author | relyea%netscape.com <devnull@localhost> | 2001-09-27 00:06:44 +0000 |
---|---|---|
committer | relyea%netscape.com <devnull@localhost> | 2001-09-27 00:06:44 +0000 |
commit | a8ec2bb9835adfc3acedb89b5936aa426ba4b422 (patch) | |
tree | 2e3fa0dbd5e9631e3d24d4513fe12e3438bc414b | |
parent | da4f740611bdd606bbc7e71f6d12e97f974ce628 (diff) | |
Move low level cert headers into softoken.
-rw-r--r-- | security/nss/lib/softoken/cdbhdl.h | 56 | ||||
-rw-r--r-- | security/nss/lib/softoken/lowcert.c | 439 | ||||
-rw-r--r-- | security/nss/lib/softoken/pcert.h | 469 | ||||
-rw-r--r-- | security/nss/lib/softoken/pcertt.h | 280 |
4 files changed, 1244 insertions, 0 deletions
diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h
new file mode 100644
index 000000000..4f47d7bc3
--- /dev/null
+++ b/security/nss/lib/softoken/cdbhdl.h
@@ -0,0 +1,56 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * cdbhdl.h - certificate database handle
+ * private to the certdb module
+ *
+ * $Id$
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+ DB *permCertDB;
+ DB *tempCertDB;
+ void *spkDigestInfo;
+ PZMonitor *dbMon;
+};
+
+#endif
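Review bot: The four members of NSSLOWCERTCertDBHandleStr are undocumented, and `void *spkDigestInfo` in particular tells a reader neither what it points to nor who owns and frees it, which is exactly the information that matters for a handle shared through `dbMon`; a per-field comment naming the pointee type and the owner would make the struct self-describing. The file comment still reads `private to the certdb module` although the header now lives under softoken, so that line should be updated to name its new home.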
diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c
new file mode 100644
index 000000000..86ca97f2e
--- /dev/null
+++ b/security/nss/lib/softoken/lowcert.c
@@ -0,0 +1,439 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. 
+ */ + +/* + * Certificate handling code + * + * $Id$ + */ + +#include "nssilock.h" +#include "prmon.h" +#include "prtime.h" +#include "lowkeyi.h" +#include "pcert.h" + +static const SEC_ASN1Template nsslowcert_CertKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(NSSLOWCERTCertKey) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + 0 }, /* version */ + { SEC_ASN1_INTEGER, + offsetof(NSSLOWCERTCertKey,serialNumber) }, + { SEC_ASN1_SKIP }, /* signature algorithm */ + { SEC_ASN1_ANY, + offsetof(NSSLOWCERTCertKey,derIssuer) }, + { SEC_ASN1_SKIP_REST }, + { 0 } +}; + +static PZLock *pcertRefCountLock = NULL; + +/* + * Acquire the cert reference count lock + * There is currently one global lock for all certs, but I'm putting a cert + * arg here so that it will be easy to make it per-cert in the future if + * that turns out to be necessary. + */ +void +nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert) +{ + if ( pcertRefCountLock == NULL ) { + nss_InitLock(&pcertRefCountLock, nssILockRefLock); + PORT_Assert(pcertRefCountLock != NULL); + } + + PZ_Lock(pcertRefCountLock); + return; +} + +/* + * Free the cert reference count lock + */ +void +nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert) +{ + PRStatus prstat; + + PORT_Assert(pcertRefCountLock != NULL); + + prstat = PZ_Unlock(pcertRefCountLock); + + PORT_Assert(prstat == PR_SUCCESS); + + return; +} + + +NSSLOWCERTCertificate * +nsslowcert_DupCertificate(NSSLOWCERTCertificate *c) +{ + if (c) { + nsslowcert_LockCertRefCount(c); + ++c->referenceCount; + nsslowcert_UnlockCertRefCount(c); + } + return c; +} + +/* + * Allow use of default cert database, so that apps(such as mozilla) don't + * have to pass the handle all over the place. 
+ */ +static NSSLOWCERTCertDBHandle *default_pcert_db_handle = 0; + +void +nsslowcert_SetDefaultCertDB(NSSLOWCERTCertDBHandle *handle) +{ + default_pcert_db_handle = handle; + + return; +} + +NSSLOWCERTCertDBHandle * +nsslowcert_GetDefaultCertDB(void) +{ + return(default_pcert_db_handle); +} + + +SECStatus +nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter) +{ + int rv; + + /* convert DER not-before time */ + rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore); + if (rv) { + return(SECFailure); + } + + /* convert DER not-after time */ + rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter); + if (rv) { + return(SECFailure); + } + + return(SECSuccess); +} + +/* + * is certa newer than certb? If one is expired, pick the other one. + */ +PRBool +nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb) +{ + PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now; + SECStatus rv; + PRBool newerbefore, newerafter; + + rv = nsslowcert_GetCertTimes(certa, ¬BeforeA, ¬AfterA); + if ( rv != SECSuccess ) { + return(PR_FALSE); + } + + rv = nsslowcert_GetCertTimes(certb, ¬BeforeB, ¬AfterB); + if ( rv != SECSuccess ) { + return(PR_TRUE); + } + + newerbefore = PR_FALSE; + if ( LL_CMP(notBeforeA, >, notBeforeB) ) { + newerbefore = PR_TRUE; + } + + newerafter = PR_FALSE; + if ( LL_CMP(notAfterA, >, notAfterB) ) { + newerafter = PR_TRUE; + } + + if ( newerbefore && newerafter ) { + return(PR_TRUE); + } + + if ( ( !newerbefore ) && ( !newerafter ) ) { + return(PR_FALSE); + } + + /* get current UTC time */ + now = PR_Now(); + + if ( newerbefore ) { + /* cert A was issued after cert B, but expires sooner */ + /* if A is expired, then pick B */ + if ( LL_CMP(notAfterA, <, now ) ) { + return(PR_FALSE); + } + return(PR_TRUE); + } else { + /* cert B was issued after cert A, but expires sooner */ + /* if B is expired, then pick A */ + if ( LL_CMP(notAfterB, <, now ) ) { + return(PR_TRUE); + } + return(PR_FALSE); + } +} + 
+#define SOFT_DEFAULT_CHUNKSIZE 2048 + +/* + * take a DER certificate and decode it into a certificate structure + */ +NSSLOWCERTCertificate * +nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, + char *nickname) +{ + NSSLOWCERTCertificate *cert; + PRArenaPool *arena; + void *data; + int rv; + int len; + char *tmpname; + + /* make a new arena */ + arena = PORT_NewArena(SOFT_DEFAULT_CHUNKSIZE); + + if ( !arena ) { + return 0; + } + + /* allocate the certificate structure */ + cert = (NSSLOWCERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWCERTCertificate)); + + if ( !cert ) { + goto loser; + } + + cert->arena = arena; + + if ( copyDER ) { + /* copy the DER data for the cert into this arena */ + data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len); + if ( !data ) { + goto loser; + } + cert->derCert.data = (unsigned char *)data; + cert->derCert.len = derSignedCert->len; + PORT_Memcpy(data, derSignedCert->data, derSignedCert->len); + } else { + /* point to passed in DER data */ + cert->derCert = *derSignedCert; + } + + + /*SECItem derCert; /* original DER for the cert */ + /*SECItem derIssuer; /* DER for issuer name */ + /*SECItem derSubject; /* DER for subject name */ + /*SECItem derPublicKey; /* DER for the public key */ + /*SECItem certKey; /* database key for this cert */ + /*SECItem version; */ + /* SECItem serialNumber; */ + /*NSSLOWCERTValidity validity; */ + /*NSSLOWCERTSubjectPublicKeyInfo subjectPublicKeyInfo; */ + /* char *emailAddr; */ + /* NSSLOWCERTCertDBHandle *dbhandle; */ + /* cert->subjectKeyID; /* x509v3 subject key identifier */ + cert->isperm = PR_TRUE; + cert->istemp = PR_FALSE; + cert->dbEntry = NULL; + cert ->trust = NULL; + +#ifdef notdef + /* these fields are used by client GUI code to keep track of ssl sockets + * that are blocked waiting on GUI feedback related to this cert. + * XXX - these should be moved into some sort of application specific + * data structure. They are only used by the browser right now. 
+ */ + struct SECSocketNode *socketlist; + int socketcount; + struct SECSocketNode *authsocketlist; + int authsocketcount; + + /* This is PKCS #11 stuff. */ + PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ + CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ + PRBool ownSlot; /*true if the cert owns the slot reference */ +#endif + +#ifdef FIXME + /* generate and save the database key for the cert */ + rv = nsslowcert_KeyFromDERCert(arena, &cert->derCert, &cert->certKey); + if ( rv ) { + goto loser; + } +#endif + + /* set the nickname */ + if ( nickname == NULL ) { + cert->nickname = NULL; + } else { + /* copy and install the nickname */ + len = PORT_Strlen(nickname) + 1; + cert->nickname = (char*)PORT_ArenaAlloc(arena, len); + if ( cert->nickname == NULL ) { + goto loser; + } + + PORT_Memcpy(cert->nickname, nickname, len); + } + +#ifdef FIXME + /* set the email address */ + cert->emailAddr = CERT_GetCertificateEmailAddress(cert); + + /* initialize the subjectKeyID */ + rv = cert_GetKeyID(cert); + if ( rv != SECSuccess ) { + goto loser; + } + + /* initialize keyUsage */ + rv = GetKeyUsage(cert); + if ( rv != SECSuccess ) { + goto loser; + } + + /* initialize the certType */ + rv = CERT_GetCertType(cert); + if ( rv != SECSuccess ) { + goto loser; + } + + tmpname = CERT_NameToAscii(&cert->subject); + if ( tmpname != NULL ) { + cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname); + PORT_Free(tmpname); + } + + tmpname = CERT_NameToAscii(&cert->issuer); + if ( tmpname != NULL ) { + cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname); + PORT_Free(tmpname); + } +#endif + + cert->referenceCount = 1; + + return(cert); + +loser: + + if ( arena ) { + PORT_FreeArena(arena, PR_FALSE); + } + + return(0); +} + +char * +nsslowcert_FixupEmailAddr(char *emailAddr) +{ + char *retaddr; + char *str; + + if ( emailAddr == NULL ) { + return(NULL); + } + + /* copy the string */ + str = retaddr = PORT_Strdup(emailAddr); + if ( str == NULL ) 
{ + return(NULL); + } + + /* make it lower case */ + while ( *str ) { + *str = tolower( *str ); + str++; + } + + return(retaddr); +} + +static SECStatus +nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn, + SECItem *key) +{ + key->len = sn->len + issuer->len; + + key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len); + if ( !key->data ) { + goto loser; + } + + /* copy the serialNumber */ + PORT_Memcpy(key->data, sn->data, sn->len); + + /* copy the issuer */ + PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); + + return(SECSuccess); + +loser: + return(SECFailure); +} + +/* + * Generate a database key, based on serial number and issuer, from a + * DER certificate. + */ +SECStatus +nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key) +{ + int rv; + NSSLOWCERTSignedData sd; + NSSLOWCERTCertKey certkey; + + PORT_Memset(&sd, 0, sizeof(NSSLOWCERTSignedData)); + PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey)); + + rv = SEC_ASN1DecodeItem(arena, &sd, nsslowcert_SignedDataTemplate, derCert); + + if ( rv ) { + goto loser; + } + + PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey)); + rv = SEC_ASN1DecodeItem(arena, &certkey, nsslowcert_CertKeyTemplate, &sd.data); + + if ( rv ) { + goto loser; + } + + return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer, + &certkey.serialNumber, key)); +loser: + return(SECFailure); +} diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h new file mode 100644 index 000000000..f004eb2e9 --- /dev/null +++ b/security/nss/lib/softoken/pcert.h 
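Review bot: nsslowcert_FixupEmailAddr passes a plain `char` to `tolower()`, which is undefined for negative values as soon as a non-ASCII byte appears in the address, and the address is data taken from a certificate rather than something the library controls; cast first, `*str = tolower((unsigned char)*str);`. In nsslowcert_DecodeDERCertificate the block of commented-out field declarations nests `/*` inside an already open comment (`/*SECItem derCert; /* original DER for the cert */`), which compilers warn about, and the locals `rv` and `tmpname` are referenced only inside `#ifdef FIXME`, so they are unused-variable warnings in the built code; the dead declarations should simply go. With the `#ifdef FIXME` key derivation disabled, the returned cert's `certKey` is left at the zero fill from PORT_ArenaZAlloc, which is worth stating in the function comment (`/* NOTE: certKey is not derived here; callers must fill it or re-enable nsslowcert_KeyFromDERCert */`) so a database lookup on an empty key is not mistaken for a bug elsewhere. The unlocked `pcertRefCountLock == NULL` test before nss_InitLock in nsslowcert_LockCertRefCount is only safe if nss_InitLock itself serializes creation, which I cannot confirm from this hunk; a one-line comment recording that assumption would help the next reader.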
@@ -0,0 +1,469 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. 
+ */ + +#ifndef _CERTDB_H_ +#define _CERTDB_H_ + +#include "plarena.h" +#include "prlong.h" +#include "pcertt.h" +/* + * Certificate Database related definitions and data structures + */ + +/* version number of certificate database */ +#define CERT_DB_FILE_VERSION 7 +#ifdef USE_NS_ROOTS +#define CERT_DB_CONTENT_VERSION 28 +#else +#define CERT_DB_CONTENT_VERSION 2 +#endif + +#define SEC_DB_ENTRY_HEADER_LEN 3 +#define SEC_DB_KEY_HEADER_LEN 1 + +/* All database entries have this form: + * + * byte offset field + * ----------- ----- + * 0 version + * 1 type + * 2 flags + */ + +/* database entry types */ +typedef enum { + certDBEntryTypeVersion = 0, + certDBEntryTypeCert = 1, + certDBEntryTypeNickname = 2, + certDBEntryTypeSubject = 3, + certDBEntryTypeRevocation = 4, + certDBEntryTypeKeyRevocation = 5, + certDBEntryTypeSMimeProfile = 6, + certDBEntryTypeContentVersion = 7 +} certDBEntryType; + +typedef struct { + certDBEntryType type; + unsigned int version; + unsigned int flags; + PRArenaPool *arena; +} certDBEntryCommon; + +/* + * Certificate entry: + * + * byte offset field + * ----------- ----- + * 0 sslFlags-msb + * 1 sslFlags-lsb + * 2 emailFlags-msb + * 3 emailFlags-lsb + * 4 objectSigningFlags-msb + * 5 objectSigningFlags-lsb + * 6 derCert-len-msb + * 7 derCert-len-lsb + * 8 nickname-len-msb + * 9 nickname-len-lsb + * ... derCert + * ... nickname + * + * NOTE: the nickname string as stored in the database is null terminated, + * in other words, the last byte of the db entry is always 0 + * if a nickname is present. + * NOTE: if nickname is not present, then nickname-len-msb and + * nickname-len-lsb will both be zero. + */ +struct _certDBEntryCert { + certDBEntryCommon common; + NSSLOWCERTCertTrust trust; + SECItem derCert; + char *nickname; +}; + +/* + * Certificate Nickname entry: + * + * byte offset field + * ----------- ----- + * 0 subjectname-len-msb + * 1 subjectname-len-lsb + * 2... 
subjectname + * + * The database key for this type of entry is a nickname string + * The "subjectname" value is the DER encoded DN of the identity + * that matches this nickname. + */ +typedef struct { + certDBEntryCommon common; + char *nickname; + SECItem subjectName; +} certDBEntryNickname; + +#define DB_NICKNAME_ENTRY_HEADER_LEN 2 + +/* + * Certificate Subject entry: + * + * byte offset field + * ----------- ----- + * 0 ncerts-msb + * 1 ncerts-lsb + * 2 nickname-msb + * 3 nickname-lsb + * 4 emailAddr-msb + * 5 emailAddr-lsb + * ... nickname + * ... emailAddr + * ...+2*i certkey-len-msb + * ...+1+2*i certkey-len-lsb + * ...+2*ncerts+2*i keyid-len-msb + * ...+1+2*ncerts+2*i keyid-len-lsb + * ... certkeys + * ... keyids + * + * The database key for this type of entry is the DER encoded subject name + * The "certkey" value is an array of certificate database lookup keys that + * points to the database entries for the certificates that matche + * this subject. + * + */ +typedef struct _certDBEntrySubject { + certDBEntryCommon common; + SECItem derSubject; + unsigned int ncerts; + char *nickname; + char *emailAddr; + SECItem *certKeys; + SECItem *keyIDs; +} certDBEntrySubject; + +#define DB_SUBJECT_ENTRY_HEADER_LEN 6 + +/* + * Certificate SMIME profile entry: + * + * byte offset field + * ----------- ----- + * 0 subjectname-len-msb + * 1 subjectname-len-lsb + * 2 smimeoptions-len-msb + * 3 smimeoptions-len-lsb + * 4 options-date-len-msb + * 5 options-date-len-lsb + * 6... subjectname + * ... smimeoptions + * ... options-date + * + * The database key for this type of entry is the email address string + * The "subjectname" value is the DER encoded DN of the identity + * that matches this nickname. + * The "smimeoptions" value is a string that represents the algorithm + * capabilities on the remote user. + * The "options-date" is the date that the smime options value was created. 
+ * This is generally the signing time of the signed message that contained + * the options. It is a UTCTime value. + */ +typedef struct { + certDBEntryCommon common; + char *emailAddr; + SECItem subjectName; + SECItem smimeOptions; + SECItem optionsDate; +} certDBEntrySMime; + +#define DB_SMIME_ENTRY_HEADER_LEN 6 + +/* + * Crl/krl entry: + * + * byte offset field + * ----------- ----- + * 0 derCert-len-msb + * 1 derCert-len-lsb + * 2 url-len-msb + * 3 url-len-lsb + * ... derCert + * ... url + * + * NOTE: the url string as stored in the database is null terminated, + * in other words, the last byte of the db entry is always 0 + * if a nickname is present. + * NOTE: if url is not present, then url-len-msb and + * url-len-lsb will both be zero. + */ +#define DB_CRL_ENTRY_HEADER_LEN 4 +struct _certDBEntryRevocation { + certDBEntryCommon common; + SECItem derCrl; + char *url; /* where to load the crl from */ +}; + +/* + * Database Version Entry: + * + * byte offset field + * ----------- ----- + * only the low level header... 
+ * + * The database key for this type of entry is the string "Version" + */ +typedef struct { + certDBEntryCommon common; +} certDBEntryVersion; + +#define SEC_DB_VERSION_KEY "Version" +#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY) + +/* + * Database Content Version Entry: + * + * byte offset field + * ----------- ----- + * 0 contentVersion + * + * The database key for this type of entry is the string "ContentVersion" + */ +typedef struct { + certDBEntryCommon common; + char contentVersion; +} certDBEntryContentVersion; + +#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion" +#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY) + +typedef union { + certDBEntryCommon common; + certDBEntryVersion version; + certDBEntryCert cert; + certDBEntryNickname nickname; + certDBEntrySubject subject; + certDBEntryRevocation revocation; +} certDBEntry; + +/* length of the fixed part of a database entry */ +#define DBCERT_V4_HEADER_LEN 7 +#define DB_CERT_V5_ENTRY_HEADER_LEN 7 +#define DB_CERT_V6_ENTRY_HEADER_LEN 7 +#define DB_CERT_ENTRY_HEADER_LEN 10 + +/* common flags for all types of certificates */ +#define CERTDB_VALID_PEER (1<<0) +#define CERTDB_TRUSTED (1<<1) +#define CERTDB_SEND_WARN (1<<2) +#define CERTDB_VALID_CA (1<<3) +#define CERTDB_TRUSTED_CA (1<<4) /* trusted for issuing server certs */ +#define CERTDB_NS_TRUSTED_CA (1<<5) +#define CERTDB_USER (1<<6) +#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */ +#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */ +#define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */ + +SEC_BEGIN_PROTOS + +/* +** Add a DER encoded certificate to the permanent database. +** "derCert" is the DER encoded certificate. 
+** "nickname" is the nickname to use for the cert +** "trust" is the trust parameters for the cert +*/ +SECStatus SEC_AddPermCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert, + char *nickname, NSSLOWCERTCertTrust *trust); + +certDBEntryCert * +SEC_FindPermCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey); + +certDBEntryCert +*SEC_FindPermCertByName(NSSLOWCERTCertDBHandle *handle, SECItem *name); + +#ifdef notdef +SECStatus SEC_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, + PRBool readOnly, + NSSLOWCERTDBNameFunc namecb, + void *cbarg); +#endif + +SECStatus SEC_DeletePermCertificate(NSSLOWCERTCertificate *cert); + +typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert, + SECItem *k, void *pdata); +/* +** Traverse the entire permanent database, and pass the certs off to a +** user supplied function. +** "certfunc" is the user function to call for each certificate +** "udata" is the user's data, which is passed through to "certfunc" +*/ +SECStatus +nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle, + PermCertCallback certfunc, + void *udata ); + +SECStatus +SEC_AddTempNickname(NSSLOWCERTCertDBHandle *handle, char *nickname, SECItem *certKey); + +SECStatus +SEC_DeleteTempNickname(NSSLOWCERTCertDBHandle *handle, char *nickname); + +PRBool +SEC_CertNicknameConflict(char *nickname, SECItem *derSubject, + NSSLOWCERTCertDBHandle *handle); + +PRBool +SEC_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle); + +SECStatus +SEC_GetCrlTimes(NSSLOWCERTCrl *dates, PRTime *notBefore, PRTime *notAfter); + +SECCertTimeValidity +SEC_CheckCrlTimes(NSSLOWCERTCrl *crl, PRTime t); + +PRBool +SEC_CrlIsNewer(NSSLOWCERTCrl *inNew, NSSLOWCERTCrl *old); + +NSSLOWCERTSignedCrl * +SEC_AddPermCrlToTemp(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry); + +SECStatus +SEC_DeleteTempCrl(NSSLOWCERTSignedCrl *crl); + +NSSLOWCERTSignedCrl * +SEC_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, int type); 
+ +NSSLOWCERTSignedCrl * +SEC_FindCrlByName(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, int type); + +NSSLOWCERTSignedCrl * +SEC_FindCrlByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, int type); + +SECStatus +SEC_DestroyCrl(NSSLOWCERTSignedCrl *crl); + +NSSLOWCERTSignedCrl * +SEC_NewCrl(NSSLOWCERTCertDBHandle *handle, char *url, SECItem *derCrl, int type); + +NSSLOWCERTSignedCrl * +cert_DBInsertCRL + (NSSLOWCERTCertDBHandle *handle, char *url, + NSSLOWCERTSignedCrl *newCrl, SECItem *derCrl, int type); + +#ifdef ntodef +SECStatus +SEC_CheckKRL(NSSLOWCERTCertDBHandle *handle,NSSLOWKEYPublicKey *key, + NSSLOWCERTCertificate *rootCert, int64 t, void *wincx); + +SECStatus +SEC_CheckCRL(NSSLOWCERTCertDBHandle *handle,NSSLOWCERTCertificate *cert, + NSSLOWCERTCertificate *caCert, int64 t, void *wincx); + +SECStatus +SEC_DeletePermCRL(NSSLOWCERTSignedCrl *crl); + + +SECStatus +SEC_LookupCrls(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCrlHeadNode **nodes, int type); + +SECStatus +SEC_CrlReplaceUrl(NSSLOWCERTSignedCrl *crl,char *url); +#endif + +NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB(); +NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *); + +NSSLOWCERTCertificate * +nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert, + char *nickname, PRBool isperm, PRBool copyDER); +NSSLOWCERTCertificate * +nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert); +void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert); + +/* + * Lookup a certificate in the databases without locking + * "certKey" is the database key to look for + * + * XXX - this should be internal, but pkcs 11 needs to call it during a + * traversal. + */ +NSSLOWCERTCertificate * +nsslowcert_FindCertByKeyNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *certKey); + +/* +** Generate a certificate key from the issuer and serialnumber, then look it +** up in the database. Return the cert if found. 
+** "issuerAndSN" is the issuer and serial number to look for +*/ +extern NSSLOWCERTCertificate * +nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN); + +/* +** Find a certificate in the database by a DER encoded certificate +** "derCert" is the DER encoded certificate +*/ +extern NSSLOWCERTCertificate * +nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert); + +/* convert an email address to lower case */ +char *nsslowcert_FixupEmailAddr(char *emailAddr); + +/* +** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure +** "derSignedCert" is the DER encoded signed certificate +** "copyDER" is true if the DER should be copied, false if the +** existing copy should be referenced +** "nickname" is the nickname to use in the database. If it is NULL +** then a temporary nickname is generated. +*/ +extern NSSLOWCERTCertificate * +nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname); +/* +** Decode a DER encoded CRL/KRL into an NSSLOWCERTSignedCrl structure +** "derSignedCrl" is the DER encoded signed crl/krl. +** "type" is this a CRL or KRL. +*/ +#define SEC_CRL_TYPE 1 +#define SEC_KRL_TYPE 0 + +extern NSSLOWCERTSignedCrl * +nsslowcert_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type); + +/* +** Delete a certificate from the temporary database +** "cert" is the certificate to be deleted +*/ +extern SECStatus nsslowcert_DeleteTempCertificate(NSSLOWCERTCertificate *cert); + + + + +SEC_END_PROTOS + + #endif /* _CERTDB_H_ */ diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h new file mode 100644 index 000000000..d3b34910e --- /dev/null +++ b/security/nss/lib/softoken/pcertt.h 
@@ -0,0 +1,280 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _NSSLOWCERTT_H_
+#define _NSSLOWCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;
+typedef struct NSSLOWCERTCertListStr NSSLOWCERTCertList;
+typedef struct NSSLOWCERTCertListNodeStr NSSLOWCERTCertListNode;
+typedef struct NSSLOWCERTCertNicknamesStr NSSLOWCERTCertNicknames;
+typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTCrlStr NSSLOWCERTCrl;
+typedef struct NSSLOWCERTCrlKeyStr NSSLOWCERTCrlKey;
+typedef struct NSSLOWCERTCrlNodeStr NSSLOWCERTCrlNode;
+typedef struct NSSLOWCERTDERCertsStr NSSLOWCERTDERCerts;
+typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTNameStr NSSLOWCERTName;
+typedef struct NSSLOWCERTSignedCrlStr NSSLOWCERTSignedCrl;
+typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+ PRArenaPool *arena;
+ SECItem notBefore;
+ SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+ SECItem serialNumber;
+ SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+ SECItem data;
+ SECAlgorithmID signatureAlgorithm;
+ SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+ PRArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+ unsigned int sslFlags;
+ unsigned int emailFlags;
+ unsigned int objectSigningFlags;
+};
+
+/*
+ * defined the types of trust that exist
+ */
+typedef enum {
+ trustSSL = 0,
+ trustEmail = 1,
+ trustObjectSigning = 2,
+ trustTypeNone = 3
+} SECTrustType;
+
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+ (((type)==trustSSL)?((trust)->sslFlags): \
+ (((type)==trustEmail)?((trust)->emailFlags): \
+ (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+ /* the arena is used to allocate any data structures that have the same
+ * lifetime as the cert. This is all stuff that hangs off of the cert
+ * structure, and is all freed at the same time. I is used when the
+ * cert is decoded, destroyed, and at some times when it changes
+ * state
+ */
+ PRArenaPool *arena;
+ NSSLOWCERTCertDBHandle *dbhandle;
+
+ SECItem derCert; /* original DER for the cert */
+ SECItem derIssuer; /* DER for issuer name */
+ SECItem serialNumber;
+ SECItem derSubject; /* DER for subject name */
+ SECItem derPublicKey; /* DER for the public key */
+ NSSLOWCERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+ SECItem certKey; /* database key for this cert */
+ SECItem version;
+ NSSLOWCERTValidity validity;
+ certDBEntryCert *dbEntry; /* database entry struct */
+ SECItem subjectKeyID; /* x509v3 subject key identifier */
+ char *nickname;
+ char *emailAddr;
+ NSSLOWCERTCertTrust *trust;
+
+ /* the reference count is modified whenever someone looks up, dups
+ * or destroys a certificate
+ */
+ int referenceCount;
+};
+#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
+#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
+#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
+
+#define SEC_CRL_VERSION_1 0 /* default */
+#define SEC_CRL_VERSION_2 1 /* v2 extensions */
+
+/*
+ * used to identify class of cert in mime stream code
+ */
+#define SEC_CERT_CLASS_CA 1
+#define SEC_CERT_CLASS_SERVER 2
+#define SEC_CERT_CLASS_USER 3
+#define SEC_CERT_CLASS_EMAIL 4
+
+struct NSSLOWCERTDERCertsStr {
+ PRArenaPool *arena;
+ int numcerts;
+ SECItem *rawCerts;
+};
+
+
+
+struct NSSLOWCERTCrlStr {
+ PRArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID signatureAlg;
+ SECItem derName;
+};
+
+struct NSSLOWCERTCrlKeyStr {
+ SECItem derName;
+ SECItem dummy; /* The decoder can not skip a primitive,
+ this serves as a place holder for the
+ decoder to finish its task only
+ */
+};
+
+struct NSSLOWCERTSignedCrlStr {
+ PRArenaPool *arena;
+ NSSLOWCERTCrl crl;
+ certDBEntryRevocation *dbEntry; /* database entry struct */
+ PRBool keep; /* keep this crl in the cache for the session*/
+ PRBool isperm;
+ PRBool istemp;
+ int referenceCount;
+ NSSLOWCERTCertDBHandle *dbhandle;
+ NSSLOWCERTSignedData signatureWrap; /* XXX */
+ char *url;
+};
+
+/*
+ * Does the cert belong to the user, a peer, or a CA.
+ */
+typedef enum {
+ certOwnerUser = 0,
+ certOwnerPeer = 1,
+ certOwnerCA = 2
+} NSSLOWCERTCertOwner;
+
+/*
+ * This enum represents the state of validity times of a certificate
+ */
+typedef enum {
+ secCertTimeValid = 0,
+ secCertTimeExpired = 1,
+ secCertTimeNotValidYet = 2
+} SECCertTimeValidity;
+
+/*
+ * Interface for getting certificate nickname strings out of the database
+ */
+
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL 1
+#define SEC_CERT_NICKNAMES_USER 2
+#define SEC_CERT_NICKNAMES_SERVER 3
+#define SEC_CERT_NICKNAMES_CA 4
+
+struct NSSLOWCERTCertNicknamesStr {
+ PRArenaPool *arena;
+ void *head;
+ int numnicknames;
+ char **nicknames;
+ int what;
+ int totallen;
+};
+
+struct NSSLOWCERTIssuerAndSNStr {
+ SECItem derIssuer;
+ SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h" /* way down here because I expect template stuff to
+ * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template nsslowcert_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template nsslowcert_SignedDataTemplate[];
+extern const SEC_ASN1Template NSSLOWKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowcert_ValidityTemplate[];
+
+SEC_END_PROTOS
+
+#endif /* _CERTT_H_ */ |
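Review bot: The `int referenceCount;` fields in `NSSLOWCERTCertificateStr` and `NSSLOWCERTSignedCrlStr` are documented only as "modified whenever someone looks up, dups or destroys a certificate", with no statement of which lock serializes those updates, and an unsynchronized refcount on a shared cert object is the usual route to a use-after-free or double free when one thread destroys a cert another still holds. This header pulls in nssilock.h and prmon.h, and the companion pcert.h exposes a `nsslowcert_FindCertByKeyNoLocking` variant, so presumably the DB handle's lock is the intended guard, but that contract belongs on the field itself: `int referenceCount; /* NOTE(review): presumably guarded by the owning dbhandle's lock; confirm, and never adjust without it */`. The closing guard comment `#endif /* _CERTT_H_ */` also does not match the `_NSSLOWCERTT_H_` guard opened at the top and should read `#endif /* _NSSLOWCERTT_H_ */`; likewise the banner still says `certt.h - public data structures for the certificate library` although this copy is the softoken-private one.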