/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef PKIM_H
#define PKIM_H
#ifndef BASE_H
#include "base.h"
#endif /* BASE_H */
#ifndef PKI_H
#include "pki.h"
#endif /* PKI_H */
#ifndef PKITM_H
#include "pkitm.h"
#endif /* PKITM_H */
PR_BEGIN_EXTERN_C
/* nssPKIObject
*
* This is the base object class, common to all PKI objects defined in
* in this module. Each object can be safely 'casted' to an nssPKIObject,
* then passed to these methods.
*
* nssPKIObject_Create
* nssPKIObject_Destroy
* nssPKIObject_AddRef
* nssPKIObject_AddInstance
* nssPKIObject_HasInstance
* nssPKIObject_GetTokens
* nssPKIObject_GetNicknameForToken
* nssPKIObject_RemoveInstanceForToken
* nssPKIObject_DeleteStoredObject
*/
NSS_EXTERN
void nssPKIObject_Lock(nssPKIObject *object);
NSS_EXTERN
void nssPKIObject_Unlock(nssPKIObject *object);
NSS_EXTERN PRStatus nssPKIObject_NewLock(nssPKIObject *object,
nssPKILockType lockType);
NSS_EXTERN
void nssPKIObject_DestroyLock(nssPKIObject *object);
/* nssPKIObject_Create
*
* A generic PKI object. It must live in a trust domain. It may be
* initialized with a token instance, or alternatively in a crypto context.
*/
NSS_EXTERN nssPKIObject *
nssPKIObject_Create(
NSSArena *arenaOpt,
nssCryptokiObject *instanceOpt,
NSSTrustDomain *td,
NSSCryptoContext *ccOpt,
nssPKILockType lockType);
/* nssPKIObject_AddRef
*/
NSS_EXTERN nssPKIObject *
nssPKIObject_AddRef(nssPKIObject *object);
/* nssPKIObject_Destroy
*
* Returns true if object was destroyed. This notifies the subclass that
* all references are gone and it should delete any members it owns.
*/
NSS_EXTERN PRBool
nssPKIObject_Destroy(nssPKIObject *object);
/* nssPKIObject_AddInstance
*
* Add a token instance to the object, if it does not have it already.
*/
NSS_EXTERN PRStatus
nssPKIObject_AddInstance(
nssPKIObject *object,
nssCryptokiObject *instance);
/* nssPKIObject_HasInstance
*
* Query the object for a token instance.
*/
NSS_EXTERN PRBool
nssPKIObject_HasInstance(
nssPKIObject *object,
nssCryptokiObject *instance);
/* nssPKIObject_GetTokens
*
* Get all tokens which have an instance of the object.
*/
NSS_EXTERN NSSToken **
nssPKIObject_GetTokens(
nssPKIObject *object,
PRStatus *statusOpt);
/* nssPKIObject_GetNicknameForToken
*
* tokenOpt == NULL means take the first available, otherwise return the
* nickname for the specified token.
*/
NSS_EXTERN NSSUTF8 *
nssPKIObject_GetNicknameForToken(
nssPKIObject *object,
NSSToken *tokenOpt);
/* nssPKIObject_RemoveInstanceForToken
*
* Remove the instance of the object on the specified token.
*/
NSS_EXTERN PRStatus
nssPKIObject_RemoveInstanceForToken(
nssPKIObject *object,
NSSToken *token);
/* nssPKIObject_DeleteStoredObject
*
* Delete all token instances of the object, as well as any crypto context
* instances (TODO). If any of the instances are read-only, or if the
* removal fails, the object will keep those instances. 'isFriendly' refers
* to the object -- can this object be removed from a friendly token without
* login? For example, certificates are friendly, private keys are not.
* Note that if the token is not friendly, authentication will be required
* regardless of the value of 'isFriendly'.
*/
NSS_EXTERN PRStatus
nssPKIObject_DeleteStoredObject(
nssPKIObject *object,
NSSCallback *uhh,
PRBool isFriendly);
NSS_EXTERN nssCryptokiObject **
nssPKIObject_GetInstances(
nssPKIObject *object);
NSS_EXTERN NSSCertificate **
nssTrustDomain_FindCertificatesByID(
NSSTrustDomain *td,
NSSItem *id,
NSSCertificate **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt);
NSS_EXTERN NSSCRL **
nssTrustDomain_FindCRLsBySubject(
NSSTrustDomain *td,
NSSDER *subject);
/* module-private nsspki methods */
NSS_EXTERN NSSCryptoContext *
nssCryptoContext_Create(
NSSTrustDomain *td,
NSSCallback *uhhOpt);
/* XXX for the collection */
NSS_EXTERN NSSCertificate *
nssCertificate_Create(nssPKIObject *object);
NSS_EXTERN PRStatus
nssCertificate_SetCertTrust(
NSSCertificate *c,
NSSTrust *trust);
NSS_EXTERN nssDecodedCert *
nssCertificate_GetDecoding(NSSCertificate *c);
extern PRIntn
nssCertificate_SubjectListSort(
void *v1,
void *v2);
NSS_EXTERN nssDecodedCert *
nssDecodedCert_Create(
NSSArena *arenaOpt,
NSSDER *encoding,
NSSCertificateType type);
NSS_EXTERN PRStatus
nssDecodedCert_Destroy(nssDecodedCert *dc);
NSS_EXTERN NSSTrust *
nssTrust_Create(
nssPKIObject *object,
NSSItem *certData);
NSS_EXTERN NSSCRL *
nssCRL_Create(nssPKIObject *object);
NSS_EXTERN NSSCRL *
nssCRL_AddRef(NSSCRL *crl);
NSS_EXTERN PRStatus
nssCRL_Destroy(NSSCRL *crl);
NSS_EXTERN PRStatus
nssCRL_DeleteStoredObject(
NSSCRL *crl,
NSSCallback *uhh);
NSS_EXTERN NSSPrivateKey *
nssPrivateKey_Create(nssPKIObject *o);
NSS_EXTERN NSSDER *
nssCRL_GetEncoding(NSSCRL *crl);
NSS_EXTERN NSSPublicKey *
nssPublicKey_Create(nssPKIObject *object);
/* nssCertificateArray
*
* These are being thrown around a lot, might as well group together some
* functionality.
*
* nssCertificateArray_Destroy
* nssCertificateArray_Join
* nssCertificateArray_FindBestCertificate
* nssCertificateArray_Traverse
*/
/* nssCertificateArray_Destroy
*
* Will destroy the array and the certs within it. If the array was created
* in an arena, will *not* (of course) destroy the arena. However, is safe
* to call this method on an arena-allocated array.
*/
NSS_EXTERN
void
nssCertificateArray_Destroy(NSSCertificate **certs);
/* nssCertificateArray_Join
*
* Join two arrays into one. The two arrays, certs1 and certs2, should
* be considered invalid after a call to this function (they may be destroyed
* as part of the join). certs1 and/or certs2 may be NULL. Safe to
* call with arrays allocated in an arena, the result will also be in the
* arena.
*/
NSS_EXTERN NSSCertificate **
nssCertificateArray_Join(
NSSCertificate **certs1,
NSSCertificate **certs2);
/* nssCertificateArray_FindBestCertificate
*
* Use the usual { time, usage, policies } to find the best cert in the
* array.
*/
NSS_EXTERN NSSCertificate *
nssCertificateArray_FindBestCertificate(
NSSCertificate **certs,
NSSTime *timeOpt,
const NSSUsage *usage,
NSSPolicies *policiesOpt);
/* nssCertificateArray_Traverse
*
* Do the callback for each cert, terminate the traversal if the callback
* fails.
*/
NSS_EXTERN PRStatus
nssCertificateArray_Traverse(
NSSCertificate **certs,
PRStatus (*callback)(NSSCertificate *c,
void *arg),
void *arg);
NSS_EXTERN
void
nssCRLArray_Destroy(NSSCRL **crls);
/* nssPKIObjectCollection
*
* This is a handy way to group objects together and perform operations
* on them. It can also handle "proto-objects"-- references to
* objects instances on tokens, where the actual object hasn't
* been formed yet.
*
* nssCertificateCollection_Create
* nssPrivateKeyCollection_Create
* nssPublicKeyCollection_Create
*
* If this was a language that provided for inheritance, each type would
* inherit all of the following methods. Instead, there is only one
* type (nssPKIObjectCollection), shared among all. This may cause
* confusion; an alternative would be to define all of the methods
* for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't
* seem worth the code bloat.. It is left up to the caller to remember
* what type of collection he/she is dealing with.
*
* nssPKIObjectCollection_Destroy
* nssPKIObjectCollection_Count
* nssPKIObjectCollection_AddObject
* nssPKIObjectCollection_AddInstances
* nssPKIObjectCollection_Traverse
*
* Back to type-specific methods.
*
* nssPKIObjectCollection_GetCertificates
* nssPKIObjectCollection_GetCRLs
* nssPKIObjectCollection_GetPrivateKeys
* nssPKIObjectCollection_GetPublicKeys
*/
/* nssCertificateCollection_Create
*
* Create a collection of certificates in the specified trust domain.
* Optionally provide a starting set of certs.
*/
NSS_EXTERN nssPKIObjectCollection *
nssCertificateCollection_Create(
NSSTrustDomain *td,
NSSCertificate **certsOpt);
/* nssCRLCollection_Create
*
* Create a collection of CRLs/KRLs in the specified trust domain.
* Optionally provide a starting set of CRLs.
*/
NSS_EXTERN nssPKIObjectCollection *
nssCRLCollection_Create(
NSSTrustDomain *td,
NSSCRL **crlsOpt);
/* nssPrivateKeyCollection_Create
*
* Create a collection of private keys in the specified trust domain.
* Optionally provide a starting set of keys.
*/
NSS_EXTERN nssPKIObjectCollection *
nssPrivateKeyCollection_Create(
NSSTrustDomain *td,
NSSPrivateKey **pvkOpt);
/* nssPublicKeyCollection_Create
*
* Create a collection of public keys in the specified trust domain.
* Optionally provide a starting set of keys.
*/
NSS_EXTERN nssPKIObjectCollection *
nssPublicKeyCollection_Create(
NSSTrustDomain *td,
NSSPublicKey **pvkOpt);
/* nssPKIObjectCollection_Destroy
*/
NSS_EXTERN
void
nssPKIObjectCollection_Destroy(nssPKIObjectCollection *collection);
/* nssPKIObjectCollection_Count
*/
NSS_EXTERN PRUint32
nssPKIObjectCollection_Count(nssPKIObjectCollection *collection);
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddObject(
nssPKIObjectCollection *collection,
nssPKIObject *object);
/* nssPKIObjectCollection_AddInstances
*
* Add a set of object instances to the collection. The instances
* will be sorted into any existing certs/proto-certs that may be in
* the collection. The instances will be absorbed by the collection,
* the array should not be used after this call (except to free it).
*
* Failure means the collection is in an invalid state.
*
* numInstances = 0 means the array is NULL-terminated
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstances(
nssPKIObjectCollection *collection,
nssCryptokiObject **instances,
PRUint32 numInstances);
/* nssPKIObjectCollection_Traverse
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_Traverse(
nssPKIObjectCollection *collection,
nssPKIObjectCallback *callback);
/* This function is being added for NSS 3.5. It corresponds to the function
* nssToken_TraverseCertificates. The idea is to use the collection during
* a traversal, creating certs each time a new instance is added for which
* a cert does not already exist.
*/
NSS_EXTERN PRStatus
nssPKIObjectCollection_AddInstanceAsObject(
nssPKIObjectCollection *collection,
nssCryptokiObject *instance);
/* nssPKIObjectCollection_GetCertificates
*
* Get all of the certificates in the collection.
*/
NSS_EXTERN NSSCertificate **
nssPKIObjectCollection_GetCertificates(
nssPKIObjectCollection *collection,
NSSCertificate **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt);
NSS_EXTERN NSSCRL **
nssPKIObjectCollection_GetCRLs(
nssPKIObjectCollection *collection,
NSSCRL **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt);
NSS_EXTERN NSSPrivateKey **
nssPKIObjectCollection_GetPrivateKeys(
nssPKIObjectCollection *collection,
NSSPrivateKey **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt);
NSS_EXTERN NSSPublicKey **
nssPKIObjectCollection_GetPublicKeys(
nssPKIObjectCollection *collection,
NSSPublicKey **rvOpt,
PRUint32 maximumOpt,
NSSArena *arenaOpt);
NSS_EXTERN NSSTime *
NSSTime_Now(NSSTime *timeOpt);
NSS_EXTERN NSSTime *
NSSTime_SetPRTime(
NSSTime *timeOpt,
PRTime prTime);
NSS_EXTERN PRTime
NSSTime_GetPRTime(
NSSTime *time);
NSS_EXTERN nssHash *
nssHash_CreateCertificate(
NSSArena *arenaOpt,
PRUint32 numBuckets);
/* 3.4 Certificate cache routines */
NSS_EXTERN PRStatus
nssTrustDomain_InitializeCache(
NSSTrustDomain *td,
PRUint32 cacheSize);
NSS_EXTERN PRStatus
nssTrustDomain_AddCertsToCache(
NSSTrustDomain *td,
NSSCertificate **certs,
PRUint32 numCerts);
NSS_EXTERN
void
nssTrustDomain_RemoveCertFromCacheLOCKED(
NSSTrustDomain *td,
NSSCertificate *cert);
NSS_EXTERN
void
nssTrustDomain_LockCertCache(NSSTrustDomain *td);
NSS_EXTERN
void
nssTrustDomain_UnlockCertCache(NSSTrustDomain *td);
NSS_IMPLEMENT PRStatus
nssTrustDomain_DestroyCache(NSSTrustDomain *td);
/*
* Remove all certs for the given token from the cache. This is
* needed if the token is removed.
*/
NSS_EXTERN PRStatus
nssTrustDomain_RemoveTokenCertsFromCache(
NSSTrustDomain *td,
NSSToken *token);
NSS_EXTERN PRStatus
nssTrustDomain_UpdateCachedTokenCerts(
NSSTrustDomain *td,
NSSToken *token);
/*
* Find all cached certs with this nickname (label).
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForNicknameFromCache(
NSSTrustDomain *td,
const NSSUTF8 *nickname,
nssList *certListOpt);
/*
* Find all cached certs with this email address.
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForEmailAddressFromCache(
NSSTrustDomain *td,
NSSASCII7 *email,
nssList *certListOpt);
/*
* Find all cached certs with this subject.
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsForSubjectFromCache(
NSSTrustDomain *td,
NSSDER *subject,
nssList *certListOpt);
/*
* Look for a specific cert in the cache.
*/
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertForIssuerAndSNFromCache(
NSSTrustDomain *td,
NSSDER *issuer,
NSSDER *serialNum);
/*
* Look for a specific cert in the cache.
*/
NSS_EXTERN NSSCertificate *
nssTrustDomain_GetCertByDERFromCache(
NSSTrustDomain *td,
NSSDER *der);
/* Get all certs from the cache */
/* XXX this is being included to make some old-style calls word, not to
* say we should keep it
*/
NSS_EXTERN NSSCertificate **
nssTrustDomain_GetCertsFromCache(
NSSTrustDomain *td,
nssList *certListOpt);
NSS_EXTERN
void
nssTrustDomain_DumpCacheInfo(
NSSTrustDomain *td,
void (*cert_dump_iter)(
const void *,
void *,
void *),
void *arg);
NSS_EXTERN
void
nssCertificateList_AddReferences(
nssList *certList);
PR_END_EXTERN_C
#endif /* PKIM_H */
