author | jpierre%netscape.com <devnull@localhost> | 2004-02-11 05:25:01 +0000 |
---|---|---|
committer | jpierre%netscape.com <devnull@localhost> | 2004-02-11 05:25:01 +0000 |
commit | baebc3837438a76767ee82a3424904d64f4159c6 (patch) | |
tree | 9e8dc918b511a4c8702df3cb683e433e4126eed6 /security/nss/lib/certdb | |
parent | 99245ac17212b9615872af12cf0291db0f997f80 (diff) | |
parent | 5da3736fa6c6d9a44b3a2a0af1f930d53023bd7c (diff) | |
Fix for 233118. Additional check for CRL signing usage. r=nelsonb
Diffstat (limited to 'security/nss/lib/certdb')
-rw-r--r-- | security/nss/lib/certdb/alg1485.c | 4 | ||||
-rw-r--r-- | security/nss/lib/certdb/cert.h | 34 | ||||
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 6 | ||||
-rw-r--r-- | security/nss/lib/certdb/certt.h | 11 | ||||
-rw-r--r-- | security/nss/lib/certdb/certv3.c | 42 | ||||
-rw-r--r-- | security/nss/lib/certdb/crl.c | 2 | ||||
-rw-r--r-- | security/nss/lib/certdb/genname.c | 48 | ||||
-rw-r--r-- | security/nss/lib/certdb/genname.h | 6 | ||||
-rw-r--r-- | security/nss/lib/certdb/stanpcertdb.c | 26 | ||||
-rw-r--r-- | security/nss/lib/certdb/xconst.c | 56 | ||||
-rw-r--r-- | security/nss/lib/certdb/xconst.h | 45 |
11 files changed, 161 insertions, 119 deletions
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index b95cec96a..96cd3762e 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -924,7 +924,7 @@ CERT_GetCertificateEmailAddress(CERTCertificate *cert) if (rawEmailAddr) { break; } - current = cert_get_next_general_name(current); + current = CERT_GetNextGeneralName(current); } while (current != nameList); } } @@ -1038,7 +1038,7 @@ cert_GetCertificateEmailAddresses(CERTCertificate *cert) } else if (current->type == certRFC822Name) { pBuf = appendItemToBuf(pBuf, ¤t->name.other, &maxLen); } - current = cert_get_next_general_name(current); + current = CERT_GetNextGeneralName(current); } while (current != nameList); } SECITEM_FreeItem(&subAltName, PR_FALSE); diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index a154cba78..3d0f17b38 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -646,13 +646,6 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, void *wincx, CERTVerifyLog *log); /* -** This must only be called on a cert that is known to have an issuer -** with an invalid time -*/ -extern CERTCertificate * -CERT_FindExpiredIssuer (CERTCertDBHandle *handle, CERTCertificate *cert); - -/* ** Read a base64 ascii encoded DER certificate and convert it to our ** internal format. ** "certstr" is a null-terminated string containing the certificate 
@@ -1094,6 +1087,33 @@ CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies); CERTUserNotice * CERT_DecodeUserNotice(SECItem *noticeItem); +extern CERTGeneralName * +CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName); + +extern CERTNameConstraints * +CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, + SECItem *encodedConstraints); + +/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */ +extern CERTAuthInfoAccess ** +CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena, + SECItem *encodedExtension); + +extern CERTPrivKeyUsagePeriod * +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue); + +extern CERTGeneralName * +CERT_GetNextGeneralName(CERTGeneralName *current); + +extern CERTGeneralName * +CERT_GetPrevGeneralName(CERTGeneralName *current); + +CERTNameConstraint * +CERT_GetNextNameConstraint(CERTNameConstraint *current); + +CERTNameConstraint * +CERT_GetPrevNameConstraint(CERTNameConstraint *current); + void CERT_DestroyUserNotice(CERTUserNotice *userNotice); diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 84039ea99..5b52156b1 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -659,7 +659,9 @@ cert_GetCertType(CERTCertificate *cert) PORT_Free(encodedExtKeyUsage.data); CERT_DestroyOidSequence(extKeyUsage); } - PR_AtomicSet(&cert->nsCertType, nsCertType); + /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */ + PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32)); + PR_AtomicSet((PRInt32 *)&cert->nsCertType, nsCertType); return(SECSuccess); } @@ -1480,7 +1482,7 @@ cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn) default: break; } - current = cert_get_next_general_name(current); + current = CERT_GetNextGeneralName(current); } while (current != nameList); if ((!isIPaddr && !DNSextCount) || (isIPaddr && !IPextCount)) { 
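Review bot: The new comment above CERT_DecodeAuthInfoAccessExtension misspells "terminated" (`termainated`), and the added prototype block is inconsistent in two ways the commit could settle: CERT_DecodePrivKeyUsagePeriodExtension takes `PLArenaPool *` while every neighbouring declaration takes `PRArenaPool *`, and CERT_GetNextNameConstraint / CERT_GetPrevNameConstraint lack the `extern` the other prototypes carry. Suggested comment: `/* returns addr of a NULL terminated array of pointers to CERTAuthInfoAccess */`. None of the newly public decoders say who owns their result; a one-line note that the returned structures are allocated from `arena` — which the xconst.c decoders in this commit visibly do with PORT_ArenaZNew / SEC_ASN1DecodeItem(arena, …) — would tell callers not to free them.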
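Review bot: `PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32))` only runs in debug builds, so a release build with a mismatched field width would silently hand PR_AtomicSet a pointer to the wrong-sized object; since the width is fixed by the PRUint32 declaration in certt.h, a compile-time size check next to the cast would enforce it in every build. The cast from `PRUint32 *` to `PRInt32 *` is fine for the access itself (same-width signed/unsigned aliasing is permitted), and the comment could say that rather than only asserting it: `/* nsCertType is PRUint32 (certt.h); PR_AtomicSet wants PRInt32 *, same width */`. cert_GetCertType begins outside the hunk.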
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index e502bfdda..70e7b3a66 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -88,6 +88,7 @@ typedef struct CERTNameStr CERTName; typedef struct CERTNameConstraintStr CERTNameConstraint; typedef struct CERTNameConstraintsStr CERTNameConstraints; typedef struct CERTOKDomainNameStr CERTOKDomainName; +typedef struct CERTPrivKeyUsagePeriodStr CERTPrivKeyUsagePeriod; typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge; typedef struct CERTRDNStr CERTRDN; typedef struct CERTSignedCrlStr CERTSignedCrl; @@ -252,7 +253,8 @@ struct CERTCertificateStr { unsigned int keyUsage; /* what uses are allowed for this cert */ unsigned int rawKeyUsage; /* value of the key usage extension */ PRBool keyUsagePresent; /* was the key usage extension present */ - unsigned int nsCertType; /* value of the ns cert type extension */ + PRUint32 nsCertType; /* value of the ns cert type extension */ + /* must be 32-bit for PR_AtomicSet */ /* these values can be set by the application to bypass certain checks * or to keep the cert in memory for an entire session. @@ -657,6 +659,13 @@ struct CERTNameConstraintsStr { }; +/* Private Key Usage Period extension struct. */ +struct CERTPrivKeyUsagePeriodStr { + SECItem notBefore; + SECItem notAfter; + PRArenaPool *arena; +}; + /* X.509 v3 Authority Key Identifier extension. For the authority certificate issuer field, we only support URI now. */ diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c index f4e11b3ae..41957c324 100644 --- a/security/nss/lib/certdb/certv3.c +++ b/security/nss/lib/certdb/certv3.c @@ -370,7 +370,6 @@ CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert) SECStatus CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage) { - PRBool critical; SECItem keyUsage; SECStatus rv; 
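Review bot: The comment on the new CERTPrivKeyUsagePeriodStr does not say that notBefore and notAfter are each OPTIONAL in the ASN.1 template (the xconst.c hunk in this commit marks both with SEC_ASN1_OPTIONAL), so a decoded period can have either item empty and callers must test `len` before interpreting a time. Because the decoder allocates the struct with PORT_ArenaZNew, an absent field stays zeroed; suggest `/* Private Key Usage Period extension. notBefore/notAfter are OPTIONAL GeneralizedTime items; an absent one stays empty (len 0). Allocated from arena. */`. The nsCertType change and its `/* must be 32-bit for PR_AtomicSet */` note are clear as written.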
@@ -381,35 +380,18 @@ CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage) keyUsage.data = NULL; - do { - /* if the keyUsage extension exists and is critical, make sure that the - CA certificate is used for certificate signing purpose only. If the - extension does not exist, we will assum that it can be used for - certificate signing purpose. - */ - rv = CERT_GetExtenCriticality(cert->extensions, - SEC_OID_X509_KEY_USAGE, - &critical); - if (rv == SECFailure) { - rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ? - SECSuccess : SECFailure; - break; - } - - if (critical == PR_FALSE) { - rv = SECSuccess; - break; - } - - rv = CERT_FindKeyUsageExtension(cert, &keyUsage); - if (rv != SECSuccess) { - break; - } - if (!(keyUsage.data[0] & usage)) { - PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID); - rv = SECFailure; - } - }while (0); + /* This code formerly ignored the Key Usage extension if it was + ** marked non-critical. That was wrong. Since we do understand it, + ** we are obligated to honor it, whether or not it is critical. + */ + rv = CERT_FindKeyUsageExtension(cert, &keyUsage); + if (rv == SECFailure) { + rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ? + SECSuccess : SECFailure; + } else if (!(keyUsage.data[0] & usage)) { + PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID); + rv = SECFailure; + } PORT_Free (keyUsage.data); return (rv); } diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index 9957e1dd2..5a6ef67d4 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -1461,7 +1461,7 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, through a certificate verification (CERT_CheckCRL) */ if (issuer) { /* if we didn't have a valid issuer cert yet, but we do now. add it */ - if (NULL == cache->issuer) { + if ( (NULL == cache->issuer) && (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN))) { /* save the issuer cert */ cache->issuer = CERT_DupCertificate(issuer); } 
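Review bot: `keyUsage.data[0]` on the new `else if` line is read without checking `keyUsage.len`; if CERT_FindKeyUsageExtension can return a zero-length item for an empty BIT STRING, this reads past the buffer, and since an empty key-usage asserts no usage at all it should fail the check rather than be indexed: `} else if (keyUsage.len == 0 || !(keyUsage.data[0] & usage)) {`. The removed code had the same gap, so this is pre-existing rather than introduced, but CERT_CheckCertUsage is now the gate for KU_CRL_SIGN in crl.c and deserves the guard. The declarations at the top of CERT_CheckCertUsage are in the previous hunk, outside this one.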
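Review bot: When CERT_CheckCertUsage(issuer, KU_CRL_SIGN) fails, the new condition leaves `cache->issuer` NULL and drops the error code the callee set, so a CRL whose issuer lacks the CRL-signing bit is handled exactly like one whose issuer was never found — safe if the rest of DPCache_Update then refuses to trust the CRL, but hard to diagnose. A comment above the `if` would at least make the intent visible: `/* issuer must carry KU_CRL_SIGN; otherwise leave cache->issuer NULL so the CRL is not treated as verified */`. The remainder of DPCache_Update is outside the hunk, so whether the CRL is then rejected or merely not refreshed cannot be confirmed here. Note also that CERT_CheckCertUsage (certv3.c in this commit) treats an absent Key Usage extension as a pass, so the new check only excludes issuers that assert a Key Usage without CRL signing.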
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index 18957509c..06aa7aaa5 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -277,7 +277,7 @@ loser: } CERTGeneralName * -cert_get_next_general_name(CERTGeneralName *current) +CERT_GetNextGeneralName(CERTGeneralName *current) { PRCList *next; @@ -286,7 +286,7 @@ cert_get_next_general_name(CERTGeneralName *current) } CERTGeneralName * -cert_get_prev_general_name(CERTGeneralName *current) +CERT_GetPrevGeneralName(CERTGeneralName *current) { PRCList *prev; prev = current->l.prev; @@ -294,7 +294,7 @@ cert_get_prev_general_name(CERTGeneralName *current) } CERTNameConstraint * -cert_get_next_name_constraint(CERTNameConstraint *current) +CERT_GetNextNameConstraint(CERTNameConstraint *current) { PRCList *next; @@ -303,7 +303,7 @@ cert_get_next_name_constraint(CERTNameConstraint *current) } CERTNameConstraint * -cert_get_prev_name_constraint(CERTNameConstraint *current) +CERT_GetPrevNameConstraint(CERTNameConstraint *current) { PRCList *prev; prev = current->l.prev; @@ -384,10 +384,10 @@ cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names) } head = &(names->l); while (current_name->l.next != head) { - current_name = cert_get_next_general_name(current_name); + current_name = CERT_GetNextGeneralName(current_name); ++count; } - current_name = cert_get_next_general_name(current_name); + current_name = CERT_GetNextGeneralName(current_name); items = PORT_ArenaNewArray(arena, SECItem *, count + 1); if (items == NULL) { goto loser; @@ -397,7 +397,7 @@ cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names) if (items[i] == NULL) { goto loser; } - current_name = cert_get_next_general_name(current_name); + current_name = CERT_GetNextGeneralName(current_name); } items[i] = NULL; /* TODO: unmark arena */ 
@@ -487,7 +487,7 @@ cert_DecodeGeneralNames (PRArenaPool *arena, } if (currentName) { /* TODO: unmark arena */ - return cert_get_next_general_name(currentName); + return CERT_GetNextGeneralName(currentName); } /* TODO: release arena to mark */ return NULL; @@ -508,7 +508,7 @@ cert_DestroyGeneralNames(CERTGeneralName *name) first = name; do { - next = cert_get_next_general_name(name); + next = CERT_GetNextGeneralName(name); PORT_Free(name); name = next; } while (name != first); @@ -553,10 +553,10 @@ cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints, } head = &constraints->l; while (current_constraint->l.next != head) { - current_constraint = cert_get_next_name_constraint(current_constraint); + current_constraint = CERT_GetNextNameConstraint(current_constraint); ++count; } - current_constraint = cert_get_next_name_constraint(current_constraint); + current_constraint = CERT_GetNextNameConstraint(current_constraint); items = PORT_ArenaZNewArray(arena, SECItem *, count + 1); if (items == NULL) { goto loser; @@ -567,7 +567,7 @@ cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints, if (items[i] == NULL) { goto loser; } - current_constraint = cert_get_next_name_constraint(current_constraint); + current_constraint = CERT_GetNextNameConstraint(current_constraint); } *dest = items; if (*dest == NULL) { @@ -763,7 +763,7 @@ CERT_CopyGeneralName(PRArenaPool *arena, rv = cert_CopyOneGeneralName(arena, dest, src); if (rv != SECSuccess) goto loser; - src = cert_get_next_general_name(src); + src = CERT_GetNextGeneralName(src); /* if there is only one general name, we shouldn't do this */ if (src != srcHead) { if (dest->l.next == &destHead->l) { @@ -777,7 +777,7 @@ CERT_CopyGeneralName(PRArenaPool *arena, dest->l.next = &temp->l; dest = temp; } else { - dest = cert_get_next_general_name(dest); + dest = CERT_GetNextGeneralName(dest); } } } while (src != srcHead && rv == SECSuccess); 
@@ -925,7 +925,7 @@ CERT_GetNameConstraintByType (CERTNameConstraint *constraints, goto loser; *returnList = CERT_AddNameConstraint(*returnList, temp); } - current = cert_get_next_name_constraint(current); + current = CERT_GetNextNameConstraint(current); } while (current != constraints); /* TODO: unmark arena */ return SECSuccess; @@ -967,7 +967,7 @@ CERT_GetGeneralNameByType (CERTGeneralName *genNames, PORT_Assert(0); return NULL; } - current = cert_get_next_general_name(current); + current = CERT_GetNextGeneralName(current); } while (current != genNames); return NULL; } @@ -982,7 +982,7 @@ CERT_GetNamesLength(CERTGeneralName *names) if (names != NULL) { do { length++; - names = cert_get_next_general_name(names); + names = CERT_GetNextGeneralName(names); } while (names != first); } return length; @@ -1422,7 +1422,7 @@ cert_CompareNameWithConstraints(CERTGeneralName *name, } if (matched == SECSuccess || rv != SECSuccess) break; - current = cert_get_next_name_constraint(current); + current = CERT_GetNextNameConstraint(current); } while (current != constraints); if (rv == SECSuccess) { if (matched == SECSuccess) @@ -1500,7 +1500,7 @@ CERT_CompareNameSpace(CERTCertificate *cert, if (rv != SECSuccess) break; } - currentName = cert_get_next_general_name(currentName); + currentName = CERT_GetNextGeneralName(currentName); count ++; } while (currentName != namesList); done: @@ -1563,7 +1563,7 @@ CERT_GetNickName(CERTCertificate *cert, found = 1; break; } - current = cert_get_next_general_name(current); + current = CERT_GetNextGeneralName(current); } while (current != names); if (!found) goto loser; @@ -1633,8 +1633,8 @@ CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b) if (currentB == NULL) { return SECFailure; } - currentB = cert_get_next_general_name(currentB); - currentA = cert_get_next_general_name(currentA); + currentB = CERT_GetNextGeneralName(currentB); + currentA = CERT_GetNextGeneralName(currentA); } while (currentA != a); } if (currentB != b) { 
@@ -1679,12 +1679,12 @@ CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b) } } - currentB = cert_get_next_general_name(currentB); + currentB = CERT_GetNextGeneralName(currentB); } while (currentB != b && found != PR_TRUE); if (found != PR_TRUE) { return SECFailure; } - currentA = cert_get_next_general_name(currentA); + currentA = CERT_GetNextGeneralName(currentA); } while (currentA != a); return SECSuccess; } diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h index 504f0cd06..57d3afa10 100644 --- a/security/nss/lib/certdb/genname.h +++ b/security/nss/lib/certdb/genname.h @@ -46,12 +46,6 @@ SEC_BEGIN_PROTOS extern const SEC_ASN1Template CERT_GeneralNamesTemplate[]; -extern CERTGeneralName * -cert_get_next_general_name(CERTGeneralName *current); - -extern CERTGeneralName * -cert_get_prev_general_name(CERTGeneralName *current); - extern SECItem * CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena); diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index a908c0f6d..c1420ad73 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c 
@@ -412,18 +412,28 @@ CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name) CERTCertificate * CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID) { - CERTCertList *list = - CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE); + CERTCertList *list; CERTCertificate *cert = NULL; - CERTCertListNode *node = CERT_LIST_HEAD(list); + CERTCertListNode *node, *head; + list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE); if (list == NULL) return NULL; - for (node = CERT_LIST_HEAD(list); node ; node = CERT_LIST_NEXT(node)) { - if (SECITEM_ItemsAreEqual(&cert->subjectKeyID, keyID) ) { - cert = CERT_DupCertificate(node->cert); - break; - } + node = head = CERT_LIST_HEAD(list); + if (head) { + do { + if (node->cert && + SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) { + cert = CERT_DupCertificate(node->cert); + goto done; + } + node = CERT_LIST_NEXT(node); + } while (node && head != node); + } + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); +done: + if (list) { + CERT_DestroyCertList(list); } return cert; } diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c index 6bd95ba22..fc2654f52 100644 --- a/security/nss/lib/certdb/xconst.c +++ b/security/nss/lib/certdb/xconst.c 
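Review bot: The rewritten loop in CERT_FindCertByKeyID terminates on `head != node` rather than on the list end; if CERT_LIST_HEAD/CERT_LIST_NEXT walk a circular PRCList whose sentinel is embedded in the CERTCertList itself (as the NSS list macros do), the walk passes through that sentinel and reads `node->cert` from an object that is not a CERTCertListNode, an out-of-bounds read the `node->cert &&` test cannot prevent. Stopping at CERT_LIST_END(node, list) avoids that and makes the `if (head)` wrapper and the `head` variable unnecessary. The `if (list)` guard under `done:` is also redundant, since `list == NULL` already returned a few lines earlier.
```c
    CERTCertListNode *node;
    /* … unchanged: CERT_CreateSubjectCertList and the NULL check … */
    /* stop at the list sentinel: it is not a CERTCertListNode */
    for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
         node = CERT_LIST_NEXT(node)) {
        if (node->cert &&
            SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) {
            cert = CERT_DupCertificate(node->cert);
            goto done;
        }
    }
    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
    /* … unchanged: done: label, CERT_DestroyCertList, return cert … */
```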
@@ -63,17 +63,19 @@ static const SEC_ASN1Template CERTIA5TypeTemplate[] = { static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(PKUPEncodedContext) }, + 0, NULL, sizeof(CERTPrivKeyUsagePeriod) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(PKUPEncodedContext, notBefore), SEC_GeneralizedTimeTemplate}, + offsetof(CERTPrivKeyUsagePeriod, notBefore), + SEC_GeneralizedTimeTemplate}, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(PKUPEncodedContext, notAfter), SEC_GeneralizedTimeTemplate}, + offsetof(CERTPrivKeyUsagePeriod, notAfter), + SEC_GeneralizedTimeTemplate}, { 0, } }; const SEC_ASN1Template CERTAltNameTemplate[] = { - { SEC_ASN1_CONSTRUCTED, offsetof(AltNameEncodedContext, encodedGenName), + { SEC_ASN1_CONSTRUCTED, offsetof(CERTAltNameEncodedContext, encodedGenName), CERT_GeneralNamesTemplate} }; @@ -115,7 +117,9 @@ CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encod SECStatus -CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, SECItem *encodedValue) +CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, + CERTPrivKeyUsagePeriod *pkup, + SECItem *encodedValue) { SECStatus rv = SECSuccess; 
@@ -126,6 +130,40 @@ CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, SE return(rv); } +CERTPrivKeyUsagePeriod * +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue) +{ + SECStatus rv; + CERTPrivKeyUsagePeriod *pPeriod; + SECItem newExtnValue; + + /* allocate the certificate policies structure */ + pPeriod = PORT_ArenaZNew(arena, CERTPrivKeyUsagePeriod); + if ( pPeriod == NULL ) { + goto loser; + } + + pPeriod->arena = arena; + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); + if ( rv != SECSuccess ) { + goto loser; + } + + rv = SEC_QuickDERDecodeItem(arena, pPeriod, + CERTPrivateKeyUsagePeriodTemplate, + &newExtnValue); + if ( rv != SECSuccess ) { + goto loser; + } + return pPeriod; + +loser: + return NULL; +} + SECStatus CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue) @@ -167,10 +205,10 @@ CERTGeneralName * CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName) { SECStatus rv = SECSuccess; - AltNameEncodedContext encodedContext; + CERTAltNameEncodedContext encodedContext; encodedContext.encodedGenName = NULL; - PORT_Memset(&encodedContext, 0, sizeof(AltNameEncodedContext)); + PORT_Memset(&encodedContext, 0, sizeof(CERTAltNameEncodedContext)); rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate, EncodedAltName); if (rv == SECFailure) { @@ -202,12 +240,12 @@ CERTNameConstraints * CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedConstraints) { - return cert_DecodeNameConstraints(arena, encodedConstraints); + return cert_DecodeNameConstraints(arena, encodedConstraints); } CERTAuthInfoAccess ** -cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena, +CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena, SECItem *encodedExtension) { CERTAuthInfoAccess **info = NULL; 
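Review bot: The comment `/* allocate the certificate policies structure */` in the new CERT_DecodePrivKeyUsagePeriodExtension was carried over from another decoder and names the wrong structure; it should read `/* allocate the private key usage period structure */`. The function also has no header comment; one stating that the result and its notBefore/notAfter data live in `arena` (the DER is copied into the arena first so the items do not point into the caller's buffer), that either item may be empty because both are OPTIONAL in CERTPrivateKeyUsagePeriodTemplate, and that NULL is returned on any failure with arena allocations left in place, would save callers from reading the body. As a minor style point, a `loser:` label whose only statement is `return NULL;` could be replaced by direct returns.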
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
index e615fa3b4..366d67148 100644
--- a/security/nss/lib/certdb/xconst.h
+++ b/security/nss/lib/certdb/xconst.h
@@ -30,53 +30,40 @@ * may use your version of this file under either the MPL or the * GPL. */ +#ifndef _XCONST_H_ +#define _XCONST_H_ #include "certt.h" -typedef struct PKUPEncodedContext{ - SECItem notBefore; - SECItem notAfter; - /* SECItem encodedValue; */ - PRArenaPool *arena; -}PKUPEncodedContext; - -typedef struct AltNameEncodedContext{ +typedef struct CERTAltNameEncodedContextStr { SECItem **encodedGenName; -}AltNameEncodedContext; - +} CERTAltNameEncodedContext; -typedef struct NameConstraint{ - CERTGeneralName generalName; - int min; - int max; -}NameConstraint; +SEC_BEGIN_PROTOS extern SECStatus -CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, +CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, + CERTPrivKeyUsagePeriod *pkup, SECItem *encodedValue); extern SECStatus -CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, CERTNameConstraints *value, - SECItem *encodedValue); -extern CERTGeneralName * -CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName); - -extern CERTNameConstraints * -CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedConstraints); +CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, + CERTNameConstraints *value, + SECItem *encodedValue); extern SECStatus -CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue); +CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, + SECItem *encodedValue); extern SECStatus -CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue); - -CERTAuthInfoAccess ** -cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena, - SECItem *encodedExtension); +CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, + SECItem *encodedValue); SECStatus cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena, CERTAuthInfoAccess **info, SECItem *dest); +SEC_END_PROTOS +#endif |
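Review bot: The new include guard `_XCONST_H_` uses a leading underscore followed by an uppercase letter, an identifier form the C standard reserves for the implementation; if the project names its guards this way, keep it for consistency, otherwise `XCONST_H` avoids the reservation. Either way the closing line reads better as `#endif /* _XCONST_H_ */` so the end of the guard is identifiable in a long header. The removal of the public decoder prototypes from this private header matches their new declarations in cert.h in the same commit, so that looks intentional.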