summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certdb/cert.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/certdb/cert.h')
-rw-r--r--security/nss/lib/certdb/cert.h1584
1 files changed, 1584 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
new file mode 100644
index 000000000..e0af65ab0
--- /dev/null
+++ b/security/nss/lib/certdb/cert.h
@@ -0,0 +1,1584 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * cert.h - public data structures and prototypes for the certificate library
+ */
+
+#ifndef _CERT_H_
+#define _CERT_H_
+
+#include "utilrename.h"
+#include "plarena.h"
+#include "plhash.h"
+#include "prlong.h"
+#include "prlog.h"
+
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+
+SEC_BEGIN_PROTOS
+
+/****************************************************************************
+ *
+ * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
+ *
+ ****************************************************************************/
+
+/*
+** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
+*/
+extern CERTName *CERT_AsciiToName(const char *string);
+
+/*
+** Convert an CERTName into its RFC1485 encoded equivalent.
+** Returns a string that must be freed with PORT_Free().
+** This version produces a string for maximum human readability,
+** not for strict RFC compliance.
+*/
+extern char *CERT_NameToAscii(CERTName *name);
+
+/*
+** Convert an CERTName into its RFC1485 encoded equivalent.
+** Returns a string that must be freed with PORT_Free().
+** Caller chooses encoding rules.
+*/
+extern char *CERT_NameToAsciiInvertible(CERTName *name,
+ CertStrictnessLevel strict);
+
+extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
+
+/* convert an OID to dotted-decimal representation */
+/* Returns a string that must be freed with PR_smprintf_free(). */
+extern char *CERT_GetOidString(const SECItem *oid);
+
+/*
+** Examine an AVA and return the tag that refers to it. The AVA tags are
+** defined as SEC_OID_AVA*.
+*/
+extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
+
+/*
+** Compare two AVA's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
+
+/*
+** Create an RDN (relative-distinguished-name). The argument list is a
+** NULL terminated list of AVA's.
+*/
+extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
+
+/*
+** Make a copy of "src" storing it in "dest".
+*/
+extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
+
+/*
+** Add an AVA to an RDN.
+** "rdn" the RDN to add to
+** "ava" the AVA to add
+*/
+extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
+
+/*
+** Compare two RDN's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b);
+
+/*
+** Create an X.500 style name using a NULL terminated list of RDN's.
+*/
+extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
+
+/*
+** Make a copy of "src" storing it in "dest". Memory is allocated in
+** "dest" for each of the appropriate sub objects. Memory is not freed in
+** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
+** do that).
+*/
+extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
+ const CERTName *src);
+
+/*
+** Destroy a Name object.
+** "name" the CERTName to destroy
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyName(CERTName *name);
+
+/*
+** Add an RDN to a name.
+** "name" the name to add the RDN to
+** "rdn" the RDN to add to name
+*/
+extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
+
+/*
+** Compare two names, returning the difference between them.
+*/
+extern SECComparison CERT_CompareName(const CERTName *a, const CERTName *b);
+
+/*
+** Convert a CERTName into something readable
+*/
+extern char *CERT_FormatName(CERTName *name);
+
+/*
+** Convert a der-encoded integer to a hex printable string form.
+** Perhaps this should be a SEC function but it's only used for certs.
+*/
+extern char *CERT_Hexify(SECItem *i, int do_colon);
+
+/*
+** Converts DER string (with explicit length) into zString, if destination
+** buffer is big enough to receive it. Does quoting and/or escaping as
+** specified in RFC 1485. Input string must be single or multi-byte DER
+** character set, (ASCII, UTF8, or ISO 8851-x) not a wide character set.
+** Returns SECSuccess or SECFailure with error code set. If output buffer
+** is too small, sets error code SEC_ERROR_OUTPUT_LEN.
+*/
+extern SECStatus CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src,
+ int srclen);
+
+/******************************************************************************
+ *
+ * Certificate handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create a new validity object given two unix time values.
+** "notBefore" the time before which the validity is not valid
+** "notAfter" the time after which the validity is not valid
+*/
+extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
+
+/*
+** Destroy a validity object.
+** "v" the validity to destroy
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyValidity(CERTValidity *v);
+
+/*
+** Copy the "src" object to "dest". Memory is allocated in "dest" for
+** each of the appropriate sub-objects. Memory in "dest" is not freed
+** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
+** that).
+*/
+extern SECStatus CERT_CopyValidity(PLArenaPool *arena, CERTValidity *dest,
+ CERTValidity *src);
+
+/*
+** The cert lib considers a cert or CRL valid if the "notBefore" time is
+** in the not-too-distant future, e.g. within the next 24 hours. This
+** prevents freshly issued certificates from being considered invalid
+** because the local system's time zone is incorrectly set.
+** The amount of "pending slop time" is adjustable by the application.
+** Units of SlopTime are seconds. Default is 86400 (24 hours).
+** Negative SlopTime values are not allowed.
+*/
+PRInt32 CERT_GetSlopTime(void);
+
+SECStatus CERT_SetSlopTime(PRInt32 slop);
+
+/*
+** Create a new certificate object. The result must be wrapped with an
+** CERTSignedData to create a signed certificate.
+** "serialNumber" the serial number
+** "issuer" the name of the certificate issuer
+** "validity" the validity period of the certificate
+** "req" the certificate request that prompted the certificate issuance
+*/
+extern CERTCertificate *CERT_CreateCertificate(unsigned long serialNumber,
+ CERTName *issuer,
+ CERTValidity *validity,
+ CERTCertificateRequest *req);
+
+/*
+** Destroy a certificate object
+** "cert" the certificate to destroy
+** NOTE: certificate's are reference counted. This call decrements the
+** reference count, and if the result is zero, then the object is destroyed
+** and optionally freed.
+*/
+extern void CERT_DestroyCertificate(CERTCertificate *cert);
+
+/*
+** Make a shallow copy of a certificate "c". Just increments the
+** reference count on "c".
+*/
+extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
+
+/*
+** Create a new certificate request. This result must be wrapped with an
+** CERTSignedData to create a signed certificate request.
+** "name" the subject name (who the certificate request is from)
+** "spki" describes/defines the public key the certificate is for
+** "attributes" if non-zero, some optional attribute data
+*/
+extern CERTCertificateRequest *CERT_CreateCertificateRequest(
+ CERTName *name, CERTSubjectPublicKeyInfo *spki, SECItem **attributes);
+
+/*
+** Destroy a certificate-request object
+** "r" the certificate-request to destroy
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
+
+/*
+** Start adding extensions to a certificate request.
+*/
+void *CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
+
+/*
+** Reformat the certificate extension list into a CertificateRequest
+** attribute list.
+*/
+SECStatus CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
+
+/*
+** Extract the Extension Requests from a DER CertRequest attribute list.
+*/
+SECStatus CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
+ CERTCertExtension ***exts);
+
+/*
+** Extract a public key object from a certificate
+*/
+extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
+
+/*
+** Retrieve the Key Type associated with the cert we're dealing with
+*/
+
+extern KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki);
+
+/*
+** Initialize the certificate database. This is called to create
+** the initial list of certificates in the database.
+*/
+extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
+
+extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
+
+/*
+** Default certificate database routines
+*/
+extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
+
+extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
+
+extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
+ PRTime time, SECCertUsage usage);
+extern CERTCertificate *CERT_NewTempCertificate(CERTCertDBHandle *handle,
+ SECItem *derCert,
+ char *nickname, PRBool isperm,
+ PRBool copyDER);
+
+/******************************************************************************
+ *
+ * X.500 Name handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create an AVA (attribute-value-assertion)
+** "arena" the memory arena to alloc from
+** "kind" is one of SEC_OID_AVA_*
+** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
+** DER_T61_STRING
+** "value" is the null terminated string containing the value
+*/
+extern CERTAVA *CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind,
+ int valueType, char *value);
+
+/*
+** Extract the Distinguished Name from a DER encoded certificate
+** "derCert" is the DER encoded certificate
+** "derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
+
+/*
+** Extract the Issuers Distinguished Name from a DER encoded certificate
+** "derCert" is the DER encoded certificate
+** "derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName);
+
+extern SECItem *CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
+ PLArenaPool *arena);
+
+extern CERTGeneralName *CERT_DecodeGeneralName(PLArenaPool *reqArena,
+ SECItem *encodedName,
+ CERTGeneralName *genName);
+
+/*
+** Generate a database search key for a certificate, based on the
+** issuer and serial number.
+** "arena" the memory arena to alloc from
+** "derCert" the DER encoded certificate
+** "key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
+ SECItem *key);
+
+extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
+ SECItem *sn, SECItem *key);
+
+extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
+ SECItem *derName);
+
+/*
+** Generate a database search key for a crl, based on the
+** issuer.
+** "arena" the memory arena to alloc from
+** "derCrl" the DER encoded crl
+** "key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl,
+ SECItem *key);
+
+/*
+** Open the certificate database. Use callback to get name of database.
+*/
+extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
+ CERTDBNameFunc namecb, void *cbarg);
+
+/* Open the certificate database. Use given filename for database. */
+extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
+ char *certdbname, PRBool readOnly);
+
+/*
+** Open and initialize a cert database that is entirely in memory. This
+** can be used when the permanent database can not be opened or created.
+*/
+extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
+
+/*
+** Extract the list of host names, host name patters, IP address strings
+** this cert is valid for.
+** This function does NOT return nicknames.
+** Type CERTCertNicknames is being used because it's a convenient
+** data structure to carry a list of strings and its count.
+*/
+extern CERTCertNicknames *CERT_GetValidDNSPatternsFromCert(
+ CERTCertificate *cert);
+
+/*
+** Check the hostname to make sure that it matches the shexp that
+** is given in the common name of the certificate.
+*/
+extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
+ const char *hostname);
+
+/*
+** Add a domain name to the list of names that the user has explicitly
+** allowed (despite cert name mismatches) for use with a server cert.
+*/
+extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert,
+ const char *hostname);
+
+/*
+** Decode a DER encoded certificate into an CERTCertificate structure
+** "derSignedCert" is the DER encoded signed certificate
+** "copyDER" is true if the DER should be copied, false if the
+** existing copy should be referenced
+** "nickname" is the nickname to use in the database. If it is NULL
+** then a temporary nickname is generated.
+*/
+extern CERTCertificate *CERT_DecodeDERCertificate(SECItem *derSignedCert,
+ PRBool copyDER,
+ char *nickname);
+/*
+** Decode a DER encoded CRL into a CERTSignedCrl structure
+** "derSignedCrl" is the DER encoded signed CRL.
+** "type" must be SEC_CRL_TYPE.
+*/
+#define SEC_CRL_TYPE 1
+#define SEC_KRL_TYPE 0 /* deprecated */
+
+extern CERTSignedCrl *CERT_DecodeDERCrl(PLArenaPool *arena,
+ SECItem *derSignedCrl, int type);
+
+/*
+ * same as CERT_DecodeDERCrl, plus allow options to be passed in
+ */
+
+extern CERTSignedCrl *CERT_DecodeDERCrlWithFlags(PLArenaPool *narena,
+ SECItem *derSignedCrl,
+ int type, PRInt32 options);
+
+/* CRL options to pass */
+
+#define CRL_DECODE_DEFAULT_OPTIONS 0x00000000
+
+/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
+ application must then keep derSignedCrl until it destroys the
+ CRL . Ideally, it should allocate derSignedCrl in an arena
+ and pass that arena in as the first argument to
+ CERT_DecodeDERCrlWithFlags */
+
+#define CRL_DECODE_DONT_COPY_DER 0x00000001
+#define CRL_DECODE_SKIP_ENTRIES 0x00000002
+#define CRL_DECODE_KEEP_BAD_CRL 0x00000004
+#define CRL_DECODE_ADOPT_HEAP_DER 0x00000008
+
+/* complete the decoding of a partially decoded CRL, ie. decode the
+ entries. Note that entries is an optional field in a CRL, so the
+ "entries" pointer in CERTCrlStr may still be NULL even after
+ function returns SECSuccess */
+
+extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl *crl);
+
+/* Validate CRL then import it to the dbase. If there is already a CRL with the
+ * same CA in the dbase, it will be replaced if derCRL is more up to date.
+ * If the process successes, a CRL will be returned. Otherwise, a NULL will
+ * be returned. The caller should call PORT_GetError() for the exactly error
+ * code.
+ */
+extern CERTSignedCrl *CERT_ImportCRL(CERTCertDBHandle *handle, SECItem *derCRL,
+ char *url, int type, void *wincx);
+
+extern void CERT_DestroyCrl(CERTSignedCrl *crl);
+
+/* this is a hint to flush the CRL cache. crlKey is the DER subject of
+ the issuer (CA). */
+void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle *dbhandle, SECItem *crlKey);
+
+/* add the specified DER CRL object to the CRL cache. Doing so will allow
+ certificate verification functions (such as CERT_VerifyCertificate)
+ to automatically find and make use of this CRL object.
+ Once a CRL is added to the CRL cache, the application must hold on to
+ the object's memory, because the cache will reference it directly. The
+ application can only free the object after it calls CERT_UncacheCRL to
+ remove it from the CRL cache.
+*/
+SECStatus CERT_CacheCRL(CERTCertDBHandle *dbhandle, SECItem *newcrl);
+
+/* remove a previously added CRL object from the CRL cache. It is OK
+ for the application to free the memory after a successful removal
+*/
+SECStatus CERT_UncacheCRL(CERTCertDBHandle *dbhandle, SECItem *oldcrl);
+
+/*
+** Find a certificate in the database
+** "key" is the database key to look for
+*/
+extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle,
+ SECItem *key);
+
+/*
+** Find a certificate in the database by name
+** "name" is the distinguished name to look up
+*/
+extern CERTCertificate *CERT_FindCertByName(CERTCertDBHandle *handle,
+ SECItem *name);
+
+/*
+** Find a certificate in the database by name
+** "name" is the distinguished name to look up (in ascii)
+*/
+extern CERTCertificate *CERT_FindCertByNameString(CERTCertDBHandle *handle,
+ char *name);
+
+/*
+** Find a certificate in the database by name and keyid
+** "name" is the distinguished name to look up
+** "keyID" is the value of the subjectKeyID to match
+*/
+extern CERTCertificate *CERT_FindCertByKeyID(CERTCertDBHandle *handle,
+ SECItem *name, SECItem *keyID);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database. Return the cert if found.
+** "issuerAndSN" is the issuer and serial number to look for
+*/
+extern CERTCertificate *CERT_FindCertByIssuerAndSN(
+ CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a subject key ID
+** "subjKeyID" is the subject Key ID to look for
+*/
+extern CERTCertificate *CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle,
+ SECItem *subjKeyID);
+
+/*
+** Encode Certificate SKID (Subject Key ID) extension.
+**
+*/
+extern SECStatus CERT_EncodeSubjectKeyID(PLArenaPool *arena,
+ const SECItem *srcString,
+ SECItem *encodedValue);
+
+/*
+** Find a certificate in the database by a nickname
+** "nickname" is the ascii string nickname to look for
+*/
+extern CERTCertificate *CERT_FindCertByNickname(CERTCertDBHandle *handle,
+ const char *nickname);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+** "derCert" is the DER encoded certificate
+*/
+extern CERTCertificate *CERT_FindCertByDERCert(CERTCertDBHandle *handle,
+ SECItem *derCert);
+
+/*
+** Find a certificate in the database by a email address
+** "emailAddr" is the email address to look up
+*/
+CERTCertificate *CERT_FindCertByEmailAddr(CERTCertDBHandle *handle,
+ char *emailAddr);
+
+/*
+** Find a certificate in the database by a email address or nickname
+** "name" is the email address or nickname to look up
+*/
+CERTCertificate *CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle,
+ const char *name);
+
+/*
+** Find a certificate in the database by a email address or nickname
+** and require it to have the given usage.
+** "name" is the email address or nickname to look up
+*/
+CERTCertificate *CERT_FindCertByNicknameOrEmailAddrForUsage(
+ CERTCertDBHandle *handle, const char *name, SECCertUsage lookingForUsage);
+
+/*
+** Find a certificate in the database by a digest of a subject public key
+** "spkDigest" is the digest to look up
+*/
+extern CERTCertificate *CERT_FindCertBySPKDigest(CERTCertDBHandle *handle,
+ SECItem *spkDigest);
+
+/*
+ * Find the issuer of a cert
+ */
+CERTCertificate *CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime,
+ SECCertUsage usage);
+
+/*
+** Check the validity times of a certificate vs. time 't', allowing
+** some slop for broken clocks and stuff.
+** "cert" is the certificate to be checked
+** "t" is the time to check against
+** "allowOverride" if true then check to see if the invalidity has
+** been overridden by the user.
+*/
+extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
+ PRTime t,
+ PRBool allowOverride);
+
+/*
+** WARNING - this function is deprecated, and will either go away or have
+** a new API in the near future.
+**
+** Check the validity times of a certificate vs. the current time, allowing
+** some slop for broken clocks and stuff.
+** "cert" is the certificate to be checked
+*/
+extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
+
+/*
+** Extract the validity times from a certificate
+** "c" is the certificate
+** "notBefore" is the start of the validity period
+** "notAfter" is the end of the validity period
+*/
+extern SECStatus CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore,
+ PRTime *notAfter);
+
+/*
+** Extract the issuer and serial number from a certificate
+*/
+extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *,
+ CERTCertificate *);
+
+/*
+** verify the signature of a signed data object with a given certificate
+** "sd" the signed data object to be verified
+** "cert" the certificate to use to check the signature
+*/
+extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
+ CERTCertificate *cert, PRTime t,
+ void *wincx);
+/*
+** verify the signature of a signed data object with the given DER publickey
+*/
+extern SECStatus CERT_VerifySignedDataWithPublicKeyInfo(
+ CERTSignedData *sd, CERTSubjectPublicKeyInfo *pubKeyInfo, void *wincx);
+
+/*
+** verify the signature of a signed data object with a SECKEYPublicKey.
+*/
+extern SECStatus CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
+ SECKEYPublicKey *pubKey,
+ void *wincx);
+
+/*
+** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+** "cert" the certificate to verify
+** "checkSig" only check signatures if true
+*/
+extern SECStatus CERT_VerifyCertificate(CERTCertDBHandle *handle,
+ CERTCertificate *cert, PRBool checkSig,
+ SECCertificateUsage requiredUsages,
+ PRTime t, void *wincx,
+ CERTVerifyLog *log,
+ SECCertificateUsage *returnedUsages);
+
+/* same as above, but uses current time */
+extern SECStatus CERT_VerifyCertificateNow(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertificateUsage requiredUsages,
+ void *wincx,
+ SECCertificateUsage *returnedUsages);
+
+/*
+** Verify that a CA cert can certify some (unspecified) leaf cert for a given
+** purpose. This is used by UI code to help identify where a chain may be
+** broken and why. This takes identical parameters to CERT_VerifyCert
+*/
+extern SECStatus CERT_VerifyCACertForUsage(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage certUsage, PRTime t,
+ void *wincx, CERTVerifyLog *log);
+
+/*
+** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+** "cert" the certificate to verify
+** "checkSig" only check signatures if true
+*/
+extern SECStatus CERT_VerifyCert(CERTCertDBHandle *handle,
+ CERTCertificate *cert, PRBool checkSig,
+ SECCertUsage certUsage, PRTime t, void *wincx,
+ CERTVerifyLog *log);
+
+/* same as above, but uses current time */
+extern SECStatus CERT_VerifyCertNow(CERTCertDBHandle *handle,
+ CERTCertificate *cert, PRBool checkSig,
+ SECCertUsage certUsage, void *wincx);
+
+SECStatus CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
+ PRBool checkSig, SECCertUsage certUsage,
+ PRTime t, void *wincx, CERTVerifyLog *log);
+
+/*
+** Read a base64 ascii encoded DER certificate and convert it to our
+** internal format.
+** "certstr" is a null-terminated string containing the certificate
+*/
+extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
+
+/*
+** Read a certificate in some foreign format, and convert it to our
+** internal format.
+** "certbuf" is the buffer containing the certificate
+** "certlen" is the length of the buffer
+** NOTE - currently supports netscape base64 ascii encoded raw certs
+** and netscape binary DER typed files.
+*/
+extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
+
+extern SECStatus CERT_ImportCAChain(SECItem *certs, int numcerts,
+ SECCertUsage certUsage);
+
+extern SECStatus CERT_ImportCAChainTrusted(SECItem *certs, int numcerts,
+ SECCertUsage certUsage);
+
+/*
+** Read a certificate chain in some foreign format, and pass it to a
+** callback function.
+** "certbuf" is the buffer containing the certificate
+** "certlen" is the length of the buffer
+** "f" is the callback function
+** "arg" is the callback argument
+*/
+typedef SECStatus(PR_CALLBACK *CERTImportCertificateFunc)(void *arg,
+ SECItem **certs,
+ int numcerts);
+
+extern SECStatus CERT_DecodeCertPackage(char *certbuf, int certlen,
+ CERTImportCertificateFunc f, void *arg);
+
+/*
+** Returns the value of an AVA. This was a formerly static
+** function that has been exposed due to the need to decode
+** and convert unicode strings to UTF8.
+**
+** XXX This function resides in certhtml.c, should it be
+** moved elsewhere?
+*/
+extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
+
+/*
+** extract various element strings from a distinguished name.
+** "name" the distinguished name
+*/
+
+extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
+
+extern char *CERT_GetCertEmailAddress(const CERTName *name);
+
+extern const char *CERT_GetFirstEmailAddress(CERTCertificate *cert);
+
+extern const char *CERT_GetNextEmailAddress(CERTCertificate *cert,
+ const char *prev);
+
+/* The return value must be freed with PORT_Free. */
+extern char *CERT_GetCommonName(const CERTName *name);
+
+extern char *CERT_GetCountryName(const CERTName *name);
+
+extern char *CERT_GetLocalityName(const CERTName *name);
+
+extern char *CERT_GetStateName(const CERTName *name);
+
+extern char *CERT_GetOrgName(const CERTName *name);
+
+extern char *CERT_GetOrgUnitName(const CERTName *name);
+
+extern char *CERT_GetDomainComponentName(const CERTName *name);
+
+extern char *CERT_GetCertUid(const CERTName *name);
+
+/* manipulate the trust parameters of a certificate */
+
+extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
+ CERTCertTrust *trust);
+
+extern SECStatus CERT_ChangeCertTrust(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ CERTCertTrust *trust);
+
+extern SECStatus CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
+ CERTCertificate *cert,
+ SECCertUsage usage);
+
+/*************************************************************************
+ *
+ * manipulate the extensions of a certificate
+ *
+ ************************************************************************/
+
+/*
+** Set up a cert for adding X509v3 extensions. Returns an opaque handle
+** used by the next two routines.
+** "cert" is the certificate we are adding extensions to
+*/
+extern void *CERT_StartCertExtensions(CERTCertificate *cert);
+
+/*
+** Add an extension to a certificate.
+** "exthandle" is the handle returned by the previous function
+** "idtag" is the integer tag for the OID that should ID this extension
+** "value" is the value of the extension
+** "critical" is the critical extension flag
+** "copyData" is a flag indicating whether the value data should be
+** copied.
+*/
+extern SECStatus CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
+ PRBool critical, PRBool copyData);
+
+extern SECStatus CERT_AddExtensionByOID(void *exthandle, SECItem *oid,
+ SECItem *value, PRBool critical,
+ PRBool copyData);
+
+extern SECStatus CERT_EncodeAndAddExtension(void *exthandle, int idtag,
+ void *value, PRBool critical,
+ const SEC_ASN1Template *atemplate);
+
+extern SECStatus CERT_EncodeAndAddBitStrExtension(void *exthandle, int idtag,
+ SECItem *value,
+ PRBool critical);
+
+extern SECStatus CERT_EncodeAltNameExtension(PLArenaPool *arena,
+ CERTGeneralName *value,
+ SECItem *encodedValue);
+
+/*
+** Finish adding cert extensions. Does final processing on extension
+** data, putting it in the right format, and freeing any temporary
+** storage.
+** "exthandle" is the handle used to add extensions to a certificate
+*/
+extern SECStatus CERT_FinishExtensions(void *exthandle);
+
+/*
+** Merge an external list of extensions into a cert's extension list, adding one
+** only when its OID matches none of the cert's existing extensions. Call this
+** immediately before calling CERT_FinishExtensions().
+*/
+SECStatus CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
+
+/* If the extension is found, return its criticality and value.
+** This allocate storage for the returning extension value.
+*/
+extern SECStatus CERT_GetExtenCriticality(CERTCertExtension **extensions,
+ int tag, PRBool *isCritical);
+
+extern void CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
+
+/****************************************************************************
+ *
+ * DER encode and decode extension values
+ *
+ ****************************************************************************/
+
+/* Encode the value of the basicConstraint extension.
+** arena - where to allocate memory for the encoded value.
+** value - extension value to encode
+** encodedValue - output encoded value
+*/
+extern SECStatus CERT_EncodeBasicConstraintValue(PLArenaPool *arena,
+ CERTBasicConstraints *value,
+ SECItem *encodedValue);
+
+/*
+** Encode the value of the authorityKeyIdentifier extension.
+*/
+extern SECStatus CERT_EncodeAuthKeyID(PLArenaPool *arena, CERTAuthKeyID *value,
+ SECItem *encodedValue);
+
+/*
+** Encode the value of the crlDistributionPoints extension.
+*/
+extern SECStatus CERT_EncodeCRLDistributionPoints(
+ PLArenaPool *arena, CERTCrlDistributionPoints *value, SECItem *derValue);
+
+/*
+** Decodes a DER encoded basicConstaint extension value into a readable format
+** value - decoded value
+** encodedValue - value to decoded
+*/
+extern SECStatus CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value,
+ const SECItem *encodedValue);
+
+/* Decodes a DER encoded authorityKeyIdentifier extension value into a
+** readable format.
+** arena - where to allocate memory for the decoded value
+** encodedValue - value to be decoded
+** Returns a CERTAuthKeyID structure which contains the decoded value
+*/
+extern CERTAuthKeyID *CERT_DecodeAuthKeyID(PLArenaPool *arena,
+ const SECItem *encodedValue);
+
+/* Decodes a DER encoded crlDistributionPoints extension value into a
+** readable format.
+** arena - where to allocate memory for the decoded value
+** der - value to be decoded
+** Returns a CERTCrlDistributionPoints structure which contains the
+** decoded value
+*/
+extern CERTCrlDistributionPoints *CERT_DecodeCRLDistributionPoints(
+ PLArenaPool *arena, SECItem *der);
+
+/* Extract certain name type from a generalName */
+extern void *CERT_GetGeneralNameByType(CERTGeneralName *genNames,
+ CERTGeneralNameType type,
+ PRBool derFormat);
+
+extern CERTOidSequence *CERT_DecodeOidSequence(const SECItem *seqItem);
+
+/****************************************************************************
+ *
+ * Find extension values of a certificate
+ *
+ ***************************************************************************/
+
+extern SECStatus CERT_FindCertExtension(const CERTCertificate *cert, int tag,
+ SECItem *value);
+
+extern SECStatus CERT_FindNSCertTypeExtension(CERTCertificate *cert,
+ SECItem *value);
+
+extern char *CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag);
+
+extern SECStatus CERT_FindCertExtensionByOID(CERTCertificate *cert,
+ SECItem *oid, SECItem *value);
+
+/* Returns the decoded value of the authKeyID extension.
+** Note that this uses passed in the arena to allocate storage for the result
+*/
+extern CERTAuthKeyID *CERT_FindAuthKeyIDExten(PLArenaPool *arena,
+ CERTCertificate *cert);
+
+/* Returns the decoded value of the basicConstraint extension.
+ */
+extern SECStatus CERT_FindBasicConstraintExten(CERTCertificate *cert,
+ CERTBasicConstraints *value);
+
+/* Returns the decoded value of the crlDistributionPoints extension.
+** Note that the arena in cert is used to allocate storage for the result
+*/
+extern CERTCrlDistributionPoints *CERT_FindCRLDistributionPoints(
+ CERTCertificate *cert);
+
+/* Returns value of the keyUsage extension. This uses PR_Alloc to allocate
+** buffer for the decoded value. The caller should free up the storage
+** allocated in value->data.
+*/
+extern SECStatus CERT_FindKeyUsageExtension(CERTCertificate *cert,
+ SECItem *value);
+
+/* Return the decoded value of the subjectKeyID extension. The caller should
+** free up the storage allocated in retItem->data.
+*/
+extern SECStatus CERT_FindSubjectKeyIDExtension(CERTCertificate *cert,
+ SECItem *retItem);
+
+/*
+** If cert is a v3 certificate, and a critical keyUsage extension is included,
+** then check the usage against the extension value. If a non-critical
+** keyUsage extension is included, this will return SECSuccess without
+** checking, since the extension is an advisory field, not a restriction.
+** If cert is not a v3 certificate, this will return SECSuccess.
+** cert - certificate
+** usage - one of the x.509 v3 the Key Usage Extension flags
+*/
+extern SECStatus CERT_CheckCertUsage(CERTCertificate *cert,
+ unsigned char usage);
+
+/****************************************************************************
+ *
+ * CRL v2 Extensions supported routines
+ *
+ ****************************************************************************/
+
+extern SECStatus CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid,
+ SECItem *value);
+
+extern SECStatus CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value);
+
+extern SECStatus CERT_FindInvalidDateExten(CERTCrl *crl, PRTime *value);
+
+/*
+** Set up a crl for adding X509v3 extensions. Returns an opaque handle
+** used by routines that take an exthandle (void*) argument .
+** "crl" is the CRL we are adding extensions to
+*/
+extern void *CERT_StartCRLExtensions(CERTCrl *crl);
+
+/*
+** Set up a crl entry for adding X509v3 extensions. Returns an opaque handle
+** used by routines that take an exthandle (void*) argument .
+** "crl" is the crl we are adding certs entries to
+** "entry" is the crl entry we are adding extensions to
+*/
+extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
+
+extern CERTCertNicknames *CERT_GetCertNicknames(CERTCertDBHandle *handle,
+ int what, void *wincx);
+
+/*
+** Finds the crlNumber extension and decodes its value into 'value'
+*/
+extern SECStatus CERT_FindCRLNumberExten(PLArenaPool *arena, CERTCrl *crl,
+ SECItem *value);
+
+extern SECStatus CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry,
+ CERTCRLEntryReasonCode *value);
+
+extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
+
+extern PRBool CERT_CompareCerts(const CERTCertificate *c1,
+ const CERTCertificate *c2);
+
+extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
+ CERTCertificate *c2);
+
+/*
+** Generate an array of the Distinguished Names that the given cert database
+** "trusts"
+*/
+extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
+
+extern void CERT_FreeDistNames(CERTDistNames *names);
+
+/* Duplicate distinguished name array */
+extern CERTDistNames *CERT_DupDistNames(CERTDistNames *orig);
+
+/*
+** Generate an array of Distinguished names from an array of nicknames
+*/
+extern CERTDistNames *CERT_DistNamesFromNicknames(CERTCertDBHandle *handle,
+ char **nicknames, int nnames);
+
+/*
+** Generate an array of Distinguished names from a list of certs.
+*/
+extern CERTDistNames *CERT_DistNamesFromCertList(CERTCertList *list);
+
+/*
+** Generate a certificate chain from a certificate.
+*/
+extern CERTCertificateList *CERT_CertChainFromCert(CERTCertificate *cert,
+ SECCertUsage usage,
+ PRBool includeRoot);
+
+extern CERTCertificateList *CERT_CertListFromCert(CERTCertificate *cert);
+
+extern CERTCertificateList *CERT_DupCertList(
+ const CERTCertificateList *oldList);
+
+extern void CERT_DestroyCertificateList(CERTCertificateList *list);
+
+/*
+** is cert a user cert? i.e. does it have CERTDB_USER trust,
+** i.e. a private key?
+*/
+PRBool CERT_IsUserCert(CERTCertificate *cert);
+
+/* is cert a newer than cert b? */
+PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
+
+/* currently a stub for address book */
+PRBool CERT_IsCertRevoked(CERTCertificate *cert);
+
+void CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
+
+/* convert an email address to lower case */
+char *CERT_FixupEmailAddr(const char *emailAddr);
+
+/* decode string representation of trust flags into trust struct */
+SECStatus CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts);
+
+/* encode trust struct into string representation of trust flags */
+char *CERT_EncodeTrustString(CERTCertTrust *trust);
+
+/* find the next or prev cert in a subject list */
+CERTCertificate *CERT_PrevSubjectCert(CERTCertificate *cert);
+CERTCertificate *CERT_NextSubjectCert(CERTCertificate *cert);
+
+/*
+ * import a collection of certs into the temporary or permanent cert
+ * database
+ */
+SECStatus CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
+ unsigned int ncerts, SECItem **derCerts,
+ CERTCertificate ***retCerts, PRBool keepCerts,
+ PRBool caOnly, char *nickname);
+
+char *CERT_MakeCANickname(CERTCertificate *cert);
+
+PRBool CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
+
+PRBool CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
+
+PRBool CERT_IsRootDERCert(SECItem *derCert);
+
+SECStatus CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+ SECItem *profileTime);
+
+/*
+ * find the smime symmetric capabilities profile for a given cert
+ */
+SECItem *CERT_FindSMimeProfile(CERTCertificate *cert);
+
+SECStatus CERT_AddNewCerts(CERTCertDBHandle *handle);
+
+CERTCertificatePolicies *CERT_DecodeCertificatePoliciesExtension(
+ const SECItem *extnValue);
+
+void CERT_DestroyCertificatePoliciesExtension(
+ CERTCertificatePolicies *policies);
+
+CERTCertificatePolicyMappings *CERT_DecodePolicyMappingsExtension(
+ SECItem *encodedCertPolicyMaps);
+
+SECStatus CERT_DestroyPolicyMappingsExtension(
+ CERTCertificatePolicyMappings *mappings);
+
+SECStatus CERT_DecodePolicyConstraintsExtension(
+ CERTCertificatePolicyConstraints *decodedValue,
+ const SECItem *encodedValue);
+
+SECStatus CERT_DecodeInhibitAnyExtension(
+ CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
+
+CERTUserNotice *CERT_DecodeUserNotice(SECItem *noticeItem);
+
+extern CERTGeneralName *CERT_DecodeAltNameExtension(PLArenaPool *reqArena,
+ SECItem *EncodedAltName);
+
+extern CERTNameConstraints *CERT_DecodeNameConstraintsExtension(
+ PLArenaPool *arena, const SECItem *encodedConstraints);
+
+/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
+extern CERTAuthInfoAccess **CERT_DecodeAuthInfoAccessExtension(
+ PLArenaPool *reqArena, const SECItem *encodedExtension);
+
+extern CERTPrivKeyUsagePeriod *CERT_DecodePrivKeyUsagePeriodExtension(
+ PLArenaPool *arena, SECItem *extnValue);
+
+extern CERTGeneralName *CERT_GetNextGeneralName(CERTGeneralName *current);
+
+extern CERTGeneralName *CERT_GetPrevGeneralName(CERTGeneralName *current);
+
+/*
+ * Look up name constraints for some certs that do not include name constraints
+ * (Most importantly, root certificates)
+ *
+ * If a matching subject is found, |extensions| will be populated with a copy of
+ * the
+ * DER-encoded name constraints extension. The data in |extensions| will point
+ * to
+ * memory that the caller owns.
+ *
+ * There is no mechanism to configure imposed name constraints right now. All
+ * imposed name constraints are built into NSS.
+ */
+SECStatus CERT_GetImposedNameConstraints(const SECItem *derSubject,
+ SECItem *extensions);
+
+CERTNameConstraint *CERT_GetNextNameConstraint(CERTNameConstraint *current);
+
+CERTNameConstraint *CERT_GetPrevNameConstraint(CERTNameConstraint *current);
+
+void CERT_DestroyUserNotice(CERTUserNotice *userNotice);
+
+typedef char *(*CERTPolicyStringCallback)(char *org, unsigned long noticeNumber,
+ void *arg);
+void CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
+
+char *CERT_GetCertCommentString(CERTCertificate *cert);
+
+PRBool CERT_GovtApprovedBitSet(CERTCertificate *cert);
+
+SECStatus CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
+
+CERTCertList *CERT_MatchUserCert(CERTCertDBHandle *handle, SECCertUsage usage,
+ int nCANames, char **caNames, void *proto_win);
+
+CERTCertList *CERT_NewCertList(void);
+
+/* free the cert list and all the certs in the list */
+void CERT_DestroyCertList(CERTCertList *certs);
+
+/* remove the node and free the cert */
+void CERT_RemoveCertListNode(CERTCertListNode *node);
+
+/* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
+SECStatus CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
+
+/* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
+SECStatus CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
+
+/*
+ * The new cert list node takes ownership of "cert". "cert" is freed
+ * when the list node is removed.
+ */
+SECStatus CERT_AddCertToListTailWithData(CERTCertList *certs,
+ CERTCertificate *cert, void *appData);
+
+/*
+ * The new cert list node takes ownership of "cert". "cert" is freed
+ * when the list node is removed.
+ */
+SECStatus CERT_AddCertToListHeadWithData(CERTCertList *certs,
+ CERTCertificate *cert, void *appData);
+
+typedef PRBool (*CERTSortCallback)(CERTCertificate *certa,
+ CERTCertificate *certb, void *arg);
+SECStatus CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
+ CERTSortCallback f, void *arg);
+
+/* callback for CERT_AddCertToListSorted that sorts based on validity
+ * period and a given time.
+ */
+PRBool CERT_SortCBValidity(CERTCertificate *certa, CERTCertificate *certb,
+ void *arg);
+
+SECStatus CERT_CheckForEvilCert(CERTCertificate *cert);
+
+CERTGeneralName *CERT_GetCertificateNames(CERTCertificate *cert,
+ PLArenaPool *arena);
+
+CERTGeneralName *CERT_GetConstrainedCertificateNames(
+ const CERTCertificate *cert, PLArenaPool *arena,
+ PRBool includeSubjectCommonName);
+
+/*
+ * Creates or adds to a list of all certs with a give subject name, sorted by
+ * validity time, newest first. Invalid certs are considered older than
+ * valid certs. If validOnly is set, do not include invalid certs on list.
+ */
+CERTCertList *CERT_CreateSubjectCertList(CERTCertList *certList,
+ CERTCertDBHandle *handle,
+ const SECItem *name, PRTime sorttime,
+ PRBool validOnly);
+
+/*
+ * remove certs from a list that don't have keyUsage and certType
+ * that match the given usage.
+ */
+SECStatus CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
+ PRBool ca);
+
+/*
+ * check the key usage of a cert against a set of required values
+ */
+SECStatus CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
+
+/*
+ * return required key usage and cert type based on cert usage
+ */
+SECStatus CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
+ unsigned int *retKeyUsage,
+ unsigned int *retCertType);
+/*
+ * return required trust flags for various cert usages for CAs
+ */
+SECStatus CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
+ unsigned int *retFlags,
+ SECTrustType *retTrustType);
+
+/*
+ * Find all user certificates that match the given criteria.
+ *
+ * "handle" - database to search
+ * "usage" - certificate usage to match
+ * "oneCertPerName" - if set then only return the "best" cert per
+ * name
+ * "validOnly" - only return certs that are curently valid
+ * "proto_win" - window handle passed to pkcs11
+ */
+CERTCertList *CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
+ SECCertUsage usage,
+ PRBool oneCertPerName, PRBool validOnly,
+ void *proto_win);
+
+/*
+ * Find a user certificate that matchs the given criteria.
+ *
+ * "handle" - database to search
+ * "nickname" - nickname to match
+ * "usage" - certificate usage to match
+ * "validOnly" - only return certs that are curently valid
+ * "proto_win" - window handle passed to pkcs11
+ */
+CERTCertificate *CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
+ const char *nickname,
+ SECCertUsage usage, PRBool validOnly,
+ void *proto_win);
+
+/*
+ * Filter a list of certificates, removing those certs that do not have
+ * one of the named CA certs somewhere in their cert chain.
+ *
+ * "certList" - the list of certificates to filter
+ * "nCANames" - number of CA names
+ * "caNames" - array of CA names in string(rfc 1485) form
+ * "usage" - what use the certs are for, this is used when
+ * selecting CA certs
+ */
+SECStatus CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
+ char **caNames, SECCertUsage usage);
+
+/*
+ * Filter a list of certificates, removing those certs that aren't user certs
+ */
+SECStatus CERT_FilterCertListForUserCerts(CERTCertList *certList);
+
+/*
+ * Collect the nicknames from all certs in a CertList. If the cert is not
+ * valid, append a string to that nickname.
+ *
+ * "certList" - the list of certificates
+ * "expiredString" - the string to append to the nickname of any expired cert
+ * "notYetGoodString" - the string to append to the nickname of any cert
+ * that is not yet valid
+ */
+CERTCertNicknames *CERT_NicknameStringsFromCertList(CERTCertList *certList,
+ char *expiredString,
+ char *notYetGoodString);
+
+/*
+ * Extract the nickname from a nickmake string that may have either
+ * expiredString or notYetGoodString appended.
+ *
+ * Args:
+ * "namestring" - the string containing the nickname, and possibly
+ * one of the validity label strings
+ * "expiredString" - the expired validity label string
+ * "notYetGoodString" - the not yet good validity label string
+ *
+ * Returns the raw nickname
+ */
+char *CERT_ExtractNicknameString(char *namestring, char *expiredString,
+ char *notYetGoodString);
+
+/*
+ * Given a certificate, return a string containing the nickname, and possibly
+ * one of the validity strings, based on the current validity state of the
+ * certificate.
+ *
+ * "arena" - arena to allocate returned string from. If NULL, then heap
+ * is used.
+ * "cert" - the cert to get nickname from
+ * "expiredString" - the string to append to the nickname if the cert is
+ * expired.
+ * "notYetGoodString" - the string to append to the nickname if the cert is
+ * not yet good.
+ */
+char *CERT_GetCertNicknameWithValidity(PLArenaPool *arena,
+ CERTCertificate *cert,
+ char *expiredString,
+ char *notYetGoodString);
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *CERT_DerNameToAscii(SECItem *dername);
+
+/*
+ * Supported usage values and types:
+ * certUsageSSLClient
+ * certUsageSSLServer
+ * certUsageSSLServerWithStepUp
+ * certUsageEmailSigner
+ * certUsageEmailRecipient
+ * certUsageObjectSigner
+ */
+
+CERTCertificate *CERT_FindMatchingCert(CERTCertDBHandle *handle,
+ SECItem *derName, CERTCertOwner owner,
+ SECCertUsage usage, PRBool preferTrusted,
+ PRTime validTime, PRBool validOnly);
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ * adding or deleting a cert to either the temp or perm databases
+ * converting a temp to perm or perm to temp
+ * changing(maybe just adding?) the trust of a cert
+ * adjusting the reference count of a cert
+ */
+void CERT_LockDB(CERTCertDBHandle *handle);
+
+/*
+ * Free the global cert database lock.
+ */
+void CERT_UnlockDB(CERTCertDBHandle *handle);
+
+/*
+ * Get the certificate status checking configuratino data for
+ * the certificate database
+ */
+CERTStatusConfig *CERT_GetStatusConfig(CERTCertDBHandle *handle);
+
+/*
+ * Set the certificate status checking information for the
+ * database. The input structure becomes part of the certificate
+ * database and will be freed by calling the 'Destroy' function in
+ * the configuration object.
+ */
+void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void CERT_LockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Free the cert reference count lock
+ */
+void CERT_UnlockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void CERT_LockCertTrust(const CERTCertificate *cert);
+
+/*
+ * Free the cert trust lock
+ */
+void CERT_UnlockCertTrust(const CERTCertificate *cert);
+
+/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
+ * the tag, length, and number of unused bits) rather than the whole
+ * subjectPublicKeyInfo field.
+ *
+ * The necessary storage for the digest data is allocated. If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise. Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */
+extern SECItem *CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena,
+ const CERTCertificate *cert,
+ SECOidTag digestAlg,
+ SECItem *fill);
+
+/*
+ * Digest the cert's subject name using the specified algorithm.
+ */
+extern SECItem *CERT_GetSubjectNameDigest(PLArenaPool *arena,
+ const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill);
+
+SECStatus CERT_CheckCRL(CERTCertificate *cert, CERTCertificate *issuer,
+ const SECItem *dp, PRTime t, void *wincx);
+
+/*
+ * Add a CERTNameConstraint to the CERTNameConstraint list
+ */
+extern CERTNameConstraint *CERT_AddNameConstraint(
+ CERTNameConstraint *list, CERTNameConstraint *constraint);
+
+/*
+ * Allocate space and copy CERTNameConstraint from src to dest.
+ * Arena is used to allocate result(if dest eq NULL) and its members
+ * SECItem data.
+ */
+extern CERTNameConstraint *CERT_CopyNameConstraint(PLArenaPool *arena,
+ CERTNameConstraint *dest,
+ CERTNameConstraint *src);
+
+/*
+ * Verify name against all the constraints relevant to that type of
+ * the name.
+ */
+extern SECStatus CERT_CheckNameSpace(PLArenaPool *arena,
+ const CERTNameConstraints *constraints,
+ const CERTGeneralName *currentName);
+
+/*
+ * Extract and allocate the name constraints extension from the CA cert.
+ * If the certificate contains no name constraints extension, but
+ * CERT_GetImposedNameConstraints returns a name constraints extension
+ * for the subject of the certificate, then that extension will be returned.
+ */
+extern SECStatus CERT_FindNameConstraintsExten(
+ PLArenaPool *arena, CERTCertificate *cert,
+ CERTNameConstraints **constraints);
+
+/*
+ * Initialize a new GERTGeneralName fields (link)
+ */
+extern CERTGeneralName *CERT_NewGeneralName(PLArenaPool *arena,
+ CERTGeneralNameType type);
+
+/*
+ * Lookup a CERTGeneralNameType constant by its human readable string.
+ */
+extern CERTGeneralNameType CERT_GetGeneralNameTypeFromString(
+ const char *string);
+
+/*
+ * PKIX extension encoding routines
+ */
+extern SECStatus CERT_EncodePolicyConstraintsExtension(
+ PLArenaPool *arena, CERTCertificatePolicyConstraints *constr,
+ SECItem *dest);
+extern SECStatus CERT_EncodeInhibitAnyExtension(
+ PLArenaPool *arena, CERTCertificateInhibitAny *inhibitAny, SECItem *dest);
+extern SECStatus CERT_EncodePolicyMappingExtension(
+ PLArenaPool *arena, CERTCertificatePolicyMappings *maps, SECItem *dest);
+
+extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
+ CERTAuthInfoAccess **info,
+ SECItem *dest);
+extern SECStatus CERT_EncodeUserNotice(PLArenaPool *arena,
+ CERTUserNotice *notice, SECItem *dest);
+
+extern SECStatus CERT_EncodeDisplayText(PLArenaPool *arena, SECItem *text,
+ SECItem *dest);
+
+extern SECStatus CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
+ CERTPolicyInfo **info,
+ SECItem *dest);
+extern SECStatus CERT_EncodeNoticeReference(PLArenaPool *arena,
+ CERTNoticeReference *reference,
+ SECItem *dest);
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags *CERT_GetPKIXVerifyNistRevocationPolicy(void);
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledSoftFailurePolicy(
+ void);
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags *CERT_GetClassicOCSPEnabledHardFailurePolicy(
+ void);
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags *CERT_GetClassicOCSPDisabledPolicy(void);
+
+/*
+ * Verify a Cert with libpkix
+ * paramsIn control the verification options. If a value isn't specified
+ * in paramsIn, it reverts to the application default.
+ * paramsOut specifies the parameters the caller would like to get back.
+ * the caller may pass NULL, in which case no parameters are returned.
+ */
+extern SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut, void *wincx);
+
+/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
+ * to use libpkix validation engine. The function should be called ones at
+ * application initialization time.
+ * Function is not thread safe.*/
+extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
+
+/* The function return PR_TRUE if cert validation should use
+ * libpkix cert validation engine. */
+extern PRBool CERT_GetUsePKIXForValidation(void);
+
+/*
+ * Allocate a parameter container of type CERTRevocationFlags,
+ * and allocate the inner arrays of the given sizes.
+ * To cleanup call CERT_DestroyCERTRevocationFlags.
+ */
+extern CERTRevocationFlags *CERT_AllocCERTRevocationFlags(
+ PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
+ PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
+
+/*
+ * Destroy the arrays inside flags,
+ * and destroy the object pointed to by flags, too.
+ */
+extern void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
+
+SEC_END_PROTOS
+
+#endif /* _CERT_H_ */