Move low level cert headers into softoken.

4 files changed, 1244 insertions, 0 deletions

diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h
new file mode 100644
index 000000000..4f47d7bc3
--- /dev/null
+++ b/security/nss/lib/softoken/cdbhdl.h
@@ -0,0 +1,56 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * cdbhdl.h - certificate database handle
+ *   private to the certdb module
+ *
+ * $Id$
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+    DB *permCertDB;
+    DB *tempCertDB;
+    void *spkDigestInfo;
+    PZMonitor *dbMon;
+};
+
+#endif
diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c
new file mode 100644
index 000000000..86ca97f2e
--- /dev/null
+++ b/security/nss/lib/softoken/lowcert.c
@@ -0,0 +1,439 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Certificate handling code
+ *
+ * $Id$
+ */
+
+#include "nssilock.h"
+#include "prmon.h"
+#include "prtime.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+
+static const SEC_ASN1Template nsslowcert_CertKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSLOWCERTCertKey) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  0 },	/* version */ 
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSLOWCERTCertKey,serialNumber) },
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY,
+	  offsetof(NSSLOWCERTCertKey,derIssuer) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+static PZLock *pcertRefCountLock = NULL;
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    if ( pcertRefCountLock == NULL ) {
+	nss_InitLock(&pcertRefCountLock, nssILockRefLock);
+	PORT_Assert(pcertRefCountLock != NULL);
+    }
+    
+    PZ_Lock(pcertRefCountLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+void
+nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(pcertRefCountLock != NULL);
+    
+    prstat = PZ_Unlock(pcertRefCountLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+    if (c) {
+	nsslowcert_LockCertRefCount(c);
+	++c->referenceCount;
+	nsslowcert_UnlockCertRefCount(c);
+    }
+    return c;
+}
+
+/*
+ * Allow use of default cert database, so that apps(such as mozilla) don't
+ * have to pass the handle all over the place.
+ */
+static NSSLOWCERTCertDBHandle *default_pcert_db_handle = 0;
+
+void
+nsslowcert_SetDefaultCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+    default_pcert_db_handle = handle;
+    
+    return;
+}
+
+NSSLOWCERTCertDBHandle *
+nsslowcert_GetDefaultCertDB(void)
+{
+    return(default_pcert_db_handle);
+}
+
+
+SECStatus
+nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    
+    /* convert DER not-before time */
+    rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter);
+    if (rv) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current UTC time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+#define SOFT_DEFAULT_CHUNKSIZE 2048
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    NSSLOWCERTCertificate *cert;
+    PRArenaPool *arena;
+    void *data;
+    int rv;
+    int len;
+    char *tmpname;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(SOFT_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return 0;
+    }
+
+    /* allocate the certificate structure */
+    cert = (NSSLOWCERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWCERTCertificate));
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+    cert->arena = arena;
+    
+    if ( copyDER ) {
+	/* copy the DER data for the cert into this arena */
+	data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
+	if ( !data ) {
+	    goto loser;
+	}
+	cert->derCert.data = (unsigned char *)data;
+	cert->derCert.len = derSignedCert->len;
+	PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
+    } else {
+	/* point to passed in DER data */
+	cert->derCert = *derSignedCert;
+    }
+
+
+    /*SECItem derCert;			/* original DER for the cert */
+    /*SECItem derIssuer;			/* DER for issuer name */
+    /*SECItem derSubject;			/* DER for subject name */
+    /*SECItem derPublicKey;		/* DER for the public key */
+    /*SECItem certKey;			/* database key for this cert */
+    /*SECItem version; */
+    /* SECItem serialNumber; */
+    /*NSSLOWCERTValidity validity; */
+    /*NSSLOWCERTSubjectPublicKeyInfo subjectPublicKeyInfo; */
+    /* char *emailAddr; */
+    /* NSSLOWCERTCertDBHandle *dbhandle; */
+    /* cert->subjectKeyID;	/* x509v3 subject key identifier */
+    cert->isperm = PR_TRUE;
+    cert->istemp = PR_FALSE;
+    cert->dbEntry = NULL;
+    cert ->trust = NULL;
+
+#ifdef notdef
+    /* these fields are used by client GUI code to keep track of ssl sockets
+     * that are blocked waiting on GUI feedback related to this cert.
+     * XXX - these should be moved into some sort of application specific
+     *       data structure.  They are only used by the browser right now.
+     */
+    struct SECSocketNode *socketlist;
+    int socketcount;
+    struct SECSocketNode *authsocketlist;
+    int authsocketcount;
+
+    /* This is PKCS #11 stuff. */
+    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
+    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
+    PRBool ownSlot;		/*true if the cert owns the slot reference */
+#endif
+
+#ifdef FIXME
+    /* generate and save the database key for the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, &cert->derCert, &cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+#endif
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	len = PORT_Strlen(nickname) + 1;
+	cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
+	if ( cert->nickname == NULL ) {
+	    goto loser;
+	}
+
+	PORT_Memcpy(cert->nickname, nickname, len);
+    }
+
+#ifdef FIXME
+    /* set the email address */
+    cert->emailAddr = CERT_GetCertificateEmailAddress(cert);
+    
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize keyUsage */
+    rv = GetKeyUsage(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the certType */
+    rv = CERT_GetCertType(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    tmpname = CERT_NameToAscii(&cert->subject);
+    if ( tmpname != NULL ) {
+	cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+    
+    tmpname = CERT_NameToAscii(&cert->issuer);
+    if ( tmpname != NULL ) {
+	cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+#endif
+    
+    cert->referenceCount = 1;
+    
+    return(cert);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+char *
+nsslowcert_FixupEmailAddr(char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
+			SECItem *key)
+{
+    key->len = sn->len + issuer->len;
+    
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    NSSLOWCERTSignedData sd;
+    NSSLOWCERTCertKey certkey;
+
+    PORT_Memset(&sd, 0, sizeof(NSSLOWCERTSignedData));    
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));    
+
+    rv = SEC_ASN1DecodeItem(arena, &sd, nsslowcert_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));
+    rv = SEC_ASN1DecodeItem(arena, &certkey, nsslowcert_CertKeyTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h
new file mode 100644
index 000000000..f004eb2e9
--- /dev/null
+++ b/security/nss/lib/softoken/pcert.h
@@ -0,0 +1,469 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CERTDB_H_
+#define _CERTDB_H_
+
+#include "plarena.h"
+#include "prlong.h"
+#include "pcertt.h"
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION		7
+#ifdef USE_NS_ROOTS
+#define CERT_DB_CONTENT_VERSION		28
+#else
+#define CERT_DB_CONTENT_VERSION		2
+#endif
+
+#define SEC_DB_ENTRY_HEADER_LEN		3
+#define SEC_DB_KEY_HEADER_LEN		1
+
+/* All database entries have this form:
+ * 	
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		type
+ *	2		flags
+ */
+
+/* database entry types */
+typedef enum {
+    certDBEntryTypeVersion = 0,
+    certDBEntryTypeCert = 1,
+    certDBEntryTypeNickname = 2,
+    certDBEntryTypeSubject = 3,
+    certDBEntryTypeRevocation = 4,
+    certDBEntryTypeKeyRevocation = 5,
+    certDBEntryTypeSMimeProfile = 6,
+    certDBEntryTypeContentVersion = 7
+} certDBEntryType;
+
+typedef struct {
+    certDBEntryType type;
+    unsigned int version;
+    unsigned int flags;
+    PRArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		sslFlags-msb
+ *	1		sslFlags-lsb
+ *	2		emailFlags-msb
+ *	3		emailFlags-lsb
+ *	4		objectSigningFlags-msb
+ *	5		objectSigningFlags-lsb
+ *	6		derCert-len-msb
+ *	7		derCert-len-lsb
+ *	8		nickname-len-msb
+ *	9		nickname-len-lsb
+ *	...		derCert
+ *	...		nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ *		nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+    certDBEntryCommon common;
+    NSSLOWCERTCertTrust trust;
+    SECItem derCert;
+    char *nickname;
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2...		subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *nickname;
+    SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		ncerts-msb
+ *	1		ncerts-lsb
+ *	2		nickname-msb
+ *	3		nickname-lsb
+ *	4		emailAddr-msb
+ *	5		emailAddr-lsb
+ *	...		nickname
+ *	...		emailAddr
+ *	...+2*i		certkey-len-msb
+ *	...+1+2*i       certkey-len-lsb
+ *	...+2*ncerts+2*i keyid-len-msb
+ *	...+1+2*ncerts+2*i keyid-len-lsb
+ *	...		certkeys
+ *	...		keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of  certificate database lookup keys that
+ *   points to the database entries for the certificates that matche
+ *   this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+    certDBEntryCommon common;
+    SECItem derSubject;
+    unsigned int ncerts;
+    char *nickname;
+    char *emailAddr;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2		smimeoptions-len-msb
+ *	3		smimeoptions-len-lsb
+ *	4		options-date-len-msb
+ *	5		options-date-len-lsb
+ *	6...		subjectname
+ *	...		smimeoptions
+ *	...		options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ *   capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ *   This is generally the signing time of the signed message that contained
+ *   the options.  It is a UTCTime value.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *emailAddr;
+    SECItem subjectName;
+    SECItem smimeOptions;
+    SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		derCert-len-msb
+ *	1		derCert-len-lsb
+ *	2		url-len-msb
+ *	3		url-len-lsb
+ *	...		derCert
+ *	...		url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present. 
+ * NOTE: if url is not present, then url-len-msb and
+ *		url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN	4
+struct _certDBEntryRevocation {
+    certDBEntryCommon common;
+    SECItem	derCrl;
+    char	*url;	/* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+    certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+    certDBEntryCommon common;
+    certDBEntryVersion version;
+    certDBEntryCert cert;
+    certDBEntryNickname nickname;
+    certDBEntrySubject subject;
+    certDBEntryRevocation revocation;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN	7
+#define DB_CERT_V5_ENTRY_HEADER_LEN	7
+#define DB_CERT_V6_ENTRY_HEADER_LEN	7
+#define DB_CERT_ENTRY_HEADER_LEN	10
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+
+SEC_BEGIN_PROTOS
+
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus SEC_AddPermCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+				char *nickname, NSSLOWCERTCertTrust *trust);
+
+certDBEntryCert *
+SEC_FindPermCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
+
+certDBEntryCert
+*SEC_FindPermCertByName(NSSLOWCERTCertDBHandle *handle, SECItem *name);
+
+#ifdef notdef
+SECStatus SEC_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle,
+			     PRBool readOnly,
+			     NSSLOWCERTDBNameFunc namecb,
+			     void *cbarg);
+#endif
+
+SECStatus SEC_DeletePermCertificate(NSSLOWCERTCertificate *cert);
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+SECStatus
+SEC_AddTempNickname(NSSLOWCERTCertDBHandle *handle, char *nickname, SECItem *certKey);
+
+SECStatus
+SEC_DeleteTempNickname(NSSLOWCERTCertDBHandle *handle, char *nickname);
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 NSSLOWCERTCertDBHandle *handle);
+
+PRBool
+SEC_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
+
+SECStatus
+SEC_GetCrlTimes(NSSLOWCERTCrl *dates, PRTime *notBefore, PRTime *notAfter);
+
+SECCertTimeValidity
+SEC_CheckCrlTimes(NSSLOWCERTCrl *crl, PRTime t);
+
+PRBool
+SEC_CrlIsNewer(NSSLOWCERTCrl *inNew, NSSLOWCERTCrl *old);
+
+NSSLOWCERTSignedCrl *
+SEC_AddPermCrlToTemp(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry);
+
+SECStatus
+SEC_DeleteTempCrl(NSSLOWCERTSignedCrl *crl);
+
+NSSLOWCERTSignedCrl *
+SEC_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+NSSLOWCERTSignedCrl *
+SEC_FindCrlByName(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+NSSLOWCERTSignedCrl *
+SEC_FindCrlByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, int type);
+
+SECStatus 
+SEC_DestroyCrl(NSSLOWCERTSignedCrl *crl);
+
+NSSLOWCERTSignedCrl *
+SEC_NewCrl(NSSLOWCERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
+
+NSSLOWCERTSignedCrl *
+cert_DBInsertCRL
+   (NSSLOWCERTCertDBHandle *handle, char *url,
+    NSSLOWCERTSignedCrl *newCrl, SECItem *derCrl, int type);
+
+#ifdef ntodef
+SECStatus
+SEC_CheckKRL(NSSLOWCERTCertDBHandle *handle,NSSLOWKEYPublicKey *key,
+	     NSSLOWCERTCertificate *rootCert, int64 t, void *wincx);
+
+SECStatus
+SEC_CheckCRL(NSSLOWCERTCertDBHandle *handle,NSSLOWCERTCertificate *cert,
+	     NSSLOWCERTCertificate *caCert, int64 t, void *wincx);
+
+SECStatus
+SEC_DeletePermCRL(NSSLOWCERTSignedCrl *crl);
+
+
+SECStatus
+SEC_LookupCrls(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCrlHeadNode **nodes, int type);
+
+SECStatus
+SEC_CrlReplaceUrl(NSSLOWCERTSignedCrl *crl,char *url);
+#endif
+
+NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
+NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
+
+NSSLOWCERTCertificate *
+nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+                        char *nickname, PRBool isperm, PRBool copyDER);
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+
+/*
+ * Lookup a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKeyNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/* convert an email address to lower case */
+char *nsslowcert_FixupEmailAddr(char *emailAddr);
+
+/*
+** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
+**      "derSignedCert" is the DER encoded signed certificate
+**      "copyDER" is true if the DER should be copied, false if the
+**              existing copy should be referenced
+**      "nickname" is the nickname to use in the database.  If it is NULL
+**              then a temporary nickname is generated.
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
+/*
+** Decode a DER encoded CRL/KRL into an NSSLOWCERTSignedCrl structure
+**      "derSignedCrl" is the DER encoded signed crl/krl.
+**      "type" is this a CRL or KRL.
+*/
+#define SEC_CRL_TYPE    1
+#define SEC_KRL_TYPE    0
+
+extern NSSLOWCERTSignedCrl *
+nsslowcert_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
+
+/*
+** Delete a certificate from the temporary database
+**      "cert" is the certificate to be deleted
+*/
+extern SECStatus nsslowcert_DeleteTempCertificate(NSSLOWCERTCertificate *cert);
+
+
+
+
+SEC_END_PROTOS
+
+ #endif /* _CERTDB_H_ */
diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h
new file mode 100644
index 000000000..d3b34910e
--- /dev/null
+++ b/security/nss/lib/softoken/pcertt.h
@@ -0,0 +1,280 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _NSSLOWCERTT_H_
+#define _NSSLOWCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
+typedef struct NSSLOWCERTCertListStr                   NSSLOWCERTCertList;
+typedef struct NSSLOWCERTCertListNodeStr               NSSLOWCERTCertListNode;
+typedef struct NSSLOWCERTCertNicknamesStr              NSSLOWCERTCertNicknames;
+typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTCrlStr                        NSSLOWCERTCrl;
+typedef struct NSSLOWCERTCrlKeyStr                     NSSLOWCERTCrlKey;
+typedef struct NSSLOWCERTCrlNodeStr                    NSSLOWCERTCrlNode;
+typedef struct NSSLOWCERTDERCertsStr                   NSSLOWCERTDERCerts;
+typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTNameStr                       NSSLOWCERTName;
+typedef struct NSSLOWCERTSignedCrlStr                  NSSLOWCERTSignedCrl;
+typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+ * defined the types of trust that exist
+ */
+typedef enum {
+    trustSSL = 0,
+    trustEmail = 1,
+    trustObjectSigning = 2,
+    trustTypeNone = 3
+} SECTrustType;
+
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+        (((type)==trustSSL)?((trust)->sslFlags): \
+	 (((type)==trustEmail)?((trust)->emailFlags): \
+	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    PRArenaPool *arena;
+    NSSLOWCERTCertDBHandle *dbhandle;
+
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem serialNumber;
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derPublicKey;		/* DER for the public key */
+    NSSLOWCERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem certKey;			/* database key for this cert */
+    SECItem version;
+    NSSLOWCERTValidity validity;
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    char *nickname;
+    char *emailAddr;
+    NSSLOWCERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+/*
+ * used to identify class of cert in mime stream code
+ */
+#define SEC_CERT_CLASS_CA	1
+#define SEC_CERT_CLASS_SERVER	2
+#define SEC_CERT_CLASS_USER	3
+#define SEC_CERT_CLASS_EMAIL	4
+
+struct NSSLOWCERTDERCertsStr {
+    PRArenaPool *arena;
+    int numcerts;
+    SECItem *rawCerts;
+};
+
+
+
+struct NSSLOWCERTCrlStr {
+    PRArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID signatureAlg;
+    SECItem derName;
+};
+
+struct NSSLOWCERTCrlKeyStr {
+    SECItem derName;
+    SECItem dummy;			/* The decoder can not skip a primitive,
+					   this serves as a place holder for the
+					   decoder to finish its task only
+					*/
+};
+
+struct NSSLOWCERTSignedCrlStr {
+    PRArenaPool *arena;
+    NSSLOWCERTCrl crl;
+    certDBEntryRevocation *dbEntry;	/* database entry struct */
+    PRBool keep;			/* keep this crl in the cache for the  session*/
+    PRBool isperm;
+    PRBool istemp;
+    int referenceCount;
+    NSSLOWCERTCertDBHandle *dbhandle;
+    NSSLOWCERTSignedData signatureWrap;	/* XXX */
+    char *url;
+};
+
+/*
+ * Does the cert belong to the user, a peer, or a CA.
+ */
+typedef enum {
+    certOwnerUser = 0,
+    certOwnerPeer = 1,
+    certOwnerCA = 2
+} NSSLOWCERTCertOwner;
+
+/*
+ * This enum represents the state of validity times of a certificate
+ */
+typedef enum {
+    secCertTimeValid = 0,
+    secCertTimeExpired = 1,
+    secCertTimeNotValidYet = 2
+} SECCertTimeValidity;
+
+/*
+ * Interface for getting certificate nickname strings out of the database
+ */
+
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL		1
+#define SEC_CERT_NICKNAMES_USER		2
+#define SEC_CERT_NICKNAMES_SERVER	3
+#define SEC_CERT_NICKNAMES_CA		4
+
+struct NSSLOWCERTCertNicknamesStr {
+    PRArenaPool *arena;
+    void *head;
+    int numnicknames;
+    char **nicknames;
+    int what;
+    int totallen;
+};
+
+struct NSSLOWCERTIssuerAndSNStr {
+    SECItem derIssuer;
+    SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template nsslowcert_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template nsslowcert_SignedDataTemplate[];
+extern const SEC_ASN1Template NSSLOWKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowcert_ValidityTemplate[];
+
+SEC_END_PROTOS
+
+#endif /* _CERTT_H_ */