diff options
Diffstat (limited to 'security/nss/lib/certdb/certt.h')
| -rw-r--r-- | security/nss/lib/certdb/certt.h | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index 9cac70ca6..aae1184a8 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -35,6 +35,7 @@ typedef struct CERTCertListStr CERTCertList; typedef struct CERTCertListNodeStr CERTCertListNode; typedef struct CERTCertNicknamesStr CERTCertNicknames; typedef struct CERTCertTrustStr CERTCertTrust; +typedef struct CERTCertDistrustStr CERTCertDistrust; typedef struct CERTCertificateStr CERTCertificate; typedef struct CERTCertificateListStr CERTCertificateList; typedef struct CERTCertificateRequestStr CERTCertificateRequest; @@ -141,6 +142,18 @@ struct CERTCertTrustStr { }; /* + * Distrust dates for specific certificate usages. + * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be + * compatible with the format of certdata.txt, other date fields in certs and + * existing functions to read these dates. Clients should check the distrust + * date in certificates to avoid trusting a CA for service they have ceased to + * support */ +struct CERTCertDistrustStr { + SECItem serverDistrustAfter; + SECItem emailDistrustAfter; +}; + +/* * defined the types of trust that exist */ typedef enum SECTrustTypeEnum { @@ -279,6 +292,8 @@ struct CERTCertificateStr { PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ PRBool ownSlot; /*true if the cert owns the slot reference */ + /* These fields are used in nssckbi/builtins CAs. */ + CERTCertDistrust *distrust; }; #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ @@ -416,6 +431,19 @@ struct CERTDistNamesStr { void *head; /* private */ }; +/* + * NS_CERT_TYPE defines are used in two areas: + * 1) The old NSS Cert Type Extension, which is a certificate extension in the + * actual cert. It was created before the x509 Extended Key Usage Extension, + * which has now taken over it's function. This field is only 8 bits wide + * 2) The nsCertType entry in the CERTCertificate structure. This field is + * 32 bits wide. + * Any entries in this table greater than 0x80 will not be able to be encoded + * in an NSS Cert Type Extension, but can still be represented internally in + * the nsCertType field. + */ +#define NS_CERT_TYPE_IPSEC_CA (0x200) /* outside the NS Cert Type Extenstion */ +#define NS_CERT_TYPE_IPSEC (0x100) /* outside the NS Cert Type Extenstion */ #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ @@ -430,11 +458,12 @@ struct CERTDistNamesStr { #define NS_CERT_TYPE_APP \ (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ - NS_CERT_TYPE_OBJECT_SIGNING) + NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING) -#define NS_CERT_TYPE_CA \ - (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \ - NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER) +#define NS_CERT_TYPE_CA \ + (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \ + NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \ + NS_CERT_TYPE_IPSEC_CA) typedef enum SECCertUsageEnum { certUsageSSLClient = 0, certUsageSSLServer = 1, |