| blob | aae1184a84d95f0c9a6bf615d3de1b81c2787836 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * certt.h - public data structures for the certificate library
6 */
7 #ifndef _CERTT_H_
8 #define _CERTT_H_
21 /* Stan data types */
25 /* Non-opaque objects */
71 /* CRL extensions type */
74 /*
75 ** An X.500 AVA object
76 */
78 SECItem type;
79 SECItem value;
80 };
82 /*
83 ** An X.500 RDN object
84 */
87 };
89 /*
90 ** An X.500 name object
91 */
95 };
97 /*
98 ** An X.509 validity object
99 */
102 SECItem notBefore;
103 SECItem notAfter;
104 };
106 /*
107 * A serial number and issuer name, which is used as a database key
108 */
110 SECItem serialNumber;
111 SECItem derIssuer;
112 };
114 /*
115 ** A signed data object. Used to implement the "signed" macro used
116 ** in the X.500 specs.
117 */
119 SECItem data;
120 SECAlgorithmID signatureAlgorithm;
121 SECItem signature;
122 };
124 /*
125 ** An X.509 subject-public-key-info object
126 */
129 SECAlgorithmID algorithm;
130 SECItem subjectPublicKey;
131 };
134 SECItem spki;
135 SECItem challenge;
136 };
142 };
144 /*
145 * Distrust dates for specific certificate usages.
146 * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
147 * compatible with the format of certdata.txt, other date fields in certs and
148 * existing functions to read these dates. Clients should check the distrust
149 * date in certificates to avoid trusting a CA for service they have ceased to
150 * support */
152 SECItem serverDistrustAfter;
153 SECItem emailDistrustAfter;
154 };
156 /*
157 * defined the types of trust that exist
158 */
166 #define SEC_GET_TRUST_FLAGS(trust, type) \
167 (((type) == trustSSL) \
168 ? ((trust)->sslFlags) \
169 : (((type) == trustEmail) ? ((trust)->emailFlags) \
170 : (((type) == trustObjectSigning) \
171 ? ((trust)->objectSigningFlags) \
172 : 0)))
174 /*
175 ** An X.509.3 certificate extension
176 */
178 SECItem id;
179 SECItem critical;
180 SECItem value;
181 };
186 SECItem certKey;
187 SECItem keyID;
188 };
197 };
199 /*
200 ** An X.509 certificate object (the unsigned form)
201 */
203 /* the arena is used to allocate any data structures that have the same
204 * lifetime as the cert. This is all stuff that hangs off of the cert
205 * structure, and is all freed at the same time. It is used when the
206 * cert is decoded, destroyed, and at some times when it changes
207 * state
208 */
211 /* The following fields are static after the cert has been decoded */
220 SECItem version;
221 SECItem serialNumber;
222 SECAlgorithmID signature;
223 CERTName issuer;
224 CERTValidity validity;
225 CERTName subject;
226 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
227 SECItem issuerID;
228 SECItem subjectID;
238 /* must be 32-bit for PR_ATOMIC_SET */
240 /* these values can be set by the application to bypass certain checks
241 * or to keep the cert in memory for an entire session.
242 * XXX - need an api to set these
243 */
248 /*
249 * these values can change when the cert changes state. These state
250 * changes include transitions from temp to perm or vice-versa, and
251 * changes of trust flags
252 */
253 PRBool isperm;
254 PRBool istemp;
260 /* the reference count is modified whenever someone looks up, dups
261 * or destroys a certificate
262 */
265 /* The subject list is a list of all certs with the same subject name.
266 * It can be modified any time a cert is added or deleted from either
267 * the in-memory(temporary) or on-disk(permanent) database.
268 */
271 /* these belong in the static section, but are here to maintain
272 * the structure's integrity
273 */
277 /* these fields are used by client GUI code to keep track of ssl sockets
278 * that are blocked waiting on GUI feedback related to this cert.
279 * XXX - these should be moved into some sort of application specific
280 * data structure. They are only used by the browser right now.
281 */
286 /* add any new option bits needed here */
291 /* This is PKCS #11 stuff. */
295 /* These fields are used in nssckbi/builtins CAs. */
297 };
305 /*
306 * used to identify class of cert in mime stream code
307 */
308 #define SEC_CERT_CLASS_CA 1
309 #define SEC_CERT_CLASS_SERVER 2
310 #define SEC_CERT_CLASS_USER 3
311 #define SEC_CERT_CLASS_EMAIL 4
317 };
319 /*
320 ** A PKCS ? Attribute
321 ** XXX this is duplicated through out the code, it *should* be moved
322 ** to a central location. Where would be appropriate?
323 */
325 SECItem attrType;
327 };
329 /*
330 ** A PKCS#10 certificate-request object (the unsigned form)
331 */
334 SECItem version;
335 CERTName subject;
336 CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
338 };
341 /*
342 ** A certificate list object.
343 */
348 };
351 PRCList links;
354 };
357 PRCList list;
359 };
361 #define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
362 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
363 #define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
364 #define CERT_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
365 #define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
368 SECItem serialNumber;
369 SECItem revocationDate;
371 };
375 SECItem version;
376 SECAlgorithmID signatureAlg;
377 SECItem derName;
378 CERTName name;
379 SECItem lastUpdate;
383 /* can't add anything there for binary backwards compatibility reasons */
384 };
387 SECItem derName;
389 this serves as a place holder for the
390 decoder to finish its task only
391 */
392 };
396 CERTCrl crl;
398 PRBool reserved2;
399 PRBool isperm;
400 PRBool istemp;
407 CK_OBJECT_HANDLE pkcs11ID;
409 };
416 };
422 };
424 /*
425 * Array of X.500 Distinguished Names
426 */
432 };
434 /*
435 * NS_CERT_TYPE defines are used in two areas:
436 * 1) The old NSS Cert Type Extension, which is a certificate extension in the
437 * actual cert. It was created before the x509 Extended Key Usage Extension,
438 * which has now taken over it's function. This field is only 8 bits wide
439 * 2) The nsCertType entry in the CERTCertificate structure. This field is
440 * 32 bits wide.
441 * Any entries in this table greater than 0x80 will not be able to be encoded
442 * in an NSS Cert Type Extension, but can still be represented internally in
443 * the nsCertType field.
444 */
456 #define EXT_KEY_USAGE_TIME_STAMP (0x8000)
457 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
459 #define NS_CERT_TYPE_APP \
460 (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
461 NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)
463 #define NS_CERT_TYPE_CA \
464 (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
465 NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
466 NS_CERT_TYPE_IPSEC_CA)
485 #define certificateUsageCheckAllUsages (0x0000)
486 #define certificateUsageSSLClient (0x0001)
487 #define certificateUsageSSLServer (0x0002)
488 #define certificateUsageSSLServerWithStepUp (0x0004)
489 #define certificateUsageSSLCA (0x0008)
490 #define certificateUsageEmailSigner (0x0010)
491 #define certificateUsageEmailRecipient (0x0020)
492 #define certificateUsageObjectSigner (0x0040)
493 #define certificateUsageUserCertImport (0x0080)
494 #define certificateUsageVerifyCA (0x0100)
495 #define certificateUsageProtectedObjectSigner (0x0200)
496 #define certificateUsageStatusResponder (0x0400)
497 #define certificateUsageAnyCA (0x0800)
498 #define certificateUsageIPsec (0x1000)
500 #define certificateUsageHighest certificateUsageIPsec
502 /*
503 * Does the cert belong to the user, a peer, or a CA.
504 */
511 /*
512 * This enum represents the state of validity times of a certificate
513 */
519 cert, most likely because it was NULL */
522 /*
523 * This is used as return status in functions that compare the validity
524 * periods of two certificates A and B, currently only
525 * CERT_CompareValidityTimes.
526 */
530 over another */
536 /*
537 * Interface for getting certificate nickname strings out of the database
538 */
540 /* these are values for the what argument below */
541 #define SEC_CERT_NICKNAMES_ALL 1
542 #define SEC_CERT_NICKNAMES_USER 2
543 #define SEC_CERT_NICKNAMES_SERVER 3
544 #define SEC_CERT_NICKNAMES_CA 4
553 };
556 SECItem derIssuer;
557 CERTName issuer;
558 SECItem serialNumber;
559 };
561 /* X.509 v3 Key Usage Extension flags */
570 #define KU_ALL \
571 (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT | \
572 KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | \
573 KU_CRL_SIGN | KU_ENCIPHER_ONLY)
575 /* This value will not occur in certs. It is used internally for the case
576 * when either digital signature or non-repudiation is the correct value.
577 */
578 #define KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION (0x2000)
580 /* This value will not occur in certs. It is used internally for the case
581 * when the key type is not know ahead of time and either key agreement or
582 * key encipherment are the correct value based on key type
583 */
584 #define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
586 /* internal bits that do not match bits in the x509v3 spec, but are used
587 * for similar purposes
588 */
590 /*
591 * x.509 v3 Basic Constraints Extension
592 * If isCA is false, the pathLenConstraint is ignored.
593 * Otherwise, the following pathLenConstraint values will apply:
594 * < 0 - there is no limit to the certificate path
595 * 0 - CA can issues end-entity certificates only
596 * > 0 - the number of certificates in the certificate path is
597 * limited to this number
598 */
599 #define CERT_UNLIMITED_PATH_CONSTRAINT -2
604 in the cert path. Only applies to a CA
605 certificate; otherwise, it's ignored.
606 */
607 };
609 /* Maximum length of a certificate chain */
610 #define CERT_MAX_CERT_CHAIN 20
615 /* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
624 /* enum for CRL Entry Reason Code */
638 /* If we needed to extract the general name field, use this */
639 /* General Name types */
653 SECItem name;
654 SECItem oid;
665 comparison */
666 PRCList l;
667 };
675 };
678 CERTGeneralName name;
679 SECItem DERName;
680 SECItem min;
681 SECItem max;
682 PRCList l;
683 };
690 };
692 /* Private Key Usage Period extension struct. */
694 SECItem notBefore;
695 SECItem notAfter;
697 };
699 /* X.509 v3 Authority Key Identifier extension. For the authority certificate
700 issuer field, we only support URI now.
701 */
707 the authCertIssuer field. It is used
708 by the encoding engine. It should be
709 used as a read only field by the caller.
710 */
711 };
713 /* x.509 v3 CRL Distributeion Point */
715 /*
716 * defined the types of CRL Distribution points
717 */
724 DistributionPointTypes distPointType;
727 CERTRDN relativeName;
729 SECItem reasons;
732 /* Reserved for internal use only*/
733 SECItem derDistPoint;
734 SECItem derRelativeName;
737 SECItem bitsmap;
738 };
742 };
744 /*
745 * This structure is used to keep a log of errors when verifying
746 * a cert chain. This allows multiple errors to be reported all at
747 * once.
748 */
756 };
763 };
768 };
780 };
783 SECItem method;
784 SECItem derLocation;
786 };
788 /* This is the typedef for the callback passed to CERT_OpenCertDB() */
789 /* callback to return database name based on version number */
792 /*
793 * types of cert packages that we can decode
794 */
803 /*
804 * these types are for the PKIX Certificate Policies extension
805 */
807 SECOidTag oid;
808 SECItem qualifierID;
809 SECItem qualifierValue;
813 SECOidTag oid;
814 SECItem policyID;
824 SECItem organization;
830 CERTNoticeReference noticeReference;
831 SECItem derNoticeReference;
832 SECItem displayText;
840 /*
841 * these types are for the PKIX Policy Mappings extension
842 */
844 SECItem issuerDomainPolicy;
845 SECItem subjectDomainPolicy;
853 /*
854 * these types are for the PKIX inhibitAnyPolicy extension
855 */
857 SECItem inhibitAnySkipCerts;
860 /*
861 * these types are for the PKIX Policy Constraints extension
862 */
864 SECItem explicitPolicySkipCerts;
865 SECItem inhibitMappingSkipCerts;
868 /*
869 * These types are for the validate chain callback param.
870 *
871 * CERTChainVerifyCallback is an application-supplied callback that can be used
872 * to augment libpkix's certificate chain validation with additional
873 * application-specific checks. It may be called multiple times if there are
874 * multiple potentially-valid paths for the certificate being validated. This
875 * callback is called before revocation checking is done on the certificates in
876 * the given chain.
877 *
878 * - isValidChainArg contains the application-provided opaque argument
879 * - currentChain is the currently validated chain. It is ordered with the leaf
880 * certificate at the head and the trust anchor at the tail.
881 *
882 * The callback should set *chainOK = PR_TRUE and return SECSuccess if the
883 * certificate chain is acceptable. It should set *chainOK = PR_FALSE and
884 * return SECSuccess if the chain is unacceptable, to indicate that the given
885 * chain is bad and path building should continue. It should return SECFailure
886 * to indicate an fatal error that will cause path validation to fail
887 * immediately.
888 */
892 /*
893 * Note: If extending this structure, it will be necessary to change the
894 * associated CERTValParamInType
895 */
897 CERTChainVerifyCallbackFunc isChainValid;
901 /*
902 * these types are for the CERT_PKIX* Verification functions
903 * These are all optional parameters.
904 */
908 * CERTValParam* */
910 * resume a session. If this argument is
911 * specified, no other arguments should be.
912 * Specified in value.pointer.p. If the
913 * operation completes the context will be
914 * freed. */
916 * existing operation which the caller wants
917 * to abort. If this argument is
918 * specified, no other arguments should be.
919 * Specified in value.pointer.p. If the
920 * operation succeeds the context will be
921 * freed. */
923 * this value is given, then the path
924 * construction step in the validation is
925 * skipped. Specified in value.pointer.chain */
927 * Specified in value.array.oids. Cert must
928 * be good for at least one OID in order
929 * to validate. Default is that the user is not
930 * concerned about certificate policy. */
932 * Specified in value.scalar.ul. Policy flags
933 * apply to all specified oids.
934 * Use CERT_POLICY_FLAG_* macros below. If not
935 * specified policy flags default to 0 */
937 * will be evaluated against, specified in
938 * value.scalar.ui. The cert must validate for
939 * at least one of the specified key usages.
940 * Values match the KU_ bit flags defined
941 * in this file. Default is derived from
942 * the 'usages' function argument */
944 * usage of the certificate. Specified as
945 * an array of oidTags in value.array.oids.
946 * The cert must validate for at least one
947 * of the specified extended key usages.
948 * If not specified, no extended key usages
949 * will be checked. */
951 * specified in value.scalar.time. A special
952 * value '0' indicates 'now'. default is '0' */
954 * See CERT_REV_FLAG_* macros below
955 * Set in value.pointer.revocation */
957 * Set in value.scalar.ui */
958 cert_pi_trustAnchors =
960 * validate against.
961 * The default set of trusted roots, these are
962 * root CA certs from libnssckbi.so or CA
963 * certs trusted by user, are used in any of
964 * the following cases:
965 * * when the parameter is not set.
966 * * when the list of trust anchors is
967 * empty.
968 * Note that this handling can be further
969 * altered by altering the
970 * cert_pi_useOnlyTrustAnchors flag
971 * Specified in value.pointer.chain */
973 * In NSS 3.12.1 or later. Default is off.
974 * Value is in value.scalar.b */
976 /* The callback container for doing extra
977 * validation on the currently calculated chain.
978 * Value is in value.pointer.chainVerifyCallback */
980 /* If true, disables trusting any
981 * certificates other than the ones passed in via cert_pi_trustAnchors.
982 * If false, then the certificates specified via cert_pi_trustAnchors
983 * will be combined with the pre-existing trusted roots, but only
984 * for the certificate validation being performed.
985 * If no value has been supplied via cert_pi_trustAnchors, this has
986 * no effect.
987 * The default value is true, meaning if this is not supplied, only
988 * trust anchors supplied via cert_pi_trustAnchors are trusted.
989 * Specified in value.scalar.b */
990 cert_pi_max /* SPECIAL: signifies maximum allowed value,
991 * can increase in future releases */
994 /*
995 * for all out parameters:
996 * out parameters are only returned if the caller asks for them in
997 * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
998 * array itself. The pkix verify function will allocate and other arrays
999 * pointers, or objects. The Caller is responsible for freeing those results.
1000 * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
1001 */
1004 * CERTValParam* */
1006 * non-blocking context is specified, then
1007 * blocking IO will be used.
1008 * Returned in value.pointer.p. The context is
1009 * freed after an abort or a complete operation.
1010 * This value is only returned on SECWouldBlock.
1011 */
1013 * was validated. Returned in
1014 * value.pointer.cert, this value is only
1015 * returned on SECSuccess. */
1017 * Returned in value.pointer.certList. If no
1018 * chain could be constructed, this value
1019 * would be NULL. */
1021 * valid. Returned in value.array.oids as an
1022 * array. This is only returned on
1023 * SECSuccess. */
1025 * Returned in value.pointer.log */
1027 for. Returned in value.scalar.usages */
1029 * is valid for.
1030 * Returned in value.scalar.usage */
1032 * certificate is valid for.
1033 * Returned in value.array.oids */
1034 cert_po_max /* SPECIAL: signifies maximum allowed value,
1035 * can increase in future releases */
1041 cert_revocation_method_ocsp,
1042 cert_revocation_method_count
1045 /*
1046 * The following flags are supposed to be used to control bits in
1047 * each integer contained in the array pointed to be:
1048 * CERTRevocationTests.cert_rev_flags_per_method
1049 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1050 * this is a method dependent flag.
1051 */
1053 /*
1054 * Whether or not to use a method for revocation testing.
1055 * If set to "do not test", then all other flags are ignored.
1056 */
1057 #define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD 0UL
1058 #define CERT_REV_M_TEST_USING_THIS_METHOD 1UL
1060 /*
1061 * Whether or not NSS is allowed to attempt to fetch fresh information
1062 * from the network.
1063 * (Although fetching will never happen if fresh information for the
1064 * method is already locally available.)
1065 */
1066 #define CERT_REV_M_ALLOW_NETWORK_FETCHING 0UL
1067 #define CERT_REV_M_FORBID_NETWORK_FETCHING 2UL
1069 /*
1070 * Example for an implicit default source:
1071 * The globally configured default OCSP responder.
1072 * IGNORE means:
1073 * ignore the implicit default source, whether it's configured or not.
1074 * ALLOW means:
1075 * if an implicit default source is configured,
1076 * then it overrides any available or missing source in the cert.
1077 * if no implicit default source is configured,
1078 * then we continue to use what's available (or not available)
1079 * in the certs.
1080 */
1081 #define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 0UL
1082 #define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 4UL
1084 /*
1085 * Defines the behavior if no fresh information is available,
1086 * fetching from the network is allowed, but the source of revocation
1087 * information is unknown (even after considering implicit sources,
1088 * if allowed by other flags).
1089 * SKIPT_TEST means:
1090 * We ignore that no fresh information is available and
1091 * skip this test.
1092 * REQUIRE_INFO means:
1093 * We still require that fresh information is available.
1094 * Other flags define what happens on missing fresh info.
1095 */
1096 #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0UL
1097 #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8UL
1099 /*
1100 * Defines the behavior if we are unable to obtain fresh information.
1101 * INGORE means:
1102 * Return "cert status unknown"
1103 * FAIL means:
1104 * Return "cert revoked".
1105 */
1106 #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0UL
1107 #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16UL
1109 /*
1110 * What should happen if we were able to find fresh information using
1111 * this method, and the data indicated the cert is good?
1112 * STOP_TESTING means:
1113 * Our success is sufficient, do not continue testing
1114 * other methods.
1115 * CONTINUE_TESTING means:
1116 * We will continue and test the next allowed
1117 * specified method.
1118 */
1119 #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 0UL
1120 #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 32UL
1122 /* When this flag is used, libpkix will never attempt to use the GET HTTP
1123 * method for OCSP requests; it will always use POST.
1124 */
1125 #define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
1127 /*
1128 * The following flags are supposed to be used to control bits in
1129 * CERTRevocationTests.cert_rev_method_independent_flags
1130 * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
1131 * this is a method independent flag.
1132 */
1134 /*
1135 * This defines the order to checking.
1136 * EACH_METHOD_SEPARATELY means:
1137 * Do all tests related to a particular allowed method
1138 * (both local information and network fetching) in a single step.
1139 * Only after testing for a particular method is done,
1140 * then switching to the next method will happen.
1141 * ALL_LOCAL_INFORMATION_FIRST means:
1142 * Start by testing the information for all allowed methods
1143 * which are already locally available. Only after that is done
1144 * consider to fetch from the network (as allowed by other flags).
1145 */
1146 #define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY 0UL
1147 #define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1UL
1149 /*
1150 * Use this flag to specify that it's necessary that fresh information
1151 * is available for at least one of the allowed methods, but it's
1152 * irrelevant which of the mechanisms succeeded.
1153 * NO_OVERALL_INFO_REQUIREMENT means:
1154 * We strictly follow the requirements for each individual method.
1155 * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
1156 * After the individual tests have been executed, we must have
1157 * been able to find fresh information using at least one method.
1158 * If we were unable to find fresh info, it's a failure.
1159 * This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1160 * flag on all methods.
1161 */
1162 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT 0UL
1163 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2UL
1166 /*
1167 * The size of the array that cert_rev_flags_per_method points to,
1168 * meaning, the number of methods that are known and defined
1169 * by the caller.
1170 */
1171 PRUint32 number_of_defined_methods;
1173 /*
1174 * A pointer to an array of integers.
1175 * Each integer defines revocation checking for a single method,
1176 * by having individual CERT_REV_M_* bits set or not set.
1177 * The meaning of index numbers into this array are defined by
1178 * enum CERTRevocationMethodIndex
1179 * The size of the array must be specified by the caller in the separate
1180 * variable number_of_defined_methods.
1181 * The size of the array may be smaller than
1182 * cert_revocation_method_count, it can happen if a caller
1183 * is not yet aware of the latest revocation methods
1184 * (or does not want to use them).
1185 */
1188 /*
1189 * How many preferred methods are specified?
1190 * This is equivalent to the size of the array that
1191 * preferred_methods points to.
1192 * It's allowed to set this value to zero,
1193 * then NSS will decide which methods to prefer.
1194 */
1195 PRUint32 number_of_preferred_methods;
1197 /* Array that may specify an optional order of preferred methods.
1198 * Each array entry shall contain a method identifier as defined
1199 * by CERTRevocationMethodIndex.
1200 * The entry at index [0] specifies the method with highest preference.
1201 * These methods will be tested first for locally available information.
1202 * Methods allowed for downloading will be attempted in the same order.
1203 */
1206 /*
1207 * An integer which defines certain aspects of revocation checking
1208 * (independent of individual methods) by having individual
1209 * CERT_REV_MI_* bits set or not set.
1210 */
1211 PRUint64 cert_rev_method_independent_flags;
1215 CERTRevocationTests leafTests;
1216 CERTRevocationTests chainTests;
1221 PRBool b;
1222 PRInt32 i;
1223 PRUint32 ui;
1224 PRInt64 l;
1225 PRUint64 ul;
1226 PRTime time;
1248 PRBool b;
1249 PRInt32 i;
1250 PRUint32 ui;
1251 PRInt64 l;
1252 PRUint64 ul;
1253 SECCertificateUsage usages;
1270 CERTValParamInType type;
1271 CERTValParamInValue value;
1275 CERTValParamOutType type;
1276 CERTValParamOutValue value;
1279 /*
1280 * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
1281 */
1286 all DirectoryStrings encoded in hex */
1289 /*
1290 * policy flag defines
1291 */
1292 #define CERT_POLICY_FLAG_NO_MAPPING 1
1293 #define CERT_POLICY_FLAG_EXPLICIT 2
1294 #define CERT_POLICY_FLAG_NO_ANY 4
1296 /*
1297 * CertStore flags
1298 */
1299 #define CERT_ENABLE_LDAP_FETCH 1
1300 #define CERT_ENABLE_HTTP_FETCH 2
1302 /* This functin pointer type may be used for any function that takes
1303 * a CERTCertificate * and returns an allocated string, which must be
1304 * freed by a call to PORT_Free.
1305 */
1308 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
1311 * move out of here anyway */
1313 SEC_BEGIN_PROTOS
1335 /*
1336 ** XXX should the attribute stuff be centralized for all of ns/security?
1337 */
1341 /* These functions simply return the address of the above-declared templates.
1342 ** This is necessary for Windows DLLs. Sigh.
1343 */
1357 SEC_END_PROTOS