certt.h
来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C头文件 代码 · 共 805 行 · 第 1/2 页
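/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
 * Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above.  If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */
/*
 * certt.h - public data structures for the certificate library
 *
 * $Id: certt.h,v 1.1 2000/03/31 19:42:35 relyea%netscape.com Exp $
 */
#ifndef _CERTT_H_
#define _CERTT_H_

#include "prclist.h"
#include "pkcs11t.h"
#include "seccomon.h"
#include "secmodt.h"
#include "secoidt.h"
#include "plarena.h"
#include "prcvar.h"
#include "prlock.h"
#include "prio.h"
#include "prmon.h"

/* Non-opaque objects */
typedef struct CERTAVAStr                    CERTAVA;
typedef struct CERTAttributeStr              CERTAttribute;
typedef struct CERTAuthInfoAccessStr         CERTAuthInfoAccess;
typedef struct CERTAuthKeyIDStr              CERTAuthKeyID;
typedef struct CERTBasicConstraintsStr       CERTBasicConstraints;
typedef struct CERTCertDBHandleStr           CERTCertDBHandle;
typedef struct CERTCertExtensionStr          CERTCertExtension;
typedef struct CERTCertKeyStr                CERTCertKey;
typedef struct CERTCertListStr               CERTCertList;
typedef struct CERTCertListNodeStr           CERTCertListNode;
typedef struct CERTCertNicknamesStr          CERTCertNicknames;
typedef struct CERTCertTrustStr              CERTCertTrust;
typedef struct CERTCertificateStr            CERTCertificate;
typedef struct CERTCertificateListStr        CERTCertificateList;
typedef struct CERTCertificateRequestStr     CERTCertificateRequest;
typedef struct CERTCrlStr                    CERTCrl;
typedef struct CERTCrlDistributionPointsStr  CERTCrlDistributionPoints;
typedef struct CERTCrlEntryStr               CERTCrlEntry;
typedef struct CERTCrlHeadNodeStr            CERTCrlHeadNode;
typedef struct CERTCrlKeyStr                 CERTCrlKey;
typedef struct CERTCrlNodeStr                CERTCrlNode;
typedef struct CERTDERCertsStr               CERTDERCerts;
typedef struct CERTDistNamesStr              CERTDistNames;
typedef struct CERTGeneralNameStr            CERTGeneralName;
typedef struct CERTGeneralNameListStr        CERTGeneralNameList;
typedef struct CERTIssuerAndSNStr            CERTIssuerAndSN;
typedef struct CERTNameStr                   CERTName;
typedef struct CERTNameConstraintStr         CERTNameConstraint;
typedef struct CERTNameConstraintsStr        CERTNameConstraints;
typedef struct CERTOKDomainNameStr           CERTOKDomainName;
typedef struct CERTPublicKeyAndChallengeStr  CERTPublicKeyAndChallenge;
typedef struct CERTRDNStr                    CERTRDN;
typedef struct CERTSignedCrlStr              CERTSignedCrl;
typedef struct CERTSignedDataStr             CERTSignedData;
typedef struct CERTStatusConfigStr           CERTStatusConfig;
typedef struct CERTSubjectListStr            CERTSubjectList;
typedef struct CERTSubjectNodeStr            CERTSubjectNode;
typedef struct CERTSubjectPublicKeyInfoStr   CERTSubjectPublicKeyInfo;
typedef struct CERTValidityStr               CERTValidity;
typedef struct CERTVerifyLogStr              CERTVerifyLog;
typedef struct CERTVerifyLogNodeStr          CERTVerifyLogNode;
typedef struct CRLDistributionPointStr       CRLDistributionPoint;

/* CRL extensions type */
typedef unsigned long CERTCrlNumber;

/*
** An X.500 AVA object
*/
struct CERTAVAStr {
    SECItem type;
    SECItem value;
};

/*
** An X.500 RDN object
*/
struct CERTRDNStr {
    CERTAVA **avas;
};

/*
** An X.500 name object
*/
struct CERTNameStr {
    PRArenaPool *arena;
    CERTRDN **rdns;
};

/*
** An X.509 validity object
*/
struct CERTValidityStr {
    PRArenaPool *arena;
    SECItem notBefore;
    SECItem notAfter;
};

/*
 * A serial number and issuer name, which is used as a database key
 */
struct CERTCertKeyStr {
    SECItem serialNumber;
    SECItem derIssuer;
};

/*
** A signed data object. Used to implement the "signed" macro used
** in the X.500 specs.
*/
struct CERTSignedDataStr {
    SECItem data;
    SECAlgorithmID signatureAlgorithm;
    SECItem signature;
};

/*
** An X.509 subject-public-key-info object
*/
struct CERTSubjectPublicKeyInfoStr {
    PRArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem subjectPublicKey;
};

/*
** A subject-public-key-info item paired with a challenge item.
*/
struct CERTPublicKeyAndChallengeStr {
    SECItem spki;
    SECItem challenge;
};

typedef struct _certDBEntryCert certDBEntryCert;
typedef struct _certDBEntryRevocation certDBEntryRevocation;

/*
** Per-certificate trust flags, one flag word for each SECTrustType usage.
** The meaning of the individual bits is not defined in this part of the
** header.
*/
struct CERTCertTrustStr {
    unsigned int sslFlags;
    unsigned int emailFlags;
    unsigned int objectSigningFlags;
};

/*
 * defines the types of trust that exist
 */
typedef enum {
    trustSSL,
    trustEmail,
    trustObjectSigning,
    trustTypeNone
} SECTrustType;

/*
 * Select the flag word of a CERTCertTrust that matches "type".  Any type
 * other than trustSSL, trustEmail or trustObjectSigning (trustTypeNone
 * included) yields 0.  "type" is evaluated up to three times, so do not
 * pass an expression with side effects.
 */
#define SEC_GET_TRUST_FLAGS(trust,type) \
        (((type)==trustSSL)?((trust)->sslFlags): \
         (((type)==trustEmail)?((trust)->emailFlags): \
          (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))

/*
** An X.509.3 certificate extension
*/
struct CERTCertExtensionStr {
    SECItem id;
    SECItem critical;
    SECItem value;
};

/*
** One node of a CERTSubjectList (doubly linked through next/prev).
*/
struct CERTSubjectNodeStr {
    struct CERTSubjectNodeStr *next;
    struct CERTSubjectNodeStr *prev;
    SECItem certKey;
    SECItem keyID;
};

/*
** The list of certs that share one subject name (see the subjectList
** field of CERTCertificateStr).
*/
struct CERTSubjectListStr {
    PRArenaPool *arena;
    int ncerts;
    char *emailAddr;
    CERTSubjectNode *head;
    CERTSubjectNode *tail; /* do we need tail? */
    struct _certDBEntrySubject *entry;
};

/*
** An X.509 certificate object (the unsigned form)
*/
struct CERTCertificateStr {
    /* the arena is used to allocate any data structures that have the same
     * lifetime as the cert.  This is all stuff that hangs off of the cert
     * structure, and is all freed at the same time.  It is used when the
     * cert is decoded, destroyed, and at some times when it changes
     * state
     */
    PRArenaPool *arena;

    /* The following fields are static after the cert has been decoded */
    char *subjectName;
    char *issuerName;
    CERTSignedData signatureWrap;       /* XXX */
    SECItem derCert;                    /* original DER for the cert */
    SECItem derIssuer;                  /* DER for issuer name */
    SECItem derSubject;                 /* DER for subject name */
    SECItem derPublicKey;               /* DER for the public key */
    SECItem certKey;                    /* database key for this cert */
    SECItem version;
    SECItem serialNumber;
    SECAlgorithmID signature;
    CERTName issuer;
    CERTValidity validity;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem issuerID;
    SECItem subjectID;
    CERTCertExtension **extensions;
    char *emailAddr;
    CERTCertDBHandle *dbhandle;
    SECItem subjectKeyID;       /* x509v3 subject key identifier */
    PRBool keyIDGenerated;      /* was the keyid generated? */
    unsigned int keyUsage;      /* what uses are allowed for this cert */
    unsigned int rawKeyUsage;   /* value of the key usage extension */
    PRBool keyUsagePresent;     /* was the key usage extension present */
    unsigned int nsCertType;    /* value of the ns cert type extension */

    /* these values can be set by the application to bypass certain checks
     * or to keep the cert in memory for an entire session.
     * XXX - need an api to set these
     *
     * NOTE(review): timeOK and domainOK relax validity-time and domain-name
     * checking for this cert object, and this header exposes them as plain
     * writable fields.  Every place that sets them deserves review; where
     * they are honoured is not visible from this header.
     */
    PRBool keepSession;                 /* keep this cert for entire session */
    PRBool timeOK;                      /* is the bad validity time ok? */
    CERTOKDomainName *domainOK;         /* these domain names are ok */

    /*
     * these values can change when the cert changes state.  These state
     * changes include transitions from temp to perm or vice-versa, and
     * changes of trust flags
     */
    PRBool isperm;
    PRBool istemp;
    char *nickname;
    char *dbnickname;
    certDBEntryCert *dbEntry;           /* database entry struct */
    CERTCertTrust *trust;

    /* the reference count is modified whenever someone looks up, dups
     * or destroys a certificate
     *
     * NOTE(review): this is a plain int; the header does not show how
     * concurrent updates are serialized -- confirm against the code that
     * modifies it.
     */
    int referenceCount;

    /* The subject list is a list of all certs with the same subject name.
     * It can be modified any time a cert is added or deleted from either
     * the in-memory(temporary) or on-disk(permanent) database.
     */
    CERTSubjectList *subjectList;

    /* these fields are used by client GUI code to keep track of ssl sockets
     * that are blocked waiting on GUI feedback related to this cert.
     * XXX - these should be moved into some sort of application specific
     *       data structure.  They are only used by the browser right now.
     */
    struct SECSocketNode *socketlist;
    int socketcount;
    struct SECSocketNode *authsocketlist;
    int authsocketcount;

    /* This is PKCS #11 stuff. */
    PK11SlotInfo *slot;         /* if this cert came off a token, which is it */
    CK_OBJECT_HANDLE pkcs11ID;  /* and which object on that token is it */
    PRBool ownSlot;             /* true if the cert owns the slot reference */
};

/*
 * Version values as stored in the version item: the stored number is one
 * less than the version it names.
 */
#define SEC_CERTIFICATE_VERSION_1               0       /* default created */
#define SEC_CERTIFICATE_VERSION_2               1       /* v2 */
#define SEC_CERTIFICATE_VERSION_3               2       /* v3 extensions */

#define SEC_CRL_VERSION_1               0       /* default */
#define SEC_CRL_VERSION_2               1       /* v2 extensions */

/*
 * used to identify class of cert in mime stream code
 */
#define SEC_CERT_CLASS_CA       1
#define SEC_CERT_CLASS_SERVER   2
#define SEC_CERT_CLASS_USER     3
#define SEC_CERT_CLASS_EMAIL    4

/*
** A set of raw (DER) certificates: numcerts items in rawCerts.
** NOTE(review): numcerts is a signed int; presumably callers must treat a
** negative value as invalid -- confirm against the code that fills it in.
*/
struct CERTDERCertsStr {
    PRArenaPool *arena;
    int numcerts;
    SECItem *rawCerts;
};

/*
** A PKCS ? Attribute
**      XXX this is duplicated through out the code, it *should* be moved
** to a central location.  Where would be appropriate?
*/
struct CERTAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};

/*
** A PKCS#10 certificate-request object (the unsigned form)
*/
struct CERTCertificateRequestStr {
    PRArenaPool *arena;
    SECItem version;
    CERTName subject;
    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
    SECItem **attributes;
};
#define SEC_CERTIFICATE_REQUEST_VERSION         0       /* what we *create* */

/*
** A certificate list object.
*/
struct CERTCertificateListStr {
    SECItem *certs;
    int len;                                    /* number of certs */
    PRArenaPool *arena;
};

/*
** One entry of a CERTCertList; "links" is the PRCList linkage and is the
** first member, which is what lets the CERT_LIST_* macros cast between a
** PRCList pointer and a CERTCertListNode pointer.
*/
struct CERTCertListNodeStr {
    PRCList links;
    CERTCertificate *cert;
    void *appData;
};

/*
** A list of certificates; "list" is the PRCList head of the node chain.
*/
struct CERTCertListStr {
    PRCList list;
    PRArenaPool *arena;
};

/*
 * Iteration helpers for a CERTCertList "l" and a node "n".  Typical use:
 *
 *     for (n = CERT_LIST_HEAD(l); !CERT_LIST_END(n, l); n = CERT_LIST_NEXT(n))
 *
 * CERT_LIST_END is true when "n" is the list head itself, i.e. the walk has
 * wrapped around; such an "n" is not a real node and its cert/appData must
 * not be read.  Arguments are parenthesized so that an expression argument
 * (for example a dereference or a conditional) expands as one operand.
 */
#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&(l)->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)(n)->links.next)
#define CERT_LIST_END(n,l) (((void *)(n)) == ((void *)&(l)->list))

/*
** One CRL entry: a certificate serial number, its revocation date and the
** entry's extensions.
*/
struct CERTCrlEntryStr {
    SECItem serialNumber;
    SECItem revocationDate;
    CERTCertExtension **extensions;
};

/*
** A CRL object (the unsigned form).
** NOTE(review): nextUpdate is marked optional below, so consumers
** presumably have to cope with it being absent -- how absence is handled
** is not visible from this header.
*/
struct CERTCrlStr {
    PRArenaPool *arena;
    SECItem version;
    SECAlgorithmID signatureAlg;
    SECItem derName;
    CERTName name;
    SECItem lastUpdate;
    SECItem nextUpdate;                         /* optional for x.509 CRL */
    CERTCrlEntry **entries;
    CERTCertExtension **extensions;
};

/*
** The name part of a CRL, used with the decoder (see "dummy").
*/
struct CERTCrlKeyStr {
    SECItem derName;
    SECItem dummy;                      /* The decoder can not skip a primitive,
                                           this serves as a place holder for the
                                           decoder to finish its task only
                                        */
};

/*
** A CRL together with its signature wrapper, database entry and cache state.
*/
struct CERTSignedCrlStr {
    PRArenaPool *arena;
    CERTCrl crl;
    certDBEntryRevocation *dbEntry;     /* database entry struct */
    PRBool keep;                /* keep this crl in the cache for the session */
    PRBool isperm;
    PRBool istemp;
    int referenceCount;
    CERTCertDBHandle *dbhandle;
    CERTSignedData signatureWrap;       /* XXX */
    char *url;
};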