certt.h

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C头文件 代码 · 共 805 行 · 第 1/2 页

struct CERTCrlHeadNodeStr {
    PRArenaPool *arena;
    CERTCertDBHandle *dbhandle;
    CERTCrlNode *first;
    CERTCrlNode *last;
};


struct CERTCrlNodeStr {
    CERTCrlNode *next;
    int 	type;
    CERTSignedCrl *crl;
};


/*
 * Array of X.500 Distinguished Names
 */
struct CERTDistNamesStr {
    PRArenaPool *arena;
    int nnames;
    SECItem  *names;
    void *head; /* private */
};


#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */

#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)

#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
			  NS_CERT_TYPE_SSL_SERVER | \
			  NS_CERT_TYPE_EMAIL | \
			  NS_CERT_TYPE_OBJECT_SIGNING )

#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
			 NS_CERT_TYPE_EMAIL_CA | \
			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
			 EXT_KEY_USAGE_STATUS_RESPONDER )
typedef enum {
    certUsageSSLClient,
    certUsageSSLServer,
    certUsageSSLServerWithStepUp,
    certUsageSSLCA,
    certUsageEmailSigner,
    certUsageEmailRecipient,
    certUsageObjectSigner,
    certUsageUserCertImport,
    certUsageVerifyCA,
    certUsageProtectedObjectSigner,
    certUsageStatusResponder,
    certUsageAnyCA
} SECCertUsage;

/*
 * Does the cert belong to the user, a peer, or a CA.
 */
typedef enum {
    certOwnerUser,
    certOwnerPeer,
    certOwnerCA
} CERTCertOwner;

/*
 * This enum represents the state of validity times of a certificate
 */
typedef enum {
    secCertTimeValid,
    secCertTimeExpired,
    secCertTimeNotValidYet
} SECCertTimeValidity;

/*
 * Interface for getting certificate nickname strings out of the database
 */

/* these are values for the what argument below */
#define SEC_CERT_NICKNAMES_ALL		1
#define SEC_CERT_NICKNAMES_USER		2
#define SEC_CERT_NICKNAMES_SERVER	3
#define SEC_CERT_NICKNAMES_CA		4

struct CERTCertNicknamesStr {
    PRArenaPool *arena;
    void *head;
    int numnicknames;
    char **nicknames;
    int what;
    int totallen;
};

struct CERTIssuerAndSNStr {
    SECItem derIssuer;
    CERTName issuer;
    SECItem serialNumber;
};


/* X.509 v3 Key Usage Extension flags */
#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
#define KU_CRL_SIGN			(0x02)  /* bit 6 */
#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
					 KU_NON_REPUDIATION | \
					 KU_KEY_ENCIPHERMENT | \
					 KU_DATA_ENCIPHERMENT | \
					 KU_KEY_AGREEMENT | \
					 KU_KEY_CERT_SIGN | \
					 KU_CRL_SIGN)

/* This value will not occur in certs.  It is used internally for the case
 * when the key type is not know ahead of time and either key agreement or
 * key encipherment are the correct value based on key type
 */
#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)

/* internal bits that do not match bits in the x509v3 spec, but are used
 * for similar purposes
 */
#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
/*
 * x.509 v3 Basic Constraints Extension
 * If isCA is false, the pathLenConstraint is ignored.
 * Otherwise, the following pathLenConstraint values will apply:
 *	< 0 - there is no limit to the certificate path
 *	0   - CA can issues end-entity certificates only
 *	> 0 - the number of certificates in the certificate path is
 *	      limited to this number
 */
#define CERT_UNLIMITED_PATH_CONSTRAINT -2

struct CERTBasicConstraintsStr {
    PRBool isCA;			/* on if is CA */
    int pathLenConstraint;		/* maximum number of certificates that can be
					   in the cert path.  Only applies to a CA
					   certificate; otherwise, it's ignored.
					 */
};

/* Maximum length of a certificate chain */
#define CERT_MAX_CERT_CHAIN 20

/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
#define RF_UNUSED			(0x80)	/* bit 0 */
#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
#define RF_SUPERSEDED			(0x08)  /* bit 4 */
#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */

/* If we needed to extract the general name field, use this */
/* General Name types */
typedef enum {
    certOtherName = 1,
    certRFC822Name = 2,
    certDNSName = 3,
    certX400Address = 4,
    certDirectoryName = 5,
    certEDIPartyName = 6,
    certURI = 7,
    certIPAddress = 8,
    certRegisterID = 9
} CERTGeneralNameType;


typedef struct OtherNameStr {
    SECItem          name;
    SECItem          oid;
}OtherName;



struct CERTGeneralNameStr {
    CERTGeneralNameType type;		/* name type */
    union {
	CERTName directoryName;         /* distinguish name */
	OtherName  OthName;		/* Other Name */
	SECItem other;                  /* the rest of the name forms */
    }name;
    SECItem derDirectoryName;		/* this is saved to simplify directory name
					   comparison */
    PRCList l;
};

struct CERTGeneralNameListStr {
    PRArenaPool *arena;
    CERTGeneralName *name;
    int refCount;
    int len;
    PRLock *lock;
};

struct CERTNameConstraintStr {
    CERTGeneralName  name;
    SECItem          DERName;
    SECItem          min;
    SECItem          max;
    PRCList          l;
};


struct CERTNameConstraintsStr {
    CERTNameConstraint  *permited;
    CERTNameConstraint  *excluded;
    SECItem             **DERPermited;
    SECItem             **DERExcluded;
};


/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
   issuer field, we only support URI now.
 */
struct CERTAuthKeyIDStr {
    SECItem keyID;			/* unique key identifier */
    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
    SECItem authCertSerialNumber;	/* CA's certificate serial number */
    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
					   the authCertIssuer field. It is used
					   by the encoding engine. It should be
					   used as a read only field by the caller.
					*/
};

/* x.509 v3 CRL Distributeion Point */

/*
 * defined the types of CRL Distribution points
 */
typedef enum {
    generalName = 1,			/* only support this for now */
    relativeDistinguishedName = 2
} DistributionPointTypes;

struct CRLDistributionPointStr {
    DistributionPointTypes distPointType;
    union {
	CERTGeneralName *fullName;
	CERTRDN relativeName;
    } distPoint;
    SECItem reasons;
    CERTGeneralName *crlIssuer;
    
    /* Reserved for internal use only*/
    SECItem derDistPoint;
    SECItem derRelativeName;
    SECItem **derCrlIssuer;
    SECItem **derFullName;
    SECItem bitsmap;
};

struct CERTCrlDistributionPointsStr {
    CRLDistributionPoint **distPoints;
};

/*
 * This structure is used to keep a log of errors when verifying
 * a cert chain.  This allows multiple errors to be reported all at
 * once.
 */
struct CERTVerifyLogNodeStr {
    CERTCertificate *cert;	/* what cert had the error */
    long error;			/* what error was it? */
    unsigned int depth;		/* how far up the chain are we */
    void *arg;			/* error specific argument */
    struct CERTVerifyLogNodeStr *next; /* next in the list */
    struct CERTVerifyLogNodeStr *prev; /* next in the list */
};


struct CERTVerifyLogStr {
    PRArenaPool *arena;
    unsigned int count;
    struct CERTVerifyLogNodeStr *head;
    struct CERTVerifyLogNodeStr *tail;
};


struct CERTOKDomainNameStr {
    CERTOKDomainName *next;
    char              name[1]; /* actual length may be longer. */
};


typedef SECStatus PR_CALLBACK (*CERTStatusChecker) (CERTCertDBHandle *handle,
						    CERTCertificate *cert,
						    int64 time,
						    void *pwArg);

typedef SECStatus PR_CALLBACK (*CERTStatusDestroy) (CERTStatusConfig *handle);

struct CERTStatusConfigStr {
    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
    void *statusContext;		/* cx specific to checking protocol */
};

struct CERTAuthInfoAccessStr {
    SECItem method;
    SECItem derLocation;
    CERTGeneralName *location;		/* decoded location */
};


/* This is the typedef for the callback passed to CERT_OpenCertDB() */
/* callback to return database name based on version number */
typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);

/*
 * types of cert packages that we can decode
 */
typedef enum {
    certPackageNone,
    certPackageCert,
    certPackagePKCS7,
    certPackageNSCertSeq,
    certPackageNSCertWrap
} CERTPackageType;

/*
 * these types are for the PKIX Certificate Policies extension
 */
typedef struct {
    SECOidTag oid;
    SECItem qualifierID;
    SECItem qualifierValue;
} CERTPolicyQualifier;

typedef struct {
    SECOidTag oid;
    SECItem policyID;
    CERTPolicyQualifier **policyQualifiers;
} CERTPolicyInfo;

typedef struct {
    PRArenaPool *arena;
    CERTPolicyInfo **policyInfos;
} CERTCertificatePolicies;

typedef struct {
    SECItem organization;
    SECItem **noticeNumbers;
} CERTNoticeReference;

typedef struct {
    PRArenaPool *arena;
    CERTNoticeReference noticeReference;
    SECItem derNoticeReference;
    SECItem displayText;
} CERTUserNotice;

typedef struct {
    PRArenaPool *arena;
    SECItem **oids;
} CERTOidSequence;


/* XXX Lisa thinks the template declarations belong in cert.h, not here? */

#include "secasn1t.h"	/* way down here because I expect template stuff to
			 * move out of here anyway */

extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
extern const SEC_ASN1Template CERT_CertificateTemplate[];
extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];

extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
extern const SEC_ASN1Template CERT_NameTemplate[];
extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
extern const SEC_ASN1Template CERT_RDNTemplate[];
extern const SEC_ASN1Template CERT_SignedDataTemplate[];
extern const SEC_ASN1Template CERT_CrlTemplate[];

/*
** XXX should the attribute stuff be centralized for all of ns/security?
*/
extern const SEC_ASN1Template CERT_AttributeTemplate[];
extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];

#endif /* _CERTT_H_ */