| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| #ifndef PKIM_H |
| #define PKIM_H |
| |
| #ifndef BASE_H |
| #include "base.h" |
| #endif /* BASE_H */ |
| |
| #ifndef PKI_H |
| #include "pki.h" |
| #endif /* PKI_H */ |
| |
| #ifndef PKITM_H |
| #include "pkitm.h" |
| #endif /* PKITM_H */ |
| |
| PR_BEGIN_EXTERN_C |
| |
| /* nssPKIObject |
| * |
| * This is the base object class, common to all PKI objects defined in |
| * in this module. Each object can be safely 'casted' to an nssPKIObject, |
| * then passed to these methods. |
| * |
| * nssPKIObject_Create |
| * nssPKIObject_Destroy |
| * nssPKIObject_AddRef |
| * nssPKIObject_AddInstance |
| * nssPKIObject_HasInstance |
| * nssPKIObject_GetTokens |
| * nssPKIObject_GetNicknameForToken |
| * nssPKIObject_RemoveInstanceForToken |
| * nssPKIObject_DeleteStoredObject |
| */ |
| |
| NSS_EXTERN void nssPKIObject_Lock(nssPKIObject *object); |
| NSS_EXTERN void nssPKIObject_Unlock(nssPKIObject *object); |
| NSS_EXTERN PRStatus nssPKIObject_NewLock(nssPKIObject *object, |
| nssPKILockType lockType); |
| NSS_EXTERN void nssPKIObject_DestroyLock(nssPKIObject *object); |
| |
| /* nssPKIObject_Create |
| * |
| * A generic PKI object. It must live in a trust domain. It may be |
| * initialized with a token instance, or alternatively in a crypto context. |
| */ |
| NSS_EXTERN nssPKIObject * |
| nssPKIObject_Create( |
| NSSArena *arenaOpt, |
| nssCryptokiObject *instanceOpt, |
| NSSTrustDomain *td, |
| NSSCryptoContext *ccOpt, |
| nssPKILockType lockType); |
| |
| /* nssPKIObject_AddRef |
| */ |
| NSS_EXTERN nssPKIObject * |
| nssPKIObject_AddRef(nssPKIObject *object); |
| |
| /* nssPKIObject_Destroy |
| * |
| * Returns true if object was destroyed. This notifies the subclass that |
| * all references are gone and it should delete any members it owns. |
| */ |
| NSS_EXTERN PRBool |
| nssPKIObject_Destroy(nssPKIObject *object); |
| |
| /* nssPKIObject_AddInstance |
| * |
| * Add a token instance to the object, if it does not have it already. |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObject_AddInstance( |
| nssPKIObject *object, |
| nssCryptokiObject *instance); |
| |
| /* nssPKIObject_HasInstance |
| * |
| * Query the object for a token instance. |
| */ |
| NSS_EXTERN PRBool |
| nssPKIObject_HasInstance( |
| nssPKIObject *object, |
| nssCryptokiObject *instance); |
| |
| /* nssPKIObject_GetTokens |
| * |
| * Get all tokens which have an instance of the object. |
| */ |
| NSS_EXTERN NSSToken ** |
| nssPKIObject_GetTokens( |
| nssPKIObject *object, |
| PRStatus *statusOpt); |
| |
| /* nssPKIObject_GetNicknameForToken |
| * |
| * tokenOpt == NULL means take the first available, otherwise return the |
| * nickname for the specified token. |
| */ |
| NSS_EXTERN NSSUTF8 * |
| nssPKIObject_GetNicknameForToken( |
| nssPKIObject *object, |
| NSSToken *tokenOpt); |
| |
| /* nssPKIObject_RemoveInstanceForToken |
| * |
| * Remove the instance of the object on the specified token. |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObject_RemoveInstanceForToken( |
| nssPKIObject *object, |
| NSSToken *token); |
| |
| /* nssPKIObject_DeleteStoredObject |
| * |
| * Delete all token instances of the object, as well as any crypto context |
| * instances (TODO). If any of the instances are read-only, or if the |
| * removal fails, the object will keep those instances. 'isFriendly' refers |
| * to the object -- can this object be removed from a friendly token without |
| * login? For example, certificates are friendly, private keys are not. |
| * Note that if the token is not friendly, authentication will be required |
| * regardless of the value of 'isFriendly'. |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObject_DeleteStoredObject( |
| nssPKIObject *object, |
| NSSCallback *uhh, |
| PRBool isFriendly); |
| |
| NSS_EXTERN nssCryptokiObject ** |
| nssPKIObject_GetInstances( |
| nssPKIObject *object); |
| |
| NSS_EXTERN NSSCertificate ** |
| nssTrustDomain_FindCertificatesByID( |
| NSSTrustDomain *td, |
| NSSItem *id, |
| NSSCertificate **rvOpt, |
| PRUint32 maximumOpt, |
| NSSArena *arenaOpt); |
| |
| NSS_EXTERN NSSCRL ** |
| nssTrustDomain_FindCRLsBySubject( |
| NSSTrustDomain *td, |
| NSSDER *subject); |
| |
| /* module-private nsspki methods */ |
| |
| NSS_EXTERN NSSCryptoContext * |
| nssCryptoContext_Create( |
| NSSTrustDomain *td, |
| NSSCallback *uhhOpt); |
| |
| /* XXX for the collection */ |
| NSS_EXTERN NSSCertificate * |
| nssCertificate_Create(nssPKIObject *object); |
| |
| NSS_EXTERN PRStatus |
| nssCertificate_SetCertTrust( |
| NSSCertificate *c, |
| NSSTrust *trust); |
| |
| NSS_EXTERN nssDecodedCert * |
| nssCertificate_GetDecoding(NSSCertificate *c); |
| |
| extern PRIntn |
| nssCertificate_SubjectListSort( |
| void *v1, |
| void *v2); |
| |
| NSS_EXTERN nssDecodedCert * |
| nssDecodedCert_Create( |
| NSSArena *arenaOpt, |
| NSSDER *encoding, |
| NSSCertificateType type); |
| |
| NSS_EXTERN PRStatus |
| nssDecodedCert_Destroy(nssDecodedCert *dc); |
| |
| NSS_EXTERN NSSTrust * |
| nssTrust_Create( |
| nssPKIObject *object, |
| NSSItem *certData); |
| |
| NSS_EXTERN NSSCRL * |
| nssCRL_Create(nssPKIObject *object); |
| |
| NSS_EXTERN NSSCRL * |
| nssCRL_AddRef(NSSCRL *crl); |
| |
| NSS_EXTERN PRStatus |
| nssCRL_Destroy(NSSCRL *crl); |
| |
| NSS_EXTERN PRStatus |
| nssCRL_DeleteStoredObject( |
| NSSCRL *crl, |
| NSSCallback *uhh); |
| |
| NSS_EXTERN NSSPrivateKey * |
| nssPrivateKey_Create(nssPKIObject *o); |
| |
| NSS_EXTERN NSSDER * |
| nssCRL_GetEncoding(NSSCRL *crl); |
| |
| NSS_EXTERN NSSPublicKey * |
| nssPublicKey_Create(nssPKIObject *object); |
| |
| /* nssCertificateArray |
| * |
| * These are being thrown around a lot, might as well group together some |
| * functionality. |
| * |
| * nssCertificateArray_Destroy |
| * nssCertificateArray_Join |
| * nssCertificateArray_FindBestCertificate |
| * nssCertificateArray_Traverse |
| */ |
| |
| /* nssCertificateArray_Destroy |
| * |
| * Will destroy the array and the certs within it. If the array was created |
| * in an arena, will *not* (of course) destroy the arena. However, is safe |
| * to call this method on an arena-allocated array. |
| */ |
| NSS_EXTERN void |
| nssCertificateArray_Destroy(NSSCertificate **certs); |
| |
| /* nssCertificateArray_Join |
| * |
| * Join two arrays into one. The two arrays, certs1 and certs2, should |
| * be considered invalid after a call to this function (they may be destroyed |
| * as part of the join). certs1 and/or certs2 may be NULL. Safe to |
| * call with arrays allocated in an arena, the result will also be in the |
| * arena. |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssCertificateArray_Join( |
| NSSCertificate **certs1, |
| NSSCertificate **certs2); |
| |
| /* nssCertificateArray_FindBestCertificate |
| * |
| * Use the usual { time, usage, policies } to find the best cert in the |
| * array. |
| */ |
| NSS_EXTERN NSSCertificate * |
| nssCertificateArray_FindBestCertificate( |
| NSSCertificate **certs, |
| NSSTime *timeOpt, |
| const NSSUsage *usage, |
| NSSPolicies *policiesOpt); |
| |
| /* nssCertificateArray_Traverse |
| * |
| * Do the callback for each cert, terminate the traversal if the callback |
| * fails. |
| */ |
| NSS_EXTERN PRStatus |
| nssCertificateArray_Traverse( |
| NSSCertificate **certs, |
| PRStatus (*callback)(NSSCertificate *c, void *arg), |
| void *arg); |
| |
| NSS_EXTERN void |
| nssCRLArray_Destroy(NSSCRL **crls); |
| |
| /* nssPKIObjectCollection |
| * |
| * This is a handy way to group objects together and perform operations |
| * on them. It can also handle "proto-objects"-- references to |
| * objects instances on tokens, where the actual object hasn't |
| * been formed yet. |
| * |
| * nssCertificateCollection_Create |
| * nssPrivateKeyCollection_Create |
| * nssPublicKeyCollection_Create |
| * |
| * If this was a language that provided for inheritance, each type would |
| * inherit all of the following methods. Instead, there is only one |
| * type (nssPKIObjectCollection), shared among all. This may cause |
| * confusion; an alternative would be to define all of the methods |
| * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't |
| * seem worth the code bloat.. It is left up to the caller to remember |
| * what type of collection he/she is dealing with. |
| * |
| * nssPKIObjectCollection_Destroy |
| * nssPKIObjectCollection_Count |
| * nssPKIObjectCollection_AddObject |
| * nssPKIObjectCollection_AddInstances |
| * nssPKIObjectCollection_Traverse |
| * |
| * Back to type-specific methods. |
| * |
| * nssPKIObjectCollection_GetCertificates |
| * nssPKIObjectCollection_GetCRLs |
| * nssPKIObjectCollection_GetPrivateKeys |
| * nssPKIObjectCollection_GetPublicKeys |
| */ |
| |
| /* nssCertificateCollection_Create |
| * |
| * Create a collection of certificates in the specified trust domain. |
| * Optionally provide a starting set of certs. |
| */ |
| NSS_EXTERN nssPKIObjectCollection * |
| nssCertificateCollection_Create( |
| NSSTrustDomain *td, |
| NSSCertificate **certsOpt); |
| |
| /* nssCRLCollection_Create |
| * |
| * Create a collection of CRLs/KRLs in the specified trust domain. |
| * Optionally provide a starting set of CRLs. |
| */ |
| NSS_EXTERN nssPKIObjectCollection * |
| nssCRLCollection_Create( |
| NSSTrustDomain *td, |
| NSSCRL **crlsOpt); |
| |
| /* nssPrivateKeyCollection_Create |
| * |
| * Create a collection of private keys in the specified trust domain. |
| * Optionally provide a starting set of keys. |
| */ |
| NSS_EXTERN nssPKIObjectCollection * |
| nssPrivateKeyCollection_Create( |
| NSSTrustDomain *td, |
| NSSPrivateKey **pvkOpt); |
| |
| /* nssPublicKeyCollection_Create |
| * |
| * Create a collection of public keys in the specified trust domain. |
| * Optionally provide a starting set of keys. |
| */ |
| NSS_EXTERN nssPKIObjectCollection * |
| nssPublicKeyCollection_Create( |
| NSSTrustDomain *td, |
| NSSPublicKey **pvkOpt); |
| |
| /* nssPKIObjectCollection_Destroy |
| */ |
| NSS_EXTERN void |
| nssPKIObjectCollection_Destroy(nssPKIObjectCollection *collection); |
| |
| /* nssPKIObjectCollection_Count |
| */ |
| NSS_EXTERN PRUint32 |
| nssPKIObjectCollection_Count(nssPKIObjectCollection *collection); |
| |
| NSS_EXTERN PRStatus |
| nssPKIObjectCollection_AddObject( |
| nssPKIObjectCollection *collection, |
| nssPKIObject *object); |
| |
| /* nssPKIObjectCollection_AddInstances |
| * |
| * Add a set of object instances to the collection. The instances |
| * will be sorted into any existing certs/proto-certs that may be in |
| * the collection. The instances will be absorbed by the collection, |
| * the array should not be used after this call (except to free it). |
| * |
| * Failure means the collection is in an invalid state. |
| * |
| * numInstances = 0 means the array is NULL-terminated |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObjectCollection_AddInstances( |
| nssPKIObjectCollection *collection, |
| nssCryptokiObject **instances, |
| PRUint32 numInstances); |
| |
| /* nssPKIObjectCollection_Traverse |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObjectCollection_Traverse( |
| nssPKIObjectCollection *collection, |
| nssPKIObjectCallback *callback); |
| |
| /* This function is being added for NSS 3.5. It corresponds to the function |
| * nssToken_TraverseCertificates. The idea is to use the collection during |
| * a traversal, creating certs each time a new instance is added for which |
| * a cert does not already exist. |
| */ |
| NSS_EXTERN PRStatus |
| nssPKIObjectCollection_AddInstanceAsObject( |
| nssPKIObjectCollection *collection, |
| nssCryptokiObject *instance); |
| |
| /* nssPKIObjectCollection_GetCertificates |
| * |
| * Get all of the certificates in the collection. |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssPKIObjectCollection_GetCertificates( |
| nssPKIObjectCollection *collection, |
| NSSCertificate **rvOpt, |
| PRUint32 maximumOpt, |
| NSSArena *arenaOpt); |
| |
| NSS_EXTERN NSSCRL ** |
| nssPKIObjectCollection_GetCRLs( |
| nssPKIObjectCollection *collection, |
| NSSCRL **rvOpt, |
| PRUint32 maximumOpt, |
| NSSArena *arenaOpt); |
| |
| NSS_EXTERN NSSPrivateKey ** |
| nssPKIObjectCollection_GetPrivateKeys( |
| nssPKIObjectCollection *collection, |
| NSSPrivateKey **rvOpt, |
| PRUint32 maximumOpt, |
| NSSArena *arenaOpt); |
| |
| NSS_EXTERN NSSPublicKey ** |
| nssPKIObjectCollection_GetPublicKeys( |
| nssPKIObjectCollection *collection, |
| NSSPublicKey **rvOpt, |
| PRUint32 maximumOpt, |
| NSSArena *arenaOpt); |
| |
| NSS_EXTERN NSSTime * |
| NSSTime_Now(NSSTime *timeOpt); |
| |
| NSS_EXTERN NSSTime * |
| NSSTime_SetPRTime( |
| NSSTime *timeOpt, |
| PRTime prTime); |
| |
| NSS_EXTERN PRTime |
| NSSTime_GetPRTime( |
| NSSTime *time); |
| |
| NSS_EXTERN nssHash * |
| nssHash_CreateCertificate( |
| NSSArena *arenaOpt, |
| PRUint32 numBuckets); |
| |
| /* 3.4 Certificate cache routines */ |
| |
| NSS_EXTERN PRStatus |
| nssTrustDomain_InitializeCache( |
| NSSTrustDomain *td, |
| PRUint32 cacheSize); |
| |
| NSS_EXTERN PRStatus |
| nssTrustDomain_AddCertsToCache( |
| NSSTrustDomain *td, |
| NSSCertificate **certs, |
| PRUint32 numCerts); |
| |
| NSS_EXTERN void |
| nssTrustDomain_RemoveCertFromCacheLOCKED( |
| NSSTrustDomain *td, |
| NSSCertificate *cert); |
| |
| NSS_EXTERN void |
| nssTrustDomain_LockCertCache(NSSTrustDomain *td); |
| |
| NSS_EXTERN void |
| nssTrustDomain_UnlockCertCache(NSSTrustDomain *td); |
| |
| NSS_IMPLEMENT PRStatus |
| nssTrustDomain_DestroyCache(NSSTrustDomain *td); |
| |
| /* |
| * Remove all certs for the given token from the cache. This is |
| * needed if the token is removed. |
| */ |
| NSS_EXTERN PRStatus |
| nssTrustDomain_RemoveTokenCertsFromCache( |
| NSSTrustDomain *td, |
| NSSToken *token); |
| |
| NSS_EXTERN PRStatus |
| nssTrustDomain_UpdateCachedTokenCerts( |
| NSSTrustDomain *td, |
| NSSToken *token); |
| |
| /* |
| * Find all cached certs with this nickname (label). |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssTrustDomain_GetCertsForNicknameFromCache( |
| NSSTrustDomain *td, |
| const NSSUTF8 *nickname, |
| nssList *certListOpt); |
| |
| /* |
| * Find all cached certs with this email address. |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssTrustDomain_GetCertsForEmailAddressFromCache( |
| NSSTrustDomain *td, |
| NSSASCII7 *email, |
| nssList *certListOpt); |
| |
| /* |
| * Find all cached certs with this subject. |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssTrustDomain_GetCertsForSubjectFromCache( |
| NSSTrustDomain *td, |
| NSSDER *subject, |
| nssList *certListOpt); |
| |
| /* |
| * Look for a specific cert in the cache. |
| */ |
| NSS_EXTERN NSSCertificate * |
| nssTrustDomain_GetCertForIssuerAndSNFromCache( |
| NSSTrustDomain *td, |
| NSSDER *issuer, |
| NSSDER *serialNum); |
| |
| /* |
| * Look for a specific cert in the cache. |
| */ |
| NSS_EXTERN NSSCertificate * |
| nssTrustDomain_GetCertByDERFromCache( |
| NSSTrustDomain *td, |
| NSSDER *der); |
| |
| /* Get all certs from the cache */ |
| /* XXX this is being included to make some old-style calls word, not to |
| * say we should keep it |
| */ |
| NSS_EXTERN NSSCertificate ** |
| nssTrustDomain_GetCertsFromCache( |
| NSSTrustDomain *td, |
| nssList *certListOpt); |
| |
| NSS_EXTERN void |
| nssTrustDomain_DumpCacheInfo( |
| NSSTrustDomain *td, |
| void (*cert_dump_iter)(const void *, void *, void *), |
| void *arg); |
| |
| NSS_EXTERN void |
| nssCertificateList_AddReferences( |
| nssList *certList); |
| |
| PR_END_EXTERN_C |
| |
| #endif /* PKIM_H */ |