_pl_LdapCertStore_DestroyAVAList failed,0), +PKIX_ERRORENTRY(LDAPCERTSTOREINILLEGALSTATE,LDAP CertStore in illegal state,0), +PKIX_ERRORENTRY(LDAPCERTSTOREMAKENAMEAVALISTFAILED,pkix_pl_LdapCertStore_MakeNameAVAList failed,0), +PKIX_ERRORENTRY(LDAPCLIENTINITIATEREQUESTFAILED,PKIX_PL_LdapClient_InitiateRequest failed,0), +PKIX_ERRORENTRY(LDAPCLIENTRESUMEREQUESTFAILED,PKIX_PL_LdapClient_ResumeRequest failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTABANDONCONTINUEFAILED,pkix_pl_LdapDefaultClient_AbandonContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDCONTINUEFAILED,pkix_pl_LdapDefaultClient_BindContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDFAILED,pkix_pl_LdapDefaultClient_Bind failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDRESPONSECONTINUEFAILED,pkix_pl_LdapDefaultClient_BindResponseContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_BindResponse failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCONNECTCONTINUEFAILED,pkix_pl_LdapDefaultClient_ConnectContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCREATEBYNAMEFAILED,PKIX_PL_LdapDefaultClient_CreateByName failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCREATEHELPERFAILED,pkix_pl_LdapDefaultClient_CreateHelper failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_DecodeBindResponse failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTDISPATCHFAILED,pkix_pl_LdapDefaultClient_Dispatch failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTINILLEGALSTATE,LDAP DefaultClient in illegal state,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEABANDONFAILED,pkix_pl_LdapDefaultClient_MakeAbandon failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEANDFILTERFAILED,pkix_pl_LdapDefaultClient_MakeAndFilter failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEBINDFAILED,pkix_pl_LdapDefaultClient_MakeBind failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEUNBINDFAILED,pkix_pl_LdapDefaultClient_MakeUnbind failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVCHECKCOMPLETEFAILED,pkix_pl_LdapDefaultClient_RecvCheckComplete failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVCONTINUEFAILED,pkix_pl_LdapDefaultClient_RecvContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVFAILED,pkix_pl_LdapDefaultClient_Recv failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVINITIALFAILED,pkix_pl_LdapDefaultClient_RecvInitial failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVNONINITIALFAILED,pkix_pl_LdapDefaultClient_RecvNonInitial failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTSENDCONTINUEFAILED,pkix_pl_LdapDefaultClient_SendContinue failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTSENDFAILED,pkix_pl_LdapDefaultClient_Send failed,0), +PKIX_ERRORENTRY(LDAPDEFAULTCLIENTVERIFYBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_VerifyBindResponse failed,0), +PKIX_ERRORENTRY(LDAPREQUESTATTRSTRINGTOBITFAILED,pkix_pl_LdapRequest_AttrStringToBit failed,0), +PKIX_ERRORENTRY(LDAPREQUESTATTRTYPETOBITFAILED,pkix_pl_LdapRequest_AttrTypeToBit failed,0), +PKIX_ERRORENTRY(LDAPREQUESTCREATEFAILED,pkix_pl_LdapRequest_Create failed,0), +PKIX_ERRORENTRY(LDAPREQUESTENCODEATTRSFAILED,pkix_pl_LdapRequest_EncodeAttrs failed,0), +PKIX_ERRORENTRY(LDAPREQUESTGETENCODEDFAILED,pkix_pl_LdapRequest_GetEncoded failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEAPPENDFAILED,pkix_pl_LdapResponse_Append failed,0), +PKIX_ERRORENTRY(LDAPRESPONSECREATEFAILED,pkix_pl_LdapResponseCreate failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEDECODEFAILED,pkix_pl_LDAPResponse_Decode failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEGETCAPACITYFAILED,pkix_pl_LdapResponse_GetCapacity failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEGETMESSAGEFAILED,pkix_pl_LdapResponse_GetMessage failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEGETMESSAGETYPEFAILED,pkix_pl_LdapResponse_GetMessageType failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEGETRESULTCODEFAILED,pkix_pl_LdapResponse_GetResultCode failed,0), +PKIX_ERRORENTRY(LDAPRESPONSEISCOMPLETEFAILED,pkix_pl_LdapResponse_IsComplete failed,0), +PKIX_ERRORENTRY(LISTAPPENDFAILED,PKIX_List_Append failed,0), +PKIX_ERRORENTRY(LISTAPPENDITEMFAILED,PKIX_List_AppendItem failed,0), +PKIX_ERRORENTRY(LISTAPPENDLISTFAILED,pkix_List_AppendList failed,0), +PKIX_ERRORENTRY(LISTAPPENDUNIQUEFAILED,pkix_List_AppendUnique failed,0), +PKIX_ERRORENTRY(LISTBUBBLESORTFAILED,pkix_List_BubbleSort failed,0), +PKIX_ERRORENTRY(LISTCONTAINSFAILED,pkix_List_Contains failed,0), +PKIX_ERRORENTRY(LISTCREATEFAILED,PKIX_List_Create failed,0), +PKIX_ERRORENTRY(LISTCREATEINTERNALFAILED,pkix_List_Create_Internal failed,0), +PKIX_ERRORENTRY(LISTDELETEITEMFAILED,PKIX_List_DeleteItem failed,0), +PKIX_ERRORENTRY(LISTDUPLICATEFAILED,pkix_List_Duplicate failed,0), +PKIX_ERRORENTRY(LISTEQUALSFAILED,PKIX_List_Equals failed,0), +PKIX_ERRORENTRY(LISTGETELEMENTFAILED,pkix_List_GetElement failed,0), +PKIX_ERRORENTRY(LISTGETITEMFAILED,PKIX_List_GetItem failed,0), +PKIX_ERRORENTRY(LISTGETLENGTHFAILED,PKIX_List_GetLength failed,0), +PKIX_ERRORENTRY(LISTHASHCODEFAILED,pkix_List_Hashcode failed,0), +PKIX_ERRORENTRY(LISTINSERTITEMFAILED,PKIX_List_InsertItem failed,0), +PKIX_ERRORENTRY(LISTISEMPTYFAILED,PKIX_List_IsEmpty failed,0), +PKIX_ERRORENTRY(LISTMERGEFAILED,pkix_List_MergeList failed,0), +PKIX_ERRORENTRY(LISTQUICKSORTFAILED,pkix_List_QuickSort failed,0), +PKIX_ERRORENTRY(LISTREMOVEFAILED,pkix_List_Remove failed,0), +PKIX_ERRORENTRY(LISTREMOVEITEMSFAILED,pkix_List_RemoveItems failed,0), +PKIX_ERRORENTRY(LISTREVERSELISTFAILED,PKIX_List_ReverseList failed,0), +PKIX_ERRORENTRY(LISTSETIMMUTABLEFAILED,PKIX_List_SetImmutable failed,0), +PKIX_ERRORENTRY(LISTSETITEMFAILED,PKIX_List_SetItem failed,0), +PKIX_ERRORENTRY(LISTTOSTRINGFAILED,pkix_List_ToString failed,0), +PKIX_ERRORENTRY(LISTTOSTRINGHELPERFAILED,pkix_List_ToString Helper failed,0), +PKIX_ERRORENTRY(LOCATIONSTRINGNOTPROPERLYTERMINATED,Location string not properly terminated,0), +PKIX_ERRORENTRY(LOCKHASNONZEROREADCOUNT,Lock has non-zero read count,0), +PKIX_ERRORENTRY(LOCKOBJECTFAILED,pkix_LockObject failed,0), +PKIX_ERRORENTRY(LOGGERDUPLICATEFAILED,pkix_Logger_Duplicate failed,0), +PKIX_ERRORENTRY(LOGGINGLEVELEXCEEDSMAXIMUM,Logging Level exceeds Maximum,0), +PKIX_ERRORENTRY(LOOPDISCOVEREDDUPCERTSNOTALLOWED,Loop discovered: duplicate certificates not allowed,SEC_ERROR_UNTRUSTED_ISSUER), +PKIX_ERRORENTRY(LOOPOFERRORCAUSEDETECTED,Loop of error causes detected,0), +PKIX_ERRORENTRY(MAJORVERSIONSDONTMATCH,Major versions do not match,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(MALLOCFAILED,PKIX_PL_Malloc failed,0), +PKIX_ERRORENTRY(MEMLEAKGENERATEDERROR,Error generated for memory leak testing,SEC_ERROR_NO_MEMORY), +PKIX_ERRORENTRY(MINORVERSIONNOTBETWEENDESIREDMINANDMAX,Minor version does not fall between desired minimum and maximum,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(MISSINGDSAPARAMETERS,Missing DSA parameters in Trusted Cert,SEC_ERROR_INVALID_KEY), +PKIX_ERRORENTRY(MONITORLOCKCREATEFAILED,PKIX_PL_MonitorLock_Create failed,0), +PKIX_ERRORENTRY(MONITORLOCKENTERFAILED,PKIX_PL_MonitorLock_Enter failed,0), +PKIX_ERRORENTRY(MONITORLOCKEXITFAILED,PKIX_PL_MonitorLock_Exit failed,0), +PKIX_ERRORENTRY(MUTEXLOCKFAILED,PKIX_PL_Mutex_Lock failed,0), +PKIX_ERRORENTRY(NAMECHAININGCHECKERINITIALIZEFAILED,pkix_NameChainingChecker_Initialize failed,0), +PKIX_ERRORENTRY(NAMECHAININGCHECKFAILED,Name Chaining Check failed,SEC_ERROR_UNKNOWN_ISSUER), +PKIX_ERRORENTRY(NAMECOMPONENTWITHNOEQ,Name Component with no equal sign,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(NAMECONSTRAINTSCHECKERINITIALIZEFAILED,pkix_NameConstraintsChecker_Initialize failed,0), +PKIX_ERRORENTRY(NAMECONSTRAINTSCHECKERSTATECREATEFAILED,pkix_NameConstraintsCheckerState_Create failed,0), +PKIX_ERRORENTRY(NAMETYPENOTSUPPORTED,name type not supported,0), +PKIX_ERRORENTRY(NOCONTENTTYPEINHTTPRESPONSE,No content type in Http Response,SEC_ERROR_BAD_HTTP_RESPONSE), +PKIX_ERRORENTRY(NODESMISSINGFROMCHAIN,Nodes missing from chain,0), +PKIX_ERRORENTRY(NOREGISTEREDHTTPCLIENT,No registered Http Client,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(NORESPONSEDATAINHTTPRESPONSE,No responseData in Http Response,SEC_ERROR_BAD_HTTP_RESPONSE), +PKIX_ERRORENTRY(NOTARGETCERTSUPPLIED,No target cert supplied,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(NOTCONFORMINGCRLDP,Cert CRL DP does not conform to the rfc, 0), +PKIX_ERRORENTRY(NOTDERPACKAGE,Not a DER package,0), +PKIX_ERRORENTRY(NOTENOUGHNAMECOMPONENTSINGENERALNAME,Not enough name components in GeneralName,SEC_ERROR_BAD_INFO_ACCESS_LOCATION), +PKIX_ERRORENTRY(NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED,Failed to convert nss certificate usage to pkix ku and eku data structures,0), +PKIX_ERRORENTRY(NSSCONTEXTCREATEFAILED,PKIX_PL_NssContext_Create failed,0), +PKIX_ERRORENTRY(NSSCONTEXTDESTROYFAILED,PKIX_PL_NssContext_Destroy failed,0), +PKIX_ERRORENTRY(NSSCONTEXTGETCHECKALLUSAGESFAILED, pkix_pl_NssContext_GetCheckAllUsages failed,0), +PKIX_ERRORENTRY(NSSCONTEXTGETRETURNUSAGESFAILED, pkix_pl_NssContext_GetReturnUsages failed,0), +PKIX_ERRORENTRY(NSSCONTEXTGETWINCXFAILED,pkix_pl_NssContext_GetWincx failed,0), +PKIX_ERRORENTRY(NSSCONTEXTSETCERTSIGNCHECKFAILED, pkix_pl_NssContext_SetCertSignatureCheck,0), +PKIX_ERRORENTRY(NSSCONTEXTSETCERTUSAGEFAILED, pkix_pl_NssContext_SetCertUsage failed,0), +PKIX_ERRORENTRY(NSSCONTEXTSETCHECKALLUSAGESFAILED, pkix_pl_NssContext_SetCheckAllUsages failed,0), +PKIX_ERRORENTRY(NSSCONTEXTSETRETURNEDCERTUSAGEFAILED, pkix_pl_NssContext_SetReturnedCertUsage,0), +PKIX_ERRORENTRY(NSSCONTEXTSETRETURNUSAGESFAILED, pkix_pl_NssContext_SetReturnUsages failed,0), +PKIX_ERRORENTRY(NSSCONTEXTVALIDATINGRESPONDERCERTFAILED,pkix_pl_NssContext_ValidatingResponderCert failed,0), +PKIX_ERRORENTRY(NSSTRUSTEDLISTISEMPTY,nss trusted roots list is empty,0), +PKIX_ERRORENTRY(NULLARGUMENT,Null argument,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(NUMBUCKETSEQUALSZERO,NumBuckets equals zero,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(OBJECTALLOCFAILED,PKIX_PL_Object_Alloc failed,0), +PKIX_ERRORENTRY(OBJECTARGUMENTNOTPOLICYMAP,object argument is not a PolicyMap,0), +PKIX_ERRORENTRY(OBJECTCOMPARATORFAILED,PKIX_PL_Object_Comparator failed,0), +PKIX_ERRORENTRY(OBJECTDEFINED,object-defined ,0), +PKIX_ERRORENTRY(OBJECTDUPLICATECERTFAILED,PKIX_PL_Object_Duplicate Cert failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATECONTEXTFAILED,PKIX_PL_Object_Duplicate Context failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEDATEFAILED,PKIX_PL_Object_Duplicate Date failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEFAILED,PKIX_PL_Object_Duplicate failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEISSUERNAMESFAILED,PKIX_PL_Object_Duplicate IssuerNames failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATELISTFAILED,PKIX_PL_Object_Duplicate List failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEMAXCRLNUMBERFAILED,PKIX_PL_Object_Duplicate maxCRLNumber failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEMINCRLNUMBERFAILED,PKIX_PL_Object_Duplicate minCRLNumber failed,0), +PKIX_ERRORENTRY(OBJECTDUPLICATEPARAMSFAILED,PKIX_PL_Object_Duplicate Params failed,0), +PKIX_ERRORENTRY(OBJECTEQUALSFAILED,PKIX_PL_Object_Equals failed,0), +PKIX_ERRORENTRY(OBJECTEQUALSFAILEDONCHILDREN,PKIX_PL_Object_Equals failed on children,0), +PKIX_ERRORENTRY(OBJECTEQUALSFAILEDONEXPECTEDPOLICYSETS,PKIX_PL_Object_Equals failed on expectedPolicySets,0), +PKIX_ERRORENTRY(OBJECTGETTYPEFAILED,PKIX_PL_Object_GetType failed,0), +PKIX_ERRORENTRY(OBJECTHASHCODEFAILED,PKIX_PL_Object_Hashcode failed,0), +PKIX_ERRORENTRY(OBJECTINVALIDATECACHEFAILED,PKIX_PL_Object_InvalidateCache failed,0), +PKIX_ERRORENTRY(OBJECTISTYPEREGISTEREDFAILED,PKIX_PL_Object_IsTypeRegistered failed,0), +PKIX_ERRORENTRY(OBJECTLOCKFAILED,PKIX_PL_Object_Lock failed,0), +PKIX_ERRORENTRY(OBJECTNOTAIAMGR,Object is not a AIAMgr,0), +PKIX_ERRORENTRY(OBJECTNOTANEKUCHECKERSTATE,Object is not an EKU Checker State,0), +PKIX_ERRORENTRY(OBJECTNOTANERROR,Object is not an Error,0), +PKIX_ERRORENTRY(OBJECTNOTANHTTPCERTSTORECONTEXT,Object is not an HttpCertStoreContext,0), +PKIX_ERRORENTRY(OBJECTNOTANHTTPDEFAULTCLIENT,Object is not an HttpDefaultClient,0), +PKIX_ERRORENTRY(OBJECTNOTANINFOACCESS,Object is not an InfoAccess,0), +PKIX_ERRORENTRY(OBJECTNOTANLDAPDEFAULTCLIENT,Object is not an LdapDefaultClient,0), +PKIX_ERRORENTRY(OBJECTNOTANOCSPRESPONSE,Object is not an OcspResponse,0), +PKIX_ERRORENTRY(OBJECTNOTANOID,Object is not an OID,0), +PKIX_ERRORENTRY(OBJECTNOTANSOCKET,Object is not an Socket,0), +PKIX_ERRORENTRY(OBJECTNOTANX500NAME,Object is not an X500Name,0), +PKIX_ERRORENTRY(OBJECTNOTBASICCONSTRAINTSCHECKERSTATE,Object is not a basic constraints checker state,0), +PKIX_ERRORENTRY(OBJECTNOTBIGINT,Object is not a BigInt,0), +PKIX_ERRORENTRY(OBJECTNOTBUILDPARAMS,Object is not a BuildParams,0), +PKIX_ERRORENTRY(OBJECTNOTBUILDRESULT,Object is not a BuildResult,0), +PKIX_ERRORENTRY(OBJECTNOTBYTEARRAY,Object is not a bytearray,0), +PKIX_ERRORENTRY(OBJECTNOTCERT,Object is not a Cert,0), +PKIX_ERRORENTRY(OBJECTNOTCERTBASICCONSTRAINTS,Object is not a CertBasicConstraints,0), +PKIX_ERRORENTRY(OBJECTNOTCERTCHAINCHECKER,Object is not a cert chain checker,0), +PKIX_ERRORENTRY(OBJECTNOTCERTNAMECONSTRAINTS,Object is not a CertNameConstraints,0), +PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYINFO,Object is not a CertPolicyInfo,0), +PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYMAP,Object is not a CertPolicyMap,0), +PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYQUALIFIER,Object is not a CertPolicyQualifier,0), +PKIX_ERRORENTRY(OBJECTNOTCERTSELECTOR,Object is not a cert selector,0), +PKIX_ERRORENTRY(OBJECTNOTCERTSTORE,Object is not a CertStore,0), +PKIX_ERRORENTRY(OBJECTNOTCOLLECTIONCERTSTORECONTEXT,Object is not a CollectionCertStoreContext,0), +PKIX_ERRORENTRY(OBJECTNOTCOMCERTSELPARAMS,Object is not a comCertSelParams,0), +PKIX_ERRORENTRY(OBJECTNOTCOMCRLSELPARAMS,Object is not a ComCRLSelParams,0), +PKIX_ERRORENTRY(OBJECTNOTCRL,Object is not a CRL,0), +PKIX_ERRORENTRY(OBJECTNOTCRLENTRY,Object is not a CRLEntry,0), +PKIX_ERRORENTRY(OBJECTNOTCRLSELECTOR,Object is not a CRLSelector,0), +PKIX_ERRORENTRY(OBJECTNOTDATE,Object is not a Date,0), +PKIX_ERRORENTRY(OBJECTNOTCRLCHECKER,Object is not a CRLChecker,0), +PKIX_ERRORENTRY(OBJECTNOTDEFAULTREVOCATIONCHECKER,Object is not a DefaultRevocationChecker,0), +PKIX_ERRORENTRY(OBJECTNOTFORWARDBUILDERSTATE,Object is not a PKIX_ForwardBuilderState,0), +PKIX_ERRORENTRY(OBJECTNOTGENERALNAME,Object is not a GeneralName,0), +PKIX_ERRORENTRY(OBJECTNOTHASHTABLE,Object is not a hashtable,0), +PKIX_ERRORENTRY(OBJECTNOTINFOACCESS,Object is not a InfoAccess,0), +PKIX_ERRORENTRY(OBJECTNOTLDAPREQUEST,Object is not a LdapRequest,0), +PKIX_ERRORENTRY(OBJECTNOTLDAPRESPONSE,Object is not a LdapResponse,0), +PKIX_ERRORENTRY(OBJECTNOTLIST,Object is not a list,0), +PKIX_ERRORENTRY(OBJECTNOTLOGGER,Object is not a Logger,0), +PKIX_ERRORENTRY(OBJECTNOTMONITORLOCK,Object is not a MonitorLock,0), +PKIX_ERRORENTRY(OBJECTNOTMUTEX,Object is not a Mutex,0), +PKIX_ERRORENTRY(OBJECTNOTNAMECONSTRAINTSCHECKERSTATE,Object is not a name constraints checker state,0), +PKIX_ERRORENTRY(OBJECTNOTOCSPCERTID,Object is not an OcspCertID,0), +PKIX_ERRORENTRY(OBJECTNOTOCSPCHECKER,Object is not an OCSPChecker,0), +PKIX_ERRORENTRY(OBJECTNOTOCSPREQUEST,Object is not an OcspRequest,0), +PKIX_ERRORENTRY(OBJECTNOTPOLICYCHECKERSTATE,Object is not a PKIX_PolicyCheckerState,0), +PKIX_ERRORENTRY(OBJECTNOTPOLICYNODE,Object is not a PolicyNode,0), +PKIX_ERRORENTRY(OBJECTNOTPROCESSINGPARAMS,Object is not a ProcessingParams,0), +PKIX_ERRORENTRY(OBJECTNOTPUBLICKEY,Object is not a PublicKey,0), +PKIX_ERRORENTRY(OBJECTNOTRESOURCELIMITS,Object is not a ResourceLimits,0), +PKIX_ERRORENTRY(OBJECTNOTREVOCATIONCHECKER,Object is not a revocation checker,0), +PKIX_ERRORENTRY(OBJECTNOTRWLOCK,Object is not a RWLock,0), +PKIX_ERRORENTRY(OBJECTNOTSIGNATURECHECKERSTATE,Object is not a signature checker state,0), +PKIX_ERRORENTRY(OBJECTNOTSOCKET,Object is not a Socket,0), +PKIX_ERRORENTRY(OBJECTNOTSTRING,Object is not a string,0), +PKIX_ERRORENTRY(OBJECTNOTTARGETCERTCHECKERSTATE,Object is not a target cert checker state,0), +PKIX_ERRORENTRY(OBJECTNOTTRUSTANCHOR,Object is not a trustAnchor,0), +PKIX_ERRORENTRY(OBJECTNOTVALIDATEPARAMS,Object is not a ValidateParams,0), +PKIX_ERRORENTRY(OBJECTNOTVALIDATERESULT,Object is not a ValidateResult,0), +PKIX_ERRORENTRY(OBJECTNOTVERIFYNODE,Object is not a VerifyNode,0), +PKIX_ERRORENTRY(OBJECTREGISTERTYPEFAILED,PKIX_PL_Object_RegisterType failed,0), +PKIX_ERRORENTRY(OBJECTRETRIEVEEQUALSCALLBACKFAILED,pkix_pl_Object_RetrieveEqualsCallback failed,0), +PKIX_ERRORENTRY(OBJECTSPECIFICFUNCTIONFAILED,object-specific function failed,0), +PKIX_ERRORENTRY(OBJECTSTILLREFERENCED,Object is still referenced,0), +PKIX_ERRORENTRY(OBJECTTOSTRINGFAILED,PKIX_PL_Object_ToString failed,0), +PKIX_ERRORENTRY(OBJECTTYPESDONOTMATCH,Object types do not match,0), +PKIX_ERRORENTRY(OBJECTWITHNONPOSITIVEREFERENCES,Object with non-positive references,0), +PKIX_ERRORENTRY(OCSPCERTIDCREATEFAILED,PKIX_PL_OcspCertID_Create failed,0), +PKIX_ERRORENTRY(OCSPCERTIDGETFRESHCACHESTATUSFAILED,PKIX_PL_OcspCertID_GetFreshCacheStatus returned an error,0), +PKIX_ERRORENTRY(OCSPCERTIDREMEMBEROCSPFAILUREDFAILED,PKIX_PL_OcspCertID_RememberOCSPProcessingFailure,0), +PKIX_ERRORENTRY(OCSPCHECKERCREATEFAILED,PKIX_OcspChecker_Create failed,0), +PKIX_ERRORENTRY(OCSPBADHTTPRESPONSE,Bad Http Response,SEC_ERROR_OCSP_BAD_HTTP_RESPONSE), +PKIX_ERRORENTRY(OCSPREQUESTCREATEFAILED,PKIX_PL_OcspRequest_Create failed,0), +PKIX_ERRORENTRY(OCSPREQUESTGETCERTIDFAILED,pkix_pl_OcspRequest_GetCertID failed,0), +PKIX_ERRORENTRY(OCSPREQUESTGETENCODEDFAILED,pkix_pl_OcspRequest_GetEncoded failed,0), +PKIX_ERRORENTRY(OCSPREQUESTGETLOCATIONFAILED,pkix_pl_OcspRequest_GetLocation failed,0), +PKIX_ERRORENTRY(OCSPRESPONSECREATEFAILED,pkix_pl_OcspResponse_Create failed,0), +PKIX_ERRORENTRY(OCSPRESPONSEDECODEFAILED,pkix_pl_OcspResponse_Decode failed,0), +PKIX_ERRORENTRY(OCSPRESPONSEGETSTATUSFORCERTFAILED,pkix_pl_OcspResponse_GetStatusForCert failed,0), +PKIX_ERRORENTRY(OCSPRESPONSEGETSTATUSRETURNEDANERROR,pkix_pl_OcspResponse_GetStatus returned an error,0), +PKIX_ERRORENTRY(OCSPRESPONSESAYSCERTREVOKED,OCSP response says Cert revoked,SEC_ERROR_REVOKED_CERTIFICATE_OCSP), +PKIX_ERRORENTRY(OCSPRESPONSEVERIFYSIGNATUREFAILED,pkix_pl_OcspResponse_VerifySignature failed,0), +PKIX_ERRORENTRY(OCSPSERVERERROR,OCSP Server Error,SEC_ERROR_OCSP_SERVER_ERROR), +PKIX_ERRORENTRY(OIDBYTES2ASCIIDATALENGTHZERO,pkix_pl_oidBytes2Ascii: data length is zero,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(OIDBYTES2ASCIIFAILED,pkix_pl_oidBytes2Ascii failed,0), +PKIX_ERRORENTRY(OIDBYTESLENGTH0,Oid bytes length is 0,0), +PKIX_ERRORENTRY(OIDCOMPARATORFAILED,pkix_pl_OID_Comparator failed,0), +PKIX_ERRORENTRY(OIDCOMPONENTTOOBIG,Overflow error: OID component > 2^32,0), +PKIX_ERRORENTRY(OIDCREATEFAILED,PKIX_PL_OID_Create failed,0), +PKIX_ERRORENTRY(OIDEQUALFAILED,PKIX_PL_OID_Equal failed,0), +PKIX_ERRORENTRY(OIDEQUALSFAILED,PKIX_PL_OID_Equals failed,0), +PKIX_ERRORENTRY(OIDGETNEXTTOKENFAILED,pkix_pl_OID_GetNextToken failed,0), +PKIX_ERRORENTRY(OIDHASHCODEFAILED,PKIX_PL_OID_Hashcode failed,0), +PKIX_ERRORENTRY(OIDLENGTHTOOSHORT,OID length too short,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(OIDNEEDS2ORMOREFIELDS,OID needs 2 or more fields,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(OIDTOSTRINGFAILED,PKIX_PL_OID_ToString failed,0), +PKIX_ERRORENTRY(OPERATIONNOTPERMITTEDONIMMUTABLELIST,Operation not permitted on Immutable List,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(OTHERNAMECREATEFAILED,pkix_pl_OtherName_Create failed,0), +PKIX_ERRORENTRY(OUTOFMEMORY,Out of Memory,0), +PKIX_ERRORENTRY(PATHLENCONSTRAINTINVALID,Certificate path length constraint is invalid,SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID), +PKIX_ERRORENTRY(PK11CERTSTORECERTQUERYFAILED,pkix_pl_Pk11CertStore_CertQuery failed,0), +PKIX_ERRORENTRY(PK11CERTSTORECREATEFAILED,PKIX_PL_Pk11CertStore_Create failed,0), +PKIX_ERRORENTRY(PK11CERTSTORECRLQUERYFAILED,pkix_pl_Pk11CertStore_CrlQuery failed,0), +PKIX_ERRORENTRY(PKIXUNKNOWNERROR,PKIX uninitialized error code,0), +PKIX_ERRORENTRY(POLICYCHECKERCALCULATEINTERSECTIONFAILED,pkix_PolicyChecker_CalculateIntersection failed,0), +PKIX_ERRORENTRY(POLICYCHECKERCHECKANYFAILED,pkix_PolicyChecker_CheckAny failed,0), +PKIX_ERRORENTRY(POLICYCHECKERCHECKPOLICYRECURSIVEFAILED,pkix_PolicyChecker_CheckPolicyRecursive failed,0), +PKIX_ERRORENTRY(POLICYCHECKERERROR,PolicyChecker Error,0), +PKIX_ERRORENTRY(POLICYCHECKERINITIALIZEFAILED,pkix_PolicyChecker_Initialize failed,0), +PKIX_ERRORENTRY(POLICYCHECKERMAKEMUTABLECOPYFAILED,pkix_PolicyChecker_MakeMutableCopy failed,0), +PKIX_ERRORENTRY(POLICYCHECKERMAKESINGLETONFAILED,pkix_PolicyChecker_MakeSingleton failed,0), +PKIX_ERRORENTRY(POLICYCHECKERMAPCONTAINSFAILED,pkix_PolicyChecker_MapContains failed,0), +PKIX_ERRORENTRY(POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED,pkix_PolicyChecker_MapGetMappedPolicies failed,0), +PKIX_ERRORENTRY(POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED,pkix_PolicyChecker_MapGetSubjectDomainPolicies failed,0), +PKIX_ERRORENTRY(POLICYCHECKERSPAWNFAILED,pkix_PolicyChecker_Spawn failed,0), +PKIX_ERRORENTRY(POLICYCHECKERSTATECREATEFAILED,PKIX_PolicyCheckerState_Create failed,0), +PKIX_ERRORENTRY(POLICYNODEADDTOPARENTFAILED,pkix_PolicyNode_AddToParent failed,0), +PKIX_ERRORENTRY(POLICYNODECREATEFAILED,pkix_PolicyNode_Create failed,0), +PKIX_ERRORENTRY(POLICYNODEDUPLICATEHELPERFAILED,pkix_PolicyNode_DuplicateHelper failed,0), +PKIX_ERRORENTRY(POLICYNODEGETCHILDRENMUTABLEFAILED,pkix_PolicyNode_GetChildrenMutable failed,0), +PKIX_ERRORENTRY(POLICYNODEGETDEPTHFAILED,PKIX_PolicyNode_GetDepth failed,0), +PKIX_ERRORENTRY(POLICYNODEGETEXPECTEDPOLICIESFAILED,PKIX_PolicyNode_GetExpectedPolicies failed,0), +PKIX_ERRORENTRY(POLICYNODEGETPARENTFAILED,PKIX_PolicyNode_GetParent failed,0), +PKIX_ERRORENTRY(POLICYNODEGETPOLICYQUALIFIERSFAILED,PKIX_PolicyNode_GetPolicyQualifiers failed,0), +PKIX_ERRORENTRY(POLICYNODEGETVALIDPOLICYFAILED,PKIX_PolicyNode_GetValidPolicy failed,0), +PKIX_ERRORENTRY(POLICYNODEISCRITICALFAILED,PKIX_PolicyNode_IsCritical failed,0), +PKIX_ERRORENTRY(POLICYNODEPRUNEFAILED,pkix_PolicyNode_Prune failed,0), +PKIX_ERRORENTRY(POLICYTREETOOIDSFAILED,Failed to convert policy tree to oid,0), +PKIX_ERRORENTRY(PORTARENAALLOCFAILED,PORT Arena Allocation failed, 0), +PKIX_ERRORENTRY(PORTUCS2UTF8CONVERSIONFAILED,PORT_UCS2_UTF8Conversion failed.,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(PRACCEPTFAILED,PR_Accept failed,0), +PKIX_ERRORENTRY(PRBINDFAILED,PR_Bind failed,0), +PKIX_ERRORENTRY(PRCONNECTCONTINUEFAILED,PR_ConnectContinue failed,0), +PKIX_ERRORENTRY(PRCONNECTFAILED,PR_Connect failed,0), +PKIX_ERRORENTRY(PRECONDITIONFAILED,Function precondition failed,SEC_ERROR_LIBPKIX_INTERNAL), +PKIX_ERRORENTRY(PRENUMERATEHOSTENTFAILED,PR_EnumerateHostEnt failed.,0), +PKIX_ERRORENTRY(PRGETHOSTBYNAMEREJECTSHOSTNAMEARGUMENT,PR_GetHostByName rejects hostname argument.,0), +PKIX_ERRORENTRY(PRIMHASHTABLEADDFAILED,pkix_pl_PrimHashTable_Add failed,0), +PKIX_ERRORENTRY(PRIMHASHTABLECREATEFAILED,pkix_pl_PrimHashTable_Create failed,0), +PKIX_ERRORENTRY(PRIMHASHTABLEDESTROYFAILED,pkix_pl_PrimHashTable_Destroy failed,0), +PKIX_ERRORENTRY(PRIMHASHTABLEGETBUCKETSIZEFAILED,pkix_pl_PrimHashTable_GetBucketSize failed,0), +PKIX_ERRORENTRY(PRIMHASHTABLELOOKUPFAILED,pkix_pl_PrimHashTable_Lookup failed,0), +PKIX_ERRORENTRY(PRIMHASHTABLEREMOVEFAILED,pkix_pl_PrimHashTable_Remove failed,0), +PKIX_ERRORENTRY(PRLISTENFAILED,PR_Listen failed,0), +PKIX_ERRORENTRY(PRNEWTCPSOCKETFAILED,PR_NewTCPSocket failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSADDCERTCHAINCHECKERFAILED,PKIX_ProcessingParams_AddCertChainChecker failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSADDCERTSTOREFAILED,PKIX_ProcessingParams_AddCertStore failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSADDREVMETHODFAILED,PKIX_ProcessingParams_AddRevocationMethod failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSCREATEFAILED,PKIX_ProcessingParams_Create failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED,PKIX_ProcessingParams_GetCertChainCheckers failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETCERTSTORESFAILED,PKIX_ProcessingParams_GetCertStores failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETDATEFAILED,PKIX_ProcessingParams_GetDate failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETHINTCERTSFAILED,PKIX_ProcessingParams_GetHintCerts failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETINITIALPOLICIESFAILED,PKIX_ProcessingParams_GetInitialPolicies failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED,PKIX_ProcessingParams_GetPolicyQualifiersRejected failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETRESOURCELIMITSFAILED,PKIX_ProcessingParams_GetResourceLimits failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED,PKIX_ProcessingParams_GetRevocationChecker failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_GetRevocationEnabled failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_GetTargetCertConstraints failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSGETTRUSTANCHORSFAILED,PKIX_ProcessingParams_GetTrustAnchors failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED,PKIX_ProcessingParams_IsAnyPolicyInhibited failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED,PKIX_ProcessingParams_IsExplicitPolicyRequired failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED,PKIX_ProcessingParams_IsPolicyMappingInhibited failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETANYPOLICYINHIBITED,PKIX_ProcessingParams_SetAnyPolicyInhibited failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETCERTSTORESFAILED,PKIX_ProcessingParams_SetCertStores failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETDATEFAILED,PKIX_ProcessingParams_SetDate failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED,PKIX_ProcessingParams_SetExplicitPolicyRequired failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETHINTCERTSFAILED,PKIX_ProcessingParams_SetHintCerts failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETINITIALPOLICIESFAILED,PKIX_ProcessingParams_SetInitialPolicies failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetNISTRevocationEnabled failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED,PKIX_ProcessingParams_SetRevocationChecker failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED,ProcessingParams_SetQualifyTargetCertFlag failed,0), +PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed,0), +PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed,0), +PKIX_ERRORENTRY(PRRECVFAILED,PR_Recv failed,0), +PKIX_ERRORENTRY(PRRECVREPORTSNETWORKCONNECTIONCLOSED,PR_Recv reports network connection is closed,0), +PKIX_ERRORENTRY(PRSENDFAILED,PR_Send failed,0), +PKIX_ERRORENTRY(PRSHUTDOWNFAILED,PR_Shutdown failed,0), +PKIX_ERRORENTRY(PRSMPRINTFFAILED,PR_smprintf failed,0), +PKIX_ERRORENTRY(PRSNPRINTFFAILED,PR_snprintf failed,0), +PKIX_ERRORENTRY(PUBKEYTYPENULLKEY,pubKeyType is nullKey,0), +PKIX_ERRORENTRY(PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED,PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed,0), +PKIX_ERRORENTRY(PUBLICKEYNEEDSDSAPARAMETERSFAILED,PKIX_PL_PublicKey_NeedsDSAParameters failed,0), +PKIX_ERRORENTRY(PUBLICKEYTOSTRINGFAILED,PKIX_PL_PublicKey_ToString failed,0), +PKIX_ERRORENTRY(PUBLICKEYTOSTRINGHELPERFAILED,pkix_pl_PublicKey_ToString_Helper failed,0), +PKIX_ERRORENTRY(QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION,Qualifiers in critical Certificate Policy extension,0), +PKIX_ERRORENTRY(REALLOCFAILED,PKIX_PL_Realloc failed,0), +PKIX_ERRORENTRY(RECEIVEDCORRUPTEDOBJECTARGUMENT,Received corrupted object argument,0), +PKIX_ERRORENTRY(REGISTERCERTSTOREFAILED,RegisterCertStores failed,0), +PKIX_ERRORENTRY(REMOVEDUPUNTRUSTEDCERTSFAILED, pkix_Build_RemoveDupUntrustedCerts failed,0), +PKIX_ERRORENTRY(REQUESTNOTANHTTPDEFAULTCLIENT,request is not an HttpDefaultClient,0), +PKIX_ERRORENTRY(RESOURCELIMITSGETMAXDEPTHFAILED,PKIX_ResourceLimits_GetMaxDepth failed,0), +PKIX_ERRORENTRY(RESOURCELIMITSGETMAXFANOUTFAILED,PKIX_ResourceLimits_GetMaxFanout failed,0), +PKIX_ERRORENTRY(RESOURCELIMITSGETMAXTIMEFAILED,PKIX_ResourceLimits_GetMaxTime failed,0), +PKIX_ERRORENTRY(RETRIEVEOUTPUTSFAILED,pkix_RetrieveOutputs failed,0), +PKIX_ERRORENTRY(REVCHECKCERTFAILED,pkix_RevCheckCert failed,0), +PKIX_ERRORENTRY(REVCHECKERCHECKFAILED,revCheckerCheck failed,0), +PKIX_ERRORENTRY(REVOCATIONCHECKERADDMETHODFAILED,Can not add revocation method,0), +PKIX_ERRORENTRY(REVOCATIONCHECKERCREATEFAILED,PKIX_RevocationChecker_Create failed,0), +PKIX_ERRORENTRY(REVOCATIONCHECKERGETREVCALLBACKFAILED,PKIX_RevocationChecker_GetRevCallback failed,0), +PKIX_ERRORENTRY(REVOCATIONCHECKERGETREVCHECKERCONTEXTFAILED,PKIX_RevocationChecker_GetRevCheckerContext failed,0), +PKIX_ERRORENTRY(REVOCATIONCHECKERWASNOTSET,Revocation chekcer was not set,0), +PKIX_ERRORENTRY(REVOKEDBYUNKNOWNCRLREASONCODE,Revoked by Unknown CRL ReasonCode,0), +PKIX_ERRORENTRY(SEARCHRESPONSEPACKETOFUNKNOWNTYPE,SearchResponse packet of unknown type,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(SECASN1ENCODEITEMFAILED,SEC_ASN1EncodeItem failed,SEC_ERROR_FAILED_TO_ENCODE_DATA), +PKIX_ERRORENTRY(SECERRORUNKNOWNISSUER,Nss legacy err code: build failed. Issuer is unknown.,SEC_ERROR_UNKNOWN_ISSUER), +PKIX_ERRORENTRY(SECKEYCOPYSUBJECTPUBLICKEYINFOFAILED,SECKEY_CopySubjectPublicKeyInfo failed,0), +PKIX_ERRORENTRY(SECKEYEXTRACTPUBLICKEYFAILED,SECKEY_ExtractPublicKey failed,0), +PKIX_ERRORENTRY(SECOIDCOPYALGORITHMIDFAILED,SECOID_CopyAlgorithmID failed,0), +PKIX_ERRORENTRY(SECOIDFINDOIDTAGDESCRIPTIONFAILED,SECOID_FindOIDTag Description failed,0), +PKIX_ERRORENTRY(SECONDFIELDMUSTBEBETWEEN039,Second field must be between 0-39,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(SECONDKEYDSAPUBLICKEY,Second key is a DSA public key but has null parameters,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(SECONDKEYNOTDSAPUBLICKEY,Second key is not a DSA public key,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(SECONDPUBKEYTYPENULLKEY,secondPubKeyType is nullKey,0), +PKIX_ERRORENTRY(SECQUICKDERDECODERFAILED,SEC_QuickDERDecodeItem failed,0), +PKIX_ERRORENTRY(SECREADPKCS7CERTSFAILED,SEC_ReadPKCS7Certs failed,0), +PKIX_ERRORENTRY(SELECTORMATCHFAILED,selectorMatch failed,0), +PKIX_ERRORENTRY(SESSIONNOTANHTTPDEFAULTCLIENT,session is not an HttpDefaultClient,0), +PKIX_ERRORENTRY(SETPOLICIESFAILED,Fail to set cert validation policies,0), +PKIX_ERRORENTRY(SHUTDOWNFAILED,PKIX_PL_Shutdown failed,0), +PKIX_ERRORENTRY(SIGNATURECHECKERINITIALIZEFAILED,pkix_SignatureChecker_Initialize failed,0), +PKIX_ERRORENTRY(SIGNATURECHECKERSTATECREATEFAILED,pkix_SignatureCheckerState_Create failed,0), +PKIX_ERRORENTRY(SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY,Signature did not verify with the public key,0), +PKIX_ERRORENTRY(SINGLEPOLICYNODEEQUALSFAILED,PKIX_PL_SinglePolicyNode_Equals failed,0), +PKIX_ERRORENTRY(SINGLEPOLICYNODEHASHCODEFAILED,pkix_SinglePolicyNode_Hashcode failed,0), +PKIX_ERRORENTRY(SINGLEPOLICYNODETOSTRINGFAILED,pkix_SinglePolicyNode_ToString failed,0), +PKIX_ERRORENTRY(SINGLEVERIFYNODEEQUALSFAILED,PKIX_PL_SingleVerifyNode_Equals failed,0), +PKIX_ERRORENTRY(SINGLEVERIFYNODEHASHCODEFAILED,pkix_SingleVerifyNode_Hashcode failed,0), +PKIX_ERRORENTRY(SOCKETCONNECTCONTINUEFAILED,pkix_pl_Socket_ConnectContinue failed,0), +PKIX_ERRORENTRY(SOCKETCONNECTFAILED,pkix_pl_Socket_Connect failed,0), +PKIX_ERRORENTRY(SOCKETCREATEBYHOSTANDPORTFAILED,pkix_pl_Socket_CreateByHostAndPort failed,0), +PKIX_ERRORENTRY(SOCKETCREATEBYNAMEFAILED,pkix_pl_Socket_CreateByName failed,0), +PKIX_ERRORENTRY(SOCKETCREATECLIENTFAILED,pkix_pl_Socket_CreateClient failed,0), +PKIX_ERRORENTRY(SOCKETCREATEFAILED,pkix_pl_Socket_Create failed,0), +PKIX_ERRORENTRY(SOCKETCREATESERVERFAILED,pkix_pl_Socket_CreateServer failed,0), +PKIX_ERRORENTRY(SOCKETEQUALSFAILED,PKIX_PL_Socket_Equals failed,0), +PKIX_ERRORENTRY(SOCKETGETCALLBACKLISTFAILED,pkix_pl_Socket_GetCallbackList failed,0), +PKIX_ERRORENTRY(SOCKETGETPRFILEDESCFAILED,pkix_pl_Socket_GetPRFileDesc failed,0), +PKIX_ERRORENTRY(SOCKETHASHCODEFAILED,PKIX_PL_Socket_Hashcode failed,0), +PKIX_ERRORENTRY(SOCKETPOLLFAILED,pkix_pl_Socket_Poll failed,0), +PKIX_ERRORENTRY(SOCKETRECVFAILED,pkix_pl_Socket_Recv failed,0), +PKIX_ERRORENTRY(SOCKETSENDFAILED,pkix_pl_Socket_Send failed,0), +PKIX_ERRORENTRY(SOCKETSETNONBLOCKINGFAILED,pkix_pl_Socket_SetNonBlocking failed,0), +PKIX_ERRORENTRY(SOURCESTRINGHASINVALIDLENGTH,Source string has invalid length,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(SPRINTFFAILED,PKIX_PL_Sprintf failed,0), +PKIX_ERRORENTRY(STRINGCOMPARATORFAILED,pkix_pl_String_Comparator failed,0), +PKIX_ERRORENTRY(STRINGCREATEFAILED,PKIX_PL_String_Create failed,0), +PKIX_ERRORENTRY(STRINGEQUALSFAILED,pkix_pl_String_Equals failed,0), +PKIX_ERRORENTRY(STRINGGETENCODEDFAILED,PKIX_PL_String_GetEncoded failed,0), +PKIX_ERRORENTRY(STRINGHASHCODEFAILED,pkix_pl_String_Hashcode failed,0), +PKIX_ERRORENTRY(SUBJALTNAMECHECKFAILED,Validation failed: SubjAltNamecheck failed,0), +PKIX_ERRORENTRY(TARGETCERTCHECKERINITIALIZEFAILED,pkix_TargetCertChecker_Initialize failed,0), +PKIX_ERRORENTRY(TARGETCERTCHECKERSTATECREATEFAILED,pkix_TargetCertCheckerState_Create failed,0), +PKIX_ERRORENTRY(TESTANOTHERERRORMESSAGE, Another Error Message,0), +PKIX_ERRORENTRY(TESTERRORMESSAGE, Error Message,0), +PKIX_ERRORENTRY(TESTNOMATCHINGPOLICY, No Matching Policy,0), +PKIX_ERRORENTRY(TESTNOTANERRORCRLSELECTMISMATCH, Not an error CRL Select mismatch,0), +PKIX_ERRORENTRY(TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, Policies extension but no Policy Qualifiers,0), +PKIX_ERRORENTRY(TIMECONSUMEDEXCEEDSRESOURCELIMITS,Time consumed exceeds Resource Limits,SEC_ERROR_OUT_OF_SEARCH_LIMITS), +PKIX_ERRORENTRY(TOOLITTLEDATAINDERSEQUENCE,Too little data in DER Sequence,0), +PKIX_ERRORENTRY(TOOMUCHDATAINDERSEQUENCE,Too much data in DER Sequence,0), +PKIX_ERRORENTRY(TOSTRINGFORTHISGENERALNAMETYPENOTSUPPORTED,ToString for this GeneralName type not supported,0), +PKIX_ERRORENTRY(TRUNCATEDUNICODEINESCAPEDASCII,Truncated Unicode in EscapedASCII,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(TRUSTANCHORCREATEWITHCERTFAILED,PKIX_TrustAnchor_CreateWithCert failed,0), +PKIX_ERRORENTRY(TRUSTANCHORGETCANAMEFAILED,PKIX_TrustAnchor_GetCAName failed,0), +PKIX_ERRORENTRY(TRUSTANCHORGETCAPUBLICKEYFAILED,PKIX_TrustAnchor_GetCAPublicKey failed,0), +PKIX_ERRORENTRY(TRUSTANCHORGETNAMECONSTRAINTSFAILED,PKIX_TrustAnchor_GetNameConstraints failed,0), +PKIX_ERRORENTRY(TRUSTANCHORGETTRUSTEDCERTFAILED,PKIX_TrustAnchor_GetTrustedCert failed,0), +PKIX_ERRORENTRY(TRUSTANCHORTOCERTFAILED,Fail to convert trust anchor to cert,0), +PKIX_ERRORENTRY(TYPEALREADYREGISTERED,Type is already registered,0), +PKIX_ERRORENTRY(UNABLETOADDACCEPTABLERESPONSESTOREQUEST,Unable to add acceptableResponses to request,0), +PKIX_ERRORENTRY(UNABLETOADDCERTTOCERTLIST,Unable to add Cert to CertList,0), +PKIX_ERRORENTRY(UNABLETOBUILDCHAIN,Unable to build chain,0), +PKIX_ERRORENTRY(UNABLETOCREATECERTOCSPREQUEST,Unable to create a CertOCSPRequest,0), +PKIX_ERRORENTRY(UNABLETOCREATECRLSTRING,Unable to create crlString,0), +PKIX_ERRORENTRY(UNABLETOCREATEGENERALNAMEOFTHISTYPE,Unable to create GeneralName of this type,0), +PKIX_ERRORENTRY(UNABLETOCREATEISSUER,Unable to create Issuer,0), +PKIX_ERRORENTRY(UNABLETOCREATELIST,Unable to create list,0), +PKIX_ERRORENTRY(UNABLETOCREATENEWCERTLIST,Unable to create a new CertList,0), +PKIX_ERRORENTRY(UNABLETOCREATEPSTRING,Unable to create pString,0), +PKIX_ERRORENTRY(UNABLETOFINDSTATUSINOCSPRESPONSE,Unable to find status in OCSP response,SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS), +PKIX_ERRORENTRY(UNABLETOMAKELISTIMMUTABLE,Unable to make list immutable,0), +PKIX_ERRORENTRY(UNABLETOOPENCERTFILE,Unable to open cert file,0), +PKIX_ERRORENTRY(UNABLETOOPENCRLFILE,Unable to open crl file,0), +PKIX_ERRORENTRY(UNABLETOPARSEOCSPRESPONSE,Unable to parse OCSP response,SEC_ERROR_OCSP_MALFORMED_RESPONSE), +PKIX_ERRORENTRY(UNABLETOREADDERFROMCERTFILE,Unable to read DER from cert file,0), +PKIX_ERRORENTRY(UNABLETOREADDERFROMCRLFILE,Unable to read DER from crl file,0), +PKIX_ERRORENTRY(UNABLETOSETSOCKETTONONBLOCKING,Unable to set socket to non-blocking I/O,0), +PKIX_ERRORENTRY(UNDEFINEDCALLBACK,Undefined callback,0), +PKIX_ERRORENTRY(UNDEFINEDCLASSTABLEENTRY,Undefined class table entry,0), +PKIX_ERRORENTRY(UNDEFINEDCOMPARATOR,Undefined Comparator,0), +PKIX_ERRORENTRY(UNDEFINEDDUPLICATEFUNCTION,Undefined Duplicate function,0), +PKIX_ERRORENTRY(UNDEFINEDEQUALSCALLBACK,Undefined equals callback,0), +PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in establishing connection,0), +PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE), +PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD), +PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0), +PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0), +PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0), +PKIX_ERRORENTRY(UNLOCKOBJECTFAILED,pkix_UnlockObject failed,0), +PKIX_ERRORENTRY(UNRECOGNIZEDCRITICALEXTENSION,Unrecognized Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION), +PKIX_ERRORENTRY(UNRECOGNIZEDCRLENTRYCRITICALEXTENSION,Unrecognized CRLEntry Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION), +PKIX_ERRORENTRY(UNRECOGNIZEDPROTOCOLREQUESTED,Unrecognized protocol requested,0), +PKIX_ERRORENTRY(UNRECOGNIZEDREQUESTMETHOD,Unrecognized request method,0), +PKIX_ERRORENTRY(UNRECOGNIZEDTIMETYPE,Unrecognized time type,0), +PKIX_ERRORENTRY(UNSUPPORTEDCRLDPTYPE,CrlDp type is not supported,0), +PKIX_ERRORENTRY(UNSUPPORTEDVERSIONOFHTTPCLIENT,Unsupported version of Http Client,0), +PKIX_ERRORENTRY(UNSUPPORTEDCERTUSAGE,Specified certificate usage is unsupported,SEC_ERROR_CERT_USAGES_INVALID), +PKIX_ERRORENTRY(URLPARSINGFAILED,URL Parsing failed,0), +PKIX_ERRORENTRY(USERCHECKERCHECKFAILED,userCheckerCheck failed,0), +PKIX_ERRORENTRY(UTF16ALIGNMENTERROR,UTF16 Alignment Error,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(UTF16HIGHZONEALIGNMENTERROR,UTF16 High Zone Alignment Error,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(UTF16LOWZONEERROR,UTF16 Low Zone Error,SEC_ERROR_INVALID_ARGS), +PKIX_ERRORENTRY(UTF16TOESCASCIIFAILED,pkix_UTF16_to_EscASCII failed,0), +PKIX_ERRORENTRY(UTF16TOUTF8FAILED,pkix_UTF16_to_UTF8 failed,0), +PKIX_ERRORENTRY(UTF8TOUTF16FAILED,pkix_UTF8_to_UTF16 failed,0), +PKIX_ERRORENTRY(VALIDATEBUILDUSEROIDSFAILED,pkix_Validate_BuildUserOIDs failed,0), +PKIX_ERRORENTRY(VALIDATECERTCHAINFAILED,Failed to validate cert chain,0), +PKIX_ERRORENTRY(VALIDATECHAINFAILED,PKIX_ValidateChain failed,0), +PKIX_ERRORENTRY(VALIDATEPARAMSGETCERTCHAINFAILED,PKIX_ValidateParams_GetCertChain failed,0), +PKIX_ERRORENTRY(VALIDATEPARAMSGETPROCESSINGPARAMSFAILED,PKIX_ValidateParams_GetProcessingParams failed,0), +PKIX_ERRORENTRY(VALIDATERESULTCREATEFAILED,pkix_ValidateResult_Create failed,0), +PKIX_ERRORENTRY(VALIDATERESULTGETPOLICYTREEFAILED,PKIX_ValidateResult_GetPolicyTree failed,0), +PKIX_ERRORENTRY(VALIDATERESULTGETTRUSTANCHORFAILED,PKIX_ValidateResult_GetTrustAnchor failed,0), +PKIX_ERRORENTRY(VALIDATIONFAILEDCERTSIGNATURECHECKING,Validation failed: Cert Signature checking,0), +PKIX_ERRORENTRY(VALIDATIONFAILEDNULLCERTPOINTER,Validation failed: NULL Cert pointer,0), +PKIX_ERRORENTRY(VALIDATIONFAILEDPATHTONAMECHECKFAILED,Validation failed: PathToName check failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE), +PKIX_ERRORENTRY(VALUEINESCAPEDASCII,value in EscapedASCII,0), +PKIX_ERRORENTRY(VERIFYNODEADDTOCHAINFAILED,pkix_VerifyNode_AddToChain failed,0), +PKIX_ERRORENTRY(VERIFYNODEADDTOTREEFAILED,pkix_VerifyNode_AddToTree failed,0), +PKIX_ERRORENTRY(VERIFYNODECREATEFAILED,pkix_VerifyNode_Create failed,0), +PKIX_ERRORENTRY(VERIFYNODEDUPLICATEHELPERFAILED,pkix_VerifyNode_DuplicateHelper failed,0), +PKIX_ERRORENTRY(VERIFYNODEFINDERRORFAILED,pkix_VerifyNode_FindError failed,0), +PKIX_ERRORENTRY(VERIFYNODESETDEPTHFAILED,pkix_VerifyNode_SetDepth failed,0), +PKIX_ERRORENTRY(VERIFYNODESETERRORFAILED,pkix_VerifyNode_SetError failed,0), +PKIX_ERRORENTRY(VERSIONVALUEMUSTBEV1ORV2,Version value must be V1(0) or V2(1),SEC_ERROR_CRL_INVALID), +PKIX_ERRORENTRY(VERSIONVALUEMUSTBEV1V2ORV3,Version value must be v1(0) v2(1) or v3(2),SEC_ERROR_CERT_VALID), +PKIX_ERRORENTRY(X500NAMECOMPAREDERBYTESFAILED,pkix_pl_X500Name_CompareDERBytes failed,0), +PKIX_ERRORENTRY(X500NAMECREATEFAILED,PKIX_PL_X500Name_Create failed,0), +PKIX_ERRORENTRY(X500NAMECREATEFROMCERTNAMEFAILED,pkix_pl_X500Name_CreateFromCERTName failed,0), +PKIX_ERRORENTRY(X500NAMECREATEFROMUTF8FAILED,pkix_pl_X500Name_CreateFromUtf8 failed,0), +PKIX_ERRORENTRY(X500NAMEEQUALSFAILED,PKIX_PL_X500Name_Equals failed,0), +PKIX_ERRORENTRY(X500NAMEGETCOMMONNAMEFAILED,pkix_pl_X500Name_GetCommonName failed,0), +PKIX_ERRORENTRY(X500NAMEGETCOUNTRYNAMEFAILED,pkix_pl_X500Name_GetCountryName failed,0), +PKIX_ERRORENTRY(X500NAMEGETORGNAMEFAILED,pkix_pl_X500Name_GetOrgName failed,0), +PKIX_ERRORENTRY(X500NAMEGETSECNAMEFAILED,pkix_pl_X500Name_GetSECName failed,0), +PKIX_ERRORENTRY(X500NAMEHASHCODEFAILED,PKIX_PL_X500Name_Hashcode failed,0), +PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0), +PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0), +PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0), +PKIX_ERRORENTRY(INVALIDOCSPHTTPMETHOD,Unsupported HTTP Method for OCSP retrieval,0), +PKIX_ERRORENTRY(OCSPGETREQUESTTOOBIG,OCSP request too big for HTTP GET method,0), +PKIX_ERRORENTRY(CERTISBLOCKLISTEDATISSUANCETIME,Issuer Certificate is distrusted at the time the subordinate certifiate was issued,SEC_ERROR_UNTRUSTED_ISSUER) diff --git a/security/nss/lib/libpkix/include/pkix_params.h b/security/nss/lib/libpkix/include/pkix_params.h new file mode 100644 index 0000000000..a4d8e485cb --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_params.h @@ -0,0 +1,1793 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the various parameters used + * by the top-level functions. + * + */ + +#ifndef _PKIX_PARAMS_H +#define _PKIX_PARAMS_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_ProcessingParams + * + * PKIX_ProcessingParams are parameters used when validating or building a + * chain of certificates. Using the parameters, the caller can specify several + * things, including the various inputs to the PKIX chain validation + * algorithm (such as trust anchors, initial policies, etc), any customized + * functionality (such as CertChainCheckers, RevocationCheckers, CertStores), + * and whether revocation checking should be disabled. + * + * Once the caller has created the ProcessingParams object, the caller then + * passes it to PKIX_ValidateChain or PKIX_BuildChain, which uses it to call + * the user's callback functions as needed during the validation or building + * process. + * + * If a parameter is not set (or is set to NULL), it will be set to the + * default value for that parameter. The default value for the Date parameter + * is NULL, which indicates the current time when the path is validated. The + * default for the remaining parameters is the least constrained. + */ + +/* + * FUNCTION: PKIX_ProcessingParams_Create + * DESCRIPTION: + * + * Creates a new ProcessingParams object. Trust anchor list is set to + * newly created empty list of trust. In this case trust anchors will + * be taken from provided cert store. Pointed to the created + * ProcessingParams object is stored in "pParams". + * + * PARAMETERS: + * "anchors" + * Address of List of (non-empty) TrustAnchors to be used. + * Must be non-NULL. + * "pParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_Create( + PKIX_ProcessingParams **pParams, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetCertChainCheckers + * DESCRIPTION: + * + * Retrieves a pointer to the List of CertChainCheckers (if any) that are set + * in the ProcessingParams pointed to by "params" and stores it at + * "pCheckers". Each CertChainChecker represents a custom certificate + * validation check used by PKIX_ValidateChain or PKIX_BuildChain as needed + * during the validation or building process. If "params" does not have any + * CertChainCheckers, this function stores an empty List at "pCheckers". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of CertChainCheckers (if any) + * are to be stored. Must be non-NULL. + * "pCheckers" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetCertChainCheckers( + PKIX_ProcessingParams *params, + PKIX_List **pCheckers, /* list of PKIX_CertChainChecker */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetCertChainCheckers + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a List of + * CertChainCheckers pointed to by "checkers". Each CertChainChecker + * represents a custom certificate validation check used by + * PKIX_ValidateChain or PKIX_BuildChain as needed during the validation or + * building process. If "checkers" is NULL, no CertChainCheckers will be used. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of CertChainCheckers is to be + * set. Must be non-NULL. + * "checkers" + * Address of List of CertChainCheckers to be set. If NULL, no + * CertChainCheckers will be used. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" and "checkers" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetCertChainCheckers( + PKIX_ProcessingParams *params, + PKIX_List *checkers, /* list of PKIX_CertChainChecker */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_AddCertChainChecker + * DESCRIPTION: + * + * Adds the CertChainChecker pointed to by "checker" to the ProcessingParams + * pointed to by "params". The CertChainChecker represents a custom + * certificate validation check used by PKIX_ValidateChain or PKIX_BuildChain + * as needed during the validation or building process. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be added to. Must be non-NULL. + * "checker" + * Address of CertChainChecker to be added. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_AddCertChainChecker( + PKIX_ProcessingParams *params, + PKIX_CertChainChecker *checker, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetRevocationChecker + * DESCRIPTION: + * + * Retrieves a pointer to the RevocationChecker that are set + * in the ProcessingParams pointed to by "params" and stores it at + * "pRevChecker". Each RevocationChecker represents a revocation + * check used by PKIX_ValidateChain or PKIX_BuildChain as needed during the + * validation or building process. If "params" does not have any + * RevocationCheckers, this function stores an empty List at "pRevChecker". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of RevocationCheckers + * is to be stored. Must be non-NULL. + * "pRevChecker" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetRevocationChecker( + PKIX_ProcessingParams *params, + PKIX_RevocationChecker **pChecker, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetRevocationChecker + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a + * RevocationChecker pointed to by "revChecker". Revocation + * checker object should be created and assigned to processing + * parameters before chain build or validation can begin. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of RevocationCheckers is to be + * set. Must be non-NULL. + * "revChecker" + * Address of RevocationChecker to be set. Must be set before chain + * building or validation. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetRevocationChecker( + PKIX_ProcessingParams *params, + PKIX_RevocationChecker *revChecker, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetCertStores + * DESCRIPTION: + * + * Retrieves a pointer to the List of CertStores (if any) that are set in the + * ProcessingParams pointed to by "params" and stores it at "pStores". Each + * CertStore represents a particular repository from which certificates and + * CRLs can be retrieved by PKIX_ValidateChain or PKIX_BuildChain as needed + * during the validation or building process. If "params" does not have any + * CertStores, this function stores an empty List at "pStores". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of CertStores (if any) are to + * be stored. Must be non-NULL. + * "pStores" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetCertStores( + PKIX_ProcessingParams *params, + PKIX_List **pStores, /* list of PKIX_CertStore */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetCertStores + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a List of CertStores + * pointed to by "stores". Each CertStore represents a particular repository + * from which certificates and CRLs can be retrieved by PKIX_ValidateChain or + * PKIX_BuildChain as needed during the validation or building process. If + * "stores" is NULL, no CertStores will be used. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of CertStores is to be set. + * Must be non-NULL. + * "stores" + * Address of List of CertStores to be set. If NULL, no CertStores will + * be used. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetCertStores( + PKIX_ProcessingParams *params, + PKIX_List *stores, /* list of PKIX_CertStore */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_AddCertStore + * DESCRIPTION: + * + * Adds the CertStore pointed to by "store" to the ProcessingParams pointed + * to by "params". The CertStore represents a particular repository from + * which certificates and CRLs can be retrieved by PKIX_ValidateChain or + * PKIX_BuildChain as needed during the validation or building process. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be added to. Must be non-NULL. + * "store" + * Address of CertStore to be added. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_AddCertStore( + PKIX_ProcessingParams *params, + PKIX_CertStore *store, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetDate + * DESCRIPTION: + * + * Retrieves a pointer to the Date (if any) that is set in the + * ProcessingParams pointed to by "params" and stores it at "pDate". The + * Date represents the time for which the validation of the certificate chain + * should be determined. If "params" does not have any Date set, this function + * stores NULL at "pDate". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose Date (if any) is to be stored. + * Must be non-NULL. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetDate( + PKIX_ProcessingParams *params, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetDate + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a Date pointed to by + * "date". The Date represents the time for which the validation of the + * certificate chain should be determined. If "date" is NULL, the current + * time is used during validation. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose Date is to be set. Must be non-NULL. + * "date" + * Address of Date to be set. If NULL, current time is used. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetDate( + PKIX_ProcessingParams *params, + PKIX_PL_Date *date, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetInitialPolicies + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (if any) that are set in the + * ProcessingParams pointed to by "params" and stores it at "pInitPolicies". + * Each OID represents an initial policy identifier, indicating that any + * one of these policies would be acceptable to the certificate user for + * the purposes of certification path processing. If "params" does not have + * any initial policies, this function stores an empty List at + * "pInitPolicies". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of OIDs (if any) are to be + * stored. Must be non-NULL. + * "pInitPolicies" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetInitialPolicies( + PKIX_ProcessingParams *params, + PKIX_List **pInitPolicies, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetInitialPolicies + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a List of OIDs + * pointed to by "initPolicies". + * + * Each OID represents an initial policy identifier, indicating that any + * one of these policies would be acceptable to the certificate user for + * the purposes of certification path processing. By default, any policy + * is acceptable (i.e. all policies), so a user that wants to allow any + * policy as acceptable does not need to call this method. Similarly, if + * initPolicies is NULL or points to an empty List, all policies are + * acceptable. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of OIDs is to be set. + * Must be non-NULL. + * "initPolicies" + * Address of List of OIDs to be set. If NULL or if pointing to an empty + * List, all policies are acceptable. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetInitialPolicies( + PKIX_ProcessingParams *params, + PKIX_List *initPolicies, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetPolicyQualifiersRejected + * DESCRIPTION: + * + * Checks whether the ProcessingParams pointed to by "params" indicate that + * policy qualifiers should be rejected and stores the Boolean result at + * "pRejected". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams used to determine whether or not policy + * qualifiers should be rejected. Must be non-NULL. + * "pRejected" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetPolicyQualifiersRejected( + PKIX_ProcessingParams *params, + PKIX_Boolean *pRejected, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetPolicyQualifiersRejected + * DESCRIPTION: + * + * Specifies in the ProcessingParams pointed to by "params" whether policy + * qualifiers are rejected using the Boolean value of "rejected". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be set. Must be non-NULL. + * "rejected" + * Boolean value indicating whether policy qualifiers are to be rejected. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetPolicyQualifiersRejected( + PKIX_ProcessingParams *params, + PKIX_Boolean rejected, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetTargetCertConstraints + * DESCRIPTION: + * + * Retrieves a pointer to the CertSelector (if any) that is set in the + * ProcessingParams pointed to by "params" and stores it at "pConstraints". + * The CertSelector represents the constraints to be placed on the target + * certificate. If "params" does not have any CertSelector set, this function + * stores NULL at "pConstraints". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose CertSelector (if any) is to be + * stored. Must be non-NULL. + * "pConstraints" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetTargetCertConstraints( + PKIX_ProcessingParams *params, + PKIX_CertSelector **pConstraints, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetTargetCertConstraints + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a CertSelector + * pointed to by "constraints". The CertSelector represents the constraints + * to be placed on the target certificate. If "constraints" is NULL, no + * constraints are defined. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose CertSelector is to be set. + * Must be non-NULL. + * "constraints" + * Address of CertSelector to be set. If NULL, no constraints are defined. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetTargetCertConstraints( + PKIX_ProcessingParams *params, + PKIX_CertSelector *constraints, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetTrustAnchors + * DESCRIPTION: + * + * Retrieves a pointer to the List of TrustAnchors that are set in + * the ProcessingParams pointed to by "params" and stores it at "pAnchors". + * If the function succeeds, the pointer to the List is guaranteed to be + * non-NULL and the List is guaranteed to be non-empty. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of TrustAnchors are to + * be stored. Must be non-NULL. + * "pAnchors" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetTrustAnchors( + PKIX_ProcessingParams *params, + PKIX_List **pAnchors, /* list of TrustAnchor */ + void *plContext); +/* + * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors + * DESCRIPTION: + * + * Sets user defined set of trust anchors. The handling of the trust anchors + * may be furthered alter via PKIX_ProcessingParams_SetUseOnlyTrustAnchors. + * By default, a certificate will be considered invalid if it does not chain + * to a trusted anchor from this list. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of TrustAnchors are to + * be stored. Must be non-NULL. + * "anchors" + * Address of the trust anchors list object. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetTrustAnchors( + PKIX_ProcessingParams *params, + PKIX_List *pAnchors, /* list of TrustAnchor */ + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetUseOnlyTrustAnchors + * DESCRIPTION: + * + * Retrieves a pointer to the Boolean. The boolean value represents + * the switch value that is used to identify whether trust anchors, if + * specified, should be the exclusive source of trust information. + * If the function succeeds, the pointer to the Boolean is guaranteed to be + * non-NULL. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams. Must be non-NULL. + * "pUseOnlyTrustAnchors" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetUseOnlyTrustAnchors( + PKIX_ProcessingParams *params, + PKIX_Boolean *pUseOnlyTrustAnchors, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors + * DESCRIPTION: + * + * Configures whether trust anchors are used as the exclusive source of trust. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams. Must be non-NULL. + * "useOnlyTrustAnchors" + * If true, indicates that trust anchors should be used exclusively when + * they have been specified via PKIX_ProcessingParams_SetTrustAnchors. A + * certificate will be considered invalid if it does not chain to a + * trusted anchor from that list. + * If false, indicates that the trust anchors are additive to whatever + * existing trust stores are configured. A certificate is considered + * valid if it chains to EITHER a trusted anchor from that list OR a + * certificate marked trusted in a trust store. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetUseOnlyTrustAnchors( + PKIX_ProcessingParams *params, + PKIX_Boolean useOnlyTrustAnchors, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching + * DESCRIPTION: + * + * Retrieves a pointer to the Boolean. The boolean value represents + * the switch value that is used to identify if url in cert AIA extension + * may be used for cert fetching. + * If the function succeeds, the pointer to the Boolean is guaranteed to be + * non-NULL. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams. Must be non-NULL. + * "pUseAIA" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetUseAIAForCertFetching( + PKIX_ProcessingParams *params, + PKIX_Boolean *pUseAIA, /* list of TrustAnchor */ + void *plContext); +/* + * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors + * DESCRIPTION: + * + * Sets switch value that defines if url in cert AIA extension + * may be used for cert fetching. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams. + * "useAIA" + * Address of the trust anchors list object. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetUseAIAForCertFetching( + PKIX_ProcessingParams *params, + PKIX_Boolean useAIA, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert + * DESCRIPTION: + * + * Sets a boolean value that tells if libpkix needs to check that + * the target certificate satisfies the conditions set in processing + * parameters. Includes but not limited to date, ku and eku checks. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of TrustAnchors are to + * be stored. Must be non-NULL. + * "qualifyTargetCert" + * boolean value if set to true will trigger qualification of the + * target certificate. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetQualifyTargetCert( + PKIX_ProcessingParams *params, + PKIX_Boolean qualifyTargetCert, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetHintCerts + * DESCRIPTION: + * + * Retrieves a pointer to a List of Certs supplied by the user as a suggested + * partial CertChain (subject to verification), that are set in the + * ProcessingParams pointed to by "params", and stores it at "pHintCerts". + * The List returned may be empty or NULL. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of TrustAnchors are to + * be stored. Must be non-NULL. + * "pHintCerts" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetHintCerts( + PKIX_ProcessingParams *params, + PKIX_List **pHintCerts, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetHintCerts + * DESCRIPTION: + * + * Stores a pointer to a List of Certs supplied by the user as a suggested + * partial CertChain (subject to verification), as an element in the + * ProcessingParams pointed to by "params". The List may be empty or NULL. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of HintCerts is to be stored. + * Must be non-NULL. + * "hintCerts" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetHintCerts( + PKIX_ProcessingParams *params, + PKIX_List *hintCerts, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_GetResourceLimits + * DESCRIPTION: + * + * Retrieves a pointer to the ResourceLimits (if any) that is set in the + * ProcessingParams pointed to by "params" and stores it at "pResourceLimits". + * The ResourceLimits represent the maximum resource usage that the caller + * desires (such as MaxTime). The ValidateChain or BuildChain call will not + * exceed these maximum limits. If "params" does not have any ResourceLimits + * set, this function stores NULL at "pResourceLimits". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose ResourceLimits (if any) are to be + * stored. Must be non-NULL. + * "pResourceLimits" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_GetResourceLimits( + PKIX_ProcessingParams *params, + PKIX_ResourceLimits **pResourceLimits, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetResourceLimits + * DESCRIPTION: + * + * Sets the ProcessingParams pointed to by "params" with a ResourceLimits + * object pointed to by "resourceLimits". The ResourceLimits represent the + * maximum resource usage that the caller desires (such as MaxTime). The + * ValidateChain or BuildChain call will not exceed these maximum limits. + * If "resourceLimits" is NULL, no ResourceLimits are defined. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose ResourceLimits are to be set. + * Must be non-NULL. + * "resourceLimits" + * Address of ResourceLimits to be set. If NULL, no limits are defined. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetResourceLimits( + PKIX_ProcessingParams *params, + PKIX_ResourceLimits *resourceLimits, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_IsAnyPolicyInhibited + * DESCRIPTION: + * + * Checks whether the ProcessingParams pointed to by "params" indicate that + * anyPolicy is inhibited and stores the Boolean result at "pInhibited". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams used to determine whether or not anyPolicy + * inhibited. Must be non-NULL. + * "pInhibited" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_IsAnyPolicyInhibited( + PKIX_ProcessingParams *params, + PKIX_Boolean *pInhibited, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetAnyPolicyInhibited + * DESCRIPTION: + * + * Specifies in the ProcessingParams pointed to by "params" whether anyPolicy + * is inhibited using the Boolean value of "inhibited". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be set. Must be non-NULL. + * "inhibited" + * Boolean value indicating whether anyPolicy is to be inhibited. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetAnyPolicyInhibited( + PKIX_ProcessingParams *params, + PKIX_Boolean inhibited, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_IsExplicitPolicyRequired + * DESCRIPTION: + * + * Checks whether the ProcessingParams pointed to by "params" indicate that + * explicit policies are required and stores the Boolean result at + * "pRequired". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams used to determine whether or not explicit + * policies are required. Must be non-NULL. + * "pRequired" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_IsExplicitPolicyRequired( + PKIX_ProcessingParams *params, + PKIX_Boolean *pRequired, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetExplicitPolicyRequired + * DESCRIPTION: + * + * Specifies in the ProcessingParams pointed to by "params" whether explicit + * policies are required using the Boolean value of "required". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be set. Must be non-NULL. + * "required" + * Boolean value indicating whether explicit policies are to be required. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetExplicitPolicyRequired( + PKIX_ProcessingParams *params, + PKIX_Boolean required, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_IsPolicyMappingInhibited + * DESCRIPTION: + * + * Checks whether the ProcessingParams pointed to by "params" indicate that + * policyMapping is inhibited and stores the Boolean result at "pInhibited". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams used to determine whether or not policy + * mappings are inhibited. Must be non-NULL. + * "pInhibited" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_IsPolicyMappingInhibited( + PKIX_ProcessingParams *params, + PKIX_Boolean *pInhibited, + void *plContext); + +/* + * FUNCTION: PKIX_ProcessingParams_SetPolicyMappingInhibited + * DESCRIPTION: + * + * Specifies in the ProcessingParams pointed to by "params" whether policy + * mapping is inhibited using the Boolean value of "inhibited". + * + * PARAMETERS: + * "params" + * Address of ProcessingParams to be set. Must be non-NULL. + * "inhibited" + * Boolean value indicating whether policy mapping is to be inhibited. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetPolicyMappingInhibited( + PKIX_ProcessingParams *params, + PKIX_Boolean inhibited, + void *plContext); + + +/* PKIX_ValidateParams + * + * PKIX_ValidateParams consists of a ProcessingParams object as well as the + * List of Certs (certChain) that the caller is trying to validate. + */ + +/* + * FUNCTION: PKIX_ValidateParams_Create + * DESCRIPTION: + * + * Creates a new ValidateParams object and stores it at "pParams". + * + * PARAMETERS: + * "procParams" + * Address of ProcessingParams to be used. Must be non-NULL. + * "chain" + * Address of List of Certs (certChain) to be validated. Must be non-NULL. + * "pParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateParams_Create( + PKIX_ProcessingParams *procParams, + PKIX_List *chain, + PKIX_ValidateParams **pParams, + void *plContext); + +/* + * FUNCTION: PKIX_ValidateParams_GetProcessingParams + * DESCRIPTION: + * + * Retrieves a pointer to the ProcessingParams that represent the basic + * certificate processing parameters used during chain validation and chain + * building from the ValidateParams pointed to by "valParams" and stores it + * at "pProcParams". If the function succeeds, the pointer to the + * ProcessingParams is guaranteed to be non-NULL. + * + * PARAMETERS: + * "valParams" + * Address of ValidateParams whose ProcessingParams are to be stored. + * Must be non-NULL. + * "pProcParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateParams_GetProcessingParams( + PKIX_ValidateParams *valParams, + PKIX_ProcessingParams **pProcParams, + void *plContext); + +/* + * FUNCTION: PKIX_ValidateParams_GetCertChain + * DESCRIPTION: + * + * Retrieves a pointer to the List of Certs (certChain) that is set in the + * ValidateParams pointed to by "valParams" and stores it at "pChain". If the + * function succeeds, the pointer to the CertChain is guaranteed to be + * non-NULL. + * + * PARAMETERS: + * "valParams" + * Address of ValidateParams whose CertChain is to be stored. + * Must be non-NULL. + * "pChain" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateParams_GetCertChain( + PKIX_ValidateParams *valParams, + PKIX_List **pChain, + void *plContext); + +/* PKIX_TrustAnchor + * + * A PKIX_TrustAnchor represents a trusted entity and can be specified using a + * self-signed certificate or using the trusted CA's name and public key. In + * order to limit the trust in the trusted entity, name constraints can also + * be imposed on the trust anchor. + */ + +/* + * FUNCTION: PKIX_TrustAnchor_CreateWithCert + * DESCRIPTION: + * + * Creates a new TrustAnchor object using the Cert pointed to by "cert" as + * the trusted certificate and stores it at "pAnchor". Once created, a + * TrustAnchor is immutable. + * + * PARAMETERS: + * "cert" + * Address of Cert to use as trusted certificate. Must be non-NULL. + * "pAnchor" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_CreateWithCert( + PKIX_PL_Cert *cert, + PKIX_TrustAnchor **pAnchor, + void *plContext); + +/* + * FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair + * DESCRIPTION: + * + * Creates a new TrustAnchor object using the X500Name pointed to by "name", + * and the PublicKey pointed to by "pubKey" and stores it at "pAnchor". The + * CertNameConstraints pointed to by "nameConstraints" (if any) are used to + * limit the trust placed in this trust anchor. To indicate that name + * constraints don't apply, set "nameConstraints" to NULL. Once created, a + * TrustAnchor is immutable. + * + * PARAMETERS: + * "name" + * Address of X500Name to use as name of trusted CA. Must be non-NULL. + * "pubKey" + * Address of PublicKey to use as trusted public key. Must be non-NULL. + * "nameConstraints" + * Address of CertNameConstraints to use as initial name constraints. + * If NULL, no name constraints are applied. + * "pAnchor" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_CreateWithNameKeyPair( + PKIX_PL_X500Name *name, + PKIX_PL_PublicKey *pubKey, + PKIX_PL_CertNameConstraints *nameConstraints, + PKIX_TrustAnchor **pAnchor, + void *plContext); + +/* + * FUNCTION: PKIX_TrustAnchor_GetTrustedCert + * DESCRIPTION: + * + * Retrieves a pointer to the Cert that is set in the TrustAnchor pointed to + * by "anchor" and stores it at "pCert". If "anchor" does not have a Cert + * set, this function stores NULL at "pCert". + * + * PARAMETERS: + * "anchor" + * Address of TrustAnchor whose Cert is to be stored. Must be non-NULL. + * "pChain" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_GetTrustedCert( + PKIX_TrustAnchor *anchor, + PKIX_PL_Cert **pCert, + void *plContext); + +/* + * FUNCTION: PKIX_TrustAnchor_GetCAName + * DESCRIPTION: + * + * Retrieves a pointer to the CA's X500Name (if any) that is set in the + * TrustAnchor pointed to by "anchor" and stores it at "pCAName". If "anchor" + * does not have an X500Name set, this function stores NULL at "pCAName". + * + * PARAMETERS: + * "anchor" + * Address of TrustAnchor whose CA Name is to be stored. Must be non-NULL. + * "pCAName" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_GetCAName( + PKIX_TrustAnchor *anchor, + PKIX_PL_X500Name **pCAName, + void *plContext); + +/* + * FUNCTION: PKIX_TrustAnchor_GetCAPublicKey + * DESCRIPTION: + * + * Retrieves a pointer to the CA's PublicKey (if any) that is set in the + * TrustAnchor pointed to by "anchor" and stores it at "pPubKey". If "anchor" + * does not have a PublicKey set, this function stores NULL at "pPubKey". + * + * PARAMETERS: + * "anchor" + * Address of TrustAnchor whose CA PublicKey is to be stored. + * Must be non-NULL. + * "pPubKey" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_GetCAPublicKey( + PKIX_TrustAnchor *anchor, + PKIX_PL_PublicKey **pPubKey, + void *plContext); + +/* + * FUNCTION: PKIX_TrustAnchor_GetNameConstraints + * DESCRIPTION: + * + * Retrieves a pointer to the CertNameConstraints (if any) set in the + * TrustAnchor pointed to by "anchor" and stores it at "pConstraints". If + * "anchor" does not have any CertNameConstraints set, this function stores + * NULL at "pConstraints". + * + * PARAMETERS: + * "anchor" + * Address of TrustAnchor whose CertNameConstraints are to be stored. + * Must be non-NULL. + * "pConstraints" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_TrustAnchor_GetNameConstraints( + PKIX_TrustAnchor *anchor, + PKIX_PL_CertNameConstraints **pNameConstraints, + void *plContext); + +/* PKIX_ResourceLimits + * + * A PKIX_ResourceLimits object represents the maximum resource usage that + * the caller desires. The ValidateChain or BuildChain call + * will not exceed these maximum limits. For example, the caller may want + * a timeout value of 1 minute, meaning that if the ValidateChain or + * BuildChain function is unable to finish in 1 minute, it should abort + * with an Error. + */ + +/* + * FUNCTION: PKIX_ResourceLimits_Create + * DESCRIPTION: + * + * Creates a new ResourceLimits object and stores it at "pResourceLimits". + * + * PARAMETERS: + * "pResourceLimits" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_Create( + PKIX_ResourceLimits **pResourceLimits, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_GetMaxTime + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the maximum time that is + * set in the ResourceLimits object pointed to by "resourceLimits" and stores + * it at "pMaxTime". This maximum time (in seconds) should not be exceeded + * by the function whose ProcessingParams contain this ResourceLimits object + * (typically ValidateChain or BuildChain). It essentially functions as a + * time-out value and is only appropriate if blocking I/O is being used. + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum time (in seconds) is + * to be stored. Must be non-NULL. + * "pMaxTime" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_GetMaxTime( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 *pMaxTime, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_SetMaxTime + * DESCRIPTION: + * + * Sets the maximum time of the ResourceLimits object pointed to by + * "resourceLimits" using the PKIX_UInt32 value of "maxTime". This + * maximum time (in seconds) should not be exceeded by the function + * whose ProcessingParams contain this ResourceLimits object + * (typically ValidateChain or BuildChain). It essentially functions as a + * time-out value and is only appropriate if blocking I/O is being used. + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum time (in seconds) is + * to be set. Must be non-NULL. + * "maxTime" + * Value of PKIX_UInt32 representing the maximum time (in seconds) + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_SetMaxTime( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 maxTime, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_GetMaxFanout + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the maximum fanout that is + * set in the ResourceLimits object pointed to by "resourceLimits" and stores + * it at "pMaxFanout". This maximum fanout (number of certs) should not be + * exceeded by the function whose ProcessingParams contain this ResourceLimits + * object (typically ValidateChain or BuildChain). If the builder encounters + * more than this maximum number of certificates when searching for the next + * candidate certificate, it should abort and return an error. This + * parameter is only relevant for ValidateChain if it needs to internally call + * BuildChain (e.g. in order to build the chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum fanout (number of certs) + * is to be stored. Must be non-NULL. + * "pMaxFanout" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_GetMaxFanout( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 *pMaxFanout, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_SetMaxFanout + * DESCRIPTION: + * + * Sets the maximum fanout of the ResourceLimits object pointed to by + * "resourceLimits" using the PKIX_UInt32 value of "maxFanout". This maximum + * fanout (number of certs) should not be exceeded by the function whose + * ProcessingParams contain this ResourceLimits object (typically ValidateChain + * or BuildChain). If the builder encounters more than this maximum number of + * certificates when searching for the next candidate certificate, it should + * abort and return an Error. This parameter is only relevant for ValidateChain + * if it needs to internally call BuildChain (e.g. in order to build the + * chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum fanout (number of certs) + * is to be set. Must be non-NULL. + * "maxFanout" + * Value of PKIX_UInt32 representing the maximum fanout (number of certs) + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_SetMaxFanout( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 maxFanout, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_GetMaxDepth + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the maximum depth that is + * set in the ResourceLimits object pointed to by "resourceLimits" and stores + * it at "pMaxDepth". This maximum depth (number of certs) should not be + * exceeded by the function whose ProcessingParams contain this ResourceLimits + * object (typically ValidateChain or BuildChain). If the builder encounters + * more than this maximum number of certificates when searching for the next + * candidate certificate, it should abort and return an error. This + * parameter is only relevant for ValidateChain if it needs to internally call + * BuildChain (e.g. in order to build the chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum depth (number of certs) + * is to be stored. Must be non-NULL. + * "pMaxDepth" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_GetMaxDepth( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 *pMaxDepth, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_SetMaxDepth + * DESCRIPTION: + * + * Sets the maximum depth of the ResourceLimits object pointed to by + * "resourceLimits" using the PKIX_UInt32 value of "maxDepth". This maximum + * depth (number of certs) should not be exceeded by the function whose + * ProcessingParams contain this ResourceLimits object (typically ValidateChain + * or BuildChain). If the builder encounters more than this maximum number of + * certificates when searching for the next candidate certificate, it should + * abort and return an Error. This parameter is only relevant for ValidateChain + * if it needs to internally call BuildChain (e.g. in order to build the + * chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum depth (number of certs) + * is to be set. Must be non-NULL. + * "maxDepth" + * Value of PKIX_UInt32 representing the maximum depth (number of certs) + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_SetMaxDepth( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 maxDepth, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCerts + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed + * certs that is set in the ResourceLimits object pointed to by "resourceLimits" + * and stores it at "pMaxNumber". This maximum number of traversed certs should + * not be exceeded by the function whose ProcessingParams contain this ResourceLimits + * object (typically ValidateChain or BuildChain). If the builder traverses more + * than this number of certs during the build process, it should abort and + * return an Error. This parameter is only relevant for ValidateChain if it + * needs to internally call BuildChain (e.g. in order to build the chain to a + * CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum number of traversed certs + * is to be stored. Must be non-NULL. + * "pMaxNumber" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_GetMaxNumberOfCerts( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 *pMaxNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCerts + * DESCRIPTION: + * + * Sets the maximum number of traversed certs of the ResourceLimits object + * pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber". + * This maximum number of traversed certs should not be exceeded by the function + * whose ProcessingParams contain this ResourceLimits object (typically ValidateChain + * or BuildChain). If the builder traverses more than this number of certs + * during the build process, it should abort and return an Error. This parameter + * is only relevant for ValidateChain if it needs to internally call BuildChain + * (e.g. in order to build the chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum number of traversed certs + * is to be set. Must be non-NULL. + * "maxNumber" + * Value of PKIX_UInt32 representing the maximum number of traversed certs + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_SetMaxNumberOfCerts( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 maxNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCRLs + * DESCRIPTION: + * + * Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed + * CRLs that is set in the ResourceLimits object pointed to by "resourceLimits" + * and stores it at "pMaxNumber". This maximum number of traversed CRLs should + * not be exceeded by the function whose ProcessingParams contain this ResourceLimits + * object (typically ValidateChain or BuildChain). If the builder traverses more + * than this number of CRLs during the build process, it should abort and + * return an Error. This parameter is only relevant for ValidateChain if it + * needs to internally call BuildChain (e.g. in order to build the chain to a + * CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum number of traversed CRLs + * is to be stored. Must be non-NULL. + * "pMaxNumber" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_GetMaxNumberOfCRLs( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 *pMaxNumber, + void *plContext); + +/* + * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCRLs + * DESCRIPTION: + * + * Sets the maximum number of traversed CRLs of the ResourceLimits object + * pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber". + * This maximum number of traversed CRLs should not be exceeded by the function + * whose ProcessingParams contain this ResourceLimits object (typically ValidateChain + * or BuildChain). If the builder traverses more than this number of CRLs + * during the build process, it should abort and return an Error. This parameter + * is only relevant for ValidateChain if it needs to internally call BuildChain + * (e.g. in order to build the chain to a CRL's issuer). + * + * PARAMETERS: + * "resourceLimits" + * Address of ResourceLimits object whose maximum number of traversed CRLs + * is to be set. Must be non-NULL. + * "maxNumber" + * Value of PKIX_UInt32 representing the maximum number of traversed CRLs + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a ResourceLimits Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ResourceLimits_SetMaxNumberOfCRLs( + PKIX_ResourceLimits *resourceLimits, + PKIX_UInt32 maxNumber, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_PARAMS_H */ diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h new file mode 100644 index 0000000000..0a449b94a7 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h @@ -0,0 +1,2735 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines several platform independent functions to + * manipulate certificates and CRLs in a portable manner. + * + */ + +#ifndef _PKIX_PL_PKI_H +#define _PKIX_PL_PKI_H + +#include "pkixt.h" +#include "seccomon.h" +#include "certt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* + * Cert + * + * A Cert represents an X.509 certificate. It can be created using the bytes + * of a valid ASN.1 DER encoding. Once created, a Cert is immutable. The + * following functions include accessors (gettors) for the various components + * of an X.509 certificate. Also included are functions to perform various + * checks on a certificate, including name constraints, key usage, validity + * (expiration), and signature verification. + */ + +/* + * FUNCTION: PKIX_PL_Cert_Create + * DESCRIPTION: + * + * Creates a new certificate using the bytes in the ByteArray pointed to by + * "byteArray" and stores it at "pCert". If the bytes are not a valid ASN.1 + * DER encoding of a certificate, a PKIX_Error pointer is returned. Once + * created, a Cert is immutable. + * + * Certificate ::= SEQUENCE { + * tbsCertificate TBSCertificate, + * signatureAlgorithm AlgorithmIdentifier, + * signatureValue BIT STRING } + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL } + * + * TBSCertificate ::= SEQUENCE { + * version [0] EXPLICIT Version DEFAULT v1, + * serialNumber CertificateSerialNumber, + * signature AlgorithmIdentifier, + * issuer Name, + * validity Validity, + * subject Name, + * subjectPublicKeyInfo SubjectPublicKeyInfo, + * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + * -- If present, version MUST be v2 or v3 + * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + * -- If present, version MUST be v2 or v3 + * extensions [3] EXPLICIT Extensions OPTIONAL + * -- If present, version MUST be v3 + * } + * + * Version ::= INTEGER { v1(0), v2(1), v3(2) } + * + * CertificateSerialNumber ::= INTEGER + * + * Validity ::= SEQUENCE { + * notBefore Time, + * notAfter Time } + * + * Time ::= CHOICE { + * utcTime UTCTime, + * generalTime GeneralizedTime } + * + * UniqueIdentifier ::= BIT STRING + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING } + * + * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + * + * Extension ::= SEQUENCE { + * extnID OBJECT IDENTIFIER, + * critical BOOLEAN DEFAULT FALSE, + * extnValue OCTET STRING } + * + * PARAMETERS: + * "byteArray" + * Address of ByteArray representing the CERT's DER encoding. + * Must be non-NULL. + * "pCert" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_Create( + PKIX_PL_ByteArray *byteArray, + PKIX_PL_Cert **pCert, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate + * DESCRIPTION: + * + * Creates a new certificate using passed in CERTCertificate object. + * + * PARAMETERS: + * "nssCert" + * The object that will be used to create new PKIX_PL_Cert. + * "pCert" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_CreateFromCERTCertificate( + const CERTCertificate *nssCert, + PKIX_PL_Cert **pCert, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetCERTCertificate + * DESCRIPTION: + * + * Returns underlying CERTCertificate structure. Return CERTCertificate + * object is duplicated and should be destroyed by caller. + * + * PARAMETERS: + * "cert" + * Address of PKIX_PL_Cert. Must be non-NULL. + * "pCert" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetCERTCertificate( + PKIX_PL_Cert *cert, + CERTCertificate **pnssCert, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetVersion + * DESCRIPTION: + * + * Retrieves the version of the Cert pointed to by "cert" and stores it at + * "pVersion". The version number will either be 0, 1, or 2 (corresponding to + * v1, v2, or v3, respectively). + * + * Version ::= INTEGER { v1(0), v2(1), v3(2) } + * + * PARAMETERS: + * "cert" + * Address of Cert whose version is to be stored. Must be non-NULL. + * "pVersion" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetVersion( + PKIX_PL_Cert *cert, + PKIX_UInt32 *pVersion, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSerialNumber + * DESCRIPTION: + * + * Retrieves a pointer to the BigInt that represents the serial number of the + * Cert pointed to by "cert" and stores it at "pSerialNumber". + * + * CertificateSerialNumber ::= INTEGER + * + * PARAMETERS: + * "cert" + * Address of Cert whose serial number is to be stored. Must be non-NULL. + * "pSerial" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSerialNumber( + PKIX_PL_Cert *cert, + PKIX_PL_BigInt **pSerial, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetIssuer + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name that represents the issuer DN of the + * Cert pointed to by "cert" and stores it at "pIssuer". + * + * PARAMETERS: + * "cert" + * Address of Cert whose issuer is to be stored. Must be non-NULL. + * "pIssuer" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetIssuer( + PKIX_PL_Cert *cert, + PKIX_PL_X500Name **pIssuer, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSubject + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name that represents the subject DN of the + * Cert pointed to by "cert" and stores it at "pSubject". If the Cert does not + * have a subject DN, this function stores NULL at "pSubject". + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject is to be stored. Must be non-NULL. + * "pSubject" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubject( + PKIX_PL_Cert *cert, + PKIX_PL_X500Name **pSubject, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId + * DESCRIPTION: + * + * Retrieves a pointer to the OID that represents the subject public key + * algorithm of the Cert pointed to by "cert" and stores it at + * "pSubjKeyAlgId". + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING } + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL } + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject public key algorithm OID is to be stored. + * Must be non-NULL. + * "pSubjKeyAlgId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubjectPublicKeyAlgId( + PKIX_PL_Cert *cert, + PKIX_PL_OID **pSubjKeyAlgId, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey + * DESCRIPTION: + * + * Retrieves a pointer to the PublicKey that represents the subject public key + * of the Cert pointed to by "cert" and stores it at "pPublicKey". + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING } + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject public key is to be stored. + * Must be non-NULL. + * "pPublicKey" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubjectPublicKey( + PKIX_PL_Cert *cert, + PKIX_PL_PublicKey **pPublicKey, + void *plContext); + +/* + * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters + * DESCRIPTION: + * + * Determines if the PublicKey pointed to by "pubKey" is a DSA Key with null + * parameters and stores the result at "pNeedsParams". + * + * PARAMETERS: + * "pubKey" + * Address of the Public Key of interest. Must be non-NULL. + * "pNeedsParams" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a PublicKey Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_PublicKey_NeedsDSAParameters( + PKIX_PL_PublicKey *pubKey, + PKIX_Boolean *pNeedsParams, + void *plContext); + +/* + * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey + * DESCRIPTION: + * + * This function is used for DSA key parameter inheritance, which allows a + * first DSA key with omitted parameters (pointed to by "firstKey") to inherit + * the PQG parameters of a second DSA key that does have parameters. (pointed + * to by "secondKey"). Once created, a PublicKey is immutable. + * + * Specifically, the algorithm used by the function is: + * + * If the first PublicKey is not a DSA public key with omitted parameters, + * the function stores NULL at "pResultKey". (No Error is returned) + * Else if the second PublicKey is not a DSA public key with non-NULL, + * parameters, the function returns an Error. + * Else + * the function creates a third PublicKey with a "Y" value from the + * first PublicKey and the DSA parameters from the second PublicKey, + * and stores it at "pResultKey". + * + * PARAMETERS: + * "firstKey" + * Address of a Public Key that needs to inherit DSA parameters. + * Must be non-NULL. + * "secondKey" + * Address of a Public Key that has DSA parameters that will be inherited + * by "firstKey". Must be non-NULL. + * "pResultKey" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a PublicKey Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_PublicKey_MakeInheritedDSAPublicKey( + PKIX_PL_PublicKey *firstKey, + PKIX_PL_PublicKey *secondKey, + PKIX_PL_PublicKey **pResultKey, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (each OID corresponding to a + * critical extension of the Cert pointed to by "cert") and stores it at + * "pExtensions". If "cert" does not have any critical extensions, this + * function stores an empty List at "pExtensions". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "cert" + * Address of Cert whose critical extension OIDs are to be stored. + * Must be non-NULL. + * "pExtensions" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetCriticalExtensionOIDs( + PKIX_PL_Cert *cert, + PKIX_List **pExtensions, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier + * DESCRIPTION: + * + * Retrieves a pointer to a ByteArray representing the authority key + * identifier extension of the Cert pointed to by "cert" and stores it at + * "pAuthKeyId". + * + * Note that this function only retrieves the keyIdentifier component + * (OCTET STRING) of the AuthorityKeyIdentifier extension, when present. + * + * If "cert" does not have an AuthorityKeyIdentifier extension or if the + * keyIdentifier component of the AuthorityKeyIdentifier extension is not + * present, this function stores NULL at "pAuthKeyId". + * + * AuthorityKeyIdentifier ::= SEQUENCE { + * keyIdentifier [0] KeyIdentifier OPTIONAL, + * authorityCertIssuer [1] GeneralNames OPTIONAL, + * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + * + * PARAMETERS: + * "cert" + * Address of Cert whose authority key identifier is to be stored. + * Must be non-NULL. + * "pAuthKeyId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetAuthorityKeyIdentifier( + PKIX_PL_Cert *cert, + PKIX_PL_ByteArray **pAuthKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier + * DESCRIPTION: + * + * Retrieves a pointer to a ByteArray representing the subject key identifier + * extension of the Cert pointed to by "cert" and stores it at "pSubjKeyId". + * If "cert" does not have a SubjectKeyIdentifier extension, this function + * stores NULL at "pSubjKeyId". + * + * SubjectKeyIdentifier ::= KeyIdentifier + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject key identifier is to be stored. + * Must be non-NULL. + * "pSubjKeyId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubjectKeyIdentifier( + PKIX_PL_Cert *cert, + PKIX_PL_ByteArray **pSubjKeyId, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames + * DESCRIPTION: + * + * Retrieves a pointer to the List of GeneralNames (each GeneralName + * representing a subject alternative name found in the subject alternative + * names extension of the Cert pointed to by "cert") and stores it at + * "pSubjectAltNames". If "cert" does not have a SubjectAlternativeNames + * extension, this function stores NULL at "pSubjectAltNames". + * + * Note that the List returned by this function is immutable. + * + * SubjectAltName ::= GeneralNames + * + * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + * + * GeneralName ::= CHOICE { + * otherName [0] OtherName, + * rfc822Name [1] IA5String, + * dNSName [2] IA5String, + * x400Address [3] ORAddress, + * directoryName [4] Name, + * ediPartyName [5] EDIPartyName, + * uniformResourceIdentifier [6] IA5String, + * iPAddress [7] OCTET STRING, + * registeredID [8] OBJECT IDENTIFIER } + * + * OtherName ::= SEQUENCE { + * type-id OBJECT IDENTIFIER, + * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * EDIPartyName ::= SEQUENCE { + * nameAssigner [0] DirectoryString OPTIONAL, + * partyName [1] DirectoryString } + * + * PARAMETERS: + * "cert" + * Address of Cert whose subjectAltNames are to be stored. + * Must be non-NULL. + * "pSubjectAltNames" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubjectAltNames( + PKIX_PL_Cert *cert, + PKIX_List **pSubjectAltNames, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames + * DESCRIPTION: + * + * Retrieves a pointer to the List of GeneralNames (each GeneralName + * representing a subject DN or a subject alternative name found in the + * subject alternative names extension of the Cert pointed to by "cert") and + * stores it at "pAllSubjectNames".If the Subject DN of "cert" is empty and + * it does not have a SubjectAlternativeNames extension, this function stores + * NULL at "pAllSubjectNames". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject DN and subjectAltNames are to be stored. + * Must be non-NULL. + * "pAllSubjectNames" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetAllSubjectNames( + PKIX_PL_Cert *cert, + PKIX_List **pAllSubjectNames, /* list of PKIX_PL_GeneralName */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage + * DESCRIPTION: + * + * Retrieves a pointer to a List of OIDs (each OID corresponding to an + * extended key usage of the Cert pointed to by "cert") and stores it at + * "pKeyUsage". If "cert" does not have an extended key usage extension, this + * function stores a NULL at "pKeyUsage". + * + * Note that the List returned by this function is immutable. + * + * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + * + * KeyPurposeId ::= OBJECT IDENTIFIER + * + * PARAMETERS: + * "cert" + * Address of Cert whose extended key usage OIDs are to be stored. + * Must be non-NULL. + * "pKeyUsage" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetExtendedKeyUsage( + PKIX_PL_Cert *cert, + PKIX_List **pKeyUsage, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetNameConstraints + * DESCRIPTION: + * + * Retrieves a pointer to a CertNameConstraints object representing the name + * constraints extension of the Cert pointed to by "cert" and stores it at + * "pNameConstraints". + * + * If "cert" does not have a name constraints extension, this function stores + * NULL at "pNameConstraints". + * + * NameConstraints ::= SEQUENCE { + * permittedSubtrees [0] GeneralSubtrees OPTIONAL, + * excludedSubtrees [1] GeneralSubtrees OPTIONAL } + * + * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + * + * GeneralSubtree ::= SEQUENCE { + * base GeneralName, + * minimum [0] BaseDistance DEFAULT 0, + * maximum [1] BaseDistance OPTIONAL } + * + * BaseDistance ::= INTEGER (0..MAX) + * + * PARAMETERS: + * "cert" + * Address of Cert whose name constraints extension is to be stored. + * Must be non-NULL. + * "pNameConstraints" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetNameConstraints( + PKIX_PL_Cert *cert, + PKIX_PL_CertNameConstraints **pNameConstraints, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetBasicConstraints + * DESCRIPTION: + * + * Retrieves a pointer to a CertBasicConstraints object representing the basic + * constraints extension of the Cert pointed to by "cert" and stores it at + * "pBasicConstraints". + * + * If "cert" does not have a basic constraints extension, this function stores + * NULL at "pBasicConstraints". Once created, a CertBasicConstraints object + * is immutable. + * + * BasicConstraints ::= SEQUENCE { + * cA BOOLEAN DEFAULT FALSE, + * pathLenConstraint INTEGER (0..MAX) OPTIONAL } + * + * PARAMETERS: + * "cert" + * Address of Cert whose basic constraints extension is to be stored. + * Must be non-NULL. + * "pBasicConstraints" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetBasicConstraints( + PKIX_PL_Cert *cert, + PKIX_PL_CertBasicConstraints **pBasicConstraints, + void *plContext); + +/* + * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag + * DESCRIPTION: + * + * Retrieves a pointer to a Boolean value representing the cA Flag component + * of the CertBasicConstraints object pointed to by "basicConstraints" and + * stores it at "pResult". + * + * BasicConstraints ::= SEQUENCE { + * cA BOOLEAN DEFAULT FALSE, + * pathLenConstraint INTEGER (0..MAX) OPTIONAL } + * + * PARAMETERS: + * "basicConstraints" + * Address of CertBasicConstraints whose cA Flag is to be stored. + * Must be non-NULL. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_BasicConstraints_GetCAFlag( + PKIX_PL_CertBasicConstraints *basicConstraints, + PKIX_Boolean *pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint + * DESCRIPTION: + * + * Retrieves a pointer to an integer value representing the pathLenConstraint + * component of the CertBasicConstraints object pointed to by + * "basicConstraints" and stores it at "pPathLenConstraint". If the + * pathLenConstraint component is not present, this function stores -1 at + * "pPathLenConstraint". + * + * PARAMETERS: + * "basicConstraints" + * Address of CertBasicConstraints whose pathLen is to be stored. + * Must be non-NULL. + * "pPathLenConstraint" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_BasicConstraints_GetPathLenConstraint( + PKIX_PL_CertBasicConstraints *basicConstraints, + PKIX_Int32 *pPathLenConstraint, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetPolicyInformation + * DESCRIPTION: + * + * Retrieves a pointer to a List of CertPolicyInfos found in the certificate + * policies extension of the Cert pointed to by "cert" and stores it at + * "pPolicyInfo". If "cert" does not have a certificate policies extension, + * this function stores NULL at "pPolicyInfo". Once created, a CertPolicyInfo + * object is immutable. + * + * Note that the List returned by this function is immutable. + * + * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + * + * PolicyInformation ::= SEQUENCE { + * policyIdentifier CertPolicyId, + * policyQualifiers SEQUENCE SIZE (1..MAX) OF + * PolicyQualifierInfo OPTIONAL } + * + * PARAMETERS: + * "cert" + * Address of Cert whose CertPolicyInfos are to be stored. + * Must be non-NULL. + * "pPolicyInfo" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetPolicyInformation( + PKIX_PL_Cert *cert, + PKIX_List **pPolicyInfo, /* list of PKIX_PL_CertPolicyInfo */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId + * DESCRIPTION: + * + * Retrieves a pointer to an OID representing the policyIdentifier of the + * CertPolicyInfo pointed to by "policyInfo" and stores it at "pCertPolicyId". + * + * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + * + * PolicyInformation ::= SEQUENCE { + * policyIdentifier CertPolicyId, + * policyQualifiers SEQUENCE SIZE (1..MAX) OF + * PolicyQualifierInfo OPTIONAL } + * + * CertPolicyId ::= OBJECT IDENTIFIER + * + * PARAMETERS: + * "policyInfo" + * Address of CertPolicyInfo whose policy identifier is to be stored. + * Must be non-NULL. + * "pCertPolicyId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CertPolicyInfo_GetPolicyId( + PKIX_PL_CertPolicyInfo *policyInfo, + PKIX_PL_OID **pCertPolicyId, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers + * DESCRIPTION: + * + * Retrieves a pointer to a List of the CertPolicyQualifiers representing + * the policyQualifiers of the CertPolicyInfo pointed to by "policyInfo" and + * stores it at "pPolicyQualifiers". If "policyInfo" does not have any + * policyQualifiers, this function stores NULL at "pPolicyQualifiers". Once + * created, a CertPolicyQualifier is immutable. + * + * Note that the List returned by this function is immutable. + * + * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + * + * PolicyInformation ::= SEQUENCE { + * policyIdentifier CertPolicyId, + * policyQualifiers SEQUENCE SIZE (1..MAX) OF + * PolicyQualifierInfo OPTIONAL } + * + * PolicyQualifierInfo ::= SEQUENCE { + * policyQualifierId PolicyQualifierId, + * qualifier ANY DEFINED BY policyQualifierId } + * + * PARAMETERS: + * "policyInfo" + * Address of CertPolicyInfo whose policy qualifiers List is to be stored. + * Must be non-NULL. + * "pPolicyQualifiers" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CertPolicyInfo_GetPolQualifiers( + PKIX_PL_CertPolicyInfo *policyInfo, + PKIX_List **pPolicyQualifiers, /* list of PKIX_PL_CertPolicyQualifier */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId + * DESCRIPTION: + * + * Retrieves a pointer to an OID representing the policyQualifierId of the + * CertPolicyQualifier pointed to by "policyQualifier" and stores it at + * "pPolicyQualifierId". + * + * PolicyQualifierInfo ::= SEQUENCE { + * policyQualifierId PolicyQualifierId, + * qualifier ANY DEFINED BY policyQualifierId } + * + * PolicyQualifierId ::= + * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) + * + * PARAMETERS: + * "policyQualifier" + * Address of CertPolQualifier whose policyQualifierId is to be stored. + * Must be non-NULL. + * "pPolicyQualifierId" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_PolicyQualifier_GetPolicyQualifierId( + PKIX_PL_CertPolicyQualifier *policyQualifier, + PKIX_PL_OID **pPolicyQualifierId, + void *plContext); + +/* + * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier + * DESCRIPTION: + * + * Retrieves a pointer to a ByteArray representing the qualifier of the + * CertPolicyQualifier pointed to by "policyQualifier" and stores it at + * "pQualifier". + * + * PolicyQualifierInfo ::= SEQUENCE { + * policyQualifierId PolicyQualifierId, + * qualifier ANY DEFINED BY policyQualifierId } + * + * PARAMETERS: + * "policyQualifier" + * Address of CertPolicyQualifier whose qualifier is to be stored. + * Must be non-NULL. + * "pQualifier" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_PolicyQualifier_GetQualifier( + PKIX_PL_CertPolicyQualifier *policyQualifier, + PKIX_PL_ByteArray **pQualifier, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetPolicyMappings + * DESCRIPTION: + * + * Retrieves a pointer to a List of CertPolicyMaps found in the policy + * mappings extension of the Cert pointed to by "cert" and stores it at + * "pPolicyMappings". If "cert" does not have a policy mappings extension, + * this function stores NULL at "pPolicyMappings". Once created, a + * CertPolicyMap is immutable. + * + * Note that the List returned by this function is immutable. + * + * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + * issuerDomainPolicy CertPolicyId, + * subjectDomainPolicy CertPolicyId } + * + * PARAMETERS: + * "cert" + * Address of Cert whose CertPolicyMaps are to be stored. + * Must be non-NULL. + * "pPolicyMappings" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetPolicyMappings( + PKIX_PL_Cert *cert, + PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy + * DESCRIPTION: + * + * Retrieves a pointer to an OID representing the issuerDomainPolicy of the + * CertPolicyMap pointed to by "policyMapping" and stores it at + * "pIssuerDomainPolicy". + * + * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + * issuerDomainPolicy CertPolicyId, + * subjectDomainPolicy CertPolicyId } + * + * PARAMETERS: + * "policyMapping" + * Address of CertPolicyMap whose issuerDomainPolicy is to be stored. + * Must be non-NULL. + * "pIssuerDomainPolicy" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy( + PKIX_PL_CertPolicyMap *policyMapping, + PKIX_PL_OID **pIssuerDomainPolicy, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy + * DESCRIPTION: + * + * Retrieves a pointer to an OID representing the subjectDomainPolicy of the + * CertPolicyMap pointed to by "policyMapping" and stores it at + * "pSubjectDomainPolicy". + * + * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + * issuerDomainPolicy CertPolicyId, + * subjectDomainPolicy CertPolicyId } + * + * PARAMETERS: + * "policyMapping" + * Address of CertPolicyMap whose subjectDomainPolicy is to be stored. + * Must be non-NULL. + * "pSubjectDomainPolicy" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy( + PKIX_PL_CertPolicyMap *policyMapping, + PKIX_PL_OID **pSubjectDomainPolicy, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy + * DESCRIPTION: + * + * Retrieves the requireExplicitPolicy value of the policy constraints + * extension of the Cert pointed to by "cert" and stores it at "pSkipCerts". + * If "cert" does not have a policy constraints extension or the + * requireExplicitPolicy component is not populated, this function stores -1 + * at "pSkipCerts". + * + * PolicyConstraints ::= SEQUENCE { + * requireExplicitPolicy [0] SkipCerts OPTIONAL, + * inhibitPolicyMapping [1] SkipCerts OPTIONAL } + * + * SkipCerts ::= INTEGER (0..MAX) + * + * PARAMETERS: + * "cert" + * Address of Cert whose requireExplicitPolicy value is to be stored. + * Must be non-NULL. + * "pSkipCerts" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetRequireExplicitPolicy( + PKIX_PL_Cert *cert, + PKIX_Int32 *pSkipCerts, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited + * DESCRIPTION: + * + * Retrieves the inhibitPolicyMapping value of the policy constraints + * extension of the Cert pointed to by "cert" and stores it at "pSkipCerts". + * If "cert" does not have a policy constraints extension or the + * inhibitPolicyMapping component is not populated, this function stores -1 + * at "pSkipCerts". + * + * PolicyConstraints ::= SEQUENCE { + * requireExplicitPolicy [0] SkipCerts OPTIONAL, + * inhibitPolicyMapping [1] SkipCerts OPTIONAL } + * + * SkipCerts ::= INTEGER (0..MAX) + * + * PARAMETERS: + * "cert" + * Address of Cert whose requireExplicitPolicy value is to be stored. + * Must be non-NULL. + * "pSkipCerts" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetPolicyMappingInhibited( + PKIX_PL_Cert *cert, + PKIX_Int32 *pSkipCerts, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy + * DESCRIPTION: + * + * Retrieves the value of the inhibit any-policy extension of the Cert + * pointed to by "cert" and stores it at "pSkipCerts". If "cert" does not have + * an inhibit any-policy extension, this function stores -1 at "pSkipCerts". + * + * InhibitAnyPolicy ::= SkipCerts + * + * SkipCerts ::= INTEGER (0..MAX) + * + * PARAMETERS: + * "cert" + * Address of Cert whose inhibit any-policy extensions value is to be + * stored. Must be non-NULL. + * "pSkipCerts" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetInhibitAnyPolicy( + PKIX_PL_Cert *cert, + PKIX_Int32 *pSkipCerts, + void *plContext); + +/* policy processing functions */ + +/* + * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical + * DESCRIPTION: + * + * Checks whether the certificate policies extension of the Cert pointed to + * by "cert" is critical and stores the Boolean result at "pCritical". If + * "cert" does not have a certificate policies extension, this function + * stores NULL at "pCritical". + * + * XXX what distinguishes NULL from PKIX_FALSE? + * + * PARAMETERS: + * "cert" + * Address of Cert whose certificate policies extension's criticality is + * to be determined. Must be non-NULL. + * "pCritical" + * Address where PKIX_Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_AreCertPoliciesCritical( + PKIX_PL_Cert *cert, + PKIX_Boolean *pCritical, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_CheckNameConstraints + * DESCRIPTION: + * + * Checks whether the subject distinguished name and subject alternative names + * of the Cert pointed to by "cert" satisfy the CertNameConstraints pointed + * to by "nameConstraints". If the CertNameConstraints are not satisfied, a + * PKIX_Error pointer is returned. If "nameConstraints" is NULL, the function + * does nothing. + * + * PARAMETERS: + * "cert" + * Address of Cert whose subject names are to be checked. + * Must be non-NULL. + * "nameConstraints" + * Address of CertNameConstraints that need to be satisfied. + * "treatCommonNameAsDNSName" + * PKIX_TRUE if the subject common name should be considered a dNSName + * when evaluating name constraints. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_CheckNameConstraints( + PKIX_PL_Cert *cert, + PKIX_PL_CertNameConstraints *nameConstraints, + PKIX_Boolean treatCommonNameAsDNSName, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_MergeNameConstraints + * DESCRIPTION: + * + * Merges the CertNameConstraints pointed to by "firstNC" and the + * CertNameConstraints pointed to by "secondNC" and stores the merged + * CertNameConstraints at "pResultNC". If "secondNC" is NULL, the + * CertNameConstraints pointed to by "firstNC" is stored at "pResultNC". + * + * Once created, a CertNameConstraints object is immutable. + * + * PARAMETERS: + * "firstNC" + * Address of first CertNameConstraints to be merged. Must be non-NULL. + * "secondNC" + * Address of second CertNameConstraints to be merged + * "pResultNC" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_MergeNameConstraints( + PKIX_PL_CertNameConstraints *firstNC, + PKIX_PL_CertNameConstraints *secondNC, + PKIX_PL_CertNameConstraints **pResultNC, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage + * DESCRIPTION: + * + * Verifies that the keyUsage bit(s) specified by "keyUsage" appear in the + * keyUsage extension of the Cert pointed to by "cert". The keyUsage bit + * values specified in pkixt.h are supported, and can be bitwise or'ed if + * multiple bit values are to be verified. If the keyUsages do not all appear + * in the keyUsage extension of "cert", a PKIX_Error pointer is returned. + * + * KeyUsage ::= BIT STRING { + * digitalSignature (0), + * nonRepudiation (1), + * keyEncipherment (2), + * dataEncipherment (3), + * keyAgreement (4), + * keyCertSign (5), + * cRLSign (6), + * encipherOnly (7), + * decipherOnly (8) } + * + * PARAMETERS: + * "cert" + * Address of Cert whose keyUsage bits are to be verified. + * Must be non-NULL. + * "keyUsage" + * Constant representing keyUsage bit(s) that all must appear in keyUsage + * extension of "cert". + * "plContext" - Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_VerifyKeyUsage( + PKIX_PL_Cert *cert, + PKIX_UInt32 keyUsage, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType + * DESCRIPTION: + * + * Verifies cert and key types against certificate usage that is + * a part of plContext(pkix_pl_nsscontext) structure. Throws an error + * if cert or key types does not match. + * + * PARAMETERS: + * "cert" + * Address of Cert whose keyUsage bits are to be verified. + * Must be non-NULL. + * "isLeafCert" + * What type of a cert has been verified. + * "plContext" - Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_VerifyCertAndKeyType( + PKIX_PL_Cert *cert, + PKIX_Boolean isChainCert, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_CheckValidity + * DESCRIPTION: + * + * Checks whether the Cert pointed to by "cert" would be valid at the time + * represented by the Date pointed to by "date". If "date" is NULL, then this + * function checks whether the Cert would be valid at the current time. If the + * Cert would not be valid at the specified Date, a PKIX_Error pointer is + * returned. + * + * Validity ::= SEQUENCE { + * notBefore Time, + * notAfter Time } + * + * Time ::= CHOICE { + * utcTime UTCTime, + * generalTime GeneralizedTime } + * + * PARAMETERS: + * "cert" + * Address of Cert whose validity is to be checked. Must be non-NULL. + * "date" + * Address of Date at which the Cert is being checked for validity. + * If NULL, the current time is used for the Date. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_CheckValidity( + PKIX_PL_Cert *cert, + PKIX_PL_Date *date, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter + * DESCRIPTION: + * + * Retrieves a pointer to the Date that represents the notAfter time of the + * Certificate pointed to by "cert" and stores it at "pDate". + * + * Validity ::= SEQUENCE { + * notBefore Time, + * notAfter Time } + * + * PARAMETERS: + * "cert" + * Address of Cert whose validity time is to be retrieved. Must be + * non-NULL. + * "date" + * Address of Date at which the Cert's notAfter time is being retrieved. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetValidityNotAfter( + PKIX_PL_Cert *cert, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_VerifySignature + * DESCRIPTION: + * + * Verifies the signature on the Cert pointed to by "cert" using the + * PublicKey pointed to by "pubKey". If the signature doesn't verify, an + * Error pointer is returned. + * + * PARAMETERS: + * "cert" + * Address of Cert whose signature is to be verified. Must be non-NULL. + * "pubKey" + * Address of a Public Key used to verify the signature. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_VerifySignature( + PKIX_PL_Cert *cert, + PKIX_PL_PublicKey *pubKey, + void *plContext); + +/* A set of flags to indicate how explicitly configured trust anchors should be + * handled by PKIX_PL_Cert_IsCertTrusted + */ +typedef enum PKIX_PL_TrustAnchorModeEnum { + /* Indicates trust anchors should be ignored; only the underlying + * platform's trust settings should be used. + */ + PKIX_PL_TrustAnchorMode_Ignore, + + /* Indicates that explicitly configured trust anchors may be considered + * trustworthy, if present. + * Note: If the underlying platform supports marking a certificate as + * explicitly untrustworthy, explicitly configured trust anchors + * MAY be ignored/rejected. + */ + PKIX_PL_TrustAnchorMode_Additive, + + /* Indicates that ONLY trust anchors should be considered as + * trustworthy. + * Note: If the underlying platform supports marking a certificate as + * explicitly untrustworthy, explicitly configured trust anchors + * MAY be ignored/rejected. + */ + PKIX_PL_TrustAnchorMode_Exclusive +} PKIX_PL_TrustAnchorMode; + +/* + * FUNCTION: PKIX_PL_Cert_IsCertTrusted + * DESCRIPTION: + * + * Checks the Cert specified by "cert" to determine, in a manner that depends + * on the underlying platform, whether it is trusted, and stores the result in + * "pTrusted". If a certificate is trusted it means that a chain built to that + * certificate, and satisfying all the usage, policy, validity, and other + * tests, is a valid chain and the End Entity certificate from which it was + * built can be trusted. + * + * If the Certificate is not intrinsically trustworthy, it still might end up a + * component in a successful chain. + * + * If the Certificate is intrinsically untrustworthy, this function will return + * an error. + * + * PARAMETERS + * "cert" + * Address of Cert whose trustworthiness is to be determined. Must be + * non-NULL. + * "trustAnchorMode" + * A PKIX_PL_TrustAnchorMode that indicates how explicitly defined user + * trust anchors should be handled. + * "pTrusted" + * Address where the Boolean value will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CERT Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_IsCertTrusted( + PKIX_PL_Cert *cert, + PKIX_PL_TrustAnchorMode trustAnchorMode, + PKIX_Boolean *pTrusted, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_IsLeafCertTrusted + * DESCRIPTION: + * + * Checks the Leaf Cert specified by "cert" to determine, in a manner that + * depends on the underlying platform, whether it is trusted, and stores the + * result in "pTrusted". If a certificate is trusted it means that this + * End Entify certificate has been marked as trusted for the requested usage, + * policy, validity, and other tests. + * + * If the Certificate is not intrinsically trustworthy, we can still try to + * build a successful chain. + * + * If the Certificate is intrinsically untrustworthy, this function will return + * an error. + * + * PARAMETERS + * "cert" + * Address of Cert whose trustworthiness is to be determined. Must be + * non-NULL. + * "pTrusted" + * Address where the Boolean value will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CERT Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_IsLeafCertTrusted( + PKIX_PL_Cert *cert, + PKIX_Boolean *pTrusted, + void *plContext); + +/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */ +PKIX_Error* +PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetCacheFlag + * DESCRIPTION: + * + * Retrieves the value of the cache flag in "cert" and return it at address + * pointed by "pCacheFlag". The initila cache flag is determined by the + * CertStore this "cert" is fetched from. When CertStore is created, user + * need to specify if the data should be cached. + * + * PARAMETERS: + * "cert" + * Address of Cert whose cache flag is fetched. Must be non-NULL. + * "pCacheFlag" + * Address where PKIX_Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetCacheFlag( + PKIX_PL_Cert *cert, + PKIX_Boolean *pCacheFlag, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_SetCacheFlag + * DESCRIPTION: + * + * Set the value of the cache flag in "cert" base on the boolean value stored + * at "cacheFlag". This function is meant to be used by CertStore after a + * Cert is created. + * + * PARAMETERS: + * "cert" + * Address of Cert where "cacheFlag" is stored. Must be non-NULL. + * "cacheFlag" + * PKIX_Boolean flag for cache flag. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_SetCacheFlag( + PKIX_PL_Cert *cert, + PKIX_Boolean cacheFlag, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_GetTrustCertStore + * DESCRIPTION: + * + * Retrieves the value of the CertStore in "cert" and return it at address + * pointed by "pCertStore". + * + * PARAMETERS: + * "cert" + * Address of Cert whose CertStore is fetched. Must be non-NULL. + * "pTrustCertStore" + * Address where CertStore will be stored and returned. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetTrustCertStore( + PKIX_PL_Cert *cert, + PKIX_CertStore **pTrustCertStore, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Cert_SetTrustCertStore + * DESCRIPTION: + * + * Set the value of the CertStore "certStore" in "cert". + * + * PARAMETERS: + * "cert" + * Address of Cert where "certStore" will be stored. Must be non-NULL. + * "trustCertStore" + * Address where the CertStore is. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_SetTrustCertStore( + PKIX_PL_Cert *cert, + PKIX_CertStore *trustCertStore, + void *plContext); + + +/* + * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess + * DESCRIPTION: + * + * Retrieves the value(s) of the Authority Information Access in "cert" and + * returns it in a list at address pointed by "pAuthorityInfoAccess". + * + * SubjectInfoAccess ::= + * SEQUENCE SIZE (1..MAX) of AccessDescription + * AccessDescription ::= SEQUENCE { + * accessMethod OBJECT IDENTIFIER, + * accessLocation GeneralName + * } + * + * PARAMETERS: + * "cert" + * Address of Cert whose Authority Information Access is fetched. + * Must be non-NULL. + * "pAuthorityInfoAccess" + * Address where Authority InfoAccess will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetAuthorityInfoAccess( + PKIX_PL_Cert *cert, + PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */ + void *plContext); + + +/* + * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess + * DESCRIPTION: + * + * Retrieves the value(s) of the Subject Information Access in "cert" and + * returns it in a list at address pointed by "pSubjectInfoAccess". + * + * SubjectInfoAccess ::= + * SEQUENCE SIZE (1..MAX) of AccessDescription + * AccessDescription ::= SEQUENCE { + * accessMethod OBJECT IDENTIFIER, + * accessLocation GeneralName + * } + * + * PARAMETERS: + * "cert" + * Address of Cert whose Subject Information Access is fetched. + * Must be non-NULL. + * "pSubjectInfoAccess" + * Address where Subject InfoAccess will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetSubjectInfoAccess( + PKIX_PL_Cert *cert, + PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */ + void *plContext); + + + +/* + * FUNCTION: PKIX_PL_Cert_GetCrlDp + * DESCRIPTION: + * + * Retrieves the value(s) of the CRL Distribution Point Extension and + * returns it in a list at address pointed by "pDpList". + * + * PARAMETERS: + * "cert" + * Address of Cert whose Subject Information Access is fetched. + * Must be non-NULL. + * "pDpList" + * Address where CRL DP will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert, + PKIX_List **pDpList, + void *plContext); + + +/* + * InfoAccess + * + * To hold Authority Information Access or Subject Information Access + * retrieved from a Certificate. + */ + +#define PKIX_INFOACCESS_OCSP 1 +#define PKIX_INFOACCESS_CA_ISSUERS 2 +#define PKIX_INFOACCESS_TIMESTAMPING 3 +#define PKIX_INFOACCESS_CA_REPOSITORY 5 + +#define PKIX_INFOACCESS_LOCATION_UNKNOWN 0 +#define PKIX_INFOACCESS_LOCATION_HTTP 1 +#ifndef NSS_PKIX_NO_LDAP +#define PKIX_INFOACCESS_LOCATION_LDAP 2 +#endif + +/* + * FUNCTION: PKIX_PL_InfoAccess_GetMethod + * DESCRIPTION: + * + * Stores the method of the Information Access from "infoAccess" and + * returns in "pMethod". + * + * SubjectInfoAccess ::= + * AccessDescription ::= SEQUENCE { + * accessMethod OBJECT IDENTIFIER, + * accessLocation GeneralName + * } + * + * PARAMETERS: + * "infoAccess" + * Address of PKIX_PL_InfoAccess that has the access data. + * Must be non-NULL. + * "pMethod" + * Address where access method will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_InfoAccess_GetMethod( + PKIX_PL_InfoAccess *infoAccess, + PKIX_UInt32 *pMethod, + void *plContext); + +/* + * FUNCTION: PKIX_PL_InfoAccess_GetLocation + * DESCRIPTION: + * + * Stores the location of the Information Access from "infoAccess" and + * returns in "pLocation". + * + * SubjectInfoAccess ::= + * AccessDescription ::= SEQUENCE { + * accessMethod OBJECT IDENTIFIER, + * accessLocation GeneralName + * } + * + * PARAMETERS: + * "infoAccess" + * Address of PKIX_PL_InfoAccess that has the access data. + * Must be non-NULL. + * "pLocation" + * Address where access location will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_InfoAccess_GetLocation( + PKIX_PL_InfoAccess *infoAccess, + PKIX_PL_GeneralName **pLocation, + void *plContext); + +/* + * FUNCTION: PKIX_PL_InfoAccess_GetLocationType + * DESCRIPTION: + * + * Stores the type of location of the Information Access from "infoAccess" and + * returns in "pType". + * + * SubjectInfoAccess ::= + * AccessDescription ::= SEQUENCE { + * accessMethod OBJECT IDENTIFIER, + * accessLocation GeneralName + * } + * + * PARAMETERS: + * "infoAccess" + * Address of PKIX_PL_InfoAccess that has the access data. + * Must be non-NULL. + * "pType" + * Address where access location type will be stored and returned. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Cert Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_InfoAccess_GetLocationType( + PKIX_PL_InfoAccess *infoAccess, + PKIX_UInt32 *pType, + void *plContext); + +PKIX_Error * +pkix_pl_InfoAccess_GetAIACerts( + PKIX_PL_InfoAccess *ia, + void **pNBIOContext, + void **pHandle, + PKIX_List **pCerts, + void *plContext); + +/* + * CRL + * + * A CRL represents an X.509 certificate revocation list. It can be created + * using the bytes of a valid ASN.1 DER encoding. Once created, a CRL is + * immutable. The following functions include accessors (gettors) for the + * various components of an X.509 CRL, as well as a function for signature + * verification. + */ + +/* + * FUNCTION: PKIX_PL_CRL_Create + * DESCRIPTION: + * + * Creates a new CRL using the bytes in the ByteArray pointed to by + * "byteArray" and stores it at "pCRL". If the bytes are not a valid ASN.1 + * DER encoding of a CRL, a PKIX_Error pointer is returned. Once created, a + * CRL is immutable. + * + * CertificateList ::= SEQUENCE { + * tbsCertList TBSCertList, + * signatureAlgorithm AlgorithmIdentifier, + * signatureValue BIT STRING } + * + * TBSCertList ::= SEQUENCE { + * version Version OPTIONAL, + * -- if present, MUST be v2 + * signature AlgorithmIdentifier, + * issuer Name, + * thisUpdate Time, + * nextUpdate Time OPTIONAL, + * revokedCertificates SEQUENCE OF SEQUENCE { + * userCertificate CertificateSerialNumber, + * revocationDate Time, + * crlEntryExtensions Extensions OPTIONAL + * -- if present, MUST be v2 + * } OPTIONAL, + * crlExtensions [0] EXPLICIT Extensions OPTIONAL + * -- if present, MUST be v2 + * } + * + * PARAMETERS: + * "byteArray" + * Address of ByteArray representing the CRL's DER encoding. + * Must be non-NULL. + * "pCRL" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_Create( + PKIX_PL_ByteArray *byteArray, + PKIX_PL_CRL **pCRL, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_GetIssuer + * DESCRIPTION: + * + * Retrieves a pointer to the X500Name that represents the issuer of the CRL + * pointed to by "crl" and stores it at "pCRLIssuer". + * + * PARAMETERS: + * "crl" + * Address of CRL whose issuer is to be stored. Must be non-NULL. + * "pCRLIssuer" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_GetIssuer( + PKIX_PL_CRL *crl, + PKIX_PL_X500Name **pCRLIssuer, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (each OID corresponding to a + * critical extension of the CRL pointed to by "crl") and stores it at + * "pExtensions". If "crl" does not have any critical extensions, this + * function stores an empty List at "pExtensions". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "crl" + * Address of CRL whose critical extension OIDs are to be stored. + * Must be non-NULL. + * "pExtensions" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_GetCriticalExtensionOIDs( + PKIX_PL_CRL *crl, + PKIX_List **pExtensions, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber + * DESCRIPTION: + * + * Retrieves a pointer to the CRLEntry (found in the CRL pointed to by "crl") + * corresponding to the BigInt pointed to by "serialNumber" and stores it at + * "pCRLEntry". If there is no such CRLEntry, this functions stores NULL at + * "pCRLEntry". Once created, a CRLEntry is immutable. + * + * PARAMETERS: + * "crl" + * Address of CRL whose CRL Entries are to be searched. Must be non-NULL. + * "serialNumber" + * Address of BigInt representing serial number of certificate whose + * CRLEntry is to be found. Must be non-NULL. + * "pCRLEntry" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_GetCRLEntryForSerialNumber( + PKIX_PL_CRL *crl, + PKIX_PL_BigInt *serialNumber, + PKIX_PL_CRLEntry **pCRLEntry, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_GetCRLNumber + * DESCRIPTION: + * Retrieves the CRL Number from extension. This is non-critical extension. + * + * PARAMETERS: + * "crl" + * Address of CRL whose version is to be stored. Must be non-NULL. + * "pCrlNumber" + * Address where a CRL Number will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_GetCRLNumber( + PKIX_PL_CRL *crl, + PKIX_PL_BigInt **pCrlNumber, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime + * DESCRIPTION: + * + * Checks whether the CRL pointed to by "crl" would be valid at the time + * represented by the Date pointed to by "date" and stores the Boolean result + * at "pResult". This check is done only when NIST policy is enforced. + * + * Time ::= CHOICE { + * utcTime UTCTime, + * generalTime GeneralizedTime } + * + * PARAMETERS: + * "crl" + * Address of CRL whose validity is to be checked. Must be non-NULL. + * "date" + * Address of Date at which the CRL is being checked for validity. + * Must be non-NULL. + * "pResult" + * Address of Boolean result. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_VerifyUpdateTime( + PKIX_PL_CRL *crl, + PKIX_PL_Date *date, + PKIX_Boolean *pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_VerifySignature + * DESCRIPTION: + * + * Verifies the signature on the CRL pointed to by "crl" using the PublicKey + * pointed to by "pubKey". If the signature doesn't verify, a PKIX_Error + * pointer is returned. + * + * PARAMETERS: + * "crl" + * Address of CRL whose signature is to be verified. Must be non-NULL. + * "pubKey" + * Address of a Public Key used to verify the signature. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_VerifySignature( + PKIX_PL_CRL *crl, + PKIX_PL_PublicKey *pubKey, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRL_ReleaseDerCrl + * DESCRIPTION: + * + * Relinguish the ownership for the crl der. The operation will succeed if + * a crl owns the der. If the crl was created from existing crl and does not + * own the der, then the function will return null. + * + * PARAMETERS: + * "crl" + * Address of CRL whose signature is to be verified. Must be non-NULL. + * "derCrl" + * Pointer to a SECItem that has der crl. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_ReleaseDerCrl(PKIX_PL_CRL *crl, + SECItem **derCrl, + void *plContext); +/* + * FUNCTION: PKIX_PL_CRL_AdoptDerCrl + * DESCRIPTION: + * + * Adopt memory of the der. The secItem that contains der will be + * freed with destruction of parent pkix crl structure. + * + * * PARAMETERS: + * "crl" + * Address of CRL whose signature is to be verified. Must be non-NULL. + * "derCrl" + * Pointer to a SECItem that has der crl. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRL_AdoptDerCrl(PKIX_PL_CRL *crl, + SECItem *derCrl, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode + * DESCRIPTION: + * + * Retrieves the value of the reason code extension of the CRLEntry pointed + * to by "crlEntry" and stores it at "pReason". If the "crlEntry" has no + * reason code extension, this function stores -1 at "pReason". + * + * CRLReason ::= ENUMERATED { + * unspecified (0), + * keyCompromise (1), + * cACompromise (2), + * affiliationChanged (3), + * superseded (4), + * cessationOfOperation (5), + * certificateHold (6), + * removeFromCRL (8), + * privilegeWithdrawn (9), + * aACompromise (10) } + * + * PARAMETERS: + * "crlEntry" + * Address of CRLEntry whose reason code bit values are to be returned + * at "pReason". Must be non-NULL. + * "pReason" + * Address of PKIX_Int32 where reason code is stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRLEntry_GetCRLEntryReasonCode( + PKIX_PL_CRLEntry *crlEntry, + PKIX_Int32 *pReason, + void *plContext); + +/* + * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs + * DESCRIPTION: + * + * Retrieves a pointer to the List of OIDs (each OID corresponding to a + * critical extension of the CRLEntry pointed to by "crlEntry") and stores it + * at "pExtensions". If "crlEntry" does not have any critical extensions, this + * function stores an empty List at "pExtensions". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "crlEntry" + * Address of CRLEntry whose critical extension OIDs are to be stored. + * Must be non-NULL. + * "pExtensions" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRL Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CRLEntry_GetCriticalExtensionOIDs( + PKIX_PL_CRLEntry *crlEntry, + PKIX_List **pExtensions, /* list of PKIX_PL_OID */ + void *plContext); + +#ifdef BUILD_LIBPKIX_TESTS +/* + * FUNCTION: PKIX_PL_X500Name_Create + * DESCRIPTION: + * + * Creates a new X500Name using the UTF8 string representation pointed to by + * "stringRep" and stores it at "pName". Once created, an X500Name is + * immutable. + * + * Name ::= CHOICE { + * RDNSequence } + * + * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + * + * RelativeDistinguishedName ::= + * SET OF AttributeTypeAndValue + * + * AttributeTypeAndValue ::= SEQUENCE { + * type AttributeType, + * value AttributeValue } + * + * AttributeType ::= OBJECT IDENTIFIER + * + * AttributeValue ::= ANY DEFINED BY AttributeType + * + * DirectoryString ::= CHOICE { + * teletexString TeletexString (SIZE (1..MAX)), + * printableString PrintableString (SIZE (1..MAX)), + * universalString UniversalString (SIZE (1..MAX)), + * utf8String UTF8String (SIZE (1..MAX)), + * bmpString BMPString (SIZE (1..MAX)) } + * + * PARAMETERS: + * "stringRep" + * Address of UTF8 String representation of X500Name. Must be non-NULL. + * "pName" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an X500Name Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_X500Name_Create ( + PKIX_PL_String *stringRep, + PKIX_PL_X500Name **pName, + void *plContext); + +#endif /* BUILD_LIBPKIX_TESTS */ + +/* + * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName + * DESCRIPTION: + * + * The function creates x500Name using der encoded DN and/or pointer to + * CERTName. If arument "name" is NULL, but derName is supplied when + * the function generates nssDN(CERTName type) from der data. If derName + * is not supplied, CERTName *name will not be used to generate DN DER + * encoding. + * + * PARAMETERS: + * "derName" + * Address of DER representation of X500Name. Can be NULL + * "name" + * Address of CERTName representation of X500Name. Can be NULL + * "pName" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an X500Name Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_X500Name_CreateFromCERTName( + SECItem *derName, + CERTName *name, + PKIX_PL_X500Name **pName, + void *plContext); + + +/* + * TYPE: PKIX_PL_X500Name_Match + * DESCRIPTION: + * Checks whether the X500Name pointed to by "firstX500Name" MATCHES the + * X500Name pointed to by "secondX500Name" and stores the boolean result at + * "pResult". Two X500Names MATCH if they meet the conditions specified by + * RFC 3280 (section 4.1.2.4). Namely: + * + * "This specification requires only a subset of the name comparison + * functionality specified in the X.500 series of specifications. + * Conforming implementations are REQUIRED to implement the following + * name comparison rules: + * + * (a) attribute values encoded in different types (e.g., PrintableString + * and BMPString) MAY be assumed to represent different strings; + * + * (b) attribute values in types other than PrintableString are case + * sensitive (this permits matching of attribute values as binary objects) + * + * (c) attribute values in PrintableString are not case sensitive + * (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and + * + * (d) attribute values in PrintableString are compared after removing + * leading and trailing white space and converting internal substrings of + * one or more consecutive white space characters to a single space." + * + * PARAMETERS: + * "firstX500Name" + * Address of first X500Name to compare. Must be non-NULL. + * "secondX500Name" + * Address of second X500Name to compare. Must be non-NULL. + * "pResult" + * Address of Boolean result. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an X500Name Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_X500Name_Match( + PKIX_PL_X500Name *firstX500Name, + PKIX_PL_X500Name *secondX500Name, + PKIX_Boolean *pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Date_Create_UTCTime + * DESCRIPTION: + * Creates a new Date of type UTCTime using the string representation pointed + * to by "stringRep" and stores it at "pDate". The UTCTime restriction means + * that the year can only be specified by the least significant two digits + * (YY). As such, Only the years 1950-2049 can be represented. If "stringRep" + * is NULL, this function creates a new Date representing the current time + * and stores it at "pDate". Once created, a Date is immutable. + * + * If YY is greater than or equal to 50, the year is interpreted as 19YY. + * If YY is less than 50, the year is interpreted as 20YY. + * + * The string representation of the date must be in the following form: + * "YYMMDDhhmmssZ" where: + * + * YY is the least significant two digits of the year + * MM is the month (01 to 12) + * DD is the day (01 to 31) + * hh is the hour (00 to 23) + * mm are the minutes (00 to 59) + * ss are the seconds (00 to 59) + * Z indicates that local time is GMT + * + * PARAMETERS: + * "stringRep" + * Address of String representation of Date. + * If NULL, current time is used. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Date Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Date_Create_UTCTime ( + PKIX_PL_String *stringRep, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Date_Create_UTCTime + * DESCRIPTION: + * Creates a new Date from PRTime data. + * + * PARAMETERS: + * "time" + * Represented time in PRTime type. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Date Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Date_CreateFromPRTime( + PRTime time, + PKIX_PL_Date **pDate, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds + * DESCRIPTION: + * Creates a new Date of type UTCTime for current time with seconds off by + * "secondsOffset" and returns it at "pDate". + * + * PARAMETERS: + * "secondsOffset" + * A PKIX_Int32 indicates the time offset from current. If "secondsOffset" + * is negative, the time is in past. + * "pDate" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Date Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Date_Create_CurrentOffBySeconds( + PKIX_Int32 secondsOffset, + PKIX_PL_Date **pDate, + void *plContext); + +#ifdef BUILD_LIBPKIX_TESTS +/* + * FUNCTION: PKIX_PL_GeneralName_Create + * DESCRIPTION: + * + * Creates a new GeneralName of type "nameType" using the string + * representation pointed to by "stringRep" and stores it at "pGName". + * All of the GeneralName type format values specified in pkixt.h are + * supported, with the exception of PKIX_OTHER_NAME, PKIX_EDIPARTY_NAME, + * PKIX_IP_NAME, and PKIX_X400_ADDRESS. A PKIX_ESCASCII string representation + * should be used for all supported nameTypes, with the exception of + * registeredID and directoryName. For registeredID, the string representation + * should be the same as that used by PKIX_PL_OID_Create. For directoryName, + * the string representation should be the same as that used by + * PKIX_PL_X500Name_Create. If an unsupported name type is used, an Error is + * returned. Once created, a GeneralName is immutable. + * + * GeneralName ::= CHOICE { + * otherName [0] OtherName, + * rfc822Name [1] IA5String, + * dNSName [2] IA5String, + * x400Address [3] ORAddress, + * directoryName [4] Name, + * ediPartyName [5] EDIPartyName, + * uniformResourceIdentifier [6] IA5String, + * iPAddress [7] OCTET STRING, + * registeredID [8] OBJECT IDENTIFIER } + * + * + * NOTE: This function is allowed to be called only by pkix tests programs. + * + * PARAMETERS: + * "nameType" + * Type of GeneralName to be created. This must be one of the GeneralName + * type format values specified in pkixt.h + * "stringRep" + * Address of String representation of GeneralName. Must be non-NULL. + * "pGName" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a GeneralName Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_GeneralName_Create ( + PKIX_UInt32 nameType, + PKIX_PL_String *stringRep, + PKIX_PL_GeneralName **pGName, + void *plContext); +#endif /* BUILD_LIBPKIX_TESTS */ + +/* + * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace + * DESCRIPTION: + * + * This function checks whether names in "nameList" comply with + * "nameConstraints". It stores PKIX_TRUE at "pCheckPass" if the names meet the + * requirement of the NameConstraints, PKIX_FALSE otherwise. + * + * PARAMETERS + * "nameList" + * List of GeneralNames that are checked for compliance. May be empty + * or NULL. + * "nameConstraints" + * Address of CertNameConstraints that provides lists of permitted + * and excluded names. Must be non-NULL. + * "pCheckPass" + * Address where PKIX_TRUE is returned if the all names in "nameList" are + * valid. Must be non-NULL. + * "plContext" - Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a NameConstraints Error if the function fails in a + * non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CertNameConstraints_CheckNamesInNameSpace( + PKIX_List *nameList, /* List of PKIX_PL_GeneralName */ + PKIX_PL_CertNameConstraints *nameConstraints, + PKIX_Boolean *pCheckPass, + void *plContext); + +/* + * FUNCTION: PKIX_PL_AIAMgr_Create + * DESCRIPTION: + * + * This function creates an AIAMgr to handle retrieval of Certs and CRLs + * from servers given by AIA Certificate extensions. It manages connections + * and caches. The manager created is stored at "pAIAMgr". + * + * PARAMETERS: + * "pAIAMgr" + * The address at which the result is stored. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an AIAMgr Error if the function fails in a non-fatal way + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_AIAMgr_Create( + PKIX_PL_AIAMgr **pAIAMgr, + void *plContext); + +/* + * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts + * DESCRIPTION: + * + * This function uses the AIAMgr pointed to by "aiaMgr" to retrieve the Certs + * specified by an AIA certificate extension, if any, in the Cert pointed to by + * "prevCert", storing the results at "pCerts". If the certificate has no such + * extension, this function stores NULL at "pCerts". + * + * If the request is suspended for non-blocking I/O, a platform-dependent + * context is stored at "pNBIOContext" and NULL is stored at "pCerts". This + * return is referred to as the WOULDBLOCK state. Note that the caller must + * check for a non-NULL value at "pNBIOContext", to distinguish this state from + * the "no such extension" return described in the first paragraph. (The + * alternative would be to return an empty List, but it seemed wrong to incur + * the overhead of creating and destroying an empty List for the most common + * situation.) + * + * After a WOULDBLOCK return, the user may continue the operation by calling + * pkix_AIAMgr_GetAIACerts (possibly more than once, if the function again + * returns in the WOULDBLOCK state) with the previously-returned non-NULL + * value of "pNBIOContext". When results are complete, NULL is stored at + * "pNBIOContext", and the results (which may be NULL) are stored at "pCerts". + * + * PARAMETERS: + * "aiaMgr" + * The AIAMgr which controls the retrieval of certificates. Must be + * non-NULL. + * "prevCert" + * Address of PKIX_PL_Cert which may provide an AIA or SIA extension. Must + * be non-NULL. + * "pNBIOContext" + * Address at which platform-dependent information is returned if request + * is suspended for non-blocking I/O. Must be non-NULL. + * "pCerts" + * Address at which the returned List is stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an AIAMgr Error if the function fails in a non-fatal way + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_AIAMgr_GetAIACerts( + PKIX_PL_AIAMgr *aiaMgr, + PKIX_PL_Cert *prevCert, + void **pNBIOContext, + PKIX_List **pCerts, + void *plContext); + +typedef PKIX_Error * +(*PKIX_PL_VerifyCallback)( + PKIX_PL_Object *signedObject, + PKIX_PL_Cert *signerCert, /* can be unknown */ + PKIX_PL_Date *producedAt, + PKIX_ProcessingParams *procParams, + void **pNBIOContext, + void **pState, + PKIX_BuildResult **pBuildResult, + PKIX_VerifyNode **pVerifyTree, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_PL_PKI_H */ diff --git a/security/nss/lib/libpkix/include/pkix_pl_system.h b/security/nss/lib/libpkix/include/pkix_pl_system.h new file mode 100644 index 0000000000..57d5df7cc0 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_pl_system.h @@ -0,0 +1,1545 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines several platform independent functions to make system + * calls in a portable manner. + * + */ + +#ifndef _PKIX_PL_SYSTEM_H +#define _PKIX_PL_SYSTEM_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* + * FUNCTION: PKIX_PL_Initialize + * DESCRIPTION: + * + * XXX If this function is really only meant to be used by PKIX_Initialize, + * why don't we just put it in a private header file rather than the public + * API. I think it may confuse users. + * + * This function should NOT be called by applications. It is only meant to + * be used internally. The application needs only to call PKIX_Initialize, + * which in turn will call this function. + * + * This function initializes data structures critical to the operation of + * libpkix. If initialization is not successful, an Error pointer is + * returned. This function should only be called once. If it is called more + * than once, the behavior is undefined. + * + * No PKIX_* types and functions should be used before this function is + * called and returns successfully. + * + * PARAMETERS: + * "platformInitNeeded" + * Boolean indicating whether platform initialization is to be called + * "useArenas" + * Boolean indicating whether allocation is to be done using arenas or + * individual allocation (malloc). + * "pPlContext" + * Address at which platform-specific context pointer is stored. Must be + * non-NULL. + * THREAD SAFETY: + * Not Thread Safe + * + * This function assumes that no other thread is calling this function while + * it is executing. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Initialize( + PKIX_Boolean platformInitNeeded, + PKIX_Boolean useArenas, + void **pPlContext); + +/* + * FUNCTION: PKIX_PL_Shutdown + * DESCRIPTION: + * + * XXX If this function is really only meant to be used by PKIX_Shutdown, + * why don't we just put it in a private header file rather than the public + * API. I think it may confuse users. + * + * This function should NOT be called by applications. It is only meant to + * be used internally. The application needs only to call PKIX_Shutdown, + * which in turn will call this function. + * + * This function deallocates any memory used by the Portability Layer (PL) + * component of the libpkix library and shuts down any ongoing operations. + * This function should only be called once. If it is called more than once, + * the behavior is undefined. + * + * No PKIX_* types and functions should be used after this function is called + * and returns successfully. + * + * PARAMETERS: + * "platformInitNeeded" + * Boolean value of whether PKIX initialized NSS: PKIX_TRUE if we + * called nssInit, PKIX_FALSE otherwise + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe + * + * This function makes use of global variables and should only be called once. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Shutdown(void *plContext); + +/* standard memory management operations (not reference-counted) */ + +/* + * FUNCTION: PKIX_PL_Malloc + * DESCRIPTION: + * + * Allocates a block of "size" bytes. The bytes are not initialized. A + * pointer to the newly allocated memory will be stored at "pMemory". The + * memory allocated by PKIX_PL_Malloc() may only be freed by PKIX_PL_Free(). + * If "size" equals zero, this function stores NULL at "pMemory". + * + * PARAMETERS: + * "size" + * Number of bytes to allocate. + * "pMemory" + * Address where newly allocated pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on underlying thread safety of platform used by PL. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Malloc( + PKIX_UInt32 size, + void **pMemory, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Calloc + * DESCRIPTION: + * + * Allocates memory for an array of "nElem" elements, with each element + * requiring "elSize" bytes, and with all the bits initialized to zero. A + * pointer to the newly allocated memory will be stored at "pMemory". The + * memory allocated by PKIX_PL_Calloc() may only be freed by PKIX_PL_Free(). + * If "nElem" equals zero or "elSize" equals zero, this function stores NULL + * at "pMemory". + * + * PARAMETERS: + * "nElem" + * Number of elements needed. + * "elSize" + * Number of bytes needed per element. + * "pMemory" + * Address where newly allocated pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on underlying thread safety of platform used by PL. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Calloc( + PKIX_UInt32 nElem, + PKIX_UInt32 elSize, + void **pMemory, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Realloc + * DESCRIPTION: + * + * Resizes an existing block of memory (pointed to by "ptr") to "size" bytes. + * Stores a pointer to the resized memory at "pNewPtr". The "ptr" must + * originate from either PKIX_PL_Malloc(), PKIX_PL_Realloc(), or + * PKIX_PL_Calloc(). If "ptr" is NULL, this function behaves as if + * PKIX_PL_Malloc were called. If "ptr" is not NULL and "size" equals zero, + * the memory pointed to by "ptr" is deallocated and this function stores + * NULL at "pPtr". + * + * PARAMETERS: + * "ptr" + * A pointer to an existing block of memory. + * "size" + * New size in bytes. + * "pPtr" + * Address where newly allocated pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on underlying thread safety of platform used by PL. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Realloc( + void *ptr, + PKIX_UInt32 size, + void **pNewPtr, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Free + * DESCRIPTION: + * + * Frees a block of memory pointed to by "ptr". This value must originate with + * either PKIX_PL_Malloc(), PKIX_PL_Calloc, or PKIX_PL_Realloc(). If "ptr" is + * NULL, the function has no effect. + * + * PARAMETERS: + * "ptr" + * A pointer to an existing block of memory. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on underlying thread safety of platform used by PL. + * RETURNS: + * Returns NULL always. + */ +PKIX_Error * +PKIX_PL_Free( + void *ptr, + void *plContext); + +/* Callback Types + * + * The next few typedefs define function pointer types for the standard + * functions associated with every object type. See the Implementation + * Guidelines or the comments below for more information. + */ + +/* + * TYPE: PKIX_PL_DestructorCallback + * DESCRIPTION: + * + * This callback function destroys (or DecRef's) any pointers contained in + * the user data for the Object pointed to by "object" before the Object is + * destroyed. + * + * PARAMETERS: + * "object" + * Address of Object to destroy. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts (as long as they're not operating on the same + * object and nobody else is performing an operation on the object at the + * same time). Both of these conditions should be guaranteed by the fact that + * the object's ref count was reduced to 0 in a lock that's still held when + * this callback is called. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_DestructorCallback)( + PKIX_PL_Object *object, + void *plContext); + +/* + * TYPE: PKIX_PL_EqualsCallback + * DESCRIPTION: + * + * This callback function compares the Object pointed to by "firstObject" with + * the Object pointed to by "secondObject" for equality and stores the result + * at "pResult" (PKIX_TRUE if equal; PKIX_FALSE if not). + * + * PARAMETERS: + * "firstObject" + * Address of first object to compare. Must be non-NULL. + * "secondObject" + * Address of second object to compare. Must be non-NULL. + * "pResult" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_EqualsCallback)( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Boolean *pResult, + void *plContext); + +/* + * TYPE: PKIX_PL_HashcodeCallback + * DESCRIPTION: + * + * This callback function computes the hashcode of the Object pointed to by + * "object" and stores the result at "pValue". + * + * PARAMETERS: + * "object" + * Address of Object whose hashcode is desired. Must be non-NULL. + * "pValue" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_HashcodeCallback)( + PKIX_PL_Object *object, + PKIX_UInt32 *pValue, + void *plContext); + +/* + * TYPE: PKIX_PL_ToStringCallback + * DESCRIPTION: + * + * This callback function converts the Object pointed to by "object" to a + * string representation and stores the result at "pString". + * + * PARAMETERS: + * "object" + * Object to get a string representation from. Must be non-NULL. + * "pString" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_ToStringCallback)( + PKIX_PL_Object *object, + PKIX_PL_String **pString, + void *plContext); + +/* + * TYPE: PKIX_PL_ComparatorCallback + * DESCRIPTION: + * + * This callback function determines how the Object pointed to by + * "firstObject" compares to the Object pointed to by "secondObject" and + * stores the result at "pResult". + * + * Result is less than 0 if firstObject < secondObject + * Result equals 0 if firstObject = secondObject + * Result is greater than 0 if firstObject > secondObject + * + * PARAMETERS: + * "firstObject" + * Address of the first Object to compare. Must be non-NULL. + * "secondObject" + * Address of the second Object to compare. Must be non-NULL. + * "pResult" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_ComparatorCallback)( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Int32 *pResult, + void *plContext); + +/* + * TYPE: PKIX_PL_DuplicateCallback + * DESCRIPTION: + * + * This callback function creates a copy of the Object pointed to by "object" + * and stores it at "pNewObject". Changes to the copy will not affect the + * original and vice versa. + * + * Note that if "object" is immutable, the Duplicate callback function simply + * needs to increment the reference count on "object" and return a reference + * to "object". + * + * PARAMETERS: + * "object" + * Address of the object to be copied. Must be non-NULL. + * "pNewObject" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_PL_DuplicateCallback)( + PKIX_PL_Object *object, + PKIX_PL_Object **pNewObject, + void *plContext); + +/* reference-counted objects */ + +/* + * FUNCTION: PKIX_PL_Object_Alloc + * DESCRIPTION: + * + * Allocates a new Object of type "type" with "size" bytes and stores the + * resulting pointer at "pObject". The reference count of the newly + * allocated object will be initialized to 1. To improve performance, each + * object maintains a small cache for the results of Hashcode and ToString. + * Mutable objects should call InvalidateCache whenever changes are made to + * the object's state (after creation). If an error occurs during allocation, + * "pObject" will be set to NULL. If "size" equals zero, this function creates + * an Object with a reference count of 1, and places a pointer to unallocated + * memory at "pMemory". + * + * PARAMETERS: + * "type" + * The type code of this object. See pkixt.h for codes. The type code + * must be previously registered with PKIX_PL_Object_RegisterType(). + * "size" + * The number of bytes needed for this object. + * "pMemory" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Alloc( + PKIX_TYPENUM type, + PKIX_UInt32 size, + PKIX_PL_Object **pObject, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_IsTypeRegistered + * DESCRIPTION: + * + * Checks whether "type" has been registered by a previous call to + * PKIX_PL_Object_RegisterType() and stores the Boolean result at "pBool". + * This function will typically only be called by constructors for specific + * types. + * + * PARAMETERS: + * "type" + * The type code to check if valid. + * "pBool" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_IsTypeRegistered( + PKIX_UInt32 type, + PKIX_Boolean *pBool, + void *plContext); + +#ifdef PKIX_USER_OBJECT_TYPE +/* + * FUNCTION: PKIX_PL_Object_RegisterType + * DESCRIPTION: + * + * Registers a new Object with type value "type" and associates it with a set + * of functions ("destructor", "equalsFunction", "hashcodeFunction", + * "toStringFunction", "comparator", "duplicateFunction"). The new type value + * is also associated with a string pointed to by "description", which is used + * by the default ToStringCallback. This function may only be called with a + * particular "type" value once. If "destructor", "equalsFunction", + * "hashcodeFunction", or "toStringFunction" are NULL, default functions will + * be registered. However, if "comparator" and "duplicateFunction" are NULL, + * no functions will be registered and calls to PKIX_PL_Object_Compare and + * PKIX_PL_Object_Duplicate will result in an error. + * + * PARAMETERS: + * "type" + * The type code. + * "description" + * The string used by the default ToStringCallback. Default used if NULL. + * "destructor" + * The DestructorCallback function to be set. Default used if NULL. + * "equalsFunction" + * The EqualsCallback function to be set. Default used if NULL. + * "hashcodeFunction" + * The HashcodeCallback function to be set. Default used if NULL. + * "toStringFunction" + * The ToStringCallback function to be set. Default used if NULL. + * "comparator" + * The ComparatorCallback function to be set. None set if NULL. If no + * callback function is set in this field, calls to + * PKIX_PL_Object_Compare() will result in an error. + * "duplicateFunction" + * The DuplicateCallback function to be set. None set if NULL. If no + * callback function is set in this field, calls to + * PKIX_PL_Object_Duplicate() will result in an error. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if "type" is already registered. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_RegisterType( + PKIX_UInt32 type, + char *description, + PKIX_PL_DestructorCallback destructor, + PKIX_PL_EqualsCallback equalsFunction, + PKIX_PL_HashcodeCallback hashcodeFunction, + PKIX_PL_ToStringCallback toStringFunction, + PKIX_PL_ComparatorCallback comparator, + PKIX_PL_DuplicateCallback duplicateFunction, + void *plContext); + +#endif +/* + * FUNCTION: PKIX_PL_Object_InvalidateCache + * DESCRIPTION: + * + * Invalidates the cache of the Object pointed to by "object". The cache + * contains results of Hashcode and ToString. This function should be used by + * mutable objects whenever changes are made to the Object's state (after + * creation). + * + * For example, if ToString is called on a mutable Object, the result will be + * computed, cached, and returned. If the Object's state does not change, a + * subsequent call to ToString will recognize that the relevant result is + * cached and will simply return the result (without calling the Object's + * ToStringCallback to recompute it). However, when the Object's state + * changes, the cache needs to be invalidated in order to force a subsequent + * call to ToString to recompute the result. + * + * PARAMETERS: + * "object" + * Address of Object whose cache is to be invalidated. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * + * THREAD SAFETY + * Thread Safe - Object Type Table is locked during modification. + * + * Multiple threads can safely call this function without worrying about + * conflicts, even if they're operating on the same object. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_InvalidateCache( + PKIX_PL_Object *object, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_IncRef + * DESCRIPTION: + * + * Increments the reference count of the Object pointed to by "object". + * + * PARAMETERS: + * "object" + * Address of Object whose reference count is to be incremented. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_IncRef( + PKIX_PL_Object *object, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_DecRef + * DESCRIPTION: + * + * Decrements the reference count of the Object pointed to by "object". If the + * resulting reference count is zero, the destructor (if any) registered for + * the Object's type (by PKIX_PL_RegisterType) will be called and then the + * Object will be destroyed. + * + * PARAMETERS: + * "object" + * Address of Object whose reference count is to be decremented. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * If destructor is not called, multiple threads can safely call this function + * without worrying about conflicts, even if they're operating on the same + * object. If destructor is called, thread safety depends on the callback + * defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_DecRef( + PKIX_PL_Object *object, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Equals + * DESCRIPTION: + * + * Compares the Object pointed to by "firstObject" with the Object pointed to + * by "secondObject" for equality using the callback function registered for + * "firstObject"'s type, and stores the Boolean result at "pResult". While + * typical callbacks will return PKIX_FALSE if the objects are of different + * types, other callbacks may be capable of comparing objects of different + * types [which may correctly result in cases where Equals(first, second) + * differs from Equals(second, first)]. + * + * PARAMETERS: + * "firstObject" + * Address of the first Object to compare. Must be non-NULL. + * The EqualsCallback for this Object will be called. + * "secondObject" + * Address of the second Object to compare. Must be non-NULL. + * "pResult" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on the callback defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Equals( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Boolean *pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Hashcode + * DESCRIPTION: + * + * Computes a hashcode of the Object pointed to by "object" using the + * callback registered for "object"'s type and stores it at "pValue". Two + * objects which are equal should have the same hashcode. Once a call to + * Hashcode has been made, the results are cached and subsequent calls to + * Hashcode will return the cached value. For mutable objects, an + * InvalidateCache function is provided, which should be called whenever + * changes are made to the object's state (after creation). + * + * PARAMETERS: + * "object" + * Address of the Object whose hashcode is desired. Must be non-NULL. + * The HashcodeCallback for this object will be called. + * "pValue" + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * + * THREAD SAFETY: + * Thread safety depends on the callback defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Hashcode( + PKIX_PL_Object *object, + PKIX_UInt32 *pValue, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_ToString + * DESCRIPTION: + * + * Creates a string representation of the Object pointed to by "object" using + * the callback registered for "object"'s type and stores it at "pString". + * Once a call to ToString has been made, the results are cached and + * subsequent calls to ToString will return the cached value. For mutable + * objects, an InvalidateCache function is provided, which should be called + * whenever changes are made to the object's state (after creation). + * + * PARAMETERS: + * "object" + * Address of Object whose string representation is desired. + * Must be non-NULL. The ToStringCallback for this object will be called. + * "pString" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on the callback defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_ToString( + PKIX_PL_Object *object, + PKIX_PL_String **pString, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Compare + * DESCRIPTION: + * + * Compares the Object pointed to by "firstObject" and the Object pointed to + * by "secondObject" using the comparator registered for "firstObject"'s type + * and stores the result at "pResult". Different types may be compared. This + * may correctly result in cases where Compare(first, second) is not the + * opposite of Compare(second, first). The PKIX_Int32 value stored at + * "pResult" will be: + * Less than 0 if "firstObject" < "secondObject" + * Equals to 0 if "firstObject" = "secondObject" + * Greater than 0 if "firstObject" > "secondObject" + * + * PARAMETERS: + * "firstObject" + * Address of first Object to compare. Must be non-NULL. + * The ComparatorCallback for this object will be called. + * "secondObject" + * Address of second object to compare. Must be non-NULL. + * "pResult + * Address where PKIX_Int32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on the comparator defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Compare( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Int32 *pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Duplicate + * DESCRIPTION: + * + * Creates a duplicate copy of the Object pointed to by "object" using the + * callback registered for "object"'s type and stores the copy at + * "pNewObject". Changes to the new object will not affect the original and + * vice versa. + * + * Note that if "object" is immutable, the Duplicate callback function simply + * needs to increment the reference count on "object" and return a reference + * to "object". + * + * PARAMETERS: + * "object" + * Address of Object to be duplicated. Must be non-NULL. + * The DuplicateCallback for this Object will be called. + * "pNewObject" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread safety depends on the callback defined by PKIX_PL_RegisterType(). + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Object Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Duplicate( + PKIX_PL_Object *object, + PKIX_PL_Object **pNewObject, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_GetType + * DESCRIPTION: + * + * Retrieves the type code of the Object pointed to by "object" and stores it + * at "pType". See pkixt.h for type codes. + * + * PARAMETERS: + * "object" + * Address of Object whose type is desired. Must be non-NULL. + * "pType" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_GetType( + PKIX_PL_Object *object, + PKIX_UInt32 *pType, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Lock + * DESCRIPTION: + * + * Locks the Mutex associated with the Object pointed to by "object". When an + * object is created, it is associated with an object-specific Mutex to allow + * for synchronization when the fields of the object are modified. + * + * PARAMETERS: + * "object" + * Address of Object whose Mutex is to be locked. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Lock( + PKIX_PL_Object *object, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Object_Unlock + * DESCRIPTION: + * + * Unlocks the Mutex associated with the Object pointed to by "object". When + * an object is created, it is associated with an object-specific Mutex to + * allow for synchronization when the fields of the object are modified. + * + * PARAMETERS: + * "object" + * Address of Object whose Mutex is to be unlocked. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Object_Unlock( + PKIX_PL_Object *object, + void *plContext); + +/* mutexes (locks) */ + +/* + * FUNCTION: PKIX_PL_Mutex_Create + * DESCRIPTION: + * + * Creates a new Mutex and stores it at "pNewLock". + * + * PARAMETERS: + * "pNewLock" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Mutex_Create( + PKIX_PL_Mutex **pNewLock, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Mutex_Lock + * DESCRIPTION: + * + * Locks the Mutex pointed to by "lock". If the Mutex is already locked, this + * function will block the current thread until the mutex can be locked by + * this thread. + * + * PARAMETERS: + * "lock" + * Address of Mutex to lock. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Mutex_Lock( + PKIX_PL_Mutex *lock, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Mutex_Unlock + * DESCRIPTION: + * + * Unlocks the Mutex pointed to by "lock" if the current thread holds the + * Mutex. + * + * PARAMETERS: + * "lock" + * Address of Mutex to unlock. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Mutex_Unlock( + PKIX_PL_Mutex *lock, + void *plContext); + +/* monitor (locks) */ + +/* + * FUNCTION: PKIX_PL_MonitorLock_Create + * DESCRIPTION: + * + * Creates a new PKIX_PL_MonitorLock and stores it at "pNewLock". + * + * PARAMETERS: + * "pNewLock" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_MonitorLock_Create( + PKIX_PL_MonitorLock **pNewLock, + void *plContext); + +/* + * FUNCTION: PKIX_PL_MonitorLock_Enter + * DESCRIPTION: + * + * Locks the MonitorLock pointed to by "lock". If the MonitorLock is already + * locked by other thread, this function will block the current thread. If + * the "lock" had been locked by current thread, this function will NOT block. + * + * PARAMETERS: + * "lock" + * Address of MonitorLock to lock. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_MonitorLock_Enter( + PKIX_PL_MonitorLock *lock, + void *plContext); + +/* + * FUNCTION: PKIX_PL_MonitorLock_Exit + * DESCRIPTION: + * + * Unlocks the MonitorLock pointed to by "lock" if the lock counter of + * current thread holds the MonitorLock reach 0, the lock is released. + * + * PARAMETERS: + * "lock" + * Address of MonitorLock to unlock. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_MonitorLock_Exit( + PKIX_PL_MonitorLock *lock, + void *plContext); + +/* strings and formatted printing */ + +/* + * FUNCTION: PKIX_PL_String_Create + * DESCRIPTION: + * + * Creates a new String using the data pointed to by "pString", the + * PKIX_UInt32 pointed to by "stringLen", and the PKIX_UInt32 pointed to by + * "fmtIndicator" and stores it at "pString". If the format is PKIX_ESCASCII + * the "stringLen" parameter is ignored and the string extends until a zero + * byte is found. Once created, a String object is immutable. + * + * Valid formats are: + * PKIX_ESCASCII + * PKIX_ESCASCII_DEBUG + * PKIX_UTF8 + * PKIX_UTF8_NULL_TERM + * PKIX_UTF16 + * + * PARAMETERS: + * "fmtIndicator" + * Format that "stringRep" is encoded with. Must be non-NULL. + * "stringRep" + * Address of encoded string representation. Must be non-NULL. + * "stringLen" + * Length of data stored at stringRep. + * "pString" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a String Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_String_Create( + PKIX_UInt32 fmtIndicator, + const void *stringRep, + PKIX_UInt32 stringLen, + PKIX_PL_String **pString, + void *plContext); + +/* + * FUNCTION: PKIX_PL_Sprintf + * DESCRIPTION: + * + * Creates a formatted string at "pOut" using the given format "fmt" and a + * variable length list of arguments. The format flags are identical to + * standard C with the exception that %s expects a PKIX_PL_String*, rather + * than a char *, and that {%d, %i, %o, %u, %x, %X} expect PKIX_UInt32 or + * PKIX_Int32 instead of int or unsigned int. + * + * PARAMETERS: + * "pOut" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * "fmt" + * Address of format string. Must be non-NULL. + * THREAD SAFETY: + * Not Thread Safe - Caller must have exclusive access to all arguments. + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a String Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Sprintf( + PKIX_PL_String **pOut, + void *plContext, + const PKIX_PL_String *fmt, ...); + +/* + * FUNCTION: PKIX_PL_GetString + * DESCRIPTION: + * + * Retrieves the String associated with the value of "stringID" (if any) and + * stores it at "pString". If no such string is associated with "stringID", + * this function uses "defaultString" to create a String and stores it at + * "pString". + * + * PARAMETERS: + * "stringID" + * PKIX_UInt32 valud of string identifier. + * "defaultString" + * Address of a PKIX_ESCASCII encoded string representation. + * Must be non-NULL. + * "pString" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a String Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_GetString( + PKIX_UInt32 stringID, + char *defaultString, + PKIX_PL_String **pString, + void *plContext); + +/* + * FUNCTION: PKIX_PL_String_GetEncoded + * DESCRIPTION: + * + * Retrieves the value of the String pointed to by "string" in the encoding + * specified by "fmtIndicator" and stores the result in "pStringRep" and + * "pLength", respectively. Note that "pStringRep" is not reference counted + * and will need to be freed with PKIX_PL_Free(). + * + * PARAMETERS: + * "string" + * Address of String whose encoded value is desired. Must be non-NULL. + * "fmtIndicator" + * Format of encoding. Supported formats are: + * PKIX_ESCASCII, PKIX_ESCASII_DEBUG, PKIX_UTF8, PKIX_UTF8_NULL_TERM, and + * PKIX_UTF16. XXX Where are these documented? + * "pStringRep" + * Address where pointer to encoded value will be stored. + * Must be non-NULL. + * "pLength" + * Address where byte length of encoded value will be stored. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a String Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_String_GetEncoded( + PKIX_PL_String *string, + PKIX_UInt32 fmtIndicator, + void **pStringRep, + PKIX_UInt32 *pLength, + void *plContext); + +/* + * Hashtable + * + * A hashtable is a very efficient data structure used for mapping keys to + * values. Any non-null PKIX_PL_Object can be used as a key or as a value, + * provided that it correctly implements the PKIX_PL_EqualsCallback and the + * PKIX_PL_HashcodeCallback. A hashtable consists of several buckets, with + * each bucket capable of holding a linked list of key/value mappings. When + * adding, retrieving, or deleting a value, the hashcode of the key is used to + * determine which bucket's linked list is relevant. The corresponding + * key/value pair is then appended, retrieved, or deleted. + */ + +/* + * FUNCTION: PKIX_PL_HashTable_Create + * DESCRIPTION: + * + * Creates a new Hashtable with an initial capacity of "numBuckets" buckets + * and "maxEntriesPerBucket" of entries limit for each bucket and stores it + * at "pResult". + * + * PARAMETERS: + * "numBuckets" + * The initial number of hash table buckets. Must be non-zero. + * "maxEntriesPerBucket" + * The limit of entries per bucket. Zero means no limit. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_HashTable_Create( + PKIX_UInt32 numBuckets, + PKIX_UInt32 maxEntriesPerBucket, + PKIX_PL_HashTable **pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_HashTable_Add + * DESCRIPTION: + * + * Adds a key/value mapping using the Objects pointed to by "key" and "value" + * to the Hashtable pointed to by "ht". + * + * Function increments key/value reference counts. Caller is responsible to + * to decrement(destroy) key/value ref counts(objects). + * + * PARAMETERS: + * "ht" + * Address of Hashtable to be added to. Must be non-NULL. + * "key" + * Address of Object to be associated with "value". Must be non-NULL. + * "value" + * Address of Object to be added to Hashtable. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "ht" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Hashtable Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_HashTable_Add( + PKIX_PL_HashTable *ht, + PKIX_PL_Object *key, + PKIX_PL_Object *value, + void *plContext); + +/* + * FUNCTION: PKIX_PL_HashTable_Remove + * DESCRIPTION: + * + * Removes the Object value whose key is equal to the Object pointed to by + * "key" from the Hashtable pointed to by "ht". If no such object exists, + * this function throws an Error. + * + * Function frees "value" object. Caller is responsible to free "key" + * object. + * + * PARAMETERS: + * "ht" + * Address of Hashtable to remove object from. Must be non-NULL. + * "key" + * Address of Object used for lookup. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "ht" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Hashtable Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_HashTable_Remove( + PKIX_PL_HashTable *ht, + PKIX_PL_Object *key, + void *plContext); + +/* + * FUNCTION: PKIX_PL_HashTable_Lookup + * DESCRIPTION: + * + * Retrieves the Object whose key equals the Object pointed to by "key" from + * the Hashtable associated with "ht" and stores it at "pResult". If no + * Object is found, this function stores NULL at "pResult". + * + * PARAMETERS: + * "ht" + * Address of Hashtable to lookup Object from. Must be non-NULL. + * "key" + * Address of key Object used for lookup. Must be non-NULL. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Hashtable Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_HashTable_Lookup( + PKIX_PL_HashTable *ht, + PKIX_PL_Object *key, + PKIX_PL_Object **pResult, + void *plContext); + +/* + * FUNCTION: PKIX_PL_ByteArray_Create + * DESCRIPTION: + * + * Creates a new ByteArray using "length" bytes of data pointed to by "array" + * and stores it at "pByteArray". Once created, a ByteArray is immutable. + * + * PARAMETERS: + * "array" + * Address of source data. + * "length" + * Number of bytes to copy. + * "pByteArray" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_ByteArray_Create( + void *array, + PKIX_UInt32 length, + PKIX_PL_ByteArray **pByteArray, + void *plContext); + +/* + * FUNCTION: PKIX_PL_ByteArray_GetPointer + * DESCRIPTION: + * + * Allocates enough memory to hold the contents of the ByteArray pointed to + * by "byteArray", copies the data from the ByteArray pointed to by + * "byteArray" into the newly allocated memory, and stores a pointer to the + * memory at "pArray". Note that "pArray" is not reference counted. It will + * need to be freed with PKIX_PL_Free(). + * + * PARAMETERS: + * "byteArray" + * Address of ByteArray whose data is desired. Must be non-NULL. + * "pArray" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_ByteArray_GetPointer( + PKIX_PL_ByteArray *byteArray, + void **pArray, + void *plContext); + +/* + * FUNCTION: PKIX_PL_ByteArray_GetLength + * DESCRIPTION: + * + * Retrieves the length of the ByteArray pointed to by "byteArray" and stores + * the length at "pLength". + * + * PARAMETERS: + * "byteArray" + * Address of ByteArray whose length is desired. Must be non-NULL. + * "pLength" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_ByteArray_GetLength( + PKIX_PL_ByteArray *byteArray, + PKIX_UInt32 *pLength, + void *plContext); + +/* + * FUNCTION: PKIX_PL_OID_Create + * DESCRIPTION: + * + * Creates a new OID using NSS oid tag. + * + * PARAMETERS: + * "idtag" + * nss oid id tag. + * "pOID" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_OID_Create( + SECOidTag idtag, + PKIX_PL_OID **pOID, + void *plContext); + +/* + * FUNCTION: PKIX_PL_OID_CreateBySECItem + * DESCRIPTION: + * + * Creates a new OID using a DER encoded OID stored as SECItem. + * + * PARAMETERS: + * "derOid" + * Address of SECItem that holds DER encoded OID. + * "pOID" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_OID_CreateBySECItem( + SECItem *derOid, + PKIX_PL_OID **pOID, + void *plContext); + +/* + * FUNCTION: PKIX_PL_BigInt_Create + * DESCRIPTION: + * + * Creates a new BigInt using the source String pointed to by "stringRep" and + * stores it at "pBigInt". Valid source Strings consist of an even number of + * hexadecimal digits, which are always interpreted as a positive number. + * Once created, a BigInt is immutable. + * + * The regexp format is: + * HexDigit ::= [0-9] | [A-F] | [a-f] + * DoubleHex ::= HexDigit HexDigit + * BigIntSrc ::= (DoubleHex)+ + * + * Note that since we are using DoubleHex, the number of characters in the + * source MUST be even. Additionally, the first DoubleHex MUST NOT be "00" + * unless it is the only DoubleHex. + * + * Valid : "09" + * Valid : "00" (special case where first and only DoubleHex is "00") + * Invalid: "9" (not DoubleHex: odd number of characters) + * Invalid: "0009" (first DoubleHex is "00") + * + * XXX Why does this take a String object while OID_Create takes a char* ? + * Perhaps because OID_Create is often used with constant strings and + * this function isn't. That's a good reason, but we should explain it + * (if it's right) + * PARAMETERS: + * "stringRep" + * Address of String representing a BigInt. Must be non-NULL. + * "pBigInt" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a BigInt Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_BigInt_Create( + PKIX_PL_String *stringRep, + PKIX_PL_BigInt **pBigInt, + void *plContext); + +#ifdef __cplusplus +} +#endif + +/* + * FUNCTION: PKIX_PL_GetPLErrorCode + * DESCRIPTION: + * + * Returns error code from PL layer. + * + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * PL layer error code. + */ +int +PKIX_PL_GetPLErrorCode(); + +#endif /* _LIBPKIX_SYSTEM_H */ diff --git a/security/nss/lib/libpkix/include/pkix_results.h b/security/nss/lib/libpkix/include/pkix_results.h new file mode 100644 index 0000000000..bf4a381faa --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_results.h @@ -0,0 +1,425 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the results used + * by the top-level functions. + * + */ + +#ifndef _PKIX_RESULTS_H +#define _PKIX_RESULTS_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ +/* PKIX_ValidateResult + * + * PKIX_ValidateResult represents the result of a PKIX_ValidateChain call. It + * consists of the valid policy tree and public key resulting from validation, + * as well as the trust anchor used for this chain. Once created, a + * ValidateResult object is immutable. + */ + +/* + * FUNCTION: PKIX_ValidateResult_GetPolicyTree + * DESCRIPTION: + * + * Retrieves the PolicyNode component (representing the valid_policy_tree) + * from the ValidateResult object pointed to by "result" and stores it at + * "pPolicyTree". + * + * PARAMETERS: + * "result" + * Address of ValidateResult whose policy tree is to be stored. Must be + * non-NULL. + * "pPolicyTree" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateResult_GetPolicyTree( + PKIX_ValidateResult *result, + PKIX_PolicyNode **pPolicyTree, + void *plContext); + +/* + * FUNCTION: PKIX_ValidateResult_GetPublicKey + * DESCRIPTION: + * + * Retrieves the PublicKey component (representing the valid public_key) of + * the ValidateResult object pointed to by "result" and stores it at + * "pPublicKey". + * + * PARAMETERS: + * "result" + * Address of ValidateResult whose public key is to be stored. + * Must be non-NULL. + * "pPublicKey" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateResult_GetPublicKey( + PKIX_ValidateResult *result, + PKIX_PL_PublicKey **pPublicKey, + void *plContext); + +/* + * FUNCTION: PKIX_ValidateResult_GetTrustAnchor + * DESCRIPTION: + * + * Retrieves the TrustAnchor component (representing the trust anchor used + * during chain validation) of the ValidateResult object pointed to by + * "result" and stores it at "pTrustAnchor". + * + * PARAMETERS: + * "result" + * Address of ValidateResult whose trust anchor is to be stored. + * Must be non-NULL. + * "pTrustAnchor" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ValidateResult_GetTrustAnchor( + PKIX_ValidateResult *result, + PKIX_TrustAnchor **pTrustAnchor, + void *plContext); + +/* PKIX_BuildResult + * + * PKIX_BuildResult represents the result of a PKIX_BuildChain call. It + * consists of a ValidateResult object, as well as the built and validated + * CertChain. Once created, a BuildResult object is immutable. + */ + +/* + * FUNCTION: PKIX_BuildResult_GetValidateResult + * DESCRIPTION: + * + * Retrieves the ValidateResult component (representing the build's validate + * result) of the BuildResult object pointed to by "result" and stores it at + * "pResult". + * + * PARAMETERS: + * "result" + * Address of BuildResult whose ValidateResult component is to be stored. + * Must be non-NULL. + * "pResult" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_BuildResult_GetValidateResult( + PKIX_BuildResult *result, + PKIX_ValidateResult **pResult, + void *plContext); + +/* + * FUNCTION: PKIX_BuildResult_GetCertChain + * DESCRIPTION: + * + * Retrieves the List of Certs (certChain) component (representing the built + * and validated CertChain) of the BuildResult object pointed to by "result" + * and stores it at "pChain". + * + * PARAMETERS: + * "result" + * Address of BuildResult whose CertChain component is to be stored. + * Must be non-NULL. + * "pChain" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_BuildResult_GetCertChain( + PKIX_BuildResult *result, + PKIX_List **pChain, + void *plContext); + +/* PKIX_PolicyNode + * + * PKIX_PolicyNode represents a node in the policy tree returned in + * ValidateResult. The policy tree is the same length as the validated + * certificate chain and the nodes are associated with a particular depth + * (corresponding to a particular certificate in the chain). + * PKIX_ValidateResult_GetPolicyTree returns the root node of the valid policy + * tree. Other nodes can be accessed using the getChildren and getParents + * functions, and individual elements of a node can be accessed with the + * appropriate gettors. Once created, a PolicyNode is immutable. + */ + +/* + * FUNCTION: PKIX_PolicyNode_GetChildren + * DESCRIPTION: + * + * Retrieves the List of PolicyNodes representing the child nodes of the + * Policy Node pointed to by "node" and stores it at "pChildren". If "node" + * has no child nodes, this function stores an empty List at "pChildren". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose child nodes are to be stored. + * Must be non-NULL. + * "pChildren" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetChildren( + PKIX_PolicyNode *node, + PKIX_List **pChildren, /* list of PKIX_PolicyNode */ + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_GetParent + * DESCRIPTION: + * + * Retrieves the PolicyNode representing the parent node of the PolicyNode + * pointed to by "node" and stores it at "pParent". If "node" has no parent + * node, this function stores NULL at "pParent". + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose parent node is to be stored. + * Must be non-NULL. + * "pParent" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetParent( + PKIX_PolicyNode *node, + PKIX_PolicyNode **pParent, + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_GetValidPolicy + * DESCRIPTION: + * + * Retrieves the OID representing the valid policy of the PolicyNode pointed + * to by "node" and stores it at "pValidPolicy". + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose valid policy is to be stored. + * Must be non-NULL. + * "pValidPolicy" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetValidPolicy( + PKIX_PolicyNode *node, + PKIX_PL_OID **pValidPolicy, + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_GetPolicyQualifiers + * DESCRIPTION: + * + * Retrieves the List of CertPolicyQualifiers representing the policy + * qualifiers associated with the PolicyNode pointed to by "node" and stores + * it at "pQualifiers". If "node" has no policy qualifiers, this function + * stores an empty List at "pQualifiers". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose policy qualifiers are to be stored. + * Must be non-NULL. + * "pQualifiers" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetPolicyQualifiers( + PKIX_PolicyNode *node, + PKIX_List **pQualifiers, /* list of PKIX_PL_CertPolicyQualifier */ + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_GetExpectedPolicies + * DESCRIPTION: + * + * Retrieves the List of OIDs representing the expected policies associated + * with the PolicyNode pointed to by "node" and stores it at "pExpPolicies". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose expected policies are to be stored. + * Must be non-NULL. + * "pExpPolicies" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetExpectedPolicies( + PKIX_PolicyNode *node, + PKIX_List **pExpPolicies, /* list of PKIX_PL_OID */ + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_IsCritical + * DESCRIPTION: + * + * Checks the criticality field of the PolicyNode pointed to by "node" and + * stores the Boolean result at "pCritical". + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose criticality field is examined. + * Must be non-NULL. + * "pCritical" + * Address where Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_IsCritical( + PKIX_PolicyNode *node, + PKIX_Boolean *pCritical, + void *plContext); + +/* + * FUNCTION: PKIX_PolicyNode_GetDepth + * DESCRIPTION: + * + * Retrieves the depth component of the PolicyNode pointed to by "node" and + * stores it at "pDepth". + * + * PARAMETERS: + * "node" + * Address of PolicyNode whose depth component is to be stored. + * Must be non-NULL. + * "pDepth" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Result Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PolicyNode_GetDepth( + PKIX_PolicyNode *node, + PKIX_UInt32 *pDepth, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_RESULTS_H */ diff --git a/security/nss/lib/libpkix/include/pkix_revchecker.h b/security/nss/lib/libpkix/include/pkix_revchecker.h new file mode 100644 index 0000000000..a16d23a933 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_revchecker.h @@ -0,0 +1,215 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with the PKIX_RevocationChecker + * type. + * + */ + +#ifndef _PKIX_REVCHECKER_H +#define _PKIX_REVCHECKER_H + +#include "pkixt.h" +#include "pkix_pl_pki.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_RevocationChecker + * + * PKIX_RevocationChecker provides a standard way of revocation checking. + * Caller should configure two set of tests(represented at lists of + * RevocationMethod objects) to be performed on the leaf and on the rest of + * the chain certificates. + * + * PKIX_RevocationMethods provide a standard way for the caller to insert + * their own custom revocation checks to verify the revocation status of + * certificates. This may be useful in many scenarios, including when the + * caller wishes to use their own revocation checking mechanism instead of (or + * in addition to) the default revocation checking mechanism provided by + * libpkix, which uses CRLs and OCSP. + * + * Once the caller has created the RevocationMethod object(s), the caller + * then specifies the RevocationMethod object(s) in a RevocationCheck object + * and sets it into a ProcessingParams. + */ + +/* + * FUNCTION: PKIX_RevocationChecker_Create + * DESCRIPTION: + * + * Creates a revocation checker object with the given flags. Revocation will + * be checked at the current date. + * + * PARAMETERS: + * "leafMethodListFlags" + * Defines a set of method independent flags that will be used to check + * revocation of the leaf cert in the chain. + * "chainMethodListFlags" + * Defines a set of method independent flags that will be used to check + * revocation of the remaining certs in the chain. + * "pChecker" + * The return address of created checker. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a RevocationChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_RevocationChecker_Create( + PKIX_UInt32 leafMethodListFlags, + PKIX_UInt32 chainMethodListFlags, + PKIX_RevocationChecker **pChecker, + void *plContext); + +/* + * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod + * DESCRIPTION: + * + * Creates revocation method object with given parameters and adds it + * to revocation checker method list. + * + * PARAMETERS: + * "revChecker" + * Address of revocation checker structure. + * "procParams" + * Address of ProcessingParams used to initialize the checker. + * Must be non-NULL. + * "methodType" + * Type of the method. Currently only two types are + * supported: crl and ocsp. (See PKIX_RevocationMethodType enum). + * "methodFlags" + * Set of flags for the method. + * "methodPriority" + * Method priority. (0 corresponds to the highest priority) + * "verificationFn" + * User call back function that will perform validation of fetched + * revocation information(new crl or ocsp response) + * "isLeafMethod" + * Boolean flag that if set to true indicates that the method should + * should be used for leaf cert revocation test(false for chain set + * methods). + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a RevocationChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_RevocationChecker_CreateAndAddMethod( + PKIX_RevocationChecker *revChecker, + PKIX_ProcessingParams *params, + PKIX_RevocationMethodType methodType, + PKIX_UInt32 methodFlags, + PKIX_UInt32 methodPriority, + PKIX_PL_VerifyCallback verificationFn, + PKIX_Boolean isLeafMethod, + void *plContext); + +/* + * FUNCTION: PKIX_RevocationChecker_Check + * DESCRIPTION: + * + * Verifies revocation status of the certificate. Issuer cert is given to + * be used in verification of revocation information. Performed verification + * check depends on configured revocation methods(ocsp, crl. See + * PKIX_RevocationChecker_CreateAndAddMethod function) and a point of chain + * building process at which PKIX_RevocationChecker_Check was invoked. + * For security reasons, the cert status is checked only against cached + * revocation information during chain building stage(no trust anchor yes has + * been found). The fresh revocation information fetching is done only at chain + * verification stage after trust anchor was identified. + * + * PARAMETERS: + * "cert" + * Address of Cert whose revocation status is to be determined. + * Must be non-NULL. + * "issuer" + * Issuer cert that potentially holds public key that will be used + * to verify revocation info. + * "revChecker" + * Address of revocation checker structure. + * "procParams" + * Address of ProcessingParams used to initialize the checker. + * Must be non-NULL. + * "chainVerificationState" + * Need to be set to true, if the check was called during chain verification + * as an opposite to chain building. + * "testingLeafCert" + * Set to true if verifying revocation status of a leaf cert. + * "revStatus" + * Address of the returned revocation status of the cert. + * "pResultCode" + * Address where revocation status will be stored. Must be non-NULL. + * "pNBIOContext" + * Address at which platform-dependent non-blocking I/O context is stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a RevocationChecker Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_RevocationChecker_Check(PKIX_PL_Cert *cert, + PKIX_PL_Cert *issuer, + PKIX_RevocationChecker *revChecker, + PKIX_ProcessingParams *procParams, + PKIX_Boolean chainVerificationState, + PKIX_Boolean testingLeafCert, + PKIX_RevocationStatus *revStatus, + PKIX_UInt32 *pReasonCode, + void **pNbioContext, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_REVCHECKER_H */ diff --git a/security/nss/lib/libpkix/include/pkix_sample_modules.h b/security/nss/lib/libpkix/include/pkix_sample_modules.h new file mode 100644 index 0000000000..75d9618c57 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_sample_modules.h @@ -0,0 +1,420 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines functions associated with CertStore types. + * + */ + + +#ifndef _PKIX_SAMPLEMODULES_H +#define _PKIX_SAMPLEMODULES_H + +#include "pkix_pl_common.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_PL_CollectionCertStore + * + * A PKIX_CollectionCertStore provides an example for showing how to retrieve + * certificates and CRLs from a repository, such as a directory in the system. + * It is expected the directory is an absolute directory which contains CRL + * and Cert data files. CRL files are expected to have the suffix of .crl + * and Cert files are expected to have the suffix of .crt . + * + * Once the caller has created the CollectionCertStoreContext object, the caller + * then can call pkix_pl_CollectionCertStore_GetCert or + * pkix_pl_CollectionCertStore_GetCRL to obtain Lists of PKIX_PL_Cert or + * PKIX_PL_CRL objects, respectively. + */ + +/* + * FUNCTION: PKIX_PL_CollectionCertStore_Create + * DESCRIPTION: + * + * Creates a new CollectionCertStore and returns it at + * "pColCertStore". + * + * PARAMETERS: + * "storeDir" + * The absolute path where *.crl files are located. + * "pColCertStoreContext" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CollectionCertStoreContext Error if the function fails in + * a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_CollectionCertStore_Create( + PKIX_PL_String *storeDir, + PKIX_CertStore **pCertStore, + void *plContext); + +/* PKIX_PL_PK11CertStore + * + * A PKIX_PL_PK11CertStore retrieves certificates and CRLs from a PKCS11 + * database. The directory that contains the cert8.db, key3.db, and secmod.db + * files that comprise a PKCS11 database are specified in NSS initialization. + * + * Once the caller has created the Pk11CertStore object, the caller can call + * pkix_pl_Pk11CertStore_GetCert or pkix_pl_Pk11CertStore_GetCert to obtain + * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively. + */ + +/* + * FUNCTION: PKIX_PL_Pk11CertStore_Create + * DESCRIPTION: + * + * Creates a new Pk11CertStore and returns it at "pPk11CertStore". + * + * PARAMETERS: + * "pPk11CertStore" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_Pk11CertStore_Create( + PKIX_CertStore **pPk11CertStore, + void *plContext); + +#ifndef NSS_PKIX_NO_LDAP +/* PKIX_PL_LdapCertStore + * + * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server + * over a socket connection. It used the LDAP protocol as described in RFC1777. + * + * Once the caller has created the LdapCertStore object, the caller can call + * pkix_pl_LdapCertStore_GetCert or pkix_pl_LdapCertStore_GetCert to obtain + * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively. + */ + +/* + * FUNCTION: PKIX_PL_LdapDefaultClient_Create + * DESCRIPTION: + * + * Creates an LdapDefaultClient using the PRNetAddr poined to by "sockaddr", + * with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI"; + * and stores the address of the default LdapClient at "pClient". + * + * At the time of this version, there are unresolved questions about the LDAP + * protocol. Although RFC1777 describes a BIND and UNBIND message, it is not + * clear whether they are appropriate to this application. We have tested only + * using servers that do not expect authentication, and that reject BIND + * messages. It is not clear what values might be appropriate for the bindname + * and authentication fields, which are currently implemented as char strings + * supplied by the caller. (If this changes, the API and possibly the templates + * will have to change.) Therefore the Client_Create API contains a BindAPI + * structure, a union, which will have to be revised and extended when this + * area of the protocol is better understood. + * + * PARAMETERS: + * "sockaddr" + * Address of the PRNetAddr to be used for the socket connection. Must be + * non-NULL. + * "timeout" + * The PRIntervalTime value to be used as a timeout value in socket calls; + * a zero value indicates non-blocking I/O is to be used. + * "bindAPI" + * The address of a BindAPI to be used if a BIND message is required. If + * this argument is NULL, no Bind (or Unbind) will be sent. + * "pClient" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_LdapDefaultClient_Create( + PRNetAddr *sockaddr, + PRIntervalTime timeout, + LDAPBindAPI *bindAPI, + PKIX_PL_LdapDefaultClient **pClient, + void *plContext); + +/* + * FUNCTION: PKIX_PL_LdapDefaultClient_CreateByName + * DESCRIPTION: + * + * Creates an LdapDefaultClient using the hostname poined to by "hostname", + * with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI"; + * and stores the address of the default LdapClient at "pClient". + * + * At the time of this version, there are unresolved questions about the LDAP + * protocol. Although RFC1777 describes a BIND and UNBIND message, it is not + * clear whether they are appropriate to this application. We have tested only + * using servers that do not expect authentication, and that reject BIND + * messages. It is not clear what values might be appropriate for the bindname + * and authentication fields, which are currently implemented as char strings + * supplied by the caller. (If this changes, the API and possibly the templates + * will have to change.) Therefore the Client_Create API contains a BindAPI + * structure, a union, which will have to be revised and extended when this + * area of the protocol is better understood. + * + * PARAMETERS: + * "hostname" + * Address of the hostname to be used for the socket connection. Must be + * non-NULL. + * "timeout" + * The PRIntervalTime value to be used as a timeout value in socket calls; + * a zero value indicates non-blocking I/O is to be used. + * "bindAPI" + * The address of a BindAPI to be used if a BIND message is required. If + * this argument is NULL, no Bind (or Unbind) will be sent. + * "pClient" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_LdapDefaultClient_CreateByName( + char *hostname, + PRIntervalTime timeout, + LDAPBindAPI *bindAPI, + PKIX_PL_LdapDefaultClient **pClient, + void *plContext); + +/* + * FUNCTION: PKIX_PL_LdapCertStore_Create + * DESCRIPTION: + * + * Creates a new LdapCertStore using the LdapClient pointed to by "client", + * and stores the address of the CertStore at "pCertStore". + * + * PARAMETERS: + * "client" + * Address of the LdapClient to be used. Must be non-NULL. + * "pCertStore" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertStore Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_LdapCertStore_Create( + PKIX_PL_LdapClient *client, + PKIX_CertStore **pCertStore, + void *plContext); +#endif /* !NSS_PKIX_NO_LDAP */ + +/* PKIX_PL_NssContext + * + * A PKIX_PL_NssContext provides an example showing how the "plContext" + * argument, that is part of every libpkix function call, can be used. + * The "plContext" is the Portability Layer Context, which can be used + * to communicate layer-specific information from the application to the + * underlying Portability Layer (while bypassing the Portable Code, which + * blindly passes the plContext on to every function call). + * + * In this case, NSS serves as both the application and the Portability Layer. + * We define an NSS-specific structure, which includes an arena and a number + * of SECCertificateUsage bit flags encoded as a PKIX_UInt32. A third argument, + * wincx, is used on Windows platforms for PKCS11 access, and should be set to + * NULL for other platforms. + * Before calling any of the libpkix functions, the caller should create the NSS + * context, by calling PKIX_PL_NssContext_Create, and provide that NSS context + * as the "plContext" argument in every libpkix function call the caller makes. + * When the caller is finished using the NSS context (usually just after he + * calls PKIX_Shutdown), the caller should call PKIX_PL_NssContext_Destroy to + * free the NSS context structure. + */ + +/* + * FUNCTION: PKIX_PL_NssContext_Create + * DESCRIPTION: + * + * Creates a new NssContext using the certificate usage(s) specified by + * "certUsage" and stores it at "pNssContext". This function also internally + * creates an arena and stores it as part of the NssContext structure. Unlike + * most other libpkix API functions, this function does not take a "plContext" + * parameter. + * + * PARAMETERS: + * "certUsage" + * The desired SECCertificateUsage(s). + * "useNssArena" + * Boolean flag indicates NSS Arena is used for memory allocation. + * "wincx" + * A Windows-dependent pointer for PKCS11 token handling. + * "pNssContext" + * Address where object pointer will be stored. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_Create( + PKIX_UInt32 certificateUsage, + PKIX_Boolean useNssArena, + void *wincx, + void **pNssContext); + +/* + * FUNCTION: PKIX_PL_NssContext_Destroy + * DESCRIPTION: + * + * Frees the structure pointed to by "nssContext" along with any of its + * associated memory. Unlike most other libpkix API functions, this function + * does not take a "plContext" parameter. + * + * PARAMETERS: + * "nssContext" + * Address of NssContext to be destroyed. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_Destroy( + void *nssContext); + +/* + * FUNCTION: PKIX_PL_NssContext_SetTimeout + * DESCRIPTION: + * + * Sets IO timeout for network operations like OCSP response and cert + * fetching. + * + * PARAMETERS: + * "nssContext" + * Address of NssContext to be destroyed. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_SetTimeout(PKIX_UInt32 timeout, PKIX_PL_NssContext *nssContext); + +/* + * FUNCTION: PKIX_PL_NssContext_SetMaxResponseLen + * DESCRIPTION: + * + * Sets maximum responce length allowed during network IO operations. + * + * PARAMETERS: + * "nssContext" + * Address of NssContext to be destroyed. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_SetMaxResponseLen(PKIX_UInt32 len, PKIX_PL_NssContext *nssContext); + +/* + * FUNCTION: PKIX_PL_NssContext_SetCrlReloadDelay + * DESCRIPTION: + * + * Sets user defined timeout between attempts to load crl using + * CRLDP. + * + * PARAMETERS: + * "delaySeconds" + * Reload delay in seconds. + * "nssContext" + * Address of NssContext to be destroyed. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_SetCrlReloadDelay(PKIX_UInt32 delaySeconds, + PKIX_PL_NssContext *nssContext); + +/* + * FUNCTION: PKIX_PL_NssContext_SetBadDerCrlReloadDelay + * DESCRIPTION: + * + * Sets user defined timeout between attempts to load crls + * that failed to decode. + * + * PARAMETERS: + * "delaySeconds" + * Reload delay in seconds. + * "nssContext" + * Address of NssContext to be destroyed. Must be non-NULL. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Context Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_NssContext_SetBadDerCrlReloadDelay(PKIX_UInt32 delaySeconds, + PKIX_PL_NssContext *nssContext); +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_SAMPLEMODULES_H */ diff --git a/security/nss/lib/libpkix/include/pkix_util.h b/security/nss/lib/libpkix/include/pkix_util.h new file mode 100644 index 0000000000..e42f608c17 --- /dev/null +++ b/security/nss/lib/libpkix/include/pkix_util.h @@ -0,0 +1,941 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * These functions provide support for a number of other functions + * by creating and manipulating data structures used by those functions. + * + */ + +#ifndef _PKIX_UTIL_H +#define _PKIX_UTIL_H + +#include "pkixt.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* General + * + * Please refer to the libpkix Programmer's Guide for detailed information + * about how to use the libpkix library. Certain key warnings and notices from + * that document are repeated here for emphasis. + * + * All identifiers in this file (and all public identifiers defined in + * libpkix) begin with "PKIX_". Private identifiers only intended for use + * within the library begin with "pkix_". + * + * A function returns NULL upon success, and a PKIX_Error pointer upon failure. + * + * Unless otherwise noted, for all accessor (gettor) functions that return a + * PKIX_PL_Object pointer, callers should assume that this pointer refers to a + * shared object. Therefore, the caller should treat this shared object as + * read-only and should not modify this shared object. When done using the + * shared object, the caller should release the reference to the object by + * using the PKIX_PL_Object_DecRef function. + * + * While a function is executing, if its arguments (or anything referred to by + * its arguments) are modified, free'd, or destroyed, the function's behavior + * is undefined. + * + */ + +/* PKIX_Logger + * + * PKIX_Loggers provide a standard way for the caller to insert custom logging + * facilities. These are used by libpkix to log errors, debug information, + * status, etc. The LogCallback allows custom logging to take place. + * Additionally, a Logger can be initialized with a loggerContext, which is + * where the caller can specify configuration data such as the name of a + * logfile or database. Note that this loggerContext must be a PKIX_PL_Object, + * allowing it to be reference-counted and allowing it to provide the standard + * PKIX_PL_Object functions (Equals, Hashcode, ToString, Compare, Duplicate). + * + * Once the caller has created the Logger object(s) (and set the loggerContext + * (if any) and the Log callback), the caller then registers these Loggers + * with the system by calling PKIX_SetLoggers or PKIX_AddLogger. All log + * entries will then be logged using the specified Loggers. If multiple + * Loggers are specified, every log entry will be logged with each of them. + * + * XXX Maybe give some guidance somewhere on how much detail each logging + * level should have and where component boundaries should be. Maybe in + * Implementor's Guide or Programmer's Guide. + */ + +#define PKIX_LOGGER_LEVEL_TRACE 5 +#define PKIX_LOGGER_LEVEL_DEBUG 4 +#define PKIX_LOGGER_LEVEL_WARNING 3 +#define PKIX_LOGGER_LEVEL_ERROR 2 +#define PKIX_LOGGER_LEVEL_FATALERROR 1 + +#define PKIX_LOGGER_LEVEL_MAX 5 + +/* + * FUNCTION: PKIX_Logger_LogCallback + * DESCRIPTION: + * + * This callback function logs a log entry containing the String pointed to + * by "message", the integer value of logLevel, and the String pointed to by + * "logComponent". A log entry can be associated with a particular log + * level (i.e. level 3) and a particular log component (i.e. "CertStore"). + * For example, someone reading the log may only be interested in very general + * log entries so they look only for log level 1. Similarly, they may only be + * interested in log entries pertaining to the CertStore component so they + * look only for that log component. This function can be used before calling + * PKIX_Initialize. + * + * PARAMETERS: + * "logger" + * Address of logger whose LogCallback is to be used. Must be non-NULL. + * "message" + * Address of String that is to be logged used "logger". Must be non-NULL. + * "logLevel" + * Integer value representing the log level for this entry. The higher the + * level, the more detail. Must be non-NULL. + * "logComponent" + * PKIXERRORNUM value (defined in pkixt.h) designating the log component + * for this entry. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads must be able to safely call this function without + * worrying about conflicts, even if they're operating on the same objects. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +typedef PKIX_Error * +(*PKIX_Logger_LogCallback)( + PKIX_Logger *logger, + PKIX_PL_String *message, + PKIX_UInt32 logLevel, + PKIX_ERRORCLASS logComponent, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_Create + * DESCRIPTION: + * + * Creates a new Logger using the Object pointed to by "loggerContext" + * (if any) and stores it at "pLogger". The new Logger uses the LogCallback + * pointed to by "callback". The Logger's maximum logging level is initially + * set to a very high level and its logging component is set to NULL (all + * components). + * + * PARAMETERS: + * "callback" + * The LogCallback function to be used. Must be non-NULL. + * "loggerContext" + * Address of Object representing the Logger's context (if any). + * "pLogger" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_Create( + PKIX_Logger_LogCallback callback, + PKIX_PL_Object *loggerContext, + PKIX_Logger **pLogger, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_GetLogCallback + * DESCRIPTION: + * + * Retrieves a pointer to "logger's" Log callback function and puts it in + * "pCallback". + * + * PARAMETERS: + * "logger" + * Address of Logger whose Log callback is desired. Must be non-NULL. + * "pCallback" + * Address where Log callback function pointer will be stored. + * Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_GetLogCallback( + PKIX_Logger *logger, + PKIX_Logger_LogCallback *pCallback, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_GetLoggerContext + * DESCRIPTION: + * + * Retrieves a pointer to a PKIX_PL_Object representing the context (if any) + * of the Logger pointed to by "logger" and stores it at "pLoggerContext". + * + * PARAMETERS: + * "logger" + * Address of Logger whose context is to be stored. Must be non-NULL. + * "pLoggerContext" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_GetLoggerContext( + PKIX_Logger *logger, + PKIX_PL_Object **pLoggerContext, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_GetMaxLoggingLevel + * DESCRIPTION: + * + * Retrieves a pointer to a PKIX_UInt32 representing the maximum logging + * level of the Logger pointed to by "logger" and stores it at "pLevel". Only + * log entries whose log level is less than or equal to this maximum logging + * level will be logged. + * + * PARAMETERS: + * "logger" + * Address of Logger whose maximum logging level is to be stored. + * Must be non-NULL. + * "pLevel" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_GetMaxLoggingLevel( + PKIX_Logger *logger, + PKIX_UInt32 *pLevel, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_SetMaxLoggingLevel + * DESCRIPTION: + * + * Sets the maximum logging level of the Logger pointed to by "logger" with + * the integer value of "level". + * + * PARAMETERS: + * "logger" + * Address of Logger whose maximum logging level is to be set. + * Must be non-NULL. + * "level" + * Maximum logging level to be set + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "logger" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_SetMaxLoggingLevel( + PKIX_Logger *logger, + PKIX_UInt32 level, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_GetLoggingComponent + * DESCRIPTION: + * + * Retrieves a pointer to a String representing the logging component of the + * Logger pointed to by "logger" and stores it at "pComponent". Only log + * entries whose log component matches the specified logging component will + * be logged. + * + * PARAMETERS: + * "logger" + * Address of Logger whose logging component is to be stored. + * Must be non-NULL. + * "pComponent" + * Address where PKIXERRORNUM will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_GetLoggingComponent( + PKIX_Logger *logger, + PKIX_ERRORCLASS *pComponent, + void *plContext); + +/* + * FUNCTION: PKIX_Logger_SetLoggingComponent + * DESCRIPTION: + * + * Sets the logging component of the Logger pointed to by "logger" with the + * PKIXERRORNUM pointed to by "component". To match a small set of components, + * create a Logger for each. + * + * PARAMETERS: + * "logger" + * Address of Logger whose logging component is to be set. + * Must be non-NULL. + * "component" + * PKIXERRORNUM value representing logging component to be set. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "logger" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Logger_SetLoggingComponent( + PKIX_Logger *logger, + PKIX_ERRORCLASS component, + void *plContext); + +/* + * FUNCTION: PKIX_GetLoggers + * DESCRIPTION: + * + * Retrieves a pointer to the List of Loggers (if any) being used for logging + * by libpkix and stores it at "pLoggers". If no loggers are being used, this + * function stores an empty List at "pLoggers". + * + * Note that the List returned by this function is immutable. + * + * PARAMETERS: + * "pLoggers" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_GetLoggers( + PKIX_List **pLoggers, /* list of PKIX_Logger */ + void *plContext); + +/* + * FUNCTION: PKIX_SetLoggers + * DESCRIPTION: + * + * Sets the Loggers to be used by libpkix to the List of Loggers pointed to + * by "loggers". If "loggers" is NULL, no Loggers will be used. + * + * PARAMETERS: + * "loggers" + * Address of List of Loggers to be set. NULL for no Loggers. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_SetLoggers( + PKIX_List *loggers, /* list of PKIX_Logger */ + void *plContext); + +/* + * FUNCTION: PKIX_AddLogger + * DESCRIPTION: + * + * Adds the Logger pointed to by "logger" to the List of Loggers used by + * libpkix. + * + * PARAMETERS: + * "logger" + * Address of Logger to be added. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Logger Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_AddLogger( + PKIX_Logger *logger, + void *plContext); + +/* Functions pertaining to the PKIX_Error type */ + +/* Error + * + * An Error object is returned by a function upon encountering some error + * condition. Each Error is associated with an errorCode specified in pkixt.h. + * The remaining components of an Error are optional. An Error's description + * specifies a text message describing the Error. An Error's supplementary info + * specifies additional information that might be useful. Finally, an Error's + * cause specifies the underlying Error (if any) that resulted in this Error + * being returned, thereby allowing Errors to be chained so that an entire + * "error stack trace" can be represented. Once created, an Error is immutable. + * + * Note that the Error's supplementary info must be an Object (although any + * object type), allowing it to be reference-counted and allowing it to + * provide the standard Object functions (Equals, Hashcode, ToString, Compare, + * Duplicate). + * + * Errors are classified as either being fatal or non-fatal. If a function + * fails in an unrecoverable way, it returns an Error whose errorCode is + * PKIX_FATAL_ERROR. If such an error is encountered, the caller should + * not attempt to recover since something seriously wrong has happened + * (e.g. corrupted memory, memory finished, etc.). All other errorCodes + * are considered non-fatal errors and can be handled by the caller as they + * see fit. + */ + +/* + * FUNCTION: PKIX_Error_Create + * DESCRIPTION: + * + * Creates a new Error using the value of "errorCode", the Error pointed to by + * "cause" (if any), the Object pointed to by "info" (if any), and the String + * pointed to by "desc" and stores it at "pError". If any error occurs during + * error allocation, it will be returned without chaining, since new errors + * cannot be created. Once created, an Error is immutable. + * + * PARAMETERS: + * "errorCode" + * Value of error code. + * "cause" + * Address of Error representing error's cause. + * NULL if none or unspecified. + * "info" + * Address of Object representing error's supplementary information. + * NULL if none. + * "desc" + * Address of String representing error's description. NULL if none. + * "pError" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_Create( + PKIX_ERRORCLASS errClass, + PKIX_Error *cause, + PKIX_PL_Object *info, + PKIX_ERRORCODE errCode, + PKIX_Error **pError, + void *plContext); + +/* + * FUNCTION: PKIX_Error_GetErrorClass + * DESCRIPTION: + * + * Retrieves the error class of the Error pointed to by "error" and + * stores it at "pClass". Supported error codes are defined in pkixt.h. + * + * PARAMETERS: + * "error" + * Address of Error whose error code is desired. Must be non-NULL. + * "pClass" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_GetErrorClass( + PKIX_Error *error, + PKIX_ERRORCLASS *pClass, + void *plContext); + +/* + * FUNCTION: PKIX_Error_GetErrorCode + * DESCRIPTION: + * + * Retrieves the error code of the Error pointed to by "error" and + * stores it at "pCode". Supported error codes are defined in pkixt.h. + * + * PARAMETERS: + * "error" + * Address of Error whose error code is desired. Must be non-NULL. + * "pCode" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_GetErrorCode( + PKIX_Error *error, + PKIX_ERRORCODE *pCode, + void *plContext); + +/* + * FUNCTION: PKIX_Error_GetCause + * DESCRIPTION: + * + * Retrieves the cause of the Error pointed to by "error" and stores it at + * "pCause". If no cause was specified, NULL will be stored at "pCause". + * + * PARAMETERS: + * "error" + * Address of Error whose cause is desired. Must be non-NULL. + * "pCause" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_GetCause( + PKIX_Error *error, + PKIX_Error **pCause, + void *plContext); + +/* + * FUNCTION: PKIX_Error_GetSupplementaryInfo + * DESCRIPTION: + * + * Retrieves the supplementary info of the Error pointed to by "error" and + * stores it at "pInfo". + * + * PARAMETERS: + * "error" + * Address of Error whose info is desired. Must be non-NULL. + * "pInfo" + * Address where info pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_GetSupplementaryInfo( + PKIX_Error *error, + PKIX_PL_Object **pInfo, + void *plContext); + +/* + * FUNCTION: PKIX_Error_GetDescription + * DESCRIPTION: + * + * Retrieves the description of the Error pointed to by "error" and stores it + * at "pDesc". If no description was specified, NULL will be stored at + * "pDesc". + * + * PARAMETERS: + * "error" + * Address of Error whose description is desired. Must be non-NULL. + * "pDesc" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an Error Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_Error_GetDescription( + PKIX_Error *error, + PKIX_PL_String **pDesc, + void *plContext); + +/* PKIX_List + * + * Represents a collection of items. NULL is considered a valid item. + */ + +/* + * FUNCTION: PKIX_List_Create + * DESCRIPTION: + * + * Creates a new List and stores it at "pList". The List is initially empty + * and holds no items. To initially add items to the List, use + * PKIX_List_AppendItem + * + * PARAMETERS: + * "pList" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_Create( + PKIX_List **pList, + void *plContext); + +/* + * FUNCTION: PKIX_List_SetImmutable + * DESCRIPTION: + * + * Sets the List pointed to by "list" to be immutable. If a caller tries to + * change a List after it has been marked immutable (i.e. by calling + * PKIX_List_AppendItem, PKIX_List_InsertItem, PKIX_List_SetItem, or + * PKIX_List_DeleteItem), an Error is returned. + * + * PARAMETERS: + * "list" + * Address of List to be marked immutable. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "list" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_SetImmutable( + PKIX_List *list, + void *plContext); + +/* + * FUNCTION: PKIX_List_IsImmutable + * DESCRIPTION: + * + * Checks whether the List pointed to by "list" is immutable and stores + * the Boolean result at "pImmutable". If a caller tries to change a List + * after it has been marked immutable (i.e. by calling PKIX_List_AppendItem, + * PKIX_List_InsertItem, PKIX_List_SetItem, or PKIX_List_DeleteItem), an + * Error is returned. + * + * PARAMETERS: + * "list" + * Address of List whose immutability is to be determined. + * Must be non-NULL. + * "pImmutable" + * Address where PKIX_Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_IsImmutable( + PKIX_List *list, + PKIX_Boolean *pImmutable, + void *plContext); + +/* + * FUNCTION: PKIX_List_GetLength + * DESCRIPTION: + * + * Retrieves the length of the List pointed to by "list" and stores it at + * "pLength". + * + * PARAMETERS: + * "list" + * Address of List whose length is desired. Must be non-NULL. + * "pLength" + * Address where PKIX_UInt32 will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_GetLength( + PKIX_List *list, + PKIX_UInt32 *pLength, + void *plContext); + +/* + * FUNCTION: PKIX_List_IsEmpty + * DESCRIPTION: + * + * Checks whether the List pointed to by "list" is empty and stores + * the Boolean result at "pEmpty". + * + * PARAMETERS: + * "list" + * Address of List whose emptiness is to be determined. Must be non-NULL. + * "pEmpty" + * Address where PKIX_Boolean will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_IsEmpty( + PKIX_List *list, + PKIX_Boolean *pEmpty, + void *plContext); + +/* + * FUNCTION: PKIX_List_AppendItem + * DESCRIPTION: + * + * Appends the Object pointed to by "item" after the last non-NULL item in + * List pointed to by "list", if any. Note that a List may validly contain + * NULL items. Appending "c" into the List ("a", NULL, "b", NULL) will result + * in ("a", NULL, "b", "c"). + * + * PARAMETERS: + * "list" + * Address of List to append to. Must be non-NULL. + * "item" + * Address of new item to append. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "list" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_AppendItem( + PKIX_List *list, + PKIX_PL_Object *item, + void *plContext); + +/* + * FUNCTION: PKIX_List_InsertItem + * DESCRIPTION: + * + * Inserts the Object pointed to by "item" into the List pointed to by "list" + * at the given "index". The index counts from zero and must be less than the + * List's length. Existing list entries at or after this index will be moved + * to the next highest index. + * + * XXX why not allow equal to length which would be equivalent to AppendItem? + * + * PARAMETERS: + * "list" + * Address of List to insert into. Must be non-NULL. + * "index" + * Position to insert into. Must be less than List's length. + * "item" + * Address of new item to append. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "list" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_InsertItem( + PKIX_List *list, + PKIX_UInt32 index, + PKIX_PL_Object *item, + void *plContext); + +/* + * FUNCTION: PKIX_List_GetItem + * DESCRIPTION: + * + * Copies the "list"'s item at "index" into "pItem". The index counts from + * zero and must be less than the list's length. Increments the reference + * count on the returned object, if non-NULL. + * + * PARAMETERS: + * "list" + * Address of List to get item from. Must be non-NULL. + * "index" + * Index of list to get item from. Must be less than List's length. + * "pItem" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_GetItem( + PKIX_List *list, + PKIX_UInt32 index, + PKIX_PL_Object **pItem, + void *plContext); + +/* + * FUNCTION: PKIX_List_SetItem + * DESCRIPTION: + * + * Sets the item at "index" of the List pointed to by "list" with the Object + * pointed to by "item". The index counts from zero and must be less than the + * List's length. The previous entry at this index will have its reference + * count decremented and the new entry will have its reference count + * incremented. + * + * PARAMETERS: + * "list" + * Address of List to modify. Must be non-NULL. + * "index" + * Position in List to set. Must be less than List's length. + * "item" + * Address of Object to set at "index". + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "list" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_SetItem( + PKIX_List *list, + PKIX_UInt32 index, + PKIX_PL_Object *item, + void *plContext); + +/* + * FUNCTION: PKIX_List_DeleteItem + * + * Deletes the item at "index" from the List pointed to by "list". The index + * counts from zero and must be less than the List's length. Note that this + * function does not destroy the List. It simply decrements the reference + * count of the item at "index" in the List, deletes that item from the list + * and moves all subsequent entries to a lower index in the list. If there is + * only a single element in the List and that element is deleted, then the + * List will be empty. + * + * PARAMETERS: + * "list" + * Address of List to delete from. Must be non-NULL. + * "index" + * Position in List to delete. Must be less than List's length. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "list" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_DeleteItem( + PKIX_List *list, + PKIX_UInt32 index, + void *plContext); + +/* + * FUNCTION: PKIX_List_ReverseList + * DESCRIPTION: + * + * Creates a new List whose elements are in the reverse order as the elements + * of the Object pointed to by "list" and stores the copy at "pReversedList". + * If "list" is empty, the new reversed List will be a copy of "list". + * Changes to the new object will not affect the original and vice versa. + * + * PARAMETERS: + * "list" + * Address of List whose elements are to be reversed. Must be non-NULL. + * "pReversedList" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_List_ReverseList( + PKIX_List *list, + PKIX_List **pReversedList, + void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_UTIL_H */ diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h new file mode 100644 index 0000000000..71997f700b --- /dev/null +++ b/security/nss/lib/libpkix/include/pkixt.h @@ -0,0 +1,485 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file defines the types in the libpkix API. + * XXX Maybe we should specify the API version number in all API header files + * + */ + +#ifndef _PKIXT_H +#define _PKIXT_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include "secerr.h" + +/* Types + * + * This header file provides typedefs for the abstract types used by libpkix. + * It also provides several useful macros. + * + * Note that all these abstract types are typedef'd as opaque structures. This + * is intended to discourage the caller from looking at the contents directly, + * since the format of the contents may change from one version of the library + * to the next. Instead, callers should only access these types using the + * functions defined in the public header files. + * + * An instance of an abstract type defined in this file is called an "object" + * here, although C does not have real support for objects. + * + * Because C does not typically have automatic garbage collection, the caller + * is expected to release the reference to any object that they create or that + * is returned to them by a libpkix function. The caller should do this by + * using the PKIX_PL_Object_DecRef function. Note that the caller should not + * release the reference to an object if the object has been passed to a + * libpkix function and that function has not returned. + * + * Please refer to libpkix Programmer's Guide for more details. + */ + +/* Version + * + * These macros specify the major and minor version of the libpkix API defined + * by this header file. + */ + +#define PKIX_MAJOR_VERSION ((PKIX_UInt32) 0) +#define PKIX_MINOR_VERSION ((PKIX_UInt32) 3) + +/* Maximum minor version + * + * This macro is used to specify that the caller wants the largest minor + * version available. + */ + +#define PKIX_MAX_MINOR_VERSION ((PKIX_UInt32) 4000000000) + +/* Define Cert Store type for database access */ +#define PKIX_STORE_TYPE_NONE 0 +#define PKIX_STORE_TYPE_PK11 1 + +/* Portable Code (PC) data types + * + * These types are used to perform the primary operations of this library: + * building and validating chains of X.509 certificates. + */ + +typedef struct PKIX_ErrorStruct PKIX_Error; +typedef struct PKIX_ProcessingParamsStruct PKIX_ProcessingParams; +typedef struct PKIX_ValidateParamsStruct PKIX_ValidateParams; +typedef struct PKIX_ValidateResultStruct PKIX_ValidateResult; +typedef struct PKIX_ResourceLimitsStruct PKIX_ResourceLimits; +typedef struct PKIX_BuildResultStruct PKIX_BuildResult; +typedef struct PKIX_CertStoreStruct PKIX_CertStore; +typedef struct PKIX_CertChainCheckerStruct PKIX_CertChainChecker; +typedef struct PKIX_RevocationCheckerStruct PKIX_RevocationChecker; +typedef struct PKIX_CertSelectorStruct PKIX_CertSelector; +typedef struct PKIX_CRLSelectorStruct PKIX_CRLSelector; +typedef struct PKIX_ComCertSelParamsStruct PKIX_ComCertSelParams; +typedef struct PKIX_ComCRLSelParamsStruct PKIX_ComCRLSelParams; +typedef struct PKIX_TrustAnchorStruct PKIX_TrustAnchor; +typedef struct PKIX_PolicyNodeStruct PKIX_PolicyNode; +typedef struct PKIX_LoggerStruct PKIX_Logger; +typedef struct PKIX_ListStruct PKIX_List; +typedef struct PKIX_ForwardBuilderStateStruct PKIX_ForwardBuilderState; +typedef struct PKIX_DefaultRevocationCheckerStruct + PKIX_DefaultRevocationChecker; +typedef struct PKIX_VerifyNodeStruct PKIX_VerifyNode; + +/* Portability Layer (PL) data types + * + * These types are used are used as portable data types that are defined + * consistently across platforms + */ + +typedef struct PKIX_PL_NssContextStruct PKIX_PL_NssContext; +typedef struct PKIX_PL_ObjectStruct PKIX_PL_Object; +typedef struct PKIX_PL_ByteArrayStruct PKIX_PL_ByteArray; +typedef struct PKIX_PL_HashTableStruct PKIX_PL_HashTable; +typedef struct PKIX_PL_MutexStruct PKIX_PL_Mutex; +typedef struct PKIX_PL_RWLockStruct PKIX_PL_RWLock; +typedef struct PKIX_PL_MonitorLockStruct PKIX_PL_MonitorLock; +typedef struct PKIX_PL_BigIntStruct PKIX_PL_BigInt; +typedef struct PKIX_PL_StringStruct PKIX_PL_String; +typedef struct PKIX_PL_OIDStruct PKIX_PL_OID; +typedef struct PKIX_PL_CertStruct PKIX_PL_Cert; +typedef struct PKIX_PL_GeneralNameStruct PKIX_PL_GeneralName; +typedef struct PKIX_PL_X500NameStruct PKIX_PL_X500Name; +typedef struct PKIX_PL_PublicKeyStruct PKIX_PL_PublicKey; +typedef struct PKIX_PL_DateStruct PKIX_PL_Date; +typedef struct PKIX_PL_CertNameConstraintsStruct PKIX_PL_CertNameConstraints; +typedef struct PKIX_PL_CertBasicConstraintsStruct PKIX_PL_CertBasicConstraints; +typedef struct PKIX_PL_CertPoliciesStruct PKIX_PL_CertPolicies; +typedef struct PKIX_PL_CertPolicyInfoStruct PKIX_PL_CertPolicyInfo; +typedef struct PKIX_PL_CertPolicyQualifierStruct PKIX_PL_CertPolicyQualifier; +typedef struct PKIX_PL_CertPolicyMapStruct PKIX_PL_CertPolicyMap; +typedef struct PKIX_PL_CRLStruct PKIX_PL_CRL; +typedef struct PKIX_PL_CRLEntryStruct PKIX_PL_CRLEntry; +typedef struct PKIX_PL_CollectionCertStoreStruct PKIX_PL_CollectionCertStore; +typedef struct PKIX_PL_CollectionCertStoreContext + PKIX_PL_CollectionCertStoreContext; +typedef struct PKIX_PL_LdapCertStoreContext PKIX_PL_LdapCertStoreContext; +typedef struct PKIX_PL_LdapRequestStruct PKIX_PL_LdapRequest; +typedef struct PKIX_PL_LdapResponseStruct PKIX_PL_LdapResponse; +typedef struct PKIX_PL_LdapDefaultClientStruct PKIX_PL_LdapDefaultClient; +typedef struct PKIX_PL_SocketStruct PKIX_PL_Socket; +typedef struct PKIX_PL_InfoAccessStruct PKIX_PL_InfoAccess; +typedef struct PKIX_PL_AIAMgrStruct PKIX_PL_AIAMgr; +typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID; +typedef struct PKIX_PL_OcspRequestStruct PKIX_PL_OcspRequest; +typedef struct PKIX_PL_OcspResponseStruct PKIX_PL_OcspResponse; +typedef struct PKIX_PL_HttpClientStruct PKIX_PL_HttpClient; +typedef struct PKIX_PL_HttpDefaultClientStruct PKIX_PL_HttpDefaultClient; +typedef struct PKIX_PL_HttpCertStoreContextStruct PKIX_PL_HttpCertStoreContext; + +/* Primitive types + * + * In order to guarantee desired behavior as well as platform-independence, we + * typedef these types depending on the platform. XXX This needs more work! + */ + +/* XXX Try compiling these files (and maybe the whole libpkix-nss) on Win32. + * We don't know what type is at least 32 bits long. ISO C probably requires + * at least 32 bits for long. we could default to that and only list platforms + * where that's not true. + * + * #elif + * #error + * #endif + */ + +/* currently, int is 32 bits on all our supported platforms */ + +typedef unsigned int PKIX_UInt32; +typedef int PKIX_Int32; + +typedef int PKIX_Boolean; + +/* Object Types + * + * Every reference-counted PKIX_PL_Object is associated with an integer type. + */ +#define PKIX_TYPES \ + TYPEMACRO(AIAMGR), \ + TYPEMACRO(BASICCONSTRAINTSCHECKERSTATE), \ + TYPEMACRO(BIGINT), \ + TYPEMACRO(BUILDRESULT), \ + TYPEMACRO(BYTEARRAY), \ + TYPEMACRO(CERT), \ + TYPEMACRO(CERTBASICCONSTRAINTS), \ + TYPEMACRO(CERTCHAINCHECKER), \ + TYPEMACRO(CERTNAMECONSTRAINTS), \ + TYPEMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ + TYPEMACRO(CERTPOLICYCHECKERSTATE), \ + TYPEMACRO(CERTPOLICYINFO), \ + TYPEMACRO(CERTPOLICYMAP), \ + TYPEMACRO(CERTPOLICYNODE), \ + TYPEMACRO(CERTPOLICYQUALIFIER), \ + TYPEMACRO(CERTSELECTOR), \ + TYPEMACRO(CERTSTORE), \ + TYPEMACRO(COLLECTIONCERTSTORECONTEXT), \ + TYPEMACRO(COMCERTSELPARAMS), \ + TYPEMACRO(COMCRLSELPARAMS), \ + TYPEMACRO(CRL), \ + TYPEMACRO(CRLDP), \ + TYPEMACRO(CRLENTRY), \ + TYPEMACRO(CRLSELECTOR), \ + TYPEMACRO(DATE), \ + TYPEMACRO(CRLCHECKER), \ + TYPEMACRO(EKUCHECKER), \ + TYPEMACRO(ERROR), \ + TYPEMACRO(FORWARDBUILDERSTATE), \ + TYPEMACRO(GENERALNAME), \ + TYPEMACRO(HASHTABLE), \ + TYPEMACRO(HTTPCERTSTORECONTEXT), \ + TYPEMACRO(HTTPDEFAULTCLIENT), \ + TYPEMACRO(INFOACCESS), \ + TYPEMACRO(LDAPDEFAULTCLIENT), \ + TYPEMACRO(LDAPREQUEST), \ + TYPEMACRO(LDAPRESPONSE), \ + TYPEMACRO(LIST), \ + TYPEMACRO(LOGGER), \ + TYPEMACRO(MONITORLOCK), \ + TYPEMACRO(MUTEX), \ + TYPEMACRO(OBJECT), \ + TYPEMACRO(OCSPCERTID), \ + TYPEMACRO(OCSPCHECKER), \ + TYPEMACRO(OCSPREQUEST), \ + TYPEMACRO(OCSPRESPONSE), \ + TYPEMACRO(OID), \ + TYPEMACRO(REVOCATIONCHECKER), \ + TYPEMACRO(PROCESSINGPARAMS), \ + TYPEMACRO(PUBLICKEY), \ + TYPEMACRO(RESOURCELIMITS), \ + TYPEMACRO(RWLOCK), \ + TYPEMACRO(SIGNATURECHECKERSTATE), \ + TYPEMACRO(SOCKET), \ + TYPEMACRO(STRING), \ + TYPEMACRO(TARGETCERTCHECKERSTATE), \ + TYPEMACRO(TRUSTANCHOR), \ + TYPEMACRO(VALIDATEPARAMS), \ + TYPEMACRO(VALIDATERESULT), \ + TYPEMACRO(VERIFYNODE), \ + TYPEMACRO(X500NAME) + +#define TYPEMACRO(type) PKIX_ ## type ## _TYPE + +typedef enum { /* Now invoke all those TYPEMACROs to assign the numbers */ + PKIX_TYPES, + PKIX_NUMTYPES /* This gets PKIX_NUMTYPES defined as the total number */ +} PKIX_TYPENUM; + + +#ifdef PKIX_USER_OBJECT_TYPE + +/* User Define Object Types + * + * User may define their own object types offset from PKIX_USER_OBJECT_TYPE + */ +#define PKIX_USER_OBJECT_TYPEBASE 1000 + +#endif /* PKIX_USER_OBJECT_TYPE */ + +/* Error Codes + * + * This list is used to define a set of PKIX_Error exception class numbers. + * ERRMACRO is redefined to produce a corresponding set of + * strings in the table "const char *PKIX_ERRORCLASSNAMES[PKIX_NUMERRORCLASSES]" in + * pkix_error.c. For example, since the fifth ERRMACRO entry is MUTEX, then + * PKIX_MUTEX_ERROR is defined in pkixt.h as 4, and PKIX_ERRORCLASSNAMES[4] is + * initialized in pkix_error.c with the value "MUTEX". + */ +#define PKIX_ERRORCLASSES \ + ERRMACRO(AIAMGR), \ + ERRMACRO(BASICCONSTRAINTSCHECKERSTATE), \ + ERRMACRO(BIGINT), \ + ERRMACRO(BUILD), \ + ERRMACRO(BUILDRESULT), \ + ERRMACRO(BYTEARRAY), \ + ERRMACRO(CERT), \ + ERRMACRO(CERTBASICCONSTRAINTS), \ + ERRMACRO(CERTCHAINCHECKER), \ + ERRMACRO(CERTNAMECONSTRAINTS), \ + ERRMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ + ERRMACRO(CERTPOLICYCHECKERSTATE), \ + ERRMACRO(CERTPOLICYINFO), \ + ERRMACRO(CERTPOLICYMAP), \ + ERRMACRO(CERTPOLICYNODE), \ + ERRMACRO(CERTPOLICYQUALIFIER), \ + ERRMACRO(CERTSELECTOR), \ + ERRMACRO(CERTSTORE), \ + ERRMACRO(CERTVFYPKIX), \ + ERRMACRO(COLLECTIONCERTSTORECONTEXT), \ + ERRMACRO(COMCERTSELPARAMS), \ + ERRMACRO(COMCRLSELPARAMS), \ + ERRMACRO(CONTEXT), \ + ERRMACRO(CRL), \ + ERRMACRO(CRLDP), \ + ERRMACRO(CRLENTRY), \ + ERRMACRO(CRLSELECTOR), \ + ERRMACRO(CRLCHECKER), \ + ERRMACRO(DATE), \ + ERRMACRO(EKUCHECKER), \ + ERRMACRO(ERROR), \ + ERRMACRO(FATAL), \ + ERRMACRO(FORWARDBUILDERSTATE), \ + ERRMACRO(GENERALNAME), \ + ERRMACRO(HASHTABLE), \ + ERRMACRO(HTTPCERTSTORECONTEXT), \ + ERRMACRO(HTTPDEFAULTCLIENT), \ + ERRMACRO(INFOACCESS), \ + ERRMACRO(LDAPCLIENT), \ + ERRMACRO(LDAPDEFAULTCLIENT), \ + ERRMACRO(LDAPREQUEST), \ + ERRMACRO(LDAPRESPONSE), \ + ERRMACRO(LIFECYCLE), \ + ERRMACRO(LIST), \ + ERRMACRO(LOGGER), \ + ERRMACRO(MEM), \ + ERRMACRO(MONITORLOCK), \ + ERRMACRO(MUTEX), \ + ERRMACRO(OBJECT), \ + ERRMACRO(OCSPCERTID), \ + ERRMACRO(OCSPCHECKER), \ + ERRMACRO(OCSPREQUEST), \ + ERRMACRO(OCSPRESPONSE), \ + ERRMACRO(OID), \ + ERRMACRO(PROCESSINGPARAMS), \ + ERRMACRO(PUBLICKEY), \ + ERRMACRO(RESOURCELIMITS), \ + ERRMACRO(REVOCATIONMETHOD), \ + ERRMACRO(REVOCATIONCHECKER), \ + ERRMACRO(RWLOCK), \ + ERRMACRO(SIGNATURECHECKERSTATE), \ + ERRMACRO(SOCKET), \ + ERRMACRO(STRING), \ + ERRMACRO(TARGETCERTCHECKERSTATE), \ + ERRMACRO(TRUSTANCHOR), \ + ERRMACRO(USERDEFINEDMODULES), \ + ERRMACRO(VALIDATE), \ + ERRMACRO(VALIDATEPARAMS), \ + ERRMACRO(VALIDATERESULT), \ + ERRMACRO(VERIFYNODE), \ + ERRMACRO(X500NAME) + +#define ERRMACRO(type) PKIX_ ## type ## _ERROR + +typedef enum { /* Now invoke all those ERRMACROs to assign the numbers */ + PKIX_ERRORCLASSES, + PKIX_NUMERRORCLASSES /* This gets PKIX_NUMERRORCLASSES defined as the total number */ +} PKIX_ERRORCLASS; + +/* Now define error strings (for internationalization) */ + +#define PKIX_ERRORENTRY(name,desc,plerr) PKIX_ ## name + +/* Define all the error numbers */ +typedef enum { +#include "pkix_errorstrings.h" +, PKIX_NUMERRORCODES +} PKIX_ERRORCODE; + +extern const char * const PKIX_ErrorText[]; + +/* String Formats + * + * These formats specify supported encoding formats for Strings. + */ + +#define PKIX_ESCASCII 0 +#define PKIX_UTF8 1 +#define PKIX_UTF16 2 +#define PKIX_UTF8_NULL_TERM 3 +#define PKIX_ESCASCII_DEBUG 4 + +/* Name Types + * + * These types specify supported formats for GeneralNames. + */ + +#define PKIX_OTHER_NAME 1 +#define PKIX_RFC822_NAME 2 +#define PKIX_DNS_NAME 3 +#define PKIX_X400_ADDRESS 4 +#define PKIX_DIRECTORY_NAME 5 +#define PKIX_EDIPARTY_NAME 6 +#define PKIX_URI_NAME 7 +#define PKIX_IP_NAME 8 +#define PKIX_OID_NAME 9 + +/* Key Usages + * + * These types specify supported Key Usages + */ + +#define PKIX_DIGITAL_SIGNATURE 0x001 +#define PKIX_NON_REPUDIATION 0x002 +#define PKIX_KEY_ENCIPHERMENT 0x004 +#define PKIX_DATA_ENCIPHERMENT 0x008 +#define PKIX_KEY_AGREEMENT 0x010 +#define PKIX_KEY_CERT_SIGN 0x020 +#define PKIX_CRL_SIGN 0x040 +#define PKIX_ENCIPHER_ONLY 0x080 +#define PKIX_DECIPHER_ONLY 0x100 + +/* Reason Flags + * + * These macros specify supported Reason Flags + */ + +#define PKIX_UNUSED 0x001 +#define PKIX_KEY_COMPROMISE 0x002 +#define PKIX_CA_COMPROMISE 0x004 +#define PKIX_AFFILIATION_CHANGED 0x008 +#define PKIX_SUPERSEDED 0x010 +#define PKIX_CESSATION_OF_OPERATION 0x020 +#define PKIX_CERTIFICATE_HOLD 0x040 +#define PKIX_PRIVILEGE_WITHDRAWN 0x080 +#define PKIX_AA_COMPROMISE 0x100 + +/* Boolean values + * + * These macros specify the Boolean values of TRUE and FALSE + * XXX Is it the case that any non-zero value is actually considered TRUE + * and this is just a convenient mnemonic macro? + */ + +#define PKIX_TRUE ((PKIX_Boolean) 1) +#define PKIX_FALSE ((PKIX_Boolean) 0) + +/* + * Define constants for basic constraints selector + * (see comments in pkix_certsel.h) + */ + +#define PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH (-2) +#define PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH (-1) + +/* + * PKIX_ALLOC_ERROR is a special error object hard-coded into the pkix_error.o + * object file. It is thrown if system memory cannot be allocated or may be + * thrown for other unrecoverable errors. PKIX_ALLOC_ERROR is immutable. + * IncRef, DecRef and all Settor functions cannot be called. + * XXX Does anyone actually need to know about this? + * XXX Why no DecRef? Would be good to handle it the same. + */ + +PKIX_Error* PKIX_ALLOC_ERROR(void); + +/* + * In a CertBasicConstraints extension, if the CA flag is set, + * indicating the certificate refers to a Certification + * Authority, then the pathLen field indicates how many intermediate + * certificates (not counting self-signed ones) can exist in a valid + * chain following this certificate. If the pathLen has the value + * of this constant, then the length of the chain is unlimited + */ +#define PKIX_UNLIMITED_PATH_CONSTRAINT ((PKIX_Int32) -1) + +/* + * Define Certificate Extension hard-coded OID's + */ +#define PKIX_UNKNOWN_OID SEC_OID_UNKNOWN +#define PKIX_CERTKEYUSAGE_OID SEC_OID_X509_KEY_USAGE +#define PKIX_CERTSUBJALTNAME_OID SEC_OID_X509_SUBJECT_ALT_NAME +#define PKIX_BASICCONSTRAINTS_OID SEC_OID_X509_BASIC_CONSTRAINTS +#define PKIX_CRLREASONCODE_OID SEC_OID_X509_REASON_CODE +#define PKIX_NAMECONSTRAINTS_OID SEC_OID_X509_NAME_CONSTRAINTS +#define PKIX_CERTIFICATEPOLICIES_OID SEC_OID_X509_CERTIFICATE_POLICIES +#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY +#define PKIX_POLICYMAPPINGS_OID SEC_OID_X509_POLICY_MAPPINGS +#define PKIX_POLICYCONSTRAINTS_OID SEC_OID_X509_POLICY_CONSTRAINTS +#define PKIX_EXTENDEDKEYUSAGE_OID SEC_OID_X509_EXT_KEY_USAGE +#define PKIX_INHIBITANYPOLICY_OID SEC_OID_X509_INHIBIT_ANY_POLICY +#define PKIX_NSCERTTYPE_OID SEC_OID_NS_CERT_EXT_CERT_TYPE +#define PKIX_KEY_USAGE_SERVER_AUTH_OID SEC_OID_EXT_KEY_USAGE_SERVER_AUTH +#define PKIX_KEY_USAGE_CLIENT_AUTH_OID SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH +#define PKIX_KEY_USAGE_CODE_SIGN_OID SEC_OID_EXT_KEY_USAGE_CODE_SIGN +#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT +#define PKIX_KEY_USAGE_TIME_STAMP_OID SEC_OID_EXT_KEY_USAGE_TIME_STAMP +#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID SEC_OID_OCSP_RESPONDER + + +/* Available revocation method types. */ +typedef enum PKIX_RevocationMethodTypeEnum { + PKIX_RevocationMethod_CRL = 0, + PKIX_RevocationMethod_OCSP, + PKIX_RevocationMethod_MAX +} PKIX_RevocationMethodType; + +/* A set of statuses revocation checker operates on */ +typedef enum PKIX_RevocationStatusEnum { + PKIX_RevStatus_NoInfo = 0, + PKIX_RevStatus_Revoked, + PKIX_RevStatus_Success +} PKIX_RevocationStatus; + + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIXT_H */ |