summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/mozpkix/include/pkix/pkixc.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/mozpkix/include/pkix/pkixc.h')
-rw-r--r--security/nss/lib/mozpkix/include/pkix/pkixc.h47
1 files changed, 47 insertions, 0 deletions
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixc.h b/security/nss/lib/mozpkix/include/pkix/pkixc.h
new file mode 100644
index 0000000000..a1cc7bf2e9
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixc.h
@@ -0,0 +1,47 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef mozilla_pkix_pkixc_h
+#define mozilla_pkix_pkixc_h
+
+#include "prerror.h"
+#include "stdint.h"
+
+// VerifyCertificateChain will attempt to build a verified certificate chain
+// starting from the 0th certificate in the given array to the indicated trust
+// anchor. It returns true on success and false otherwise. No particular key
+// usage is required, and no particular policy is required. The code signing
+// extended key usage is required. No revocation checking is performed. RSA
+// keys must be at least 2048 bits long, and EC keys must be from one of the
+// curves secp256r1, secp384r1, or secp521r1. Only SHA256, SHA384, and SHA512
+// are acceptable digest algorithms. When doing name checking, the subject
+// common name field is ignored.
+// certificate is an array of pointers to certificates.
+// certificateLengths is an array of the lengths of each certificate.
+// numCertificates indicates how many certificates are in certificates.
+// secondsSinceEpoch indicates the time at which the certificate chain must be
+// valid, in seconds since the epoch.
+// rootSHA256Hash identifies a trust anchor by the SHA256 hash of its contents.
+// It must be an array of 32 bytes.
+// hostname is a doman name for which the end-entity certificate must be valid.
+// error will be set if and only if the return value is false. Its value may
+// indicate why verification failed.
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+bool VerifyCodeSigningCertificateChain(const uint8_t** certificates,
+ const uint16_t* certificateLengths,
+ size_t numCertificates,
+ uint64_t secondsSinceEpoch,
+ const uint8_t* rootSHA256Hash,
+ const uint8_t* hostname,
+ size_t hostnameLength,
+ /* out */ PRErrorCode* error);
+#ifdef __cplusplus
+}
+#endif
+
+#endif // mozilla_pkix_pkixc_h