/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef PKIM_H #define PKIM_H #ifndef BASE_H #include "base.h" #endif /* BASE_H */ #ifndef PKI_H #include "pki.h" #endif /* PKI_H */ #ifndef PKITM_H #include "pkitm.h" #endif /* PKITM_H */ PR_BEGIN_EXTERN_C /* nssPKIObject * * This is the base object class, common to all PKI objects defined in * in this module. Each object can be safely 'casted' to an nssPKIObject, * then passed to these methods. * * nssPKIObject_Create * nssPKIObject_Destroy * nssPKIObject_AddRef * nssPKIObject_AddInstance * nssPKIObject_HasInstance * nssPKIObject_GetTokens * nssPKIObject_GetNicknameForToken * nssPKIObject_RemoveInstanceForToken * nssPKIObject_DeleteStoredObject */ NSS_EXTERN void nssPKIObject_Lock (nssPKIObject * object); NSS_EXTERN void nssPKIObject_Unlock (nssPKIObject * object); NSS_EXTERN PRStatus nssPKIObject_NewLock (nssPKIObject * object, nssPKILockType lockType); NSS_EXTERN void nssPKIObject_DestroyLock(nssPKIObject * object); /* nssPKIObject_Create * * A generic PKI object. It must live in a trust domain. It may be * initialized with a token instance, or alternatively in a crypto context. */ NSS_EXTERN nssPKIObject * nssPKIObject_Create ( NSSArena *arenaOpt, nssCryptokiObject *instanceOpt, NSSTrustDomain *td, NSSCryptoContext *ccOpt, nssPKILockType lockType ); /* nssPKIObject_AddRef */ NSS_EXTERN nssPKIObject * nssPKIObject_AddRef ( nssPKIObject *object ); /* nssPKIObject_Destroy * * Returns true if object was destroyed. This notifies the subclass that * all references are gone and it should delete any members it owns. */ NSS_EXTERN PRBool nssPKIObject_Destroy ( nssPKIObject *object ); /* nssPKIObject_AddInstance * * Add a token instance to the object, if it does not have it already. */ NSS_EXTERN PRStatus nssPKIObject_AddInstance ( nssPKIObject *object, nssCryptokiObject *instance ); /* nssPKIObject_HasInstance * * Query the object for a token instance. */ NSS_EXTERN PRBool nssPKIObject_HasInstance ( nssPKIObject *object, nssCryptokiObject *instance ); /* nssPKIObject_GetTokens * * Get all tokens which have an instance of the object. */ NSS_EXTERN NSSToken ** nssPKIObject_GetTokens ( nssPKIObject *object, PRStatus *statusOpt ); /* nssPKIObject_GetNicknameForToken * * tokenOpt == NULL means take the first available, otherwise return the * nickname for the specified token. */ NSS_EXTERN NSSUTF8 * nssPKIObject_GetNicknameForToken ( nssPKIObject *object, NSSToken *tokenOpt ); /* nssPKIObject_RemoveInstanceForToken * * Remove the instance of the object on the specified token. */ NSS_EXTERN PRStatus nssPKIObject_RemoveInstanceForToken ( nssPKIObject *object, NSSToken *token ); /* nssPKIObject_DeleteStoredObject * * Delete all token instances of the object, as well as any crypto context * instances (TODO). If any of the instances are read-only, or if the * removal fails, the object will keep those instances. 'isFriendly' refers * to the object -- can this object be removed from a friendly token without * login? For example, certificates are friendly, private keys are not. * Note that if the token is not friendly, authentication will be required * regardless of the value of 'isFriendly'. */ NSS_EXTERN PRStatus nssPKIObject_DeleteStoredObject ( nssPKIObject *object, NSSCallback *uhh, PRBool isFriendly ); NSS_EXTERN nssCryptokiObject ** nssPKIObject_GetInstances ( nssPKIObject *object ); NSS_EXTERN NSSCertificate ** nssTrustDomain_FindCertificatesByID ( NSSTrustDomain *td, NSSItem *id, NSSCertificate **rvOpt, PRUint32 maximumOpt, NSSArena *arenaOpt ); NSS_EXTERN NSSCRL ** nssTrustDomain_FindCRLsBySubject ( NSSTrustDomain *td, NSSDER *subject ); /* module-private nsspki methods */ NSS_EXTERN NSSCryptoContext * nssCryptoContext_Create ( NSSTrustDomain *td, NSSCallback *uhhOpt ); /* XXX for the collection */ NSS_EXTERN NSSCertificate * nssCertificate_Create ( nssPKIObject *object ); NSS_EXTERN PRStatus nssCertificate_SetCertTrust ( NSSCertificate *c, NSSTrust *trust ); NSS_EXTERN nssDecodedCert * nssCertificate_GetDecoding ( NSSCertificate *c ); extern PRIntn nssCertificate_SubjectListSort ( void *v1, void *v2 ); NSS_EXTERN nssDecodedCert * nssDecodedCert_Create ( NSSArena *arenaOpt, NSSDER *encoding, NSSCertificateType type ); NSS_EXTERN PRStatus nssDecodedCert_Destroy ( nssDecodedCert *dc ); NSS_EXTERN NSSTrust * nssTrust_Create ( nssPKIObject *object, NSSItem *certData ); NSS_EXTERN NSSCRL * nssCRL_Create ( nssPKIObject *object ); NSS_EXTERN NSSCRL * nssCRL_AddRef ( NSSCRL *crl ); NSS_EXTERN PRStatus nssCRL_Destroy ( NSSCRL *crl ); NSS_EXTERN PRStatus nssCRL_DeleteStoredObject ( NSSCRL *crl, NSSCallback *uhh ); NSS_EXTERN NSSPrivateKey * nssPrivateKey_Create ( nssPKIObject *o ); NSS_EXTERN NSSDER * nssCRL_GetEncoding ( NSSCRL *crl ); NSS_EXTERN NSSPublicKey * nssPublicKey_Create ( nssPKIObject *object ); /* nssCertificateArray * * These are being thrown around a lot, might as well group together some * functionality. * * nssCertificateArray_Destroy * nssCertificateArray_Join * nssCertificateArray_FindBestCertificate * nssCertificateArray_Traverse */ /* nssCertificateArray_Destroy * * Will destroy the array and the certs within it. If the array was created * in an arena, will *not* (of course) destroy the arena. However, is safe * to call this method on an arena-allocated array. */ NSS_EXTERN void nssCertificateArray_Destroy ( NSSCertificate **certs ); /* nssCertificateArray_Join * * Join two arrays into one. The two arrays, certs1 and certs2, should * be considered invalid after a call to this function (they may be destroyed * as part of the join). certs1 and/or certs2 may be NULL. Safe to * call with arrays allocated in an arena, the result will also be in the * arena. */ NSS_EXTERN NSSCertificate ** nssCertificateArray_Join ( NSSCertificate **certs1, NSSCertificate **certs2 ); /* nssCertificateArray_FindBestCertificate * * Use the usual { time, usage, policies } to find the best cert in the * array. */ NSS_EXTERN NSSCertificate * nssCertificateArray_FindBestCertificate ( NSSCertificate **certs, NSSTime *timeOpt, const NSSUsage *usage, NSSPolicies *policiesOpt ); /* nssCertificateArray_Traverse * * Do the callback for each cert, terminate the traversal if the callback * fails. */ NSS_EXTERN PRStatus nssCertificateArray_Traverse ( NSSCertificate **certs, PRStatus (* callback)(NSSCertificate *c, void *arg), void *arg ); NSS_EXTERN void nssCRLArray_Destroy ( NSSCRL **crls ); /* nssPKIObjectCollection * * This is a handy way to group objects together and perform operations * on them. It can also handle "proto-objects"-- references to * objects instances on tokens, where the actual object hasn't * been formed yet. * * nssCertificateCollection_Create * nssPrivateKeyCollection_Create * nssPublicKeyCollection_Create * * If this was a language that provided for inheritance, each type would * inherit all of the following methods. Instead, there is only one * type (nssPKIObjectCollection), shared among all. This may cause * confusion; an alternative would be to define all of the methods * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't * seem worth the code bloat.. It is left up to the caller to remember * what type of collection he/she is dealing with. * * nssPKIObjectCollection_Destroy * nssPKIObjectCollection_Count * nssPKIObjectCollection_AddObject * nssPKIObjectCollection_AddInstances * nssPKIObjectCollection_Traverse * * Back to type-specific methods. * * nssPKIObjectCollection_GetCertificates * nssPKIObjectCollection_GetCRLs * nssPKIObjectCollection_GetPrivateKeys * nssPKIObjectCollection_GetPublicKeys */ /* nssCertificateCollection_Create * * Create a collection of certificates in the specified trust domain. * Optionally provide a starting set of certs. */ NSS_EXTERN nssPKIObjectCollection * nssCertificateCollection_Create ( NSSTrustDomain *td, NSSCertificate **certsOpt ); /* nssCRLCollection_Create * * Create a collection of CRLs/KRLs in the specified trust domain. * Optionally provide a starting set of CRLs. */ NSS_EXTERN nssPKIObjectCollection * nssCRLCollection_Create ( NSSTrustDomain *td, NSSCRL **crlsOpt ); /* nssPrivateKeyCollection_Create * * Create a collection of private keys in the specified trust domain. * Optionally provide a starting set of keys. */ NSS_EXTERN nssPKIObjectCollection * nssPrivateKeyCollection_Create ( NSSTrustDomain *td, NSSPrivateKey **pvkOpt ); /* nssPublicKeyCollection_Create * * Create a collection of public keys in the specified trust domain. * Optionally provide a starting set of keys. */ NSS_EXTERN nssPKIObjectCollection * nssPublicKeyCollection_Create ( NSSTrustDomain *td, NSSPublicKey **pvkOpt ); /* nssPKIObjectCollection_Destroy */ NSS_EXTERN void nssPKIObjectCollection_Destroy ( nssPKIObjectCollection *collection ); /* nssPKIObjectCollection_Count */ NSS_EXTERN PRUint32 nssPKIObjectCollection_Count ( nssPKIObjectCollection *collection ); NSS_EXTERN PRStatus nssPKIObjectCollection_AddObject ( nssPKIObjectCollection *collection, nssPKIObject *object ); /* nssPKIObjectCollection_AddInstances * * Add a set of object instances to the collection. The instances * will be sorted into any existing certs/proto-certs that may be in * the collection. The instances will be absorbed by the collection, * the array should not be used after this call (except to free it). * * Failure means the collection is in an invalid state. * * numInstances = 0 means the array is NULL-terminated */ NSS_EXTERN PRStatus nssPKIObjectCollection_AddInstances ( nssPKIObjectCollection *collection, nssCryptokiObject **instances, PRUint32 numInstances ); /* nssPKIObjectCollection_Traverse */ NSS_EXTERN PRStatus nssPKIObjectCollection_Traverse ( nssPKIObjectCollection *collection, nssPKIObjectCallback *callback ); /* This function is being added for NSS 3.5. It corresponds to the function * nssToken_TraverseCertificates. The idea is to use the collection during * a traversal, creating certs each time a new instance is added for which * a cert does not already exist. */ NSS_EXTERN PRStatus nssPKIObjectCollection_AddInstanceAsObject ( nssPKIObjectCollection *collection, nssCryptokiObject *instance ); /* nssPKIObjectCollection_GetCertificates * * Get all of the certificates in the collection. */ NSS_EXTERN NSSCertificate ** nssPKIObjectCollection_GetCertificates ( nssPKIObjectCollection *collection, NSSCertificate **rvOpt, PRUint32 maximumOpt, NSSArena *arenaOpt ); NSS_EXTERN NSSCRL ** nssPKIObjectCollection_GetCRLs ( nssPKIObjectCollection *collection, NSSCRL **rvOpt, PRUint32 maximumOpt, NSSArena *arenaOpt ); NSS_EXTERN NSSPrivateKey ** nssPKIObjectCollection_GetPrivateKeys ( nssPKIObjectCollection *collection, NSSPrivateKey **rvOpt, PRUint32 maximumOpt, NSSArena *arenaOpt ); NSS_EXTERN NSSPublicKey ** nssPKIObjectCollection_GetPublicKeys ( nssPKIObjectCollection *collection, NSSPublicKey **rvOpt, PRUint32 maximumOpt, NSSArena *arenaOpt ); NSS_EXTERN NSSTime * NSSTime_Now ( NSSTime *timeOpt ); NSS_EXTERN NSSTime * NSSTime_SetPRTime ( NSSTime *timeOpt, PRTime prTime ); NSS_EXTERN PRTime NSSTime_GetPRTime ( NSSTime *time ); NSS_EXTERN nssHash * nssHash_CreateCertificate ( NSSArena *arenaOpt, PRUint32 numBuckets ); /* 3.4 Certificate cache routines */ NSS_EXTERN PRStatus nssTrustDomain_InitializeCache ( NSSTrustDomain *td, PRUint32 cacheSize ); NSS_EXTERN PRStatus nssTrustDomain_AddCertsToCache ( NSSTrustDomain *td, NSSCertificate **certs, PRUint32 numCerts ); NSS_EXTERN void nssTrustDomain_RemoveCertFromCacheLOCKED ( NSSTrustDomain *td, NSSCertificate *cert ); NSS_EXTERN void nssTrustDomain_LockCertCache ( NSSTrustDomain *td ); NSS_EXTERN void nssTrustDomain_UnlockCertCache ( NSSTrustDomain *td ); NSS_IMPLEMENT PRStatus nssTrustDomain_DestroyCache ( NSSTrustDomain *td ); /* * Remove all certs for the given token from the cache. This is * needed if the token is removed. */ NSS_EXTERN PRStatus nssTrustDomain_RemoveTokenCertsFromCache ( NSSTrustDomain *td, NSSToken *token ); NSS_EXTERN PRStatus nssTrustDomain_UpdateCachedTokenCerts ( NSSTrustDomain *td, NSSToken *token ); /* * Find all cached certs with this nickname (label). */ NSS_EXTERN NSSCertificate ** nssTrustDomain_GetCertsForNicknameFromCache ( NSSTrustDomain *td, const NSSUTF8 *nickname, nssList *certListOpt ); /* * Find all cached certs with this email address. */ NSS_EXTERN NSSCertificate ** nssTrustDomain_GetCertsForEmailAddressFromCache ( NSSTrustDomain *td, NSSASCII7 *email, nssList *certListOpt ); /* * Find all cached certs with this subject. */ NSS_EXTERN NSSCertificate ** nssTrustDomain_GetCertsForSubjectFromCache ( NSSTrustDomain *td, NSSDER *subject, nssList *certListOpt ); /* * Look for a specific cert in the cache. */ NSS_EXTERN NSSCertificate * nssTrustDomain_GetCertForIssuerAndSNFromCache ( NSSTrustDomain *td, NSSDER *issuer, NSSDER *serialNum ); /* * Look for a specific cert in the cache. */ NSS_EXTERN NSSCertificate * nssTrustDomain_GetCertByDERFromCache ( NSSTrustDomain *td, NSSDER *der ); /* Get all certs from the cache */ /* XXX this is being included to make some old-style calls word, not to * say we should keep it */ NSS_EXTERN NSSCertificate ** nssTrustDomain_GetCertsFromCache ( NSSTrustDomain *td, nssList *certListOpt ); NSS_EXTERN void nssTrustDomain_DumpCacheInfo ( NSSTrustDomain *td, void (* cert_dump_iter)(const void *, void *, void *), void *arg ); NSS_EXTERN void nssCertificateList_AddReferences ( nssList *certList ); PR_END_EXTERN_C #endif /* PKIM_H */